1
00:00:01,370 --> 00:00:02,600
Hello, my name is Stephan.

2
00:00:02,600 --> 00:00:10,610
And in this section we will learn how to reverse engineer malware and disassemble using IDA.

3
00:00:10,880 --> 00:00:16,610
And content analysis is often used to understand the inner workings of a malicious binary when the source

4
00:00:16,610 --> 00:00:18,290
code is unavailable.

5
00:00:18,380 --> 00:00:23,150
In the previous lecture you learned Ghidra and you learned the code analysis skills and techniques

6
00:00:23,150 --> 00:00:27,500
to interpret assembly code and to understand the program's functionality.

7
00:00:27,710 --> 00:00:33,190
And the programs that we used were simple C programs, but we are dealing with malware.

8
00:00:33,200 --> 00:00:39,530
It can contain thousands of lines of code and hundreds of functions, making it difficult to keep

9
00:00:39,560 --> 00:00:42,350
track of all of the variables and functions.

10
00:00:42,500 --> 00:00:49,700
Code analysis tools offer very, very strict features to simplify the code analysis, and this section

11
00:00:49,700 --> 00:00:58,520
will introduce one such code analysis tool named IDA Pro, also known as IDA, and you will learn

12
00:00:58,520 --> 00:01:03,540
how to leverage the features of IDA Pro to enhance your assembly.

13
00:01:03,630 --> 00:01:10,590
Before we delve into the features of IDA, let's go over different code analysis tools.

14
00:01:10,710 --> 00:01:15,840
Firstly, we have the disassembler here, so.

15
00:01:20,670 --> 00:01:21,720
Disassembler.

16
00:01:28,260 --> 00:01:28,800
Tumblr.

17
00:01:28,800 --> 00:01:39,420
So a disassembler is a program that translates machine code back to assembly code and here.

18
00:01:40,090 --> 00:01:41,560
It's actually close it down.

19
00:01:47,370 --> 00:01:53,070
So we also have a debugger, that is a program which also disassembles the code.

20
00:01:53,100 --> 00:01:58,200
Apart from that, it allows you to compile the binary in a controlled manner.

21
00:01:58,230 --> 00:02:04,590
Using the debuggers, you can execute a single instruction or selected functions instead of.

22
00:02:05,550 --> 00:02:13,410
Our program debugger allows you to perform dynamic code analysis and helps you combine the aspects of

23
00:02:13,410 --> 00:02:17,110
the suspect binary while it is running at the compiler.

24
00:02:17,130 --> 00:02:23,970
The program that translates the machine code into the code in a high level language also known as pseudo

25
00:02:24,000 --> 00:02:30,660
code and the compilers can greatly assist you with the reverse engineering process and can simplify

26
00:02:30,690 --> 00:02:31,920
your work.

27
00:02:32,040 --> 00:02:37,080
And now let's use this static code analysis using IDA.

28
00:02:37,800 --> 00:02:39,720
The IDA here.

29
00:02:39,720 --> 00:02:41,310
So Hex-Rays.

30
00:02:41,400 --> 00:02:47,300
IDA Pro is the most powerful and popular commercial disassembler or the debugger.

31
00:02:47,310 --> 00:02:50,970
And here we can download it from their official website.

32
00:02:50,970 --> 00:02:52,920
Here it also has the two versions.

33
00:02:53,130 --> 00:02:57,240
One is the paid version and another is the.

34
00:02:58,500 --> 00:02:59,210
Free version.

35
00:02:59,960 --> 00:03:01,340
And here.

36
00:03:02,780 --> 00:03:04,820
And as you can see, we have the.

37
00:03:06,800 --> 00:03:08,900
Write the Hex-Rays here.

38
00:03:09,890 --> 00:03:10,490
Rays.

39
00:03:10,490 --> 00:03:21,020
And after that, we will see something like hex-rays.com and we will download to, we will

40
00:03:21,020 --> 00:03:24,320
download that program here right now.

41
00:03:29,660 --> 00:03:32,750
And here we are waiting for the response here.

42
00:03:45,730 --> 00:03:50,470
And here, we will click on the first result here.

43
00:03:50,470 --> 00:03:55,000
And as you can see, we have the versions in this lecture.

44
00:03:55,000 --> 00:04:02,770
We have the IDA version 8.3, and we will go to products here.

45
00:04:02,770 --> 00:04:08,500
And as you can see here, we have several downloads and products here.

46
00:04:08,500 --> 00:04:14,440
So we have the IDA Free, free binary code analysis tool to evaluate IDA's basic functionalities.

47
00:04:14,440 --> 00:04:22,180
We have the IDA Home, this affordable tool for reverse engineering hobbyists, and the IDA Pro, the

48
00:04:22,180 --> 00:04:29,140
state-of-the-art binary code analysis tool, as they say, and IDA Teams, collaborative reverse engineering

49
00:04:29,170 --> 00:04:29,410
tool.

50
00:04:29,530 --> 00:04:32,410
And we will use the free version for now.

51
00:04:33,570 --> 00:04:40,470
Because some of the students don't want to spend money. I don't want to either, because there are

52
00:04:40,470 --> 00:04:42,690
free and open source alternatives.

53
00:04:42,690 --> 00:04:45,690
But this is a pretty popular tool.

54
00:04:45,690 --> 00:04:51,060
So I wanted to include this in the section here.

55
00:04:51,060 --> 00:04:57,690
And as you can see here, what's included in the pack, so we can analyze both 32-bit and 64-bit applications.

56
00:04:57,690 --> 00:05:04,410
We have the code based, the compiler, and we can save analysis results and perpetual

57
00:05:04,410 --> 00:05:05,190
license.

58
00:05:05,190 --> 00:05:11,820
And as you can see here, for minimum system requirements, we need either Windows, Linux or macOS.

59
00:05:11,820 --> 00:05:19,760
And here, we can download the IDA for the Mac and Mac ARM.

60
00:05:19,770 --> 00:05:25,590
And in this case, since we are using Windows, we will download on Windows here, we will click

61
00:05:25,590 --> 00:05:31,980
on the first option and also we have the SHA-256 checksums here.

62
00:05:31,980 --> 00:05:34,390
So you can check that.

63
00:05:35,600 --> 00:05:43,280
Checksums to make sure that the program is correctly downloaded without any manipulation by.

64
00:05:44,280 --> 00:05:50,220
Now, the attackers here and here, as you can see here now.

65
00:05:51,110 --> 00:05:54,750
The IDA Free is downloading.

66
00:06:01,830 --> 00:06:09,960
And also in this section and later sections, we will look at various features of IDA Pro and you will

67
00:06:09,960 --> 00:06:15,150
learn how to use IDA to perform static code analysis, also called disassembling.

68
00:06:15,150 --> 00:06:21,030
And it's not possible to cover all the features of IDA, only those features that are relevant to malware

69
00:06:21,030 --> 00:06:23,490
analysis and reverse engineering mainly.

70
00:06:24,430 --> 00:06:31,090
And if you are interested in gaining a deeper understanding of IDA Pro, it is recommended to

71
00:06:31,090 --> 00:06:36,220
play with it and analyze more files to gain experience.

72
00:06:36,220 --> 00:06:40,300
And if you are using the, you can also download the demo version.

73
00:06:40,300 --> 00:06:43,270
But you need to write the mail.

74
00:06:43,270 --> 00:06:46,570
So they will do the demo version here.

75
00:06:46,570 --> 00:06:53,680
And using these versions you will be able to try out almost all the features covered in

76
00:06:53,680 --> 00:06:55,450
this course here.

77
00:06:55,450 --> 00:07:01,690
So if you wish to look at an alternative tool for debugging 32-bit and 64-bit binaries,

78
00:07:01,720 --> 00:07:08,380
you can use the x64 debug or debug here, as you can see here.

79
00:07:08,380 --> 00:07:09,910
And you can also use them.

80
00:07:10,810 --> 00:07:18,070
You know, Ghidra with several plugins, which is covered in this section, and with an understanding

81
00:07:18,070 --> 00:07:20,440
of different versions of IDA.

82
00:07:21,220 --> 00:07:27,790
Now, after downloading it, we will explore its features and you will understand how it can speed up

83
00:07:27,790 --> 00:07:32,260
your reverse engineering and malware analysis tasks.

84
00:07:37,180 --> 00:07:40,090
And here, as you can see, it's already installed.

85
00:07:40,180 --> 00:07:45,070
We'll open it, not install, the downloaded here and we will click on Run.

86
00:07:57,230 --> 00:07:57,560
Yes.

87
00:07:57,560 --> 00:07:58,250
Here.

88
00:08:03,610 --> 00:08:04,720
After reading.

89
00:08:05,690 --> 00:08:08,300
Click on accept the agreement.

90
00:08:09,450 --> 00:08:13,620
Then accept the agreement and click on Next here.

91
00:08:15,930 --> 00:08:17,820
This is the installation directory.

92
00:08:18,330 --> 00:08:19,290
Leave it default.

93
00:08:21,120 --> 00:08:28,410
And setup is now ready to begin installing IDA Freeware 8.3 on your computer.

94
00:08:28,440 --> 00:08:29,640
Now, we will click on Next.

95
00:08:29,640 --> 00:08:32,160
And as you can see here, it's installing.

96
00:08:36,350 --> 00:08:37,100
That's it.

97
00:08:37,280 --> 00:08:45,160
IDA Pro is installed on our Windows machine and in the next lecture we will begin to use it.

98
00:08:45,170 --> 00:08:46,880
I'm waiting for you in the next lecture.