1
00:00:00,180 --> 00:00:02,910
So in this video we are going to learn about the

2
00:00:03,750 --> 00:00:04,860
PE file format.

3
00:00:04,890 --> 00:00:06,990
PE stands for portable executable.

4
00:00:07,410 --> 00:00:12,520
So in our day to day life, we will be using the exe files on the computer.

5
00:00:12,540 --> 00:00:16,110
So we are also using the DLL files.

6
00:00:16,170 --> 00:00:21,780
So obviously the exe files will use the functions from the DLLs for execution.

7
00:00:21,780 --> 00:00:27,540
So these come under the file format that is portable executable.

8
00:00:27,540 --> 00:00:33,350
So the name is given based on the portability.

9
00:00:33,360 --> 00:00:37,380
So if you compile one binary on Windows 7

10
00:00:37,560 --> 00:00:41,910
and if you run that in Windows 8, it will obviously execute.

11
00:00:42,000 --> 00:00:46,680
So that way there is a portability among the Windows systems; it is not cross-platform.

12
00:00:46,680 --> 00:00:49,020
That's where the name portable has been given.

13
00:00:52,370 --> 00:01:00,830
So we are going to see this in the hex editor and also we will be using a PE parser.

14
00:01:01,490 --> 00:01:07,670
There are so many tools that will parse the PE file and read through the contents from that.

15
00:01:09,680 --> 00:01:16,350
So you will be seeing the PE file. First we will be opening the file in the hex editor.

16
00:01:17,820 --> 00:01:18,170
So.

17
00:01:18,250 --> 00:01:20,910
So we'll be using a normal exe file.

18
00:01:22,160 --> 00:01:26,330
And all of these headers are defined in this winnt.h.

19
00:01:26,630 --> 00:01:31,730
So you can download this file from here.

20
00:01:32,480 --> 00:01:36,500
So after downloading that, you can open this in your editor.

21
00:01:36,890 --> 00:01:39,240
And the first one is the DOS

22
00:01:39,290 --> 00:01:42,620
header. The first 64 bytes is the DOS header.

23
00:01:46,470 --> 00:01:49,170
So each row consists of 16 bytes, right?

24
00:01:49,170 --> 00:01:52,740
So you can take the first rows as the DOS header.

25
00:01:53,550 --> 00:01:56,070
So we can also see it in the file format.

26
00:01:57,790 --> 00:02:00,310
IMAGE_, if you go to the IMAGE_DOS_HEADER.

27
00:02:17,860 --> 00:02:20,300
So here you can see the first one is the DOS header.

28
00:02:20,980 --> 00:02:22,810
That is the first 64 bytes.

29
00:02:22,870 --> 00:02:24,400
So this might not be clear.

30
00:02:24,440 --> 00:02:24,740
So.

31
00:02:29,670 --> 00:02:30,030
Okay.

32
00:02:30,810 --> 00:02:31,250
This?

33
00:02:31,260 --> 00:02:32,280
Oh, yeah, this is fine.

34
00:02:34,920 --> 00:02:36,810
The first one is the

35
00:02:39,450 --> 00:02:40,590
DOS header,

36
00:02:41,890 --> 00:02:43,270
for 64 bytes.

37
00:02:44,860 --> 00:02:46,390
You can also search here.

38
00:02:47,820 --> 00:02:49,950
IMAGE_DOS_HEADER.

39
00:02:52,060 --> 00:02:54,940
You are going to see the members of this

40
00:02:57,130 --> 00:03:01,090
DOS header. We will not be covering all of these members.

41
00:03:01,180 --> 00:03:03,940
Only the important ones we will cover.

42
00:03:04,150 --> 00:03:10,000
The first one is the e_magic, the magic number for the file.

43
00:03:10,240 --> 00:03:14,500
And we will be also seeing another magic number in the NT headers.

44
00:03:14,620 --> 00:03:17,890
So we'll be discussing that in the upcoming videos.

45
00:03:18,340 --> 00:03:21,520
So for now, yes, this one is the magic number.

46
00:03:21,640 --> 00:03:26,860
So the WORD is two bytes and the DWORD is a double

47
00:03:26,870 --> 00:03:29,380
word, that means it is four bytes.

48
00:03:30,310 --> 00:03:33,540
So the magic is 5A4D.

49
00:03:33,550 --> 00:03:35,710
So these are in byte order.

50
00:03:37,920 --> 00:03:41,490
So the magic number will be 5A4D.

51
00:03:45,190 --> 00:03:50,130
And if you just identify it, you can see in the ASCII text, MZ there.

52
00:03:50,140 --> 00:03:52,870
So this can be, this is the magic number for that.

53
00:03:53,260 --> 00:03:55,110
The magic number for the PE file.

54
00:04:05,220 --> 00:04:08,800
So the next field we will be discussing is the e_lfanew.

55
00:04:09,240 --> 00:04:10,560
So this can be,

56
00:04:10,560 --> 00:04:12,690
this is the pointer to the PE header.

57
00:04:29,790 --> 00:04:31,890
So here you can see there is a DOS stub.

58
00:04:33,390 --> 00:04:35,340
This is the DOS stub here.

59
00:04:35,370 --> 00:04:39,230
You can see this from 0200.

60
00:04:39,510 --> 00:04:46,040
So what this does is whenever you run this PE file in DOS mode, this string is printed on the

61
00:04:46,050 --> 00:04:46,470
console:

62
00:04:46,500 --> 00:04:49,140
This program cannot be run in DOS mode.

63
00:04:49,530 --> 00:04:52,810
It should be run only in Microsoft Windows.

64
00:04:53,520 --> 00:04:55,530
So that is the purpose of this DOS stub.

65
00:04:56,490 --> 00:05:01,350
So whenever Windows runs this, the e_lfanew is the pointer to the PE header.

66
00:05:02,160 --> 00:05:09,330
So this last member will point to the PE header, and here you can see the value is

67
00:05:13,100 --> 00:05:16,490
reversed, four bytes, because it's a DWORD.

68
00:05:17,030 --> 00:05:20,420
And if you reverse from right to left, you'll be getting,

69
00:05:28,240 --> 00:05:33,250
you will be getting 0x00000080.

70
00:05:33,850 --> 00:05:39,250
So if you go to this address, and here you can see on the left hand side this is the address, and we

71
00:05:39,250 --> 00:05:51,490
have the starting address, and the contents are the first, uh, DWORD, which is the PE, which defines this

72
00:05:51,490 --> 00:05:52,890
is the PE.

73
00:05:56,220 --> 00:06:01,610
In some cases the program is compiled under the Microsoft linker.

74
00:06:01,890 --> 00:06:06,480
Then there would be some garbage in between this DOS stub and the PE header.

75
00:06:06,750 --> 00:06:10,560
So that garbage really has some XOR key.

76
00:06:10,590 --> 00:06:14,060
So you need to XOR that data with the key to get some fields.

77
00:06:14,070 --> 00:06:22,980
After that, you'll be getting the information on what system it has been compiled and what are the versions

78
00:06:22,980 --> 00:06:24,900
of the linker, etc.

79
00:06:26,270 --> 00:06:34,330
So in our file we don't have that; we have only the DOS header, the DOS stub and the PE header.

80
00:06:36,530 --> 00:06:40,040
So the first member is the Signature.

81
00:06:41,190 --> 00:06:45,010
And the second member is the FileHeader, and there is a third member too.

82
00:06:45,510 --> 00:06:51,570
So you can search for this IMAGE_, IMAGE underscore.

83
00:07:16,350 --> 00:07:17,850
IMAGE_NT_HEADERS.

84
00:07:18,960 --> 00:07:20,070
So if you go up.

85
00:07:46,130 --> 00:07:46,760
So this.

86
00:07:47,240 --> 00:07:48,010
Sorry, this is

87
00:07:48,020 --> 00:07:48,830
the NT headers.

88
00:07:49,410 --> 00:07:52,400
Uh, I'm searching for another name for that.

89
00:07:52,580 --> 00:07:53,780
So IMAGE_NT_HEADERS.

90
00:07:53,790 --> 00:07:54,110
Here's.

91
00:07:55,970 --> 00:08:02,450
This is the header, and the first member is the DWORD and this is the Signature.

92
00:08:02,840 --> 00:08:05,390
So the first four bytes include the signature.

93
00:08:05,420 --> 00:08:10,130
So the first four bytes are 00004550.

94
00:08:11,090 --> 00:08:17,690
So this constitutes the ASCII text PE, which defines the PE file.

95
00:08:20,720 --> 00:08:24,430
And the next one is the structure IMAGE_FILE_HEADER.

96
00:08:26,030 --> 00:08:27,860
So if I go and search for this.

97
00:08:31,220 --> 00:08:36,590
And here we can see the structure, so we can estimate the size.

98
00:08:37,990 --> 00:08:44,180
Two bytes, four bytes, ... 16, 18, 20.

99
00:08:44,600 --> 00:08:49,070
So the file header occupies 20 bytes.

100
00:08:51,040 --> 00:08:53,260
So 20 bytes from here.

101
00:08:57,120 --> 00:08:59,340
So these are the 20 bytes.

102
00:09:02,810 --> 00:09:07,530
And here you can see up to here these bytes contribute to the file header.

103
00:09:08,180 --> 00:09:10,080
So the first one is the Machine.

104
00:09:10,100 --> 00:09:11,300
So this indicates

105
00:09:13,280 --> 00:09:16,640
for which CPU type this has been compiled.

106
00:09:21,530 --> 00:09:23,150
So I search for machine.

107
00:09:26,160 --> 00:09:34,740
I'll go to these machine types, and you can see the various machine types and their values.

108
00:09:35,100 --> 00:09:41,660
Here we have, uh, the machine as 014c.

109
00:09:44,100 --> 00:09:45,190
014c.

110
00:09:46,640 --> 00:09:50,240
Now I'm going to copy this one and search this 014c.

111
00:09:56,340 --> 00:09:56,640
Okay.

112
00:09:56,670 --> 00:09:57,600
So we got this.

113
00:09:57,870 --> 00:10:01,850
So IMAGE_FILE_MACHINE_I386, Intel 386.

114
00:10:01,860 --> 00:10:05,760
So this is compiled as a 32-bit,

115
00:10:05,970 --> 00:10:06,420
uh,

116
00:10:07,970 --> 00:10:08,560
x86.

117
00:10:09,710 --> 00:10:18,770
That is the Machine, and the number of sections. You can see the NumberOfSections is defined

118
00:10:18,770 --> 00:10:19,190
here.

119
00:10:20,400 --> 00:10:20,760
This.

120
00:10:23,100 --> 00:10:26,250
You can tell the number of sections from this field.

121
00:10:26,310 --> 00:10:29,160
That is the WORD, which is 0003.

122
00:10:31,790 --> 00:10:34,780
So that is the NumberOfSections, 0003.

123
00:10:38,760 --> 00:10:39,980
So there are three sections.

124
00:10:39,990 --> 00:10:47,280
We'll be discussing those sections in the upcoming videos, and then next we have the TimeDateStamp.

125
00:10:50,310 --> 00:10:51,410
The next member.

126
00:10:55,660 --> 00:10:57,560
So this is a Unix epoch.

127
00:10:57,970 --> 00:10:59,920
You need to convert that into

128
00:11:03,280 --> 00:11:05,470
actual human readable format.

129
00:11:06,960 --> 00:11:11,190
So we have the timestamp 6440780.

130
00:11:11,550 --> 00:11:19,260
So for this binary, I'm getting the wrong value when I convert it.

131
00:11:27,210 --> 00:11:32,040
So convert this, copy this one, Unix epoch timestamp.

132
00:11:32,700 --> 00:11:38,000
Go to this website and paste here and convert it here.

133
00:11:38,010 --> 00:11:40,560
You can see the year 2066.

134
00:11:40,590 --> 00:11:41,000
Okay.

135
00:11:41,010 --> 00:11:41,400
So.

136
00:11:44,300 --> 00:11:51,920
I don't know why this was compiled like this.

137
00:11:53,910 --> 00:11:56,910
Maybe it has put some wrong information there.

138
00:11:57,840 --> 00:11:59,430
So anyway, that is the timestamp.

139
00:11:59,610 --> 00:12:04,230
So we can obviously view another file here.

140
00:12:04,260 --> 00:12:09,090
Simply you can open this in the hex editor and see the timestamp values.

141
00:12:11,480 --> 00:12:15,150
So next we will be having the PointerToSymbolTable, NumberOfSymbols, etc.

142
00:12:15,170 --> 00:12:19,490
So any debugging information, and the

143
00:12:20,600 --> 00:12:21,780
SizeOfOptionalHeader.

144
00:12:21,890 --> 00:12:28,730
So this is important here because the optional header, the, uh, the size is dynamic.

145
00:12:29,030 --> 00:12:30,950
So generally it will be 224, right?

146
00:12:31,400 --> 00:12:32,310
It can vary.

147
00:12:32,330 --> 00:12:38,450
So that's why the size of this optional header is defined in this file header, not in a single place.

148
00:12:39,080 --> 00:12:41,790
So this is the penultimate WORD.

149
00:12:42,080 --> 00:12:47,870
So this, you can see this one, these two bytes, E0 00.

150
00:12:47,900 --> 00:12:53,570
So that is SizeOfOptionalHeader is 00E0.

151
00:12:57,320 --> 00:12:58,910
So that is 224 bytes.

152
00:13:01,280 --> 00:13:03,140
And the last one is Characteristics.

153
00:13:03,140 --> 00:13:06,000
It will define the file characteristics, whether it's, uh,

154
00:13:06,470 --> 00:13:06,840
uh,

155
00:13:07,340 --> 00:13:08,440
the variable,

156
00:13:08,900 --> 00:13:09,270
uh.

157
00:13:10,590 --> 00:13:17,700
You can see the characteristics of whether it's an executable image or it has the debugging symbols

158
00:13:17,700 --> 00:13:18,990
stripped, etc.

159
00:13:19,710 --> 00:13:21,540
So let's see what our value has.

160
00:13:21,960 --> 00:13:25,440
We have the WORD, that is this one and this one, two bytes.

161
00:13:26,670 --> 00:13:29,580
So that is 0022.

162
00:13:31,040 --> 00:13:33,560
So we can search for this 22.

163
00:13:35,000 --> 00:13:38,450
To see the flags, the flag values, you need to add them.

164
00:13:39,410 --> 00:13:41,040
So 20.

165
00:13:41,120 --> 00:13:45,470
So we have IMAGE_FILE_LARGE_ADDRESS_AWARE, and add this.

166
00:13:46,190 --> 00:13:48,320
So IMAGE_FILE_EXECUTABLE_IMAGE.

167
00:13:48,860 --> 00:13:56,800
So our application can handle large addresses, and also it is an executable because it's a.

168
00:14:00,340 --> 00:14:03,670
So these are the headers we have covered in this video.

169
00:14:03,670 --> 00:14:07,780
First one is the DOS header, the first 64 bytes.

170
00:14:11,110 --> 00:14:13,090
And the next one is the following.

171
00:14:13,210 --> 00:14:14,740
Uh, DOS stub.

172
00:14:15,310 --> 00:14:17,090
And the next one is a signature, PE

173
00:14:17,090 --> 00:14:17,710
signature.

174
00:14:17,950 --> 00:14:19,750
And the next one is the file header,

175
00:14:22,570 --> 00:14:27,220
which contains the Machine, NumberOfSections, TimeDateStamp, SizeOfOptionalHeader and Characteristics.

176
00:14:29,380 --> 00:14:32,050
So let's go and load this in the PE parser,

177
00:14:32,660 --> 00:14:33,250
PE-bear.

178
00:14:42,880 --> 00:14:43,120
Here.

179
00:14:43,120 --> 00:14:45,070
You can see it whenever you load this.

180
00:14:45,070 --> 00:14:49,660
Here you have the nice tree structure, the center.

181
00:14:49,660 --> 00:14:57,070
If you go and click on this, it will take me to the first bytes 4D 5A that we have seen in the hex editor.

182
00:14:57,520 --> 00:14:59,590
And here you have the general information.

183
00:14:59,980 --> 00:15:01,930
It also has this disassembly.

184
00:15:04,210 --> 00:15:05,230
And the DOS header.

185
00:15:05,680 --> 00:15:08,200
You can see all of the members and their values.

186
00:15:08,500 --> 00:15:11,870
So this PE-bear will take these.

187
00:15:12,640 --> 00:15:16,510
According to the struct, the magic number is a WORD.

188
00:15:16,510 --> 00:15:18,280
So it will go and parse the content.

189
00:15:18,730 --> 00:15:24,490
You can see this has already reversed the bytes back to normal.

190
00:15:26,710 --> 00:15:27,670
5A4D.

191
00:15:29,000 --> 00:15:32,070
And here you can see the file address of the new exe header, e_lfanew, here.

192
00:15:32,390 --> 00:15:36,260
So for going through this, I'll be taken to this address,

193
00:15:36,710 --> 00:15:38,690
which is the PE header.

194
00:15:39,350 --> 00:15:44,300
So if I go and click on this, you can see the first address and the PE.

195
00:15:49,020 --> 00:15:50,650
We can also click on this offset.

196
00:15:51,240 --> 00:15:51,450
Right

197
00:15:51,450 --> 00:15:52,050
click on this.

198
00:15:52,290 --> 00:15:53,760
You need to make sure to follow.

199
00:15:56,940 --> 00:16:00,980
And in the file header, we have the Machine.

200
00:16:00,990 --> 00:16:06,930
So this application also decodes the value 014c.

201
00:16:07,200 --> 00:16:14,460
So it will see this lookup table and convert this into a meaningful format.

202
00:16:15,090 --> 00:16:20,790
And there are three sections, and the timestamp it also converted to 2066.

203
00:16:20,790 --> 00:16:25,710
And so the SizeOfOptionalHeader and Characteristics 22.

204
00:16:26,220 --> 00:16:29,090
So the two is used for executable image and the application can handle large addresses.

205
00:16:32,730 --> 00:16:39,730
So again, so far, this video has covered the DOS header, the DOS stub, the signature and the file header.