WEBVTT

00:01.430 --> 00:03.050
Loading an executable.

00:03.320 --> 00:11.570
We will launch IDA Pro, the IDA Freeware, which in this case we will need to run as administrator.

00:11.570 --> 00:13.520
In order to do that, we will right click on it.

00:14.630 --> 00:17.080
Run as administrator.

00:18.480 --> 00:18.990
Yes.

00:21.620 --> 00:29.930
If you start IDA Pro for the first time, it will briefly display a screen showing your license information,

00:29.930 --> 00:31.910
and immediately after that.

00:32.680 --> 00:36.370
you will be presented with the following screen here.

00:39.870 --> 00:41.880
And we will choose New.

00:41.880 --> 00:44.130
And we will select the file

00:45.700 --> 00:46.860
we wish to analyze.

00:46.860 --> 00:50.220
In this case, it's a simple Hello world program.

00:50.310 --> 00:57.090
And after that, as you can see, we have a portable executable and a binary file.

01:00.440 --> 01:10.460
In other words, the file that you give to IDA will be loaded into memory, and IDA

01:10.520 --> 01:12.410
acts like the Windows loader.

01:13.570 --> 01:15.550
It loads the file into memory.

01:16.330 --> 01:21.100
IDA determines the best possible loader from the file header.

01:22.030 --> 01:22.330
Yeah.

01:22.330 --> 01:30.190
From the file header it determines the processor type that should be used during the disassembly process. After

01:30.190 --> 01:31.300
you select the file,

01:31.330 --> 01:34.990
it shows a dialog, as you can see here.

01:34.990 --> 01:43.450
So from this it can be seen that IDA determined the appropriate loaders: the portable executable, as you can see.

01:44.040 --> 01:52.080
The x86 here, and the appropriate loaders are the portable executable

01:52.970 --> 01:55.460
or just a binary file.

01:55.580 --> 01:56.600
And.

01:57.740 --> 01:58.820
The binary file option.

01:58.820 --> 02:04.790
If you are using the demo version, you will not see this option here, and this binary file option is

02:04.790 --> 02:08.360
used by IDA,

02:08.960 --> 02:10.040
by IDA,

02:11.790 --> 02:15.430
to load the files that it does not recognize.

02:15.430 --> 02:22.910
So you will normally use this option when you are dealing with shellcode, and by default it does not

02:25.890 --> 02:32.430
load the resource section, but by using the manual load checkbox here,

02:32.430 --> 02:39.780
so as you can see, we have Manual load and Load resources entries, and if you check this Manual load option

02:40.020 --> 02:47.760
and manually specify the base address where the executable has to be loaded, then IDA will

02:49.360 --> 02:50.620
ask whether you want to

02:52.030 --> 02:53.590
load the section.

02:55.460 --> 02:55.840
Yes.

02:56.000 --> 03:02.630
And as you can see, we have a portable executable for 80386.

03:02.630 --> 03:07.400
And before we click OK here, as you can see, if we want to change the processor

03:07.400 --> 03:09.200
type to Athlon, for example.

03:09.320 --> 03:09.650
We will.

03:13.310 --> 03:15.200
And after clicking.

03:15.200 --> 03:15.980
Okay.

03:17.610 --> 03:20.070
IDA loads the file into memory and

03:21.470 --> 03:23.660
disassembles the machine code.

03:23.660 --> 03:26.630
And as you can see, a lot of the debug information.

03:26.630 --> 03:27.290
Yes.

03:28.650 --> 03:32.310
gets as much information pulled here, and

03:33.880 --> 03:34.510
Click here.

03:34.540 --> 03:35.030
It might.

03:37.400 --> 03:38.570
System properties.

03:38.570 --> 03:42.410
And as you can see, it's registering and that's it.

03:42.410 --> 03:49.010
And here, after the disassembly, IDA performs an initial analysis

03:49.870 --> 03:56.050
to identify the compiler, function arguments, local variables, library functions and their parameters.

03:56.050 --> 03:57.460
And let's actually.

04:01.610 --> 04:02.690
And that's it.

04:02.760 --> 04:03.230
Here.

04:04.000 --> 04:11.350
And once the executable has been loaded, you will be taken to the desktop showing the disassembled output

04:11.380 --> 04:17.920
of the program and the Ida desktop integrates the features of many common static analysis tools into

04:17.920 --> 04:24.580
a single interface, and this section will give you an understanding of the Ida desktop and its various

04:24.580 --> 04:25.330
windows.

04:25.330 --> 04:35.740
And this, as you can see here, is the IDA desktop right after load, and you will see it each time after

04:36.310 --> 04:38.020
you load an executable file.

04:38.890 --> 04:43.360
And the IDA desktop contains multiple tabs, like

04:45.620 --> 04:52.550
IDA View-A, Hex View and so on, and clicking each tab brings up a different window here.

04:52.850 --> 04:57.290
As you can see, we have tabs here: Structures and

04:57.970 --> 04:59.200
Imports, Exports.

05:00.960 --> 05:01.710
And.

05:03.230 --> 05:04.310
And select one of them.

05:04.330 --> 05:08.570
And we also have the structures here.

05:09.900 --> 05:11.140
Enums, Imports here.

05:11.160 --> 05:11.760
Now we are.

05:13.010 --> 05:14.130
The structures.

05:26.450 --> 05:27.560
These are the structures.

05:27.620 --> 05:31.690
We also have the Enums, the Imports we are importing,

05:32.780 --> 05:33.830
Find versus.

05:36.230 --> 05:40.490
Exports. And after the executable has been loaded, you will be presented

05:41.570 --> 05:45.260
with the IDA View-A window.

05:45.590 --> 05:49.070
And this is the primary window and displays the disassembled code.

05:49.070 --> 05:53.840
And you will mostly be using this window for analyzing binaries.

05:53.870 --> 05:54.500
Here.

05:55.590 --> 05:59.760
And it has two display modes.

06:00.090 --> 06:05.700
There is graph view and text view, and graph is the default view.

06:05.820 --> 06:14.070
As you can see here, when the disassembly view, IDA View, is active, you can switch between the graph

06:14.070 --> 06:18.810
and the text view by pressing the space bar, like this here.

06:19.640 --> 06:21.800
And in the graph view mode,

06:22.010 --> 06:30.320
IDA displays one function at a time in a flowchart-style graph, and the function is broken into

06:30.440 --> 06:36.440
basic blocks here, and this mode is useful to quickly recognize branching and looping.

06:37.100 --> 06:39.560
And in graph view mode,

06:40.160 --> 06:47.300
the color and the direction of the arrows indicate the path and the branch taken here.

06:47.300 --> 06:55.010
But in this case this is just a simple Hello World application, and it has only one function, and we don't

06:55.010 --> 06:56.600
see any other functions.

06:56.720 --> 07:01.190
And that's why this is the only tab we can see here.

07:02.220 --> 07:02.850
And.

07:04.230 --> 07:09.210
In the graph view, the virtual addresses are not displayed by default, and this is to minimize the

07:09.210 --> 07:15.080
amount of space required to display each basic block. To display the virtual address information,

07:15.090 --> 07:17.280
you can click Options here,

07:17.280 --> 07:21.990
and after that General, and as you can see here, we have several options

07:24.130 --> 07:26.140
here, and we will go to Graph.

07:31.420 --> 07:36.580
And as you can see, instead of going to Graph, you can also change it from here: Display

07:36.580 --> 07:39.040
disassembly line prefixes, and we will enable this.

07:39.040 --> 07:41.230
Check this out and we will click on.

07:41.230 --> 07:41.470
Okay.

07:41.470 --> 07:50.980
And as you can see here now, we are seeing the addresses here and the hex values here, and here we are

07:51.010 --> 07:56.650
seeing the disassembly of the main function. And in the graph view mode, notice that the conditional

07:56.650 --> 08:02.590
check at the address starting at 00401460.

08:04.380 --> 08:11.040
And for 80 here: as for the condition, we don't have the condition for now, but in the next lecture

08:11.040 --> 08:14.670
we will use this for checking the conditions as well.

08:15.420 --> 08:16.080
And.

08:17.910 --> 08:23.150
In the next lecture, we will also learn how to use the Functions, Output window and Hex View windows

08:23.150 --> 08:23.750
as well.

08:23.750 --> 08:26.590
And I'm waiting for you in the next lectures.
