After importing files into your project, you can start to reverse engineer them. This is a cool feature of Ghidra, allowing you to import more than one file into a single project, because you can apply some operation, for example search, over multiple files, for example an executable binary and its dependencies. In this lecture we will see how to analyze these files using Ghidra.

And here, in order to perform and configure the analysis, you will want to double-click on your project file, or you can just right-click and open a default window. Here we are. We also have several options here: rename, delete, cut, copy, new folder, abort program and refresh. We will further refresh it in case we have any new files in it. And after that we will just click on Enter. That's it.

And here you will be asked whether to analyze the file. And you probably want to answer yes to this, because the analysis operation recognizes functions, parameters, strings and more. And usually you will want to let the user get this information for you. And a lot of analysis configuration options do exist, so you can see the description for every option by clicking on it. And here the description is going to be displayed, and we also have the options.
And here, in this Apply Data Archives, we have "apply known data type archives based on your program information". We have ASCII Strings: this analyzer searches for valid strings and automatically creates them in the binary. And here we can also use "create strings containing existing strings", "create strings containing references" and so on. We also have the Stack, so "create stack variables"; Function ID finds known functions by hashing, and so on. So we will discover all of these analyzers in this course.

And now, after that, let's leave the default, because almost everything is checked, enabled. And now, after that, we will click on Analyze. And here, in order to perform the analysis, you first need to click on Analyze. And then you will see this code browser window. And don't worry: if you forget to analyze something, you can re-analyze the program later. In order to do that here, let's find the symbol you will click on. Yes.

In order to do that, let's actually make it, let's increase a little bit. And here, if you have difficulties seeing things on this window, you can go to Settings, and here Scale and Layout; you can increase this to 125%, and that's it.
We can see more, like the font sizes are a little bit bigger, and so on. And here now, as I said, you can select to analyze these files later. If you forgot to check or enable some analyzer, you will need to go to the Analysis tab, and then here we have Auto Analyze "simple Hello world print". By clicking on Add, you can see the analysis dialog again, and you can choose to enable or disable the analyzers.

And now let's explore the Ghidra code browser. So the code browser has, by default, a pretty well chosen distribution of dock windows, as shown here. So now we will make it again 100%, recommended 100%. And that's it. So here I will get my pen and draw things on the screen. We will need rectangle and balloon. Yes. So here first, we will discuss it here.

So here, as usual by default in reverse engineering frameworks, this is in the center of the screen: Ghidra shows a disassembly view of the file. And after that we have this side. So, as the disassembly level is sometimes a too low-level perspective, Ghidra incorporates its own decompiler, which is located to the right of the disassembly window.
The main function of the program was recognized by a signature, and then parameters were automatically generated here. As you can see here, this is the decompiled version of our Hello World executable file, like a C++ program. And here the main function of the program, as I said, was recognized by its signature here, and then parameters were automatically generated here. And Ghidra allows you to manipulate the decompiled code in a lot of aspects. Of course, a hexadecimal view of the file is also available in the corresponding tab. So these three windows, the disassembly, the decompiler and the hexadecimal window, are synchronized, offering a different perspective of the same thing.

And here we also have, let's actually use a different color here, and here we have this: we have this program tree. So obviously it allows you to easily navigate in the program. For instance, to go to another program section, you can refer to the program tree window located in the upper left margin of the code browser. And we also have, under that, under the program tree, we have the symbol tree. So this symbol here: if you prefer to navigate to a symbol, for example a program function here, then go just below that, where the symbol tree pane is located. And we also have the data type manager here.
So, if you want to work with the data types, then you can just go below that again, and here the data type manager is here. And after that we have console scripting here; so if we use a different color, it will be nicer for our lecture. This is the console scripting, so Ghidra allows scripting reverse engineering tasks. Script results are shown in the corresponding window at the bottom. Of course, the bookmarks tab is available in the same position as well, allowing you to create pretty well documented and organized bookmarks for any memory location for quick access.

And here, after that, we have the seventh thing we're going to discuss here, which is this. So Ghidra has a quick access bar. So Ghidra has also a quick access bar at the top, so you can do several options from it, which you will learn in this course. And here at the bottom right. In order to see that, we will need to close that here. Actually, do that here, and here at the bottom right. We will use the pen. At the bottom right, the first thing we will want to discuss is this here. The first field indicates the current address. Right. Current address here. And here.
Right. On the current address, we have the current function here, in this case. Here, as you can see here, it's the current function, the main current function, because obviously we don't have any other functions other than main. Right. And right after that, we have "call something" here. So, in addition to the current address and the current function, the current assembly line is shown to complete the contextual information.

And here, the last thing we're going to discuss is this top pane. Right. So here at the topmost part of the code browser, the main bar is located. Now that you know the default perspective of Ghidra, it's a good time to learn how to customize it. Let's address this in the next lecture.