1 00:00:00,640 --> 00:00:02,050 Hello and welcome back.
2 00:00:02,530 --> 00:00:05,510 In this video, we are going to talk about several things.
3 00:00:06,040 --> 00:00:09,940 First of all, let's talk about data exploration.
4 00:00:10,810 --> 00:00:21,550 Data exploration is where we will use IDA to convert our data to code, or code to data.
5 00:00:23,070 --> 00:00:31,830 Normally, automatically, IDA knows how to recognise code and distinguish it from data, but sometimes
6 00:00:31,980 --> 00:00:33,100 it may not know.
7 00:00:33,660 --> 00:00:40,680 So there is a way we can intervene and try to create code out of unknown data, or vice versa.
8 00:00:40,920 --> 00:00:48,240 That is, go to linear view, you know, by pressing the spacebar, and scroll to some data section,
9 00:00:49,470 --> 00:00:53,580 just until you see the data section here on the left.
10 00:00:54,420 --> 00:00:54,830 All right.
11 00:00:54,840 --> 00:00:56,790 So now here we are in a data section.
12 00:00:56,790 --> 00:01:04,470 As you can see, for example, this part here, there is some data here, but IDA did not know that this
13 00:01:04,470 --> 00:01:05,520 is actually a string.
14 00:01:06,060 --> 00:01:10,050 So we can tell IDA that we need to convert this to a string.
15 00:01:11,010 --> 00:01:19,610 So to do that, press A, and then IDA will combine all the bytes in the data into a string.
16 00:01:20,190 --> 00:01:26,560 You can also undefine it and go back to the previous state by typing U for undefine.
17 00:01:28,110 --> 00:01:33,540 You can also access it from here and go to Strings.
18 00:01:33,840 --> 00:01:40,920 And in here click on this one, which is actually the shortcut you just used, and then you create a string
19 00:01:41,190 --> 00:01:43,650 out of all these bytes, which were undefined.
20 00:01:44,400 --> 00:01:52,740 And if you want to undefine it back again, you can also press U, or right-click and click on Undefine,
21 00:01:53,190 --> 00:01:56,560 which is also the shortcut U. Any time, you can undefine it again.
22 00:01:57,150 --> 00:02:01,680 So let us define the string now by pressing A and get a string.
23 00:02:02,250 --> 00:02:04,410 Another thing we can do is over here.
24 00:02:04,830 --> 00:02:08,520 We can combine all this into a word,
25 00:02:09,500 --> 00:02:19,780 or dword, or qword. So pressing D gives a byte; so to group these, to tell IDA to group this into
26 00:02:19,790 --> 00:02:24,250 a word (a word is two bytes), you press D, and then
27 00:02:25,950 --> 00:02:30,220 press D again, and now two bytes are being grouped together into a word.
28 00:02:30,540 --> 00:02:39,140 So a word is two bytes. Press D again, and it will then group four bytes together into a dword.
29 00:02:39,810 --> 00:02:48,120 If I press D again, it will group eight into one qword. If I keep on pressing D, it
30 00:02:48,120 --> 00:02:49,880 will then go back to the previous state.
31 00:02:50,310 --> 00:02:54,540 So I now press D one time to get a word, another time
32 00:02:54,600 --> 00:02:55,990 to get a dword,
33 00:02:56,370 --> 00:02:57,090 and another time.
34 00:02:57,360 --> 00:02:57,700 Great.
35 00:02:57,810 --> 00:03:02,190 OK, so this is part of the data exploration at this stage.
36 00:03:02,190 --> 00:03:10,350 You can use, you know, let us try to deliberately undefine something, some instruction, and try to fix
37 00:03:10,350 --> 00:03:10,500 it.
38 00:03:11,520 --> 00:03:14,600 Let us undefine this instruction by pressing U.
39 00:03:15,270 --> 00:03:16,560 And now it is undefined.
40 00:03:16,560 --> 00:03:19,020 As you can see, it goes back to the raw data.
41 00:03:19,230 --> 00:03:25,490 But if you press space and go back to the graph, you see this error here.
42 00:03:26,070 --> 00:03:29,820 So let us try to fix this now. Press space again and go back to linear view.
43 00:03:30,310 --> 00:03:37,500 OK, one way to try to fix it is to select all this part here, which is undefined, up to here, and
44 00:03:37,500 --> 00:03:39,600 press C. C is for code.
45 00:03:40,650 --> 00:03:42,690 Now it is redefined.
46 00:03:43,130 --> 00:03:46,680 Now just go back to graph view and see what happens.
47 00:03:47,330 --> 00:03:51,390 Press space on the keyboard and you see there is still some error here.
48 00:03:51,420 --> 00:03:53,120 So we have not properly fixed it here.
49 00:03:53,400 --> 00:03:54,930 So go back to linear view again.
50 00:03:55,290 --> 00:03:58,710 So in order to fix this, you have to undefine the entire function.
51 00:03:59,130 --> 00:04:00,750 So the function starts here.
52 00:04:01,080 --> 00:04:05,130 So let's undefine everything from here
53 00:04:06,180 --> 00:04:09,620 to here.
54 00:04:11,140 --> 00:04:17,560 So press U to undefine the whole thing, so the whole function is undefined. So in order to fix it,
55 00:04:17,860 --> 00:04:23,300 what we can do is we select the start of this undefined function, and instead of pressing
56 00:04:23,410 --> 00:04:29,130 C, this time you press P. P is for procedure. And now it has fixed it.
57 00:04:29,500 --> 00:04:31,840 Let's go back to graph view.
58 00:04:31,840 --> 00:04:34,820 You press space, and now we have fixed it.
59 00:04:35,350 --> 00:04:36,760 So this is the flexibility of
60 00:04:36,780 --> 00:04:46,630 IDA: you can change any part of data to code or any part of code to data, you can modify the data, and
61 00:04:46,630 --> 00:04:47,110 so on.
62 00:04:47,110 --> 00:04:53,080 There are many things you can do; it is very flexible, and sometimes you might need to do that because sometimes you
63 00:04:53,320 --> 00:05:00,250 might misinterpret the data and mistakenly think it needs to be code, and you might undo it and fix
64 00:05:00,250 --> 00:05:00,400 it.
65 00:05:01,030 --> 00:05:03,390 So this is why you need to know all these skills.
66 00:05:04,120 --> 00:05:06,720 So let's explore the various windows.
67 00:05:06,720 --> 00:05:08,740 So this is called the disassembly window.
68 00:05:09,070 --> 00:05:15,010 You can press space to go to graph view, and if you wanted to open another disassembly window, you can
69 00:05:15,010 --> 00:05:22,380 always go back up here, View, Open subviews, and then you can click anywhere on this, and you want another
70 00:05:22,390 --> 00:05:25,730 disassembly window, and now you have two disassembly windows.
71 00:05:26,230 --> 00:05:32,530 So this would be useful if you need to look at two different parts of the code at the same time, so you
72 00:05:32,530 --> 00:05:34,660 can switch between this and this easily.
73 00:05:35,050 --> 00:05:42,130 You can use the shortcuts for window two or window three, for example, to switch between those two views.
74 00:05:42,460 --> 00:05:42,850 All right.
75 00:05:42,850 --> 00:05:43,960 Now we can close this.
76 00:05:44,260 --> 00:05:46,810 Next thing is the hex view. The hex view
77 00:05:46,810 --> 00:05:49,780 is synchronized with the IDA view.
78 00:05:49,990 --> 00:05:56,500 If you select this instruction, here it is 4 8 8 5 0.
79 00:05:56,500 --> 00:06:04,980 If you go here, you can see 4 8 8 5 0. Next, let's explore the functions window, which is
80 00:06:04,990 --> 00:06:09,820 over here. You can drag this over here, and you can see most of the functions are
81 00:06:11,990 --> 00:06:18,680 already known. For example, those which are not known to IDA look like this:
82 00:06:19,100 --> 00:06:20,720 it has got a prefix in front and
83 00:06:20,720 --> 00:06:22,190 the address at the back.
84 00:06:22,940 --> 00:06:29,960 And once we've analyzed it and got an insight into what they do, we can always rename the
85 00:06:29,960 --> 00:06:32,780 label, as discussed before in the previous video.
86 00:06:34,010 --> 00:06:38,750 And you can sort all these functions based on length, for example, if you click on Length.
87 00:06:39,640 --> 00:06:42,250 Or you can sort based on start.
88 00:06:44,030 --> 00:06:51,200 And the next window you can get is the Strings window. You can get it by going to View, Open subviews,
89 00:06:51,200 --> 00:06:54,290 and select Strings, or here.
90 00:06:55,620 --> 00:06:58,020 In the Strings window, you can see.
91 00:06:59,480 --> 00:07:03,080 And the shortcut for that is Shift+F12.
92 00:07:04,420 --> 00:07:09,700 One thing useful is that you can click any of these strings, and then it takes you to the cross-reference
93 00:07:09,700 --> 00:07:16,180 inside the assembly. Other windows show you the imports and exports.
94 00:07:17,590 --> 00:07:24,770 So the imports contain the list of all the functions which this executable relies on.
95 00:07:25,360 --> 00:07:31,690 So just by looking at the list of imports, we can have a good idea of what this executable is capable
96 00:07:31,690 --> 00:07:32,340 of doing.
97 00:07:32,880 --> 00:07:39,580 We can see the evidence here indicating that this program will be reading something, some input from
98 00:07:39,580 --> 00:07:42,390 the user, and also open.
99 00:07:42,820 --> 00:07:48,280 And there's also printf, which means that it's also going to output something to the user.
100 00:07:48,720 --> 00:07:52,610 So as for exports, this one, this executable, what it exposes to the world.
101 00:07:53,140 --> 00:07:54,970 So this is not a library.
102 00:07:54,970 --> 00:08:02,020 Therefore, there's only one export, namely the entry point, which is start. Another window, which
103 00:08:02,260 --> 00:08:05,860 is quite useful, is Structures. Using structures,
104 00:08:05,880 --> 00:08:14,620 you can impose some kind of data structure on the raw data that we find. Say, in IDA, to insert a new
105 00:08:14,620 --> 00:08:15,250 structure,
106 00:08:15,460 --> 00:08:18,240 we press Insert on the keyboard.
107 00:08:20,760 --> 00:08:27,360 And then give a name for your new structure. Normally we want to call it something meaningful, and click
108 00:08:27,450 --> 00:08:34,320 OK. We would like to call it coordinate, because it is a kind of object. So we can add new members
109 00:08:34,440 --> 00:08:44,520 or fields to the structure by putting our mouse here and then pressing D. Press D twice and you get a word; you
110 00:08:44,520 --> 00:08:52,980 press D again, you get a dword; and then you can press D again, you get a qword. So you can cycle
111 00:08:52,980 --> 00:08:53,310 through.
112 00:08:54,210 --> 00:09:03,000 So now if you create one, the offset is zero, and dd means four bytes.
113 00:09:03,270 --> 00:09:08,820 And if you want to create a second, you just use the down arrow here, or go down here, and repeat the same
114 00:09:08,820 --> 00:09:13,640 thing by pressing D again until you get the dword.
115 00:09:14,160 --> 00:09:22,380 And then let's create one more: press down arrow and press D a few times until you get another dd.
116 00:09:23,310 --> 00:09:30,750 So now if you want to name the first field something meaningful, you can press N, and IDA asks directly,
117 00:09:31,170 --> 00:09:34,560 and rename it X, for example.
118 00:09:37,810 --> 00:09:44,650 And then the second one, you can press N and then give it a name, Y, for example.
119 00:09:48,530 --> 00:09:54,720 For the final one, you can press N and call it Z.
120 00:09:55,580 --> 00:10:06,230 So now you have a struct consisting of three fields, each of size dword, four bytes: X, Y and
121 00:10:06,230 --> 00:10:06,570 Z.
122 00:10:06,830 --> 00:10:14,000 And if you wanted to impose this structure onto any part of your assembly, now, over here, we don't have
123 00:10:14,000 --> 00:10:15,890 any data which is actually a structure.
124 00:10:16,400 --> 00:10:23,240 But if you wanted to, and if you found some offset which looks like a part of a structure, you
125 00:10:23,240 --> 00:10:31,700 can impose the structure onto the data by pressing the shortcut on the keyboard and then selecting the
126 00:10:31,700 --> 00:10:36,410 structure that matches the location which you suspect to be a structure.
127 00:10:37,400 --> 00:10:45,860 OK, now let's talk about how to save. OK, whenever we open a new project, the IDA database, you can save
128 00:10:45,860 --> 00:10:54,170 it by clicking File and then Save database, or the shortcut Ctrl+W. So what happens when you
129 00:10:54,170 --> 00:10:54,560 do that?
130 00:10:55,310 --> 00:11:01,460 Currently, if you go and look at the location here, you will see only small, small little files here.
131 00:11:01,800 --> 00:11:05,930 We can call it the database, but once you save it, this is what happens.
132 00:11:10,760 --> 00:11:18,560 A new file is created, x1.i64. So this is the file you can give to your friends or your
133 00:11:18,830 --> 00:11:25,460 team, and they can open this file and get back the same database and analysis which you have done
134 00:11:25,460 --> 00:11:26,970 on this project.
135 00:11:27,620 --> 00:11:30,930 You don't have to give the rest of these small files to anybody.
136 00:11:30,980 --> 00:11:32,180 This is the only file you need.
137 00:11:33,410 --> 00:11:39,080 IDA also has a way to create snapshots. For example, you can click View here, and then you can
138 00:11:39,080 --> 00:11:45,620 get a snapshot manager, and then you can take a snapshot and give it a name, click OK.
139 00:11:47,410 --> 00:11:54,400 And then you can make some changes, whatsoever, whatever you want, and if you want to revert back,
140 00:11:54,400 --> 00:11:58,220 you can just click on this, any time, to restore to the snapshot.
141 00:11:58,960 --> 00:12:05,460 So each time you take a snapshot, a new database will be created here containing the date and time.
142 00:12:06,040 --> 00:12:10,930 And this is also the file you can give to your teammates or anybody in your project.
143 00:12:11,530 --> 00:12:18,550 The other thing new about this IDA is that you can also undo. For example, here there is the undo
144 00:12:18,550 --> 00:12:23,380 button, undo and redo, Ctrl+Z and Ctrl+Shift+Z.
145 00:12:23,560 --> 00:12:27,330 So if you made some mistake and you want to undo, you can use this now.
146 00:12:27,940 --> 00:12:29,500 So if you want to close this file,
147 00:12:29,510 --> 00:12:30,970 the correct way to do this is
148 00:12:30,970 --> 00:12:32,920 click File, click
149 00:12:33,890 --> 00:12:38,960 Close, and then it asks whether you want to pack. Select Pack, all right.
150 00:12:39,350 --> 00:12:42,740 OK, and once you do that, you notice what happens.
151 00:12:43,100 --> 00:12:47,920 All the other temporary files disappear, leaving only one packed file.
152 00:12:48,320 --> 00:12:53,600 So it is this file which you can give to your teammates or anybody you want to share your analysis with.
153 00:12:54,290 --> 00:13:01,940 So in future, if you want to reopen this project, you just click File, Open, and then from here, select
154 00:13:02,120 --> 00:13:09,230 x1, and IDA will look automatically for this file and read that database file, and you can resume
155 00:13:09,230 --> 00:13:10,670 analysis from where you stopped.
156 00:13:11,090 --> 00:13:17,940 So those are the basic commands and techniques which you need to know for basic IDA usage.
157 00:13:18,620 --> 00:13:19,640 Thank you for watching.