you like War Stories history of War good good sit down let me tell you a story specifically a World War II story there was one specific event that had to do with the use of the Enigma machine yeah the Enigma machine was very similar to a typewriter way it worked is you would type a message and then there was an electromagnetic signal that would go through some wires right into spinning rotors there were these mini rotors that would spin when the signal went through the wires into the rotors the letter that you type would get scrambled and output as a scrambled letter it was one of the earlier stages of encryption during World War II in fact there were so many combinations it was nearly impossible to brute force it so we thought well around 1930s 1940s Poland came up with a new device called the bomb bomb ending in e which was polish for bomb without the e it was a bomb the machine was specifically designed to decrypt the Enigma machine and it did its job very well in fact did the job so well that the US was able to use the bomb to turn the tides of War during World War II till that Germans could no longer use the Enigma machine for encryption cuz that message can now be decrypted once it's intercepted so that turned to tides of War and it was a key critical moment in World War II now the question that's on the table is how did po more specifically Alan Turing the inventor of the bomb how did he make the bomb what was the process that he used well he reverse engineered the Enigma machine now this was a hardware based cryptographic reverse engineering strategy but he still reverse engineered it in fact reverse engineering has been around for decades centuries it's been around for a long time we as humans tend to reverse engineer things in order to figure out how it works only definitely does help us to figure out how it works but can also be useful in cyber security for protecting against things like malware understanding how malware Works understanding how we can protect and prevent malware from spreading protect the computers from being infected and how we can combat things like malware it helps with bug Bounty as we're learning these applications and we want to do some reverse engineering we could understand bugs that lie in the application based on how the application works reverse engineering it's also helpful to understand vulnerabilities that might exist in operating systems verse engineering an operating system would help you understand how the operating system works and then from there you can understand what you need to do to secure it so reverse engineering is very useful in many areas especially cyber security and that's where we're going to go today we're jumping in to understanding reverse engineering now this video is going to be a very beginner level overview of reverse engineering we'll go into more details in another video but you need to understand a few things before we jump jump into reverse engineering you need to understand things like registers what they are how to interpret them you need to understand basic Assembly Language which we will go through and you will need to understand the main memory modules you know going from high addresses to low addresses and how that all works how does when you enter a command into the CLI and that command needs to be executed how does that work how does it interact with system memory as it goes down the uh process that we'll we'll get and what happens there how does the computer interpret that command we'll look through it it's going to get very Advanced if it gets hard that's a good thing that means you're doing the right thing let's jump in so first we have to start with the x86 architecture because we're going to be going over x86 based um reverse engineering so let's start there by the way it it's called x86 because the earliest Intel processor was the 8086 and then came the 8 186 8286 So eventually we just came to x86 because uh that follows that 86 pattern you just keep adding numbers to it so that's why we have x86 instead of X32 because x86 technically is 32bit right it uses 32-bit registers in fact you could get 64 bit but you just combine two 32-bit registers we'll go into that later we'll get to see that later so this this here let's start looking at this architecture and um we'll start diving into each each component and then we'll start going into some of the other stuff you'll need for reverse engineering so this is the CPU architecture this is how instructions are fetched from the CPU process executed push over to RAM and then this whole process repeats again pretty much and then when a program's done Ram goes and clears its stack and also the heat might be cleared as well so at the top we have our registers registers in a CPU is a type of memory that is used by the processor so it's like a quick access memory those registers you'll see later as we go through x86 as registers are very important for reverse engineering but for now just know that their quick and accessible pieces of memory that the CPU has now next is the arithmetic logic unit the arithmetic logic unit is responsible for well one fetching commands from the register but then it applies in arithmetic logic arithmetic logic is pretty much like your bitwise operators so think of your end nand or exor things like that so it takes the data your command apply some kind of bitwise operator to it and in this case it would be binary we'll say for this example then you bit wi you you set a bitwise operator it could be like an end then you perform that bitwise calculation which is that arithmetic logic to your binary or machine code uh there we could look at that later as well from your arithmetic logic unit then you have your control unit this is basic basically the brains of the CPU the control unit is responsible for actually executing the commands that it receives so what happens is it executes commands it sends it along sends like a signal along a control bus um and that control bus allows it to not only execute command but also interact with things like your main memory which is your RAM also interact with the arithmetic logic unit and the registers in the CPU okay moving on we have your we'll go down you have the input and output devices uh those are just any information that goes in and out of your CPU so that's all that happens it just regulates a lot of that information that goes in your CPU and out of your CPU that's all you need to know for now we'll look at that stuff later of course this is just high level and then lastly you have your RAM now your RAM in this architectural diagram as you can see has something called stack and Heap then you have your code you have your stack again now we'll get into what stack and Heap is just know for now stack is a very shortterm memory that's in your RAM it uses the last in first out method and it usually has a fixed size whereas your HEAP is more dynamically allocated you don't have that fixed size it is used for storing like data structures uh pieces of memory that is going to be a little longer than a stack but still going to be temporary your HEAP is not limited to the last and first out order I mentioned it's Dynamic those are the two big differences for now um at a high level let's dive deeper some of these things starting with the registers okay so these are your register sets and data types for the x86 Intel architecture now one thing I want to point out is the x86 architecture is a 32-bit architecture by default it's called x86 it's a little misleading but it's just because one of the earliest Intel chips or the 8086 series and then you know later you have series like the 8186 82 86 and things like that so what Intel ended up doing is taking away the eight and the second digit and just throwing an X there so it always ends in 86 and then you have the x86 so that's where the x86 came from it's a 32-bit architecture so that's what we're going to be focusing on now today we do have 64 big architectures and we have you know 128 bit architectures but if you know the 32-bit architecture there's a good chance you'll know 64 and 128 especially the way that we're going to break it down and understand today looking at the register set and data type I want to focus on the top left here this is uh where we're going to focus the most this is what you're going to see the most these are where a lot of the main functions the main instructions are processed in your a registers so we're going to focus on this probably more than the other other registers um you might see the I register sometimes we we'll go through that as well just to explain what that is and things like that before we go into the the a registers I do want to point out the numbers that you see here are the bits so you know 0 through 7 is eight bits you count at zero and you stop at seven so if you include zero that equals 8 Bits which is one bite 8 Bits equals one bite pretty much how it works here all right so this these are 32bit registers at the very top and then you know as far as the eight registers at the bottom here you have each individual eight bits now going from bottom to top the a actually stands for accumulator so you have your accumulator low low is because has a lower side of the bits and your register so you have 0 through 7 right and that's the accumulator low register here 0 through 7 and you have your accumulator High register which is 7 through 15 that's on the higher side of the 16bit register there above that you have your accumulator extended extended just basic it almost combines the two right so extended just means that it extends the bit size from the 8 Bits to 16 so two bytes from one bite to two bytes pretty much then you have your extend Ed accumulator extender extend extended extended extended accumulator extended it's weird right so the E is actually also extended um so you're basically just extending twice here with your eax which makes it a 32-bit register very weird I know just bear with me this is something you're going to see a lot just know eax extended accumulator extended 32 bits ax is just once extended so 16 and by default with the 32-bit architecture you're going to see ah and Al which are 8 bit pretty much it h is high L is low okay moving down the list we have our ESI now again these might not be as important for this video but it's still important to know what they mean the SI is your Source index The Source index is um specific to string operations so after the arment take calculations it handles a lot of the strings um after you know after operations here so you have your si which is the 16 bit and then going up you have your ESI which is the extended Source index that's it going down you have your di which is the destination Index right you have the 16 bit and then you have your EDI again extended destination Index this also handles strings just like the source index okay moving on to the right side we have our stack frame base pointer right and then we have our extended uh stack frame base pointer here on the right side so 32bit and 16bit right and moving down we have our stack top pointer we call this the just stack pointer I mean the top it always the stack it starts at the top of the stack remember the last in first out kind of thing and then you have your extended stack pointer right and then moving down you have your IP which is also going to be very important this is your instruction pointer in this case the extended instruction pointer this just points to the next instruction in your uh Assembly Language as the um functions are executed or the instructions are executed points to the next instruction in that list so that's what your EIP does it's important to know especially when you see it in Assembly Language lastly you have your e Flags this pretty much just reports on the health status of your CPU so just think of it as like a health check that's all nothing nothing too crazy with the E Flags now there are times where you might see something like ebx ECX e DX these are just aliases for eax they perform a lot of times they perform the same function so don't get confused when you see stuff like that okay and sh these are your register sets and data types it's important to know this because when you see this in Assembly Language um it's going to be very important all right let's jump into some of the arithmetic based operations we need to understand the conversion between binary and hexad decimal if you don't already because these are the two things that are mainly used when we're talking in terms of machine code and then if with heximal you have things like little Indian and big Indian and understanding the difference between little Indian and big Indian and how to identify them it's going to be really helpful when we're looking at a lot of the low-level code you know we're plugging it into our tools like Ida Pro like gedra like uh GDB like things like that it's going to be really helpful to be able to read little Indian big Indian hexadecimal values and also we have issues with the compiler or the decompiler it'll be easy to be able to identify where the issue is and manually do the math ourself to try to fix the issue that we that we've had trying to decompile back to an Assembly Language okay let's jump into that decimal binary and heximal based kind of flow see how it looks so these are your decimal values your binary base 2 and then you have your hexad decimal base on the far right here um I'm not going to go too far into this but you will need to know pretty much this table right you need to know that uh decimal 1 is equal to the binary of 00001 which is uh four bits here right and so then you have your X Bas 16 is equal to 01 um well we say x0 0x01 for your hex in this case base 16 case and you'll see later that there are heximal values that are kind of uh grouped together um that's you know a lot of times in assembly you're not going to see it as 0x01 initially you might see that in like a 4bit little Indian or big Indian style but a lot of the times it's not really 4 bit it's like 16 32 bits so the X decimal values be a lot longer and you know two for binary 00 0 1 0 so you have 00 1 0 1 0 then 0 0 one one so if you can see it's almost like a pattern right the one shifts to the left and then you start a new one kind of thing and the one shifts to the left you start a new one the one shifts to the left and then you start a new one and you kind of just follow this pattern for binary heod decimal one thing that that needs to be noted is that after nine uh hexal does go to the capital letters of the alphabet so you have capital A and then you have capital b capital c uh through F and F is uh the 15 for decimal which which would be the 16bit uh which would complete our um Extended register right the 16bit register where the you know x86 register was pretty much based on before the 32-bit came out it was a 16 bit so this is all 16 bit based just for the understanding of things um one thing you do need to know is the operan so the arithmetic part of the binary and hex and decimal so if we had something like we'll say if we had something like two 0x02 and 0x02 for example or we had 0x2 and 0x07 we have to be able you have to know how to convert that to Binary and do the operation and then go from there and be able you know it's going to be useful for in case our decompiler runs into issues we need to do some manual operations and it's also nice to know just so you understand how things are working let me show you an example of what I mean okay so when we're talking about binary let's say I have 1 1 0 1 and then let's say I need to use the and operator so we'll do it like that and terrible writing by the way but that's all right and then let's say we have 0 0 1 and boom like this in decimal this would be uh 13 that would be 13 and then this would be about three so in decimal uh in sorry in hexad decimal we'd have the uh 0x03 so that' be x03 and then um for the 13 we would have uh you know 10 is a 11 is B 12 is C and then D would be 13 that we would have here so that's how we we'd represent an exod decimal but when we're adding especially when adding uh binary or we're running the arithmetic the N logic here against two binary numbers what we do is we have to check both binary values that we're at we're ending we're adding we're doing the and operator to and if the corresponding result is one then it's one Ela to be zero so this would be one uh 0 and one would be zero 1 and Z be 0o and 1 and Z be Z so our end result would be one once we provide once we appli the um an operator that's what I mean by being able to do the um arithmetic logic with binary now there are other things are like exor you know there are the or operand um there is the nand there is nand um not we have a few other operands it's good to just go and study those you'll need it for for a lot of debugging if the decompiler fails as far as reading Assembly Language maybe not so much but still nice to know okay back to the assembly okay so these are your decimal binary and heximal it's very important to know these uh this table and all the 16bit registers for decimal for binary and also for hexadecimals and also how to apply that arithmetic to the binary values okay moving on so when we start talking about the Indian type of architecture little Indian big Indian it's actually very simple so little Indian pretty much just starts with the lowest bit and then big Indian starts with the biggest bit that's really it so when we talk about the 32bit registers as you saw in the we went through the registers 32bit is usually at the far left side and then zero bit is at the far right side so when we talk about in terms of big Indian little Indian we start at the far right side for the smallest bit and we start at the left side for the biggest bit so when we talk about little Indian let's say there's our full uh heximal value here right our U we'll call this our address here right let's say this is the full address and um we need to convert this to little Indian hex and decimal uh what we're going to do is start with the smallest bit here really quickly little Indian applies to btes so we don't apply little Indian to bits and we apply it to memory so we are talking in terms of memory and bytes that's when we appli little Indian and big Indian we talk in terms of bits and registers we don't really talk about the Indian format so just just something to keep in mind okay so when we're starting with little Indian here we have our 32-bit address right here right and we want to convert it to little Indian so what we have to do is take the bytes first in this case we're just taking one bite at a time and so for heximal one bite is just the there just two values um so what we're going to do is take for D since this is the lowest value here the far right is our first bite and we're just going to bring it down and that's going to go at the top of our memory here then we go to the next lower bytes the next two are 3 C and so that goes down and that goes to the next slot in memory uh same thing 2B that goes down next slot and then 1 a that goes down next slot now when we go over to Big Indian we start at the left because we want to take the largest bytes first and we're talking about um just one bite here so we're just doing two values so out the left one a 2 B 3 C 4 d that's it that's the whole idea with little Indian and big Indian now don't get confused you might see that the disassembler kind of throws these out a whack you could adjust the bite size that the little Indian is applied to or the big Indian and that might make things better what I mean is you might see something like 4D 3C 2B 1 a and that might be a little confusing to read um but you can set the the compiler to say I don't know instead of taking taking one bite let's say it takes two bytes well now the first uh memory slot here is going to have 3 C 4D and then it's going to have 1 a 2B so it'll be a lot easier to read and you'll kind of understand that format and the same thing with big Indian here and you could even increase it to 32 by and then you just have pretty much this uh uh inserted here pretty much backwards almost um and then big Indian would be just as you see it there um so that's the little Indian big Indian um you'll see that with especially when you're when reading through the assmbly code big Indian you'll see a lot of like network based traffic in big Indian format uh little Indian pretty much other types of traffic in fact little Indian is very common you'll see the address space especially in a lot of tools and then when you look at the heximal values they'll look a little JBL up they might just be backwards and if you notice that they're backwards that's little Indian just keep that in mind also when we're talking about big Indian and little Indian background as to why they even exist pretty much just a lousy dispute between I think it was like England and France or something like that one believe that you should read things one way the other believe you should read it the other way that's pretty much it deserves to confuse us all I guess okay we're doing good so far let's keep going let's quickly talk about memory so that we understand how concept of well in in this case we're going to talk about stack concept of the stack how that works because uh it's going to be important um for reverse engineering but also this this video lab all right so this here we have our main memory as you can see then we have a high address low address inside this we have our command line argument and then we have our stack so the stack is what I'm really going to be focusing on and um I want to take mention on how this arrow is pointing downwards and that's because the stack naturally is pointing down so the stack generally starts at a high address and points down to the low address um actually let's show you a diagram on how that works so that you can um better understand how a stack would work okay so let's say this is our memory here to kind of get our stack back in here we'll do this we'll do something like this we'll do something like that it doesn't and then we'll call this our high address and our low address which is usually how it is um the way the stack works is that the stack is well one it's temporary memory um very temporary and it uses something called lifeo last in first out so the way it works is if you want to put something onto the stack let's say you want to put the value of uh three onto the stack know you put three on a stack here and that is the um now this is well not only is it the first end it's the last end um which is fine right you can access this three from the stack but let's say you want to put another value onto that stack let's say you want to put five okay so now you put your five here which again looks great the way the stack works well one it's always headed to the lower address but when you try to remove something from the stack you always have to remove first value well the first value on top of the stack which is the last value into the stack so so if you want to get to this three you actually have to remove this five first and then you can get to the three um and so that's how the stack works that's what that last in first out mean so if I add more values down here 12 13 terrible three but you get the point and later in my code I want to get to the three I need to remove the 13 first I need to remove the 12 I need to remove the five then I can get to the three that's how it works it's very useful for a number of things you'll see in the code um and you might see when I explain some of the uh like push and pop instruction I'll kind of go through this one more time just to make sure you understand how it works um but it's useful for something like the main instruction so in regular code when you write code you have something called main instruction um and that instruction pretty much is like your centralized instruction it's used for um I say instruction but it's really a function when we're talking about code it's used to call other functions and help your code run through um pretty much your entire code base and so at the end of your code you want the program to uh return back to the main function and continue through main just to um finish the execution process and so let's say instead of three let's say we stored Main in our stack well now it's really helpful because we don't go back to main until we finish executing all and removing all the things in the stack and the very last thing we have which is the first thing we put in is our main function once this is removed our program ex uh finishes and so it's the same concept with assmbly and that's how the uh stack works and that's what you need to know about Stacks um for this for the understanding of this video and also for the lab okay before we start looking and dissecting a piece of malicious code let's talk a little bit about the assembly instruction for the x86 Intel architecture so there are some basic instructions that we're going to review today or we're going to review right now and um these will help you to understand what's going on especially when we look at the disassembler um and look at a lot of the instruction in the disassembler it'll make a lot more sense and you'll see how to start figuring out what's going on or you'll see one of the methods that I I use when figuring out so starters I like to categorize these as like General instruction function call and stack instructions they're all instructions you know you don't these aren't official categorizations I just do this because it makes it easier for me to understand what's happening so with your general calls you have the move the mov all you're doing here is you're moving information from one register to another register that's pretty much it it could be an address it could be a value it could be you know a character it could be an integer it could be uh whatever you want to move you're just moving something into a register so it could look something like you know move eax comma eax for example that means you're just moving eax to eax really quickly something I do want to point out is that x86 does use the little Indian style as I as I mentioned so if you have a move instruction it'll be something like this it'll say move and then you might have uh I don't know eax um and then you can say just to make things simple I'll just throw another eax here just to make things simple the way you read this is this is your instruction right so we'll say that's the instruction then it goes to the value this right here is your value um so because it's little Indian it's backwards so you read the last thing first and then this is the register so your you're moving the instruction right this is the value so whatever is inside this eax you're just moving it in this case you're just moving it to itself so that's how this works with the move instruction and um little Indian um so just keep that in mind when we look over this assembly instruction okay uh moving on we have the jump instruction essentially it allows you to jump to an address so you'll see that when we look at a lot of the functions but you might see a heximal address one area and then you see a JMP and you're able to jump to another area so it'll look something like this it'll say you know let's say it was jump and then let's say you have like I don't know you want to jump to a specific um address and then I don't know we'll just throw something random up here that means wherever you are in your assembly code you want to jump to this address because that's where the code's going to continue that's pretty much now there are variations of jump there's something like j and z um this j and z is pretty much like a conditional jump so it's like uh you know if the register contains zero for example then you're going to jump to this address else you're going to go somewhere else or you're going to do something else or jump somewhere else so there are conditional jumps um you'll see that usually J something and that's so you can tell whether it's like a jump instruction all right let's move on to the next instruction um so the next instruction we have we're going to talk about is add and subtract I won't spend too much time on that but it's pretty much just integer based so integer base adding integer base subtracting you also have your bitwise operator so you have your end you know your not your exor uh it all falls under I call the General instructions here and it usually also applies to integer values or so um if you see like an end not exort you're going to see that follow with probably like a hexad decimal value most likely um for that you can probably manually just convert it to Binary and then do your bitwise operator and then convert it back to Hod decimal to try to figure out what the value is um a lot of the times the decompiler will try to figure that stuff out for you so we'll get to see some of that okay now we have what I call uh function call instructions they're still part of the general instruction set but these two have very specific functions so that's why I call them function call we have call and then we have red Now red is just short for return that's pretty much it and call is uh allows you to call a function so the way that works is you know let's say you're you're writing General and you have your main function here and Main is you know just your regular main function in this case this be like a python format um what you want to do is you want to execute some code here and then you want to I don't know part of your code execution you want to call a function and assembly we would use that call um uh instruction here and you're going to call uh let's say you want to call specific function I don't know want to call X so now the um disassembler you know knows to go to wherever this x function is and it's going to call wherever that is now that's going to have some code that runs and that code might also have another call that goes somewhere down here and just you know it can just go on go on however complex this might be or simple U when you do see a call function it's important to just jot down where you are before you jump over to the next um address or the next uh function that you're trying to call uh cuz you can lose track especially if it has a lot of calls if you have a call then inside your call you have another call inside your call you have another call you can lose track of where you are so it's good to to jot that down to note that uh so that's pretty much how the call works now you also have the R so you can return for example U let's say you want to return y inside of your call let's say this was like you know this was like that you're calling X and then inside of your X function you're returning y well now you your your code is redirecting to the Y fun so it can also get um really complex as well but just know uh if you're used to General code it's pretty much the same as when you're calling a function and then return you know you're returning a value but or another function or so that's how the call and R works with assembly instruction okay then we have our push and pop as I explained how the stack works it is last and first out so the way that we have our stack is let's say you have something like this and then you have uh the stack is always going to the lowest address first so then you have I don't know zero and then you have some random numbers just going to make any some scribbles you can have a 12 here terrible two there you can have a 12 here um I don't know you can have like a three here and then here you have like0 x0 0 for example um the stack is always going downwards towards the the lowest um address and so how these functions work is if we want to push we will push to the stack and we will pop from the stack so push pretty much pushes to wherever the stack um uh is in this case so let's say the stack starts off here you're going to push it back value there let's see you push the value one now this right now is at the top of the stack it's the only thing in the stack you want to add another value what happens is let's say you want to add that 12 then you'll add 12 to the stack so now 12 is at the top of the stack all that and this one here which this first value here would be after 12 especially with little Indian as things go backwards and then next you have your three and now three is at the top of the stack so that's your push so you push you're just pushing things to the stack now when you call the function the instruction pop you pop whatever is at the first the first value in that stack so last in so the last thing that we put in was a three now we want to pop so the first thing we have to take out is the three and same with the 12 after we take three out we have to go out to the 12 and then we have to go up to this this value that we put here in one's Place we've pretty much had our crash course let's jump into the actual assembly instruction let's look at well in this case it would be malicious code or malicious executable and let's let's see if we can figure some of this stuff out and so you can see how this flow works all right we made it we made it to the fun part right let's jump in and let's take a look at this stuff so really quickly the program that I'm using is called cutter um you can just find it on GitHub or Google cutter um decompiler debugger you can call it cutter disassembler I guess you can call it cutter disassembler should come up or Cutter GitHub something like that um I chose this program because it's really easy to read and follow along with things a lot of other programs that are good for disassembling code um or programs or applications executables things like that um there is gedra there is uh Ida Pro um there's GDB there there's a few and there's many out there I'm just choosing cutter why not okay so from the start here we just have an overview of our malicious code in this case it's a piece of malware and so we can kind of start seeing um basic information that we can use to start figuring out what's going on like for example these are the libraries that are being used used in this in this case is the windows environment so the windows libraries um we can see the hash of uh the malware and then we can just see you know little Indian so this tells us going in that this is going to be in Reverse like the uh the values will be a little reversed um for that little Indian style to meet that style Sal architecture x86 which is what we're focusing on that's a good thing Sal operating system so if you wanted to run this you would probably pop this into a Windows machine and try running this format portable executable and then is the 30 2 bit u meaning that you're going to see a lot of the E registers so like e ax e uh you know BP uh es and things like that um you know read and execute mode that's just a um executable mode um language and then you just have some other stuff and then you have your base address and this is going to be the Base address here of uh you know this hexad decimal value um and that's where you'll see like entry um zero here where you'll probably see that Base address um okay let's jump actually let's take let's take a look at open up entry here and just take a look okay entry in uh in a disassembler entry is usually where like the entry point of the code starts but we're not going to do that what we're actually going to look for is the main module not going we we usually don't start at the entry well at least I usually don't start the entry I start at Main the reason why I start at Main is because in a program you usually start at Main and main function calls other functions or other um parts of your code and then it executes that part of your code goes back to main main you know continues to run down calls another function or sometimes while you're executing a different function there's another function that's called as a result but it usually starts in Main and then the program generally finishes in main so I like to start in main because that's where you're going to start and finish regardless you know you don't really need to start anywhere else you should you know by default go through all the flows and try to figure out what's going on okay now I know this might look confusing but um it's actually really simple when you start looking at it and you start plugging things in in fact I'm going to look at a graph view boom so now you have have your graph View and now you have you know this is your main function how things start and then there's looks like there's a condition and this is why I like the graph view because it shows a condition now if the condition's Met it looks like you end up here if the condition is not met you end up here pretty self self-explanatory at least for that part okay but let's start with our since we're in our graph here let's uh see if I can zoom in a little bit H it should be good enough okay so when I read especially when we're reading um uh in the x86 uh Assembly Language I like to start at the very top and just try to make out what we can make out so I guess the best way to show you how that works is to just dive in and start talking about a lot of the stuff okay so starting at the very top we have our int main which is usually a declaration of a of a function especially when we talk about C the C language is this was written in C and then we have our parameters that main will accept and so par the integer um then we have you know two uh chars so pretty self-explanatory there and then going down we have what we see our variables hence the VAR the V these are a bunch of variables that are going to be used somewhere in the code it's hard for us to figure out what these variables are so I'm not even going to try that's it I I just going to we'll come back to these as they come up and try to you know plug in uh what values could could exist in here really quickly you can do a dynamic analysis where you actually run the code and you start figuring out what's happening what's going on you can start making assumptions based on the uh behavior of the program we're not going to do that right now we're just going to focus on the static part try to figure out what's going on but when you really reverse engineering it is good to run the program and try to get information on that like what features doesn't have um what buttons are mapped to and things like that that will help with the reverse engineering process but for this video we're just going to do the static part maybe we'll do another video on the dynamic stuff okay jumping back in So under after all these variables we have our first instruction I call this and this instruction is pushing the base pointer so EBP as you remember from the U registers BP is the base pointer and then e just stands for extended so this is the 32-bit uh base pointer now in a lot of cases you're going to see a lot of assembly Codes start with pushing something to the top this is most likely the main module so we're going to add a comment here I could find where the comment there it is ADD comment so firstly we see push so you know push and pop are going to the stack so we're pushing something to the stack and that's the very first value into stack we're pushing EBP to stack we know that let's read add that comment since I for some reason can't backspace all right so we're pushing EBP to stack and then this is probably Main module remember we want to start at Main and we want to end that main so since it's the first instruction good chance we're pushing that to the stack and now that it it's since it's to the top of the stack that means it's going to be the last thing that's uh executed and Po from the stack so it only makes sense then what you're doing is you're moving the current stack position so right now the stack has EVP in it you're just moving the position of that stack into the um base pointer register so probably to you know save that um save that main module so that the code can reference it later okay so moving down that's part of this comment here we're just we're just adding um so moving down we have a bitwise operator and and you're ending you're doing a bitwise function to this hexadecimal value which is uh most likely some kind of like value and an address and then you're uh doing the operator with whatever was inside ESP so in this in this case wherever value is in ESP we're doing it bitwise an operator with this heximal value now I'm not going to go ahead and do that right now I think um any of the addition subtraction stuff can come later we can try to figure out what's going on based on easier things right now and if we still can't figure out we can just go back and start looking at the math and in this case we're just doing like a subtraction subtracting values from uh what whatever values in this um address from wherever the uh you know from whatever is in the uh stack pointer now again we're not going to focus on on the addition or the and and subtraction here okay moving on now we have our familiar register here right the accumulator register and we have in this case it's the extended accumulator extended register so uh this is the 32-bit register we have and then it looks like we're moving a double word right a dword which belongs to this function right here into our register so in this case what we would do is we would take a look at what this would be uh that's a you know in this case a dword and it's being moved to eax so then we're trying to figure we'd figure out um you know what's let's see if we can add a common here we figure out uh what data is being moved to uh eax so we try to figure that out so at that point we figure out where what's an e and then we go down we see that there's an exor operator and so the ESP is being exort with that value that would just move to eex um in this case we are going to skip this because we're not going to do um bitwise operat right now maybe we might just do it in another uh video it depends depends on how this video goes all right now we go down to the next one so next one now we have a value in EA and we're um we're moving at to whatever this variable is so the variable here at ah as you can see at the top so now we we starting to look at we starting to figure out that we have variables that are assigned so in this case this might have been assigned to nothing like zero and then eventually we assign eax to D dword so we can just I don't know something like add a comment we have bar H is being sign Val at ex here boom and we can just do some Dynamic analysis we can set a break point like right here for example and then we could stop here and then we could look at what ex holds as a as a value and then we know that that value is now belonging to this um variable so that's one way we could figure out where that value is but you leave your comment here you can do all that later I'm going to keep going down the list of main because when it comes to reverse engineering it's easy to get lost and uh it's probably easier to continue going down Main and then start filling in the blanks the second time around and then you go through the verse engering process is a very tedious long process but it starts to get repetitive so you start to understand how things work as you continue going okay now we have a bunch of pushes and then a call and uh let's just see what we're doing here so we're pushing zero to the stack so now stack has zero and we push another zero to the stack so it has another zero push another zero to the stack has another zero push another zero to the stack so right now the stack has four zeros and then you go down to this one so this is interesting because now we're pushing a string mozzilla 5.0 and we pushing that to the stack and it looks like that's the last thing we push to the stack here which makes it the first thing we're going to take out so string maill 5.0 looks like a user agent I'm not going to comment here because we I haven't confirmed that it's user agent yet but my my guess is that this is some kind of user agent and then once you push all that to the stack we're making a function call so now we go into this function and we're calling this function because it's not an address it's an actual function this is actually a Windows um like a Windows based API that we're calling and we're running whatever uh function this API does we're running that function so we can actually figure that out quite easily when're not going to a um register so let's do uh internet open w so we'll do internet open w and then uh Windows it should come up with the document there we go okay so there's the internet open w and then here's a syntax so in the internet open w you have five different parameters and those include looks like uh agents so it looks like it's like a user agent access type proxy proxy bypass and then Flags so if we look here uh this is little Indian so technically we do have to read this backwards because the way it works on stack is the last and you know uh last and first out so the first thing that's out is the thing that should be at the top which is the string monzula 5. so if we try to match that with this API call and see if it actually makes sense we might have figured out our first um reverse engineering piece so let's think so this is the user agent and looks like it is user agent so this matches let's go here uh so actually let's add that comment here uh just to make sure that we're in consistent that's us your agent um and then next we have access type which is zero then we have proxy which is zero we have proxy bypass which is zero and then we have Flags which is zero so it looks like it matches we have five parameters as we should the very first parameter is user agent so this is making a function called to the and we'll just add this uh comment uh when API call um for user agent that's all function call for user agent and now we just figured out our first block of uh would say assembly instructions so we're making a call to Windows API to uh push a user agent um or to uh do something with the user agent in this case the windows api's internet open w and we can pretty much see what it says initializing applications use of the when inet functions and then uh parameters Returns value handle application passes if internet open fails returns no so you're opening the internet so it's doing something with opening an internet and make you know we're assuming that there's going to be some kind of connection made especially since it's U assigning a user agent after opening like an internet um API from the windows API here okay now we can keep going we see Lea which pretty much stands for load effective address so you're just loading an address um you're loading the address where uh the stack pointer is into our register EC CX which is the extended um C extended register so it's just like eax but it's another register it's like an like think of it like an alias so um there's a there's e ax ebx ECX uh kind of like how we explained so you're moving whatever is in um uh the address space for ESP or the address for ESP into the um ECX here all right going down we do we have a few more moves we're moving um whatever an eax to uh whatever this value here is this address add um again you know now we're just moving this address into ESP and we see what these values are there's already commments that um cutter has put in for us so like this is 2000 this is the heximal address so this is helpful to to keep up here uh we're just going to keep looking down um because we see another push push push push push um instruction set here which could be helpful um since the last one was pretty helpful so in this case we have Z 0 then we have user public documents uh data manager help Des local favon um and then you have this another Windows API call whoops back um URL download to file W so now we're actually going to take a look at that URL download to file W another Windows API call and boom takes five parameters color URL file name reserve and call back CB here um and so we start looking since we're doing little Indian we start at the at the top of our stack we go in so first value uh call back zero this value is the reserved so this will be reserved um I'm not going to make the comment there but just know it's reserved then we have file name so this will be a file name then we have URL this will be URL and then we have caller this will be the caller here so we do know that it meets the number of parameters that need to be met so this so far is working out really well um but we still need to to figure out stuff right so we know the file name that's pretty self-explanatory what is this dword reserved what is that so good thing about Microsoft documents is that they they document um so reserved must be set to zero well that doesn't really help us right so um here what we would try to do is try to figure out what that reserved is so we can do this it is download okay so looks like uh my guess is that this this Reserve is actually talking about the same Reserve that I'm seeing in the stack Overflow um special characters called Reserve since their uses in the URI component is limited to reserve purpose so uh these are just reserved characters and it would make sense that this is dword and it's a dword for reserved characters um for downloading a file from URL so that would make sense and that was what this Reserve would be here um okay so now we just figured out our second instruction this one is using the URL download file will um add our comment here and we're downloading file I can't backspace so file um to we'll say C drive because in this case it is C boom so now we have two things that we just figured out we figured out that we make we we make a um internet open call and we specify user agent of mozzilla and then the second thing we figured out is that we're reaching out to some kind of URL and we're downloading file so so far we can probably take a guess here is that we're we were reaching out we're downloading a file and then after that file we're doing a test here this is probably a conditional so after we download the file right we're running a test and we can make a deduction based on a graph this is why the graph is great right if the test is true right we're going to make that jump to this U address space and if you look and if you follow the graph 4011 142 and then you go here 41142 so if it act if that file is tested and it works we jump here if that file's tested and it doesn't work well we go here and so now we're going to assume that it works because we want to figure out what happens when the flow stream is correct and so we go down and we start pretty much doing exactly what we did we start looking we we can see there's a bunch of pushes here and then there's LP command line that's another um uh API call there that's making so we might want to look at these pushes here um and then the same here get module file name we want want to look at these pushes and then go back and try to fill in the blanks we see we see some ads we see another call here uh after a push we might want to take a look at what this call is uh VC runtime and things like that um and then over time as you as you see as we're doing over time you're starting to figure out what's going on you're starting to figure out how this application is working and um you start to also be able to figure out how to like make your own kind of similar application so in this case yeah sure we assign a user agent of Mozilla 5.0 and then we reach out and start downloading a file to see we don't have the URL yet we haven't really you know um we can test that by just doing like a dynamic analysis running the program and then just monitoring Network traffic now we have the URL that we can add um but you see with this static and if you combine it with Dynamic analysis it makes the reverse engineering process a lot easier and you're pretty much able to like recreate whatever this program is based on how you're learning it and based on like as you're running it dynamically you're still looking at the assembly instruction you're still putting pieces together and then eventually you have your full piece your full picture now I do want to note that uh there there are disassemblers like cutter that will go and decompile um the code and so this is the uh debuggers attempt at decompiling the code so you can look at this if your debugger um if your disassembler has this feature what it what this is is just uh General C syntax and so uh it basically trying to piece together what it thinks is going on here so as you can see we've already went through this assembly code but as you can see we have our user agent comment here and then win API call for user agent right and then um if you keep Lo keep looking we have our other comment that we just added downloading the file to see and then this is where you're downloading that file and this is actually the name of the file that you download we got that from the ASM instruction but um as you can see if you look at the disassembly of the file and let's uh all right okay as you can see the file that we download is this right here cr4 33101 dat a.exe and if you go to the D compiler you can see it's more cleaned up uh right here so that is um we'll stop here that is a uh I would say like a crash course into reverse engineering I gets pretty fun especially when you're um trying to I don't know inject some kind of exploit you know being able to figure out okay well which register should I manipulate or what data should I add into a specific register or if you're trying to bypass something for example one of the things I like to do is there are some uh pieces of malicious code that will check and see if you're Renning a virtual machine and if you are the the maware will just uh die and not run um and you can actually just go in and you can just start deleting those lines that will actually check for a virtual machine so it runs regardless um or if you're I don't know uh reversing during an application and you notice the application reaches out for like a license check and continues maybe you want to like delete that license check and then see if the program will continue without a license check um I think that's how uh I won't say the names but there are some applications that reach out to a server to check for a valid license and uh there has been ways to get around that by deleting the license check and the assembly instruction and then just running the say cracked application that way um yeah it's it's very useful um reversing can help with multiple multitude of things applications um bug Bounty malware analysis as I mentioned but um this is pretty much a good start on getting your hands dirty with the reverse inuring process you made it through you just graduated to reverse engineering intermediary Beyond novice thank you for watching this video I might make a part two just let me know if you'd like a part two for reverse engineering it's a a very confusing Topic at times but uh it's really fun to get into especially when we're dealing with like malware analysis and trying to get into the guts and trying to figure out what's going on really fun the x86 architecture really um interesting to work with but I like it a lot now if you like the video what you wait hit the Subscribe if you haven't give me a like comment notification Bell once again all the above we only releasing bangers from this point on I'm here to help you guys learn as much as possible CU throughout this process I can also learn as much as possible we all win it's a win-win thanks so much for watching the video and I'll catch you guys in the uh next one pap