WEBVTT

00:01.370 --> 00:02.600
Hello, my name is Stephan.

00:02.600 --> 00:10.610
And in this section we will learn how to reverse engineer malware and disassemble it using IDA.

00:10.880 --> 00:16.610
And code analysis is often used to understand the inner workings of a malicious binary when the source

00:16.610 --> 00:18.290
code is unavailable.

00:18.380 --> 00:23.150
In the previous lecture you learned Ghidra and you learned the code analysis skills and techniques

00:23.150 --> 00:27.500
to interpret assembly code and to understand the program's functionality.

00:27.710 --> 00:33.190
And the programs that we used were simple C programs, but we are dealing with malware.

00:33.200 --> 00:39.530
It can contain thousands of lines of code and hundreds of functions, making it difficult to keep

00:39.560 --> 00:42.350
track of all of the variables and functions.

00:42.500 --> 00:49.700
Code analysis tools offer very, very strict features to simplify the code analysis, and this section

00:49.700 --> 00:58.520
will introduce one such code analysis tool named IDA Pro, also known as IDA, and you will learn

00:58.520 --> 01:03.540
how to leverage the features of IDA Pro to enhance your assembly.

01:03.630 --> 01:10.590
Before we delve into the features of IDA, let's go over different code analysis tools.

01:10.710 --> 01:15.840
Firstly, we have the disassembler here, so.

01:20.670 --> 01:21.720
Disassembler.

01:28.260 --> 01:28.800
Tumblr.

01:28.800 --> 01:39.420
So a disassembler is a program that translates machine code back to assembly code, and here.

01:40.090 --> 01:41.560
Let's actually close it down.

01:47.370 --> 01:53.070
So we also have a debugger, that is a program which also disassembles the code.

01:53.100 --> 01:58.200
Apart from that, it allows you to compile the binary in a controlled manner.

01:58.230 --> 02:04.590
Using debuggers, you can execute a single instruction or selected functions instead of

02:05.550 --> 02:13.410
the whole program. A debugger allows you to perform dynamic code analysis and helps you combine the aspects of

02:13.410 --> 02:17.110
the suspect binary while it is running. A decompiler is

02:17.130 --> 02:23.970
a program that translates machine code into code in a high level language, also known as pseudo

02:24.000 --> 02:30.660
code, and decompilers can greatly assist you with the reverse engineering process and can simplify

02:30.690 --> 02:31.920
your work.

02:32.040 --> 02:37.080
And now let's do static code analysis using IDA.

02:37.800 --> 02:39.720
The IDA here.

02:39.720 --> 02:41.310
So Hex-Rays.

02:41.400 --> 02:47.300
IDA Pro is the most powerful and popular commercial disassembler or debugger.

02:47.310 --> 02:50.970
And here we can download it from their official website.

02:50.970 --> 02:52.920
Here it also has two versions.

02:53.130 --> 02:57.240
One is the paid version and another is the

02:58.500 --> 02:59.210
free version.

02:59.960 --> 03:01.340
And here.

03:02.780 --> 03:04.820
And as you can see, we have the.

03:06.800 --> 03:08.900
Write Hex-Rays here.

03:09.890 --> 03:10.490
Rays.

03:10.490 --> 03:21.020
And after that, um, we will see something like hex-rays.com and we will download, um, we will

03:21.020 --> 03:24.320
download that program here right now.

03:29.660 --> 03:32.750
And here we are waiting for the response here.

03:45.730 --> 03:50.470
And here, uh, we will click on the first result here.

03:50.470 --> 03:55.000
And as you can see, we have the versions in this lecture.

03:55.000 --> 04:02.770
We have the IDA version 8.3, and we will go to products here.

04:02.770 --> 04:08.500
And as you can see here, we have several, uh, downloads and products here.

04:08.500 --> 04:14.440
So we have IDA Free, a binary code analysis tool to evaluate IDA's basic functionalities.

04:14.440 --> 04:22.180
We have IDA Home, the affordable tool for reverse engineering hobbyists, and IDA Pro, the

04:22.180 --> 04:29.140
state of the art binary code analysis tool, as they say, and IDA Teams, the collaborative reverse engineering

04:29.170 --> 04:29.410
tool.

04:29.530 --> 04:32.410
And we will use the free version for now.

04:33.570 --> 04:40.470
Uh, because, um, some of the students don't want to spend money, I don't want to either, because there are

04:40.470 --> 04:42.690
free and open source alternatives.

04:42.690 --> 04:45.690
But this is a pretty popular tool.

04:45.690 --> 04:51.060
So I wanted to include this in the section here.

04:51.060 --> 04:57.690
And as you can see here, what's included in the pack, so we can analyze both 32 bit and 64 bit applications.

04:57.690 --> 05:04.410
We have the cloud-based decompiler, and we can save analysis results, and a perpetual

05:04.410 --> 05:05.190
license.

05:05.190 --> 05:11.820
And as you can see here, for minimum system requirements, we need either Windows, Linux or macOS.

05:11.820 --> 05:19.760
And here, uh, we can download IDA for the Mac and Mac ARM.

05:19.770 --> 05:25.590
And in this case, since we are using Windows, we will download the Windows one here, we will click

05:25.590 --> 05:31.980
on the first option, and also we have the SHA-256 checksums here.

05:31.980 --> 05:34.390
So you can check the

05:35.600 --> 05:43.280
checksums to make sure that the program is correctly downloaded without any manipulation by

05:44.280 --> 05:50.220
the attackers here, and here, as you can see here now,

05:51.110 --> 05:54.750
uh, IDA Free is downloading.

06:01.830 --> 06:09.960
And also in this section and later sections, we will look at various features of IDA Pro and you will

06:09.960 --> 06:15.150
learn how to use IDA to perform static code analysis, also called disassembling.

06:15.150 --> 06:21.030
And it's not possible to cover all the features of IDA, only those features that are relevant to malware

06:21.030 --> 06:23.490
analysis and reverse engineering mainly.

06:24.430 --> 06:31.090
And if you are interested in gaining a deeper understanding of IDA Pro, it is recommended to

06:31.090 --> 06:36.220
play with it and analyze more files to gain experience.

06:36.220 --> 06:40.300
And if you are using the, you can also download the demo version.

06:40.300 --> 06:43.270
Um, but you need to write the mail.

06:43.270 --> 06:46.570
So they will do the demo version here.

06:46.570 --> 06:53.680
And uh, using these versions you will be able to try out almost all the features, um, covered in

06:53.680 --> 06:55.450
this uh, course here.

06:55.450 --> 07:01.690
So if you wish to look at, uh, an alternative tool for debugging 32 bit and 64 bit binaries,

07:01.720 --> 07:08.380
you can use x64dbg or x32dbg here, as you can see here.

07:08.380 --> 07:09.910
And you can also use them.

07:10.810 --> 07:18.070
You know, Ghidra with several plugins, which is covered in this section, and with an understanding

07:18.070 --> 07:20.440
of different versions of IDA.

07:21.220 --> 07:27.790
Now, after downloading it, we will explore its features and you will understand how it can speed up

07:27.790 --> 07:32.260
your reverse engineering and malware analysis tasks.

07:37.180 --> 07:40.090
And here, as you can see, it's already installed.

07:40.180 --> 07:45.070
We'll open it, not install, the downloaded one here, and we will click on Run.

07:57.230 --> 07:57.560
Yes.

07:57.560 --> 07:58.250
Here.

08:03.610 --> 08:04.720
After reading.

08:05.690 --> 08:08.300
Click on accept the agreement.

08:09.450 --> 08:13.620
Then accept the agreement and click on next here.

08:15.930 --> 08:17.820
This is the installation directory.

08:18.330 --> 08:19.290
Leave it default.

08:21.120 --> 08:28.410
And setup is now ready to begin installing IDA Freeware 8.3 on your computer.

08:28.440 --> 08:29.640
Now, we will click on next.

08:29.640 --> 08:32.160
And as you can see here, it's installing.

08:36.350 --> 08:37.100
That's it.

08:37.280 --> 08:45.160
IDA Pro is installed on our Windows machine, and in the next lecture we will begin to use it.

08:45.170 --> 08:46.880
I'm waiting for you in the next lecture.
