1 00:00:00,840 --> 00:00:06,660 Let's continue with our analysis. So we know that this is the correct function, we can rename it.
2 00:00:11,250 --> 00:00:17,500 Before we can rename it, we have to actually create a function, because at the moment it is undefined.
3 00:00:17,940 --> 00:00:25,560 So to create a function, get back to the place where this function is found, which is over here,
4 00:00:25,930 --> 00:00:27,780 the start of the push EBP.
5 00:00:28,770 --> 00:00:30,090 And how did I get here?
6 00:00:31,020 --> 00:00:36,750 I go to the string search, go back to the Unicode for the wrong message, we're here.
7 00:00:38,160 --> 00:00:42,270 And then I went back to the cross-reference to that.
8 00:00:43,660 --> 00:00:45,880 And I landed back over here.
9 00:00:48,250 --> 00:00:55,930 Correct. Now, if you want to see the rest of the three dots here, you can use this and click on
10 00:00:55,930 --> 00:00:56,710 the three dots.
11 00:00:57,190 --> 00:01:03,730 It will highlight the row you can drag, and now you can see the rest of the three dots.
12 00:01:07,500 --> 00:01:10,830 So now we have to look for the start of this function.
13 00:01:10,860 --> 00:01:17,820 This whole thing is the continuation of the function, so we need to scroll up and look for the push EBP, which
14 00:01:17,820 --> 00:01:19,950 marks the start of this function.
15 00:01:22,750 --> 00:01:23,940 Push EBP.
16 00:01:24,980 --> 00:01:25,610 There you go.
17 00:01:26,470 --> 00:01:34,880 So once you have found the push EBP, you can recreate a function here by clicking and selecting Create Function.
18 00:01:35,770 --> 00:01:37,030 So now you have a function.
19 00:01:38,880 --> 00:01:46,290 And now you can double click on this, go back to the decompiler, and now you have a proper function
20 00:01:46,380 --> 00:01:48,220 rather than an undefined function.
21 00:01:48,780 --> 00:01:54,570 So now you can rename it. My recollection is pressing L on the keyboard, and rename it.
22 00:01:57,640 --> 00:02:01,960 And we can call this check serial key.
23 00:02:06,340 --> 00:02:08,350 It could be anything you like.
24 00:02:11,300 --> 00:02:19,050 Right now, in the check serial key function, we will start from what we know. We know for sure that this
25 00:02:19,050 --> 00:02:20,240 variable is important.
26 00:02:20,540 --> 00:02:23,350 It needs to be zero in order to be correct.
27 00:02:24,080 --> 00:02:28,610 So iVar1 is probably an integer.
28 00:02:28,860 --> 00:02:32,570 We can rename it as result.
29 00:02:36,410 --> 00:02:45,470 And this result is coming from this function. This function is doing some kind of comparison, I believe,
30 00:02:45,840 --> 00:02:53,930 and if I look further, there seems to be a Windows API.
31 00:02:55,640 --> 00:02:56,760 GetLocalTime.
32 00:02:56,780 --> 00:03:00,970 So let's go to Google and look it up.
33 00:03:06,200 --> 00:03:07,730 GetLocalTime,
34 00:03:10,850 --> 00:03:13,280 and probably this is the one that you want.
35 00:03:18,380 --> 00:03:20,250 GetLocalTime, let's check it out.
36 00:03:23,260 --> 00:03:26,890 So GetLocalTime will return
37 00:03:30,350 --> 00:03:40,960 the system time to the parameter in which it is passed, and lpSystemTime is a structure
38 00:03:41,830 --> 00:03:44,260 to receive the current local date and time.
39 00:03:45,880 --> 00:03:51,430 So that means we can rename this local variable to become
40 00:03:52,850 --> 00:03:53,670 system time.
41 00:03:54,560 --> 00:03:56,540 So this is the system time.
42 00:03:57,320 --> 00:03:58,220 So let's rename it.
43 00:04:06,820 --> 00:04:13,740 All right, so on the system time now, we are doing some kind of operation.
44 00:04:14,220 --> 00:04:17,340 System time, you can see here.
45 00:04:19,250 --> 00:04:28,670 All right, let's see, refer to the API documentation once more and see what it does. In order to get a better
46 00:04:28,670 --> 00:04:35,000 understanding of what the system time structure is, we need to enter this, right?
47 00:04:35,060 --> 00:04:37,070 Click, open in a new tab.
48 00:04:38,860 --> 00:04:40,090 And here is
49 00:04:41,900 --> 00:04:51,140 the struct explanation: what is SYSTEMTIME about? The first member is year, the second
50 00:04:51,140 --> 00:04:52,460 member is month, and so on.
51 00:04:53,330 --> 00:04:54,940 So what is it trying to do here?
52 00:04:54,950 --> 00:04:55,850 It is system time.
53 00:04:58,850 --> 00:05:03,830 It is performing a bitwise operation, so we can look it up.
54 00:05:05,000 --> 00:05:07,520 I've already got the page open here.
55 00:05:09,910 --> 00:05:19,120 And you can see bitwise binary shift right here: the left operand's value is moved right by the number
56 00:05:19,120 --> 00:05:21,610 of bits specified by the right operand.
57 00:05:22,530 --> 00:05:29,470 So when you use this understanding with this, it means you are shifting by hex 10.
58 00:05:29,890 --> 00:05:33,330 Then hex 10 is 16, 16.
59 00:05:33,880 --> 00:05:41,110 So that means we are accessing probably,
60 00:05:44,590 --> 00:05:50,140 definitely not the first one, probably we are shifting into the other members.
61 00:05:50,890 --> 00:05:53,890 So what is it supposed to be?
62 00:05:56,800 --> 00:06:01,780 Supposedly two bytes, or 16 bits?
63 00:06:03,880 --> 00:06:04,820 Sixteen bits.
64 00:06:05,170 --> 00:06:14,530 So when you perform a shift of 16 bits, that means you're accessing the second member, the second member.
65 00:06:16,330 --> 00:06:23,890 So if one is 16, if you perform a shift operation of 16, that means you're accessing the
66 00:06:23,890 --> 00:06:25,990 month, the month.
67 00:06:27,910 --> 00:06:32,960 So over here, you are shifting 16 bits to access the month.
68 00:06:32,980 --> 00:06:37,900 So this local variable is the month, literally it is the month.
69 00:06:41,530 --> 00:06:53,380 So now you have month here, and the next line, what is local_c? local_c is 16, and you
70 00:06:53,380 --> 00:06:55,000 need to find out what local_c is.
71 00:06:57,450 --> 00:07:04,300 So sometimes we don't get any clue by looking at the decompiler.
72 00:07:05,370 --> 00:07:11,260 We can go back to the listing view to get some more hints.
73 00:07:13,890 --> 00:07:23,910 And the other thing is the wsprintfA. I think this is wsprintfA because it takes this as a parameter
74 00:07:24,390 --> 00:07:26,350 to perform some kind of operation.
75 00:07:27,240 --> 00:07:28,980 So what is wsprintfA?
76 00:07:32,230 --> 00:07:41,170 If you look up the Internet, search for wsprintfA, it takes a list of format specifiers
77 00:07:41,830 --> 00:07:43,540 to construct a string.
78 00:07:47,520 --> 00:07:56,520 So, for example, if you have this kind of buffer and you were using wsprintfA, if
79 00:07:59,460 --> 00:08:12,240 you put the target string here, followed by your format specifier, and then it will pull all
80 00:08:12,240 --> 00:08:13,650 your other strings here.
81 00:08:23,390 --> 00:08:33,510 So in the end, it will get a target string which is made up of string A, B and C all joined together
82 00:08:33,510 --> 00:08:34,500 in one string.
83 00:08:35,280 --> 00:08:43,680 So if you had something like this, then your target string would become
84 00:08:45,700 --> 00:08:54,640 this dash, so dash this dash, which is coming from here, and then followed by the one one
85 00:08:57,130 --> 00:09:05,830 coming from here, two two coming from here, then A, B and C coming from here, which is C. So this
86 00:09:05,830 --> 00:09:08,420 is the meaning of format specifiers.
87 00:09:13,510 --> 00:09:18,200 So this is a kind of format specifier: a string, integer, integer, integer.
88 00:09:18,970 --> 00:09:22,150 So in the end, your target string will be this.
89 00:09:23,020 --> 00:09:32,570 This will be the target string, so we can make some deductions by analyzing the code here.
90 00:09:33,100 --> 00:09:35,690 We know that the target string is the first one.
91 00:09:35,710 --> 00:09:36,990 This is this one.
92 00:09:37,000 --> 00:09:43,960 So this must be the target string, so we can relabel this string as the target string.
93 00:09:48,510 --> 00:09:56,520 So target string is actually my serial key, the actual key, actual key string,
94 00:09:59,880 --> 00:10:08,190 so we make assumptions like this and modify as we discover more data and more facts. That means
95 00:10:08,190 --> 00:10:13,520 this one must be the format string, so we can relabel it as format string.
96 00:10:16,950 --> 00:10:24,300 So from this, we now can deduce that all the parameters above are the parameters that we push to be
97 00:10:24,300 --> 00:10:26,200 used by this function.
98 00:10:27,240 --> 00:10:29,640 So you have month, you have
99 00:10:30,000 --> 00:10:35,100 local_c, which we don't know what it is, but we know for sure month is month,
100 00:10:35,170 --> 00:10:43,950 one of the parameters used by this function. And if we are lost like this, sometimes it's good to go back
101 00:10:43,950 --> 00:10:46,960 to the listing view, the assembly.
102 00:10:48,120 --> 00:10:55,950 So this is the portion where you move parameters to wsprintfA, and this is where you call the function wsprintfA.
103 00:10:57,090 --> 00:11:02,730 So over here above will be all your parameters that are used by your wsprintfA.
104 00:11:03,630 --> 00:11:06,450 So we can see that one of the parameters is month.
105 00:11:07,500 --> 00:11:10,680 Just turn this on, one of the parameters is month.
106 00:11:13,800 --> 00:11:24,250 Month. Then, so we have three others. This one is typically used for storing strings, probably this
107 00:11:24,250 --> 00:11:31,840 would be the target string, so we can just relabel this as target, this is editable, and call it target
108 00:11:33,430 --> 00:11:33,970 string
109 00:11:36,730 --> 00:11:38,730 and then this one is month.
110 00:11:38,740 --> 00:11:47,050 So what are the other two? A lucky guess would be: here, year, and here, day.
111 00:11:48,160 --> 00:11:51,520 So we assume that this is year.
112 00:11:51,520 --> 00:11:57,190 We can call this year, we can call it year,
113 00:12:01,270 --> 00:12:08,110 and we can edit this to be day, just change the label.
114 00:12:11,500 --> 00:12:18,760 And it makes sense because month is extracted from, you can see here, extracted from the system time.
115 00:12:19,210 --> 00:12:22,810 So it makes sense that the other two are also coming from system time.
116 00:12:23,260 --> 00:12:28,210 So we can deduce that most probably all three are coming from system time.
117 00:12:28,720 --> 00:12:39,090 And we can go back to system time to take a look. System time has year, year, month and day, how these
118 00:12:39,160 --> 00:12:40,360 three things are like this.
119 00:12:41,170 --> 00:12:45,880 So we can base it on this, and on the evidence we have seen, it is a good
120 00:12:46,920 --> 00:12:54,060 deduction that probably this is the month, year and day. And you can confirm the year further by looking
121 00:12:54,060 --> 00:12:55,120 at param one.
122 00:12:55,740 --> 00:13:02,190 So when you look at param one, param one receives the pointer to the address of this structure.
123 00:13:03,210 --> 00:13:07,710 So the pointer to a structure is the first element of the structure, usually.
124 00:13:08,820 --> 00:13:12,420 And what is the first element of the structure here?
125 00:13:14,480 --> 00:13:24,560 So that one is actually a pointer to the year, so we can actually rename this param one
126 00:13:27,370 --> 00:13:29,750 pointer to
127 00:13:33,370 --> 00:13:41,650 system time, and this is a pointer to system time, it also points to the year
128 00:13:47,260 --> 00:13:56,340 pointer, so we can probably call it pointer to system time, and the first element.
129 00:13:56,800 --> 00:14:01,940 So the first element of the pointer to this structure is year itself, right?
130 00:14:02,040 --> 00:14:03,340 So this makes more sense now.
131 00:14:04,330 --> 00:14:06,580 So most likely we are right.
132 00:14:06,850 --> 00:14:10,750 You see here year, here month and day.
133 00:14:11,950 --> 00:14:15,970 And this one probably is the string, this one.
134 00:14:17,280 --> 00:14:27,030 The string, so the string is probably the user name, because when we go back and take a look at the
135 00:14:27,990 --> 00:14:32,420 crackme, it asks for a name. There must be a reason why it asks for a name.
136 00:14:33,270 --> 00:14:36,450 It's probably going to use it to create the serial key.
137 00:14:36,960 --> 00:14:42,330 And then when we see this string component here, we can more or less guess that this must be the name
138 00:14:42,470 --> 00:14:43,010 you enter.
139 00:14:43,650 --> 00:14:46,930 So it requires a parameter for that.
140 00:14:46,950 --> 00:14:48,330 So there must be this.
141 00:14:48,840 --> 00:14:53,300 So now that we have examined everything, we can relabel based on new findings.
142 00:14:53,730 --> 00:14:58,350 So this is not just a string, we can relabel it as name.
143 00:15:02,290 --> 00:15:04,570 Input string, so now this makes sense.
144 00:15:04,720 --> 00:15:13,180 It makes a lot of sense: the name string goes to the %s in the format specifier, the year goes to
145 00:15:13,180 --> 00:15:20,760 the next one, the year goes to the other specifier, and then the rest goes to the last one.
146 00:15:21,340 --> 00:15:32,950 So this is verifying our hypothesis. We saw this: now the wsprintfA coming from here, that has been
147 00:15:33,130 --> 00:15:40,120 coming from here, is really the assembling of all these parameters, and this is the key.
148 00:15:40,150 --> 00:15:45,810 So based on this, we can more or less guess now what our serial key is.
149 00:15:46,600 --> 00:15:49,460 So the first parameter will be whatever you enter.
150 00:15:50,440 --> 00:15:58,470 So if that's test, then you set that, then you insert a year.
151 00:15:59,230 --> 00:16:04,750 So let's say 2021, then you insert a month.
152 00:16:05,170 --> 00:16:07,500 Now it is March, so month is three.
153 00:16:08,050 --> 00:16:11,350 And finally the day.
154 00:16:11,830 --> 00:16:13,560 So today's date is 19.
155 00:16:13,960 --> 00:16:15,130 You can go up here.
156 00:16:15,130 --> 00:16:21,610 And where we are now is to confirm the date, so March 2021.
157 00:16:22,260 --> 00:16:22,540 Right.
158 00:16:22,630 --> 00:16:27,640 So now we're going to test this hypothesis and see.
159 00:16:28,000 --> 00:16:28,230 Right.
160 00:16:28,720 --> 00:16:38,980 So I'm going to enter test, and then the serial key will be test, followed by 2021, 3 and 19, like
161 00:16:39,280 --> 00:16:39,580 this.
162 00:16:41,230 --> 00:16:43,220 Yes, correct.
163 00:16:43,420 --> 00:16:44,920 So now you have solved this
164 00:16:45,070 --> 00:16:45,670 crackme.
165 00:16:46,180 --> 00:16:48,130 So this is how you do analysis.
166 00:16:48,130 --> 00:16:53,170 Sometimes the decompiler is not accurate and makes mistakes.
167 00:16:53,590 --> 00:17:02,410 So we have to read between the lines, and then go and analyze the other things in the listing, refer
168 00:17:02,440 --> 00:17:10,780 online to the API documentation like this, and then open up a notepad as a scratchpad to make your notes and test
169 00:17:10,780 --> 00:17:11,580 hypotheses.
170 00:17:12,130 --> 00:17:17,770 If your hypothesis is wrong, you redo, redefine, change, and then test how it goes.
171 00:17:17,770 --> 00:17:20,450 Again, that's all for this video.
172 00:17:20,500 --> 00:17:21,940 Thank you for watching.