1
00:00:01,500 --> 00:00:02,700
Hello and welcome.

2
00:00:03,150 --> 00:00:07,910
So now we're going to do a reverse engineering on CrackMe 2.

3
00:00:08,450 --> 00:00:14,250
So I've downloaded it and put it in the crackme folder, and let's run it and see what it does.

4
00:00:15,510 --> 00:00:19,550
So it just pops up something that tells you that it's unregistered software.

5
00:00:20,130 --> 00:00:20,970
Please crack me.

6
00:00:21,690 --> 00:00:28,890
So according to the download page where this thing is downloaded from, the instruction

7
00:00:30,080 --> 00:00:37,850
says you are supposed to... this is the download page description: get it registered in your

8
00:00:37,850 --> 00:00:38,150
name.

9
00:00:38,930 --> 00:00:40,750
So let's try to solve this now.

10
00:00:41,840 --> 00:00:44,810
So we just remember that when it runs, it shows this.

11
00:00:46,090 --> 00:00:47,430
So how do you register?

12
00:00:49,720 --> 00:00:57,610
It also says, please crack me, so I think what it wants us to do is to

13
00:00:58,860 --> 00:01:01,800
find a way to make this become registered.

14
00:01:02,760 --> 00:01:12,350
So presumably that will happen when the text changes to registered, sort of the same thing with this one here,

15
00:01:12,630 --> 00:01:13,260
registered.

16
00:01:14,640 --> 00:01:16,050
That is the presumption.

17
00:01:16,980 --> 00:01:18,950
So let's see how this thing works.

18
00:01:18,980 --> 00:01:20,070
You open it up.

19
00:01:20,520 --> 00:01:21,700
So I've already done it.

20
00:01:22,140 --> 00:01:27,330
And when you first open that file in IDA, you will see something like this.

21
00:01:28,350 --> 00:01:29,070
Like this.

22
00:01:30,310 --> 00:01:31,480
From the start here.

23
00:01:32,810 --> 00:01:34,610
But this is not the main entry point.
24
00:01:35,090 --> 00:01:43,500
This is just the start of the program; all these here are just to set up the system for showing people,

25
00:01:44,090 --> 00:01:53,540
and you normally see that here, and then here you find hInstance, and then here you find ExitProcess.

26
00:01:54,520 --> 00:02:01,360
And whenever you see this ExitProcess like this, just before it, as I said, go here, you should have a

27
00:02:01,780 --> 00:02:04,720
call to the main entry point, WinMain.

28
00:02:05,160 --> 00:02:07,400
This is the one, right?

29
00:02:07,520 --> 00:02:10,960
You have a few pushes, and here is WinMain.

30
00:02:11,050 --> 00:02:12,250
So you double-click on this.

31
00:02:13,150 --> 00:02:15,280
And here you are now at the main entry point.

32
00:02:16,690 --> 00:02:27,800
In this section, so the first thing you see is a create-dialog call, which sets up the window to show

33
00:02:27,800 --> 00:02:28,630
a dialog window.

34
00:02:29,260 --> 00:02:32,110
So this is a dialog window like this.

35
00:02:34,870 --> 00:02:43,180
And these are all the parameters, and in here you see something interesting; you find this here.

36
00:02:44,210 --> 00:02:50,400
And then here is the API CreateFile, and these are the parameters that are pushed to this thing

37
00:02:50,420 --> 00:02:57,640
before you call the API, and you can refer to the API on MSDN.

38
00:02:59,210 --> 00:03:04,840
So this CreateFile API, so far, is not just to create a file.

39
00:03:05,030 --> 00:03:08,420
It's also used for opening a file for reading or writing.

40
00:03:09,140 --> 00:03:13,800
So it depends on the second parameter, the desired access.

41
00:03:14,900 --> 00:03:23,300
So here you can see the second parameter, desired access, and it is 8 followed by seven zeros in hex; actually

42
00:03:23,300 --> 00:03:32,110
that's the flag for reading, which means opening a file for reading, and you can refer to the documentation online

43
00:03:32,810 --> 00:03:35,380
or here, the access mask.
44
00:03:36,020 --> 00:03:45,140
So if you set this to a 1 followed by all zeros in binary and convert it to hex, it's 8 followed

45
00:03:45,140 --> 00:03:46,280
by seven zeros.

46
00:03:47,360 --> 00:03:52,730
That is for reading; if it was for writing, then you would get... where the setting is

47
00:03:54,500 --> 00:04:00,420
on this one here, this bit; when it is one, it's open for writing, and this one will be zero.

48
00:04:00,770 --> 00:04:03,230
So when you convert that to hex you'll get

49
00:04:04,440 --> 00:04:06,000
4 followed by seven zeros.

50
00:04:06,330 --> 00:04:13,860
That's how you know whether it is opening for reading or for writing, so in this case it's for reading.

51
00:04:14,550 --> 00:04:20,430
So we know that it is looking for this file, the key file text file, based on this analysis.

52
00:04:21,330 --> 00:04:26,480
So it's pushing this file, pushing this parameter, to open this file for reading.

53
00:04:27,030 --> 00:04:28,960
So now it's opened for reading.

54
00:04:29,280 --> 00:04:33,840
We expect to find a ReadFile function, a ReadFile API call.

55
00:04:34,230 --> 00:04:35,790
When you come down here, you see this.

56
00:04:36,540 --> 00:04:43,400
So over here, the CreateFile API returns the result to EAX over here.

57
00:04:44,040 --> 00:04:48,420
And if it's negative, then you would know that the file is not found.

58
00:04:49,700 --> 00:04:53,790
But if it's not negative, that means the file is found.

59
00:04:54,260 --> 00:04:57,720
So this is the comparison for whether or not it is negative.

60
00:04:57,720 --> 00:05:06,080
It moves the result of the CreateFile API, which is in EAX, to ESI, and then you compare ESI with

61
00:05:06,080 --> 00:05:06,890
negative...

62
00:05:07,220 --> 00:05:08,520
Negative one in this case.

63
00:05:09,260 --> 00:05:14,830
So then here, if it is negative one, then in the comparison

64
00:05:14,930 --> 00:05:18,250
the result of ESI minus negative one will be zero.
65
00:05:18,980 --> 00:05:23,500
Then you would jump, you would jump to this 401 address here.

66
00:05:23,510 --> 00:05:26,960
You take the green arrow, and there would be the failure.

67
00:05:27,200 --> 00:05:28,580
That is the failure path.

68
00:05:29,030 --> 00:05:33,620
So this tells us that we should create the file.

69
00:05:34,460 --> 00:05:34,940
Right.

70
00:05:34,940 --> 00:05:39,340
And then so we can go through the following here.

71
00:05:40,540 --> 00:05:40,990
New.

72
00:05:42,610 --> 00:05:43,330
Text file.

73
00:05:44,960 --> 00:05:52,180
And we call it key file dot txt. Now what should we put inside of it?

74
00:05:53,000 --> 00:05:54,080
So let's analyze this.

75
00:05:54,080 --> 00:05:59,840
After it's opening the file, it is reading the file with the ReadFile API.

76
00:05:59,840 --> 00:06:04,610
You can also refer to the MSDN reference over here.

77
00:06:06,040 --> 00:06:15,780
So ReadFile has got these parameters: the file handle, the buffer; so the buffer is where you store the content

78
00:06:15,790 --> 00:06:17,080
that is read from the file.

79
00:06:18,520 --> 00:06:21,610
So we are interested in the buffer, the second parameter.

80
00:06:23,140 --> 00:06:27,100
So the second parameter is this buffer.

81
00:06:27,730 --> 00:06:35,990
And here I've already renamed this variable as file content; you can just press N on your keyboard and

82
00:06:35,990 --> 00:06:38,730
then rename it to file content so it's easier to read.

83
00:06:39,250 --> 00:06:45,310
And once you rename it, you can easily follow through the rest of the code because it would be renamed

84
00:06:45,550 --> 00:06:46,100
there as well.

85
00:06:47,080 --> 00:06:54,250
So after you open the file, you read the content and save it inside this variable, the file content buffer, and then over

86
00:06:54,250 --> 00:06:57,040
here it is going to SetDlgItemText.

87
00:06:58,300 --> 00:07:00,450
So what does SetDlgItemText do?
88
00:07:00,730 --> 00:07:02,590
What is the meaning of SetDlgItemText?

89
00:07:04,150 --> 00:07:13,150
If we come to the MSDN, SetDlgItemText sets the title or text of a control in a dialog box, so

90
00:07:13,150 --> 00:07:21,940
our suspicion is true; that means it is going to change this text here and also the text here.

91
00:07:22,810 --> 00:07:28,160
So probably it is going to say "Registered to", followed by whatever your name is.

92
00:07:28,600 --> 00:07:36,310
So the name that you specify inside the key file is probably going to be appended to some kind of text

93
00:07:36,670 --> 00:07:37,860
and then shown here.

94
00:07:38,590 --> 00:07:40,290
So it is going to create a new string.

95
00:07:40,300 --> 00:07:43,570
So a new string is going to be created in place of this.

96
00:07:43,960 --> 00:07:44,570
Let's take a look.

97
00:07:45,640 --> 00:07:48,850
So from here, you can see that it is moving

98
00:07:48,850 --> 00:07:50,310
something, "Registered to".

99
00:07:50,710 --> 00:07:55,840
So we suspect that the first part of the string is "Registered to".

100
00:07:57,200 --> 00:07:57,890
Yes.

101
00:07:57,920 --> 00:08:05,000
And then the second part is probably coming from the key file, so we can test the hypothesis:

102
00:08:05,390 --> 00:08:07,970
we can put our name here,

103
00:08:13,630 --> 00:08:20,610
put it in there and save, and then come back here and continue checking.

104
00:08:20,630 --> 00:08:28,030
So if our hypothesis is correct, it is going to create a new string, "Registered to", and insert that, then

105
00:08:28,170 --> 00:08:30,620
SetDlgItemText to this new string.

106
00:08:31,600 --> 00:08:40,420
And here is another function which is unknown, this one here, and my suspicion is that this function

107
00:08:40,930 --> 00:08:45,040
is to take this file content and add it to this.

108
00:08:45,320 --> 00:08:49,810
So this file content string is coming from the content of the file.
109
00:08:50,710 --> 00:08:57,940
So if you supply your name inside the key file, it would take that name and pass it along with the string

110
00:08:58,750 --> 00:09:00,090
to this function.

111
00:09:00,100 --> 00:09:07,580
So this function, my guess, is to create a new string, so we can do it again: renaming, press N and

112
00:09:07,600 --> 00:09:08,230
rename it

113
00:09:12,690 --> 00:09:15,540
create registered

114
00:09:16,790 --> 00:09:26,060
to. So it's going to create a string, "Registered to" so-and-so, right.

115
00:09:26,450 --> 00:09:29,390
So the purpose of this one is creating this.

116
00:09:29,900 --> 00:09:31,670
It will now, over here,

117
00:09:32,840 --> 00:09:41,000
SetDlgItemText to this "Registered to", right, so now we can close this and reopen it again

118
00:09:41,210 --> 00:09:42,390
to see whether we are right.

119
00:09:42,440 --> 00:09:45,560
So now, if we are right, it will read the content of this file.

120
00:09:46,710 --> 00:09:49,200
So let's open it.

121
00:09:52,030 --> 00:10:02,590
And we are right; so it is now changing the content of the dialog title to "Registered to" followed by

122
00:10:02,590 --> 00:10:03,100
the name.

123
00:10:04,330 --> 00:10:06,900
Same thing here.

124
00:10:07,600 --> 00:10:20,140
OK, so this is how we can use static analysis to analyze an executable binary and solve the crackme.

125
00:10:22,300 --> 00:10:29,800
The important thing to take away from this also is to always refer to the MSDN documentation

126
00:10:29,800 --> 00:10:34,650
by Googling for it and understand the parameters to the API.

127
00:10:34,930 --> 00:10:35,830
What do they mean?

128
00:10:36,520 --> 00:10:43,090
And also, don't be scared to rename the labels as I have done here.

129
00:10:44,380 --> 00:10:55,270
And also here, and also here; so the more you do, the easier it is to do your reverse engineering

130
00:10:55,450 --> 00:10:55,940
project.
131
00:10:56,290 --> 00:11:03,310
So the whole idea of reverse engineering static analysis is to relabel, to rename labels, to insert

132
00:11:03,310 --> 00:11:10,040
comments and to convert data to meaningful names, and so on.

133
00:11:10,600 --> 00:11:12,020
So that's all for this lesson.

134
00:11:12,190 --> 00:11:13,240
Thank you for watching.