WEBVTT

00:00.440 --> 00:01.080
Now.

00:01.400 --> 00:02.640
Welcome back everyone.

00:03.600 --> 00:04.640
Typhoon here again.

00:05.560 --> 00:11.920
Now in this lecture we will explore how you can personalize and expand Ghidra's interface to suit your

00:11.960 --> 00:17.120
workflow as well as uncover some of the more powerful, but sometimes hidden features that Ghidra

00:17.160 --> 00:17.680
offers.

00:18.400 --> 00:24.200
By the end of this lecture, you will be able to unlock parts of the tool that many users overlook or

00:24.240 --> 00:28.520
don't know, setting you apart as a more efficient and capable reverse engineer.

00:29.520 --> 00:35.640
Now, Ghidra's layout is well organized as you've seen in the previous lecture, but it doesn't have to stay

00:35.640 --> 00:36.080
that way.

00:36.920 --> 00:40.640
You can fully customize the interface to match your preferences.

00:40.680 --> 00:42.240
Now let's start with the basics here.

00:43.000 --> 00:48.160
Now if you go to window and choose your desired pane.

00:49.000 --> 00:55.640
Now this menu basically allows you to toggle visibility for different windows such as for example,

00:55.680 --> 01:00.680
function call graph or Decompilation graph or console.

01:02.110 --> 01:04.910
Now your workspace is your design basically.

01:04.910 --> 01:11.910
So if you click on console and it will sometimes like shake it a little bit and tell that the console

01:11.910 --> 01:12.830
is already here.

01:12.830 --> 01:16.110
But if you close this now you can say console is gone.

01:16.110 --> 01:20.950
Now click on Window, Console.

01:20.950 --> 01:22.630
And here we have the console here.

01:22.630 --> 01:24.470
That's as easy as it gets.

01:25.910 --> 01:31.830
Now this menu also allows like um we can see the PC code.

01:31.830 --> 01:37.750
We were like the register view and so on and so forth.

01:37.950 --> 01:42.430
So let's actually open the register manager.

01:45.150 --> 01:45.590
Yeah.

01:46.950 --> 01:50.470
Now Ghidra also lets you tweak the disassembly listing itself.

01:50.470 --> 01:56.550
Now look to the upper right of the disassembly window.

01:56.590 --> 02:03.140
You will find this small icon that opens the disassembly layout editor.

02:04.060 --> 02:13.180
And if you look at this, the you will you can see here that you can add or remove fields like this

02:13.340 --> 02:14.180
address.

02:14.220 --> 02:20.260
If you want to add this address here or opcode settings, you can move it like that.

02:22.780 --> 02:29.020
Or like we can also choose the operands to make it more on the left side of the bytes.

02:32.100 --> 02:34.500
Yeah, but this is best.

02:34.540 --> 02:35.460
The default is best.

02:35.460 --> 02:37.380
Always uh, is best.

02:37.380 --> 02:38.660
But it's good to know.

02:40.060 --> 02:47.100
And this, uh, feature is, uh, particularly useful for users who want a streamlined view when analyzing

02:47.140 --> 02:50.700
deeply nested or repetitive assembly logic.

02:51.780 --> 02:54.180
And as you can see here, that's it.

02:55.900 --> 02:58.180
And we also have the PC code here.

02:58.980 --> 03:06.570
So, uh, one of the most powerful internal tools is its use of intermediate representation, known

03:06.570 --> 03:07.970
as p code.

03:08.570 --> 03:12.170
Some call it p c code, but it's not a PC code, it's a p code.

03:13.090 --> 03:19.130
Now this allows Ghidra to abstract away architecture specific syntax and analyze binaries in a normalized

03:19.130 --> 03:19.770
format.

03:20.370 --> 03:26.810
Now, to enable p code or PC code in the disassembly view, open the layout configuration again.

03:27.450 --> 03:28.930
Let's actually close it.

03:30.170 --> 03:32.130
Open the layout configuration again.

03:33.610 --> 03:34.690
And here.

03:43.210 --> 03:43.570
Oops.

03:43.570 --> 03:43.890
Yeah.

03:44.250 --> 03:44.730
Here.

03:46.450 --> 03:50.450
Functions plate adds to the brick.

03:53.210 --> 03:55.090
Now we can instruction and data.

03:56.770 --> 04:04.000
And here in the P code we will let's make it the left side of this file.

04:09.840 --> 04:10.880
And here we are.

04:19.640 --> 04:27.640
Now, P code isn't the most human readable format I can say that, uh, but it is ideal for scripting

04:27.640 --> 04:33.000
and tool development, especially when creating platform independent, uh, logic.

04:34.320 --> 04:40.040
And we also have the graph view, uh, which is basically.

04:42.560 --> 04:48.360
Like uh supports control flow visualization through its graph view.

04:48.440 --> 04:55.520
So this feature helps you see how code branches like loops and interacts at the function level.

04:55.680 --> 05:05.550
Now to enable it navigate to the function here and click the graph icon here.

05:07.270 --> 05:10.990
Now you can see its location is not defined right now, but.

05:14.710 --> 05:18.790
Let's make it P squad button here.

05:21.110 --> 05:21.870
Close it.

05:24.950 --> 05:25.990
Make it smaller.

05:31.750 --> 05:35.230
For the data part and graph.

05:38.190 --> 05:40.110
Yeah it's undefined now.

05:40.910 --> 05:43.110
So here we have found the string.

05:43.110 --> 05:44.510
It is also undefined.

06:03.310 --> 06:06.620
And here we have the graph basically.

06:07.180 --> 06:14.580
Now this here opens visual node graph where you can follow paths and call relationships.

06:14.980 --> 06:21.980
Now it's particularly helpful for malware analysis, obfuscated code, or just understanding complex logic

06:21.980 --> 06:22.380
here.

06:23.300 --> 06:25.220
Now you can see it's a callback.

06:26.780 --> 06:32.940
And this will be useful in our next lectures as well.

06:32.940 --> 06:34.300
So we will use it a lot.

06:36.940 --> 06:40.780
And we have a world of features which you haven't touched yet.

06:41.140 --> 06:45.660
So what we have shown here is only a portion of what Ghidra can do basically.

06:45.940 --> 06:49.780
In fact, we have barely scratched the surface of Ghidra here.

06:50.140 --> 06:55.140
So it has plugin support, version tracking, collaborative projects.

06:55.140 --> 06:58.500
It also has an API for scripting in Java and Python.

06:59.220 --> 07:05.970
So these advanced tools will be introduced aggressively as we explore particular use cases like we can't

07:05.970 --> 07:08.050
do much with the Hello world application.

07:08.050 --> 07:09.050
It has no sense, right?

07:09.090 --> 07:13.970
It just gets the variable source in this printf and just prints it.

07:16.210 --> 07:23.490
There's not much we can do about this, but this code will help us to understand how Ghidra works

07:23.490 --> 07:23.970
better.

07:23.970 --> 07:31.010
But in the next lectures we will use it with real world examples on the malware analysis or general

07:31.010 --> 07:32.410
reverse engineering codes.

07:33.370 --> 07:40.850
Now in this lecture you haven't learned much compared to the first two lectures of our course.

07:41.850 --> 07:52.450
Um, but um, you see that you saw that Ghidra is customizable, customized, customizable, uh, which

07:53.170 --> 07:55.490
will be useful in particular cases.

07:57.890 --> 08:02.170
You also learned how to modify the disassembly listing and enable the p code.

08:03.090 --> 08:08.120
And, uh, we used this graph here you can see.

08:10.560 --> 08:14.440
And here you can see we have a lot of graph.

08:14.720 --> 08:19.360
So if we make it now you can see it's a divot.

08:19.520 --> 08:23.920
Basically print gets this hello world print.

08:23.920 --> 08:24.120
And.

08:26.600 --> 08:30.120
Here it's a signal call.

08:31.640 --> 08:32.120
Yeah.

08:33.480 --> 08:39.920
Now these features are the building blocks of your personalized, uh, Ghidra workflow.

08:40.120 --> 08:45.080
Mastering them will allow you to reverse engineer with more speed, precision, and insights.

08:45.840 --> 08:46.040
Now.

08:46.040 --> 08:47.160
Thank you for watching.

08:48.160 --> 08:51.200
In the next lecture, we will dive into the Ghidra scripting.

08:51.320 --> 08:57.480
How to automate tedious tasks, build your own tools, and level up your reverse engineering game with

08:57.520 --> 09:02.040
Python or JavaScript, not JavaScript.

09:02.040 --> 09:04.120
Again, Java based scripts.
