1
00:00:06,170 --> 00:00:08,900
- Reverse engineering is the methodology

2
00:00:08,900 --> 00:00:11,630
for acquiring architectural information

3
00:00:11,630 --> 00:00:14,610
about anything originally created by someone else.

4
00:00:14,610 --> 00:00:16,080
Reverse engineering has been around

5
00:00:16,080 --> 00:00:19,650
since long before computers or modern technology.

6
00:00:19,650 --> 00:00:22,210
So nowadays, reverse engineering is not only used

7
00:00:22,210 --> 00:00:25,040
to steal or counterfeit technology

8
00:00:25,040 --> 00:00:27,240
and reverse cryptographic algorithms,

9
00:00:27,240 --> 00:00:31,060
but it's also used to perform malware analysis

10
00:00:31,060 --> 00:00:34,290
and cybersecurity forensics by the good guys as well, right?

11
00:00:34,290 --> 00:00:37,260
So reverse engineering can even be useful

12
00:00:37,260 --> 00:00:41,740
to software developers to discover how to interoperate

13
00:00:41,740 --> 00:00:46,050
with, you know, undocumented or partially documented software

14
00:00:46,050 --> 00:00:47,990
or even to develop competing software, right?

15
00:00:47,990 --> 00:00:51,490
Which in some cases actually may be illegal, right?

16
00:00:51,490 --> 00:00:53,900
So using reverse engineering to actually

17
00:00:53,900 --> 00:00:56,380
steal somebody else's intellectual property

18
00:00:56,380 --> 00:00:59,060
is definitely, definitely illegal.

19
00:00:59,060 --> 00:01:02,280
Reverse engineering can be used for exploit development

20
00:01:02,280 --> 00:01:04,080
to locate vulnerabilities in a system

21
00:01:04,080 --> 00:01:07,170
and then compromise such a system.

22
00:01:07,170 --> 00:01:11,120
But it's also used to reverse engineer malware, right?

23
00:01:11,120 --> 00:01:14,840
To see how malware is actually behaving, right?
24
00:01:14,840 --> 00:01:18,090
So security researchers and forensics experts

25
00:01:18,090 --> 00:01:21,110
can actually trace every step that malware takes

26
00:01:21,110 --> 00:01:24,950
and assess the damage that it could actually cause, right?

27
00:01:24,950 --> 00:01:27,900
The expected rate of infection as well is another thing

28
00:01:27,900 --> 00:01:31,500
that they actually measure, and how it could be removed

29
00:01:31,500 --> 00:01:33,670
from the infected systems, right?

30
00:01:33,670 --> 00:01:36,570
Reverse engineering also helps with, you know,

31
00:01:36,570 --> 00:01:39,670
finding out how to potentially proactively

32
00:01:39,670 --> 00:01:42,470
defend against, you know, such malware

33
00:01:42,470 --> 00:01:43,450
and such threats, right?

34
00:01:43,450 --> 00:01:47,450
So malware analysis extends to identifying

35
00:01:47,450 --> 00:01:50,100
that the malware is present on a given system

36
00:01:50,100 --> 00:01:53,610
and studying the malware to understand how it functions.

37
00:01:53,610 --> 00:01:57,210
Doing that can reveal the purpose of the malware

38
00:01:57,210 --> 00:02:00,490
and even the author of the malware, in some cases, right?

39
00:02:00,490 --> 00:02:04,220
So because in some, you know, scenarios

40
00:02:04,220 --> 00:02:07,690
you can determine, you know, if a specific technique

41
00:02:07,690 --> 00:02:11,466
is actually being used, whether it's actually an amateur

42
00:02:11,466 --> 00:02:14,720
or perhaps, you know, a more sophisticated developer

43
00:02:14,720 --> 00:02:17,050
and, you know, in some cases, you know,

44
00:02:17,050 --> 00:02:20,920
folks with a lot of resources, like in the case of, you know,

45
00:02:20,920 --> 00:02:23,159
fairly large crime organizations

46
00:02:23,159 --> 00:02:26,150
and also nation states, right?

47
00:02:26,150 --> 00:02:28,210
So there are two additional uses

48
00:02:28,210 --> 00:02:29,940
for reverse engineering, right?
49
00:02:29,940 --> 00:02:32,780
One is to reverse cryptographic algorithms,

50
00:02:32,780 --> 00:02:35,380
and that's actually used to decrypt data.

51
00:02:35,380 --> 00:02:39,380
And the second one is to reverse DRM, right?

52
00:02:39,380 --> 00:02:42,750
Or Digital Rights Management solutions.

53
00:02:42,750 --> 00:02:45,480
And that's where the threat actors

54
00:02:45,480 --> 00:02:47,730
use DRM reverse engineering techniques

55
00:02:47,730 --> 00:02:50,900
to steal things like music, movies, books,

56
00:02:50,900 --> 00:02:55,260
and any other content actually protected by DRM solutions.

57
00:02:55,260 --> 00:02:57,730
Now, there are many tools available

58
00:02:57,730 --> 00:02:59,410
to perform reverse engineering, right?

59
00:02:59,410 --> 00:03:01,420
So I'm including a few here.

60
00:03:01,420 --> 00:03:04,380
The first example is system-monitoring tools,

61
00:03:04,380 --> 00:03:08,490
which are tools that actually sniff, monitor, explore

62
00:03:08,490 --> 00:03:10,930
and otherwise actually expose

63
00:03:10,930 --> 00:03:13,190
the program being reversed, right?

64
00:03:13,190 --> 00:03:15,420
The next ones are actually disassemblers, right?

65
00:03:15,420 --> 00:03:19,330
So these are tools that take a program's executable binary

66
00:03:19,330 --> 00:03:22,800
as input, and then generate textual files

67
00:03:22,800 --> 00:03:24,900
that contain the assembly language code

68
00:03:24,900 --> 00:03:27,900
for the entire program or parts of the program, right?

69
00:03:27,900 --> 00:03:30,420
So then we also have debuggers, right?

70
00:03:30,420 --> 00:03:32,830
And debuggers allow reverse engineers

71
00:03:32,830 --> 00:03:37,330
to observe the program while it's actually running, right?

72
00:03:37,330 --> 00:03:40,770
And they're actually able to set what we call breakpoints.
73
00:03:40,770 --> 00:03:41,780
And then, you know,

74
00:03:41,780 --> 00:03:46,230
that allows them to have the ability to trace, you know,

75
00:03:46,230 --> 00:03:49,213
throughout the code to actually, you know,

76
00:03:49,213 --> 00:03:52,710
use these debuggers to step through the disassembled code

77
00:03:52,710 --> 00:03:55,860
and watch the system as it runs in the, you know,

78
00:03:55,860 --> 00:03:57,780
as it actually runs the program

79
00:03:57,780 --> 00:04:00,030
one instruction at a time, right?

80
00:04:00,030 --> 00:04:02,640
And then we also have decompilers, right?

81
00:04:02,640 --> 00:04:07,080
So these are programs that actually take an executable binary file

82
00:04:07,080 --> 00:04:09,760
and then attempt to produce readable

83
00:04:09,760 --> 00:04:13,413
high-level language code from, you know, those executables.