1 00:00:01,740 --> 00:00:11,490 Hello and welcome back. In this video, I'll show you how to get started with the Windows crackme in Ghidra. Before we begin,
2 00:00:11,490 --> 00:00:16,110 go ahead and create a new folder called Ghidra Projects.
3 00:00:16,740 --> 00:00:20,640 And inside, create a new subfolder called GUI.
4 00:00:20,880 --> 00:00:28,650 The crackme one, download this from the resource link that I provide for you, and put this
5 00:00:28,860 --> 00:00:31,650 crackme inside this new folder.
6 00:00:33,390 --> 00:00:37,860 This is a crackme, so let's run it first and see what it does.
7 00:00:42,680 --> 00:00:51,080 Enter any kind of serial key, click on Check, and you get that message.
8 00:00:51,620 --> 00:00:55,880 So this is the behavior. Now we are going to reverse this
9 00:00:56,330 --> 00:00:56,900 crackme.
10 00:01:00,110 --> 00:01:05,330 In Ghidra, click on File, click on New Project.
11 00:01:08,630 --> 00:01:09,590 Click Next.
12 00:01:11,880 --> 00:01:13,680 And then click on the three dots.
13 00:01:15,620 --> 00:01:18,130 Navigate to your new folder,
14 00:01:25,710 --> 00:01:35,640 Ghidra Projects, and select this folder, GUI crackme, and click on Select Project Directory. Give it
15 00:01:35,790 --> 00:01:39,420 a name, GUI crackme
16 00:01:42,900 --> 00:01:47,370 dash one, and hit the Finish button.
17 00:01:50,310 --> 00:01:58,770 Now we are going to import this crackme into Ghidra, so drag and drop it into this new project.
18 00:02:03,440 --> 00:02:09,860 And it has detected the PE format. Click OK.
19 00:02:17,730 --> 00:02:22,590 And this is the summary of the import process. Click on the button
20 00:02:22,620 --> 00:02:23,190 OK.
21 00:02:26,000 --> 00:02:30,830 Now you can start analyzing by dragging it onto the dragon icon.
22 00:02:32,860 --> 00:02:40,690 It will open up the CodeBrowser and ask you to confirm if you want to analyze it. Click on Yes.
23 00:02:43,160 --> 00:02:46,790 And then, in the list of analyzers,
24 00:02:48,650 --> 00:02:52,670 check this box, Decompiler Parameter ID.
25 00:02:54,090 --> 00:02:58,050 And then scroll down and look at PDB also.
26 00:03:01,110 --> 00:03:11,880 PDB is the debug file. Generally, when you create a program, only the person, the programmer
27 00:03:11,880 --> 00:03:14,870 who writes the program, will have this PDB file.
28 00:03:15,600 --> 00:03:22,830 If you downloaded the program or crackme from a third-party source, you will not have access to
29 00:03:22,830 --> 00:03:23,180 this.
30 00:03:23,880 --> 00:03:28,640 So assume you don't have access to this PDB debug file.
31 00:03:30,490 --> 00:03:31,480 So leave it unchecked.
32 00:03:32,680 --> 00:03:34,330 And then check this one,
33 00:03:35,350 --> 00:03:42,150 WindowsPE x86 Propagate External Parameters, which will make it easier for us to analyze.
34 00:03:44,390 --> 00:03:45,980 So click on Analyze.
35 00:03:49,180 --> 00:03:56,920 And keep your eye on the bottom right corner, which shows you the status and progress of the analysis.
36 00:03:58,610 --> 00:04:02,600 After about one minute, the analysis is now complete.
37 00:04:04,190 --> 00:04:12,350 The next thing I want to do now is to set the preferences. Go to Edit, select Tool Options, and then
38 00:04:12,350 --> 00:04:14,960 select Listing Fields.
39 00:04:16,420 --> 00:04:21,070 Listing Fields, and then Cursor Text Highlight.
40 00:04:22,020 --> 00:04:26,530 And then here, the default: change it to Left.
41 00:04:27,360 --> 00:04:31,670 Similar to what we did for the earlier one on Linux.
42 00:04:32,220 --> 00:04:38,750 So take a look at the Functions folder again, looking for main.
43 00:04:38,760 --> 00:04:43,430 But you won't find any main, because this is a GUI program.
44 00:04:44,520 --> 00:04:48,510 So what you look for instead is the entry point.
45 00:04:51,430 --> 00:04:52,030 There you go.
46 00:04:52,060 --> 00:05:00,690 Entry point. So entry point is the thing that runs before main, but in GUI programs,
47 00:05:01,270 --> 00:05:06,420 there is no main. Even though you can find your entry, there is no main.
48 00:05:07,420 --> 00:05:09,450 But it does have a WinMain.
49 00:05:10,880 --> 00:05:15,160 WinMain is the entry point for Windows programs.
50 00:05:16,120 --> 00:05:18,970 I also put this link in the resource file,
51 00:05:19,000 --> 00:05:19,700 which you can download.
52 00:05:19,810 --> 00:05:24,820 So this is the signature we need, but sometimes you won't find it.
53 00:05:25,120 --> 00:05:27,540 So here's the thing.
54 00:05:28,690 --> 00:05:36,280 So on the right, you go to the decompiler window and look at entry. There it is, and then you scroll down
55 00:05:37,660 --> 00:05:38,800 looking for WinMain.
56 00:05:39,340 --> 00:05:49,510 You may not find it. One clue of where WinMain could be is just after the function that gets all the environment
57 00:05:49,510 --> 00:05:50,200 variables.
58 00:05:51,860 --> 00:05:57,250 So you're going to come to this line here. So this could be it. Let's check it out.
59 00:05:58,970 --> 00:06:00,450 Yes, this is it.
60 00:06:01,310 --> 00:06:06,810 So this is WinMain, and you can see the DialogBoxParam and ShowWindow calls.
61 00:06:07,520 --> 00:06:12,890 So when this ShowWindow API is called, it displays this.
62 00:06:12,890 --> 00:06:14,930 You know it is WinMain.
63 00:06:14,950 --> 00:06:22,220 So this must be WinMain. To give it the signature, we can go to
64 00:06:24,200 --> 00:06:32,740 the documentation for WinMain. Copy this signature, including the semicolon at the back. So you may want to do this too:
65 00:06:34,220 --> 00:06:46,790 leave out the semicolon, right-click, Copy, and head back to Ghidra, and right-click on the undefined
66 00:06:46,790 --> 00:06:50,750 function and select Edit Function Signature.
67 00:06:52,700 --> 00:07:00,710 And now here you can just paste. Right-click and Paste, or Ctrl+V, Ctrl+V to paste what
68 00:07:00,710 --> 00:07:04,790 you just copied, and then remove the WINAPI.
69 00:07:07,150 --> 00:07:12,460 So once you've done this, make sure there is no semicolon at the back here. Click OK.
70 00:07:14,970 --> 00:07:23,010 Again, for this one, you can just accept the default. LPSTR is a string pointer. And then click OK.
71 00:07:26,410 --> 00:07:31,120 And so now you have the correct signature for WinMain. You can see it.
72 00:07:31,170 --> 00:07:41,860 So a while loop. Typically WinMain has a while loop, where it keeps on polling or scanning for the inputs
73 00:07:41,860 --> 00:07:45,730 from the user and then checking what the message is.
74 00:07:47,110 --> 00:07:54,310 And then it has different messages. For example, if you use your mouse and click on
75 00:07:54,310 --> 00:08:03,820 these windows, the mouse click is translated using the TranslateMessage function and stored in a Windows
76 00:08:03,820 --> 00:08:06,000 structure called MSG.
77 00:08:07,300 --> 00:08:12,520 And then it will dispatch it to the callback function.
78 00:08:13,510 --> 00:08:16,030 But here you don't see the callback function.
79 00:08:17,620 --> 00:08:26,680 So the callback function is not visible here. If you have done some Windows programming, you will
80 00:08:26,680 --> 00:08:29,890 recognise this kind of code.
81 00:08:31,540 --> 00:08:37,480 But we are not going to use this to solve this challenge. Instead,
82 00:08:37,550 --> 00:08:39,370 we are going to search for strings.
83 00:08:40,190 --> 00:08:47,010 So here is the message:
84 00:08:47,380 --> 00:08:52,630 "Try again". Go to the Window menu and select Defined Strings.
85 00:08:54,710 --> 00:09:02,540 And it will show you all the strings that it has found during the analysis, so you can scroll down and
86 00:09:02,540 --> 00:09:06,180 look for the bad message, which is "Wrong".
87 00:09:06,270 --> 00:09:07,250 Here: "Wrong, try again".
88 00:09:08,580 --> 00:09:15,110 I can also filter the data from here, and there you go.
89 00:09:15,560 --> 00:09:16,130 "Wrong" here.
90 00:09:16,130 --> 00:09:17,200 OK, "Try again".
91 00:09:18,400 --> 00:09:25,720 Sometimes you may not be able to find it in the Defined Strings window. So if you don't see your strings
92 00:09:25,720 --> 00:09:28,000 here, for example if it is Unicode,
93 00:09:28,170 --> 00:09:30,150 you may not see the strings here.
94 00:09:30,640 --> 00:09:31,870 You might or you might not.
95 00:09:32,890 --> 00:09:41,950 So in that case, if you don't see it here, you go to Search, use a different tool called Search, and select
96 00:09:41,950 --> 00:09:42,690 For Strings.
97 00:09:43,510 --> 00:09:44,290 And then here,
98 00:09:45,170 --> 00:09:46,340 accept the defaults.
99 00:09:47,380 --> 00:09:56,590 This is on Loaded Blocks. Click Search, and there you go, you get another result here.
100 00:09:57,280 --> 00:10:06,370 If this window doesn't appear in here, sometimes you might get a floating window like this,
101 00:10:06,370 --> 00:10:06,940 for example.
102 00:10:07,630 --> 00:10:09,630 And you want to dock this window in here.
103 00:10:10,030 --> 00:10:12,790 You just drag it inside Ghidra.
104 00:10:12,800 --> 00:10:17,100 Not anywhere else, but inside Ghidra. Drag it to the right here and let go.
105 00:10:17,620 --> 00:10:23,250 And then it is docked here, and you have the tabs showing you all the windows that you opened.
106 00:10:25,070 --> 00:10:25,450 Right.
107 00:10:25,480 --> 00:10:30,640 So you can use the result of the search here and filter as well.
108 00:10:32,260 --> 00:10:35,710 And there you go. So you have two ways of searching for strings.
109 00:10:36,070 --> 00:10:40,720 One is to use Defined Strings, which is coming from Window, Defined Strings.
110 00:10:41,260 --> 00:10:48,320 The other way is to use Search, For Strings, and you find it here.
111 00:10:49,990 --> 00:10:56,650 So now you can double-click on this and go to the location of the string, which is here:
112 00:10:58,070 --> 00:11:03,800 "Wrong serial, try again". And then you will find the cross-references to the function which makes
113 00:11:03,800 --> 00:11:12,090 use of the string, so you can just double-click on these cross-references and it takes you to the code
114 00:11:12,110 --> 00:11:16,700 listing. Scroll up, and you will see the function.
115 00:11:17,780 --> 00:11:21,540 This is the function at 401090.
116 00:11:22,460 --> 00:11:30,440 So when you see this in the listing, you will also display the decompiled view.
117 00:11:30,710 --> 00:11:34,670 So click the Decompiler tab here, and this is the function.
118 00:11:36,400 --> 00:11:36,780 All right.
119 00:11:36,800 --> 00:11:38,240 So this is the main function.
120 00:11:38,690 --> 00:11:39,780 We can rename it
121 00:11:39,920 --> 00:11:41,540 as main.
122 00:11:45,550 --> 00:11:53,380 And here you see GetDlgItemText. It is a Windows API to extract whatever the user typed.
123 00:11:54,470 --> 00:12:04,230 And then it has a condition: it shows the message box for a good message, and a message box for a bad message.
124 00:12:05,030 --> 00:12:11,930 So whether it's showing the correct key or the wrong key will depend on the result of this variable.
125 00:12:12,890 --> 00:12:17,600 So uVar3 is the result of your comparison.
126 00:12:18,780 --> 00:12:25,860 So this is the comparison. If you go through the process of comparison, it looks quite complicated,
127 00:12:26,220 --> 00:12:33,290 but it is actually doing some kind of string comparison between the actual password and what you enter.
128 00:12:34,050 --> 00:12:37,350 So if the comparison is true,
129 00:12:37,560 --> 00:12:40,710 the key that you enter is the same as the actual key,
130 00:12:41,130 --> 00:12:46,400 then uVar3 should be zero, and then it shows the message box.
131 00:12:47,460 --> 00:12:56,490 Now, another way you can view this whole function main is to use the Window menu. Click on Window
132 00:12:56,880 --> 00:13:00,110 and go down to Window, Function Call Graph.
133 00:13:02,940 --> 00:13:05,490 And it will show you the graph.
134 00:13:07,940 --> 00:13:18,360 It does a graphical analysis and shows you, from a high-level point of view, what your call stack looks like.
135 00:13:18,380 --> 00:13:22,990 So, of course, it starts with main, and WinMain calls
136 00:13:23,000 --> 00:13:25,550 main, because this one we just renamed.
137 00:13:28,340 --> 00:13:33,770 Hanging from this main function, you have all the support functions.
138 00:13:33,800 --> 00:13:35,060 We did see some of them earlier.
139 00:13:35,060 --> 00:13:41,930 For example, GetDlgItemText is just one, and possibly MessageBox somewhere down at the bottom.
140 00:13:42,740 --> 00:13:47,000 And the message boxes will be these message boxes here.
141 00:13:49,490 --> 00:13:56,060 And sometimes you can even expand further. You have a plus icon and a minus icon.
142 00:13:57,340 --> 00:14:01,480 If it's a minus icon, you can collapse the parent.
143 00:14:03,700 --> 00:14:08,070 And if you click on the plus icon, you expand the child.
144 00:14:11,820 --> 00:14:18,560 So it's quite a good tool for visualizing your call stack.
145 00:14:18,630 --> 00:14:20,640 You can also use this to trace the path.
146 00:14:21,420 --> 00:14:27,480 OK, now that you have the decompiled main here, you can scroll down and analyze the code.
147 00:14:28,530 --> 00:14:40,110 You can see here that it has a GetDlgItemText API. To see what it does, you can check
148 00:14:40,110 --> 00:14:47,000 out the documentation by going to Google Chrome and searching for GetDlgItem
149 00:14:47,430 --> 00:14:47,880 All right.
150 00:14:50,070 --> 00:14:50,490 Text.
151 00:14:52,940 --> 00:15:02,210 And clicking on this result, so this one, read the description here.
152 00:15:05,170 --> 00:15:12,260 hDlg is a handle to the window that you are trying to read, and again, this is a string, lpString.
153 00:15:12,270 --> 00:15:17,710 The item, nIDDlgItem, is referring to the text box.
154 00:15:18,590 --> 00:15:23,110 So your text is stored in that parameter: one, two, three.
155 00:15:23,630 --> 00:15:31,940 So when you come back here, you see this parameter, one, two, three. That parameter contains your
156 00:15:32,240 --> 00:15:32,750 string.
157 00:15:34,980 --> 00:15:36,600 It's what we enter.
158 00:15:38,280 --> 00:15:45,220 All right, and interestingly, you see on top here, this local var.
159 00:15:45,330 --> 00:15:46,420 It looks like the true key.
160 00:15:47,100 --> 00:15:51,660 So you can rename it. Assume it is the actual key.
161 00:15:53,340 --> 00:15:55,190 This is just an assumption.
162 00:15:56,010 --> 00:15:59,700 So even if it's just an assumption, you just go ahead and rename it.
163 00:16:01,200 --> 00:16:05,970 So it's local. Now define that parameter, my input.
164 00:16:06,450 --> 00:16:07,830 So this is your input.
165 00:16:09,090 --> 00:16:09,870 My input.
166 00:16:13,920 --> 00:16:17,350 And then starting here, you can also rename.
167 00:16:19,970 --> 00:16:26,990 Right-click in Ghidra, or press L in Ghidra, and call this a pointer, to point out that it's just a
168 00:16:26,990 --> 00:16:34,140 memory address: ptr underscore my
169 00:16:37,350 --> 00:16:38,970 input. So ptr_my_input.
170 00:16:40,530 --> 00:16:42,000 And then if you go down further,
171 00:16:43,940 --> 00:16:46,190 it is trying to do some string operations.
172 00:16:48,630 --> 00:16:54,930 You don't have to understand every single line. Just from the high-level conceptual view, it's good
173 00:16:54,930 --> 00:16:55,260 enough.
174 00:16:56,170 --> 00:17:02,890 So just by looking at it like this, you can see it is taking your input and using it in various pieces, and
175 00:17:02,890 --> 00:17:08,460 doing some kind of string operation with the key input.
176 00:17:08,500 --> 00:17:15,010 So even if you didn't understand every single line, still you can guess that they are comparing these
177 00:17:15,010 --> 00:17:15,560 two things.
178 00:17:15,910 --> 00:17:21,040 So this makes it highly likely that this is actually the actual key.
179 00:17:21,850 --> 00:17:22,250 Right.
180 00:17:22,270 --> 00:17:29,200 And then, based on this, it will store the result of your comparison, probably in this variable.
181 00:17:29,200 --> 00:17:29,520 Why?
182 00:17:29,530 --> 00:17:36,180 Because at the end, after doing all this, it is going to check whether uVar3 is zero.
183 00:17:36,610 --> 00:17:41,050 That means this one you can probably rename now as result.
184 00:17:41,710 --> 00:17:41,960 Right.
185 00:17:41,980 --> 00:17:44,870 Rename it to result here.
186 00:17:44,950 --> 00:17:50,980 OK, so if the result is zero, then it shows you a good message, right.
187 00:17:51,010 --> 00:17:59,650 So from here you have a very good basis for suggesting that this is your actual key, so you can test
188 00:17:59,650 --> 00:17:59,870 it out.
189 00:17:59,930 --> 00:18:10,590 Now you can go to our crackme. So we just run our crackme and then try to enter the password.
190 00:18:12,160 --> 00:18:16,470 So from here, your password is this one.
191 00:18:18,340 --> 00:18:19,650 So we just copy.
192 00:18:21,090 --> 00:18:26,130 And right-click, just right-click, Copy, and then from here, directly paste.
193 00:18:28,080 --> 00:18:28,630 There you go.
194 00:18:29,100 --> 00:18:33,010 So we solved this crackme by reversing it in Ghidra.
195 00:18:33,660 --> 00:18:34,920 Before we leave,
196 00:18:34,950 --> 00:18:39,180 I want to show you another feature under Window.
197 00:18:39,200 --> 00:18:42,650 You can also look at the call trees here.
198 00:18:43,620 --> 00:18:45,080 So Window, Function Call Trees.
199 00:18:45,090 --> 00:18:48,120 It will show you two panels at the bottom.
200 00:18:48,600 --> 00:18:52,560 On the left is incoming calls, and on the right, outgoing calls.
201 00:18:53,370 --> 00:18:58,160 The outgoing calls are all the functions contained within main.
202 00:18:59,040 --> 00:19:06,990 So you can see main. Inside main are all these outgoing calls, or outgoing functions, like the string functions, and
203 00:19:07,350 --> 00:19:09,860 over here MessageBox.
204 00:19:09,930 --> 00:19:11,820 It should be down here somewhere.
205 00:19:11,830 --> 00:19:17,910 It's got a few message boxes here, and GetDlgItemText is found here, and so on.
206 00:19:18,480 --> 00:19:24,840 And on the left panel is your incoming calls. Incoming calls list all the parents of main.
207 00:19:25,380 --> 00:19:30,840 That means the other functions which call main, for example, WinMain.
208 00:19:31,200 --> 00:19:33,890 And this tallies up nicely with our graph.
209 00:19:33,900 --> 00:19:41,220 So you go back here to Window and click on Function Call Graph, and you can see we have a parent for main.
210 00:19:42,520 --> 00:19:50,590 And compare it with your call trees. WinMain is the incoming reference, so WinMain is the parent, over
211 00:19:50,590 --> 00:19:56,680 here WinMain is the parent of main, and then down here you see the outgoing calls, and you compare the
212 00:19:56,680 --> 00:19:57,220 graph.
213 00:19:57,850 --> 00:19:59,280 Outgoing calls are down here.
214 00:20:00,100 --> 00:20:02,740 So there are two ways to visualize your
215 00:20:03,970 --> 00:20:06,040 calls. You can use Window,
216 00:20:07,290 --> 00:20:15,120 Function Call Graph, or we can use the Window, Function Call Trees. From here: Window,
217 00:20:16,080 --> 00:20:17,970 Function Call Graph. Oh.
218 00:20:19,450 --> 00:20:22,540 Function Call Trees is also quite useful.
219 00:20:24,830 --> 00:20:26,460 The other one is Functions.
220 00:20:26,540 --> 00:20:33,560 So if you click Functions, it lists all the functions that exist in this whole program.
221 00:20:35,940 --> 00:20:43,110 This can also be docked. You can pull it out from here, you can pull it up to the top, and so it becomes a
222 00:20:43,220 --> 00:20:50,130 floating window. Then I can dock it here by pulling it inside. Not anywhere else, but inside, by putting it here.
223 00:20:50,580 --> 00:20:51,470 And it docks here.
224 00:20:51,480 --> 00:20:52,770 One, two, three, four.
225 00:20:56,170 --> 00:20:59,630 So these are the main things you can use.
226 00:21:00,610 --> 00:21:02,510 So in this lesson, you learned quite a lot.
227 00:21:03,220 --> 00:21:11,160 Yes, you learned how to identify the entry point for Windows GUI programs, how to use the string searches,
228 00:21:11,180 --> 00:21:14,940 which are Defined Strings and also Search For Strings.
229 00:21:14,990 --> 00:21:20,350 You also learned how to use the Function
230 00:21:20,680 --> 00:21:23,400 Call Trees and Function Call Graph,
231 00:21:24,360 --> 00:21:29,940 and also how to understand and search for Windows APIs, if there are any.
232 00:21:30,900 --> 00:21:33,540 So that's all for this video.
233 00:21:34,050 --> 00:21:35,700 Thank you.
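The manual walk in the video (Defined Strings, cross-references to the function that uses the failure message, rename it to main) can be automated. The following Ghidra script is an added example, not code from the video or its course: the script name FindCrackmeMain and the assumption that the crackme's failure message starts with "Wrong" are mine. Like the Defined Strings window it only sees strings the analyzer already defined, so a string found only through Search, For Strings would have to be defined first.

```java
// FindCrackmeMain.java (hypothetical name, added example, not from the video).
// Run from Ghidra's Script Manager with the crackme open in the CodeBrowser.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.DataIterator;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.SourceType;

public class FindCrackmeMain extends GhidraScript {

    // Assumed prefix of the crackme's bad message ("Wrong serial, try again").
    // Matching on a prefix keeps the script working if the exact wording differs.
    private static final String NEEDLE = "Wrong";

    @Override
    public void run() throws Exception {
        // Step 1 (Window > Defined Strings): walk every string the analyzer defined,
        // ASCII or Unicode alike.
        DataIterator it = currentProgram.getListing().getDefinedData(true);
        while (it.hasNext() && !monitor.isCancelled()) {
            Data d = it.next();
            if (!d.hasStringValue()) {
                continue;
            }
            String s = String.valueOf(d.getValue());
            if (!s.startsWith(NEEDLE)) {
                continue;
            }
            println("String at " + d.getAddress() + ": \"" + s + "\"");

            // Step 2 (double-click the XREF): follow each cross-reference back to
            // the instruction that uses the string and the function owning it.
            for (Reference ref : getReferencesTo(d.getAddress())) {
                Address from = ref.getFromAddress();
                Function f = getFunctionContaining(from);
                if (f == null) {
                    println("  xref from " + from + " (not inside a function)");
                    continue;
                }
                println("  used by " + f.getName() + " at " + f.getEntryPoint());

                // Step 3 (rename to main): only touch Ghidra's default FUN_ names so
                // a label the analyst already chose is never overwritten.
                if (f.getSymbol().getSource() == SourceType.DEFAULT) {
                    f.setName("main", SourceType.USER_DEFINED);
                    println("  renamed " + f.getEntryPoint() + " to main");
                }
            }
        }
    }
}
```

If more than one FUN_ function references a matching string, the script renames the first it meets; check the console output and the Function Call Trees window (incoming calls should show WinMain) before trusting the label.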