WEBVTT 1 00:00:00.120 --> 00:00:04.480 Welcome to the deep Dive. Today we're we're going deep 2 00:00:04.519 --> 00:00:08.720 into the world of Linux anti reversing techniques. You provided 3 00:00:08.759 --> 00:00:13.359 some excerpts from Programming Linux Anti reversing Techniques by Jacob Bains, 4 00:00:14.000 --> 00:00:17.640 and we're ready to kind of uncover the secrets that 5 00:00:17.719 --> 00:00:21.719 programmers use to safeguard their code and also the challenges 6 00:00:21.760 --> 00:00:24.320 that reverse engineers face when they're trying to unravel it. 7 00:00:24.320 --> 00:00:28.760 It's an interesting area. You know, developers and reverse engineers 8 00:00:28.800 --> 00:00:31.760 are constantly trying to outsmart each other. It's like an 9 00:00:31.839 --> 00:00:35.960 ongoing chess game, with every move kind of raising the stakes. 10 00:00:36.240 --> 00:00:38.280 It's a really interesting back and forth. And I thought 11 00:00:38.280 --> 00:00:42.759 it was fascinating how basic things like compiler options can 12 00:00:42.799 --> 00:00:45.799 make a huge difference in how easy or difficult it 13 00:00:45.880 --> 00:00:49.359 is to reverse engineer or program like, for example, the 14 00:00:49.439 --> 00:00:54.079 g flag for deepbugging information. Who would thought that would 15 00:00:54.119 --> 00:00:57.600 be such a gold mine for someone trying to understand 16 00:00:57.679 --> 00:00:58.320 the code. 17 00:00:58.600 --> 00:01:01.439 It is kind of counterintuitive, isn't it. You would think 18 00:01:01.479 --> 00:01:05.040 that debugging information is meant for the programmer to make 19 00:01:05.040 --> 00:01:09.439 their life easier, but it inadvertently provides a roadmap for 20 00:01:09.519 --> 00:01:14.480 reverse engineers as well. So daergy can actually embed details 21 00:01:14.599 --> 00:01:20.239 like source file paths, compilation directories, and even variable names 22 00:01:20.280 --> 00:01:23.519 directly into the binary. It's like leaving a trail of 23 00:01:23.560 --> 00:01:25.680 breadcrumbs through the forest of your code. 24 00:01:25.879 --> 00:01:29.560 So essentially a simple decision during compilation can have really 25 00:01:29.799 --> 00:01:33.680 big consequences. Oh, absolutely for the security of the final program. 26 00:01:33.799 --> 00:01:36.599 There's a case study actually in the book about the 27 00:01:36.799 --> 00:01:41.560 xr d DOS malware. Researchers that were analyzing this malware 28 00:01:41.560 --> 00:01:46.280 found debugging information that revealed a directory path with a 29 00:01:46.400 --> 00:01:50.840 username X and way. Now this isn't conclusive proof of authorship, 30 00:01:51.120 --> 00:01:55.519 but it illustrates how this seemingly harmless information can potentially 31 00:01:55.599 --> 00:01:59.959 lead to attribution or provide valuable clues in an investigation. 32 00:02:00.439 --> 00:02:03.719 That's a really striking example of how something that seems 33 00:02:03.840 --> 00:02:06.760 very small can actually be a big deal in the 34 00:02:06.760 --> 00:02:11.080 context of reverse engineering. Absolutely so, knowing this, what can 35 00:02:11.120 --> 00:02:15.280 programmers do to sort of mitigate the risks associated with 36 00:02:15.319 --> 00:02:16.520 these compiler options. 37 00:02:16.599 --> 00:02:19.599 Well, thankfully they have tools at their disposal to strip 38 00:02:19.639 --> 00:02:23.840 away this sensitive information. Look leg and the strict utility 39 00:02:23.919 --> 00:02:28.639 are commonly used. They essentially remove the symbol table and 40 00:02:28.759 --> 00:02:33.919 relocation information, making the binary much harder to analyze statically. 41 00:02:34.159 --> 00:02:36.759 Okay, so let's break down these concepts for a second. Okay, 42 00:02:37.120 --> 00:02:41.080 what exactly are symbol tables and relocation information sure, and 43 00:02:41.159 --> 00:02:44.599 why are they so important for both developers and reverse engineers. 44 00:02:44.800 --> 00:02:48.840 Think of a symbol table as like a directory for 45 00:02:48.919 --> 00:02:54.000 your program. It maps human readable names like function names 46 00:02:54.120 --> 00:02:57.520 and variables to their corresponding locations in the compiled code. 47 00:02:58.080 --> 00:03:02.039 This is essential for debugging and understanding how different parts 48 00:03:02.039 --> 00:03:05.919 of the code interact. Relocation information, on the other hand, 49 00:03:06.520 --> 00:03:10.919 tells the linker how to adjust memory addresses when the 50 00:03:11.000 --> 00:03:15.319 program is loaded and executed. Without it, the program wouldn't 51 00:03:15.360 --> 00:03:17.439 know where to find its functions and data. 52 00:03:18.039 --> 00:03:21.919 So by removing these you're basically making the reverse engineer's 53 00:03:22.000 --> 00:03:23.000 job a lot harder. 54 00:03:23.240 --> 00:03:28.319 Precisely, they can't easily follow the program's logic or understand 55 00:03:28.400 --> 00:03:30.199 how its components are linked together. 56 00:03:30.240 --> 00:03:32.159 It's like you're taking away the instruction exactly. 57 00:03:32.240 --> 00:03:34.960 It's like trying to solve a jigsaw puzzle without the 58 00:03:35.000 --> 00:03:37.840 picture on the box. Have all the pieces, but figuring 59 00:03:37.840 --> 00:03:41.080 out how they fit together becomes a much more daunting task. 60 00:03:41.400 --> 00:03:44.599 That's a good analogy. Yeah, the book also talks about 61 00:03:44.599 --> 00:03:48.560 static and dynamic linking, so can you explain those concepts? 62 00:03:48.560 --> 00:03:50.360 And how they relate to anti reversing. 63 00:03:50.599 --> 00:03:54.000 Sure, static linking is like packing for a trip and 64 00:03:54.000 --> 00:03:57.479 bringing everything you need in one suitcase. All the necessary 65 00:03:57.520 --> 00:04:01.120 libraries and code are bundled directly into the final executable, 66 00:04:01.639 --> 00:04:05.039 making it a self contained unit. Dynamic linking, on the 67 00:04:05.039 --> 00:04:08.800 other hand, is like traveling light and relying on facilities 68 00:04:08.800 --> 00:04:12.960 available at your destination. The program only contains references to 69 00:04:13.159 --> 00:04:16.759 external libraries, which are loaded into memory when the program 70 00:04:16.800 --> 00:04:17.519 is executed. 71 00:04:17.720 --> 00:04:21.079 So how does that choice between static and dynamic linking 72 00:04:21.759 --> 00:04:25.600 affect the security and the difficulty of reverse engineering. 73 00:04:25.759 --> 00:04:30.959 Static linking, especially when using a lightweight C library like 74 00:04:31.319 --> 00:04:36.480 muscle lib, can create smaller binaries that are harder to analyze. 75 00:04:36.800 --> 00:04:40.319 Everything is tightly packed, making it difficult to separate the 76 00:04:40.360 --> 00:04:43.759 core logic from the supporting libraries. It's also worth noting 77 00:04:43.839 --> 00:04:47.639 that statically linked binaries can be more challenging to patch 78 00:04:47.680 --> 00:04:52.800 or modify interesting because any changes require recompiling the entire program. 79 00:04:53.199 --> 00:04:55.399 So it seems like there's this trade off. There is, 80 00:04:55.680 --> 00:05:00.519 yeah between convenience and security, So from manipulating these compilers options, 81 00:05:01.000 --> 00:05:04.600 let's move on to talking about the ELF file format. Okay, 82 00:05:04.680 --> 00:05:07.399 what makes it relevant to anti reversing, sure, and what 83 00:05:07.480 --> 00:05:10.040 kind of tricks can programmers use to make things difficult 84 00:05:10.079 --> 00:05:11.120 for reverse engineers. 85 00:05:11.839 --> 00:05:16.079 The ELF format, which stands for Executable and Linkable Format, 86 00:05:16.680 --> 00:05:20.399 is essentially the blueprint for how programs are structured and 87 00:05:20.480 --> 00:05:22.079 executed on Linux systems. 88 00:05:22.360 --> 00:05:22.600 Okay. 89 00:05:22.680 --> 00:05:26.879 It defines how different sections of a binary code, data 90 00:05:27.000 --> 00:05:29.759 and headers are organized and how they relate to each other. 91 00:05:30.399 --> 00:05:35.040 By manipulating specific elements within this ELF format, programmers can 92 00:05:35.040 --> 00:05:38.000 make their binaries much harder to understand and analyze. 93 00:05:38.040 --> 00:05:40.000 Okay, So give me an example of one of those 94 00:05:40.639 --> 00:05:42.120 techniques that really stands out. 95 00:05:42.279 --> 00:05:45.240 One fascinating technique is called the endian ness lie. 96 00:05:45.439 --> 00:05:45.720 Okay. 97 00:05:45.879 --> 00:05:49.120 Indianness refers to the order in which bytes are stored 98 00:05:49.160 --> 00:05:52.879 in computer memory. It can be either big endian or 99 00:05:53.000 --> 00:05:55.800 little endian, like two different ways to arrange a deck 100 00:05:55.839 --> 00:05:56.399 of cards. 101 00:05:56.680 --> 00:05:57.000 Okay. 102 00:05:57.040 --> 00:05:59.800 Now, imagine a clever programmer flipping a single bit in 103 00:05:59.800 --> 00:06:05.639 the ELF header that indicates endianness. This seemingly minor change 104 00:06:06.199 --> 00:06:09.079 can completely confuse analysis tools. 105 00:06:09.560 --> 00:06:12.079 So just by changing one little bit, you can make 106 00:06:12.120 --> 00:06:13.959 it look like gibberish to these tools. 107 00:06:13.959 --> 00:06:18.720 Precisely, tools like ridelf GDB, even radar A two, which 108 00:06:18.959 --> 00:06:23.600 rely on this correct endingess information to interpret the binary 109 00:06:23.720 --> 00:06:27.480 data would be completely misled. Wow, they might see corrupted 110 00:06:27.560 --> 00:06:31.439 data structures, nonsensical instructions, or even crash altogether. 111 00:06:31.680 --> 00:06:32.560 That's pretty sneaky. 112 00:06:32.879 --> 00:06:37.240 It is a potent technique to deter casual analysis and 113 00:06:37.480 --> 00:06:39.639 force reverse engineers to dig deeper. 114 00:06:39.879 --> 00:06:42.319 So are there other parts of the ELF header that 115 00:06:42.360 --> 00:06:43.199 they can play around with? 116 00:06:43.319 --> 00:06:47.639 Absolutely? Section headers, for example, describe the different segments of 117 00:06:47.680 --> 00:06:51.879 code and data within the binary. So by cleverly manipulating 118 00:06:51.920 --> 00:06:57.399 these headers, programmers can hide code sections from disassemblers like ida. 119 00:06:57.439 --> 00:06:57.920 Interesting. 120 00:06:58.040 --> 00:07:00.240 It's like having a book with several blank page just 121 00:07:00.240 --> 00:07:03.720 strategically placed throughout. Okay, you know there's something missing, but 122 00:07:03.920 --> 00:07:06.439 it's invisible to a casual glance. 123 00:07:06.680 --> 00:07:09.279 So you're forcing the reverse engineer to really work. 124 00:07:09.079 --> 00:07:11.879 Hard exactly to understand what's going. 125 00:07:11.720 --> 00:07:15.560 On, understand the structure and what the code's actually doing exactly. Okay, 126 00:07:15.600 --> 00:07:17.839 So it's all about creating obstacles for it. It is. 127 00:07:17.959 --> 00:07:21.560 Yeah, and don't forget about the dynamic symbols we discussed earlier. 128 00:07:22.279 --> 00:07:26.439 Modifying these symbols can add another layer of confusion to 129 00:07:27.000 --> 00:07:28.240 the disassembly process. 130 00:07:28.279 --> 00:07:31.240 It's like reading a map where all the names are changed, exactly. 131 00:07:31.639 --> 00:07:34.240 Good luck finding your way around right exactly. 132 00:07:34.839 --> 00:07:38.360 So we've been talking a lot about techniques that target 133 00:07:38.480 --> 00:07:42.079 the tools that are used for analysis, but what about 134 00:07:42.120 --> 00:07:47.319 approaches that directly address static analysis where you're looking at 135 00:07:47.319 --> 00:07:49.160 the code without actually running it. 136 00:07:49.279 --> 00:07:50.160 That's a great point. 137 00:07:50.319 --> 00:07:50.720 Yeah. 138 00:07:50.800 --> 00:07:55.439 Stack analysis is a powerful technique for understanding a program's behavior, 139 00:07:56.120 --> 00:07:59.079 but programmers have developed some clever ways to counter it. 140 00:07:59.240 --> 00:07:59.600 Okay. 141 00:08:00.000 --> 00:08:03.560 Instance, they can hide sensitive strings such as bench, which 142 00:08:03.600 --> 00:08:06.560 is often used to spawn a shell, by constructing them 143 00:08:06.639 --> 00:08:08.079 on the stack during runtime. 144 00:08:08.439 --> 00:08:08.839 Okay. 145 00:08:09.000 --> 00:08:12.879 This makes it difficult for static analysis tools, which simply 146 00:08:12.959 --> 00:08:17.199 scan the binary for specific patterns to find these strings. 147 00:08:17.319 --> 00:08:20.040 So instead of hard coding this string in there, you're 148 00:08:20.120 --> 00:08:21.959 basically assembling it piece by. 149 00:08:21.920 --> 00:08:24.319 Piece precisely as the program runs. 150 00:08:24.319 --> 00:08:25.879 As the program runs, are making. 151 00:08:25.759 --> 00:08:27.839 It invisible to static analysis. 152 00:08:28.240 --> 00:08:31.600 Wow, that's interesting. Yeah, it seems like programmers have a 153 00:08:31.600 --> 00:08:33.879 whole bag of tricks up their sleeves. 154 00:08:33.480 --> 00:08:36.600 They do to make life difficult for reverse engineers. 155 00:08:36.759 --> 00:08:37.799 We've covered quite a bit. 156 00:08:37.919 --> 00:08:44.919 We have compiler options, ELF manipulation, hiding strings, checksums for 157 00:08:45.200 --> 00:08:49.399 detecting tempering. Yeah, I think we've hit the key points 158 00:08:49.480 --> 00:08:52.679 from the excerpts that you provided. OK, but it's clear 159 00:08:52.720 --> 00:08:55.480 that Jacob Baines goes into much more depth in his book, 160 00:08:56.120 --> 00:08:57.519 covering a lot more techniques. 161 00:08:57.639 --> 00:09:01.399 Yeah, and we've only really briefly talked about evading debuggers, 162 00:09:01.600 --> 00:09:04.080 which is of course a crucial aspect of anti reversing. 163 00:09:04.200 --> 00:09:07.879 Absolutely so debuggers. Yeah, those are the tools that reverse 164 00:09:07.919 --> 00:09:11.080 engineers use to step through code, examine memory, and really 165 00:09:11.159 --> 00:09:14.360 understand what a program is doing precisely. But I'm guessing 166 00:09:14.360 --> 00:09:16.840 that programmers have some tricks to make that more difficult. 167 00:09:16.840 --> 00:09:17.279 Oh they do. 168 00:09:17.559 --> 00:09:18.000 Yeah. 169 00:09:18.080 --> 00:09:21.960 One common technique is using the p trace system call 170 00:09:22.519 --> 00:09:26.759 with the p tray stressim option. So it's a system 171 00:09:26.799 --> 00:09:29.879 call that allows a process to control another process. 172 00:09:30.080 --> 00:09:30.440 Okay. 173 00:09:30.600 --> 00:09:33.519 In this case, a program can use p trace to 174 00:09:33.679 --> 00:09:36.080 signal to the operating system that it's being debugged. 175 00:09:36.399 --> 00:09:36.639 Okay. 176 00:09:36.840 --> 00:09:39.720 This prevents other debuggers from attaching to the process. 177 00:09:39.879 --> 00:09:41.879 So it's like putting up a do not disturb sign. 178 00:09:41.799 --> 00:09:45.399 Exactly, Sorry, this program is already under surveillance. No room 179 00:09:45.440 --> 00:09:46.440 for another debugger here. 180 00:09:46.919 --> 00:09:50.519 Clever, but I imagine that determined reverse engineers could find 181 00:09:50.559 --> 00:09:51.399 ways around. 182 00:09:51.120 --> 00:09:54.919 That they could. Experienced reverse engineers can sometimes attach to 183 00:09:54.960 --> 00:09:58.320 a process even after it's already running and using process 184 00:09:58.799 --> 00:10:02.039 to counter this program can employ a more advanced technique 185 00:10:02.080 --> 00:10:03.759 involving process forking. 186 00:10:03.919 --> 00:10:05.799 Forking like a fork in the road in. 187 00:10:05.799 --> 00:10:09.600 Essence, yes, forking creates a copy of the running process. 188 00:10:10.120 --> 00:10:14.000 The original process continues its normal execution, but the new 189 00:10:14.480 --> 00:10:18.120 child process becomes a dedicated tracer for its parent. 190 00:10:18.320 --> 00:10:20.480 So it's like a bodyguard exactly. 191 00:10:20.639 --> 00:10:25.240 Yeah, this child process constantly monitors its parent for any 192 00:10:25.320 --> 00:10:28.840 signs of debugging attempts and can take action to protect it. 193 00:10:28.960 --> 00:10:32.720 That's impressive. Yeah, but what about tools that analyze the 194 00:10:32.759 --> 00:10:37.080 memory of a running process without actually attaching a debugger. Sure? 195 00:10:37.399 --> 00:10:40.039 So like o core for example, that creates a core dump. 196 00:10:40.159 --> 00:10:44.120 Excellent point. Core dumps are snapshots of a process's memory 197 00:10:44.200 --> 00:10:45.639 at a specific point in time. 198 00:10:45.879 --> 00:10:46.080 Right. 199 00:10:46.279 --> 00:10:49.399 They can be incredibly valuable for reverse engineers, allowing them 200 00:10:49.399 --> 00:10:52.639 to examine data structures, variables, and even the state of 201 00:10:52.679 --> 00:10:53.320 the call stack. 202 00:10:53.639 --> 00:10:56.639 So how do programmers protect their programs against that? 203 00:10:57.600 --> 00:10:59.720 Well, one approach is to use the madvice function. 204 00:11:00.480 --> 00:11:03.000 It allows a program to give hints to the operating 205 00:11:03.000 --> 00:11:06.960 system about how specific memory regions should be handled. 206 00:11:07.039 --> 00:11:07.759 What kind of hints? 207 00:11:08.159 --> 00:11:11.639 For example, a program can use madvice to mark certain 208 00:11:11.679 --> 00:11:15.120 memory regions as sensitive, okay, and requests that they be 209 00:11:15.240 --> 00:11:16.600 excluded from core dumps. 210 00:11:17.000 --> 00:11:19.600 So it's like a safe that has certain compartments that 211 00:11:19.639 --> 00:11:20.320 are shielded. 212 00:11:20.639 --> 00:11:24.720 That's a great analogy. Yeah. By selectively excluding sensitive information 213 00:11:24.799 --> 00:11:28.039 from core dumps, programmers can make it much harder for 214 00:11:28.159 --> 00:11:31.720 reverse engineers to gain a complete picture of the programs 215 00:11:31.720 --> 00:11:32.600 in a working. 216 00:11:32.440 --> 00:11:34.440 Right, You're hiding the good stuff exactly. 217 00:11:34.799 --> 00:11:37.480 It's a way to protect the most critical data and 218 00:11:37.559 --> 00:11:39.200 algorithms from prying eyes. 219 00:11:40.080 --> 00:11:42.559 This whole conversation has been so interesting. 220 00:11:42.799 --> 00:11:44.159 It is fascinating, isn't it. 221 00:11:44.240 --> 00:11:47.600 Yeah, it really opened my eyes to how complex this 222 00:11:47.720 --> 00:11:49.679 whole area of anti reversing is. 223 00:11:50.320 --> 00:11:50.720 It is. 224 00:11:50.840 --> 00:11:53.039 It seems like this constant battle of wits. 225 00:11:53.240 --> 00:11:55.320 It is a back and forth between those trying to 226 00:11:55.320 --> 00:11:57.840 protect the code and those trying to break it open. 227 00:11:58.519 --> 00:12:02.480 It makes me wonder how reverse engineers even keep up. 228 00:12:02.679 --> 00:12:08.480 With all of these really sophisticated techniques for obfuscating code. 229 00:12:08.679 --> 00:12:12.159 That's a great question and one that deserves a deeper exploration. 230 00:12:13.039 --> 00:12:15.039 I think in the next part of our deep dive, 231 00:12:15.360 --> 00:12:18.799 we should shift our focus to the reverse engineer's perspective. 232 00:12:19.360 --> 00:12:23.840 We can explore the tools the techniques and the mindset 233 00:12:23.879 --> 00:12:28.519 they use to unravel this obfuscated code, bypass these anti 234 00:12:28.559 --> 00:12:32.879 debugging traps, and ultimately understand how these programs work. 235 00:12:33.000 --> 00:12:34.720 I'm on the edge of my seat. I can't wait 236 00:12:34.759 --> 00:12:35.360 to get into that. 237 00:12:35.600 --> 00:12:38.879 It's a fascinating field that requires a really unique blend 238 00:12:38.960 --> 00:12:43.279 of technical skill, patients, and a bit of detective work. 239 00:12:43.399 --> 00:12:44.440 Yeah, I can see that. 240 00:12:44.679 --> 00:12:50.120 We'll explore how reverse engineers use tools like disassemblers, debuggers, 241 00:12:50.480 --> 00:12:54.360 and emulators to piece together this puzzle of obfuscated code. 242 00:12:54.440 --> 00:12:56.879 I have a feeling it'll be just as interesting as 243 00:12:56.919 --> 00:12:57.600 this first part. 244 00:12:57.759 --> 00:12:58.200 Yeah. 245 00:12:58.240 --> 00:13:00.159 So, thank you so much for taking the time. It's 246 00:13:00.159 --> 00:13:02.159 my pleasure to guide us through this complex world. 247 00:13:02.279 --> 00:13:02.960 It's been fun. 248 00:13:03.039 --> 00:13:05.399 Yeah, I'm really eager to continue our journey. 249 00:13:05.480 --> 00:13:05.759 Great. 250 00:13:05.960 --> 00:13:08.639 All right, so we'll be back soon, Okay to continue 251 00:13:08.639 --> 00:13:13.559 our deep dive into the world of Linux anti reversing techniques. Yeah, 252 00:13:13.799 --> 00:13:16.759 welcome back to the deep dive. Last time we started 253 00:13:16.799 --> 00:13:21.080 exploring this fascinating world of Linux anti reversing techniques, right, 254 00:13:21.279 --> 00:13:25.919 we uncovered how programmers are using seemingly simple tools like 255 00:13:26.039 --> 00:13:30.279 compiler options and ELF manipulation to make their code a 256 00:13:30.279 --> 00:13:33.320 lot harder to understand. Yeah, we went deep into that. 257 00:13:33.360 --> 00:13:35.759 It's like they have this secret language that only the 258 00:13:35.919 --> 00:13:40.279 initiated can decipher exactly. And speaking of secrets, we touched 259 00:13:40.320 --> 00:13:43.080 on checksums, right, and how they can act as these 260 00:13:43.120 --> 00:13:46.559 sort of trip wires to detect hampering. Can you talk 261 00:13:46.600 --> 00:13:49.279 a bit more about how checksums are actually used in 262 00:13:49.320 --> 00:13:51.519 the context of anti reversing. 263 00:13:51.879 --> 00:13:55.519 Sure checksums are like fingerprints for data, Okay, they provide 264 00:13:55.519 --> 00:13:58.799 a way to verify that nothing has been altered. Okay. 265 00:13:58.960 --> 00:14:02.559 One popular algorith them is CRC thirty two. It's fast, 266 00:14:02.559 --> 00:14:05.120 efficient and widely used in various. 267 00:14:04.879 --> 00:14:07.639 Applications, including anti reversing. 268 00:14:07.840 --> 00:14:12.200 So how does this actually work in practice? Does the 269 00:14:12.200 --> 00:14:15.000 programmer calculate a checksum for like the entire. 270 00:14:14.840 --> 00:14:19.039 Kind, not necessarily the entire code. It's often more strategic 271 00:14:19.080 --> 00:14:22.840 to focus on critical functions or sections that are particularly 272 00:14:22.879 --> 00:14:27.440 sensitive or likely to be targeted by reverse engineers. 273 00:14:27.039 --> 00:14:30.080 So they choose specific parts of the code exactly. Okay. 274 00:14:30.240 --> 00:14:33.440 Think of it like setting traps in the most valuable 275 00:14:33.519 --> 00:14:36.519 rooms of a house. Okay, you're not protecting every nook 276 00:14:36.559 --> 00:14:40.320 and cranny, but you're making it very risky for anyone 277 00:14:40.360 --> 00:14:43.200 trying to sneak into those specific areas. 278 00:14:42.879 --> 00:14:45.720 So they calculate the checksum for these specific parts. 279 00:14:45.919 --> 00:14:49.320 Right, the programmer calculates the CRC thirty two checksum for 280 00:14:49.360 --> 00:14:53.399 those critical functions and stores it securely within the program. 281 00:14:53.480 --> 00:14:56.279 So that's like the reference point there. Exactly what happens next? 282 00:14:56.320 --> 00:14:59.120 So at run time, Yeah, when the program is executing, 283 00:14:59.759 --> 00:15:03.240 it recalculates the checksum for the same function and compares 284 00:15:03.279 --> 00:15:06.759 it to the stored checksum. If the two checksums match, 285 00:15:07.159 --> 00:15:10.320 everything is fine. It means the code hasn't been tampered with. 286 00:15:10.879 --> 00:15:14.279 But if they don't match, then we have a problem. Exactly, 287 00:15:14.679 --> 00:15:18.200 it's a strong indication that something has been changed. Maybe 288 00:15:18.240 --> 00:15:21.919 a debugger inserted a breakpoint, or an attacker tried to 289 00:15:21.960 --> 00:15:25.639 modify the code to alter its behavior. The program can 290 00:15:25.679 --> 00:15:27.159 then take evasive action. 291 00:15:27.919 --> 00:15:29.480 What does that look like? Evasive action? 292 00:15:29.759 --> 00:15:32.799 Well, self destruct, not quite self distract, although that would 293 00:15:32.799 --> 00:15:37.080 be dramatic. It really depends on the programmer's intent. The 294 00:15:37.120 --> 00:15:41.559 program could simply terminate itself to prevent further analysis or 295 00:15:41.600 --> 00:15:45.440 execution of the modified code. It could also log the event, 296 00:15:46.240 --> 00:15:49.879 send an alert to a security monitoring system, or even 297 00:15:49.919 --> 00:15:52.639 take more subtle actions to mislead the attacker. 298 00:15:52.759 --> 00:15:55.320 So it's like this multi layered defense system. 299 00:15:55.399 --> 00:15:55.720 It is. 300 00:15:55.799 --> 00:15:58.679 You make the code hard to understand, You set these 301 00:15:58.720 --> 00:16:01.080 traps to detect if any one tries to mess with it, 302 00:16:01.679 --> 00:16:03.559 and then you have a plan in place if those 303 00:16:03.639 --> 00:16:04.480 traps are triggered. 304 00:16:04.679 --> 00:16:09.279 Good anti reversing strategies often involve multiple layers of protection, 305 00:16:09.440 --> 00:16:13.200 like an onion. Each layer makes it progressively harder to 306 00:16:13.240 --> 00:16:15.919 get to the core, and each layer can have its 307 00:16:15.960 --> 00:16:17.879 own set of defensive mechanisms. 308 00:16:17.960 --> 00:16:22.320 So we've covered compiler options, yeah, YLF, manipulation, hiding strings, 309 00:16:22.879 --> 00:16:26.679 checksums for detecting, tampering, anything else. 310 00:16:27.679 --> 00:16:31.000 I think from the excerpts you've provided we've hit the 311 00:16:31.120 --> 00:16:34.480 key points, but it's clear that Jacob Bains dives much 312 00:16:34.519 --> 00:16:38.559 deeper in the phone book covers more advanced techniques. For example, 313 00:16:38.639 --> 00:16:42.519 we've only briefly mentioned how to evade debuggers, which is 314 00:16:42.559 --> 00:16:44.799 a crucial aspect of anti reversing. 315 00:16:45.279 --> 00:16:49.399 Yeah. Debuggers are the tools that reverse engineers use to 316 00:16:49.600 --> 00:16:54.559 step through code, examine memory, and really understand how a 317 00:16:54.600 --> 00:16:55.519 program behaves. 318 00:16:55.679 --> 00:16:58.440 Yeah, so programmers have some tricks up their sleeves. 319 00:16:58.519 --> 00:16:59.320 Yeah, I bet they do. 320 00:16:59.559 --> 00:17:02.960 To make the reverse engineer's life a little bit harder. Okay, 321 00:17:03.039 --> 00:17:06.480 One common technique is using the p trace system call 322 00:17:07.039 --> 00:17:10.079 with the p trace TRASMI option trace. 323 00:17:10.160 --> 00:17:10.599 What is that? 324 00:17:10.720 --> 00:17:13.920 It's a system call that allows a process to control 325 00:17:13.960 --> 00:17:14.839 another process. 326 00:17:15.079 --> 00:17:15.480 Okay. 327 00:17:15.680 --> 00:17:18.400 In this case, a program can use pre trace to 328 00:17:18.480 --> 00:17:22.240 signal to the operating system that it's being debugged. This 329 00:17:22.279 --> 00:17:25.039 prevents other debuggers from attaching to the process. 330 00:17:25.160 --> 00:17:28.079 So it's like putting up that do not discurb sign precisely. 331 00:17:28.160 --> 00:17:31.160 Sorry, this program is already under surveillance. No room for 332 00:17:31.200 --> 00:17:32.279 another debugger here. 333 00:17:32.440 --> 00:17:36.279 That's clever. Yeah, but I imagine that there are ways 334 00:17:36.319 --> 00:17:38.880 around that. Oh there, if you're really determined. 335 00:17:39.119 --> 00:17:43.559 Experienced reverse engineers can sometimes attach to a process even 336 00:17:43.599 --> 00:17:47.400 after it's already running and using Patrice Remi To counter this, 337 00:17:47.640 --> 00:17:52.160 programmers can employ a more advanced technique involving process forking. 338 00:17:52.359 --> 00:17:53.799 Forking like a fork in the row. 339 00:17:53.799 --> 00:17:57.039 In essence, yes, okay. Forking creates a copy of the 340 00:17:57.079 --> 00:18:01.880 running process. The original process continues it's normal execution, but 341 00:18:02.000 --> 00:18:06.000 the new child process becomes a dedicated tracer for its parent. 342 00:18:06.640 --> 00:18:08.599 Oh so it's like a bodyguard exactly what. 343 00:18:09.119 --> 00:18:13.440 This child process constantly monitors its parent for any signs 344 00:18:13.440 --> 00:18:16.839 of debugging attempts and can take action to protect it. 345 00:18:17.160 --> 00:18:20.160 That's really interesting. Yeah, so even if a debugger manages 346 00:18:20.200 --> 00:18:23.960 to attach, the child process can detect this and either 347 00:18:24.079 --> 00:18:27.079 terminate the debugger or do something else to protect the 348 00:18:27.079 --> 00:18:28.119 original process. 349 00:18:28.200 --> 00:18:28.599 Exactly. 350 00:18:28.680 --> 00:18:29.400 That's impressive. 351 00:18:29.519 --> 00:18:31.240 Yeah, it's a pretty neat technique. 352 00:18:31.400 --> 00:18:35.079 What about tools that analyze the memory of a running 353 00:18:35.119 --> 00:18:39.519 process right without attaching a debugger, like cre core for example, 354 00:18:39.599 --> 00:18:41.920 excell hit, which creates a coredum. 355 00:18:42.079 --> 00:18:47.359 Coredums are snapshots of a process's memory at a specific 356 00:18:47.440 --> 00:18:50.960 point in time. They can be incredibly valuable for reverse engineers, 357 00:18:51.440 --> 00:18:55.000 allowing them to examine data structures, variables, and even the 358 00:18:55.039 --> 00:18:55.920 state of the call stack. 359 00:18:56.240 --> 00:18:58.720 So how do programmers protect themselves against that? 360 00:18:58.920 --> 00:19:01.519 Well, one approach is to use the mad vice function. 361 00:19:02.279 --> 00:19:05.559 It allows a program to give hints to the operating system. 362 00:19:05.799 --> 00:19:07.960 Hints, what kind of hints about how. 363 00:19:07.839 --> 00:19:12.279 Specific memory regions should be handled okay. For example, a 364 00:19:12.359 --> 00:19:16.440 program can use advise to mark certain memory regions as 365 00:19:16.599 --> 00:19:20.680 sensitive okay and request that they be excluded from core dumps. 366 00:19:21.039 --> 00:19:24.160 So it's like a safe great analogy that has certain 367 00:19:24.680 --> 00:19:28.839 compartments that are shielded from X rays or something like that. 368 00:19:28.960 --> 00:19:29.400 Exactly. 369 00:19:29.440 --> 00:19:32.160 You can see the outline, but you can't see what's inside. 370 00:19:32.279 --> 00:19:37.319 By selectively excluding this sensitive information from core dumps, programmers 371 00:19:37.319 --> 00:19:40.440 can make it much harder for reverse engineers to get 372 00:19:40.440 --> 00:19:43.359 a complete picture of what's going on. Right, You're hiding 373 00:19:43.400 --> 00:19:46.160 the good stuff exactly. It's a way to protect the 374 00:19:46.200 --> 00:19:49.839 most critical data and algorithms from prying eyes. 375 00:19:50.400 --> 00:19:52.559 This has been a really eye opening conversation. 376 00:19:52.759 --> 00:19:54.279 It is a fascinating topic. 377 00:19:54.480 --> 00:19:57.119 It is I'm starting to see why this whole field 378 00:19:57.160 --> 00:20:01.240 of anti reversing is so complex and fascinating. 379 00:20:01.440 --> 00:20:04.920 It's this constant back and forth between those trying to 380 00:20:04.960 --> 00:20:07.960 protect code and those trying to break it open. 381 00:20:08.160 --> 00:20:12.200 It makes me wonder how to reverse engineers even keep up. 382 00:20:12.440 --> 00:20:13.759 That's a great questions, all. 383 00:20:13.559 --> 00:20:17.720 These techniques for obfuscating and protecting code, and one. 384 00:20:17.559 --> 00:20:20.720 That deserves a deeper exploration. I think in the next 385 00:20:20.799 --> 00:20:23.720 part of our deep dive we should shift our focus 386 00:20:23.799 --> 00:20:25.559 to the reverse engineer's perspective. 387 00:20:25.680 --> 00:20:26.480 Okay, I like it. 388 00:20:26.519 --> 00:20:30.079 We can explore the tools, the techniques, and the mindset 389 00:20:30.160 --> 00:20:34.640 they use to unravel this obfuscated code bypass those anti 390 00:20:34.720 --> 00:20:38.480 debugging traps, and ultimately understand how these programs work. 391 00:20:38.640 --> 00:20:40.960 Okay, so we're switching sides now. We are all right, 392 00:20:41.000 --> 00:20:41.480 I'm ready. 393 00:20:41.519 --> 00:20:42.200 Should be fun. 394 00:20:42.440 --> 00:20:45.559 Welcome back to the deep dive. We've been exploring the 395 00:20:45.599 --> 00:20:49.319 world of Linux anti reversing techniques, looking at all the 396 00:20:49.319 --> 00:20:53.000 ways that programmers can protect their code, but we've mostly 397 00:20:53.039 --> 00:20:55.640 focused on the programmer's perspective. Yeah, so I want to 398 00:20:55.680 --> 00:20:58.240 shift gears a little bit and talk about the people 399 00:20:58.279 --> 00:21:02.240 who are actually trying to unwrap this obfuscated. 400 00:21:01.559 --> 00:21:03.119 Code, right, the reverse engineer. 401 00:21:03.279 --> 00:21:07.000 Exactly what kind of tools and techniques do reverse engineers 402 00:21:07.079 --> 00:21:09.759 use to sort of break through these layers of protection? 403 00:21:10.559 --> 00:21:13.200 Reverse engineering is a fascinating field. 404 00:21:13.480 --> 00:21:13.720 Yeah. 405 00:21:13.960 --> 00:21:18.960 It requires a mix of technical skill, analytical thinking okay, 406 00:21:19.200 --> 00:21:20.680 and a lot of persistence. 407 00:21:21.039 --> 00:21:23.039 So do they have like special software. 408 00:21:22.920 --> 00:21:26.960 They do that helps them counteract these anti reversing techniques. 409 00:21:26.960 --> 00:21:29.359 They have a whole arsenal of tools at they're disposal. 410 00:21:29.440 --> 00:21:31.119 Okay, so, like, what are we talking about. 411 00:21:31.400 --> 00:21:34.000 One of the most important tools is a disassembler. 412 00:21:34.279 --> 00:21:34.680 Okay. 413 00:21:34.799 --> 00:21:38.559 A disassembler converts machine code back into a more human 414 00:21:38.640 --> 00:21:41.480 readable assembly language representation. 415 00:21:41.680 --> 00:21:44.839 So it's like translating a secret code exactly back into 416 00:21:44.880 --> 00:21:48.559 something we can understand. But if the code is really obfuscated, 417 00:21:49.599 --> 00:21:53.960 wouldn't the disassembly be super complex and difficult to follow. 418 00:21:54.119 --> 00:21:58.359 That's where debuggers come in. The buggers allow reverse engineers 419 00:21:58.400 --> 00:22:02.519 to step through the code line by line, examine the 420 00:22:02.599 --> 00:22:07.480 contents of memory, and really understand the program's execution flow. 421 00:22:08.000 --> 00:22:10.599 So they're kind of like slowing down the execution and 422 00:22:10.680 --> 00:22:12.799 really seeing what's happening at each step exactly. 423 00:22:12.839 --> 00:22:15.519 They're getting a granular view of what the program is doing. 424 00:22:15.880 --> 00:22:18.359 But what if the program is designed to detect and 425 00:22:18.440 --> 00:22:19.359 evade debuggers. 426 00:22:19.759 --> 00:22:23.359 That's a common challenge. As we discussed earlier, Programmers often 427 00:22:23.440 --> 00:22:27.640 implement anti debugging techniques to make it harder for reverse 428 00:22:27.720 --> 00:22:32.599 engineers to analyze their code. In response, reverse engineers have 429 00:22:32.680 --> 00:22:36.519 developed specialized debuggers and techniques to bypass these defenses. 430 00:22:36.640 --> 00:22:38.599 So it's this constant back and forth. 431 00:22:38.920 --> 00:22:42.000 It is a constant arms race, with both sides trying 432 00:22:42.000 --> 00:22:43.000 to outsmart each other. 433 00:22:43.359 --> 00:22:45.960 Give me an example of how a debugger might try 434 00:22:46.000 --> 00:22:47.319 to get around these defenses. 435 00:22:47.640 --> 00:22:51.400 Well, some debuggers can attach to a process okay without 436 00:22:51.519 --> 00:22:54.079 triggering those typical anti debugging. 437 00:22:53.640 --> 00:22:56.119 Alerts, so they're being sneaky exactly. 438 00:22:56.519 --> 00:22:59.279 Others can actually modify the program's code on the fly 439 00:23:00.160 --> 00:23:02.839 to disable or bypass certain checks. 440 00:23:03.000 --> 00:23:03.759 That's impressive. 441 00:23:03.799 --> 00:23:06.160 It's a constant game of adaptation and innovation. 442 00:23:06.960 --> 00:23:11.039 So besides disassemblers and debuggers, are there other tools, yes, 443 00:23:11.079 --> 00:23:13.119 that are commonly used in reverse engineering. 444 00:23:13.400 --> 00:23:17.160 Emulators are another valuable tool. They allow reverse engineers to 445 00:23:17.240 --> 00:23:20.559 run a program in a controlled environment, separate from the 446 00:23:20.599 --> 00:23:23.799 actual hardware. This can be very helpful when dealing with 447 00:23:24.039 --> 00:23:26.880 malware or other potentially harmful software. 448 00:23:27.000 --> 00:23:28.720 Yeah, you don't want to run that on your actual 449 00:23:28.759 --> 00:23:29.519 machine exactly. 450 00:23:29.599 --> 00:23:32.480 You want to isolate it and prevent it from causing 451 00:23:32.480 --> 00:23:33.400 any real damage. 452 00:23:33.440 --> 00:23:35.839 So it's like a sandbox precisely, or they can play 453 00:23:35.839 --> 00:23:37.480 around with it safely exactly. 454 00:23:37.839 --> 00:23:43.200 Emulators provide that safe and controlled environment for analysis. They 455 00:23:43.200 --> 00:23:47.519 also allow reverse engineers to experiment with different inputs and 456 00:23:47.599 --> 00:23:52.160 observe how the program reacts, gaining valuable insights into its behavior. 457 00:23:52.359 --> 00:23:54.519 So with all these tools, it seems like reverse engineers 458 00:23:54.519 --> 00:23:55.200 are pretty well. 459 00:23:55.039 --> 00:23:58.200 Equipped they are to deal with obtuscated code, but it's. 460 00:23:58.039 --> 00:24:02.960 Still a very demanding and time consuming process. Reverse engineering 461 00:24:03.039 --> 00:24:06.960 is a highly skilled and demanding field. It requires patients, 462 00:24:07.279 --> 00:24:12.279 attention to detail, and a deep understanding of computer architecture, 463 00:24:12.759 --> 00:24:15.279 operating systems at programming languages. 464 00:24:15.319 --> 00:24:16.519 It sounds like detective work. 465 00:24:16.720 --> 00:24:19.839 It is very much like detective work. Reverse Engineers have 466 00:24:19.920 --> 00:24:24.440 to analyze huge amounts of data, cross reference information, and 467 00:24:24.480 --> 00:24:28.960 make educated guesses to understand how a program works. 468 00:24:29.039 --> 00:24:29.799 It's like a puzzle. 469 00:24:29.880 --> 00:24:31.759 It is like solving a complex. 470 00:24:31.319 --> 00:24:33.799 Puzzle where you don't even have all the pieces. 471 00:24:33.519 --> 00:24:36.039 And some of the pieces might be misleading. 472 00:24:35.720 --> 00:24:39.519 Right, which makes it even harder. Exactly, So why bother? 473 00:24:39.720 --> 00:24:40.640 That's a great question. 474 00:24:40.799 --> 00:24:43.000 Why go through all this effort to understand how a 475 00:24:43.079 --> 00:24:46.079 program works when you could just use it as intended? 476 00:24:46.160 --> 00:24:51.079 Well, reverse engineering serves many purposes in cybersecurity. 477 00:24:51.079 --> 00:24:55.839 For example, it's crucial for analyzing malware, understanding how it works, 478 00:24:55.880 --> 00:24:58.160 and developing countermeasures. 479 00:24:57.359 --> 00:25:00.279 To protect systems and users. Exactly. So, it's like taking 480 00:25:00.359 --> 00:25:01.039 up on a bomb. 481 00:25:01.119 --> 00:25:02.200 It is very much like that. 482 00:25:02.240 --> 00:25:03.960 To figure out how to defuse it. 483 00:25:03.920 --> 00:25:06.039 You need to understand how it works in order to 484 00:25:06.079 --> 00:25:07.039 neutralize the threat. 485 00:25:07.279 --> 00:25:12.480 So are there other reasons besides cybersecurity? Yes, why someone 486 00:25:12.559 --> 00:25:14.039 might want to do reverse engineering. 487 00:25:14.599 --> 00:25:19.240 Sometimes it's done for interoperability reasons, okay. For instance, a 488 00:25:19.319 --> 00:25:23.200 company might reverse engineer a competitor's product okay, to understand 489 00:25:23.200 --> 00:25:26.920 how it works and develop compatible software or hardware. 490 00:25:26.799 --> 00:25:28.640 So they're trying to figure out how to make things 491 00:25:28.640 --> 00:25:30.599 work together exactly. That makes sense. 492 00:25:30.759 --> 00:25:34.279 Reverse engineering can be a valuable tool for bridging the 493 00:25:34.359 --> 00:25:36.480 gap between different technologies. 494 00:25:37.200 --> 00:25:39.039 This has been a really enlightening conversation. 495 00:25:39.160 --> 00:25:39.839 It has been fun. 496 00:25:39.920 --> 00:25:44.519 We've gone from like the nitty gritty details of compiler options, yeah, 497 00:25:44.920 --> 00:25:47.680 to the big picture of reverse engineering. It is and 498 00:25:47.720 --> 00:25:49.880 it's fascinating to see how these two sides are always 499 00:25:49.960 --> 00:25:51.319 kind of yeah, pushing each other. 500 00:25:51.400 --> 00:25:53.960 It's that constant push and pull that drives innovation. 501 00:25:55.079 --> 00:25:58.119 So as we wrap up our deep dive into the 502 00:25:58.160 --> 00:26:02.160 world of Linux anti reverse is there anything else that 503 00:26:02.200 --> 00:26:03.440 you want to leave our listeners with. 504 00:26:04.000 --> 00:26:06.240 I think the key takeaway is that this isn't just 505 00:26:06.279 --> 00:26:13.759 a technical topic, okay, it has much broader implications for security, innovation, 506 00:26:14.359 --> 00:26:19.319 and even ethics. Interesting understanding these techniques helps us appreciate 507 00:26:19.440 --> 00:26:23.319 the complexities of software development and the challenges of balancing 508 00:26:23.359 --> 00:26:24.799 protection with transparency. 509 00:26:24.920 --> 00:26:27.240 It's a really interesting thought. And on that note, I 510 00:26:27.240 --> 00:26:29.680 think we'll wrap things up here. Okay, thank you so 511 00:26:29.759 --> 00:26:31.880 much for joining us. It's been my pleasure, and thank 512 00:26:31.880 --> 00:26:33.480 you to all of our listeners for tuning in. 513 00:26:33.640 --> 00:26:34.319 Yes, thank you. 514 00:26:34.559 --> 00:26:36.880 This has been a fascinating journey into a world that's 515 00:26:36.920 --> 00:26:41.839 often hidden. It is but incredibly important. Absolutely keep exploring, 516 00:26:42.559 --> 00:26:45.079 keep learning, keep digging in and stay curious.