WEBVTT

00:00.880 --> 00:05.470
After importing files into your project, you can start to reverse engineer them.

00:05.500 --> 00:11.860
This is a cool feature of Ghidra, allowing you to import more than one file into a single project because

00:11.860 --> 00:13.450
you can apply some operations.

00:13.450 --> 00:16.130
For example, search over multiple files.

00:16.150 --> 00:19.340
For example, an executable binary and its dependencies.

00:19.360 --> 00:23.730
In this lecture we will see how to analyze these files using Ghidra.

00:23.740 --> 00:30.130
And here, in order to perform and configure the analysis, you will want to double click on

00:30.160 --> 00:35.530
your project file, or you can just right click and open it in the default window.

00:36.420 --> 00:36.860
Here we are.

00:36.960 --> 00:39.230
We also have several options here.

00:39.240 --> 00:42.770
Rename, delete, cut, copy, new folder, abort program and refresh.

00:42.780 --> 00:46.950
We will further refresh it in case we have any new files in it.

00:46.950 --> 00:49.860
And after that we will just click on Enter.

00:49.860 --> 00:50.580
That's it.

00:50.580 --> 00:54.000
And here you will be asked whether to analyze the file.

00:54.000 --> 01:00.060
And you probably want to answer yes to this because the analysis operation recognizes functions,

01:00.060 --> 01:02.130
parameters, strings and more.

01:02.250 --> 01:06.090
And usually you will want to let the user get this information for you.

01:06.090 --> 01:09.150
And a lot of analysis configuration options do exist.

01:09.150 --> 01:14.460
So you can see the description for every option by clicking on it.

01:14.550 --> 01:21.210
And the description is going to be displayed here, and we also have the options.

01:21.210 --> 01:28.020
And here, in this Apply Data Archives, we have: apply known data type archives based on your program

01:28.020 --> 01:28.530
information.

01:28.530 --> 01:30.120
We have ASCII strings.

01:30.120 --> 01:34.650
This is: the analyzer searches for valid strings and automatically creates them in the binary.

01:34.650 --> 01:40.270
And here we can also use create strings containing existing strings, create strings containing references

01:40.270 --> 01:41.680
and so on.

01:41.920 --> 01:43.090
We also have the stack.

01:43.090 --> 01:50.170
So: create stacks for variable function; Function ID finds known functions by hashing; and so on.

01:50.170 --> 01:55.210
So we will discover all of these analyzers in this course.

01:55.990 --> 02:01.960
And now after that, let's leave the default, because it's almost

02:02.550 --> 02:05.160
everything is checked and enabled.

02:05.370 --> 02:08.370
And now after that, we will click on Analyze.

02:08.550 --> 02:15.330
And here, in order to perform the analysis, you first need to click on Analyze.

02:15.330 --> 02:18.430
And then you will see this code browser window.

02:18.450 --> 02:25.380
And don't worry, if you forget to analyze something, you can re-analyze the program later in order

02:25.380 --> 02:26.280
to do that here.

02:26.460 --> 02:28.380
And let's find the symbol you will click on.

02:28.380 --> 02:28.890
Yes.

02:28.980 --> 02:32.670
In order to do that, let's actually make it and let's.

02:33.310 --> 02:35.080
Increase a little bit.

02:35.080 --> 02:43.240
And here, if you have difficulties seeing things in this window, you can go to Settings

02:43.240 --> 02:45.670
and here, Scale and layout.

02:45.820 --> 02:49.510
You can increase this to 125 and that's it.

02:49.540 --> 02:52.360
We can see more like the.

02:53.480 --> 02:55.730
Font sizes are a little bit bigger and so on.

02:56.030 --> 03:00.110
And here now, we will, as I said, you can.

03:01.090 --> 03:04.030
Select analyze these files later.

03:04.030 --> 03:11.830
If you forgot to check or enable some analyzer, you will need to go to the Analysis tab.

03:11.830 --> 03:16.330
And then here we have auto analyze simple Hello world print.

03:16.570 --> 03:20.860
By clicking on that, you can see the analysis.

03:22.510 --> 03:28.390
dialog again, and you can choose to enable or disable these analyzers.

03:29.040 --> 03:33.210
And now let's explore the Ghidra code browser.

03:33.210 --> 03:41.550
So code browser has by default a pretty well chosen distribution of dock windows as shown here.

03:41.550 --> 03:43.740
So now we will make it again.

03:43.740 --> 03:45.660
100%, the recommended 100%.

03:45.660 --> 03:46.550
And that's it.

03:46.560 --> 03:52.770
So here I will get my pen and draw things on the screen.

03:54.900 --> 03:58.050
We will need a rectangle and a balloon.

04:00.280 --> 04:00.940
Yes.

04:01.120 --> 04:06.220
So here first, we will discuss it here.

04:07.300 --> 04:11.920
So here, as usual by default in reverse engineering frameworks,

04:11.920 --> 04:13.670
this is in the center of the screen.

04:13.690 --> 04:17.050
Ghidra shows a disassembly view of the file.

04:17.880 --> 04:20.310
And after that we have.

04:21.210 --> 04:22.290
This side.

04:24.270 --> 04:31.620
So, as the disassembly level is sometimes too low-level a perspective, Ghidra

04:31.620 --> 04:36.390
incorporates its own decompiler, which is located to the right of the disassembly window.

04:36.420 --> 04:42.420
The main function of the program was recognized by a signature, and then parameters were automatically

04:42.420 --> 04:43.710
generated here.

04:43.800 --> 04:48.090
As you can see here, this is the compiled version of our Hello World

04:49.060 --> 04:52.120
executable file, a C++ program.

04:52.750 --> 04:55.420
And here the main function of the program, as I said.

04:56.900 --> 04:59.600
was recognized by its signature here.

05:00.020 --> 05:03.320
And then parameters were automatically generated here.

05:03.320 --> 05:08.390
And Ghidra allows you to manipulate the compiled code in a lot of aspects.

05:08.390 --> 05:13.400
Of course, a hexadecimal view of the file is also available in the corresponding tab.

05:13.400 --> 05:19.130
So these three windows, the disassembly, the decompiler and the hexadecimal window, are synchronized, offering

05:19.130 --> 05:23.540
a different perspective of the same thing.

05:23.540 --> 05:29.030
And here we also have... let's actually use a different color here and here.

05:29.870 --> 05:39.140
We have this here, we have this program tree. So obviously Ghidra allows you to easily navigate in

05:39.140 --> 05:39.800
the program.

05:39.800 --> 05:46.970
For instance, to go to another program section, you can refer to the program tree window located

05:46.970 --> 05:50.600
in the upper left margin of code browser.

05:50.720 --> 05:55.790
And we also have, under that program tree, the symbol tree.

05:57.930 --> 05:59.760
So this symbol here.

06:00.950 --> 06:07.820
If you prefer to navigate to a symbol, for example a program function here, then go just

06:07.820 --> 06:11.000
below that where the symbol tree pane is located.

06:11.000 --> 06:16.370
And we also have the data type manager here.

06:17.730 --> 06:18.510
So.

06:19.510 --> 06:24.790
If you want to work with the data types, then you can just go below that again.

06:24.790 --> 06:33.160
And here the data type manager is here, and after that we have console scripting here, so if we use a

06:33.160 --> 06:36.700
different color it will be nicer for our lecture.

06:37.060 --> 06:43.630
This is the console scripting, so Ghidra allows scripting reverse engineering tasks.

06:43.630 --> 06:47.860
Script results are shown in this corresponding window at the bottom.

06:47.890 --> 06:52.210
Of course, the bookmarks tab is available in the same position as well.

06:52.450 --> 06:59.560
allowing you to create pretty well documented and organized bookmarks for any memory location for quick

06:59.560 --> 07:00.490
access.

07:00.490 --> 07:06.140
And here after that we have the seventh

07:06.960 --> 07:09.600
thing we're going to discuss here, which is this.

07:10.840 --> 07:16.810
So this one that Ghidra has is a quick access bar.

07:16.960 --> 07:22.450
So Ghidra has also a quick access bar at the top so you can do several options from it, which you will

07:22.450 --> 07:26.620
learn in this course and here at the.

07:28.100 --> 07:29.480
Bottom right.

07:30.500 --> 07:34.370
In order to see that, we will need to close that here.

07:35.730 --> 07:39.540
Let's actually do that here, and here at the bottom right.

07:39.570 --> 07:40.860
We will use the pen.

07:42.200 --> 07:43.040
At the bottom right.

07:43.040 --> 07:45.170
First, what we will want to discuss is

07:46.550 --> 07:47.810
this here.

07:47.810 --> 07:52.160
The first field indicates the current address.

07:52.520 --> 07:53.330
Right.

07:53.390 --> 07:55.160
Current address here.

07:58.690 --> 08:00.250
And here.

08:01.980 --> 08:02.610
Right.

08:03.800 --> 08:07.400
On the current address, we have the.

08:10.200 --> 08:13.020
current function here, in this case.

08:13.020 --> 08:15.640
Here, as you can see, it's the current function.

08:15.660 --> 08:23.370
The main current function, because obviously we don't have any other functions other than main.

08:23.370 --> 08:23.910
Right.

08:24.000 --> 08:29.460
And right after that, we have call something here.

08:29.670 --> 08:35.010
So in addition to the current address and the current function, the current assembly line is shown

08:35.010 --> 08:37.950
to complete the contextual information.

08:38.220 --> 08:41.970
And here, the last thing we're going to

08:43.680 --> 08:46.160
discuss is this top pane.

08:46.480 --> 08:46.980
Right.

08:46.980 --> 08:51.730
So here at the topmost part of the code browser, the main bar is located.

08:51.750 --> 08:57.240
Now that you know the default perspective of Ghidra, it's a good time to learn how to customize it.

08:57.270 --> 09:02.520
Now, let's address this in the next lecture.
