Intro to Ghidra Tutorial 2023 | Setup to Disassembly Window | Ghidra SRE


Comments • 146

  • @zeez7777 5 months ago +14

    I think you might be the best teacher i have ever had the pleasure to learn from.
    You're so articulate, it was almost unreal listening to it, in a good way.
    What a great gift you have, hoping to see more masterpieces like this, they're greatly appreciated.

    • @RicochetTech1 4 months ago +1

      @zeez7777 Thank you so so much for your very gracious kind words! It makes me very happy to hear the content is working in the way you mention.

  • @zer0k4ge 5 months ago +18

    I feel like reverse engineering is a skill that's heavily reliant on other skills, but you've basically just reverse engineered the topic of reverse engineering 😂. Great video! very helpful for someone getting started like me.

    • @RicochetTech1 4 months ago +2

      @zer0k4ge Thank you so much for your generous words... what a high compliment to receive... thank you again.

  • @dchidelf 8 months ago +5

    The comment to “allow the feeling of confusion to sluff off” was just perfect. I do technical training and frequently find people feeling like they need to completely understand everything before they can continue. Those that can just accept that they will start to understand the whole picture later usually end up with a deeper understanding in the long run.
    You have a great teaching style!

    • @RicochetTech1 8 months ago

      😊Hearing that from an instructor is really wonderful... thank you! What you say makes sense about deeper understanding in the long run... While frustration can serve as a catalyst for focus, it can often (more often?) act as an unhelpful obstacle. I found over the years developing a sense that my brain is multiprocessing, that it is working in ways I do not immediately perceive, helped to build a sense of "things are happening, moving me toward the goal" while consciously not yet completely understanding content being taken in. Never to forgetting tenacious effort is part of the picture, I obviously find confidently letting things "bake" or "age" to be instrumental. Thank you again for your comment!

  • @edhopkins6589 3 months ago +5

    I wanted to thank you for this amazing tutorial. I believe your style of coaching for RE/Reverse Engineering is 'perfect' for people that are interested in the subject but do not have the exposure to tools & techniques. The reminders of 'hit these keys' speed things up. I love that!
    Ty from Massachusetts

    • @RicochetTech1 2 months ago

      @edhopkins6589 That is so very nice to hear, thank you tremendously for saying so! I try to create what I would like to encounter myself, nice to hear it's working... and glad the shortcut reminders were helpful!

  • @gplusplus314 9 months ago +9

    I've been coding for 25 years and I still very much appreciate your back-to-basics teaching style. It's nice to get on the same page by starting at first principles. Thank you so much! I just started working on a career shift from software engineering to reverse engineering. Gotta start somewhere! This is fantastic. Thank you!

    • @WordMouth 9 months ago +1

      Reverse engineering is fun but bro it doesn't pay well and you will struggle a lot to find job opportunities.... Personal experience 😢

    • @RicochetTech1 9 months ago

      That's wonderful to hear, and thank you tremendously for noticing the approach... even within my scope when pondering over an issue, or some design choices, going to well-known starting points is helpful if not essential. Best of luck with your new endeavors!

    • @RicochetTech1 9 months ago +1

      @WordMouth ​Thanks for the heads-up, insight, experience. I assume you mean specifically for cybersecurity. Probably obvious, or something you know already, but reversing skills can be essential in many everyday software development endeavors where there can be crashes, crash dumps, or tough release-build problems that need digging into. In situations like that, being able to pick apart details without source can sometimes be make-or-break for time-to-market, customer well-being/satisfaction, sales, and so on. It's great to hear about your experience... but just wanted to say the skills can be applied broadly beyond cybersec. Thanks again for stopping by and the insight.

    • @gplusplus314 9 months ago +1

      In my particular case, reversing is helping with a non-cybersecurity context. That said, a lot of the skills seem to be closely related to malware analysis and security mitigations.

  • @gianbattistavivolo7449 10 months ago +5

    Thank you, please continue this series!

    • @RicochetTech1 10 months ago

      That is great to hear, thank you!

  • @themixedmixedchocolate7561 7 months ago +1

    One of the most amazing tutors!! From the little details about the shortcuts to saying that this was a brief explanation and don't get discouraged if you can't grasp the concept, shows the understanding behind learning. So many times I have watched a tutorial which solves some of my questions but then leaves me with more, then I rewatch the part trying to understand it myself but I find myself just using up brain cycles and doing no good. It is vital to teach and remind someone who is trying to learn that feeling confused is in the nature of learning, especially when it isn't explained thoroughly. I'm finishing up my studies in CS and wanting to learn about many fields like cybersecurity, AI and others, but when I try to start learning I feel like there are so many things to learn, I don't know where to start, this will require so much time if I keep learning so little, so many people already know it, I don't know if I am wasting my time etc. I understand that this confusion is part of the process and try to push through, but many times I do get discouraged like many people, slowing my progress. But seeing someone like you mention it in such a good way is very refreshing and helpful to me and to many others. Also the calm and relaxing style of teaching makes it so much better. Thank you very much and keep up the good work!

    • @RicochetTech1 6 months ago

      @themixedmixedchocolate7561 😊It's so nice to hear, encouraging that I'm approaching things in a way that works for you... thank you!

  • @erncpp 7 months ago +4

    This is literally golden content for free... There are not many good free courses or resources on reverse engineering, and this one is really, really good. Keep up the good work, waiting for new videos.

    • @RicochetTech1 6 months ago

      @erncpp 😊Very encouraging to hear that, thank you!

  • @artistepromotionz9183 8 months ago +5

    Your back-to-basics teaching approach is simply amazing!! You just might be the BEST Teacher/Tutorialist on RUclips. I immediately subbed!

    • @RicochetTech1 8 months ago

      @artistepromotionz9183 So awesome to hear... thank you tremendously for such heartwarming/encouraging words... a great way to start Friday!

  • @JasonSubOfficial 6 months ago +5

    You are a great teacher! I love your teaching style and would encourage you to make more as you have a talent for it

    • @RicochetTech1 4 months ago

      @JasonSubOfficial Thank you tremendously for your gracious comment, encouragement... I'm glad you enjoyed the video!

  • @Karuda_ 8 months ago +3

    I’m only 30 minutes in and I learned so much already.. Love your teaching style and i can’t wait to get through the whole video

    • @RicochetTech1 8 months ago +1

      😊Really awesome to hear that... thank you!

  • @arkan7rb 2 days ago

    That's the best video tutorial I have ever seen on YouTube in years!!! Really awesome.
    Sure I liked it, and I can't understand how someone could not like it, honestly.
    Subscribed, liked and shared.
    Waiting for part 2.
    Thank you so much
    😘

  • @pitc5793 6 months ago +1

    Very nice and efficient style of teaching ... one of the best I've seen. Subscribed.

    • @RicochetTech1 6 months ago

      @pitc5793 😊 So wonderful to hear... thank you!

  • @ZacMagee 4 months ago +2

    Amazing, as the other comments have outlined. There is no content out there at this level. Outstanding ❤

    • @RicochetTech1 2 months ago

      @ZacMagee That is so wonderful to hear, thank you tremendously!! I hope you continue to enjoy it.

  • @XenKreigor 5 months ago +1

    I'm still watching, but wanted to say THANK YOU VERY MUCH for this tutorial! You are excellent at explaining concepts and really helped me fill in my knowledge gaps. You have quite a gift for teaching!

    • @RicochetTech1 4 months ago

      @XenKreigor Thank you so much for your comment, I'm so very glad you find the material meets a good bar, is helpful!

  • @konstantinrebrov675 6 months ago +2

    Wow, this is the most comprehensive Ghidra tutorial ever, and also the most informative, the most professional, the most knowledgeable one that I know of. I'm really blessed by God to have access to such knowledge of computer programming. Because a mere 20 years ago in order to get such knowledge one had to attend one of the top Universities in the world, such as Stanford or MIT. Now we can have this knowledge for free, anywhere in the world. I'm so grateful to you and to the other RUclipsrs who are putting out such educational gold nuggets for free. You are truly contributing to the collective knowledge of humanity.

    • @RicochetTech1 4 months ago +1

      @konstantinrebrov675 Thank you so much for those very kind words, they are greatly appreciated! I, like you, remember what it was like not to have everything easily available... one had to dig and discover. When creating a video I try to create something I would want to encounter... so it's good to hear the video is having that effect to some extent. Again, thank you!

  • @lew9068 10 months ago +3

    Very informative video. Please keep on providing this high content.

  • @beast3570 4 months ago +1

    The greatest teacher that I never had, love the way you break down complex concepts so anyone can understand.

    • @RicochetTech1 4 months ago

      @beast3570 Wow... I'm so happy you liked the content... very inspiring words... thank you tremendously!

  • @briluc 10 months ago +2

    thank you so much for doing this!! Hoping to hear more from you.

    • @RicochetTech1 10 months ago

      That's really great to hear, thank you!

  • @sararisotti6106 7 months ago +1

    I love your video! It took me a couple days but it was so informative and easy to follow along ❤

    • @RicochetTech1 6 months ago +1

      @sararisotti6106 😊wonderful to hear, thank you!

  • @QuantumMystics 7 months ago +1

    Hey thanks for the video! you explain it so nicely!!

    • @RicochetTech1 6 months ago

      @QuantumMystics 😊Very encouraging to hear... thank you!

  • @skollie5660 5 months ago +1

    I don't comment on videos often (if at all), but I just have to say that this was such an absolutely fantastic tutorial. I wish (and hope) you'll do more. Thanks a lot for this.

    • @RicochetTech1 4 months ago

      @skollie5660 Thank you so much for letting me know, it's really great to hear your feedback!

  • @abdellahoullaij4946 7 months ago +1

    Thank you very much for this amazing tutorial, I enjoyed it a lot. Thanks again

    • @RicochetTech1 6 months ago

      @abdellahoullaij4946 😊That is wonderful to hear, thank you!

  • @mohammedettayby2716 9 months ago +2

    This is what I was looking for. Thank you

    • @RicochetTech1 9 months ago

      That is great to hear... thank you!

  • @pet.me102 2 months ago +5

    I thought this video had millions of views but only 23k views for such quality free content?

    • @RicochetTech1 2 months ago +2

      @pet.me102 I'm glad you like the content... thank you!!

  • @H3xL00m 9 months ago +3

    This is amazing, keep it up!!! Want more videos on RE

    • @RicochetTech1 9 months ago

      Thank you so much for stopping by, sharing your thoughts! As I consider all possibilities, I cannot promise anything, but it would be great to hear of any specific topic you might be interested in.

  • @mcandcodes 1 month ago

    I rarely comment on youtube but couldn't resist mentioning that it was a really good video. Learnt so much about Reverse Engineering and I'm hooked. Thank you

    • @RicochetTech1 22 days ago

      @mcandcodes That is wonderful to hear... thank you tremendously for your very kind words!! 💯✨

  • @GW-nh9qc 8 months ago +2

    Super, thank you very much for sharing 👍

    • @RicochetTech1 7 months ago

      @GW-nh9qc Wonderful to hear that... thank you!

  • @antonyjose2231 10 months ago +2

    This is what I was looking for. Thank you ❤️

    • @RicochetTech1 10 months ago

      That is awesome to hear, thank you!

  • @the_yugandharr 18 days ago

    Woww, you're teaching so well! You're super articulate with your words and it is super beginner friendly. Thank you so much ma'am!

    • @RicochetTech1 3 days ago +1

      @the_yugandharr What a wonderful compliment to hear... thank you tremendously!

  • @nine9winged 1 month ago

    This is one of the best tutorials I've watched so far. I love it how you constantly motivate me to go on even if I'm confused

    • @RicochetTech1 1 month ago +1

      @nine9winged Thank you so much for the kind words... greatly appreciated!! Happy "reversing"!

  • @Manavetri 11 months ago +2

    Just outstanding. Thanks for sharing

    • @RicochetTech1 11 months ago

      That is awesome feedback… thank you tremendously!

  • @MarcosTrigoTechera 1 month ago

    Oh man! Such an amazing content and a great teacher!

    • @RicochetTech1 22 days ago

      @MarcosTrigoTechera Thank you tremendously for your very kind words!! 💯✨

  • @UtkuDogan-q5b 6 months ago +2

    This video really helped me, thanks man :)

    • @RicochetTech1 6 months ago +1

      @user-kw5yw7vv5i 😊I'm glad you found it helpful!

  • @derpaint 9 months ago +2

    I subbed because I like that you kept it super basic; I'm just getting into reversing and it's what I need.

    • @RicochetTech1 9 months ago

      That's great to hear... thank you!

  • @AlexSeraphim1795 10 months ago +3

    Hello! Thank you so much for this insightful Ghidra tutorial. Your clear and captivating explanations make complex topics easy to understand, especially for those of us new to the digital world. Your video has sparked a real passion in me to learn more about how things function in the digital realm. I'm eagerly waiting for your next video. Please keep creating these wonderful videos. Wishing you a Merry Christmas and a Happy New Year!

    • @RicochetTech1 10 months ago +1

      Wow, very moving feedback, thank you tremendously! Merry Christmas and a Happy New Year to you too!

  • @keeganna5576 4 months ago

    This is my first time commenting on RUclips. I really appreciate your time and amazing talent in explaining difficult concepts so easily. I aspire to teach like you in the future. I look forward to more videos. Thank you!

    • @RicochetTech1 2 months ago

      @keeganna5576 Thank you so much for your wonderful words, beyond encouraging! ... and I'm very honored to be part of your first RUclips comment!

  • @handlerKE 8 months ago +1

    This is the one video I have been looking for. Very informative. Thank you so much. You have inspired me.

    • @RicochetTech1 7 months ago +1

      @handlerKE So glad to hear that... thank you!

    • @handlerKE 7 months ago +1

      @@RicochetTech1 I am looking forward to learning more from you. Once again, thanks for inspiring me.

  • @mehmetarifartan5633 7 months ago +1

    I liked it very much that you explained it in all details. I did not understand how the hours passed. I am waiting for new lessons with curiosity and excitement. Thank you.

    • @RicochetTech1 7 months ago

      @mehmetarifartan5633 I'm so glad to hear that... thank you!

  • @maxdignitas3698 6 months ago +1

    Fantastic! Must have taken a while to edit. I appreciate the detailed timestamps!

    • @RicochetTech1 4 months ago +1

      @maxdignitas3698 Thank you! I'm glad you found the timestamps helpful!

  • @ayyildiz-ccc 1 month ago

    Thank you for the great content, sir! Very interesting even for such an amateur like myself.

    • @RicochetTech1 1 month ago

      @bulletproof1453 I'm grateful you find the content worthwhile, thank you!

  • @Jkjk-pu2vt 11 months ago +3

    Thank you, great content

    • @RicochetTech1 11 months ago

      You are this channel's very first comment... and what an awesome comment it is... you are welcome and thanks for stopping by, checking it out!!

  • @DartrIxBTD 11 months ago +2

    Awesome content!

    • @RicochetTech1 11 months ago

      So glad to hear it... Thank you!

  • @walidkhames1966 10 months ago +1

    Comprehensive tutorial.

  • @quodpipax 8 months ago +1

    You are such a great teacher and the way you explain things is so easy to grasp. I've followed every step of the first part and paused to write this comment. I've looked through many videos on that topic and they were meh to say the least, but yours are just on a totally different level. I'll definitely look through other videos on your channel and I'll be waiting for your next videos. Assembly language and how CPU works is also a great topic for a video. I'm also curious about IDA and how does it compare with Ghidra? P.S.: finished watching the second logical part of the video. It was more difficult to understand, but I've learned so many new things. Thank you for your efforts!

    • @RicochetTech1 8 months ago +1

      😊That is so awesome to hear... thank you! Which portion of the second part did you find difficult? Was it a specific area or generally? I like to collect feedback like yours for my long list which I can use when creating new videos. Thanks again for your wonderful comment!!

    • @quodpipax 8 months ago +2

      @@RicochetTech1 Thank you for the reply! The difficult part, for me at least, was "Calling Conventions", because I couldn't understand at first what you were trying to tell us.
      I'm already watching your next "assembly" video, and at first I wasn't understanding it either, then the more I watched, the more I started to understand. It's like you said - don't be afraid if you don't understand something at first. And that's a really great point to make. It's like a puzzle, when you see all the pieces and can't make heads or tails of them, then they start to slowly connect and you are starting to see the picture clearer and clearer. I really, really love and find it so useful when you start to explain things very deeply, steering away a bit from the main topic. It's just an eye opener! The information you give is so useful and I can't even imagine where I would find it on my own. And at first you may not understand something, like "what does it have to do with anything" or "how would it be helpful" and then BAM, it all connects and you are just overwhelmed with joy! I can't thank you enough. I've already learned more from your single video (and so much more from the second one) than from dozens of other videos. Because that's exactly the way one should explain and teach things, just how you do it. I always want to repeat everything after you, and try some new things on my own now, because you've shown how to do it, explained it in every detail, and I don't feel overwhelmed by what I see anymore; it's starting to make sense and it's such a great feeling, and all thanks to you!

    • @quodpipax 8 months ago +2

      Oh, and I've read someone said something about using dark mode - totally agree. And if you could make the fonts a bit bigger in your future videos, that'd be great!
      Also a good tip to know in general: when you press Shift+RMB there's a new option appearing in the context menu - you can open a command prompt right here in this directory. In Win11, like you said, you can choose PowerShell without the need to press those hotkeys. But in case someone's using previous versions of Windows or doesn't want PowerShell and wants cmd, then they'd know that it's possible and convenient.

    • @RicochetTech1 6 months ago +1

      @evgenybogatsky8854 😊 That is great to hear, thank you so much for the wonderful feedback!

    • @RicochetTech1 6 months ago +1

      @@quodpipax Thank you! ... I agree, dark mode and larger font... I was bothered by the bright background and small fonts too... and others have mentioned the same.

  • @cyberbro_security 3 months ago

    Thanks a lot

    • @RicochetTech1 2 months ago

      @mcacyber You are quite welcome!

  • @AntonyjoseAJ 9 months ago +1

  • @drgabi18 6 months ago

    2:25:30 "It's just gonna call it fun" :D
    "For function" D:

  • @swenic 7 months ago +1

    Is there a point to comparing hashes if the hash and download are from the same source?

    • @RicochetTech1 6 months ago +1

      @swenic That is a great question! Let me share my thoughts incrementally, from the general standpoint to something more specific.
      Generally speaking, yes, there is a point... validating that the hashes match generally hedges bets toward a more secure approach to validating/using a download. This generally means it will in many cases provide value, yet it is not foolproof, just as most if not all forms of validation are not foolproof. The fuzzy or "hedging bets" benefits depend on the context.
      When you say "same source" you are not specific as to what "same source" means, so let's start with what I do not think you are referring to, and then give an example of what I think you mean by "same source."
      Let's say the "purported proper hash" is the hash presented by a download publisher, and we call it purported because we do not know if it is truly valid or not, but we believe it is the one from the publisher, and we act on faith as such.
      What I do not believe you are referring to: If a download comes from one site, but the purported proper hash comes from another site, one might theorize a threat actor would have to attack both sites, so, for the case where the threat actor does not do that, validating the hash will help.
      Regarding "same source" cases, let's start with a web site where the web page or database sourcing the purported proper hash is the same as the one where the download resides, and where the URL for the download is mapped to a directory on the server that is accessible to the same user account having access to the source of the purported proper hash. In such a case, the risks are higher that spoofing can occur, because the site publishes the hash and the download from a location that requires breach of only one user account. Considering the CIA triad, in this case a single user account can affect the Integrity of both the download itself and the purported proper hash.
      Despite that weak approach, validating the hash still hedges bets toward a more secure approach to using a download than not validating the hash. The reason is that the download itself may have become corrupt somewhere else before being posted to the site, while the hash may be the original valid hash. There are other examples.
      Another example of "same source" is where a download and its purported proper hash are each stored/accessible via different portions/accounts of the site (neither being root or having auth to modify the other's realm), where one portion or the other becomes compromised, allowing either the download or the hash, but not both, to be maliciously modified. In this case, validating is obviously good. Again, all of this is hedging bets...
      It's not that the approach doesn't have weaknesses, but not validating what is believed to be from the publisher pretty much hedges no bets at all and merely accepts the download, ignoring any presented hash. If the download/hash are each stored in separate realms, or even if not, when you ignore the presented hash you essentially make the attacker's job easier, because the attacker then merely needs to modify only the download and skip the hash, because you won't check it due to your belief it's not helpful, if that makes sense.
      So we might say it's always good to check the hash, but also not to get swept away by any false sense of security, to avoid imagining there is more security than there is. Your question actually shows vigilance in this area, which is a really good thing.
      Generally, when you religiously check the hash, you do not magically get lots of security that isn't really there, but you generally make the attacker's job more difficult.

    • @swenic 6 months ago +1

      @@RicochetTech1 Longest utube comment I have seen so far. Thank you for the response 🤍

    • @RicochetTech1 6 months ago

      @@swenic 😊 Thank you!

  • @breves 7 months ago +1

    Brava

  • @vander5464 8 months ago +1

    Very good, the best tutorial I have ever watched about it. I have a doubt, can you help? At the moment we are calculating numbers, why does
    "DE ^ AA" = 74? I don't understand how these hex number comparisons give us numbers

    • @RicochetTech1 8 months ago +3

      @vander5464 Thank you tremendously for those kind words! Regarding your question on hexadecimal... convert each number to binary and perform exclusive or on the bits...
      DE is hex D and hex E.
      Hex D is decimal 13... and 13 in binary is 1101 ... how do I know this quickly/offhand? Binary 1000 is 8, binary 0100 is 4, binary 0001 is 1 ... so 8+4+1 = 13 decimal or D hex.
      Hex E is decimal 14... and 14 in binary is 1110 ... how do I know this quickly/offhand? Binary 1000 is 8, binary 0100 is 4, binary 0010 is 2 ... so 8+4+2 = 14 decimal or E hex.
      Over time, you also begin to remember what each hex value is in both decimal and binary... it is something you will memorize, but if I've not worked with hex/binary in a while, it's easy to derive as I've explained above.
      Given the above we know that DE==1101 1110 in binary (8 bits is one byte, DE is a byte in hex, and it is 11011110 in binary... all ways of representing the same value).
      AA is hex A and hex A. Can you figure this one out?
      Hex A is decimal 10... and 10 in binary is 1010 ... 1000 is 8, and 0010 is 2, where 8+2 = 10... and 10 decimal is A in hex.
      AA hex is 1010 1010 binary ... so we have...
      DE=11011110
      AA=10101010
      Now the symbol "^" is the bitwise "Exclusive OR" operator, also called XOR and other names. Think of XOR as "exclusive or" meaning it is an operator that requires an "or" to exist for the result to be true or 1. By "requiring an or" I mean either one bit or the other being compared must be 1 and the other must be 0 for the result to be 1 (true). Specifically...
      0 XOR 0 is 0
      1 XOR 0 is 1
      0 XOR 1 is 1
      1 XOR 1 is 0
      Notice that 0 XOR 0 and 1 XOR 1 are false or 0. Why? Because both those have the same values, 0 and 0 in one case, 1 and 1 in the second case. For XOR to be true either one or the other can be 1, and the other must be 0. It must be an OR relationship. Or another way to think of it is "one or the other can be true, and the other must be false, for XOR to be true."
      So DE XOR AA is this...
      11011110 XOR 10101010
      ...or... a better way to view it here...
      11011110
      10101010 XOR
      ----------------
      01110100
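The walk-through above, generalised to any pair of hex bytes, as an added example (not code from the video or from the commenter): each step of the reply (hex digit to 4 bits, "which of 8/4/2/1 are set", the XOR truth table applied column by column) is a small function, and the result is cross-checked against the `^` operator.

```python
"""Added example, not from the video or the reply above: the hex -> binary ->
bit-by-bit XOR walk-through given for DE ^ AA, generalised to any two hex bytes
so the same derivation can be repeated for other values seen in a listing."""

# The four rows of the XOR truth table from the reply.
XOR_TRUTH_TABLE = {("0", "0"): "0", ("1", "0"): "1", ("0", "1"): "1", ("1", "1"): "0"}


def nibble_to_bits(hex_digit: str) -> str:
    """One hex digit -> its 4-bit pattern, e.g. 'D' -> '1101'."""
    return format(int(hex_digit, 16), "04b")


def nibble_as_powers(hex_digit: str) -> list:
    """The 'how do I know this offhand' step: which of 8, 4, 2, 1 are set.
    'D' -> [8, 4, 1] because 8 + 4 + 1 = 13 = 0xD."""
    return [weight for weight, bit in zip((8, 4, 2, 1), nibble_to_bits(hex_digit)) if bit == "1"]


def byte_to_bits(hex_byte: str) -> str:
    """Two hex digits -> one byte written as two nibbles, e.g. 'DE' -> '1101 1110'."""
    hi, lo = hex_byte.strip().upper()
    return f"{nibble_to_bits(hi)} {nibble_to_bits(lo)}"


def xor_bits(a: str, b: str) -> str:
    """Apply the truth table column by column; the nibble separator is kept."""
    return "".join(" " if x == " " else XOR_TRUTH_TABLE[(x, y)] for x, y in zip(a, b))


def derive_xor(a_hex: str, b_hex: str) -> dict:
    """Return every intermediate line of the derivation plus the final value,
    and cross-check it against Python's own ^ operator."""
    a_bits, b_bits = byte_to_bits(a_hex), byte_to_bits(b_hex)
    result_bits = xor_bits(a_bits, b_bits)
    value = int(result_bits.replace(" ", ""), 2)
    assert value == int(a_hex, 16) ^ int(b_hex, 16)  # the walk-through agrees with the CPU
    return {"a": a_bits, "b": b_bits, "result": result_bits,
            "hex": format(value, "02X"), "decimal": value}


if __name__ == "__main__":
    d = derive_xor("DE", "AA")
    print(f"{d['a']}\n{d['b']} XOR\n---------\n{d['result']}  = 0x{d['hex']} ({d['decimal']})")
```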

    • @vander5464 8 months ago +2

      @@RicochetTech1 I asked a question and you gave me true XP learning. Thanks, I'm grateful, I'll buy you a coffee :D Magnificent teaching

    • @RicochetTech1 8 months ago +3

      @@vander5464 😊How magnificent for me to hear that, thank you very much @vander5464 ! ... and by the way, you gave my first "coffee" contribution, which is also my first ever creator contribution received! I do not, did not expect it... thank you! 🎉🎊

  • @thmUNIX 3 months ago

    Great video! I have only one question. If you're so paranoid that you check the SHA-256 of every download, then why are you not paranoid enough to give up using Windows and switch to GNU/Linux?

    • @RicochetTech1 2 months ago +1

      @thmUNIX I'm glad you enjoyed the video, thank you for the comment!
      Re your question on SHA256 checks...
      >> ... why you are not paranoid enough to give up using Windows and switch to GNU/Linux?
      ...I do not check download SHA-256 hashes due to any paranoia but because it's very low cost to do so and could discover an issue. This is discussed in other comments if you are curious to hear more details.
      Regarding switching... no need to switch... it's all available for folks to use as desired. If I ever download anything to Linux, I still check the download's hash if available. 😊

  • @walidkhames1966 10 months ago +1

    Thank you, and switch to dark mode, it is better for the eyes.

    • @RicochetTech1 10 months ago

      Thank you for the helpful feedback... I not only prefer dark mode but had wondered about that in hindsight; you're confirming it matters... thanks.

  • @jeremylemans3005 4 months ago +1

    I never understood that thing of verifying the hash that is given on the same page that gives the download link of a thing. If a MITM is tampering with the page content, why wouldn't they be able to change the SHA that we obtain?

    • @RicochetTech1 4 months ago

      @jeremylemans3005 It's good you are thinking in that way! If taking advantage of what exists to maximize security is your goal (this is assumed), the problem with that viewpoint is it is assumptive about the nature of the attack that could take place while ignoring other attacks. It's not that hash-checking is foolproof as much as checking the hash costs little and can catch attacks that cannot (or do not) compromise the visibly displayed and/or downloaded hash. To say checking the hash offers nothing by citing only cases which can theoretically simultaneously update the hash, and assuming, for all such cases, the hash will be certainly updated, is to ignore all other cases, and is therefore a theoretically weaker stance.
      This was discussed in earlier comments...
      ruclips.net/video/OWEZQMVLMPs/видео.html&lc=Ugxw7-C6QxMExgmG9y14AaABAg.A1HfcY4qewrA1uxRozg_By

    • @jeremylemans3005
      @jeremylemans3005 4 months ago +1

      @@RicochetTech1 thank you for pointing to the same question and your answer ^^ I see the point now.

  • @Abol2005
    @Abol2005 10 months ago +1

    Where did you learn all this stuff?

    • @RicochetTech1
      @RicochetTech1  10 months ago

      A little bit here/there over the years. I've been looking at disassembly listings and disassembling for decades.

  • @anon-fz2bo
    @anon-fz2bo 9 months ago

    I'd usually just use OpenJDK and install it through winget. I use Linux so I like open source implementations where possible. Not sure if you really need the JDK; the runtime environment ('JRE') should suffice.

  • @Rino6357
    @Rino6357 6 months ago

    Isn’t the pSecret_string just a pointer to a string? How can it be EQUAL to RAX? Is it just a value stored in the register?

    • @RicochetTech1
      @RicochetTech1  6 months ago

      @Rino6357 Can you specify the HH:MM:SS point in the video you are referring to?
      Without knowing what part of the video you're referring to, generally speaking RAX always contains a 64-bit integral value whose meaning is context dependent. For example, if it contains the address pointing to the start of a string, one might say "RAX contains the address of the string," or that it "points to the start of a string," or more simply that it "points to a string." In this type of context, the RAX register is a pointer.
      Ghidra may assign a label to the use of a register at a given point in time, where the label itself is synonymous with (an alias for) the register name. You might then use this label to refer to the register and its value rather than using the register name. The meaning of the contents of the register, though, would not really change so what I mentioned above would still apply.
      Very technically speaking, but likely completely irrelevant to your question, RAX (or other registers) could fully contain a string itself, where each byte within the register is a character, as one example. I only mention this in case you encounter code which does this.
      I'm fairly certain you're referring to a part of the video where RAX contains the address of (pointer to) a string or some position within a string... let me know the point in time in the video so I can see more specifically what you're asking about.

    • @Rino6357
      @Rino6357 6 months ago +1

      @@RicochetTech1 2:14:11 Maybe I don't understand what CPU registers are, because I thought they were just places where you store stuff. If you stored stuff in CPU registers, and there are only a limited amount, how can RAX entirely be just one pointer?

    • @RicochetTech1
      @RicochetTech1  6 months ago

      @@Rino6357 I think I see what you might be asking. When you ask "How can it be EQUAL to RAX?" in reference to 2:14:11 into the video, I think you may be interpreting what I’m saying as "equal" but I say, "… you can see over in the hover window here, secret_string_ptr is actually RAX, which is the RAX register. …"
      I’m merely pointing out that the RAX register has been given an alias (a name) of secret_string_ptr. Note, that was not the original name, but named earlier from Ghidra’s initial user-friendly name. Perhaps that answers your question but let me elaborate…
      You are correct that registers are a limited resource.
      All available registers, or all visible registers in a given situation is often referred to as the "register space." Think of register space as the set of all available registers. So you are pointing out that register space is generally limited and any given register may be used several times for different purposes throughout the life of a function.
      The RAX register (and portions of the RAX register such as AL, which is the lower 8 bits of RAX) can have different meanings throughout the life of a function. You refer to 2:14:11 which is line 47 in Ghidra’s Decompile window. Specifically, I think you’re asking about secret_string_ptr which is an alias for the RAX register. The alias was created at 1:10:33. Let’s break this down…
      At 1:10:33 we observed the basic_string::c_str() method is called to get a pointer to secret_string’s internally maintained null-terminated string of characters. Given the calling convention, the c_str() method returns that pointer in the RAX register. In a sense, the return "variable" of that call is the RAX register.
      To be helpful, Ghidra gives that "variable" (register) a default name of pcVar2. At 1:10:33 into the video, we chose to rename that variable from "pcVar2" to "secret_string_ptr." We did this because we know the meaning of the c_str() method, its contract, which says it will return such a pointer when called. We also know the c_str() method was called for the "secret_string" object instance.
      In a sense, the line calling "c_str()" is making a call as follows…
      RAX = secret_string.c_str();
      …and Ghidra, in effort to be helpful, gives RAX an alias of "pcVar2" which would make the call something like the following…
      pcVar2 = secret_string.c_str();
      …and we rename the pcVar2 alias to "secret_string_ptr" which would make the call something like the following…
      secret_string_ptr = secret_string.c_str();
      I realize you do not see those easy-to-read lines in the Decompile window … that is my way of explaining it here. The Decompile window shows you literally what is happening so you will see C++ method calls in a sort of low-level C-language manner.
      To make a method call, the "this" pointer is loaded into the RCX register, and any parameters are passed according to the convention so the first parameter would be passed via RDX (which is actually the second parameter to a method, the first being the "this" pointer via RCX). Keep this in mind when you look at the more complex Decompile source code… it is not C++ but a C-like high-level language format. Writing C++ method calls in C is always more verbose and "complex" looking… but my pseudo code above is essentially what is happening.
      Our focus here, though, is to explain that Ghidra can give a register an alias, a friendly name that might be helpful, which we chose to rename to secret_string_ptr at 1:10:33 into the video.
      Regarding CPU registers, generally speaking, for x64, all of the registers we are directly dealing with, general purpose registers such as RAX, RCX, etc., are all 64-bits. They can be interpreted by program logic in many ways but you can think of all such registers as 64-bit unsigned integers as a starting point. You can then consider different interpretations as needed.
      For example, if you are looking at program logic and see a program interprets RAX to mean something more nuanced, you can then refer to RAX as having that meaning.
      64-bits can be used many different ways. The RAX register could be a 64-bit unsigned integer, or 8 characters, or many other possibilities. The CPU does not dictate how the bits are interpreted logically by the overall application, its functions. The CPU just views RAX as a 64-bit register and will use its bits with machine instructions as defined by the CPU specification itself. Program logic will use such machine instructions to essentially achieve the program-logical meaning of those bits (i.e., an integer, a pointer, whatever).
      An x64 pointer is a 64-bit unsigned integer so the general purpose register such as RAX can hold the value of a single 64-bit pointer which is to say RAX can hold one 64-bit address at any given time.
      Once a register such as RAX is holding an address, what happens with that value, how it is used, is up to the program logic, the overall machine instructions that execute to use and/or affect RAX and so forth. A program might read the character at the address, as one example. There are many things which can be done to a pointer in a register. The walkthrough in the video covers some of the starting rudimentary cases. In the case we are focusing on here, RAX is merely being assigned a pointer returned by the "c_str()" method…
      So the program does this…
      RAX = secret_string.c_str();
      ... where Ghidra renames RAX for that context to be pcVar2 as follows….
      pcVar2 = secret_string.c_str();
      … and we rename Ghidra’s best-effort at user-friendly naming to use the following instead…
      secret_string_ptr = secret_string.c_str();
      Regardless of our renaming, secret_string_ptr is really RAX as the hover window indicates, and the above line calls the "c_str()" method which returns a 64-bit pointer (an address) of the location in memory that contains the first character of secret_string's internally maintained copy of the string, or more simply, c_str() returns a pointer to the start of the string which is often referred to as a pointer to the string.
      To be very clear, when calling "c_str()" a "string" is not returned, nor is "secret_string" but rather the address of the location of the first character of the string is returned. Therefore, returning a pointer in the RAX register returns merely an address which is a 64-bit value on x64. Even though the value is returned in the RAX register, we use Ghidra’s aliasing (naming) capabilities to rename RAX to secret_string_ptr.
      I hope that addresses your question… let me know if not.

    • @Rino6357
      @Rino6357 6 months ago

      @@RicochetTech1 Ahh thank you, I understand better now. To be clear, I wasn't at all confused about the c_str() stuff or the assigning variables, but about how a register can be equal to a single value. I thought CPU registers were just places to store multiple things, because how else could you have as many variables as possible in a program? If a CPU register can store only one value at a time, where else do you store variables after you're done with the existing registers?

    • @RicochetTech1
      @RicochetTech1  6 months ago

      ​@@Rino6357 Great questions...
      > "... I thought CPU registers were just places to store multiple things, because how else could you have as many variables as possible in a program? ..."
      It depends on what you mean by "multiple things" ... but given the context, I think you mean multiple things at once which would be incorrect.
      A register is as I mentioned in my prior comment above...
      On x64, a single general purpose register is 64-bits. The 64-bits can be used as desired by program logic. Program logic manipulates the bits in a register as desired by the program logic by using machine instructions.
      You can think of the CPU's general purpose registers as temporary locations that are used as guided by the instructions. They each hold a single value at a time, and instructions do things to a given register value, including modifying the value, storing it to memory, or overwriting a register's current value by reading a new value from a memory location, and so on.
      The appearance of multiple variables is both actual and an illusion depending on the nature of the variable and how it is used...
      Variables that need to live beyond their life in a register are stored in memory when not within a register, and variables which are no longer needed after they are used are simply discarded... which means the register's value can be replaced when needed.
      This is all despite any appearances within the original high-level source code which might indicate some variable exists. A variable usually exists for as long as it needs to exist. The actual reality depends on many factors such as the compiler's understanding of program scope, whether it's a debug/release build, what optimizations are in play, and so on.
      In the video at the location you referenced 2:14:11, you will notice c_str() is called which returns with the string pointer in the RAX register. Next, you see a MOV instruction that moves RAX to RCX where RCX is the first parameter of next CALL, where the string's pointer is passed to get_the_code via RCX. After the pointer in RAX is moved to RCX, the value in RAX is completely unimportant... yet it remains in RAX until RAX is used for something else.
      To highlight what I'm saying with an example, you can replace the original DemoApp source code line 43 with the following 3 lines...
      //original: const char* the_code = get_the_code(user_secret.c_str());
      const char* secret_string_ptr = user_secret.c_str();
      const char* the_code = get_the_code(secret_string_ptr);
      ...then build a debug build, import it into Ghidra, you will see the underlying machine instructions have not changed. The newly added variable "secret_string_ptr" provides an aesthetic to the C++ developer but plays no role in affecting program execution. The reason this happens is because "secret_string_ptr" is not needed after the call to get_the_code. So the "secret_string_ptr = user_secret.c_str();" line calls c_str() which returns the pointer in RAX, and RAX is moved to RCX when get_the_code is called. Underlying this, though, RAX is completely unimportant after it is moved to RCX.
      You can therefore think of RAX as temporarily holding a pointer returned by basic_string::c_str() which is used to load RCX before calling get_the_code but beyond that, the returned pointer in RAX ("secret_string_ptr") is not needed. And RCX itself is sort of temporary... it is used by get_the_code as needed but not required by the caller after get_the_code is called.
      Tangential, but you might want to gander at the x64 calling convention to learn about volatile and non-volatile registers across calls (i.e., what a callee must preserve or not). Try web searching for "x64 calling convention windbg" and then, on that docs page, search for the section "Caller/callee saved registers" and you can see, for example, the callee does not need to preserve RCX which means, after the call to get_the_code, RCX can be any value and the caller must not assume anything about RCX after making a CALL. Same goes for RAX.
      Given all that, both RAX and RCX can be anything after the get_the_code call and the pointer obtained by c_str() is completely lost by the time get_the_code returns which means, if you want it again, you either need to call c_str() again or save the pointer in a variable that lives beyond the life of the CALL to get_the_code.
      Perhaps a worthwhile experiment: Change the above DemoApp modification to the following which uses secret_string_ptr *after* the call to get_the_code...
      //original: const char* the_code = get_the_code(user_secret.c_str());
      const char* secret_string_ptr = user_secret.c_str();
      const char* the_code = get_the_code(secret_string_ptr);
      std::cout
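
The point made in the two replies above, that a general purpose register holds one 64-bit value at a time and program logic decides whether those bits are an integer, eight characters or an address, as an added C example that is not code from the video or its DemoApp; every function name here is made up for the illustration, and the sample strings are constructed:

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the video or the DemoApp). The same 64-bit
   pattern an x64 register such as RAX holds, read three different ways. */

/* Interpretation 1: up to eight characters packed into one 64-bit value, in
   the byte order an x64 register holds them after loading 8 bytes from
   memory (little-endian: the first character lands in the lowest byte, AL). */
uint64_t pack8(const char *s) {
    uint64_t v = 0;
    for (int i = 0; i < 8 && s[i] != '\0'; i++)
        v |= (uint64_t)(unsigned char)s[i] << (8 * i);
    return v;
}

/* The low 8 bits of that value: what the AL sub-register would contain. */
unsigned char low_byte(uint64_t v) { return (unsigned char)(v & 0xff); }

/* Interpretation 2: the same 64 bits read back out as characters. */
void unpack8(uint64_t v, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[8] = '\0';
}

/* Interpretation 3: the 64-bit value is an address. This is what c_str()
   hands back in RAX: not the string itself, only where its first byte lives. */
uint64_t address_of(const char *s) { return (uint64_t)(uintptr_t)s; }

/* "Reading the character at the address": turn the integer back into a
   pointer and dereference it; the offset walks along the string. */
char char_at(uint64_t addr, uint64_t offset) {
    const char *p = (const char *)(uintptr_t)(addr + offset);
    return *p;
}

/* Stand-in for a callee like get_the_code: it receives only a copy of the
   64-bit address (the first integer argument, RCX on Windows x64), works
   from that, and hands its result back in RAX. */
int count_chars(uint64_t addr) {
    int n = 0;
    while (char_at(addr, (uint64_t)n) != '\0') n++;
    return n;
}

int main(void) {
    uint64_t bits = pack8("Ghidra");           /* constructed sample input */
    char text[9];
    unpack8(bits, text);
    printf("as integer: 0x%llx, as text: \"%s\", AL: '%c'\n",
           (unsigned long long)bits, text, low_byte(bits));

    const char secret[] = "secret_string";    /* constructed sample input */
    uint64_t ptr = address_of(secret);        /* what RAX would hold */
    printf("as address: 0x%llx -> '%c', length %d\n",
           (unsigned long long)ptr, char_at(ptr, 0), count_chars(ptr));
    return 0;
}
```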

  • @ethanriley2939
    @ethanriley2939 6 months ago +1

    It's pronounced gee-druh, great video though!

    • @RicochetTech1
      @RicochetTech1  6 months ago

      @ethanriley2939 😊Re pronunciation... see 13:22 into the video... but thanks for clarifying and for the kind words!

  • @lucacarisi4740
    @lucacarisi4740 11 months ago

    Nice tutorial man
    But I have a problem: my .exe file is from MS-DOS (an old game for Win 3.11). I will do reverse engineering to re-create this game for a school project (sorry for my bad English - I'm from Italy). Bye

  • @mr.incognito4640
    @mr.incognito4640 3 months ago

    Why JDK 17?

    • @RicochetTech1
      @RicochetTech1  2 months ago

      @mr.incognito4640 See this following June 12, 2024 "GP-4122: Switching to JDK 21" commit...
      github.com/NationalSecurityAgency/ghidra/commit/966e6fddf3e77e21fac27a9ecf79976066443bdf

  • @Abol2005
    @Abol2005 10 months ago +1

    Do you have discord server?

    • @RicochetTech1
      @RicochetTech1  10 months ago +1

      It is not active yet... but thank you for expressing interest as it may get me to set something up!

  • @nadjehelhamza3923
    @nadjehelhamza3923 2 months ago

    Hello, thanks for these videos. Can you give me a road map to learn reverse engineering?

    • @RicochetTech1
      @RicochetTech1  2 months ago

      @nadjehelhamza3923 I'm honored to hear that, thank you for saying so! I hope you continue to find it worthy.

  • @eternalblue_
    @eternalblue_ 1 month ago

    ! WE DON'T HAVE THE SOURCE CODE ! 😹😹

  • @Paxerot
    @Paxerot 3 months ago

    Why didn't you just explain shortcuts in Ghidra as simple as pressing CTRL+X in Windows, instead of making it seem like an endless explanation? Because you never explained shortcuts when you are cutting something on Windows by pressing CTRL+X. In this video filled with endless motivational talks, you're ruining all the motivation with these silly, never-ending explanations with your own hands. And thanks for the video

  • @wisemysticaltree8520
    @wisemysticaltree8520 5 months ago

    the first guy i ever saw that uses Win 11 for Reverse Engineering...

  • @lynzoido
    @lynzoido 7 months ago

    GhiRDa? MNa

  • @ChudMuffin69
    @ChudMuffin69 10 months ago +2

    Thank you so much for this tutorial! It helped me a lot and I love your teaching style. You mentioned that there are many assembly language videos out but I would really enjoy one from you. Easy to follow along tutorial and although my Ghidra decompiler wasn't exactly the same as yours I was still able to figure everything out. I look forward to more tutorials and I think you make a great teacher.

    • @RicochetTech1
      @RicochetTech1  10 months ago

      Well, that is sensational feedback... thank you so much! ... and thanks for a hint as to what content interests you.