WEBVTT

00:02.480 --> 00:03.320
Welcome back.

00:03.360 --> 00:04.160
Typhoon here.

00:04.880 --> 00:12.840
Now that we have successfully imported your binary into Ghidra, it is time to begin the most crucial

00:12.840 --> 00:16.040
part of reverse engineering, which is the analysis here.

00:17.400 --> 00:22.560
In this lecture, we'll explore how Ghidra analyzes binaries, explain what each analysis option does,

00:22.600 --> 00:28.200
and truly break down the code browser interface so you can confidently interpret and manipulate the

00:28.200 --> 00:28.840
results.

00:29.600 --> 00:31.480
We'll click on the Hello world!

00:31.480 --> 00:32.160
At the.

00:32.200 --> 00:42.520
You can see the launching tool, and once you import a binary, Ghidra prompts with the question: Hello

00:42.560 --> 00:45.560
world has not been analyzed, would you like to analyze it now?

00:46.640 --> 00:47.680
Always say yes.

00:48.080 --> 00:50.600
This is where Ghidra begins to shine.

00:52.160 --> 00:57.680
And this analysis process in Ghidra is not just a background task, it's a critical step that automatically

00:57.680 --> 01:01.750
identifies the functions and their calling conventions.

01:02.150 --> 01:06.350
Function parameters and stack variables.

01:06.790 --> 01:08.950
Strings and constants.

01:09.310 --> 01:11.110
Control flow structures.

01:11.230 --> 01:13.990
Cross references between functions and memory locations.

01:14.550 --> 01:18.470
Now with this, the analysis options window appears.

01:18.710 --> 01:26.950
You will see the long list of analysis modules, each one responsible for a specific type of analysis,

01:27.750 --> 01:36.910
such as instruction decoding, data references, symbol references, symbol recovery, and

01:36.910 --> 01:37.790
so on and so forth.

01:38.350 --> 01:43.630
Now you can enable or disable individual analyzers.

01:43.630 --> 01:51.590
As you can see, we have disabled the Function Start Search After Code analyzer, and it also has a description

01:51.590 --> 01:51.990
here.

01:52.030 --> 01:55.910
Now you can click on any analyzer and enable it right now.

01:56.030 --> 02:05.180
So we can click on any analyzer and you see a detailed description in the upper right section of the

02:05.180 --> 02:05.740
dialog.

02:13.300 --> 02:21.300
And yeah, we can also configure the advanced options, such as heuristic behaviors

02:21.300 --> 02:27.860
like the create local variables, create param variables, use new function stack analysis, and so

02:27.860 --> 02:28.780
on and so forth.

02:29.340 --> 02:36.740
So every analyzer has a description and has its own options.

02:38.060 --> 02:43.700
Now if you're just getting started, the default configuration is safe and effective here.

02:43.740 --> 02:45.140
You don't need to change that.

02:46.020 --> 02:52.700
However, understanding these modules allows you to tailor Ghidra's analysis to suit specific binaries.

02:52.740 --> 02:59.340
Now, for example, with stripped symbols in malware or non-standard calling conventions in embedded

02:59.340 --> 03:01.780
firmware, it will definitely help you.

03:02.740 --> 03:07.580
And once satisfied, click Analyze to begin now.

03:07.580 --> 03:10.340
You will now be redirected to the Code Browser interface.

03:10.340 --> 03:13.420
You can see in the loading file loading.

03:13.420 --> 03:19.940
Here it is loading. I can make it smaller right now.

03:22.100 --> 03:25.100
Yeah because I will use the almost whole window here.

03:27.620 --> 03:37.220
Now you may ask, what if I have, like, forgotten something in the analysis and analyzer page?

03:37.580 --> 03:43.700
Now you can rerun it anytime by navigating to Analysis.

03:46.900 --> 03:49.780
Auto Analyze hello world, in this case.

03:51.980 --> 03:55.210
And you can see the same pane just appeared.

03:55.410 --> 03:56.970
So don't worry about that.

04:03.130 --> 04:11.290
And after analysis, you drop into Ghidra's Code Browser, your primary interface for exploring and interacting

04:11.290 --> 04:12.090
with binaries.

04:16.450 --> 04:21.730
Now, at first glance, the interface might seem overwhelming, but every component is there for a reason.

04:22.090 --> 04:26.170
Now let me walk you through each part of the layout here.

04:26.850 --> 04:29.050
Now at first we have the disassembly view.

04:31.010 --> 04:32.170
This is your world.

04:32.730 --> 04:35.770
Now this is your command center for raw machine level insights.

04:36.010 --> 04:42.170
The disassembler shows instruction-level output, letting you follow the program's logic exactly the process

04:42.170 --> 04:43.090
of the textbook.

04:45.850 --> 04:47.250
We also have comments here.

04:52.440 --> 04:59.080
And at the right side we have the decompiler, which is one of the standard features.

04:59.320 --> 05:05.600
Now this window provides high-level, C-like pseudocode generated for the disassembly.

05:06.320 --> 05:09.200
Now you may notice something weird.

05:09.200 --> 05:12.440
Here it is synced with the disassembly window.

05:12.760 --> 05:20.440
So selecting an instruction in one will highlight its counterpart in the other.

05:22.760 --> 05:23.720
This is all good right?

05:25.200 --> 05:29.600
So this view is essential for simplifying complex assembly logic.

05:31.400 --> 05:37.640
At the left side we have the program, symbol and data type manager trees.

05:39.400 --> 05:51.310
Now the program tree: this panel organizes the memory layout of your binary. Sections like .text, .data,

05:52.150 --> 05:54.550
.rodata and others are shown here.

05:55.030 --> 05:58.910
Now use it to quickly jump between code and data segments.

05:59.550 --> 05:59.910
See?

06:01.950 --> 06:02.990
The lines here.

06:12.430 --> 06:14.110
Learn more in the next lecture.

06:16.710 --> 06:18.350
We have the symbols tree as well.

06:18.790 --> 06:21.270
So we have I have back pain here.

06:22.030 --> 06:24.230
So we have the symbols tree here as well.

06:24.990 --> 06:33.150
This is a hierarchical listing of all symbols recognized in the binary, including functions, imports, labels

06:33.150 --> 06:35.110
and namespaces.

06:35.150 --> 06:36.150
Also classes.

06:36.870 --> 06:45.670
It helps you to locate specific code artifacts such as imported application programming interfaces or

06:46.190 --> 06:46.870
globals.

06:47.310 --> 06:47.670
Oh.

06:51.470 --> 06:54.030
This hurts.

06:56.070 --> 06:56.750
Right?

06:57.150 --> 06:57.510
Yes.

06:59.790 --> 07:05.230
That makes sense, considering that our code is just up here.

07:08.030 --> 07:12.270
And we have the Data Type Manager at the bottom of the symbol tree.

07:13.350 --> 07:19.870
Now, the Data Type Manager allows you to manage and define data types like structures, enumeration

07:19.870 --> 07:22.550
types, typedefs and unions.

07:24.230 --> 07:31.350
Now these types can then be applied to memory regions or variables for clearer analysis.

07:32.550 --> 07:37.230
And here this here is our script console.

07:37.230 --> 07:43.630
And this panel here houses a few features.

07:47.580 --> 07:48.740
How those two features.

07:49.380 --> 07:56.260
The first is it acts as a script console, where Python or Java scripts run.

07:56.780 --> 07:57.340
Now what?

07:57.380 --> 07:59.780
Java scripts, not JavaScript.

07:59.820 --> 08:04.660
Here it is a Java and script JavaScript.

08:04.860 --> 08:07.140
It has nothing to do with reverse engineering.

08:09.260 --> 08:09.780
And.

08:11.860 --> 08:21.380
It also has the function of bookmarks, which lets you mark an address with a name or category, which

08:21.380 --> 08:26.460
is perfect for recommending malware behaviors or return points and functions.

08:30.940 --> 08:38.140
And here also I want to get this end so I can explain it better.

08:42.580 --> 08:42.980
Here.

08:54.650 --> 08:55.650
So here.

09:00.010 --> 09:02.650
We have the current address here.

09:08.530 --> 09:08.930
Yeah.

09:09.130 --> 09:18.930
This is our current address field, which displays the address of the currently selected instruction or

09:18.970 --> 09:22.970
byte as it changes in the press.

09:25.210 --> 09:26.610
We also have another.

09:29.050 --> 09:33.490
Yeah this is current function.

09:38.130 --> 09:43.000
You can see it changes every time we go to different functions here.

09:43.640 --> 09:44.840
So go here.

09:47.840 --> 09:49.640
And also here.

09:57.360 --> 10:09.080
And here you are seeing the instruction contents of both here, which shows the complete instruction line

10:10.000 --> 10:17.200
including other mnemonics like qword ptr and some others here.

10:20.200 --> 10:22.840
Band capacitors and references as well.

10:23.120 --> 10:26.320
Basically the instruction context here.

10:26.720 --> 10:34.200
Now this field is context-sensitive and updates dynamically, as others are here as well.

10:36.560 --> 10:39.320
And lastly we have the main toolbar.

10:51.240 --> 11:00.560
Which is basically your classic dropdown menu bar with access to our drop modules, file operations,

11:01.400 --> 11:09.080
edit tools, analysis settings, like so, as understood in the previous lectures.

11:09.360 --> 11:10.080
The beginning.

11:11.880 --> 11:21.600
But it also has a search activities and search for the string school in this case and see how it goes.

11:22.080 --> 11:34.200
But I am sure we have something called Hello World because, as you remember, we have seen it, or we can

11:34.200 --> 11:35.040
also filter it.

11:35.080 --> 11:35.600
Hello!

11:36.520 --> 11:37.400
And here we are.

11:37.720 --> 11:38.990
We found the string.

11:42.150 --> 11:45.510
And yeah, that's basically it.

11:46.430 --> 11:52.030
So we also have the Google toolbar which provides access to those tools.

11:52.510 --> 11:56.710
We have the creation commons and data changes and search.

11:58.230 --> 12:00.630
But we can also search from there.

12:00.990 --> 12:08.510
So what we have now: together, these components form the complete analytical environment.

12:08.790 --> 12:14.270
And the more comfortable you become with navigating and organizing these things, the more efficient

12:14.270 --> 12:16.310
your reverse engineering workflow will be.

12:17.030 --> 12:22.990
Now in the next lecture, we will go beyond the default layout and learn how to customize it

12:23.030 --> 12:29.950
for specific workflows including scripting support, plugin interaction and configuration.

12:29.990 --> 12:30.510
And.

12:32.670 --> 12:34.030
Now thank you for watching.

12:34.070 --> 12:36.590
I'm peaceful and I'm meeting you in the next session.
