1
00:00:00,510 --> 00:00:07,050
All right, so now let us try to solve level one here. Level one here, let's open a terminal.

2
00:00:09,680 --> 00:00:11,060
So let's run this one.

3
00:00:14,510 --> 00:00:23,720
And it asks for a password. If you give the wrong password, it just shows you a dash, so you need to

4
00:00:23,990 --> 00:00:31,730
supply the correct password in order for it to show the key, and the key, you use it to unlock level

5
00:00:31,730 --> 00:00:33,150
two with v1.

6
00:00:34,280 --> 00:00:37,460
So let us now open x1 with IDA.

7
00:00:50,290 --> 00:00:50,800
New.

8
00:00:53,300 --> 00:00:56,750
And Open, go to the reversing folder.

9
00:00:59,290 --> 00:01:01,630
In level one, open x1.

10
00:01:09,190 --> 00:01:15,070
OK, so this is the disassembled code, and the first thing that is interesting is this line.

11
00:01:16,110 --> 00:01:25,560
You see this quite symmetric string, and the difference is that it has got a forward slash and

12
00:01:26,220 --> 00:01:28,050
a backward slash.

13
00:01:30,400 --> 00:01:37,330
So this might suggest that these are some escaped characters, and you can double-click on this and go to

14
00:01:37,330 --> 00:01:46,870
the data section to take a look, and on the right-hand side is a character which is not shown here.

15
00:01:47,260 --> 00:01:48,850
So this is the original string.

16
00:01:51,360 --> 00:01:58,200
So a reasonable guess would be that this is a password, so you can try to just copy this.

17
00:02:01,640 --> 00:02:14,120
And then go to the terminal and right-click, paste this, hit enter, and true enough, that is the password.

18
00:02:14,420 --> 00:02:17,760
So this is the key to unlock level two.

19
00:02:18,650 --> 00:02:26,990
So another way to do this is to use the strings util, so you can head into the

20
00:02:29,840 --> 00:02:31,160
folder where x1 is

21
00:02:34,400 --> 00:02:45,170
and use strings on x1, and here you see, this is also the password, shown here in clear

22
00:02:45,170 --> 00:02:45,590
text.

23
00:02:46,360 --> 00:02:50,470
OK, so now that we've got this key, let's try to use it with v1.

24
00:02:51,560 --> 00:02:53,030
So let's copy this.

25
00:02:53,720 --> 00:02:54,740
Right-click, copy.

26
00:02:56,270 --> 00:02:58,070
And now we run v1.

27
00:03:00,510 --> 00:03:01,680
And we paste

28
00:03:02,890 --> 00:03:06,920
the key, hit enter, and it looks encouraging.

29
00:03:07,540 --> 00:03:11,110
So now you see this, ls.

30
00:03:11,170 --> 00:03:17,290
You see there's a new folder being created, meaning it will unlock level two.

31
00:03:20,090 --> 00:03:28,660
OK, so let's compare this to the parent directory, so we go to the file manager here and we see we

32
00:03:28,700 --> 00:03:30,110
have v2 here. Right-

33
00:03:30,110 --> 00:03:31,660
click on this, cd,

34
00:03:32,180 --> 00:03:37,750
go to the parent directory, and ls here. Now, you open the v2 folder.

35
00:03:38,060 --> 00:03:40,700
You also see v2 and x2.

36
00:03:40,910 --> 00:03:42,850
So this is our next challenge.

37
00:03:43,610 --> 00:03:50,060
But before we move on to the next challenge, let us try to analyze and understand more about this

38
00:03:50,070 --> 00:03:50,600
x1.

39
00:03:51,740 --> 00:03:57,860
Because the knowledge from analyzing x1 will probably be useful for the future levels.

40
00:03:58,820 --> 00:04:01,950
Press the Escape key to go back to the previous view.

41
00:04:03,400 --> 00:04:10,660
So it seems like this box here, string compare, is comparing two strings, so the two strings it is comparing

42
00:04:11,500 --> 00:04:12,460
are probably these two.

43
00:04:14,070 --> 00:04:23,840
These two here are passed as parameters to the string compare function, so let's, on this variable,

44
00:04:23,850 --> 00:04:32,790
put your cursor in front, press N, and rename it to g_input_string, g for global.

45
00:04:37,730 --> 00:04:43,130
To confirm that this is indeed a global variable, you can actually double-click on this to go to

46
00:04:43,130 --> 00:04:49,340
the section for uninitialised data, and you can see it is indeed global.

47
00:04:50,580 --> 00:04:59,310
Anything in .bss is data that holds global variables, so it's global, and the size of this one being X,

48
00:04:59,470 --> 00:05:04,440
and then, you know, this here, .bss, is the segment.

49
00:05:05,040 --> 00:05:06,920
So it's called .bss.

50
00:05:07,530 --> 00:05:11,190
So this is a global variable, uninitialised.

51
00:05:11,460 --> 00:05:16,440
So this is the declaration for creating an uninitialised variable.

52
00:05:16,620 --> 00:05:24,870
That's how you declare it, and let's take a look around so that we're more prepared for the next level.

53
00:05:25,740 --> 00:05:28,030
Following the comparison, after the compare,

54
00:05:28,340 --> 00:05:35,810
you can go left or right, and here, because of the exclamation dash, this is a failure block.

55
00:05:36,330 --> 00:05:47,520
So we can put a comment here, and use that to enter the comment and type failure.

56
00:05:52,580 --> 00:06:02,360
And if you remember, this one came from here; the failure block is just coming from here.

57
00:06:03,710 --> 00:06:10,670
Here's how we know that this is a failure block, and then for the success block, you get this exclamation

58
00:06:10,670 --> 00:06:15,620
mark and a plus symbol, which is coming from here. It's clear.

59
00:06:16,070 --> 00:06:19,820
I mean, this is a success block, so we can put a

60
00:06:19,820 --> 00:06:25,970
comment in here, press the key, and then type success.

61
00:06:29,570 --> 00:06:34,730
A lot of reverse engineering is just renaming labels and inserting comments.

62
00:06:36,330 --> 00:06:45,510
And then from here, it says that after the print of "success!+", it is supposed

63
00:06:45,510 --> 00:06:49,590
to print the actual key here. Let me remind you:

64
00:06:50,680 --> 00:06:55,600
after printing the exclamation and plus, you get your key.

65
00:06:55,660 --> 00:06:57,040
So where does this come from?

66
00:06:57,640 --> 00:07:05,320
It can only come from something that came after the printf, which is this function here.

67
00:07:06,220 --> 00:07:09,040
So this is a function which prints a key.

68
00:07:11,020 --> 00:07:18,690
So we can rename this by typing N and typing in print key.

69
00:07:20,740 --> 00:07:27,820
Now, a lot of reverse engineering is all about renaming labels and also inserting comments.

70
00:07:28,330 --> 00:07:36,520
So the more labels that you can rename and the more comments that you can insert, the easier your disassembly

71
00:07:36,520 --> 00:07:40,930
and reverse engineering becomes to understand.

72
00:07:42,220 --> 00:07:52,360
It seems that this function, print key, is also using the input string to derive the key, as you

73
00:07:52,360 --> 00:07:54,330
can see before the call is made.

74
00:07:54,700 --> 00:07:58,170
This is a parameter that is moved into the register.

75
00:07:59,080 --> 00:08:06,610
And one of the principles of assembly is that before any function is called, the preceding statements

76
00:08:06,790 --> 00:08:14,110
prepare the parameters for the function call, just like for printf: before printf is executed, you

77
00:08:14,110 --> 00:08:16,130
prepare the parameters for printf.

78
00:08:16,840 --> 00:08:22,110
So before this function is called, you prepare the parameters here for this function.

79
00:08:23,320 --> 00:08:29,500
One of the essential differences between 64-bit and 32-bit programs is that 32-

80
00:08:29,500 --> 00:08:37,630
bit programs frequently use push, push to the stack, as a method of passing data before the

81
00:08:37,630 --> 00:08:38,520
function is called.

82
00:08:39,220 --> 00:08:42,420
But 64-bit programs

83
00:08:42,430 --> 00:08:51,010
normally use fastcall, which means they use the registers to hold parameters for the function call.

84
00:08:51,970 --> 00:08:55,380
Now let's analyze the first block here to see what is happening.

85
00:08:55,900 --> 00:09:03,400
We have a C function, fdopen, and fdopen can be used to open files,

86
00:09:03,400 --> 00:09:08,170
or even standard in, the terminal input.

87
00:09:08,530 --> 00:09:14,410
Whenever you have a terminal input like this, this is called standard in, and you can see from here,

88
00:09:14,980 --> 00:09:22,840
before the function call, you are here preparing the parameters to the function, and fdopen

89
00:09:22,840 --> 00:09:25,210
here accepts two parameters.

90
00:09:26,230 --> 00:09:28,230
The first one is the file descriptor.

91
00:09:28,720 --> 00:09:30,120
The second one is the mode.

92
00:09:30,520 --> 00:09:32,730
And you can check it up online using Google.

93
00:09:33,730 --> 00:09:38,730
And here is a description of fdopen from documentation for C programming.

94
00:09:39,340 --> 00:09:41,080
And fdopen's first parameter

95
00:09:41,190 --> 00:09:48,760
is the file descriptor. The file descriptor can be standard in, which is your terminal input, or it can

96
00:09:48,760 --> 00:09:55,420
be an actual file, and then the second parameter is the mode, which can be for reading, for writing, and so

97
00:09:55,420 --> 00:09:55,590
on.

98
00:09:56,290 --> 00:09:58,920
So these are the two parameters for fdopen.

99
00:09:59,560 --> 00:10:03,850
So when you see zero here, that means this is standard in.

100
00:10:04,930 --> 00:10:13,150
And here is a comment that IDA has helpfully put in for this zero, so we can insert here a helpful

101
00:10:13,150 --> 00:10:19,910
anterior comment, just like this line, and press Insert to insert your comment.

102
00:10:21,370 --> 00:10:30,820
So here you can see fdopen, and then the first parameter is standard in, which is your terminal input,

103
00:10:31,450 --> 00:10:35,220
and it is for reading, r.

104
00:10:36,540 --> 00:10:37,740
As you can see here.

105
00:10:39,200 --> 00:10:46,340
r. And then, coming back to the description for fdopen, it returns a pointer to a file.

106
00:10:47,990 --> 00:10:55,760
So taking a look at this, it puts the result here into RAX; every function returns its result in

107
00:10:56,480 --> 00:10:56,950
RAX.

108
00:10:56,990 --> 00:11:05,720
So RAX holds this, and in this case, the result is copied into the stream variable, which

109
00:11:05,720 --> 00:11:07,970
is in the code segment.

110
00:11:08,390 --> 00:11:16,450
So stream is the file pointer that returns from fdopen, so we can modify our anterior comment: click

111
00:11:16,490 --> 00:11:21,860
on that, press Insert, and then here we can make it even clearer.

112
00:11:24,230 --> 00:11:27,050
Returns a file pointer to stream.

113
00:11:28,750 --> 00:11:36,790
So over here, we see it preparing these arguments, parameters, for the next function call,

114
00:11:37,300 --> 00:11:45,790
and it is passing the input string, and it's also passing a value, which is 1B. So 1B is

115
00:11:48,280 --> 00:11:49,150
twenty-seven.

116
00:11:50,720 --> 00:11:56,610
Twenty-seven, so if you click on stream here and go to this location, you can see the size of the

117
00:11:56,610 --> 00:11:58,730
input string is 27,

118
00:11:59,760 --> 00:12:02,670
which is 1B. Press Escape.

119
00:12:04,090 --> 00:12:11,320
You can rename it, just press N, and we can call it function read string.

120
00:12:15,860 --> 00:12:19,080
So this concludes our reverse engineering of

121
00:12:19,230 --> 00:12:21,260
level one. Thank you for watching.