1 00:00:00,920 --> 00:00:06,310 Hello and welcome to a new section on intro to software protection.
2 00:00:06,320 --> 00:00:13,610 We are going to look at what is software protection, EXE packing, its purpose, how to defeat software protection,
3 00:00:14,210 --> 00:00:20,480 what is unpacking, how does the packed EXE execute,
4 00:00:20,650 --> 00:00:29,140 a packed program, the standard process of unpacking an EXE, and some anti-debugging plugins. Software protection
5 00:00:29,210 --> 00:00:37,780 is protection of software against piracy, misuse and reverse engineering, and the two main ways to protect
6 00:00:37,780 --> 00:00:46,520 software are using anti-debugging, which is to prevent debuggers from attaching or analyzing it. The second
7 00:00:46,520 --> 00:00:53,780 way is by packing, which is to compress the software whilst retaining its ability to execute.
8 00:00:53,800 --> 00:01:03,790 EXE packing: the executable is compressed to a smaller size and it is protected using anti-
9 00:01:03,790 --> 00:01:11,670 debugging techniques to prevent reversing it. The tool, packer or protector, is commonly referred to
10 00:01:12,100 --> 00:01:15,380 as a packer. Examples of packers are
11 00:01:15,480 --> 00:01:25,690 UPX, ASProtect, Armadillo, VMProtect etc. The purpose of packing EXEs is to prevent reverse engineering,
12 00:01:25,930 --> 00:01:34,060 to extract the correct license key algorithm, to defeat static disassembly and to make dynamic debugging
13 00:01:34,060 --> 00:01:34,870 more difficult.
14 00:01:34,970 --> 00:01:44,280 Packing EXEs also reduces the executable file size. How to defeat software protection: first, for starters,
15 00:01:44,300 --> 00:01:52,430 it is to use unpacking. Unpacking is by letting the program decompress itself into memory and
16 00:01:52,430 --> 00:01:58,040 then extracting the original EXE from memory and dumping it into a new file.
17 00:01:58,040 --> 00:02:05,450 Then you create a patch for the new EXE. Another method is to use loaders.
18 00:02:05,450 --> 00:02:07,920 This is also known as runtime patching.
19 00:02:08,120 --> 00:02:12,720 Here you patch the process in memory instead of patching a file.
20 00:02:12,890 --> 00:02:19,550 We use the loader to start the program and wait for it to uncompress itself into memory.
21 00:02:19,700 --> 00:02:28,090 The loader would then patch the process whilst it is still running in memory. What is unpacking?
22 00:02:28,090 --> 00:02:35,170 Unpacking is retrieving the original binary from the packed EXE file. Automatic unpackers exist for
23 00:02:35,170 --> 00:02:41,800 popular packers, by many authors, in different versions, and are not always available for complex packers.
24 00:02:42,010 --> 00:02:50,180 And this also involves live debugging by defeating anti-debugging techniques. Detection of packers: a
25 00:02:50,260 --> 00:02:54,070 packer detector is PEiD.
26 00:02:54,100 --> 00:03:00,600 These detectors can detect popular packers and also show the version of the packer and also preview
27 00:03:00,620 --> 00:03:04,340 the PE header in PEview.
28 00:03:04,660 --> 00:03:12,700 Two examples of screenshots of packer detectors: Detect It Easy and PEiD. On the right is the structure of
29 00:03:12,940 --> 00:03:15,470 the PE file.
30 00:03:15,600 --> 00:03:18,140 This is the structure before packing.
31 00:03:18,150 --> 00:03:28,120 We have the original entry point and the program will start running here. After it has been packed, the original
32 00:03:28,150 --> 00:03:36,900 entry point and all the instructions here are compressed, and the original entry point now is inside here.
33 00:03:37,180 --> 00:03:45,760 The packer will put a new entry point, so when the program runs it will jump to the packer code first,
34 00:03:45,790 --> 00:03:51,130 as a stub, and the packer code will then decompress it back,
35 00:03:51,140 --> 00:03:55,680 the original file, into memory, so that it becomes like this.
36 00:03:56,130 --> 00:04:03,580 Then it will execute. So this is why we have difficulty patching the packed file, because the PE file is
37 00:04:03,580 --> 00:04:07,540 in a compressed state, and there are several types of packers.
38 00:04:07,660 --> 00:04:15,390 Type 1 is the simplest type of all, and an example is UPX. Type 2 contains multiple packing layers. Type 3
39 00:04:15,840 --> 00:04:24,120 is similar to Type 2 but it uses more complex structures like loops and also different code
40 00:04:24,260 --> 00:04:27,560 like integrity checks, anti-debugging and so on.
41 00:04:27,600 --> 00:04:33,480 Examples will be PECompact, ASProtect, ASPack and so on.
42 00:04:33,510 --> 00:04:40,440 Then there is Type 4, interleaved packing, in which a portion of the packer code not
43 00:04:40,440 --> 00:04:46,950 responsible for unpacking is interleaved with the execution of the original program. An example is ...
44 00:04:46,950 --> 00:04:53,550 Type 5 is an entirely interleaved layer, and the packing code lives usually always
45 00:04:53,550 --> 00:04:54,550 in the program.
46 00:04:54,570 --> 00:04:59,650 An example is Themida. Type 6 is the most complex in that way.
47 00:04:59,730 --> 00:05:06,020 The unpacker unpacks fragments of the code at any given time during the execution.
48 00:05:06,030 --> 00:05:14,370 An example is Armadillo. Then there is the packer which uses virtualization, in which instructions are translated
49 00:05:14,820 --> 00:05:16,620 to avoid the original code
50 00:05:16,680 --> 00:05:23,860 from being exposed in memory. Examples are Themida and VMProtect. The execution of a packed program
51 00:05:23,970 --> 00:05:31,310 is like this. Execution will start from the new OEP, which is the entry point of the stub added by the packer.
52 00:05:31,380 --> 00:05:36,270 And then it pushes ESP and some of the registers to the stack.
53 00:05:36,310 --> 00:05:38,870 Then the unpacking section unpacks into memory.
54 00:05:38,940 --> 00:05:42,580 Then it resolves the import address table, or IAT.
55 00:05:42,590 --> 00:05:53,900 The IAT of an executable file holds the list of dynamic link libraries which are being used by the program.
56 00:05:53,930 --> 00:06:00,120 It will restore all the registers' state using the POPAD and POP ESP instructions.
57 00:06:00,140 --> 00:06:04,880 And then finally it jumps to the OEP to begin the actual execution.
58 00:06:04,880 --> 00:06:09,570 A single PUSHAD instruction is equivalent to all the pushes.
59 00:06:09,670 --> 00:06:16,340 The most important is ESP. A single POPAD instruction is equivalent to all the POP instructions, and the
60 00:06:16,340 --> 00:06:22,310 most important is POP ESP, so we can trace
61 00:06:22,440 --> 00:06:27,910 when the packer is about to return execution to the extracted EXE file.
62 00:06:27,990 --> 00:06:34,550 Now this is what it looks like when the packer is about to return execution to the unpacked file.
63 00:06:34,610 --> 00:06:42,420 When a program first starts, it will start with the instructions for the packer. Before the packer starts,
64 00:06:42,420 --> 00:06:49,470 it will push ESP to the stack so that it can return to it once it has extracted the original
65 00:06:49,560 --> 00:06:55,830 EXE file, and then just before it goes to the extracted file to execute it,
66 00:06:55,830 --> 00:06:56,390 it will pop.
67 00:06:56,400 --> 00:06:57,500 It will pop ESP.
68 00:06:57,720 --> 00:07:06,240 This is how you can make use of this characteristic to track when the packer has finished unpacking and
69 00:07:06,250 --> 00:07:11,640 is about to return to the extracted EXE to execute.
70 00:07:11,670 --> 00:07:18,530 You can put a hardware breakpoint on ESP. Now the standard process of unpacking an EXE is like this: first, we
71 00:07:18,570 --> 00:07:29,910 debug the EXE to find the real OEP. Then, at the OEP, you dump the fully intact program to disk, then you
72 00:07:29,910 --> 00:07:39,140 fix the import address table, and if necessary, patch it. Now, unpacking using the ESP trick: first, we
73 00:07:39,140 --> 00:07:48,310 load the packed EXE into the debugger, then we start tracing the EXE until we encounter a PUSHAD or PUSH
74 00:07:48,310 --> 00:07:57,060 ESP instruction, then you put a hardware breakpoint on the ESP address in the stack, next you press F9 to continue
75 00:07:57,080 --> 00:08:05,500 the execution; you will break on the instruction which is immediately after the POPAD or POP ESP instruction;
76 00:08:06,910 --> 00:08:13,720 then you press F5 and start tracing; as soon as you encounter a JMP instruction, it will jump to
77 00:08:13,720 --> 00:08:17,380 the OEP of the original program.
78 00:08:17,590 --> 00:08:27,220 Once you have found the OEP, you dump the whole program using Scylla or a dumping plugin. So dumping
79 00:08:27,280 --> 00:08:33,540 is a process of extracting the unpacked EXE file from memory and saving it into a separate file.
80 00:08:35,160 --> 00:08:41,370 After you have done that you need to fix the import address table so that the new EXE file will know where
81 00:08:41,370 --> 00:08:47,510 to look for the DLL libraries that it needs. Now,
82 00:08:47,510 --> 00:08:55,830 anti-debugging plugins. Anti-debugging is when the software is able to detect that a debugger is
83 00:08:55,830 --> 00:09:03,180 attached and therefore will refuse to execute, and there are many popular plugins which can defeat
84 00:09:03,240 --> 00:09:07,140 these anti-debugging techniques.
85 00:09:07,160 --> 00:09:12,590 Thank you for this lesson. In the next lesson we look at other protectors.