Time
32 minutes
Difficulty
Intermediate

Video Transcription

00:00
Hello, sir. Librarians and welcome to the latest breaking stuff with Joe Video. I am your host, the eponymous Joe Perry. And if you're familiar with this, Siri's or with Meet the real quick rundown is breaking Stuff With Joe is an ongoing series of standalone episodes
00:18
where in each video we take apart
00:20
a different tool. A different utility used cybersecurity Righty. This video is gonna be focusing on the cool item, the interactive disassemble I. As I said, I'm Joe Perry. I'm the director of research here at Psy Berry, and it is my absolute pleasure that every day I get to come in and create material like this to help people learn about the tools
00:37
and understand how to use them to further their own careers. Success in the field?
00:41
I've been here broke just a couple of months now. I came here from the federal government where I was an engineer, a security researcher and just sort of an all around jack ball cybersecurity trades. So that's me. That's what this course is gonna be about. Let's talk a little bit more about the details. So before we go any further, I do want to say this is gonna be a little bit more advanced than some of the material on Cyber Mary
01:00
to date and even more advance in, you know, some of our earlier videos
01:04
because of the fact we're dealing with Ida. We're dealing with a disassembly. There's a lot of prior knowledge that's gonna make this easier to follow. So if you're not familiar with assembly program and you're not familiar with data structures, if you're not familiar with the weight functions are actually called on the way they work. This class is this 30 minute video is probably gonna get kind of tough to follow.
01:23
Additionally, it's very, very, very important that you be capable of using VM. You understand
01:27
how to make use of virtual machines in general just because of the fact that we're gonna be working in one. And it's very important to be able to use those tools effectively when you're doing any kind of reverse engineering. Because when you're doing things like malware analysis or reversing some some malicious tool, it is essential not to do that on your host machine where it might get access to important data.
01:48
So be EMS assembly program knowledge and general pouring knowledge are gonna be the three skills and really need to be successful
01:53
watching this video and to get the full use out of it. So if you have those, or if you're willing to pretend you have those for the next 30 minutes, what are we gonna be learning? We're gonna focus. First, we're gonna learn how to actually pull down and install. I did a really basic setup. We're going to see what happened when I'd actually disassemble the file. So before any actual activity is undertaken by the user,
02:12
what is it actually doing under the hood?
02:14
Then we're gonna look at a sample executed. We're gonna understand all the different Windows and utilities built into Ida and how those could be useful to us as reversion Rivers engineers.
02:23
Now, this is the first part of what's actually gonna be a two part either, too, for the way you were looking for the really advanced material. You know, howto beatrix like P trace and howto take apart, you know, a bit more of a complex for a bit more impressive file that's gonna be coming up in a couple of weeks in the same series breaking stuff, Joe. It's not necessarily gonna require this video,
02:42
but if you do find this one to be a little bit easy or something you already knew
02:45
Totally fine. We're gonna have a video just for you in a couple of weeks. As I said, I'm Joe Perry. You were watching breaking stuff with Joe this episode. It's all about item.
02:54
All right, So what we're gonna be working in today is gonna be a robot to 64 bit BM which is the B M that we've used in the previous breaking stuff with Joe videos and that I've actually used in a lot of other coursework that I created for Cyber Eri. It's sort of my old reliable. It's just the bm that I use for basically everything I need to do in this in this program.
03:13
So we're trying to Obviously our first objective is to download Ida and install it for use.
03:20
In order to do that, we're gonna open up our web browsing.
03:23
We're gonna navigate Hex raised up
03:27
on X rays. You can see. First of all, this is a website that's pretty obviously built by an engineer. That's not to say anything negative about hex rates. I'm actually a huge fan of theirs. And obviously idea is one of the most amazing products ever sent ever put together or reverse engineering. But this is how I would design a website.
03:43
Which is kind of why Cyberia doesn't let me design our website
03:46
So inside of this to get to the actual item download, it's a little bit
03:51
nasty to try and navigate. What we're gonna do is we're gonna pick this link right here where it says disassembling
03:55
that's gonna take us to the products.
04:00
Where is
04:02
it's not the button I met depressed. It's not the dis assemblers. We're gonna hit the our products linked.
04:06
We're gonna go here. We see Ida,
04:11
that will eventually load. Now, here's where it gets a little weird because instead of finding an easy download link, we're actually gonna click this evaluation virgin, and that's just gonna take us to the full download page. So the actual link that you can find in the world, including our supporting our supplemental material is just hex res dot com products Ida support download as HTML.
04:30
Then once we're here, we're gonna hit this itis seven notto free where we're gonna pick the one for our operating system. I find it kind of fascinating. There's one for Mac. I don't know. Very many reverse engineers work with Mac, but I think it's pretty cool if there is one we're gonna download, obviously for limits, since we're working the limits. BM
04:46
However, I'm not actually going to download that because I already have it downloaded onto this PM just to save a little bit down with it doesn't take terribly loan. It's, you know, it's It's a pretty small file altogether, only about 45 minutes. So it shouldn't take terribly long to download. But I have learned from, you know, a few years of making videos like this that
05:05
anything you rely upon to happen quickly will happen very,
05:09
very slowly. We're gonna get to downloads where we've stored.
05:13
You can see we have a right of free. I didn't have to do with Jamaat on this, So just 777 give information to be executed,
05:20
and then we're gonna hit about Slash, to indicate, execute this man.
05:27
It's gonna take just a second and then it will pop up our Hui window here pretty much everything we do in idea is gonna be done through the DUI just because it is. It's a disassembly tool that's designed to show you really cool graphs and structures and make it easier to understand. So it kind of defeat the purpose for that.
05:43
Now you're gonna read this license agreement, Hopefully, fully, you're going to go through the whole thing and make sure that you're willing to be on board with using Ida the way it's indicated that license agreement. If you are not on board with that, you can you can resolve your disputes in the district court in Bellevue. So, yeah, if you want to start a fight with Ida, I guess it's a great way to get a free trip to Belgium.
06:02
Well, it probably won't be free,
06:04
but it's certainly a trip to Belgium. So we accept the agreement we hit forward. We give it the installation directory. The default generally is gonna work just fine with it. Forward again.
06:15
All right, so now we have finished installing, and once we hit this, it's gonna give us it's gonna actually give us a desktop icon of items and see it right here beside every desktop
06:25
uh, what we're gonna be doing now that the sort of the the objective going forward is we have a couple of files written by a novice programmer and that novice program will remain nameless. But he looks a lot like me about 10 years ago. And so to find those, we're gonna go ahead and just popped back into our show really fast. We're gonna change two documents
06:46
breaking stuff. Joe, I had a lesson,
06:48
and we're gonna do a quick L s U C here. We have to execute the uptown, and we have aged h w. We can assume is a hello world, but hello, world isn't quite operating correctly. And you can see that because when we run it,
07:02
it personal spits out a segmentation full. And if we try and run it maybe with an argument, it says goodbye now, obviously, that's not something how the world should ever do. So we're gonna have to figure out what's causing. That was gonna be our first objective here is to just open that up. And I didn't figure out what's wrong with now. Of course, our second learning objective is learning. Exactly what I did is doing or learning
07:23
in a broad sense. What I do is doing
07:25
when we started running so you can see here we have that Idol lesson that doesn't necessarily auto populate. You may have to go looking for it.
07:31
Uh, so we're just gonna go ahead and say,
07:35
Load that up, Double click on it now because of the fact that I didn't say the database so that I could display that you're going to see this. I hear this menu open up and this is the load a new file menu. So it does a bunch of work, actually, even before it has begun properly disassembling the first thing I do is doing is it's pursing the headers of your file to determine
07:55
what kind of file it is
07:57
now. It pretty immediately was able to determine this is an elf 64 which is an executed will file for linens and for UNIX based systems. It's designed for an X 86 tax six. Before we used to say, 64 bit system. All of that is correct, and it has this processor type thing here where it says meta PC. Have you click on that? You'll see that they're a bunch of other options.
08:16
Meta PC is the one that it picks when
08:18
you know, for example, you created this code in the B M or for some reason, the processor reason viable. And all that means is that instead of making assumptions based on the processor and sort of short cutting some of the disassembly, it's just gonna disassemble and examine every single op code file. And we have a few other options here. If we wanted to pick the specific loading segment,
08:37
we could do that. We could decide how we're going to start the disassembly.
08:41
We do that by disabling the analysis. Generally speaking, you're gonna leave you, not the analysis enabled. The reason for that is because Ida has so many powerful modules under the hood that it really does a huge chunk of the work for you before you ever even actually look at the code. But you may have to this you may have to disable this
09:00
and something. We'll talk about a little bit in our idea to video
09:03
in a couple of weeks because there are things that are called what we call ided the feats. There are specific ways that bull right programs intentionally to make, um, difficult or impossible to analyze with Ida. So sometimes you will actually have to click this box and disable analysis.
09:18
Unfortunately, this is not one of those times are young Aaron. Programmer is not quite skilled enough breaking things yet
09:24
to break Ida.
09:26
So all of these other option we don't really need to examine in great detail. This has a few different extra options for loading. See, here we can load. The resource is if we have any PGP files, things like that, we could do a manual loaded we want to do. We're not gonna worry about it. We're just gonna go ahead and hit, OK,
09:41
now it's gonna load up and you can see here. There's a bunch of stuff happening with no real use in action. I don't wanna talk about what just took place, and we can see some of it in the 1st 1 that we're gonna examine.
09:50
Get to resize,
09:52
which is this output window here.
09:54
You could see your it's creating in the leading new segments. It's adding relocations. It's not able to find it looking for plug ins on it's it's loading it into the actual database.
10:05
So what's actually happening under the hood? Here it is beginning. In analysis based on the data entry PR, that mother dated the fields of an assembly filer of an executed file your dot Dana, you're not be SS. You're not text, and it's going through those. And it's analyzing and finding our their structures that are obviously identifiable
10:24
are their functions that are identifiable.
10:26
Are there any problem, any chunks of code that I can't understand? You can't evaluate if there are no mark those errors or mark closes Sternal on Marco's is as problematic in some way. It's going to find out what all of your imports and exports are gonna find out again if it can identify any obvious data structures or uses of data. And it's gonna
10:45
out for all of that to the different windows that were about to explore
10:48
So under the hood. What I just doing is essentially sort of a first pass analysis saying Okay, based on jump commands based on Ellie is based on compares. This is the logic of the program, as I understand it now that what's really cool is that is something you can modify if you need to. You can regroup, renamed undefined functions right here. You see that
11:07
you can modify the analysis that it is done
11:11
if for some reason, it's inaccurate. Fortunately, in this case, like I said, it's a very, very simple program. Pretty much all of the logic of the programs have been great here. So we are gonna have to do too much to modify this analysis. So the Windows we want to look at we're just gonna go down the list as they're presented here. We just looked at the apple window. An actual issues, dysfunctions,
11:31
the functions, windows part of Ida's initial analysis, where it's going through and say, OK, what functions can I identify now? Generally speaking, if you don't have to be, if you don't have to be bugging symbols stored with your, uh your excusable what it is only going to be able to Neymar the functions that are for some for one reason or another,
11:48
very obviously given. Usually that's because they, their names are exported
11:54
by the UNIX operating system or they're identifiable, meddle in its operating system, and Ida has those saved in its database somewhere. So for example, you see that identifies, puts, identifies this this frame dummy. And of course, that identifies made because Maine is the most identical part identifiable part of any sea program.
12:13
And of course, this is all going to happen in Maine because that's the only code that's written in your average hello world file.
12:20
So that's That's the function table, and you can see there are some functions that are unnamed. And when you're doing a full analysis with IDA, those air the functions that your job is basically to go through and figure out
12:30
what is this function doing?
12:33
Identify its actual functionality. Figure out what it's supposed to be, what it's actually representing. And then in here you can actually go in and rename it.
12:41
So, for example, here I could say
12:45
junk
12:46
function,
12:50
and that's an easy shorthand. You can see now it up. Get in our function names over functions window. That's something that you can do when you're running through. I like to. When I'm when I'm disassembly. When I'm over, it's interfering something. I'll bounce through and find all of the really small, sort of obviously not terribly important functions and just give them names. Then I'll go through this. I'm working. All remain functions according to what I think they do.
13:09
A lot of times, you can put that in a number of arguments or other information there.
13:13
It's a really surprisingly important ability. Just rename news functions inside of
13:20
So that's our functions. Window, that's our functions. Name windows. Well, and we want to look at our next window here, which is the item you I'd give you a is this first happened? You see here it's the one that we've been looking at sort of front and center of the whole time. This is the actual This is the sort of graph of your function. This is
13:35
the whole thing broken out into its different logical separation. So
13:39
what's gonna happen in this is that you're gonna have different panels like this one based primarily on your jumps. So if you have a jump like you see right here, which this jump not zero command, it's evaluating. Okay, this is a conditional jump there, two possible paths that this could take it. Lives were a, for example, of switch table,
13:58
which might or might not be something
14:00
a little bit later it may have multiple arrows that go down and sort of tree out, so you have every possible execution.
14:07
But it's going to evaluate based on these jumps, and you see, here we have a jump. It's non conditional, which just means, Okay, go to this new codes
14:13
and so, generally speaking, from jump to jump, it's kind of the
14:18
simplest way that idea is gonna break code segments out. You'll see here, over in this box, there isn't actually a jump, and the reason for that essentially, is because this this this chunk of code right here is the next logical operation after this. But it's jumped from here, so I was able to immediately analyze, say, OK,
14:35
even though there's not a jump statement between these two,
14:37
this line of code or this chunk of code is logically distinct. That's a really cool feature that's kind of just built in
14:46
now. The next window we can see here is our hex view. Makes view is basically the non prettified coat. This is the code you would get if you just open this file in a hex on now. That's not to say that it's not all. It's not useful. A lot of times when you're working in idea, you might see something over here that doesn't make a whole lot of sense. When you look at that code in the same location over here, you can figure out Oh,
15:05
that's actually you know, that's a string. For example,
15:07
if it maybe wasn't identified, I could see a bunch of asking characters right after one another that may or may not be showing up over on this panel for whatever reason. But I cannot make that man. It's not may or may not be showing up in this panel for some reason, but are showing up in this one that I can see my stream.
15:22
It's a really cool sort of utility of this hex view. Generally speaking, I will admit you're not gonna spend a ton of time, innit? Just because the other feature of the other views are a little bit
15:33
next time over is the structures on? So this is a hello world, so I don't have any structures built into it. But if we did, I don't would identify. Those would say, OK, this is a struck. This is tight dept as instruct. Fantastic. On a story in this file, so that could be easily analyzed. And we can find out where that structure used and how
15:50
next one over his enumeration enumeration essentially
15:54
creating symbolic constants are creating certain names for Smith's numbers. Maybe ideas. Maybe it feels whatever it might be, the new operations tab is just gonna tell you that now the next two are a little bit more interesting. You have your imports here, which is gonna show you all of the functions that come from an extra library, all of the shared functions.
16:11
And when you're doing reverse engineering, this is one of the places where you can find out some really useful information.
16:15
You know, what functions is this important? That maybe shouldn't. What functions isn't important that don't see sense or don't even in some cases, seem to actually show up in this excusable anywhere? Why are they being important and where one of the things that you could do that will help a lot it's actually find is actually find these names
16:34
inside of where they're being referenced in, for example.
16:37
So you see here over in, for example, I did you see over here and you have your function name for puts, which is one of our imports we could figure out. OK, is this the only place that it's actually be referenced? We could do that by checking all over X reps to
16:52
and interactions cross references.
16:53
And this will show up another window, which shows that we only have one example work where used puts and that's coming for remain.
17:00
So we know what puts. Does we know what out? Put something on the screen. So before we've even really examined our main function we know. Okay, in some place this is gonna be out on the screen now. Obviously, we ran this coat already, and we know you know that this terrible programmer is trying to help with something to the screen, But that's not necessarily something we would know. Malware.
17:19
So finding those functions gives us insight into what the program is gonna be doing
17:23
before we have to take this election running and exports kind of on the other direction. Joe's is all of the functions that are being exported from this file. Generally speaking, you're you're not going to see a ton of these if it's not intended to be a library. But if it is intended to be a library, basically every function inside of me
17:41
you see here that it's primarily the two big ones Officer start in Maine, which it has to export in order to use usable.
17:48
So those are the windows that Ida has available to us. That's sort of the information, and it's able to display for us very, very easily.
17:56
Now we want to pop back over here to our right of you.
17:59
Get back. There we go.
18:00
And we're gonna look at the actual code of this program and try and figure out what exactly is wrong. As you'll remember from the start of the video. The young programmer who couldn't quite figure out what's going on for some reason is either getting a SEC fault or the word goodbye in a program that he intended to write a little world. So we're gonna figure out exactly what this young program did wrong.
18:21
And to do that, we want to examine this whole area right here, where we can immediately see the string that we want
18:26
is right there,
18:27
and the string we don't want is over here.
18:30
So our objective, your whole job is just to figure out why are we getting to this execution instead of this one?
18:37
And I didn't give us a little bit of help with that. First we see that they're different colored arrows. There things Green Arrow is leading to this box, and the red is leading the spots on the left.
18:47
Now, what the green and red arrows indicate is that the green arrow
18:51
that went haywire on the Green Arrow indicates that if the comparison is evaluated to true or if the jump is evaluated to true and it's gonna take this path, the jumpers falls this path. Now we see that this is a J A N Z, which is a jump, not zero, which actually means that if this comparison above is false,
19:11
we're gonna go over here to goodbye. And if this comparison above is true,
19:14
we're going over here to the hello world that could be a little bit wonky to try and read it. It's a little bit weird to interpret. Fortunately, once we've worked out that logic once we can save it in our memory forever, just by entered in common. We do that by hitting the semi colon. We're gonna say if come above is
19:33
friends.
19:37
Hello?
19:37
Well,
19:40
it's about Sports Prince.
19:44
Goodbye.
19:45
So now we know that one of the mistakes that this young partner made a program that's supposed to just be hello world is that he wrote goodbye in it at all. To be possible to print that already is indicating that some of the states were made and he probably wasn't paying too much attention to his homework. That's okay. We're gonna keep looking. So the comparison that's actually happening here, the decision that's being made
20:06
is based on the value in a L, which is the lower register for the E X.
20:10
It's actually the lower register of a X. So this is just a single bite being prepared against the number one.
20:15
So it seems that somewhere in this code we're trying to get the number one motor of the world.
20:22
If we look at the lines that are immediately above it
20:23
Well, hi. Letting everything We look at the lines there immediately above it. We see that we have a bunch of work in that X ray uncertainty. Ansari X In that larger set of a X registers, we didn't start trying to figure out what exactly is happening here. And if you click on R E X anywhere in this function, it's gonna be highlighted.
20:42
Not only are e x were also omits some registers, Yanks and L.
20:47
So here we can see that the first thing we do the first time we touch Ari ET's to store our V P plus Bar 10. Now, for those of you who maybe don't remember, this function prefix right here is basically a way of saving the stack. And this plus bartend is a really useful way for addressing
21:03
variables for addressing arguments to your code.
21:07
So we see here that we're addressing something that is above the above the bass player weaken. We're addressing some arguments being passed for a program, and then we're going to store whatever is, whatever is inside of that, we're gonna put into r E X. Gonna add eight to that. We're gonna find out whatever is inside of that. So
21:27
this code that's happening here maybe a little bit longer trying follow. But essentially, what we know for sure is that we're trying to find the value of some argument given to this code. And if that value turns out to have one and its lowest renders its lowest bite its least significant bite, then we're going to jump down the world.
21:45
Which means that the intent of this code is to perform a hello world.
21:52
If it gets the argument one and we can see if that actually works
21:57
and you see that it's still friends could bought. Now this is where we're able to buy just by reverse engineering this car just kind of looking at the code in its disassembled form. We could identify that something is being some mistake is being made in the way that this variable that suit. Now I'm going to skip a couple of steps and show you the actual C code here
22:15
because it gets a little bit wonky. Try and describe it all. Just assembly.
22:18
We can look back. And what we've identified here is the problem. In this code, the error exists.
22:26
Have you seen
22:27
in a comparison? It's happening right here, and you can see this is why we had that one key code that was a little hard to follow because we're getting this argument in R B. But we're getting.
22:38
We're addressing the d reference of art, and we're getting the first item in that. So this weird sort of point your behavior that's happening here, that's actually not terribly weird you're used to see is the reason why we're spitting so many link a pack of addresses and moving into the deer reference location moving out of the reference locations.
22:59
That's why that assembly looks a little bit wonky
23:02
because a little bit of walking right here. But the great news is we can give the advice for young programmer that instead of having this if else statement that should never have existed in this code
23:15
Well, not that moment. Press
23:18
you can just write
23:29
and get rid of all the other junk. That doesn't happen.
23:32
Now, that's obviously a slightly contrived example, because the mistake here was that that program or just did a bunch of stuff you should have done. So we have a slightly more robust file that we're gonna examine now that's gonna give us a better look at the logic and the internal functioning off program. And that one the way we're gonna get into that. First of all this, we're gonna close out this database.
23:52
So get in this sort of Chung what we look at our windows and I don't talk about sort of
23:56
the initial analysis that it's performing. Now what we want to do is actually use Ida on a less contrived still slightly could drive, but a less contrived executed file figure out what's happened. So leave. We can just get. Except here you have a few options for closing idea. You can pack the database, which is giving it a place to be stored.
24:14
It's basically compressing the data mate, so they start more easily
24:18
collect all your garbage. In this case, we're not going to save the database because we've already fixed the young program. This problem, we don't have to worry about him anymore.
24:26
All right, Fantastic. So now we're gonna go ahead. We're gonna reopen idea this time with a new
24:30
hearted.
24:33
So again, we double clicking right column and say OK,
24:36
and we're gonna hit new disassemble a new file
24:40
and we're gonna find that file right in the same place here in the Idol lesson. And that's gonna be the help execute herbal file.
24:47
Now, this one, our young programmers having a very interesting problem. And that problem is that is, menu isn't working correctly
24:53
and we can see that by opening up our shell again never takes forever to open.
24:59
We could see that by opening our shell again.
25:02
Eventually, there we go.
25:03
And going back into
25:07
I didn't get a little bit insistent will go back into that actual project folder
25:14
and we're gonna run this calculator.
25:17
You see here it spits out the menus has entered the function. One is add to a subtract freeze, dried and forth multiply. Okay, well, let's try at. It
25:25
s for the first number. Ask for the second. Any criticism? Some? Okay, that's not a problem. That's try some fractures.
25:33
First number second number spits out. The defense looks great so far. Now let's try Division
25:41
first number, second number, and it spits out something completely wrong. So his error here that he's trying to figure out what's wrong is why his division function is not performing division. Now we conserve logically. Look at this and guess probably what he's implemented incorrectly. But we can also find it like performing rivers, reverse engineering
26:00
by looking at this disassembled code
26:03
and directly convert data No, didn't want to hit whatever, but I just hit
26:07
and we're gonna let Ida finish out its process of analyzing this code you can see here is doing a little bit more work.
26:14
It's constructed our file. Now it's pulled it all apart. This is slightly slightly intimidating looking function. Now it can be kind of tough to see it because there's just so much code being written here. It's kind of difficult to figure out what in the world has happened.
26:30
And so what we could do
26:32
is we can actually look at our graph over you. You look at the whole program, just It's sort of a larger, a more abstract level and just see what this logic is looking like.
26:42
So even though we're not actually looking at any code, we can see that the execution path of this seems to be leading down into the series of tables right here on this series of tables. I actually slightly referenced earlier on in this video when I was talking about the idea of a switch table of the view of case statements
26:59
so we can jump ahead a little bit and go down to see and try and figure out what's happening. The lug there because we know that when he hits Divide, for some reason this young programmers getting not evict, he's getting multiplication.
27:11
So you can see before we before we quite look at those boxes you can see here we have the requests for we have our print statements on her requests. We're getting our variables to work with,
27:22
and we can see that the last thing that we do is a jump. And that's the logic of schooling create that's leading us down all of these different boxes. So
27:30
we have compared to yes, the E X is stored is clearly storing our choice because that's where our menu is happening. So the X has the choice stored in it. And based on that decision, based on whatever stored there is where we're going to jump
27:47
if it is to sow jumped zero gonna follow this green era and see where that evaluates to buy. No clicking it. See that it leads down to this coat and it calls the sub function, so we can pretty safely assume it's cracked, and that will square when we rewrite. When we look back, our code. See that sub is too
28:07
now before that or alternative to that. Rather,
28:11
we have another function that it might be where we have a few other functions that might be
28:15
if it did not value. It is Europe that wasn't a two in our argument. It's going come over here and it's going to say was greater than two. If so,
28:23
go down to this code, if not a disco. Now, in this particular case, we only have four options. So we don't get to see all of this logic in all of its full glory. One of the things that I think is absolutely fascinating that's happening here. Is it under the hood? Even though you didn't even though he didn't write the code to do this necessarily
28:41
these case statements you switch statement got built out into more complex code. That instead of just saying, isn't this number? Yes. No. Is this number? Yes. No, actually makes the code Maura Bishan by first comparing the central number and then going for the larger and smaller in a sort of binary tree fashion.
28:56
So this tree is actually a function is a result
29:00
is a result of the compiler actually giving you more efficient code than you might otherwise have had. So here we compare it to two. Is it greater than two? If Yes, we're gonna look at three if it is three. Fantastic. That's what we know. You were gonna jump zero down this green line. We're going to see what code to execute their
29:18
If it's not, we're gonna goto four.
29:22
If it is not full, then we're gonna go here where we have this. Oh, statement. So for is the last one that we see here. It's the last option that the number entry could have been. Which means that what this box right here is and what we can reference as
29:37
is our people
29:37
are our default case. Rather,
29:44
that's our people up here again. We have our four. So now the next thing we want to do very quickly and try and figure out exactly what's wrong with this guy's code is look back at the auction that we selected, which remember,
29:53
was three we wanted to divide, and instead we got multiplication.
29:57
So we have our compared the X three and we have our jump zero.
30:03
So if it is three ball or green arrow down here all the way down to this box.
30:07
Rich,
30:11
if we look
30:11
doesn't have quite the function call that we might want it to have
30:15
instead, it calls multiply.
30:18
So now we're able to go back to this program and say, Well, kid, the problem with your code is that you mix up your menu where you said Case three is divide. You actually called multiply. And you just have to fix that in your menu and that it's your code
30:33
and we could weaken very by that by cheating a little bit and actually going back and looking at the source Go here in the terminal.
30:44
And of course, we've seen what we suspected to see, which is that even though the menu has did at three,
30:49
our switch down here.
30:52
So let's mole instead.
30:53
So all he has to do to fix this code is swap cases three and four I can actually do that is easily is just by deleting the number three writing a four
31:06
and that will fix this coat.
31:07
So that's pretty much all we're gonna cover on idea here in this Ida one video. It's a little bit longer, a little bit more crunchy than the video that we did on our password crackers. That's totally okay. There's a lot of information about I'd be to be learned. It's an incredibly powerful tool
31:23
in our next video idea, too. Well, in our next item video, which is not gonna be the next video on breaking stuff with Joe,
31:29
we're gonna be talking about the more advanced features we're gonna learn how to build structures. And, Ida, we're gonna learn about some of the item defeats and how to get around. Those were just gonna be able to take some of the knowledge we gain in this video and build it out into a more robust experience and start really messing with code rather than just leave.
31:45
So that's gonna be all there is for today's video. Thank you all for tuning in. I had a great time making it. I really love Ida. I I enjoy graphs. It's kind of a joke in the office that I think in spreadsheets. So either really kind of scratch that itch For me, it can be a little bit dry. It can be a little bit tricky to get used to.
32:02
But once you've got the hang of it, Ida will become one of your best friends and most powerful
32:07
disassembly and reverse engineering schools you could ever hope to use.
32:10
Thank you again for watching Aya's always in your instructor, Joe Perry, and you have been watching breaking stuff with Joe.

How to Use IDA (BSWJ)

The IDA is used throughout the IT and cybersecurity industries by exploit developers, vulnerability analysts, security specialists, software engineers, and more. This IDA tutorial will teach you how to use IDA.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor