WEBVTT

00:01.520 --> 00:03.530
Hello and welcome back.

00:03.860 --> 00:09.950
In today's video, I'll show you how to get started with Windows Ghidra.

00:10.730 --> 00:19.460
Before that, go ahead and create a new folder called Ghidra Projects, and inside it create a new sub

00:19.470 --> 00:27.920
folder called gcm-1, and download this from the resource link that I provided for you, and

00:27.920 --> 00:31.700
put this crackme inside this new subfolder.

00:33.110 --> 00:37.970
This is a GUI crackme, so let us run it first and see what it does.

00:42.180 --> 00:51.150
Now enter any kind of serial key and click on Check, and you get the bad message.

00:51.300 --> 00:52.860
So this is the behavior.

00:52.950 --> 00:56.080
Now we are going to reverse this

00:56.100 --> 00:56.790
crackme.

00:59.780 --> 01:02.870
Now in Ghidra, click on the File.

01:03.260 --> 01:05.420
Click on New Project.

01:08.400 --> 01:09.630
Click on Next.

01:11.640 --> 01:13.740
And then click on the three dots.

01:15.590 --> 01:18.170
Navigate to your new folder.

01:25.720 --> 01:33.250
Ghidra Projects and select this folder called gcm-1, and click on the Select Project Directory.

01:35.080 --> 01:39.220
Give it a name called gcm

01:42.820 --> 01:47.500
-1, and hit on the Finish button.

01:50.050 --> 01:54.160
Now we are going to import this crackme into Ghidra.

01:54.370 --> 01:58.810
So drag and drop it into this new folder.

02:03.750 --> 02:08.200
And it has detected the PE file format.

02:08.950 --> 02:09.370
Click

02:09.370 --> 02:09.970
OK.

02:17.550 --> 02:21.330
And this is the summary of the import process.

02:21.360 --> 02:22.590
Click on the button

02:22.590 --> 02:23.280
OK.

02:25.790 --> 02:28.160
Now we can start analyzing.

02:28.610 --> 02:30.890
Drag it into the dragon icon.

02:32.700 --> 02:39.540
And it will open up the Code Browser and ask you to confirm if you want to analyze it.

02:39.570 --> 02:40.200
Click on

02:40.230 --> 02:40.770
Yes.

02:43.160 --> 02:46.850
And then in the list of analyses,

02:48.430 --> 02:49.720
check this box,

02:49.750 --> 02:50.980
Decompiler

02:51.280 --> 02:52.510
Parameter ID.

02:53.890 --> 02:58.120
And then scroll down and uncheck PDB Universal.

03:01.090 --> 03:07.450
PDB is a debugger file that is generated when you create a program.

03:08.650 --> 03:15.010
Now, only the person, the programmer who writes the program, will have this PDB file.

03:15.340 --> 03:22.780
If you downloaded a program or crackme from third-party sources, you will not have access to

03:22.780 --> 03:23.200
this.

03:23.590 --> 03:28.570
So we will assume that we don't have access to this PDB debugger file.

03:30.470 --> 03:31.400
So we uncheck it.

03:32.500 --> 03:34.420
And then check this one,

03:34.900 --> 03:42.190
Windows PE. It will propagate the external parameter and make it easy for us to analyze data.

03:44.130 --> 03:46.020
So click on Analyze.

03:49.250 --> 03:56.990
And keep your eye on the bottom right corner, which shows you the status and progress of the analysis.

03:58.510 --> 04:02.740
After about one minute, the analysis is now complete.

04:04.000 --> 04:07.680
The thing I want to do now is to set the preferences.

04:07.690 --> 04:15.040
So go to Edit, select Tool Options, and then select Listing Fields.

04:16.420 --> 04:17.170
Listing Fields.

04:17.170 --> 04:21.040
And then inside here, look for Cursor Text Highlight.

04:21.970 --> 04:25.060
And then here the default is Middle.

04:25.060 --> 04:26.620
So change it to Left.

04:27.160 --> 04:31.600
Similar to what we did for the Ghidra on Linux.

04:31.900 --> 04:33.010
So click

04:33.010 --> 04:33.520
OK.

04:35.290 --> 04:38.650
Look for the Functions folder and then look for main.

04:38.650 --> 04:43.510
But you won't find any main because this is a GUI program.

04:44.170 --> 04:48.520
So look for Entry Point instead.

04:51.380 --> 04:51.910
There you go.

04:51.920 --> 04:52.820
Entry Point.

04:53.480 --> 04:57.050
So the Entry Point is the thing that runs before main.

04:57.740 --> 05:02.930
But in GUI programs, there is no main.

05:03.410 --> 05:06.500
Even though you can find the entry, there is no main.

05:07.160 --> 05:09.050
But it does have a Win

05:09.050 --> 05:15.260
Main. WinMain is the entry point for Windows GUI programs.

05:16.070 --> 05:19.670
I will also put this link in the resource file that you download.

05:19.670 --> 05:21.860
So this is the signature of WinMain.

05:22.970 --> 05:27.590
But sometimes you won't find it inside the code listing.

05:28.460 --> 05:33.290
So on the right, you go to the Decompiler window and look for Entry.

05:33.320 --> 05:34.030
There it is.

05:34.040 --> 05:40.610
And then if you scroll down looking for WinMain, you might not find it.

05:40.640 --> 05:50.270
One clue of where WinMain could be is just after the function that gets all the environment variables.

05:51.750 --> 05:53.550
So you get command line here.

05:54.240 --> 05:55.440
So this could be it.

05:56.490 --> 05:57.180
Let's check it out.

05:58.770 --> 06:00.420
Yes, this is it.

06:01.020 --> 06:06.870
So this is WinMain, and you can see the CreateDialogParam, then ShowWindow.

06:07.230 --> 06:13.410
So when this ShowWindow API is called, it will display this window.

06:14.130 --> 06:15.510
This is the meaning of ShowWindow.

06:15.510 --> 06:16.680
So this must be WinMain.

06:17.370 --> 06:18.960
Add the signature.

06:20.290 --> 06:22.420
So we can go to

06:24.170 --> 06:26.540
the documentation for WinMain.

06:26.750 --> 06:29.210
You should not copy the semicolon at the back.

06:29.870 --> 06:32.840
So you might want to do this instead.

06:34.040 --> 06:36.440
And leave out the semicolon.

06:37.430 --> 06:41.720
And then right-click, Copy, and head back to Ghidra.

06:43.520 --> 06:50.810
And then right-click on undefined, the undefined function, and select Edit Function Signature.

06:52.490 --> 07:00.770
And now here you can just paste in, right-click and Paste, or Ctrl+V to paste what you have

07:00.770 --> 07:05.270
just copied, and then remove the API in front.

07:07.050 --> 07:11.010
So once you've done this, make sure there is no semicolon at the back here.

07:11.490 --> 07:11.940
Click

07:11.940 --> 07:12.540
OK.

07:14.890 --> 07:21.490
And then for this one, you can just accept the default as string pointer,

07:21.490 --> 07:22.280
window string.

07:22.300 --> 07:22.510
Click

07:22.510 --> 07:23.050
OK.

07:26.450 --> 07:29.570
And so now you have the correct signature for WinMain.

07:30.140 --> 07:32.060
You can see here this is a while loop.

07:33.440 --> 07:42.230
Typically, Windows will have a while loop where it keeps on parsing or scanning for the inputs from

07:42.230 --> 07:45.770
the user and then checking whether it's a message dialog.

07:47.000 --> 07:53.210
And then after that, if it is a dialog message, for example, if you use your mouse and click on

07:53.630 --> 08:01.580
these windows with the mouse, it will translate it using the TranslateMessage function and

08:01.580 --> 08:05.810
store it in the Windows structure called MSG.

08:07.100 --> 08:09.080
And then it will dispatch it.

08:09.650 --> 08:12.590
It will dispatch it to the callback function.

08:13.310 --> 08:16.100
But here you don't see the callback function.

08:17.360 --> 08:21.170
So callback function is not visible here.

08:21.440 --> 08:29.270
If you have done some Windows programming, you will know, you will recognize this kind of code.

08:31.370 --> 08:36.350
But we are not going to use this to solve this challenge.

08:36.740 --> 08:39.440
Instead, we are going to search for strings.

08:40.010 --> 08:41.510
So look over here.

08:42.620 --> 08:45.880
This is the bad message,

08:46.160 --> 08:47.280
Wrong Key,

08:47.300 --> 08:48.080
Try Again.

08:48.170 --> 08:52.640
Go to Windows Menu and select Defined Strings.

08:54.490 --> 09:00.310
And it will show you all the strings that have been found while doing the analysis.

09:00.940 --> 09:06.640
So you can scroll down and look for the bad message, which is this one: Wrong Serial Key,

09:06.640 --> 09:07.330
Try Again.

09:08.500 --> 09:10.330
Or you can filter it out from here.

09:11.230 --> 09:12.250
Type "wrong."

09:13.840 --> 09:15.160
And there you go.

09:15.370 --> 09:16.450
Wrong Serial Key,

09:16.480 --> 09:17.230
Try Again.

09:18.250 --> 09:23.590
Sometimes you might not be able to find it in the Defined Strings window.

09:23.590 --> 09:29.800
So if you don't see your strings here, for example, if it's Unicode, you might not see the strings

09:29.800 --> 09:30.220
here.

09:30.370 --> 09:31.990
You might or you might not.

09:32.560 --> 09:41.350
So in that case, if you don't see it here, go to Search, use a different tool called Search, and then

09:41.350 --> 09:44.410
select For Strings, and then here

09:45.140 --> 09:46.300
I accept the default,

09:47.490 --> 09:53.250
which is switched on and loaded blocks, and click Search, and there you go.

09:54.030 --> 09:55.470
You get another

09:55.500 --> 09:56.640
result here.

09:57.030 --> 10:04.710
If this window doesn't pop up in here, sometimes it might be a

10:04.830 --> 10:06.990
floating window like this, for example.

10:07.470 --> 10:10.860
And if you want to dock this window in here, you just drag

10:11.080 --> 10:14.940
the inside blue bar, not the outside one, the inside blue bar.

10:14.940 --> 10:17.190
Drag it to the right here and let go.

10:17.490 --> 10:22.780
And then you will dock it here, and you will have the tabs showing you all the windows that you've

10:23.120 --> 10:23.130
docked.

10:25.050 --> 10:25.380
Right.

10:25.380 --> 10:25.800
So

10:25.800 --> 10:29.970
you can use the result of the search here and filter out.

10:29.970 --> 10:30.690
Sorry.

10:32.040 --> 10:32.940
And there you go.

10:33.420 --> 10:35.790
So you have two ways of searching for strings.

10:35.820 --> 10:39.900
One is you use Defined Strings, which is coming from Windows,

10:39.900 --> 10:40.860
Defined Strings.

10:41.070 --> 10:48.520
The other way is to use the Search for Strings, and you will find it here.

10:49.810 --> 10:56.830
So now you can double-click on this and go to the location of the string, which is here.

10:58.050 --> 10:58.330
Wrong

10:58.340 --> 11:04.800
Serial Key, Try Again, and then you will find the cross-references to the function which makes use of this

11:04.800 --> 11:05.160
string.

11:06.090 --> 11:12.660
So you can just double-click on this cross-reference, and it takes you to the code listing,

11:12.690 --> 11:13.710
the function.

11:14.100 --> 11:16.770
Scroll up and you will see the function.

11:17.610 --> 11:21.630
This is a function from 0x401090.

11:22.260 --> 11:30.500
So the moment you see this in the code listing, it will also be displayed in the Decompiler view.

11:30.510 --> 11:33.270
So click on the Decompiler tab here.

11:33.270 --> 11:34.740
And this is the function.

11:36.390 --> 11:38.310
All right, so this is a main function.

11:38.550 --> 11:41.580
You can rename it as main.

11:45.310 --> 11:53.050
And in here you will see the GetDlgItemText is a Windows API to extract whatever the user has

11:53.050 --> 11:53.410
typed.

11:54.460 --> 12:00.580
And then if you scroll down, you will see the MessageBox for good message.

12:00.910 --> 12:04.330
And the MessageBox for the bad message.

12:04.750 --> 12:11.110
So whether you're showing the correct key or the wrong key, it will depend on the result of

12:11.420 --> 12:17.740
uVar3. So uVar3 is the result of your comparison.

12:18.650 --> 12:23.660
So this is a comparison loop which goes through the process of comparison.

12:23.900 --> 12:26.060
And it looks quite complicated.

12:26.090 --> 12:33.260
It is actually doing some kind of string comparison between the actual password and what you enter.

12:33.830 --> 12:42.200
So if the comparison shows that the key that you enter is the same as the actual key, then uVar3

12:42.230 --> 12:43.400
should be zero.

12:43.850 --> 12:46.430
Only then will it show the MessageBox.

12:47.300 --> 12:54.410
Now another way you can view this whole function main is to use the Window Graph.

12:55.040 --> 13:00.260
You can hit on the Window and go down to Window Function Call Graph.

13:02.890 --> 13:05.420
A new Function Call Graph will then

13:07.900 --> 13:18.310
do a graphical analysis and show you from a high-level point of view what your call stack looks like.

13:18.310 --> 13:24.310
So your call stack started with WinMain, and then from WinMain you call your main, which is this

13:24.310 --> 13:25.630
one which you just renamed.

13:28.090 --> 13:34.960
And then from this main function, you have all the subfunctions within this main function.

13:34.960 --> 13:42.010
For example, GetDlgItem is this one, and PostQuitMessage is somewhere down at the bottom.

13:42.520 --> 13:47.080
And then MessageBox would be this MessageBox inside here.

13:49.380 --> 13:52.530
And sometimes it can even expand further.

13:52.860 --> 14:01.500
If you have a plus icon and a minus icon, if it's a minus icon, you can collapse the parent.

14:03.720 --> 14:08.010
And if you click on the button minus, you collapse the child.

14:11.510 --> 14:16.580
So it's quite a good tool for visualizing your call stack.

14:17.900 --> 14:20.600
Sometimes you can also use this to trace the parent.

14:21.410 --> 14:27.500
Okay, now that you have the decompiled main here, you can scroll down and analyze the code.

14:28.360 --> 14:34.360
You can see here that it has a GetDlgItem

14:34.360 --> 14:43.570
Text API to read what the user entered, and you can check out the MSDN library by going to Google Chrome

14:43.570 --> 14:48.220
and searching for GetDlgItem

14:50.010 --> 14:54.540
Text, and click on this result.

14:55.080 --> 15:02.280
So this one will read in the string and store it in here.

15:04.760 --> 15:05.140
All right.

15:05.140 --> 15:09.220
This is the handle to the window that you are trying to read.

15:09.370 --> 15:13.750
And then this is the string that stores the item.

15:14.590 --> 15:17.860
This is a data item referring to the text box.

15:18.370 --> 15:21.760
So you are storing your text in the third parameter.

15:21.790 --> 15:23.260
One, two, three.

15:23.350 --> 15:25.390
So when you come back here, you see,

15:26.140 --> 15:29.590
so this parameter, one, two, three,

15:29.800 --> 15:32.800
the parameter contains your string.

15:34.990 --> 15:36.670
This is what you entered.

15:38.300 --> 15:38.810
All right.

15:38.810 --> 15:45.250
And interestingly, if you see on top here, pcVar4 is the actual password, right?

15:45.260 --> 15:46.580
It looks like the actual password.

15:46.760 --> 15:48.470
So you can rename it.

15:48.650 --> 15:51.710
This one is the actual key.

15:53.030 --> 15:55.220
This is just an assumption.

15:55.760 --> 15:59.780
So even if it's just an assumption, you just go ahead and rename it.

16:00.980 --> 16:05.150
So this local, the default is the third parameter,

16:05.150 --> 16:06.210
one, two, three.

16:06.230 --> 16:07.880
So this is your input,

16:09.050 --> 16:09.920
my_input.

16:13.790 --> 16:15.290
And then it starts in here.

16:16.250 --> 16:17.720
You can also rename this.

16:19.940 --> 16:25.820
Right-click and Rename, or just press L on your keyboard, and we'll call this pointer.

16:25.850 --> 16:31.910
Pointer is just a memory address, pointer to my input.

16:33.200 --> 16:34.460
Underscore my_input.

16:36.890 --> 16:37.280
See.

16:37.280 --> 16:38.480
So actual key here,

16:38.510 --> 16:39.470
my input here.

16:40.440 --> 16:42.090
And then if you go down further,

16:43.930 --> 16:46.270
it is trying to extract some things.

16:48.540 --> 16:55.200
You don't have to understand every single line. Just from the high-level conceptual view is good enough.

16:56.020 --> 17:02.770
So just by looking like this, you can see it is taking your input and using it in various places and

17:02.770 --> 17:08.380
doing some kind of string operation with the input.

17:08.380 --> 17:14.110
So even if you didn't understand every single line, still you can more or less guess that they are

17:14.110 --> 17:15.640
comparing these two things.

17:15.640 --> 17:22.150
So this makes it very highly likely that this is actually the actual key, right?

17:22.150 --> 17:29.380
And then based on this, it will then store the result of your comparison, probably in this uVar2.

17:29.410 --> 17:36.280
Because at the end, after doing all this, it is going to check whether your uVar2 is zero.

17:36.310 --> 17:37.960
That means this one

17:37.960 --> 17:41.140
probably we can rename it now as the result.

17:41.530 --> 17:44.860
Right-click, Rename, result, and hit

17:44.860 --> 17:45.430
OK.

17:46.750 --> 17:50.920
So if your result is zero, then it will show you a good message, right?

17:50.920 --> 17:59.780
So from here you have a very good basis for suggesting that this is your actual key, so we can test it

17:59.780 --> 18:03.410
out. Now we can go to our crackme and test it out.

18:03.680 --> 18:10.610
So we just run our crackme and then try to enter the password.

18:11.990 --> 18:16.610
So from here your password is "cracking_lessons."

18:18.230 --> 18:19.760
So we just copy it.

18:21.140 --> 18:23.270
And right, just right-click and Copy.

18:23.510 --> 18:26.030
And then from here we right-click and Paste.

18:28.090 --> 18:28.780
There you go.

18:28.810 --> 18:33.280
So we have solved this crackme by reversing it in Ghidra.

18:33.460 --> 18:37.150
Before we leave, I want to show you another useful tool.

18:38.200 --> 18:42.670
Under Windows, you can also look at Function Call Trees here.

18:43.330 --> 18:48.340
So when you do Function Call Trees, it will show you two panels at the bottom.

18:48.370 --> 18:52.450
On the left is your incoming call, and on the right is your outgoing call.

18:53.140 --> 18:58.030
The outgoing call is all the functions contained within the main.

18:58.750 --> 19:05.650
So you can see here, main, and inside it you have all these outgoing calls or outgoing functions like

19:05.650 --> 19:06.520
memset.

19:06.550 --> 19:09.730
Memset is over here. MessageBox here.

19:09.730 --> 19:11.770
So it should be down here somewhere.

19:11.770 --> 19:18.010
You got a few MessageBoxes here, and then GetDlgItemText is found here, and so on.

19:18.220 --> 19:20.950
And on the left panel is your incoming calls.

19:20.980 --> 19:24.910
Incoming calls list all the parents for main function.

19:25.120 --> 19:31.130
That means the other functions which call main, for example, WinMain.

19:31.130 --> 19:33.890
And this tallies up nicely with our graph.

19:33.890 --> 19:40.640
So we go back to graph here. Windows and click on Function Call Graph, and you can see WinMain is a parent

19:40.640 --> 19:41.210
for main.

19:42.580 --> 19:47.500
And compare it with your call tree. WinMain, incoming, incoming reference.

19:47.500 --> 19:49.510
So WinMain is the parent.

19:50.140 --> 19:51.910
You are here: main, and this is WinMain.

19:52.690 --> 19:57.250
And then down here is your outgoing calls, and you can compare with the right panel.

19:57.820 --> 19:59.320
Outgoing calls are down here.

19:59.920 --> 20:03.520
So there are two ways to visualize your call stack.

20:03.730 --> 20:06.130
You can use the Windows

20:07.220 --> 20:13.820
Function Call Graph, or you can use the Windows Function Call Tree from here.

20:14.210 --> 20:15.200
Windows

20:16.070 --> 20:17.930
Function Call Graph or

20:19.430 --> 20:21.110
Function Call Trees.

20:21.150 --> 20:22.670
These two are quite useful.

20:24.740 --> 20:26.780
The other one is Functions itself.

20:27.290 --> 20:28.310
You click on Functions.

20:28.310 --> 20:33.620
It will list all the functions that are available in this whole program.

20:35.750 --> 20:37.490
This function can also be docked.

20:38.060 --> 20:39.560
You can pull it out from here.

20:39.740 --> 20:41.600
You can pull it up to the top,

20:41.600 --> 20:43.520
and so it will become floating.

20:44.480 --> 20:48.170
Or you can dock it back in here by pulling the inside bar, not the outside one,

20:48.200 --> 20:50.150
pulling the inside bar and pulling here.

20:50.300 --> 20:51.410
And it will dock here.

20:51.410 --> 20:52.820
One, two, three, four.

20:55.920 --> 20:59.790
So these are all the main things you can use.

21:00.330 --> 21:02.610
So in this lesson, you have learned quite a lot.

21:03.000 --> 21:03.600
Yes.

21:03.600 --> 21:11.040
You learned how to identify the Entry Point for Windows GUI programs, how to use the search string,

21:11.040 --> 21:15.810
search for Defined Strings, and also for using the String Search method.

21:16.320 --> 21:26.850
Also, you learned how to use the Function Call Tree and Function Call Graph, and also how to understand

21:26.850 --> 21:29.910
and search for the Windows API and understand it.

21:30.690 --> 21:33.760
So that's all for this video.

21:33.780 --> 21:35.550
Thank you for watching.