Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,830 --> 00:00:05,800 Hello and welcome to a new section on intro to Software Protection. 2 00:00:06,230 --> 00:00:08,750 We are going to look at what is software protection. 3 00:00:09,380 --> 00:00:16,970 Yes, faking purpose, how to defeat software protection while he's unpacking how to detect Charvet 4 00:00:16,970 --> 00:00:17,510 protection. 5 00:00:18,490 --> 00:00:27,790 I think it is he program, he said that process of unpacking and EIC and some entity backing plug ins, 6 00:00:28,000 --> 00:00:34,750 civil protection, his protection of Saffet against piracy or use and reverse engineering. 7 00:00:35,530 --> 00:00:43,060 And the two main ways to protect software is using entity Puggy, which is to prevent debuggers from 8 00:00:43,100 --> 00:00:51,730 attaching or analyzing or the second way is by packing, which is to compress the software whilst retaining 9 00:00:51,730 --> 00:00:54,590 his ability to execute Issie. 10 00:00:54,610 --> 00:01:04,210 Packy is rarely executable, is compressed to a smaller size, and ECAC protecting using anti debugging 11 00:01:04,210 --> 00:01:12,970 techniques to prevent reversing and reversing will go back and protect is commonly referred as Peca. 12 00:01:13,870 --> 00:01:15,860 Examples are backing up. 13 00:01:16,570 --> 00:01:21,220 Yes, protect, armadillo, then protect, etc.. 14 00:01:21,220 --> 00:01:29,080 The purpose of backing is is to prevent reverse engineering, to extract the correct sense of security 15 00:01:29,080 --> 00:01:35,210 and to defeat the static assembly or to dynamically modify the packing. 16 00:01:35,230 --> 00:01:38,380 Yes, you also reduce the executable file size. 17 00:01:40,780 --> 00:01:43,890 How to defeat self-protection first. 18 00:01:43,940 --> 00:01:51,640 Not that easy to use, and backing and backing is where you let the program uncompress itself into memory 19 00:01:52,150 --> 00:02:00,370 and then the original EIC from memory and jumping into a New York fire, then to create a patch for 20 00:02:00,370 --> 00:02:01,110 the new reality. 21 00:02:02,930 --> 00:02:04,130 Another way is to use. 22 00:02:05,390 --> 00:02:13,300 This is also known as runtime betting here, you processing memory instead of putting a file we used 23 00:02:13,310 --> 00:02:21,440 in order to start the program and wait for it to Uncompress itself into memory, the we the process 24 00:02:21,710 --> 00:02:24,050 while is still running in memory. 25 00:02:26,170 --> 00:02:33,400 What is unpacking and packing is very, extremely harsh and binary from the pack of five automatic on 26 00:02:33,400 --> 00:02:41,880 package sizes for popular package by mean of different versions and not also available for complex packages. 27 00:02:41,890 --> 00:02:50,230 And this also involves life debugging by defeating entity bugging techniques, detection of PACA, the 28 00:02:50,230 --> 00:02:58,630 aperture detectors, PIV and the IED detectors can detect popular packages and also show the version 29 00:02:58,630 --> 00:03:06,910 of the packet and also believe you were to be added to and give you two examples of screenshots of package 30 00:03:06,910 --> 00:03:10,800 detected detected in the net and by on the right. 31 00:03:11,740 --> 00:03:14,470 It is a structure, the people. 32 00:03:15,540 --> 00:03:22,230 This is stretching before, Becky, we have to always an entry point and program is still running here. 33 00:03:23,550 --> 00:03:24,990 After he has been back. 34 00:03:26,260 --> 00:03:26,740 The. 35 00:03:27,640 --> 00:03:36,070 Always an entry point, and all the instructions here are compressed in the entry point now is inside 36 00:03:36,070 --> 00:03:40,390 you, the package will put a new entry point. 37 00:03:40,420 --> 00:03:46,450 So when your program run, it will jump to the and technical possible stop. 38 00:03:47,270 --> 00:03:56,480 And again, Uncompress, a backed original file into memory so that he becomes like this, only then 39 00:03:56,590 --> 00:03:57,380 he execute. 40 00:03:58,320 --> 00:04:04,590 So there is a way we have difficulty getting the backfire because the profile is in a compressed it 41 00:04:05,010 --> 00:04:09,190 and several types of peckers, that one is the simplest pick up. 42 00:04:09,190 --> 00:04:14,010 For an example, you type to contest multiple backing. 43 00:04:14,010 --> 00:04:17,190 The three is similar to type two. 44 00:04:17,820 --> 00:04:26,340 But he was more complex structures like loops and also different codes like integrity checks and debugging 45 00:04:26,340 --> 00:04:26,820 and so on. 46 00:04:27,480 --> 00:04:33,060 Example will be Beacom back year by year protection aspect and so on. 47 00:04:33,450 --> 00:04:34,770 That fall by the wayside. 48 00:04:34,790 --> 00:04:42,090 A single Mardele, a package in which a portion of the package could not responsible for handbagging 49 00:04:42,510 --> 00:04:45,780 is intended for the execution on the original program. 50 00:04:45,780 --> 00:04:47,010 Example is E.S.P. 51 00:04:47,010 --> 00:04:54,180 Protect that five package is an entirely PACULA million taking to live with the original program. 52 00:04:54,450 --> 00:05:03,900 Example is Veria Taxi Spica most complex where the attacker and fragments of the code at any given time 53 00:05:04,170 --> 00:05:07,410 during the execution example is Armadillo. 54 00:05:08,970 --> 00:05:16,050 That's seven Paca is very visualisations is being used on a Russian translation to avoid the obvious 55 00:05:16,620 --> 00:05:23,300 from the ice post in memory, Hasan, Boza, Timyra and PVM predict the assassination of a bank program. 56 00:05:23,670 --> 00:05:25,600 It's like this assassination. 57 00:05:25,620 --> 00:05:34,020 We start from the new OEP, which is the OEP of this company, Ambedkar, and then you push the SBP 58 00:05:34,020 --> 00:05:38,840 and some of the registers to this technician on the taxations are unpegging memory. 59 00:05:38,850 --> 00:05:44,280 Then you rizza a progressive ideas on how executable file. 60 00:05:45,700 --> 00:05:52,310 It is the use of time in libraries which is being used by the program. 61 00:05:53,840 --> 00:06:03,440 He will restore her status using U.S. pump Russian, and then finally you would jump to the OEP to begin 62 00:06:03,440 --> 00:06:10,490 the actual execution, a single push against Russia is equivalent to only squishes the most important 63 00:06:10,580 --> 00:06:18,280 CVP, a single Russian is equivalent to how these instructions and the most importantly, AVP. 64 00:06:19,980 --> 00:06:26,620 Probably BP is a way we can when Wendy Packer is about to return to the instructor. 65 00:06:27,900 --> 00:06:34,540 Now, this is what it looks like when the PACULA is about to return instruction to the backfire. 66 00:06:34,560 --> 00:06:41,750 When the program first starts, you will start with the instruction for the better before the battle 67 00:06:41,760 --> 00:06:42,360 starts. 68 00:06:42,390 --> 00:06:46,860 You push SBB to the side so that he can return to it. 69 00:06:47,130 --> 00:06:55,080 Once you strike that the original file and then just before he goes to the instructor, fail to execute 70 00:06:55,080 --> 00:06:56,960 it, he will pop up. 71 00:06:57,060 --> 00:07:02,400 So this is how you can make use of this characteristic to track. 72 00:07:02,400 --> 00:07:10,420 When the linebacker has finished unpacking and is about to return to the instructor, he has to execute. 73 00:07:11,580 --> 00:07:15,060 You can put every point on SBP now. 74 00:07:15,090 --> 00:07:21,240 The standard process of unpegging AICTE like this, he would not be easy to find a real or OEP. 75 00:07:22,350 --> 00:07:28,280 And then once he found you, you dumb the and program to disk. 76 00:07:29,580 --> 00:07:38,940 Then you fix the part-timer anniversary of Sleepyhead now unpacking, using excessive force. 77 00:07:39,370 --> 00:07:42,030 Look into for the big. 78 00:07:43,050 --> 00:07:49,290 Then he starts racing until you encounter a pushy 80 or pushy instruction. 79 00:07:50,470 --> 00:07:57,190 Then you could have a big point on TV address in the stack next to you press F nine to continue the 80 00:07:57,190 --> 00:08:02,470 execution, you would break on the obstruction, which is immediately after the head. 81 00:08:03,440 --> 00:08:12,580 On instruction, then you press F seven to start raising as soon you encounter a jam a jam session, 82 00:08:12,790 --> 00:08:21,490 which will jump to the entry point any way, once you have found and you already have done the whole 83 00:08:21,490 --> 00:08:25,120 program using C for the biggest skill applied in. 84 00:08:26,230 --> 00:08:33,610 So dumping is a process of extracting the easy fire and setting into a separate fire. 85 00:08:35,070 --> 00:08:40,470 After you've done that, you need to fix the ingestible, said the new SFR. 86 00:08:40,710 --> 00:08:44,310 We know where to look for the DNA library study needs. 87 00:08:47,070 --> 00:08:56,370 Now, indeed, developing plugins and debugging is where the software itself detects that Bagley's attention 88 00:08:56,670 --> 00:08:58,420 and their therefore refuse to execute. 89 00:08:59,220 --> 00:09:03,520 And two very popular bloggers we can defeat is. 90 00:09:06,380 --> 00:09:12,620 Dessau, thank you for your lesson in a nice lesson to stand our practicals, Houdin. 9449