Transcript for:
Debugging Techniques with WinDbg Overview

I did the live stream on debugging with WinDbg. It was super insightful and I managed to learn a lot of stuff, of course with the help of you guys, but that was my first time doing debugging online, so feel free to laugh at my pain and suffering. With that being said, feel free to smash that subscribe button and like the video, of course, if you like it, and let's hope that this video is as useful and insightful to you as it was to me. Have a nice seat and enjoy. Thank you.

Welcome guys, it's Jose, and welcome, welcome to the stream. It's been an honor to be here, and after a lot of time of studying for the OSCP I finally have the chance of dedicating more time to streaming and sessions like this one. Now for today I have prepared, actually I'm not prepared, I just have an idea of doing things and we're going to do that live, because, well, that's how I have fun starting, so don't blame me that much. I am new to debugging myself and I am a total noob, so the idea is to just go ahead and start learning so everyone can help each other. Yeah, so that's the main idea.

Now I have prepared my setup here. I have WinDbg Preview installed, so we're going to use that. If you're wondering how to install that, you just navigate to the Store, and if you have a Windows version, let's say higher than 7003 or something, I'm pretty sure you have it, just type in WinDbg and you can see that one here. So that's apparently the most, let's say, UI-friendly one, because WinDbg is the software that has been used for debugging Windows for a very long time, and the old software is still available but it's kind of, let's say, boring and not as good as that one. So if you have a recent Windows version just use that one and it should be fine. So yeah, that's about the installation process. Oh yeah, another thing: since I'm on Commando VM I already have that installed, but maybe you need to go ahead and search for the Windows 10 SDK and download that, so if you experience any kind of errors or any disruption at all just go ahead and click here, download this tool, install the SDK and you should be fine. So yeah, with the SDK and WinDbg we are pretty much ready.

My idea is simple: we're going to develop a very simple C program, then we're going to go ahead and see and analyze what we can see from the debugger's point of view. Can we see what modules are being loaded? Can we, let's say, debug the process, set a breakpoint and analyze the data at runtime? Stuff like that. So I'm going to open Dev-C++. You may ask why I use Dev-C++; it's kind of enjoyable to be honest, it's super easy and nice to use, just open your file, type, it's getting compiled to an exe and that's it. So let's go with including stdio.h, that's the main library, we can see most of the functions are there. Then let's do int main, which is going to be the main function. So C is a compiled language, which means that it needs some place to start. Here we're going to dive into, let's say, very low level, and I'm going to take time explaining a lot of stuff, so if you already knew that, I hope you find something new. Now, since this is a compiled language: overall we have two types of languages, one is compiled and the other is interpreted. An example of that is JavaScript or Python. So in Python you write, let's say, ten lines of code; when you run the script each one is getting executed and it follows, let's say, the line pattern, so first one, second one, third line and so on, and if you have functions it jumps there and gets back. Now in Python you do not need to have main, you do not need to have functions at all, and that's because it's an interpreted language. But in C or any kind of compiled language such as C#, let's say Java, let's say Nim or Go, I believe Go, you have to define a main method, so when you start the program the executable and the registers are going to know from where to start, and usually that's the main function. So that's the first thing that's getting executed, and now we're going to start the same line pattern from here, right? So I hope that makes sense.

Now what I want to do is to firstly define just another simple command for an infinite loop, and we're going to try to see the command arguments. So let's go with for and type two semicolons, I believe that was the name, and that syntax is special for C, meaning infinite loop. So usually for requires three parts of body; the usual for loop is like int i equals zero, i less than something, and i plus plus, so you have three parts of the for loop: you have the beginning, you have the condition, so while that the loop is going to run, and you have the incrementing, so it's not infinite. Now when you write it like this we still have three parts like that but they are just empty, and when the parts are empty the loop is going to continue forever. Another way of doing that is to go and type while one; while one is going to do the same thing, in some languages it's while true, so it's kind of the same, just doing the infinite loop. Now here let's type system, but for that we're going to need another library which is called stdlib.h, and now with that library we can call the system function, and to system we can pass a command, so we can do like whoami. Now if I compile that we're going to see the name of my local user, which is commando user or something else, being displayed forever. So let's do whoami, or let's actually make a directory stream here, stream, and of course I did a typo, so delete that, stream, save that, compile that, and if we go to the stream directory here we can see that we have whoami.exe. Now if I run that, come on, what did I do wrong? Let's run it through the IDE itself, and I'm not sure what I did wrong. Let's try system here, whoami, just a single time to verify that it works. Maybe the system function is being messed up, and other than that, nothing, which is super strange. Do you guys have any idea why that happens? I'm going to do my best to look at the chat as much as I can.

So, very much... I disappeared? Hello, all right, he's back now. I'm not sure why it is behaving that way. Let's try printf and just print something, hi, compile that and we have hi. Then let's go system and do dir for example, remember that, and it works now. So what was the mistake there? Not really sure, but whoami, and of course we need the syntax, what? So maybe it's not, what I can do, whoami, come on. So maybe it has something to do with my default command line because it's Cmder maybe, so let me try cmd.exe and see whoami, so save that and still I have the same error, what the hell? Well, we have something, nope, that's super strange, we didn't have the for loop and it is being replayed forever. Yeah, now we have like hi, return zero, yep, oh looks good now. So stdlib.h, I think that's it, run that, all right, let's do system ipconfig, now it works, all right, whoami, now it's not. So maybe, I'm not sure why the whoami command is not working, but sure we are striking with ipconfig, so we can do the same thing using that. I'm really not sure why that is. And hi, hi guys, if you have any ideas, questions, tips, just hit me up, I'm doing my best to watch the chat as much as I can. So I'm not sure why, maybe it's because of my default shell environment, that's Cmder, maybe that's breaking things, tough, not sure, but it doesn't like the whoami. Never mind, so with ipconfig it's fine, so we can do the same thing, so for an infinite loop and here... nice, appreciate you man, and yeah, you can help, especially if you know debugging and stuff, I would be happy to get some help. Yeah, so my idea, I'm not sure if when you joined, but my idea is to just develop a simple program and try to debug it with WinDbg, see what we can get. So yeah, now that thing, if I run it, is supposed to have infinite repeating of ipconfigs. Nice, and now it's compiled, so if I run that, and now I go back here and run that, we get ipconfig, now it's big, it's going to be best if I even rename that so I have ipconfig instead of whoami.

And let's start with WinDbg now, so open that up. There's a default, let's say, UI; what I like is to have the disassembly on the right, and all the threads, actually what was that, never mind, that thing looks nice, so I like having that on the right and the command pane on the left. So in a nutshell that's the debug window. Now most of the things we're going to do, most of the things we can engage with in the debugger, is through that command pane here. Now additionally we have different panes: here we can see the thread stack and breakpoints, here we can see locals, which I'm not really sure what that is, and here we can see the assembly at runtime. Now here, as I said, is going to be most of the work, and we have a bunch of ways into, let's say, starting things. Now what I like when debugging a simple program is we can do Launch Executable, we can go to the one we want, go to, where was that, stream, and open that here.

Now let me just answer the question: do you think it's a good idea to start working in Python, to learn it, then combine it with C++ for payloads, to make a really good payload stage? All right, that's the thing I'll show you, I'll discuss. So I think the following, so that's the reason why I started doing C++: because you must have knowledge in different kinds of languages. Like you can be a very good C# programmer, but in some cases you have more heavy hits based on your, let's say, language. Now I've done my experiments and when using C++ my payloads are 25 more evasive just from the language I'm using; I'm using the same Windows APIs, I'm using the same techniques of invoking the shellcode, I'm using pretty much the same, but the C++ executable is less detectable by antivirus. So what I think is that everyone must learn a lot of languages. Why? Because if one doesn't work you can switch to another, if one doesn't work you can switch to another, so you must know what the strengths and the weaknesses of each language are, and that means you have to know a lot. So what I like to say to people is that you have to learn how to code, not how to use a specific language. That's the main thing I have to say about that, because using a language, by definition, is trivial as soon as you know what you want to do. So on the Nim stream, when I was doing Nim, that was my first time engaging with it, very first time, and I did a simple shellcode runner, whatever, based on Google, asking, going there, researching. So you have to, let's say, just have the mind of knowing how to code and knowing how the code works, and then implementing it in different languages and seeing how they work. Now of course you have to know a bunch about the languages; as you said, C# is having a lot of libraries, as other languages are, but the main point is that you must know where the strengths and the weaknesses of your language are. So let's say in C++ everything is super fast, everything is less detected just because it's C++, but it's harder to write, so you can make mistakes, you can mess up the memory, but, you know, that's about the life. Now if you use C#, it's super easy to write, you cannot mess up the memory, but you have more detection. So yeah, now let's go and open the binary there, but definitely, if you know as many languages as you can it is always the best thing, but the main point is that you have to have that mind to think in and get in the code.

So when you run the file, let's get back to the main point, when you run the file we hit the initial breakpoint. So each time you run a new executable or attach to one you're going to have that window here, and that window means that we have a breakpoint; that initial breakpoint is always triggered when you attach to something. Now here we have symbol servers; symbols are pretty much the PDBs, the things in the PDB, so depending on the symbol servers and the symbols that are loaded we can see more or less information in the command pane. Now another thing we can see is what's been loaded, so just by attaching to something we can see what's been loaded once we have attached. Now we can see that our application is using so far kernel32.dll, KernelBase.dll, ntdll, and the name is msvcrt.dll. Now when I hit go the commands are going to start to pop up and we can see more stuff here. Now on the right we can see the raw assembly instructions, so here is the command pane and here we have the assembly instructions where we can observe what is going on, if you of course know what that is. How can we make it run in the background? Yeah, sure, but that's just a topic for another video because it's not that simple. In the first case, generally if you want to do it, like process injection, so it's being in a, let's say, host of another process, that way it's in the background successfully, and you generally want a big process that can communicate to the network, so if you inject into Explorer and Explorer starts making network connections, then you know something is up. Yeah, but that's not the case for this stream; I'm sure I'll show you some things later on or tomorrow, so just hit me up on Discord.

Now here let's just see other things. So on the watch we don't have really anything; on the threads we have two threads and we can switch them in the GUI by just clicking on them, and when you switch thread you can observe that this thing is getting switched as well, that means the thread we are using; now we're using the second thread, and we know that stuff starts from zero here, and here we're going to use the initial thread. Now otherwise, how we can see threads is to specify tilde, so shift and the, not sure how to explain that, left of the one, and you have that. Now we can switch the same way by specifying the number, so this is the thread ID, now I believe that was the process ID here, I believe that's the thread state, so they are suspended because we have hit a breakpoint and we halted the execution, we have the thread environment block, so here we can observe some environment things about the threads, and frozen, not sure what that is. So here we can choose between different threads, let's say one, and maybe we need to specify the k, nope, how was the syntax, never mind, just switch with the GUI here. What was it, oh yeah, it's tilde 1 s for switch, so if I run that the same thing is going to happen and I'm going to switch my threads via the command line, but of course the GUI is just better. Now let's just run the execution, let's just continue, and we can see by the way that, since that has been loaded, then the RPC, rpcrt4, that was being loaded, nice, and we can observe that a lot of things are happening. Now let's do a simple breakpoint because it's spamming a lot, and let's just hit the step into and observe when the command has been executed, or actually step over; so we need to step over five times and the command has been executed. Now I want to find how to set up a breakpoint just before the command gets executed, so I'm going to do a breakpoint search for, let's say, system, and these are the only system occurrences that we have here, so let's try to analyze things from the assembly to see if we can find that, like that and like that. So let's go step over; we have a call to DbgBreakPoint, that's not it; we have a short version here; we have RtlExitUserThread, which I'm not sure why we exit into here, and after that the command has been executed, hmm, let's think about it now. So let me explain more about the registers and stuff, is this how I get this? So, oh yeah, I'm trying to achieve, I just said it but let me try to say it again: I want to have that file we generated in the debugger and I want to find the command through the debugger, so I want to find where that's been executed, how that's been executed, and I want to see the raw string ipconfig or the output, so that's my idea.

So let's run it again because I closed that, so File, Launch Executable and ipconfig.exe. Something happened by the way, let's restart. All right, there we are. So these registers, we have rcx and, oh, we have eax, so we are talking about a 32-bit executable. All right, let's go with Visual Studio Code, I want to compile the same code using VS Code and 64-bit, so I'm going to do File, New Project and then C++, hope I have the library, console app, I have. Now here type ipconfig. OK, the way I understood that I have a 32-bit executable is based on the registers themselves, so these registers you saw, eax, ebx, are based on 32-bit architecture, and if you have 64-bit you have rax, rbx and a lot more; we're going to go into that later. And the idea is that in a 64-bit process you have one calling convention, calling convention meaning essentially how different parameters are being passed and how the registers are working, and if we have x86 architecture, meaning 32 bits, we have various calling conventions. So I think, especially for newbies like me, it's easier to debug 64-bit applications, since I know that each time the calling convention is going to be one. So let's go include stdlib.h, and the good thing about C++ is that you can include standard C libraries and then use the same code; for instance, even though this is C++ I can go ahead and include stdlib, stdio.h, and then instead of std cout I can do printf just the same way as in C, like hi, just like that, and I can go with this and specify x64 this time. Now build that stuff, all right, that's nice. Now let's see it in here and open up Explorer, open ipconfig, or do ipconfig, and we have hi. So we can engage the very same way with the standard C libraries, it does not need to be like, no, that's the beauty of C++, because you can have C but enhanced with all the goodies of C++, right, that's why it's called C plus plus. Now let's do the same for the infinite loop, so the same for the infinite loop and then do the same thing, so system, let's try with whoami again just out of curiosity and run it through the debugger, and most likely we have the same kind of output there, so there it is, the hi, oh, now it works, all right, so not sure why it was not working in the previous environment, yeah, there we are.

So let's open up WinDbg now and let's try to analyze the application. So go to File, Launch Executable and paste the path, send it on that. All right, now here we have more things being loaded, so we have vcruntime has been loaded, you have ucrtbase being loaded, and if I give it a go the same things have been loaded again. Now the program is running and let's try to analyze the program and see pretty much the command itself. Now let's see how much we have, so, oh, I stopped the app, my bad, my bad, let's try it again. Let's start it and break. All right, now we have four threads. Now if I do that command we have the threads here, I believe if I do k that's going to list what's being called on the threads, yeah. That's why I'm trying to check where that thing is stored in the RAM, so if you have an idea about how, just hit me up. Now when you do k I think that's inspecting the stack, and that thing means child stack pointer, because the stack is working like last in, first out, so you have to always keep note of the very top element since it's been pushed first. Now since this thread is the first one, we can see the DbgBreakPoint, and how the debugger generally works is it starts like another thread attached to it and then stops the execution of all of them, so when we inspect the last thread, that's been initially caused by the debugger and that's why we see that function here. Now on another thread, the first one, let's do k here and we can see different stuff. Have you checked what the address of each function is? Now I'm not, can you give me hints about how that can be done? Now here the stack is being executed that way, so that thing was called by that thing, was called by that thing, and by that thing and by that thing, so it seems like we have a call to execute_command which is from the ucrtbase dll, and I want to copy that and let's get more information about that, ucrtbase dll, we'll actually do it like that, execute command, or execute command exit code command. So most likely this is how the system command operates at the bottom level: so when you type system it goes to that library called ucrtbase and then runs a command, which is obviously doing execute command.

Now here let's analyze the stack a little bit more. Now the first thing that happened is RtlUserThreadStart, so obviously we need to start it before anything, then that thing called kernel32 and kernel32 called that function, so based on the name I suggest it's something like setting up the thread or something. Now basically the syntax means library or source and then the function, so here we call something from the file itself, all right, so here we have pretty much going to the main function. I'm not sure why they have three calls and why this one is not having addresses in one function. So here we are in the main; now main called common_system, which called common_spawnv, which called execute_command, and execute_command called WaitForSingleObject. Now WaitForSingleObject is an API that, WaitForSingleObject, is waiting for a thread to be executed, so it waits until the specified object is in the signaled state or the timeout interval elapses. So what that Windows API is essentially doing is waiting for the execution of something, so in that case we execute the command here, we wait until it finishes its execution and then we do it again. So that call is WaitForSingleObjectEx, which is slightly different from the standard one; that one says it waits until the specified object is in the signaled state, an I/O completion routine or APC is queued to the thread, or the timeout interval elapses. So these functions are kind of similar, yeah, yeah. So after hi, the command, it's hi, this is the printf, not the command, so after hi we get into the infinite loop, and why we get into the infinite loop is because that helps me debug things easier. And yeah, so pretty much what happens, based on that and my understanding, is we just initialize threads, we go to the main, the main uses these Windows API calls and functions to execute the command, and then you just wait for the command to be executed, and that happens in the very first thread. Sweet, that's the stack I believe, yeah, so k shows the stack.

Now on the second thread, which is one, the stack is kind of different, so yeah, here we have mainly some functions like TppWorkerThread and wait for work via worker factory, which I'm not sure what that is, so let's go and search for TppWorkerThread. Why does Windows 10 start threads in my program? TppWorkerThread creates an entry point for a thread pool thread; when I set a breakpoint with the, new breakpoint function, breakpoint on this function, I got to capture this stack trace for the first thread pool, all right, scary, the loader is using the thread pool, Windows 10, what the others, all right, so that's something standard. Yeah, didn't get it, so it has something to do with thread pools and maybe doing something with the initializing, let's say having the support of multiple threads. So our program is not multithreaded by definition, or no, it's one thread, but I think that the debugger needs these functions. I think I get it, I think I get it, because that program here has no problem running in a single thread, right, but since the debugger is attaching to our process it creates an additional thread so it can alter the execution of the program, and in order for it to create additional threads we need to be equipped with the thread pool, and that's why we have more threads and that TppWorkerThread function. Nice, I think that's it.

So let's go to the first one since that's more interesting, and that one, oh boy, and what I want to look for is that common_spawnv, so why that common_spawnv, because I believe that on the call execute_command, that here maybe we should look at that first. All right, so let's set a breakpoint, let's do bp and paste it like that, it's not resolved, all right, let's try bu, and that, bu and execute command, let's try bp execute command, could not resolve, all right, not sure why. So clear that, let's try doing it like that, let's try bu, paste that, couldn't resolve, address range, see, all right. Now let's try it like that, we have one breakpoint for common_spawnv, now if I run that I'm not hitting a breakpoint, so that means my breakpoint is not working. So I'm going to do bl, can we have that, k to see the stack again, oh, I'm not in that thread, so let's do tilde and then 0 and s for switch, now we're there, then do k again to see the stack and why I can't set up a breakpoint for that. Maybe can I set up a bp for that one? Looks like I can, so if I hit go we hit WaitForSingleObject, sweet, but why can't I set a breakpoint for the common_spawnv or execute_command, that's super strange. All right, that's not what I was looking for. Now here we can inspect different kinds of registers by specifying r, then add the register that we want, so in that case let's do r rdi, or rbx, or rcx, or rax, and we can see the values of the registers. Now we can do du and that's going to display, so the r is going to give us the address of the register and the du or just d is going to give us the content of the register, so we can do rbx, rax, rcx and so on. Now in that case we can't see anything fancy because most likely the command has already been executed, right, or it's in a state of execution, and I think our breakpoint is not in the place where we should be. I think the breakpoint should be somewhere here in the stack so we can get the execution of that command, we can intercept the common_spawnv or execute_command.

So let me try to clear the breakpoints we have, then clean the stack again and then specify bp, and then let's try it with common_system, nope. Let's try to Google that because I'm really not sure why it's not working, that's not all we want, um, let's try bu and that one, now let's try to Google that, so it can be something up with the symbols, and wow, wait, I think I know what it is, so we have that, we have that PDB here, yeah, there it is, pdb, so I think if we import these symbols into the program we should be able to set the breakpoint on that function, simply because now it's not finding that for whatever reason, so most likely we're going to need to import that. So let's do .sympath and here, all right, looks fine, export the symbols, or maybe we need to specify the full path and file name, oh, my bad, it is, and that is the result, and by the way what's the command doing, yes, lm, and then, oh, that's the modules, all right, so these are all the modules being imported, so it looks like we have the symbols now. So we can go with k, tilde again, now with k again, and directly set a breakpoint on that, so bp, couldn't resolve it, what, hmm, that's super strange. Let's do it, and in that case, by following the example, yeah, but can you tell me more about how to get the addresses, because there are so many addresses here, you mean that one, that's right here, let's try it, repeat that, all right, then give it a go and it's not that, all right, based on the example, that's, in my case it's ipconfig, so if I do lm m ipconfig, these are most likely the private modules and the path is right, the user's, like, ipconfig.pdb, all right. Yeah, I'm not touching the code, I'm debugging it right now, meaning the code is the same but I'm trying to see the data in the memory, so that's different, but I have a suggestion by the way, oh my God, don't tell me it's that, because this can never work, because I am using the name of a signed official Microsoft binary called ipconfig.

So just to be sure I want to go and close everything here and create a new project with the same code, ip, not ipconfig, that's different, maybe that can mess something up. Now let's go x64, if it is, compile, go back to ip.exe, x64, it is ip.exe, and now it works. Now let's open up the program again, because when I tried to walk more into the executable, in the library is where I saw the official Microsoft ipconfig.exe, which can bug things out. So let's try it like that now, all right, there, here, all right, let's see what's been loaded, ip.exe, same stuff, go here, let's break now and let's see the threads, all right, now let's go to the first one, ~0s, see the stack, come on, all right, and now we have pretty much the same thing, we have that one, so let me try to set a breakpoint again, still can't resolve, maybe do I need to specify the char, oh my God, don't tell me that was a thing, don't tell me that worked. So that's part of the function, all right, let's try it now, hit go, yep, we hit the breakpoint. So we need to specify the char, it is part of the signature, all right, so far so good. So let me find how many hops we need to do before that thing is executed, so I can do it like that, now just step over, step over, I want to see on which instruction the data is being passed, so maybe that one here because we have mov, let's inspect the rbx, r or d rbx, nope, let's step over again, inspect the rbx again, nope, jg, je and cmp most likely, let's do rax, let's do rcx, all right, let's step over and it's still not getting executed, no, oh, now it does, all right, so we have a lot of calls until it's been executed. Oh, so we are here, let's see what is that, I have the source code here, how did that happen, whoa, can I set a breakpoint, foreign, all right, all right, that's making things better, but I want to see when that's been executed, so I don't go, go, so my breakpoint is on common_system; when I inspected the stack we saw that we have, no, not here, I want to remove breakpoints, I will never go, and now set a breakpoint, now if I do k, or first switch to the first thread, and OK, now that's what I want to see. Now we set up a breakpoint on that, but maybe we need to set a breakpoint on that, so let's do bp, paste that, now it worked, click go and now we're here.

All right, so let's do the exercise again, and the way I think we needed to click so many times and step over is because we were setting a breakpoint on set up environment, and the environment first needs to be set and then the command needs to be executed, so I suspect that now we're going to have like several buttons, so one two three four five, oh my God, still, what, yep. All right, so we step out, we can do more general actions, now let's see the registers here, let's do the d rax, let's do rcx, let's do rbx, all right, let's step out, all right, rax, rcx, all right, step over, it's about, still don't get it, let's do that again, rax, rbx, rcx, I think it should be in some of these registers here I believe, so let's try it again, rcx, rbx, rax, step over, let's do it like that, so we have like one two three four, one two three four, so in each four step-out actions we have a command, so one two three four, right, all right, one two three and now on the next one we should get a command, nice, so one two three, and now the object should be loaded, so let's do d rbx, rax, rcx, and it's not. When you step into, what is that rbp about, rbp, gibberish, rax, rcx, rbx, we need to definitely read more about the pointers, how to get this string here. So let's try r, this is going to get all the registers here, can we, do we have a menu for viewing the registers using the GUI, these are the addresses, these are the floating points. So what I know about the registers is that there are only two types of registers, so we have integers, which are being listed, and then we have the floating points, and you may ask, all right, what happens with the strings, and I can say, well, the string at its core is just an integer, I mean the string, on a very low level, is nothing but an integer, because the string is an array of characters and each character can be represented as an integer, so on the very low level a string is a sum of integers.

Yeah, so let's try, no, I want to just be able to see it, I want to locate where in memory we have the whoami string, so I can get more familiar with the debugger, on which register that string is being passed. So let's do rbx, no, it's zero, rdx, most, on that, r8, oh, r11, r14, r15, nope, all right, so that's not going to work. I will just locate that and be able to see it, because if we can see it we can modify it. Can't you find exactly, can't you find exactly the binary numbers in memory? Yeah, I'm trying to do that, trying to find the memory elements of the string. Or maybe here it's getting pushed, so let's try step into, into, into, and now get the rax, nope, I'm stepping into, rdx, rax, rcx, so complicated. common pack argv, so it's called another kind of API, we can do step out, let's get the top 15 registers, nope, so by checking the registers, those that have zeros do not hold anything in them, so we can quickly, rbx and rcx are zero as well, so not that, rbp, nope, r10, nope, r15, nope. All right, so let's get it debugged again, what's going to happen by the way if I clear the breakpoint, so if I do bl and clear that and set up a breakpoint here, we go, and now I'm somewhere, so this is the core of the printf and these are the machine instructions of the printf, whoa, that's huge. All right, if I click go I'm going to hit the same breakpoint again, all right, now the rcx should have, but it's not containing the values with the command, but it's not. When the string is converted to binary then stored into RAM, does it store the binary, is it done separately, together? I really didn't get the question, I mean everything is stored in memory and everything resolves to binary at the end, so, aha, all right, now step over, step over, now this breakpoint works better, I think we can find it now.

All right, so here is going to step into and see how many times we need to repeat that, so one two three four five six seven, it's a lot, so it's calling an API which is calling an API which is calling an API, oh my God, it's so complicated, especially when you're new to this stuff. Let's see, let's view the registers now, so let's view them here, rdi, rbx, we have some strings, we have mov rcx, now rdx, now r9, rsp and rsi, nope, not that. Let's do step into and we're back here, so let's try to analyze that, we have the lea, which I'm not sure what that is, so let's try to search for that, the x64 instruction: so the lea instruction, load effective address, they are used to do certain computation but that's not its primary purpose; the lea instruction was designed to support high-level languages like Pascal and C, where arrays or structs on the stack are common, because for example structs, all right, now imagine a statement like that, all right, where it points to an array of points, assuming that the base of the array is ebx and the variable i is eax, all right, didn't get what that is, so in this case you don't know, oh, all right, all right, so that's something where I can, mov statement, there, memory addressing calculation but do not actually address memory, it's getting more and more complicated. All right, so we have the lea instruction, which I'm not sure what that is, then rip and then main, main, and this is the breakpoint, so here this thing most likely represents that thing, here is the same one. Now if I put another breakpoint here, I didn't get that, oh, rcx before calling the system function, it probably will pass, all right, so let's try d rcx, nope, step over, step into, all right, rcx, nothing here, I'm not sure in which register it should be passed, so if you go x64 calling convention Windows you can see that the first four integers are being passed by rcx, rdx, r8 and r9, and then
the first thoughts have been parsed in xmm something but now we're not working with faults uh uh if you take the FCX you find your string yeah yeah exactly so ah so you mean all right so you mean that since we have only one argument here it's going to be always parsed for the rcx all right so we just need to find I believe the place where it's been walled in rcx so we are looking for our CX now it's moving something to rcx like right here now let's try to get rcx nope rcx again nope nope why don't they have ax so do do you RX nope [Music] we don't have RVC expectations here so far why we have 32 bits like registers here I have ax ah oh all right Rax is used to store the value of the time from functions alright that makes sense now so so we have many working at type CX which is still not initialized strange let's see now nope still nope we have an empty string now and now it's gone and we're back so if I do R ax it's been empty well apis are for coding here I think we can choose the API but in that case I'm not sure how not sure well we are doing that the API has been used is from assistant execute or something so that's why we were trying to see all right so that's executing the command I have here point is this dip into that and I'm not sure why so I think now we are in the common system let's do step out step in step in here we're having the system common systems I want to execute command that here is holding the address of the string into Rax via instructions sorry so you're talking about that one here right yeah so that one you said this word in the address of the string into rcx are c x so there's the address of the rcx maybe I'm missing something or maybe it's not worth it here step after all right step in towards step out let's step into the address changed step by one yeah you still Watt alright so t what do you mean by T oh all right didn't know that hmm uh registers you are CX still not it but again I'm not sure what T is doing by the way step after Divya 
oh streaming step after that thing is being executed isn't that step over the same action not sure kind of confused so let's do T and we have in the UCR the base system I think should be better if we remove these black points here and do uh and then now do BP or View well I needed to do the stack let's return the execution let's see the stack again and not that red but that one here [Music] in that room see the stack and maybe it's going to be best if we set up on it on breakpoint some of these [Music] I'm I'm trying to to get to where I am I mean that's the whole point of the student to learn more about this type of stuff so you said that you want in rcx after the video is the zip structure for a string so if I need to get a string I need to use STD string or something you if I get you right if you don't want to handle those just use sieve we can do that as well yeah but tell me more about tell me more about STD string think so if we how to get into that thing there [Music] all right [Music] so at least we know it should be in the rcx because we have like one argument there all right but tell me more about all right so let's search that um DPS what's that [Music] GPS [Music] so this whole display contents of the memory with a given range all right but what about the DPS what's the difference there do we have help here by the way I hope DPS yes help nope foreign all right all right so let's doing that DPS thing yes don't pointer ah all right nice thank you so much don't Point them in as with simple if any all right rcx all right now let's continue with that power over uh I'm looking for instruction for rcx [Music] 7dx oh there we are FCX nope let's try to over t you may be right it's gonna be easier if we just do that thing see first machine can I go ahead and report my program by then compile my program using x64 architecture because I think with the default is being X 32 [Music] oh yeah not easy to do this yet [Music] so let me get back to my initial uh thing 
here how to find specific string maybe that [Music] so let me try to think about that now let's see the breakpoint breakpoint is here on the execute command now I want to do is to remove that even the program back again and now set up a bunch of breakpoints on each function I think that the command can be parsed so I can do uh switch to first thread thumb the stack and then do BP and here just want to see how these are getting executed PP that then BP on that and then BP on that all right so we have like three actions there so we have the first one the second one and a third one and after that the command should get executed so I can confirm that by having that so the first one second one there we go all right so the command is really getting executed after the execute command you don't say but maybe the average is being populated before that so let me try DPS rcx oh have something there uh was it FCX should be yeah rcx so let's try with the second one notice here and the third one so most like I see some progress over here so the common system uh breakpoint on the comma system so first that's been executed then that and then that now on the DPS on rcx here we have a bunch of addresses so let's try to follow the logic here uh working for our CX instructions not quite now David is the Leo now done that did you hit a breakpoint here oh wait now we have something that's from the DPS investor IDU yeah DPS better thank you for sharing that um we have something populated but not yet the commands we want so let's continue with that visual DPS again all right we call something can we now hear now we are going to dump deep up EnV which is another function so from the common system we went into the DP Envy think all right so the FCX is still the same so let's continue here now we have we have populating the R6 here so how I think the move instruction means that we are moving from here to here so let's do move instructions copy that item referred to its by second operation 
what maybe I'm mistaken let's do x64 move so [Music] come on how should I know which one has been used now we have like in one case contents a 64-bit address to move contents at 64-bit others to 2 Rax so in that case this one is the destination and the second one that one is the destination [Music] oh no wait I'm mistaken so destination is that rvx destination the first one so then in that case we are moving the contents of rcx to RSI all right yep that was right now the other side is the same as rcx now something has to do with rcx because that's why it was it was initially safe to RSI now is getting another function and fire table something so we have going there now let's see what happens with the rcx now it's kind of empty it is not readable and the other side should be still the same so I can do RSI yeah this was the previous content from Darby X rcx now let's do step into and we have it into another thing so enter critical section that doesn't sound fun all right move Now we move something to Rax all right so oh no that the PS RX all right nothing readable so far now we are moving another thinking driver X now let's see what the content of that is of our ax okay Not Invisible so let's filter the things by rcx so and now we move the other side into rcx here so let's compare rcx now now step into and do it again now but that's always the same as before good let's let's continue the book in that [Music] um just wanted to check something quite never mind all right let's continue that rcx we are testing oh wait what's test by the way is it here foreign the facts are modified all right logical compare so it's comparing something all right DPS rcx now let's do it like that and again dump again all right no strings so far and is the command executed by the way not sure I lost it hmm I'm still not seeing a string by the way I'm not sure why I'm doing it wrong guys I would appreciate some hints about that I'm not seeing us staying there all right so let's dump the FCX 
again at least we know we should be in the rcx it's something step into and do rcx again all right now we copy the contents oh all right we push FDI to the stack and FDI or something now Sim was there all right [Music] we copy avocs into our site so if we if we see RSI we should see the same content yeah so now something must be done with the our so much registers and now we have some other functions oh great management get current state index let's see where the let's see the current content of 5dx are rcx sorry it's still the same so no change [Music] what about the eax isn't that 86 being registered 86 bit ax never mind all right and now the other CX is being populated now let's see the rcx nothing still not in readable [Music] we are stealing some functions of that now ffs get value I'm not sure what that is actually let's search about that get by the function so local storage with the memory address of the search within no I did not this I did I did I think I did not foreign step out step out all right let's see the contents of Rax now I think I started to get it so I just I think I think I'm not saying I I am all right so do you have a rcx is still not populated now said let's win to ever we don't need that step out of that function see started to get it another uh rcx again now is the same now let's continue doing that all right we have now we get to recreate environment no walk now step out of that then the content of rcx again not quite [Music] all right I'm I think why I'm in the infinite War by the way like literary what happened now I step out not sure what's going on CE they have a rcx now it's too same all right so common spawn environment good pass the rcx now still the same let's do DPS all right let's see what that thing is gonna do all right so we are moving R14 into rcx let's jump R14 let's do rcx and now tap into nice nice I think I started to get the basic mechanics of that good all right now we're calling something strings DTR something yeah 
and see the R8 all right what's that function by the way asttr char is it documented okay it's less occurrence of chat activist string isn't that getting the string by the way whoa all right oh we we entered the execute command by the way let's do RSI uh RX nope I have CX it's empty hmm I mean sometimes the average you know just no symbols and we landed again in in that cursed function here damn that's so so complicated when you do that for the first time I mean it's not really my first first but it's one of the first times all right let's focus now it how hard can it be to find a string hahaha God bless you too man yeah yeah all right now this is the FCX again no it's not populated alright alright let's close that and follow one of my viewers advice and have that be in C now I want to compile that into a x64 bit so I'm gonna do I need to find the compiling options compiler options settings oh I needed to do I needed to do to add m64 right so m64 pile that zero errors and now don't call that call that who am I but the file name all right should be fine and I think we have bugging the things out because the file name itself is called who am I so I can go ahead here and rename that to x.xn there we are so the file name was the issue now let's run the win DPG again let's attach to desktop stream exactly now that thing is based on C so let's observe if if we have it in different now later on that and we should spam who am I now break now let's inspect the threads attached to first one and do stack all right now we have different set of functions but I think we should generally repeat the process so we have pretty much the same syntax so user thread starts created function that I'm not sure what that is so most likely some workout things that there then we have systems spawn V and then system all right so I want to do BP onto system and to spawn the now let's do go and hit the breakpoint hit the goal and get another big one big point now I want to see how much thing how 
much break points I need to whoop onto it on the command so one two one two so the system is getting the command all right good now here let's do uh DPS and rcx let's do du all right now let's go to other breakpoints and they should carry the value of 5cx so let's do it like that not quite not the case let's continue step out we have the same get last ever so at the end of the day they're using quite the same functions oh all right we are here on the system now let's see RPX rcx all right what I think is happening now is that I need to do more breakpoints so I'm gonna go and do BL clear out the existing one and then do go Drake then do switch to first thread them the stack and now set up a breakpoint here only so you see this this thing is being is getting caught several times and having different addresses so the address of that is different the return address is different like that so maybe let's do it like that I think we go and we can see that the breakpoint is going to be is gonna hit like two times now if I am not wrong I need to whoop two times again in order for that to get executed so one oh no it's not the case so each time system is being called the command has been executed all right now let's try done with di Rix rcx nope so we need to since here it's already getting executed I think we need to set a breakpoint on before that so let's repeat the process then do BL air all right go break switched first one then the stack and then do it like that now let's see hmm First recording system then we will correspond v e spawn V again then system again so let's see if anything is getting executed on that system here beeping that click go so here okay go or maybe I need to do another breakpoint on that because I have only one it's been whooped so it's getting executed every single time so BP that 3.1 hit breakpoint zero hit so on the fourth system is not getting executed on the second it is super strange alright so where are we now into the system let's do our 
BP let's do where are we now step into we are moving ex to a BX let's see what the BX is all right step into step out it's the poor yeah we are moving something to FCX now let's see what we have here rcx have something but not quite let's continue that I don't want to be in that function less than the contents of rcx it's 73 now all right now it's been watered again it's gibberish and now it's been world again so now is gibbish again I'm really lost here we have jumping somewhere now we did something to have a rcx as well as gibberish again all right we move something to our CX as well we are carving something so much instructions I didn't go towards in the whoop we have all the executions there so let's go with go in both of the breakpoints the rcx is not having a valid uh uh strings Indians even though we're using C now hmm I can do one more thing I can do like PL Ural of them now do same process is stack and now BP on all the others here so here here and no not here so we have did I yeah I made a mistake about that Bo okay all right so BP for system BP first pound V P seconds V nvp system and I want to just in case if we wait for single objects so on one iteration we should have we should hit like five breakpoints before our Command has been executed so we have one two three four five and now the command is gonna run just a quick jump of uh our CX nothing go and yeah we have the command all right so here dump the rcx again now I believe that in some of the states the rcx should have the command inside so that's the breakpoint zero and after that the command should be executed yep all right the big point zero hmm let's do our SP where are we now by the way let's do step forward let's just step out step out so go go I want to see the functions where are we but I'm not seeing them so purchase the actions that's why it's a bad idea to just specify breakpoint to addresses you can now see the others of the string in the disassembly how should I type here I'm trying to 
find that the very whole time oh yeah oh it's working processes never mind so I want to move for my breakpoints here because I don't want to break points on specific address but on a specific function main goal before system shows the address whoa I've missed that all right let's do it again now BP no it didn't it didn't I'm still trying to costume to get into this Agony so switch from the stack now BP on system do I need to specify like that the whole Battle Before oh yeah I can so I can do BL itz give you everything ldp we specify the firm system BP specified for spawn B now I'm doing EC by the way since you said it's easier with that and BP that I finally go breakpoint 3 is being hit break point three has been on system the last one DPS are CX nothing so far let's try it again nope oh the whole time it changed where I am like if I go step in two it's saying which function and module I'm running currently at that's nice to know all right that helps a lot now we have inside that let's go step out we're having system again and this is the instructions being performed now so all right foreign DPS RBX all right step into now we're in the system again and we moved something into rcx can it be this that time rcx nope it's not it's not we're pushing fbx to the stack we have causing the handle so now the program most likely executed uh superficed because we caused the handle now we should open a new one I believe cross handle course handle course handle I started to get it I started to get it now it's kind of easier when you can when you spend a lot of time pushing your head to the ground and you start to see something like now I I at least know where I am here now I'm into that yellow and that function I can step out I'm doing close handle again so I need to learn the difference between step so this is gonna step into each function on the line this is gonna like hop over it and it's gonna step out of the function I think that's how they work all right so same thing with 
our CX nothing let's do step into we have calling something which we do not want so if I go step into we're gonna navigate to that msvcr this is a wrist I believe nope we did not we have close handle let's do step out of that and step out of that again oh yeah maybe da is bad is better yeah thank you now just wanted to see oh now we're jumping into system all right which is pretty much the that one no it's not that something else all right so I'm moving up something into RBX that should be the command I'm sure that's the command but we have not just getting that I have CX it's not oh DPS nope so I hit a breakpoint at spawn V which I've CX was being populated again darcx nope foreign how the stack behaves in different points of time so right now breakpoint 3 is hit which means uh that one and if we hit the next one and then the stack again we can see that disappeared it's out of the stack now if we do that again and do K again now the second disappeared because it's out of the stack and the stack pointer moved down if we do go and do that we can see that one is out of it again and now the r CX should be here and because the command is not executed now if I do another goal so if I do another goal we have the command here and now this stack again is being populated so if I okay we have these things again so if I do I do and go go go and do the stack we have the last system command uh coal sorry where the rcx should be populated now let's do it like that yeah thanks so much man BPS all right [Music] let's try a shield way so let's do a break point on that so let's disable all of these [Music] like that now click go and da rcx [Music] thank you ah why it was so complicated why it was so complicated why does it work now how does that work now because 50K [Music] all right let's try my my logic where I was following that uh I have four big points now if I click go go go click here I'm at the very same place where I was with your breakpoint guys and now if I do d a r c x 
I'm not seeing that what's the difference here that's that's what I try to understand what's the difference here [Music] like for real if I do your breakpoint I mean just blank Point into the uh BP and that like that and I move all the others oh I think what's the difference because here you can see the offset is different Maybe so now if I do go that's before a system call and do da rcx W Square mic if I do DPS I don't see the who am I but with the day I see it so if I remove all my breakpoints I just want to to figure out how that works I can do clear clear clear clear clear clear clear and I'll do uh what was that go and break and switch to here in the stack now I want to do is to set up a breakpoint on that and because you see the offset has been different and maybe that's why it's plugging things out because I use the breakpoint for that function at that offset because I think that's an offset maybe I can be wrong so I have one system I have one on spawn V foreign should be hit four times because this function have been repeated four times so one two one two before command so I can do like that one two one oh it's not so I'm not sure why but I'm having like uh two times the same functions but they are not the breakpoints are not triggered two times I'm not sure why so on the breakpoints I have this on the stack let me just repeat disable breakpoints go break down the stack so on the breakpoints I have two for saying one for system and one for spawn V but the point here is that I have two spawn V's here and two systems so mathematically if I specify a breakpoint on system and spawn V they should hit twice each one of them right because this function is being encountered whack two times but why is not and why when I specify the function that function with the offset I'm not getting the value of the other X rcx wow wow I'm literally not sure I can't think about that why why there's a reason for that and if I do that and click go and then diabetics now start here 
all right if I do it again now I'm in the system and it's there at least we got that after after two hours yeah so when you go to a function with a specific offset that register could be already ah oh that makes a difference so when I got function with specific offset the register could be overwritten so by specifying just the function name we I mean I can't get it literally so now let me just make this blank Point disappear if I do that and that on each click the I have Command right so I hit the breakpoint I'm not sure if I'm hitting the breakpoint before the command has been run or after so it's all about that there right okay I'm not sure what address of system is I mean maybe I'm not Googling right foreign since I'm running each time I hit the breakpoint the command has been run how does the rxb rcx being saved since obviously that happens if I do wait wait wait wait I think I got it I think I got it so apparently the debugger works the very same way as the the program in the code I [Laughter] needed to think about it everywhere so if I put a breakpoint here and start the windows debugger what happened now yeah when I hit a breakpoint that thing is not executed oh yeah yeah it works cut exactly the same way so here the break point is just before the system call so when I click next in that case it's gonna be step into and I have who am I wow that that took me two hours to figure out all right never mind it's better it's better later than never so that that's the main idea so it works exactly the same as the is the coding debugger and when you put the book in somewhere on some function it's gonna get executed just before that function so the Rax rcx is ready to be moved and pushed out of the stack two hours guys never mind never mind I feel nice about that so how about the C plus plus program by the way is it the same as the C so I can do like course everything and different again file file that all right now I can go now I can break I can do [Music] I can do 
that now BP here cover it and do d a r c x that's not the case here so there are differences between the languages or maybe I'm doing something wrong now because it's not getting executed all right one two three one two and now if I dump the rcx still not it hmm there we are there we are is the same thing all right so here we just have more calls on the same function so let me just quotes or the breakpoints click go click break now do uh uh moved straight Zero from the stack and yeah we have system spawn V and execute command so most likely that's the command we want so I'm gonna delete my breakpoints I want to do the exercise one more time now let's do here because that's gonna point to the exact same place before the command execution so open that VP paste click go and do uh what was that so I pointed out r or D A and R C X not that so most likely is not that command call yeah it's not that so I'm gonna need to remove my uh that breakpoint here and repeat the exercise do be so it's just the thread on the stack and now put the breakpoint here come on here and one there and how to go and now direct them just the the Rix oh easy yeah who I found it who you guys you helped me find that you saved me let's say if I was doing that by myself I'm not sure how long I should be doing that but I will I was faster now nice I hope you guys were something as well nice we did that and imagine how hard it is to manipulate this kind of things so just getting that was kind of a challenge to get it to understand the whole process whoa yeah so it's already two hours guys and I'm thinking of causing the Stream So I really appreciate all of you watching all your hints and all the all of your help that video is going to be uploaded to YouTube if you find it useful in some way I think it's been more useful for me than to you guys but never mind that's how that's how we we we we won yeah by sharing so thank you everyone for watching and depending on where you are see you guys foreign
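As an added example that is not part of the stream, here is the WinDbg command sequence the last part of the session converges on, typed against the streamer's own small x64 C test program that calls system("whoami"); the module names (msvcrt for a MinGW -m64 build, ucrtbase for an MSVC build) and the +0x20 offset are assumptions.

```windbg
$$ Added example, not from the stream. Target: the streamer's own x64 C
$$ test binary (system("whoami")), attached with WinDbg. Assumptions:
$$ the CRT's system() lives in msvcrt (MinGW) or ucrtbase (MSVC).
.symfix; .reload            $$ make sure CRT symbols resolve so bp by name works
~0s                         $$ switch to the first thread, as in the stream
bc *                        $$ clear every breakpoint left over from earlier attempts
bp msvcrt!system            $$ break at the ENTRY of system(), i.e. before it runs
bl                          $$ list breakpoints and confirm the one above is enabled
g                           $$ run until the breakpoint hits
k                           $$ call stack: main -> system, nothing else on top yet
r rcx                       $$ x64 convention: first integer/pointer argument is in rcx
da rcx                      $$ dump it as an ASCII string: shows "whoami"
dps rcx                     $$ same address as qwords + symbols: the text is not readable this way
$$ Contrast: a breakpoint at an offset INSIDE the function (constructed value).
$$ By then the prologue may already have reused rcx, so da rcx shows gibberish.
bp msvcrt!system+0x20       $$ assumed offset, only to show the difference
$$ Hands-free variant of the lesson: print the argument and continue every time.
bp msvcrt!system ".echo [system called with]; da rcx; g"
```

For an MSVC build, replace msvcrt!system with ucrtbase!system; the rest of the sequence is unchanged.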