
Hello and welcome. How are you all doing today? You got a good 10 o'clock hour set of talks. One, two... who went to two talks in the 10 o'clock hour? All right, I wanted to go to one of those. Who went to two? Who was out here with the vendors drinking? Hi, my name is atlas, nice to meet you. I'm happy to have you all here today. In case you're wondering, there are 120 seats here, there are two dividers with four heat exchangers and Wi-Fi, and so that's what I do before I give a talk: I own the room, because it is my room, and if you give me any grief I will kick you out. I'm just kidding. Two exit doors on your right; in case of emergency, file out those doors and don't trample anybody.

So this is an interesting day for me. They don't have a lavalier mic, but they have given me extensions, even though their GoPro is not going to like me. So today we're going to talk about reverse engineering heavily modified, or heavily obfuscated, binaries, specifically for a car hacking modification tool.

A little bit about me: I'm a Jesus dude, father of three amazing kids, hacker of things, maker of hacks. I love making tools that make hacking easier, which is why I really love software reversing, but about 2008 I got wrapped into hardware hacking and all sorts of cool things. A little bit more about me: data/telecom background, shifted into cyber security. CTF taught me that I can do a lot more than I ever thought possible, and then from CTF got wrapped into hardware hacking: power grid, cars, medical equipment, aerospace things, and dot dot dot. So who here has had that moment where they realized, holy crap, I didn't think I could do that? Can I have a show of hands? Who didn't? You don't have to, but truly, talk to me. For the last 20 years... that happened to me 20 years ago, so for the last 20 years I've had great joy helping other people realize what they're actually capable of, because I realized in 2005 I had set these boundaries around what I was capable of, and self-protective: if I think that I'm only capable of here, I'll stop before I run into them and then I won't be disappointed. But then I would have missed one incredible set of years. So, love riding motorcycles and all sorts of other cool stuff, swing dancing, Latin dancing if you dare. This is a lot of information, contact information for me. I'll give you about 30 seconds to snap a picture if you dare.
So I got a chance to talk to some of you, got a nice smattering of skill sets and interests, not interest level; if you're here, I hope you'd better be very interested. So who here has ever had a car? The OBD2 port, onboard diagnostics, must be within reaching distance of the steering wheel, so that's why it's under wherever you're running your legs into it or whatever, and it is a way for mechanics to fix your car or diagnose your car. Actually it has so many other purposes than that, including checking to see if your exhaust emissions are good enough and blah blah blah blah blah.

Anyway, most often in recent years these are basically a glorified CAN interface to many of the important systems of your car, and in order to interface with your ECUs, the electronic control units that control how your engine runs, whether your doors unlock, or whether, you know, control your windows going up and down, or other things like the microphone and stuff... I skipped something that I really wanted to say; I'll get back to it. In order to do this you have a hardware tool that does the signaling. The hardware tool, either through Bluetooth or a wired connection, connects into a laptop, most often, where some standardized set of software is installed, basically a standardized API for interfacing with cars, and then you install a third-party software. Most often if it's a Ford you download Ford software, if it's GM you download their stuff, but there are some third-party aftermarket tools that allow you to interface with the car as well. They plug into this whole stack to talk on your car, your CAN bus interface on your car, most often. So this is a very valuable thing to understand. When this software talks to your ECUs, it is able to reprogram how the ECU works, maybe flash firmware updates for your ECU, program new keys to your car so that your immobilizer says, oh yeah, cool, he's actually in the car, and many other things: code execution.

There are two ways that the industry is trying to protect this right now. There's an authentication that is now... it's brand new-ish in the last five years, because cars have a five-year cycle, and before that there was a security access mechanism. Basically you get on the CAN bus, you send a message saying I want to enter this diagnostics mode, and there's generally like three, and then you say security access, which is basically a seed/key exchange. Security access: the ECU sends you back a thing going, all right, here's some gobbledy bits, do the magic to it so that I know that you're okay to talk to. So this is the authentication mechanism that's been in use for 15, 20 years or more.

So the authentication mechanism, the newer one: you'll notice there are hexadecimal numbers associated with this. So service 27, that's saying this is my CAN message 27 that I'm sending, and that's how the ECU knows that you're authenticating using security access. Hex 29 is the newfangled version, and it can include a lot more. Like before, it's just a certain size of random bits, blah blah blah. So the authentication mechanism, they allow for a lot more information exchange and you can do cryptographic key signing type authentication. So we're not going to talk too much about that; there are ways to hack that, but it involves a different approach. So I set out my
team... after I left the intel community, I joined GRIMM and have been part of their cyber physical systems team for the last 10 years, and we have developed skills and abilities to hack all the embedded cyber physical systems. Started off with power meters, because that's actually how I got dragged into hardware, but then the same concepts translate directly over to cars, and I've been playing with cars for a long time. I used to hate computers in cars, because I wrenched when I was 16 and I still have that '74 Datsun 260Z, but figured out that the same things that we use to hack power meters applied to cars: different protocol, different culture of people, maybe a few other things, but the microcontrollers are the same, the storage mechanisms are the same, the protection mechanisms are pretty much the same as well. So we did that, transitioned into automotive, then aerospace, medical devices, and all the computers that can kill you, basically: cyber physical systems.

So I started off with this idea. Okay, by the way, I don't have a clicker and I don't have a lav, but I still love to move around, so I'm going to go back and forth. I will say, if you have a hardware radio hacking device, I did leave my clicker remote control in there if you want to try to control my slides. The clicker itself is broken, but I thought I'd throw that out there for you.

Anyway, so we have developed this ability to interface with a bunch of different vehicles over the last 10 years and to be able to set whatever level we want. Why? Because my world revolves around remote code execution, and the easiest way that I found to gain execution of code on an ECU is to put it into firmware update mode and say, oh, here's the code that's actually going to flash. So we had a gap: one of the OEMs introduced a new method and we didn't have it covered, so they'd send a key, we'd send it back an answer, and they'd be like, nah, can't do it. So I jumped in and I'm looking around for ways that I can easily knock out, and in a fun way, this new authentication, or this seed/key exchange mechanism. Ended up choosing a third-party tooling, which is why I'm feeling a little comfortable talking about it, even though I have tried to obfuscate everything possible about it. By the way, if you're expecting 0day at the end of this you'll be sadly disappointed, because I love the community, but I will be teaching you how to go find your own 0day, and that's actually way more valuable. So we'll just call it "the binary file". It's an obfuscated PE binary. Anybody know what a PE is? So, Windows executable. On POSIX, Unix, Linux it's basically ELF files; on Windows they're PE files. You know them as .exe's or DLLs, but actually the internal storage mechanism is PE. No dependencies: this means you run the program, it doesn't say, operating system, please load these kernel32, user32, blah blah blah blah blah libraries for me. It kind of does that on its own once it deobfuscates itself, but that's a different story, and that's pretty common. It's like reversing malware, but at the end of the day, if I let it slip and it runs, I don't get infected; the program pops up and runs like it should. So started off, I don't know how
much you guys can see this, but there's a push of an address location and then a call to this other address location, and return. This is the very entry of the program. That first thing called is literally a return, so it's basically a nop, and so when we get down to this other return it just is basically a jump into this first location that we pushed onto the stack, blah blah blah. And it goes on and on and on in very nasty, gnarly, not very easy to reverse ways, to do all sorts of weird stack manipulation things, and basically deobfuscate itself in multiple layers. So it'll go blah blah blah blah blah and kind of be building the code that is deobfuscated, and then it'll jump into it and it'll run that, and that will deobfuscate another layer of code, and after enough of these happen you have a program, deobfuscated, running in
memory. So I thought to myself, how do I do this in a way that is, A, going to be fast? It was not, but that's a different story; I've used it for mentoring, I've used it for so many things. And B, I'm going to have fun with it and be able to build out a tool set. This is my spare time, so I need it to be fun. So either I could be doing emulation of the code, and trust me, that's actually what normally gets me up in the morning, or we could try something special: basically let the program load itself, and then snap in, grab everything out of memory and load it into a vivisect workspace that I can then analyze. So normally I would be talking about emulation, either QEMU or vivisect's emulation built in with vivisect. Something I'd like to throw out there that I didn't do, but gives hope that we'll always be able to do some cool stuff like this, is kernel debugging. If we get to a point where the idea of running a program and then attaching a debugger to it and pulling everything out of it that we can analyze, if that ever becomes too much and they somehow figure out how to keep us from doing that, debugging the kernel itself means that we still should be able to get in and basically do what we're doing.

So we start it up, we connect to it with a debugger, grab all the memory out of it and dump it into a file. Okay, for this I used vivisect's VDB, the vulnerability debugger. It has the idea of snapshotting. Basically what VDB does is it attaches to a process, you run, you say... say to dump a snapshot. Yes, I will get my words eventually; the queue kind of runs out of words and so it throws out random words, kind of like listening to AI. And then we shat it out into a little snapshot file that we can analyze later, including processor state, so all your registers, and your PEB and your TEB, if you're Windows people. PEB and TEB: basically every thread running on a Windows program has this little snippet of memory called the TEB, the thread execution block, and it gives context for that running thread. Inside of every TEB is a PEB, which is a program execution block, and it's like this centralized thing that every thread can access, every part of the program can access, to gain knowledge about the program, and actually tap yourself into ntdll, which is a great obfuscation technique that malware uses. But so we snapshot. So we run the program, attach with VDB, and VDB has a command line interface as well as a GUI. I like the command line interface for this because I don't need the GUI, and we just create... we attach to it, it spits out all the libraries that it has found. Now notice there are no dependencies in the program itself, but once the program got deobfuscated it then just loaded in the things that it wanted; it just hid it from you. And we say snapshot and we create target.vsnap, and it goes through all the memory maps, shat out into the file. My second favorite word is shat, so I'll probably find a way to use that too.

So before this talk there was no good way to load vsnap files into a vivisect workspace. They've basically been somewhat separate but equal parts of the vivisect project. Done a lot of work to make this a reality. I've not gotten it merged into mainline vivisect yet, but the Vivisection code should have it available in the near future, as soon as I like the stability of the results. I'm a hacker, I just want the stuff, I want to do the thing, and at the end of the day if 30 to 50% of it is garbage but I don't need that 30 to 50%, I'm generally good. But I'm trying to get it so that it's actually 95, 99% good. So basically we roll through all the memory maps that are in the snapshot, we load them into a vivisect workspace as a memory map with the same permissions and whatnot, and that's the easy part. We then throw in a little bit of the metadata, like, hey, you know, here's the registers at the time of capture, blah blah blah. But then
what we had: two different hard-fought lessons. I talk about myself in the third person plural because I run multiple personalities; it's not a disorder, it's a feature. Tried three or four different ways to do this, some of them trying to use... I'm trying to use as much code that's within vivisect as possible, because I don't want to do anything too much outside that I have to maintain more code, but at the end of the day I ended up modifying the PE parser from vivisect so that I could do exactly what I wanted. Yeah, you can look through that later if you want; reach out to me, you've got contact information for me. I'm happy to share it right now. This lives in a non-committed file called [expletive].py; it's where I keep all the real good gems that haven't been refined
yet. Yeah, yeah, had some issues; I'll talk about the issues in a minute. So who here has done a little bit of, or a lot of, malware reversing? Good, good, you'll understand a lot of what we're dealing with. This is just like malware; it's just, at the end of the day, they're not infecting your system, they're running a cool program, but they're trying to hide the key thing that I'm after. They're trying to hide it from me. [expletive]. So there are four major ways that I've run into that malware obfuscates, and so do these tools. There's unpack and decrypt in place: so the program runs, it gets loaded at like 0x401000, heck, blah blah blah, it runs and it just kind of overwrites itself in place. I like that, that's pretty cool, very efficient, and it doesn't have me tromping through all sorts of nasty places or extra programs. Unpacking, decrypting into a new memory map: so you get running, it spins up, grabs a new memory map, and then just shits itself into the new memory map, boom, we're done. Actually the first one is harder to reverse, because you start doing these things and suddenly you go back and the code's changed and you have to go analyze that code as well; from a disassembler's perspective that's actually a [expletive]. The third one, and actually one of my favorite and coolest, is where it spins up another program, or takes or attaches to an already running program like explorer.exe, and shits itself into there, spins up a new thread, because Windows is so friendly for remote debugging and thread manipulation, blah blah blah. Sometimes they'll just say, hey, load up explorer.exe, strip out all the guts and let's put our code there so it doesn't even look different. And several other things, but these are the main ones.

So I proved very early on this is a decrypt-in-place or deobfuscate-in-place binary. The original, I don't know if you can read it, but it's 68 01 90 80 blah blah blah, and it turns into, at the same location, C7 01 94 79. Does that mean anything to you? It doesn't mean anything to me, but it does mean that it's writing it; it zeros me in to where I need to focus. And when you're reverse engineering, one of the biggest helps and skills that you can develop is figuring out where to apply your attention. Most automated tools, at their very best, will point the skilled reverse engineer at where they need to look. It's not insert into a tool and the tool says, hey, here's magic. That works too, to a low percentage, but above that percentage it takes a skilled reverser, not ChatGPT. So what do we look at? Okay, I got it, I got it shat into a nice vivisect
workspace what do I look for uh so obviously I'm interested in UDS the universal Diagnostics service that's the thing that allows you to put it into security mode and and gain access to diagnos notics uh searching for can related things searching for hacks 29 and 27 as immediate values so you've got your your op code and it's a compare of this register with this hex 29 like that's very useful stuff but here's the problem I have the data shoved into a workspace but I've got no analysis disassemblers use analysis entry points into a program that are clearly defined in the PE or the Elf or the moo for for Mac here are your entry points this is
x86 we have issues with with not knowing where stuff is with x86 I don't even know where the strings are so if I go into the strings window or I search through strings um they're not defined yet see so right here we have a uh no I'm on my screen thinking that you should be able to see what I'm pointing at not going to help anyway security array I kind of like this I want to know more about that but viv's like nope those are the btes 5if 53 four five four so I mean there are some strings because metadata has strings attached to it when it loads in uh very various things but not very interesting we got
to figure out where do I get a Toe Hold where do I where do I know to dig in security access is clearly something I want so I run strings anybody here run strings actually this is how I got into this madness and running strings one time oh my gosh so there are millions of strings some really aren't strings um Radix means nothing because this is actually a vivc workspace so I ran straight on the workspace itself so like the where it is isn't going to make any difference I just needed access to the deop fiscated versions because running strings on the binary didn't work at all so once I get in there I identify
hey here's some cool strings over here on the right I like uh yeah Wi-Fi IP Edition product name Windows yeah extended license is active huh that's really interesting I know that this program can actually write new keys into the body control module so that you can start the car with your own key so let's go check out extended licenses active and I search and I find it one result here at 78120 well this is a slow process and wildly prone to being bad and I'll tell you about that in a minute so I wrote a tool I wrote a tool within Viv section which is the uh vivisect Plus+ that it's a plugin for vivisect that allows me to
do all sorts of hackery things that I don't have to have perfect, that are just for me, and if you want to use it for you too, don't complain; PRs are welcome. And I wrote in a scan-for-strings module, and I say, oh okay, okay. The first question that everybody should come up with is: how long does a string have to be to qualify as a string? So hey, we get to set that; defaults five. Do we search all memory, or do we start at a memory map and end at a memory map and we only do within there? I needed granularity. I don't think I've gotten to the slide yet, but I'll breach it: I figured out where code was, I wrote tools to figure out where code was, really cool stuff, we'll talk about it in a second, and overnight analysis crashed because I ran out of memory, because it was all of memory. It wasn't just the thing that I was interested in; it had all of Windows, every library that it depended on, and as soon as it hit there it's like, whoa, kernel32, baby, yeah, let's do all this analysis, and basically, yeah, I have a 600 meg workspace file that takes 15 minutes to load, 45 if I do it over the network. It's bad. So I had to learn. So starting map, ending map, or starting address, ending address: I want to be able to limit. Do I apply the strings or do I just spit out some results? And am I looking for ASCII or UTF-16? So I am not a GUI programmer; if you want a GUI programmer I'm sure you know some, I am not one, but this does the trick. So I started "discovered strings", so I gave it some parameters, it went and it started showing me strings, and I'm like, oh, this is looking good. With these parameters I can have some faith, because if you misidentify stuff in a workspace you may call something a string that's really code, and it'll really screw with you later when you want everything to be as exact and real as possible. So I figured out discovered strings, and then I put in the specific memory address start and stop that I wanted to go for, yes, apply the strings, go, and suddenly I had strings like "security array" and "DPF soot PCT" and "O and S wdl" and "SEC level". "SEC level" is good, right? I like that. Problem: now, like, normally if I'm reverse engineering a binary I go find a cool string like "access granted" or whatever, and then I see what code accesses that string. You see right here: nada, no code access to that string, nothing accesses that string, but I have the string. Yay. Oh crap.
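Editor's added example, not the speaker's code and not vivisect's: the string scan just described, written stand-alone in Python over a constructed set of memory maps, with the same knobs the speaker lists (minimum length, start/end address range, ASCII vs. UTF-16, discover vs. apply). The `(base, perms, data)` map tuples, the `PERM_*` bits, the `workspace` dictionary and all sample bytes are stand-ins assumed for this example; vivisect's real API is not used. It also shows the caveat from the talk in code: `apply_strings` refuses to stamp a string over a location already typed as code.

```python
import re
from typing import NamedTuple

# Permission bits for this example's memory-map tuples (base, perms, data).
# They are stand-ins, not vivisect's MM_* flags.
PERM_READ, PERM_WRITE, PERM_EXEC = 1, 2, 4


class Found(NamedTuple):
    va: int      # virtual address of the first byte of the string
    kind: str    # "ascii" or "utf16"
    text: str


def _patterns(minlen):
    # Both patterns demand a terminator: a run of printable bytes that is not
    # NUL-terminated is far more likely to be opcodes than a C string.
    return {
        "ascii": re.compile(rb"[\x20-\x7e]{%d,}\x00" % minlen),
        "utf16": re.compile(rb"(?:[\x20-\x7e]\x00){%d,}\x00\x00" % minlen),
    }


def scan_strings(maps, minlen=5, start=None, end=None, kinds=("ascii", "utf16")):
    """Discover NUL-terminated ASCII / UTF-16LE strings in readable maps.

    start/end clip the scan to an address range, so the Windows libraries the
    unpacked program pulled in are not scanned along with the program itself.
    """
    pats = _patterns(minlen)
    found = []
    for base, perms, data in maps:
        if not perms & PERM_READ:
            continue
        lo = base if start is None else max(base, start)
        hi = base + len(data) if end is None else min(base + len(data), end)
        if lo >= hi:
            continue
        window = data[lo - base:hi - base]
        for kind in kinds:
            pos = 0
            while True:
                m = pats[kind].search(window, pos)
                if m is None:
                    break
                va = lo + m.start()
                if kind == "utf16" and va % 2:
                    # An ASCII byte followed by a NUL can pull a UTF-16 match
                    # one byte early; retry from the next byte.
                    pos = m.start() + 1
                    continue
                raw = m.group()
                text = (raw[:-2].decode("utf-16-le") if kind == "utf16"
                        else raw[:-1].decode("ascii"))
                found.append(Found(va, kind, text))
                pos = m.end()
    return sorted(found)


def apply_strings(workspace, found):
    """Record strings in a {va: (type, size)} table standing in for a workspace,
    refusing to overwrite anything already typed as code: a string stamped over
    code corrupts every later analysis pass that trusts it."""
    applied = []
    for f in found:
        width = 2 if f.kind == "utf16" else 1
        size = (len(f.text) + 1) * width
        clash = any(t == "code" and va < f.va + size and f.va < va + sz
                    for va, (t, sz) in workspace.items())
        if clash:
            continue
        workspace[f.va] = (f.kind, size)
        applied.append(f)
    return applied


def build_sample_maps():
    """Constructed stand-in for a snapshot: an unpacked image plus one library."""
    img = bytearray(b"\x90" * 0x40)                       # filler opcodes
    img += b"security array\x00"                          # image+0x40
    img += b"SEC level\x00"                               # image+0x4f
    img += b"\x8b\x45\x08\xc3"                            # mov eax,[ebp+8]; ret
    img += b"\x00" * (0x60 - len(img))
    img += "extended license is active".encode("utf-16-le") + b"\x00\x00"  # image+0x60
    img += b"\x90" * 8
    lib = b"\x00" * 0x10 + b"GetProcAddress\x00" + b"\x00" * 8
    return [(0x400000, PERM_READ | PERM_EXEC, bytes(img)),
            (0x7c800000, PERM_READ | PERM_EXEC, lib)]


SAMPLE_MAPS = build_sample_maps()

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_MAPS, start=0x400000, end=0x400100):
        print(f"{f.va:#010x} {f.kind:5} {f.text!r}")
```

With the range clipped to the image, the three planted strings come back and the library's `GetProcAddress` does not; scanning without a range finds all four. The terminator requirement is what keeps runs of printable opcode bytes out of the results.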
Okay, so x86 is a variable-size instruction set. That means that you have instructions that are a byte in size and you have instructions that are 15 bytes in size. All right, we're at a casino, who wants to gamble? You don't want to gamble with something like this, sorry. You have to know, because as soon as you take guesses you have multiple layers of things that you're reasoning about that suddenly you're not confident in the truth of what is what. So you have to start off with truth: this I know to be code. So how might we do that? Well, it turns out there are 12 stack areas, 13 actually, I think, in the last one that I did. Why is the stack interesting? I'd say no cheating, but it's right in front of your face, because stacks store return variables, or return addresses. What's your return address? You have a program, or you have a procedure; a function calls into another function. On x86 the call opcode takes the next instruction to return to and shoves it onto the stack. We have stacks, so we can just roll through the stack and find all the return codes. Oh crap, but there's pointers everywhere; how do we know what's what? Well, we go to the location that's pointed to by the pointer that's on the stack and we disassemble it. If it disassembles to something good, okay, great, let's back up, because the instruction that is immediately preceding must be a call and it must end at that address. You following me? Does this make sense? So we back up. Problem is, calls can be multiple bytes too; like there's a two-byte call, there's a three, four, five, six byte call. So we start at two: is it a two-byte call? If it's a two-byte call and it ends, and it started two bytes before, it's probably a pretty good thing; we'll call that code. We go back three, go back four, go back five; as long as it is a call within this certain range and it ends at the right spot, we're going to trust it.

Okay, this is how I ran out of memory, but it worked. It freaking worked. But it did take an 80 gig swap file and a dedicated machine that I could just let run for 15 hours. I don't know if you saw that, yeah, 500 meg at the time; it's at 600 meg right now. It's insane. And also, with this much analysis done, many of the tools that I just rely on don't work, because I rely on tools that emulate to a thing, to the end, meaning I call kernel32 and I stop. No, kernel32 is right there, it just keeps going and going, and 15 minutes later I'm finding myself going, do I wait or do I Ctrl-C?
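Editor's added example, not the speaker's code and not vivisect's: the stack-walk heuristic just described, stand-alone in Python over a constructed snapshot. Every 4-byte stack slot is read; a value is kept as a known-good code address only if it lands in an executable map and the bytes immediately before it decode as a 32-bit x86 `call` whose length ends exactly at that address, trying lengths 2 through 7 shortest first (`E8 rel32`, and `FF /2` with its register, `[disp32]`, `disp8`, `disp32` and SIB forms). The `Map` tuple, the `PERM_*` bits, the `exclude` filter for library maps, and every sample byte and address are stand-ins assumed for this example.

```python
import struct
from typing import NamedTuple

PERM_READ, PERM_WRITE, PERM_EXEC = 1, 2, 4   # this example's flags, not vivisect's


class Map(NamedTuple):
    name: str
    base: int
    perms: int
    data: bytes


class Hit(NamedTuple):
    slot_va: int   # where on the stack the return address was found
    ret_va: int    # the return address itself (a known-good code boundary)
    call_va: int   # start of the call instruction that pushed it
    call_len: int


def call_length(b):
    """Length of the 32-bit x86 near-call encoding at the start of b, or 0.
    Covers E8 rel32 and FF /2 with every ModRM/SIB/displacement form."""
    if len(b) >= 5 and b[0] == 0xE8:
        return 5
    if len(b) >= 2 and b[0] == 0xFF and (b[1] >> 3) & 7 == 2:
        mod, rm = b[1] >> 6, b[1] & 7
        if mod == 3:                  # call reg
            return 2
        n = 2
        if rm == 4:                   # SIB byte follows
            if len(b) < 3:
                return 0
            n += 1
            if mod == 0 and (b[2] & 7) == 5:
                n += 4                # no base register: disp32
        elif mod == 0 and rm == 5:
            n += 4                    # call [disp32]
        if mod == 1:
            n += 1                    # disp8
        elif mod == 2:
            n += 4                    # disp32
        return n if len(b) >= n else 0
    return 0


def _map_for(maps, va):
    for m in maps:
        if m.base <= va < m.base + len(m.data):
            return m
    return None


def find_return_addresses(maps, stack_name="stack", exclude=()):
    """Walk every 4-byte stack slot; keep a value only if it lands in an
    executable map not listed in `exclude` and is immediately preceded by a
    call encoding that ends exactly at it. A direct call's target must also
    land in code, which rejects stray E8 bytes."""
    code = [m for m in maps if m.perms & PERM_EXEC and m.name not in exclude]
    stack = next(m for m in maps if m.name == stack_name)
    hits = []
    for off in range(0, len(stack.data) - 3, 4):
        val = struct.unpack_from("<I", stack.data, off)[0]
        m = _map_for(code, val)
        if m is None:
            continue
        for n in range(2, 8):
            call_va = val - n
            if call_va < m.base:
                break
            buf = m.data[call_va - m.base:val - m.base]
            if call_length(buf) != n:
                continue
            if n == 5:   # E8: check the relative target too
                rel = struct.unpack_from("<i", buf, 1)[0]
                if _map_for(code, (val + rel) & 0xFFFFFFFF) is None:
                    continue
            hits.append(Hit(stack.base + off, val, call_va, n))
            break
    return hits


def build_sample_maps():
    """Constructed snapshot: a tiny image, a 'kernel32' map and one stack."""
    img = bytearray(b"\x90" * 0x40)
    img[0x00:0x05] = b"\xe8\x1b\x00\x00\x00"           # 401000: call 401020
    img[0x05:0x07] = b"\xff\xd0"                       # 401005: call eax
    img[0x07:0x0d] = b"\xff\x15\x00\x20\x40\x00"       # 401007: call [402000]
    img[0x0d:0x10] = b"\xff\x55\x08"                   # 40100d: call [ebp+8]
    img[0x20] = 0xC3                                   # 401020: ret
    k32 = bytearray(0x2000)
    k32[0x122F:0x1234] = b"\xe8\x00\x00\x00\x00"       # a call inside the library
    slots = [0x401007, 0x12345678, 0x401005, 0x401020, 0x7C801234, 0x40100D, 0x401010]
    stack = b"".join(struct.pack("<I", v) for v in slots)
    return [Map("image", 0x401000, PERM_READ | PERM_EXEC, bytes(img)),
            Map("kernel32", 0x7C800000, PERM_READ | PERM_EXEC, bytes(k32)),
            Map("stack", 0x0019FF00, PERM_READ | PERM_WRITE, stack)]


if __name__ == "__main__":
    for h in find_return_addresses(build_sample_maps(), exclude=("kernel32",)):
        print(f"[{h.slot_va:#010x}] ret {h.ret_va:#x} <- call@{h.call_va:#x} ({h.call_len} bytes)")
```

On the sample stack, `0x12345678` is dropped because it points nowhere, `0x401020` is dropped because the bytes before it are NOPs (it is a function pointer saved on the stack, not a return address), and `0x7C801234` is dropped only while `kernel32` is excluded, which is the restriction that keeps the walk from wandering into every library the program loaded.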
We also found that this broke vivisect server; anything this big didn't work, and I was able to find some bugs in vivisect server that I got fixed, so yay, got some good out of it at least. But it did take 45 minutes to load over the network.

So we add in... I like things that are easy, and when I'm reversing I love the challenge. I remind myself with a goal; I allow myself to sink in, to wallow in the bits, kind of, you know, let them wash over me a bit, but with the hope that that time is going to be well spent, it will come with something. That means that I need to get rid of as much tedium as possible, because the brain drain, where my brain is actually spent and worn out before I get to the thing that really gives me joy, no thank you. So write tools; that's actually why I write tools. So I added in something for Vivisection to look through for stacks: here's a starting stack, ending stack, ending map. And for stacks I'm also most interested in limiting what they're able to point to; like, going through stacks I don't want things that point to kernel32, so restriction is good. Every so often... so that worked really, really well, but it didn't find me all the things that I really
wanted. But I was looking through and just kind of exploring, like you do, around security access and some of these other strings. You know, I just like... it's all bits; I like to turn it into meaning, and that's why I do this, and the tools don't always get it. So I'm meandering around the strings and I found a whole bunch of stuff that looked like this: A0 83 59. That's kind of a three-byte string, but A0 doesn't print well, 83 doesn't print well; 50 86 59 0, okay, 86 doesn't print well, but it's kind of like a string, a null-terminated string, right? Okay, look at the address to the left of it: 0075d2888 is repeated here, 59; basically large numbers that share a whole lot of data in common at the upper realm with some variant at the bottom. Sounds like pointers. So I made them pointers. In fact, I created a pointer array tool for saying, hey, start here, go to there, make them all pointers. Well, vivisect does the pointer thing, turns them into pointers, but then analyzes whatever they're pointing at, and I started seeing this name here, sub_ something, sub_... notice they're all starting with "sub"; that means they're a function. Every one of those is a function. Going, huh, I like this. Pointer arrays, I love this, it's great. Oh, and by the way, "security array" now has two cross references, just by making this chunk of pointers above "security array" into pointers and the subsequent code that was identified. You guys with me here? I suddenly can back up a step and analyze the code that is accessing this string "security array", and this is what C++ pointer... virtual function tables look like. Who here's written C++? All right, good, a lot of you. So you guys are familiar with inheritance, object-oriented programming and inheritance and all that stuff. So what happens is when you define a class with a set of functions that the class... okay, intro to OOP for those of you who haven't done it. Object-oriented programming is basically where you identify a thing, it's called a ball, and you do some data around that pertains to the ball, and then you write some functions that do things for the ball; like, it's all about knowing what to do for that object. That's object-oriented programming. You can subclass the ball and say, ah yeah, that bounce function that you wrote for generic ball doesn't work very well for the football; things work differently. So I overload and write a bounce function for football that changes the dynamics. Okay, in order to do that C++ has to identify those functions as virtual, meaning I can replace them, and the compiler creates these cool, amazing gifts, godsend, called virtual function tables. So when you have a ball you have a virtual function table that has all of the supported functions, and pointers to other things too sometimes, and when you have a football you have its own virtual function table that actually shares a lot in common with the original one, except where you overload something, and you've got a pointer to a different function. So this that we're looking at right here is a virtual function table with functions that know all sorts of things to do with a ball, or whatever the heck that thing is. So, added in some new functionality: make pointer array allows me to start with a start address, stop with a stop address, or, if I want, just say, hey, I know there's 20, don't make me do the math, and stop if you run into a null pointer; maybe you don't care. So again, I like flexibility, I like ease and lack of brain drain.

So we started seeing vtable entries, and one of the cool things about vtables is that every function in a virtual table, a virtual function table, knows how to interface with this thing. In fact, in C++ you have a this pointer handed in to every one of those doggone functions. If you want to figure out the structure of a C++ class, like if you make structs, C++ is basically structs with code; these functions know where all the fields are. So you can scroll, you can
roll through this code and say hey that access this plus 16 okay and it access this plus 15 at one bite in size oh okay cool so I got a bite right there and you can learn all sorts of things about what this is so I'm for example the C++ class that is in that is responsible for interfacing with this model year model type of blah OEM I'll just say Maserati because it's far enough away from the truth and I'm not sure if they have OBG anyway um another Nifty thing about C++ especially uh Visual Studio C++ for Windows the first entry is the destructor well what do we know about destructors well Constructors are cool
like we we do all the things nobody writes a Destructor right okay well you should because as you build this object which is generally objects within objects with strings and all the things and it's good stuff from a reverse Engineers perspective you may have to draw it out on paper but it's amazing set of information um the destructor goes through and it clears out everything frees everything up like if you want one place where you're going to get the most data about how that stuff is laid out the destructor is it it's that first entry I'm working on code I keep saying this I'm working on code that does destructure analysis to spit out you know a lot of good data on
uh for you it should be wrapped into Viva section I got a [ __ ] ton going on in my life right now so it's taking a lot longer than I thought uh but that is coming Constructors and destructors are amazing and then based on what each function accesses you can start to reason about what that function
does then as you're rolling through code that is not part of a virtual function table you start to run into things like a call to Malik and then writing of some pointer a virtual function table pointer into the initial portion the the start of hi are we back on the camera shuts off every 10 minutes apparently it's a feature um what was I saying oh so in normal code not C++ code or actually unfortunately most often inside of one C++ object there's calls to allocate memory for other C++ objects and stamping in other virtual function tables but that's really good stuff too because now we can start graph Theory anybody here like graph theory if you
don't you should guilt peer pressure all that stuff um graph Theory not the visual stuff the idea of nodes and edges that that establish and Define relationships that you can do sorting and you can actually turn into visual things because visual things are how I process the best so there are there is code creates memory stamps a virtual function table into a particular part of memory if you get if you get if you get other virtual function table things stamped into other parts of memory you might find embedded objects find this a lot with strings and the joy keeps going so here is I'm going to walk you through the destructor if you can read
it. So the first thing, this is the destructor. It actually just calls free objects if it's ready, and then if it's ready it returns a zero, and it comes down and it actually decrements the reference pointer to that memory, and if it hits zero it calls free on it. So this is cleanup code, and most of the destructors in this code look just like this. But that free thing, this is the actual cleanup code for the destructor. This is going through, I don't know how familiar you are with x86, this is 32-bit code, but you see things right here. So ESI is the this pointer at this point. There's a function table
number six with that address. I haven't gotten into great naming for this particular set of code yet. So it stamps that into the location. This is something that actually happens a lot more often than you'd think: if you say I have a football but I really want to call ball's version of this, the C++ code says oh okay, ball's virtual function table, just stamp that sucker in, call the thing, and then we'll stamp it back when we're done. So mov edi, 16, okay, so the EDI register has the number 16 in it. Compare ESI 608 bytes into the this object, okay, compare that against 16. Now move something, seven, into this local
variable, and this compare does this subtraction-based... yeah, basically if it is 16 or over then it will call decrement and free, and if it's not it won't. This is a C++ string. C strings, we all know: it's character, character, character, null, right? Null-terminated string. C++, there is a structure that has size, potential size, and if the size is lower than 16 bytes, like, there's room in the structure just to store the damn string. So this comparison against 16 is a dead giveaway. I think I'll be done. So it's a dead giveaway: if it's below 16 then everything is right here and we don't need to free this extra
thing. Otherwise, if it's over 16 we have allocated the right amount of data in a buffer for that string and there's a pointer where the string would otherwise live. So we see this throughout the destructor, yada yada, mov EVP... so part of cleaning this up is actually setting that counter back to 15 so that it never gets confused. It's kind of a safeguard, even though we're going to free it anyway. So we come down: 608, 604, ESI plus 608, ESI plus 604, these are all defining where [ __ ] goes inside the memory allocation for this object. So this is good telling stuff for nerds like me. I mean, let's be
real. Come down, we do the exact same thing: compare against EDI, this 580, and we've got another string that we're freeing up. If it's bigger than that we call the free on that pointer that's stored there, otherwise just call it good, and then we
find a call to another subroutine going, hey, here's something else, go clean that out. And after a couple of iterations like this we end up knowing what everything is, or where everything is, and in a lot of ways find out what it is. So recapping C++ structure reconstitution: look for a whole bunch of pointers that resolve to code, xrefs to the start of a bunch of them. So when you go through the pointers, actually there will be references to the start of that virtual function table in that code. So I just started off with a bunch of pointers, and at the end I'm like, oh, there's a cross reference right
to this start of pointers, and that's how I know that's where the virtual function table lives, or very likely. There's checking, but very likely. Analyze the first function for the destructor and go through the destruction process. Use graph theory and graphing; that is something I don't have time for. But what you wanted to see, the seed key exchange? Sorry, that's not how I roll. I'd rather teach you to fish and have you hacking for a lifetime. You're much better served, go find it yourself. So the real conclusion: think outside the box, don't be limited by your tooling, make your tools better, make tools. There's this delimiting factor in your self-development where you know tools
to where you are the powerful one and the tools simply are things that you use to be
powerful. Then go hunting. Imagine what it might look like; sometimes that takes experience. Honestly, just jump in and let your brain meander around what the code is doing, because over time you'll start to figure out what things start to look like. Write some simple C++ code or C code, compile it down, reverse engineer it, try to figure out why it turned into the way that it did so that you can identify it better. Remember that you are the real power. Go forth and do great things.
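Taking the speaker's own advice, here is an added example (not code from the talk, from Vivisect, or from the tool being reversed): a hand-written model of the small-string layout that the "compare against 16" check in the destructor is reading, wrapped in an object with a vtable and two string members, so you can compile it and compare the generated destructor against the one on the slide. The field layout, the 16-byte threshold and the reset-to-15 safeguard are assumptions modelled on the talk's description, not measured from the binary.

```cpp
#include <cstdlib>
#include <cstring>
// Toy small-string model constructed for this example; the layout and the
// 16-byte threshold are assumptions based on the talk, not a real library.
struct SsoString {
    static const std::size_t kInline = 16;     // 15 chars + NUL fit inline
    union { char buf[kInline]; char* ptr; };   // inline bytes or heap pointer
    std::size_t size;
    std::size_t capacity;                      // 15 means "right here"
    static int frees;                          // heap frees, for checking
    SsoString(const char* s) : size(std::strlen(s)), capacity(kInline - 1) {
        if (size < kInline) {                  // fits: store in the structure
            std::memcpy(buf, s, size + 1);
        } else {                               // too big: allocate a buffer
            capacity = size;
            ptr = static_cast<char*>(std::malloc(size + 1));
            std::memcpy(ptr, s, size + 1);
        }
    }
    bool on_heap() const { return capacity >= kInline; }
    ~SsoString() {                             // what the slide's cleanup does
        if (capacity >= kInline) {             // the "compare against 16"
            std::free(ptr);
            ++frees;
        }
        capacity = kInline - 1;                // reset to 15, the safeguard
        size = 0;
    }
};
int SsoString::frees = 0;
// An object holding two strings, like the one walked through in the talk.
struct Holder {
    virtual ~Holder() {}                       // gives it a vtable pointer
    SsoString name;
    SsoString path;
    Holder(const char* n, const char* p) : name(n), path(p) {}
};
// Builds and destroys a Holder and returns how many heap frees the
// destructor chain performed (one per member that outgrew the inline buffer).
int destroy_and_count(const char* n, const char* p) {
    int before = SsoString::frees;
    { Holder h(n, p); (void)h; }
    return SsoString::frees - before;
}
// True when the string's bytes live in a separate heap buffer.
bool uses_heap(const char* s) { SsoString t(s); return t.on_heap(); }
```

Compile it with optimisation and step through the generated destructors: the same compare-against-16, conditional free and reset-to-15 pattern from the slide shows up for each member.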