Youtube comments of (@lauriewired).

  1. Didn't really think about that😅
    265
  2. Yeah I noticed that 🥲 will fix it in future videos
    179
  3. Here’s the (summarized) concurrency puzzle to help follow along: 
We have 1 Santa thread, 9 reindeer threads, and 10 elf threads. The elves build toys, and the reindeer are on vacation. Santa sleeps in his workshop at the North Pole until one of two events:

 1. All 9 reindeer return from vacation to the airplane hangar 
2. Exactly 3 elves have issues making toys and enter the panic room.

 If both events happen simultaneously, the reindeer take priority. Santa helps the elves or prepares the sleigh, depending on who woke him.

 This classic concurrency problem demonstrates synchronization in multi-threaded programming. For the full problem, check out the original paper: https://dl.acm.org/doi/pdf/10.1145/187387.187391
    42
  4. The full problem is in the first paper cited in the description: Trono (1994) - "A new exercise in concurrency" - DOI: 10.1145/187387.187391 You can find it on ACM
    27
  5. I 3D printed them myself :)
    23
  6. Yes
    15
  7. would it help if I threw the computer at the wall to free the memory?
    12
  8. I have a CS degree. I have a video here that explains how to get into this field :) https://www.youtube.com/watch?v=RnL5HQfq4Ik
    10
  9. You're absolutely right about ARM's use of pipelining, and this indeed impacts how the PC behaves in certain situations. ARM is a pipelined architecture, which means it fetches, decodes, and executes instructions in stages, overlapping these operations for different instructions. The PC (Program Counter) indeed points ahead in the instruction stream due to the pipeline. Regarding your observation about the use of the -4 offset with LDR: When an instruction is fetched, the PC is often a few instructions ahead of the current instruction being executed. With 32-bit ARM instructions, the PC is typically 8 bytes ahead during the fetch stage. However, since in the ARM architecture, the PC behaves as if it is two instructions ahead of the current instruction (4 bytes per instruction, so 8 bytes total), the offset -4 essentially compensates for this advancement. This way, we are "correcting" the PC value to the desired address.
    9
  10. That's true. However, typecasting is best practice. It makes the code clearer to read, and is taught that way in many universities. Also in the off chance you end up using a C++ compiler with C code, typecasting will reduce compilation errors. I understand how it can be a controversial topic, but it's mostly a stylistic choice.
    9
  11. Why isn't your ui in 1999?
    9
  12. You're partly correct in your understanding, and it's a common source of confusion when we discuss Android and Linux Yes, Android does use the Linux kernel, but it's not considered a typical Linux distribution due to various reasons, including the ones you mentioned. It modifies the kernel and creates a different user space that is not standard to other Linux systems. The JNI (Java Native Interface) is indeed used to call native code (usually C or C++) from Java, and vice versa, in the Android environment. However, this isn't the same as the syscall mechanism. JNI just provides a way to use native libraries from Java, it doesn't change how system calls are made. When it comes to system calls, POSIX (Portable Operating System Interface) is a standard that defines a set of system calls among other things. Android, being based on the Linux kernel, does support many POSIX system calls natively. However, it's true that the NDK (Native Development Kit) does implement some POSIX features on top of Android system calls, as not all POSIX features are natively supported in Android. Lastly, whether Android is considered "Linux" or not often depends on context. If we're discussing kernel-level features, Android is very much Linux. But if we're talking about the user-space environment (including system libraries and application behavior), Android is quite different from what is traditionally considered a Linux system.
    8
  13. Great question! To me, tools like Genymotion are charging a sizable convenience fee when you could run the emulator yourself for much cheaper in AWS/Azure. It's doing the same thing on the backend, but with the options I mentioned, you have more control and spend much less.
    7
  14. Most of the time schools are getting rid of them as e-waste, I managed to snag 2 for $50
    7
  15. Good catch! I will likely have a video dedicated to manual string decoding in the future since I just focused on the automation here
    7
  16. The intention behind this setup is to offer an isolated, consistent, and easy-to-manage environment that can be easily reset. The use of Docker for malware analysis isn't intended to replace traditional dynamic analysis in a full VM environment. It's more of an additional tool in the arsenal that can be useful in certain scenarios. My next upcoming video is actually going to go into detail about how to get past that, and use the encryptor and decryptor :)
    7
  17. It's a tricky problem. Because Android is just linux underneath, you could technically use iptables to sort by UID. That being said, many android applications these days spin up multiple processes, often with the same UID. In my opinion, there are a couple of hacky ways to do it, but all methods have their own issues, and it's much easier to focus on a single application at a time. Keep in mind, IP packets carry no ownership information. Hence, you can't just dump a random PCAP file and immediately tell what process spawned the traffic without a lot of additional work. Another potential option would be to run a per-app proxy or VPN with something like NetGuard: https://github.com/M66B/NetGuard However, because that relies on the Android VPN service, theoretically a really sneaky malware could change it's behavior if a VPN was detected/present. There are a few other potential ways of doing it, but they all have various pros and cons. There is an excellent thread on StackExchange that goes into some various scenarios here: https://android.stackexchange.com/questions/203868/how-to-view-network-traffic-requested-by-a-specific-app
    6
  18. The dubbing new automatic feature of YouTube, not my doing. Sorry!
    6
  19. You should make one anyway, there isn't enough good content on YouTube about multithreading :)
    6
  20. This is one option for reversing and will sometimes tell you if a sample is malicious or not, but you're likely to miss a lot of behavior this way. Example: suppose a sample puts a sleep timer in the code to postpone malicious behavior for two days. Unless you're sitting and watching the sample for two days, you will only realize this by checking the code
    6
  21. I would, but polymarket isn't available in the US, and it's a pretty niche subject. Maybe I could post to Metaculus, but that would be non-monetary of course
    6
  22. It depends a lot on the person and their previous background as you mentioned. For Android RE, it took me about 1 year of learning before I felt confident
    6
  23. Yes, I use blender
    5
  24. Not necessarily faster per se, just a different usecase. Bluestacks is mostly intended for gaming, and abstracts much of the underlying Android Operating system away from you, making it unsuitable for Development or Reverse Engineering purposes. Bluestacks also does not support ARM natively. For anything that isn't gaming, a docker container is usually going to be the better choice.
    5
  25. At first I assumed it was dead code since malware authors sometimes do insert it to try to throw you off. In most cases though, I think it's more likely the decompiler failed so that's why I went back and decided to check references by signature before deciding for sure.
    5
  26. Risc-V to come very soon!
    5
  27. Thanks for the compliment! The end song is Thanatos from Neon Genesis Evangelion ;)
    4
  28. Yes, you need to repackage the binary into an IPA file and re-sign it with your own developer certificate for it to run on iOS (unless using a jailbroken device)
    4
  29. yes, tbh I like old HP scopes more though
    4
  30. They updated the container name. You can find the latest name here on their github: https://github.com/budtmo/docker-android
    4
  31. Yup, I do all the editing+graphics. It's a mixture of After Effects + Premiere, and I used figma to design some of the OS elements :)
    4
  32. Also works on non-rooted devices but not necessarily forcing for all apps. And if you don't have the settings bar, you can also do this in the command line via iptables. The Medusa framework has an easy proxy setting command as well.
    4
  33. You'll never get it out of your head now
    4
  34. no real method, I just make stuff that I happen to be thinking about at the time
    3
  35. Yes, glad you enjoyed it :)
    3
  36. Ah, understand your problem. APKLab has a nice feature for resigning / compiling APKs in VSCode
    3
  37. You'd have to edit smali code for functionality changes. Frida only works for runtime changes
    3
  38. You can set up a virtual machine for your malware analysis or run your samples in the cloud. In this video, I wasn't running anything though, just static analysis :)
    3
  39. Absolutely will in a future video!
    3
  40. If you want full explanations of what each instruction does, feel free to watch my Practical ARM Assembly Tutorial series! I have 11+ videos going in depth about how each instruction works, as well as go over the official ARMv7 Assembly Reference Manual :) Link: https://youtube.com/playlist?list=PLn_It163He32Ujm-l_czgEBhbJjOUgFhg&si=GIxasZEFaMZsQWao
    3
  41. Precisely!
    3
  42. Hey! Finally someone recognized it! I'm so glad someone else remembers Neko :)
    3
  43. Great catch! Too many things named medusa out there... updated
    3
  44. If they payload is encrypted, you could also throw that into JADX and start analyzing it. Usually that's what I end up doing, but here I was just looking to get the payload. Although it's used a lot in malicious apps, packing itself is not a sign of malicious behavior actually. It's common for legit Android devs to try to protect their source code as well.
    3
  45. There shouldn't be issues using an ARM sbc as long as it's not a significantly different/super old ISA. ARM64 will cause a few differences to the register sizes and such, but most of the overall concepts will be the same. As long as you are on ARMv7 or higher most of these lessons should just work as expected.
    3
  46. Sure thing, future videos are now using a larger font :)
    3
  47. I always pronounce it as the letter "v" in my head so it was hard for me to remember to say "5" while making this :)
    3
  48. Hope you're joking ;)
    3
  49. https://github.com/LaurieWired
    2
  50. yes 😄
    2
  51. JVC broadcast video crt monitors
    2
  52. Since the hooking occurs at runtime, you shouldn't need to recompile the app. Frida hooks the method while the app is running to allow you to change the behavior
    2
  53. It might be a problem with nested virtualization. You can double check that your host supports it
    2
  54. Similar but Docker offers a lot more isolation and extra features. chroot still shares system resources and the network stack
    2
  55. Sorry man, I do my best to keep up
    2
  56. I'm so glad, I hope it's a fun class for you 🙂
    2
  57. I'm so glad it helped!
    2
  58. It's actually just happenstance what gets printed first since calling fork creates a new process that executes at the same time. You could even get these printed in a different order each time you run
    2
  59. yes, gridfinity worked very well for this analogy😅
    2
  60. check out @OALABS on YouTube
    2
  61. Great suggestion! It's on my list of one to do soon
    2
  62. Agreed, doing this problem in python is difficult with threading
    2
  63. Pixel 6 with API 29 run via Android Studio :)
    2
  64. Unfortunately there is not a great way of quickly spinning up mac environments inside Docker containers like this. There are containers that spin up full mac environments (sickcodes), but they use full QEMU underneath, which isn't nearly as light as say, a traditional linux container. You can still use virtual machines on mac device for dynamic analysis though
    2
  65. not born yet 😉
    2
  66. Oh not sure, that's just how I heard my CS professor pronounce it
    2
  67. Sure thing! You could hook many different functions and get similar results. Just preference by situation :)
    2
  68. The creators added some updates to the container. You can check their github for the latest names: https://github.com/budtmo/docker-android. I'll update my link though as well
    2
  69. Are you saying that native hooking never helps for real apps? Hard disagree. It won't work for certain apps, but it's super useful in a lot of real-world situations. For example, if you are trying to get by some native anti-emulation.
    2
  70. Glad it was helpful!
    2
  71.  @RobertFletcherOBE  I just had the samples cranked, close to 1000 I think
    1
  72. I'm so glad someone recognized it :)
    1
  73. You may find this video I made on Debugging Android Java code with JDB helpful: https://www.youtube.com/watch?v=8JFWTJ-hQ7A
    1
  74. Absolutely! It's also very encouraging to see the code quickly becoming more readable
    1
  75. Usually I just remove the container and run it again although this doesn't save the container state. To remove, run "docker container rm -f CONTAINER_NAME" with the name of your container and then do the run command again. Starting and stopping doesn't work great for these containers
    1
  76. I was planning on doing a video on setting up native debugging with gdb. I’ll try to get to it soon :)
    1
  77. Soon ;)
    1
  78. It's all real :)
    1
  79. It should be by default unless you have it disabled on the host since they share the kernel
    1
  80. :)
    1
  81. Great catch! Fixed it
    1
  82. More to come!
    1
  83. More in the series to come shortly!
    1
  84. I might check it out in a future video :)
    1
  85. haha oh no didn't think about that 😅
    1