1 00:00:01,430 --> 00:00:03,050 Bootloader and executable.
2 00:00:03,320 --> 00:00:11,570 We will launch the IDA Pro IDA freeware, which in this case we will need to run as administrator.
3 00:00:11,570 --> 00:00:13,520 In order to do that, we will right-click on it.
4 00:00:14,630 --> 00:00:17,080 Electron after.
5 00:00:18,480 --> 00:00:18,990 Yes.
6 00:00:21,620 --> 00:00:29,930 If you started IDA Pro for the first time, it will briefly display a screen showing your license information
7 00:00:29,930 --> 00:00:31,910 and immediately after that.
8 00:00:32,680 --> 00:00:36,370 Uh, you will be presented with the following screen here.
9 00:00:39,870 --> 00:00:41,880 And we will choose New.
10 00:00:41,880 --> 00:00:44,130 And we will the file.
11 00:00:45,700 --> 00:00:46,860 We wish to analyze.
12 00:00:46,860 --> 00:00:50,220 In this case, it's a simple Hello World program.
13 00:00:50,310 --> 00:00:57,090 And after that, as you can see, we have a portable executable and binary file.
14 00:01:00,440 --> 00:01:10,460 Ways, and the file that you give to IDA will be loaded in memory and either IDA.
15 00:01:10,520 --> 00:01:12,410 Acts like a Windows loader.
16 00:01:13,570 --> 00:01:15,550 File into the memory.
17 00:01:16,320 --> 00:01:21,100 IDA determines the best possible loader from the file header.
18 00:01:22,030 --> 00:01:22,330 Yeah.
19 00:01:22,330 --> 00:01:30,190 File here, and it determines the processor type that should be used during the disassembly process after
20 00:01:30,190 --> 00:01:31,300 you select the file.
21 00:01:31,330 --> 00:01:34,990 It shows a dialog here, as you can see here.
22 00:01:34,990 --> 00:01:43,450 So from this it can be seen that IDA determined the appropriate loaders are the port, as you can have.
23 00:01:44,040 --> 00:01:52,080 The x86 here, and appropriate loaders are the portable executable.
24 00:01:52,970 --> 00:01:55,460 Or just a binary file.
25 00:01:55,580 --> 00:01:56,600 And.
26 00:01:57,740 --> 00:01:58,820 The binary file option.
27 00:01:58,820 --> 00:02:04,790 If you are using the demo version, you will not see this option here, and the binary file option is
28 00:02:04,790 --> 00:02:08,360 used by the IDA to IDA or IDA.
29 00:02:08,960 --> 00:02:10,040 IDA or.
30 00:02:11,790 --> 00:02:15,430 IDA, to load the files that it does not recognize.
31 00:02:15,430 --> 00:02:22,910 So you will normally use this option when you are dealing with shellcode, and by default it is not.
32 00:02:25,890 --> 00:02:32,430 Uh, resource section assembly, and by using the manual load checkbox here.
33 00:02:32,430 --> 00:02:39,780 So as you can see, we have Manual load, Load resources entries, and if you check this Manual load option
34 00:02:40,020 --> 00:02:47,760 and manually specify the base address where the executable has to be loaded, and the IDA will.
35 00:02:49,360 --> 00:02:50,620 Whether you want to.
36 00:02:52,030 --> 00:02:53,590 Section the.
37 00:02:55,460 --> 00:02:55,840 Years.
38 00:02:56,000 --> 00:03:02,630 And as you can see, we have an enviable portable executable for 8306.
39 00:03:02,630 --> 00:03:07,400 And after we click OK here, as you can see, we want to change the process.
40 00:03:07,400 --> 00:03:09,200 Type to Athlon now.
41 00:03:09,320 --> 00:03:09,650 We will.
42 00:03:13,310 --> 00:03:15,200 And after clicking.
43 00:03:15,200 --> 00:03:15,980 OK.
44 00:03:16,770 --> 00:03:17,600 Um.
45 00:03:17,610 --> 00:03:20,070 IDA loads the file into frame and.
46 00:03:21,470 --> 00:03:23,660 Disassembles machine code.
47 00:03:23,660 --> 00:03:26,630 And as you can see, a lot of the debug information.
48 00:03:26,630 --> 00:03:27,290 Yes.
49 00:03:28,650 --> 00:03:32,310 Get as much information pulled here and.
50 00:03:33,880 --> 00:03:34,510 Click here.
51 00:03:34,540 --> 00:03:35,030 It might.
52 00:03:37,400 --> 00:03:38,570 System properties.
53 00:03:38,570 --> 00:03:42,410 And as you can see, it's registering, and that's it.
54 00:03:42,410 --> 00:03:49,010 And here, after the disassembly, IDA Pro, IDA performs an initial analysis.
55 00:03:49,870 --> 00:03:56,050 Identifying the compiler, function arguments, local variables, library functions and their parameters.
56 00:03:56,050 --> 00:03:57,460 And let's actually.
57 00:04:01,610 --> 00:04:02,690 And that's it.
58 00:04:02,760 --> 00:04:03,230 Here.
59 00:04:04,000 --> 00:04:11,350 And once the executable has been loaded, you will be taken to the desktop showing the disassembled output
60 00:04:11,380 --> 00:04:17,920 of the program, and the IDA desktop integrates the features of many common static analysis tools into
61 00:04:17,920 --> 00:04:24,580 a single interface, and this section will give you an understanding of the IDA desktop and its various
62 00:04:24,580 --> 00:04:25,330 windows.
63 00:04:25,330 --> 00:04:35,740 And this you can see here, the IDA desktop called Stop after Load, and you will see that time after
64 00:04:36,310 --> 00:04:38,020 loading an executable file.
65 00:04:38,890 --> 00:04:43,360 And the IDA desktop means a different multiple tabs like.
66 00:04:45,620 --> 00:04:52,550 IDA View-A, Hex View and so on, and clicking each tab brings up a different window here.
67 00:04:52,850 --> 00:04:57,290 As you can see, we have tabs here, Structures and.
68 00:04:57,970 --> 00:04:59,200 Imports, Exports.
69 00:05:00,960 --> 00:05:01,710 And.
70 00:05:03,230 --> 00:05:04,310 And select one of them.
71 00:05:04,330 --> 00:05:08,570 And we also have the Structures here.
72 00:05:09,900 --> 00:05:11,140 Enums, Imports here.
73 00:05:11,160 --> 00:05:11,760 Now we are.
74 00:05:13,010 --> 00:05:14,130 The Structures.
75 00:05:26,450 --> 00:05:27,560 There's the Structures.
76 00:05:27,620 --> 00:05:31,690 We also have the Enums, Imports we are importing.
77 00:05:32,780 --> 00:05:33,830 Find versus.
78 00:05:36,230 --> 00:05:40,490 Exports, and after the executable has been loaded, you will be presented.
79 00:05:41,570 --> 00:05:49,070 Also known as the IDA View-A window, and this is the primary window and displays the disassembled code,
80 00:05:49,070 --> 00:05:53,850 and you will mostly be using this window for analyzing binaries.
81 00:05:53,870 --> 00:05:54,500 Here.
82 00:05:55,590 --> 00:05:59,760 And it can go into two display modes.
83 00:06:00,090 --> 00:06:05,700 The first is graph view and text view, and graph is the default view.
84 00:06:05,820 --> 00:06:14,070 As you can see here, and when the assembly view, IDA View, is active, you can switch between the graph
85 00:06:14,070 --> 00:06:18,810 and the text view by pressing the spacebar, like this here.
86 00:06:19,640 --> 00:06:21,800 And in the graph view menu.
87 00:06:22,010 --> 00:06:30,320 IDA, this IDA displays one function at a time in a flowchart-style graph, and the function is coming to
88 00:06:30,440 --> 00:06:36,440 basic blocks here, and this mode is useful to quickly recognize branching and looping.
89 00:06:37,100 --> 00:06:39,560 And in the graph view mode.
90 00:06:40,160 --> 00:06:47,300 The color and the direction of the arrows indicate the path and the variable taken here.
91 00:06:47,300 --> 00:06:55,010 But in this case this is just a simple Hello World application, and it has only one function, and we don't
92 00:06:55,010 --> 00:06:56,600 see any other functions.
93 00:06:56,720 --> 00:07:01,190 And that's why this is the only tab we can see here.
94 00:07:02,220 --> 00:07:02,850 And.
95 00:07:04,230 --> 00:07:09,210 In the graph view, the virtual addresses are not displayed by default, and this is to minimize the
96 00:07:09,210 --> 00:07:15,080 amount of space required to display each basic block, and to display the virtual address information,
97 00:07:15,090 --> 00:07:17,280 you can click the Options here.
98 00:07:17,280 --> 00:07:21,990 And after that, General, and as you can see here, we have several.
99 00:07:24,130 --> 00:07:26,140 Here, and we will go to Graph.
100 00:07:31,420 --> 00:07:36,580 And as you can see, you know, instead of going to Graph, you can also change it from here, display
101 00:07:36,580 --> 00:07:39,040 disassembly line parts, and we will enable this.
102 00:07:39,040 --> 00:07:41,230 Check this out, and we will click on.
103 00:07:41,230 --> 00:07:41,470 OK.
104 00:07:41,470 --> 00:07:50,980 And as you can see here now, we are seeing these binaries here and hex values here, and here we are
105 00:07:51,010 --> 00:07:56,650 seeing the disassembly of the main function, and in the graph view mode, notice that the conditional
106 00:07:56,650 --> 00:08:02,590 check at the address is starting at the 0401460.
107 00:08:04,380 --> 00:08:11,040 And for Android 80 here, and if the condition, we don't have the condition for now, but in the next lecture
108 00:08:11,040 --> 00:08:14,670 we will use this for checking the conditions as well.
109 00:08:15,420 --> 00:08:16,080 And.
110 00:08:17,910 --> 00:08:23,150 In the next lecture, we will also learn how to use the functions of the Output window and Hex View windows
111 00:08:23,150 --> 00:08:23,750 as well.
112 00:08:23,750 --> 00:08:26,590 And I'm waiting for you in the next lectures.