everything is open source if you can reverse engineer (try it RIGHT NOW!)

  • Published 13 Jan 2023
  • Keep on learning with Brilliant at brilliant.org/LowLevelLearning. Get started for free, and hurry - the first 200 people get 20% off an annual premium subscription with my URL! Thanks again Brilliant for sponsoring this video!
    One of the essential skills for cybersecurity professionals is reverse engineering. Anyone should be able to take a binary and open it in their favorite disassembler or decompiler to figure out what the features are. ALSO, reverse engineering is a fun puzzle that I highly recommend everyone try out for themselves.
    Follow along!: www.github.com/LowLevelLearni...
    Download IDA: hex-rays.com/ida-free/
    🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
    📰 NEWSLETTER 📰 Sign up for our newsletter at mailchi.mp/lowlevel/the-low-down
    🙌 SUPPORT THE CHANNEL 🙌 Become a Low Level Associate and support the channel at / lowlevellearning
    🛒 GREAT BOOKS FOR REVERSE ENGINEERING 🛒
    Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
    Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
    Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
    The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
    🔥🔥🔥 SOCIALS 🔥🔥🔥
    Low Level Merch!: www.linktr.ee/lowlevellearning
    Follow me on Twitter: / lowleveltweets
    Follow me on Twitch: / lowlevellearning
    Join me on Discord!: / discord
  • Science & Technology

Comments • 835

  • @LowLevelLearning
    @LowLevelLearning  10 months ago +3

    wanna learn more about computers? check out my courses at lowlevel.academy (there's a sale) 👌

  • @fus3n
    @fus3n 1 year ago +9696

    "You don't need any programming experience" continues to show code and terms that only a programmer would understand.

    • @dongueW
      @dongueW 1 year ago +133

      😂😂

    • @replikvltyoutube3727
      @replikvltyoutube3727 1 year ago +695

      Not only a programmer, a computer scientist too

    • @kofiboateng9181
      @kofiboateng9181 1 year ago +448

      For real lol..... I'm looking at the command line printout like, "Is that not assembly?" Then the very next line: "That's why we learn assembly." 🧐

    • @glowiever
      @glowiever 1 year ago +189

      basically the "refuse to elaborate" chad kinda thingy kek

    • @supermariozaken
      @supermariozaken 1 year ago +464

      You definitely need it; anyway, why would you want to "reverse engineer" if you have no clue what to do with it?
      YouTubers need to stop promoting "you don't need to know anything about X for this" and actually encourage people to learn what they need.

  • @stevereaver
    @stevereaver 9 months ago +1109

    "No coding experience needed", then dives straight into system level assembly.

    • @LowLevelLearning
      @LowLevelLearning  9 months ago +144

      teehee

    • @fodk7021
      @fodk7021 3 months ago +65

      @@LowLevelLearning don't try to teehee yourself out of this one!

    • @MisterChief711
      @MisterChief711 2 months ago +39

      @@LowLevelLearning not even funny. You just lied in the video.

    • @NickyDekker89
      @NickyDekker89 2 months ago +45

      @@MisterChief711 Skill issue.

    • @MisterChief711
      @MisterChief711 2 months ago

      @@NickyDekker89 I can feel the sweat on your hands

  • @avader5
    @avader5 1 year ago +1557

    This reminds me of back in the nineties when I ran my own company. I found a bug in QuickBooks Pro where they assumed a value for one of the payroll deductions would be a constant number. In my case it turned out that it had to be another value that the programmers at Intuit hadn't coded for, since they hadn't done their due diligence research into corporate payroll tax law. I then proceeded to look at the data file they were keeping, found the two bytes that represented the number for the percentage deduction on the line, and manually modified it to be the new number it needed to be. I was then surprised when, after I informed Intuit of their bug, they threatened to sue me for modification of what they termed copyrighted data.

    • @torphedo6286
      @torphedo6286 1 year ago +207

      Checks out lol

    • @featherfiend9095
      @featherfiend9095 1 year ago +101

      Super cool to see one of the original hackers (before it became erroneously equivalent to a "cracker") talking about this.

    • @RealCaptainAwesome
      @RealCaptainAwesome 1 year ago +329

      How dare you.... checks notes... find and fix a bug in our software!

    • @valcaron
      @valcaron 11 months ago +57

      They were all bark and no bite. First sale doctrine.

    • @orrilindalgunason8034
      @orrilindalgunason8034 11 months ago +9

      This sounds a lot like what happened with Russell 'Rusty' Hardenburgh if I remember correctly. Very interesting either way.

  • @AnRodz
    @AnRodz 10 months ago +566

    Although coding from a young age, 'decompiling' always felt like black-magic concept. Thanks for explaining it to me.

    • @adewalo
      @adewalo 6 months ago +8

      but black magic makes it sound cool so it's even better

    • @EvilSapphireR
      @EvilSapphireR 5 months ago +5

      You get used to it. Just filling in the gaps made by compiler optimizations and custom data types most of the time by intelligent guessing.

    • @skilz8098
      @skilz8098 5 months ago +4

      Think of compiling as a mathematical function and decompiling as its inverse function. This is a fairly decent analogy, except compilation and decompilation are within a much bigger scope of complexity, where some deductions have to be inferred from context.

    • @narrativeless404
      @narrativeless404 2 months ago +1

      It's actually kinda hard to make a good decompiler and the ones we do have are inherently unreliable
      So most of the time you're better off with just disassembly

  • @davidolsen1222
    @davidolsen1222 11 months ago +270

    Also, for various reasons password checkers shouldn't execute like that. If you hammer it, you can absolutely tell that feeding it the letter `c` first takes twice as long as any other letter when entered into the password check. And then another 10ms if you add an `a`; you can end up solving the password based on the time it takes to accept or reject it, since each letter you get right delays the time to rejection.

    • @Oliver_Atkinson
      @Oliver_Atkinson 11 months ago +3

      How do you check them simultaneously?

    • @davidolsen1222
      @davidolsen1222 11 months ago +70

      @@Oliver_Atkinson You can force a delay. So from the time you hit `enter` to the rejection, the time will be like 1 second, which also makes brute force a non-issue. But usually this isn't an issue, because the password is stored as a salted hash. So when you type aaaaaaa and then aaaaaab it would create two radically different hashed strings, so you would not actually be able to simply compute the time to denial; even if you could tell a particular password took longer to reject, the hash is cryptographic, so you can't use that information in any useful way. It's another reason to never store passwords, because comparing plain-text passwords also leads to some security issues.

    • @kirasmith1147
      @kirasmith1147 7 months ago +3

      @davidolsen1222 Well, the even better answer is that a check in an executable will never hold, or more simply "you don't". But of course server-side stuff too (also, a delay will not hold up; the actual operation must be constant time).

    • @joshie1984
      @joshie1984 3 months ago +2

      Usually a password is hashed and salted; it does not check letter by letter... this would almost never / never work or make a difference in execution time.

    • @TribeWars1
      @TribeWars1 3 months ago

      One thing you can do is for example put both the password and the input in a 256 character buffer and then check all 256 characters for equality, regardless of whether an earlier check already failed. This is not a problem if you're using password hashes btw, which is the actual correct solution for password authentication.
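The leak described in this thread, as an added example rather than code from the video or from the commenters: the early-exit compare davidolsen1222 describes next to the fixed-width, constant-time compare TribeWars1 suggests. The secret `gr33nfrog`, the 256-byte width and the `probe_steps` counter are assumptions made for the demonstration; the counter records how many bytes each check inspected, which is the quantity an attacker observes as elapsed time, so the result is deterministic instead of depending on a wall clock.

```c
/* Added example, not code from the video or from the commenters.
 * Two password checks over a constructed secret: one exits at the first
 * mismatch (leaks the matched prefix length through timing), one compares a
 * fixed number of bytes regardless of input.  probe_steps stands in for time. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_BUF 256                       /* fixed compare width (assumption) */
static const char secret[] = "gr33nfrog";  /* constructed secret, not the video's */

size_t probe_steps;  /* bytes inspected by the most recent check */

/* Leaky: returns at the first mismatch, so probe_steps == matched prefix + 1.
 * Guess one byte at a time and the slowest rejection reveals the next byte. */
int check_early_exit(const char *guess)
{
    probe_steps = 0;
    for (size_t i = 0;; i++) {
        probe_steps++;
        if (secret[i] != guess[i]) return 0;   /* data-dependent early exit */
        if (secret[i] == '\0') return 1;       /* matched through the terminator */
    }
}

/* Constant-time: both strings go into zero-filled fixed buffers (over-long
 * input is truncated, never overflowed), then all PASS_BUF bytes are compared
 * and the differences OR-ed together.  No branch depends on the secret, so
 * probe_steps is always PASS_BUF whatever the guess. */
int check_const_time(const char *guess)
{
    uint8_t a[PASS_BUF] = {0}, b[PASS_BUF] = {0};
    size_t glen = strlen(guess);               /* guess length is the attacker's own input */
    memcpy(a, secret, sizeof secret - 1);      /* secret is shorter than PASS_BUF */
    memcpy(b, guess, glen < PASS_BUF ? glen : PASS_BUF);

    uint8_t diff = 0;
    probe_steps = 0;
    for (size_t i = 0; i < PASS_BUF; i++) {
        probe_steps++;
        diff |= a[i] ^ b[i];                   /* accumulate, never branch on data */
    }
    return diff == 0;
}

int main(void)
{
    const char *guesses[] = { "a", "g", "gr33", "gr33nfrog" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        int e = check_early_exit(guesses[i]);
        size_t early = probe_steps;
        int c = check_const_time(guesses[i]);
        printf("%-10s early-exit: %d after %3zu bytes | constant-time: %d after %3zu bytes\n",
               guesses[i], e, early, c, probe_steps);
    }
    return 0;
}
```

Build with `cc -O0 timing.c` and feed guesses that extend one byte at a time: the early-exit count climbs by one for every correct prefix byte, the constant-time count never moves. The `memcpy` of the guess still depends on the guess's own length, which the attacker already knows; what must not leak is anything derived from the secret. As the thread also says, a real login compares a salted hash on the server rather than plaintext in the client binary; the constant-time compare is then applied to the hash output.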

  • @Kyrelel
    @Kyrelel 3 months ago +30

    Good luck reversing any binary with zero programming knowledge.

    • @jeanm3506
      @jeanm3506 13 days ago

      😂😂😂😂

  • @afifmalghani5202
    @afifmalghani5202 1 year ago +55

    I have been waiting man. Thank you! I don't wanna go down the conventional, tools first, path that is taught in most of the courses out there.

    • @LowLevelLearning
      @LowLevelLearning  1 year ago +7

      Right on

    • @thiagomoreira6640
      @thiagomoreira6640 11 months ago

      @@LowLevelLearning can you please answer where you hid the password in the C source code? I reviewed the video a few times and I didn't see the password in the original C source code... How did you manage to hide it?

    • @galfisk
      @galfisk 11 months ago +3

      ​@@thiagomoreira6640 he collapsed the getPass function in the source view. Lines 4-36 are hidden when we see it.

  • @jakenbaked87
    @jakenbaked87 4 months ago +1

    This was the BEST tutorial on IDA and disassembly I've heard on YouTube

  • @C5pider
    @C5pider 1 year ago +62

    Amazing video. Just a small side note that IDA Freeware comes with a free online decompiler which generates (very *accurate*) pseudo C code. Would love to see more of this kind of video. Cheers.

    • @neutron_stz8894
      @neutron_stz8894 1 year ago +7

      ida is too far away from that "accurate"

  • @wreespace
    @wreespace 9 months ago +51

    I was having trouble understanding how a memory call works on a computer. This video cleared that up for me. Seeing it in action made so much sense. I can't thank you enough.

  • @berkay2410
    @berkay2410 1 year ago +139

    Loving the content! A tutorial on learning the C language from beginner to advanced, maybe? Roadmaps for these kinds of languages are always welcomed by the community and highly watchable; it might pull in more new viewers!

    • @alpayarsoy2437
      @alpayarsoy2437 1 year ago +5

      There's an "Intermediate C Programming" book available for free on the internet. It had some good information.

    • @raka2844
      @raka2844 11 months ago +1

      @@alpayarsoy2437 can you tell me which one is it?

    • @Moon-D0G
      @Moon-D0G 11 months ago +22

      Bro c'mon, it's like begging for content on calculus 1 or trigonometry in 2023. C and C++ already have very in-depth guides on YouTube and as books. These languages have been out there for decades.

    • @berkay2410
      @berkay2410 11 months ago

      @@Moon-D0G 5 months ago you commented "im new at programming" on another video, and now you come here and write "come on bro, it's been around for years bro", showing off 😁 I gave the guy a content suggestion and valid reasons for it, and you call it "begging"; man, why our Turks are like this is impossible to understand 😁

    • @berkay2410
      @berkay2410 11 months ago +2

      @@alpayarsoy2437 thank you for the helpful pointer 🙏🏼

  • @astrovicis
    @astrovicis 5 months ago

    This was awesome. Also the first time I feel like I’ve genuinely followed a video like this. Thank you!!

  • @YasserCherfaoui
    @YasserCherfaoui 1 year ago +66

    I never knew IDA before; I used to use GDB to do kinda reverse engineering, but now I feel like it's something I should start relying on. Thank you sir!

    • @YasserCherfaoui
      @YasserCherfaoui 1 year ago +2

      @@khatdubell thanks a lot man

    • @sobowalebayo9185
      @sobowalebayo9185 9 months ago +1

      Hello, can you help with guides to becoming a reverse engineer?

    • @zhad6045
      @zhad6045 6 months ago

      @@sobowalebayo9185 google

    • @taahaseois.8898
      @taahaseois.8898 4 months ago

      @@sobowalebayo9185 watch the video...

  • @dougsaylor6442
    @dougsaylor6442 11 months ago

    This was really great to see. Thanks for the intro! 😀

  • @red.doritos
    @red.doritos 1 year ago +432

    You are good at explaining things to beginners; pls do more of this reverse engineering stuff, make it a series. You don't complicate things, I like it.

    • @neti_neti_
      @neti_neti_ 11 months ago +2

      You said it exactly right; simplicity and ease are divinity. 👏👏👏

    • @JLSXMK8
      @JLSXMK8 11 months ago +2

      “..Simplicity and spontaneity is divinity.”; Very true.

    • @neti_neti_
      @neti_neti_ 11 months ago

      @@JLSXMK8 👏👏👏

    • @laptopDoctorKZN
      @laptopDoctorKZN 6 months ago

      Hi, can firmware be decompiled?

  • @valshaped
    @valshaped 1 year ago +13

    The ABI is more like an agreement that writers of assembly language programs make with other assembly writers for the sake of code interoperability. (In this context, the writer is a compiler, but it could be a person as well.)
    The processor generally doesn't care; as long as it's valid machine code, it'll run, ABI be damned.
    You can return your own custom tuple with 2 ints, a short, and a char* if you want, but you can't expect a C program to understand.

    • @zaphod101010
      @zaphod101010 11 months ago +3

      I came down here to say that this is absolutely correct.

  • @offroaders123
    @offroaders123 11 months ago +3

    Woah, super cool! And at 12:50, after he pointed out the 'g', you can actually see the rest of the password characters at the start of each section in the buffer. Crazy!

  • @jordantheman25
    @jordantheman25 1 year ago +57

    I love Ghidra

    • @billigerfusel
      @billigerfusel 1 year ago +3

      Idafree is really limited. Ghidra is the way to go.

    • @MisterK-YT
      @MisterK-YT 1 year ago +6

      I love chicks

  • @charlesbaldo
    @charlesbaldo 5 months ago

    Nice, takes me way back to my 6502 days, writing decompilers.
    Subscribed and Looking forward to seeing what else you have.

  • @anon_y_mousse
    @anon_y_mousse 1 year ago +32

    The program `strings` is exactly why if I want to protect my own programs I just encode my own strings. I don't always write things that I want to protect, but it's still fun to play with different methods of encoding to stave off passive RE.

    • @spaghettiking653
      @spaghettiking653 11 months ago

      What do you mean by encoding?

    • @anon_y_mousse
      @anon_y_mousse 11 months ago +5

      @@spaghettiking653 It could be as simple as an xor scheme, but no matter what method I use, it wouldn't be secure because the means to decode it would be in the binary. It's at best a first step.

    • @kirasmith1147
      @kirasmith1147 7 months ago +3

      Also best to save this part as a pre-production-build automation instead of unironically making a mess of your codebase
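The XOR scheme from this thread, as an added example (not the commenter's code), with the encoding done as a build-time step as the last reply suggests. The key `K3y!`, the message `hunter2` and the function names are constructed for the illustration; the pre-encoded table is what would be pasted into the source, and `build_step_matches` shows the build step reproducing it.

```c
/* Added example, not the commenter's code: string obfuscation so that
 * `strings` does not show the literal.  Encoding happens once at build time
 * (obf_encode), decoding at run time into a short-lived stack buffer.
 * Key, message and names are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t obf_key[] = { 0x4B, 0x33, 0x79, 0x21 };  /* "K3y!", cycling key */

/* Build-time step: XOR each byte with the cycling key.  Run this in a
 * pre-build script and paste the output into the source. */
void obf_encode(uint8_t *out, const char *plain, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)plain[i] ^ obf_key[i % sizeof obf_key];
}

/* Run-time step: XOR is its own inverse.  out needs len + 1 bytes. */
void obf_decode(char *out, const uint8_t *blob, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(blob[i] ^ obf_key[i % sizeof obf_key]);
    out[len] = '\0';
}

/* "hunter2" pre-encoded with obf_key: this is what lands in .rodata. */
static const uint8_t secret_blob[] = { 0x23, 0x46, 0x17, 0x55, 0x2E, 0x41, 0x4B };

/* Does needle occur as a byte sequence anywhere in hay?  This is the
 * question `strings | grep` answers for a reverser. */
int contains_bytes(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= hlen && i + n <= hlen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Decode, compare, scrub: the plaintext exists only briefly on the stack. */
int secret_matches(const char *candidate)
{
    char plain[sizeof secret_blob + 1];
    obf_decode(plain, secret_blob, sizeof secret_blob);
    int ok = strcmp(plain, candidate) == 0;
    memset(plain, 0, sizeof plain);  /* best effort; the optimizer may drop it */
    return ok;
}

/* Re-run the build step and confirm it reproduces the pasted table.  The
 * literal here exists only for this check; a real build keeps it out of
 * the shipped binary entirely. */
int build_step_matches(void)
{
    uint8_t enc[sizeof secret_blob];
    obf_encode(enc, "hunter2", sizeof enc);
    return memcmp(enc, secret_blob, sizeof enc) == 0;
}

int main(void)
{
    printf("build step reproduces blob : %d\n", build_step_matches());
    printf("plaintext visible in blob  : %d\n",
           contains_bytes(secret_blob, sizeof secret_blob, "hunter2"));
    printf("candidate 'hunter2' accepted: %d\n", secret_matches("hunter2"));
    printf("candidate 'hunter3' accepted: %d\n", secret_matches("hunter3"));
    return 0;
}
```

Run `strings` on a binary built without `main`'s check: `hunter2` is absent, although short printable fragments of the blob can still show up, and anyone who finds `obf_decode` in the disassembly has the key in the same file, which is exactly the limit the thread points out. The `memset` scrub can be removed by the optimizer; use `explicit_bzero` or `memset_s` where available.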

  • @matthewboyer4212
    @matthewboyer4212 11 months ago +13

    Should also be worth mentioning that in the United States, contracts can override the fair use clause in the DMCA. Courts have upheld this.
    This means that while reverse engineering isn't illegal, it almost always violates a contract and could result in a civil lawsuit for breach of contract or copyright infringement.

    • @LowLevelLearning
      @LowLevelLearning  11 months ago +3

      www.eff.org/files/2022/02/17/2022-02-16_apple_v_corellium_amicus_-_filed.pdf

    • @ChristopherGray00
      @ChristopherGray00 10 months ago +6

      reverse engineering, with how it is traditionally done, can violate copyright law, however pure clean room blackbox reverse engineering, in any instance does not break copyright law, as none of the code of the original program is actually used.
      clean room blackbox reverse engineering, is obviously astronomically more difficult to do, but legally it is airtight because all you are doing is reading the output of the original program, and then writing code based on what you think it is doing.

    • @matthewboyer4212
      @matthewboyer4212 10 months ago +9

      @@LowLevelLearning
      1: see Bowers v. Baystate Technologies, Inc.
      2: This is an amicus curiae, not a court case. it also discusses the benefits of reverse engineering and isn't a law.
      I never said that reverse engineering was bad, I said it was a breach of contract.

  • @ssrd.
    @ssrd. 1 year ago +30

    Amazing video, king. One thing though, I think you forgot to put the download link for IDA you mentioned at 4:11. Also, the repo in the description is probably private.

  • @BiteYt69
    @BiteYt69 1 year ago +3

    I once made a function from ida pseudocode in c++, used a function pointer of my function and Mshookfunction to hook into the real function and replaced it, it worked as the replacement function had same bytesize as original function. Ida or ghidra + hooks are really fun

  • @harveysattic3918
    @harveysattic3918 1 year ago +12

    I am so far 1 week into C#, granted this video went over my head a tiny bit, but I understood the fundamentals. Looks like I might dabble in this in the future.

  • @sorek__
    @sorek__ 1 year ago +8

    Such explanations of simple concepts are really why I subscribed to your channel! Wish you did followup videos on more advanced stuff with it.

  • @julianbittner4822
    @julianbittner4822 3 months ago

    I always wanted to dig into reverse engineering but never knew where to start. Thank you so much!

  • @bendono
    @bendono 1 year ago +18

    The ABI varies depending on the OS rather than the processor. For example, Windows and Linux have different ABIs while they may run on the same processor.

    • @GAxelic
      @GAxelic 1 year ago

      does that mean that some ASM scripts don't run on both Operating Systems?

    • @andrewdunbar828
      @andrewdunbar828 1 year ago

      @@GAxelic ASM is not a script and typically no ASM code that does anything useful will run on two different OSes with the same CPU unless specially crafted to do so.

    • @andrewdunbar828
      @andrewdunbar828 1 year ago +1

      Came here to say this. The CPU or ISA company may well have an official ABI these days and some part of that might not be negotiable by the OS designer, but most of it is. And machine code doesn't need to follow it at all and in the case of malware should probably avoid as much official ABI style as possible in the most obfuscated parts.

  • @LiamStojanovic
    @LiamStojanovic 1 year ago +1

    Dude this video is awesome. You should do more of these!

  • @unknownlordd
    @unknownlordd 1 year ago +2

    Can't wait to watch this video but I'm studying
    Love your content man please make more cybersec videos cause things magically click if it's you explaining

  • @flyingbutter7612
    @flyingbutter7612 21 days ago +1

    Ok, this was very helpful since I didn't know where to begin on reverse engineering. Thank you!

  • @keatonhatch6213
    @keatonhatch6213 1 year ago

    Love the breaking down of every step. Keep it up!

  • @saddish2816
    @saddish2816 1 year ago +7

    Reverse engineering is so fun. Please teach us more

  • @user-kw9cu
    @user-kw9cu 1 year ago +6

    We need more stuff like this

  • @SpinStar1956
    @SpinStar1956 9 months ago

    Great, hope you do more!
    Thanks!

  • @olfin88
    @olfin88 10 months ago

    Incredible channel, thank you for existing

  • @thomasbard1506
    @thomasbard1506 1 year ago +201

    You are doing such a great job man! Keep it up, I learnt so much from you dude, you're literally a better teacher than most of the teachers I had in college! Love you!

    • @LowLevelLearning
      @LowLevelLearning  1 year ago +26

      I appreciate that!

    • @SanketLakhera
      @SanketLakhera 1 year ago +2

      Same here

    • @agentstona
      @agentstona 1 year ago +1

      Such a good job saying no prerequisites required BUT NOT TELLING that you are freaking messing with CPU & MEMORY REGISTERS that can DAMAGE your HARDWARE if you execute the wrong LOW LEVEL CODES !!!!!!

    • @pialdas6835
      @pialdas6835 10 months ago

      @@agentstona Where was he messing with CPU registers? What memory address registers was he changing?

    • @agentstona
      @agentstona 10 months ago

      @@pialdas6835 you have a lot to learn. Have you ever played the game of Jenga, and do you know what a stack and offsets are? sigh

  • @repairstudio4940
    @repairstudio4940 9 months ago

    This is awesome! Thank you! 🎉

  • @stdint.h
    @stdint.h 1 year ago +28

    The RDI and RSI part is for the 64 bit ABI, for 32 bits, the arguments are pushed to the stack. If a function has 2 args in 32 bit code, [esp] inside the function will have the return address of the function, [esp + 4] will have the 1st arg (pushed in reverse order) and [esp + 8] will have the 2nd arg.

    • @johnpmchappell
      @johnpmchappell 10 months ago

      Depending on the calling convention, actually, but assuming stack for arguments, that's correct. Order of the argument push also varies, however. Calling convention gets to be lots of fun. That we have a single de facto calling convention for AMD64 is one of the nicest things about it.
      Edit for clarity: One calling convention per *platform* the ABI for Windows differs from the ABI for Linux, on AMD64. This is still much better than the situation on 32 bit x86 processors, where the ABI varied by platform and language, and sometimes developer whim.

  • @Grentanksmog
    @Grentanksmog 9 months ago +16

    Nice demonstration! Except that when dealing with passwords no one just compares them char by char. They often are stored in hashes with salts, so you cannot decipher it w\out brute force

  • @Bchicken2
    @Bchicken2 1 year ago

    Because of you I love low-level stuff, and studying to get eCRE certified.

  • @pr0xythegodofhax
    @pr0xythegodofhax 1 year ago +1

    nice video man (as always), love your channel
    could you make a video about dynamically analysing/debugging any binary? (in preference a normal program or a malware, if i'm asking too much i am sorry)

  • @alexandrsavochkin9442
    @alexandrsavochkin9442 11 months ago +12

    Good introduction! Not quite a disassembly-related question: I am wondering why the code generated by the compiler for each character comparison uses RAX for different things, so it needs to overwrite it multiple times: 1. it loads the buffer address into it and adds the offset to it, and then 2. loads the character for comparison. Wouldn't it be more effective to use another register, say RBX, for the buffer address and RAX for the character comparison (or vice versa)? I know registers are a scarce resource, but here it seems to make sense to me to use 2 regs.
    At the same time, I heard that compilers are very smart today and create much better binary code than an average human writing assembly code, so it should have some efficiency explanation.

    • @wildbohana
      @wildbohana 10 months ago

      GCC does have many flags that can affect the way that the compiled code will look, some of the flags allow you to choose what level of optimization you want for your code, but more optimized code also takes more time to compile

    • @giornikitop5373
      @giornikitop5373 7 months ago +1

      a few come to mind.
      1. rax is the alu register.
      2. being a c program, all return values are stored in rax.
      3. rax is generally safe to be changed whenever.
      4. modern cpus can write faster to the same register if it was accessed shortly before. of course it's not perceivable but that's what intel claims.
      my guess is mostly because of 2 and 3 but also depends on the compiler's optimization lvl. of course the disassembly can be a bit "off" because ida doesn't always produce the most accurate results, but this is a very simple binary for that to be the case.

    • @miriamkapeller6754
      @miriamkapeller6754 5 months ago +1

      The explanation is simply that he compiled without optimizations. The mov, add and movzx instructions are unnecessary. In an actual release executable, each set of these 4 instructions can be reduced to a single cmp instruction, like cmp byte ptr [rdi+7], 100.

  • @ItsMrEzzy
    @ItsMrEzzy 11 months ago

    For real, this was amazing! I might actually start trying it 🔥🔥

  • @hdufjwif6fjjgkf943
    @hdufjwif6fjjgkf943 1 year ago +1

    Nice timing! Just installed Ghidra to learn rev eng and binary exploitation and your video came out

  • @samjohn1098
    @samjohn1098 11 months ago

    One of the videos to get started with reverse engineering.

  • @luxdown7965
    @luxdown7965 1 year ago

    Great video man! We want more on reverse engineering, so interesting.

  • @k1gen
    @k1gen 1 year ago

    wow, been waiting for reverse engineering video, thanks!

  • @ThePowerRanger
    @ThePowerRanger 1 year ago +30

    Great video, a similar video for ARM Assembly would be great, explaining the special registers and stuff.

    • @LowLevelLearning
      @LowLevelLearning  1 year ago +4

      Great suggestion!

    • @m.projects
      @m.projects 1 year ago

      I think that the free IDA version doesn't include ARM support, that would be a big issue

  • @allissonrey
    @allissonrey 1 year ago

    recently I learned how to hook functions in C and C# , it's so cool. Also, great video !

  • @user-dt8cr3is8b
    @user-dt8cr3is8b 1 month ago

    Really engaging content and shows actual examples, keep up the good work ^^

  • @martijn3151
    @martijn3151 11 months ago +38

    I definitely enjoyed the video. Although I think the title is a bit too much clickbait. Equaling reverse engineering to being open source code, is a long stretch in my opinion. Sure, this simple non optimized example is quite understandable when it’s reverse engineered. Now try a large program containing lots of templated code, with O3 optimization, inline functions, loops unrolled, SIMD optimizations etc and see how far the disassembly will bring you to what it is you’re trying to achieve. E.g., getting around a password check. It’s super hard and you definitely need programming and assembly experience to even begin to tackle that. Nice introduction though ☺️

    • @Dante-420
      @Dante-420 3 months ago +2

      It's definitely click bait and a lie - just because you can reverse engineer something doesn't mean you have the legal ability to create and publish a derivative work.

  • @wellingtoncarvalho1621
    @wellingtoncarvalho1621 1 year ago

    Awesome video with a lot of great content! Pls keep this series on.

  • @abdulrahmanelawady4501
    @abdulrahmanelawady4501 11 months ago +2

    That was quite simple to understand, despite the fact that it will need you to understand the basic terminology of computer science in order to follow along. But overall, it was nice to watch. Hey, maybe you can make a video covering that basic terminology and link it to your future videos, so people would be able to understand easier. But hey, what do I know~

  • @datag
    @datag 9 months ago

    Nice video, thanks. I missed the short info about a second solution patching the binary to bypass the check simply by changing the 'jz' to a 'jnz'.
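The jz-to-jnz patch mentioned above, worked as an added example (not from the video): a small patcher that locates the `test eax, eax ; jz` sequence in a raw code image and flips the opcode byte. The byte image, the function names and the file-patching wrapper are constructed for the demonstration; the video's binary is not on this page. The patcher refuses to act unless the signature occurs exactly once, because patching the first of several hits is how an unrelated function gets broken.

```c
/* Added example, not code from the video: the "change the jz to a jnz"
 * bypass applied to a raw x86-64 code image.  sample_image is constructed
 * to resemble compiler output for
 *     call getPass ; test eax, eax ; jz wrong_password
 * and is not the video's binary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { JZ_REL8 = 0x74, JNZ_REL8 = 0x75 };  /* rel32 forms are 0F 84 / 0F 85 */

/* Count occurrences of pat in buf and report the offset of the first one. */
size_t find_pattern(const uint8_t *buf, size_t len,
                    const uint8_t *pat, size_t plen, size_t *first)
{
    size_t hits = 0;
    for (size_t i = 0; plen <= len && i + plen <= len; i++) {
        if (memcmp(buf + i, pat, plen) == 0) {
            if (hits == 0) *first = i;
            hits++;
        }
    }
    return hits;
}

/* Overwrite the byte at (signature offset + delta) when it holds `expect`.
 * Returns the absolute offset patched, or -1 if the signature is missing,
 * ambiguous, or the byte there is not the opcode we expected. */
long flip_jump(uint8_t *buf, size_t len, const uint8_t *sig, size_t slen,
               size_t delta, uint8_t expect, uint8_t replacement)
{
    size_t off = 0;
    if (find_pattern(buf, len, sig, slen, &off) != 1) return -1;
    if (off + delta >= len || buf[off + delta] != expect) return -1;
    buf[off + delta] = replacement;
    return (long)(off + delta);
}

/* The specific patch for this check: "test eax,eax ; jz" -> "... ; jnz". */
long patch_password_check(uint8_t *img, size_t len)
{
    static const uint8_t sig[] = { 0x85, 0xc0, JZ_REL8 };
    return flip_jump(img, len, sig, sizeof sig, 2, JZ_REL8, JNZ_REL8);
}

/* Constructed 27-byte code image: prologue, call, test, jz, two exits. */
uint8_t sample_image[] = {
    0x55,                          /* push rbp                             */
    0x48, 0x89, 0xe5,              /* mov  rbp, rsp                        */
    0xe8, 0x00, 0x00, 0x00, 0x00,  /* call getPass (rel32 left unresolved) */
    0x85, 0xc0,                    /* test eax, eax                        */
    JZ_REL8, 0x07,                 /* jz   wrong  (+7 -> offset 20)        */
    0xb8, 0x00, 0x00, 0x00, 0x00,  /* mov  eax, 0   ; correct password     */
    0x5d, 0xc3,                    /* pop  rbp ; ret                       */
    0xb8, 0x01, 0x00, 0x00, 0x00,  /* wrong: mov eax, 1                    */
    0x5d, 0xc3,                    /* pop  rbp ; ret                       */
};

/* Edge case: the same signature twice in one image; the patcher must refuse. */
long patch_ambiguous_demo(void)
{
    uint8_t twice[2 * sizeof sample_image];
    memcpy(twice, sample_image, sizeof sample_image);
    memcpy(twice + sizeof sample_image, sample_image, sizeof sample_image);
    return patch_password_check(twice, sizeof twice);
}

/* Apply the patch in place to a file on disk (the usual workflow once the
 * jz has been located in IDA or objdump).  Returns patched offset or -1. */
long patch_file(const char *path)
{
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    long size = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    uint8_t *buf = size > 0 ? malloc((size_t)size) : NULL;
    long off = -1;
    rewind(f);
    if (buf && fread(buf, 1, (size_t)size, f) == (size_t)size) {
        off = patch_password_check(buf, (size_t)size);
        if (off >= 0 && (fseek(f, off, SEEK_SET) != 0 || fwrite(&buf[off], 1, 1, f) != 1))
            off = -1;                       /* write failed: report, do not pretend */
    }
    free(buf);
    fclose(f);
    return off;
}

int main(int argc, char **argv)
{
    if (argc == 2) {                        /* ./patch <binary> patches a real file */
        printf("patched offset: %ld\n", patch_file(argv[1]));
        return 0;
    }
    uint8_t img[sizeof sample_image];
    memcpy(img, sample_image, sizeof img);
    long off = patch_password_check(img, sizeof img);
    if (off >= 0)
        printf("patched offset %ld: opcode now 0x%02x; ambiguous image -> %ld\n",
               off, img[off], patch_ambiguous_demo());
    return 0;
}
```

For a real target, confirm the file offset against the disassembler's view before writing (IDA shows the file offset alongside the virtual address): the same three bytes occur in many functions, which is why the patcher insists on a unique match. If the compiler emitted the `rel32` form, the signature becomes `85 c0 0f 84` and the byte to flip is the `0x84`. The patch does not change code size, so every other offset in the binary stays valid; that is what makes a one-byte opcode flip safer than inserting instructions.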

  • @SS-in2kr
    @SS-in2kr 1 year ago

    I enjoyed it. Thanks for this video. Please continue making such videos.

  • @BackyardMonster
    @BackyardMonster 9 months ago +89

    Would be cool to see you reverse engineering a multiplayer flash game, since most of them only have the .swf files and no server-side files. Maybe tricking it to run on a localhost. Something like this would be very cool and could help archive more flash games, but it's probably 100x more effort.

    • @user-yw8sr3uj1w
      @user-yw8sr3uj1w 9 months ago +3

      Yes please!!

    • @VanBagdi
      @VanBagdi 9 months ago +34

      It is actually easier to decompile Flash games because they run on ActionScript, which like Java and C#, is first compiled to bytecode, which is then run on a VM. There are decompilers that give you the entire source code from a SWF file with full variable names and everything.

  • @kkyang7515
    @kkyang7515 7 months ago

    I finally understood why my school taught me assembly now🤯. I never used it because I am on the dev side. that is so cool!!

  • @Thunder-dp7du
    @Thunder-dp7du 11 months ago

    Thanks for making it easy to understand, pls keep posting that kind of video.

  • @SloppyPuppy
    @SloppyPuppy 1 year ago +1

    Ghidra is a more complex tool, per se, but it's also GPL2, so if you're looking for something open source I'd go for that.

  • @nixielee
    @nixielee 1 year ago +2

    You should do this for real malware, YT needs more of this stuff

  • @eljuano28
    @eljuano28 1 year ago +1

    You're a cyber treasure, dude.
    Don't ever forget that.

  • @FalcoGer
    @FalcoGer 1 year ago +5

    6:00 there is no agreement with the processor. It's simply a calling convention that in 64 bit processors you use registers for the first few arguments and then the stack for the rest. There is no agreement with anything, it's just something that the compiler does for internal consistency. There is no need for it to be that way. You can write your own assembly and put whatever you want in whatever register you want and do a function call and then read those registers back. All that really matters is how the processor behaves to the outside world, and that is documented in the instruction set manual, outlining how the processor should behave when any given instruction is executed. And none of those say that RDI should contain the first argument for a function call. In fact call really only does 2 things. Push the next IP to the stack and set the instruction pointer to the callee. Or in detail it pushes the address of the next instruction to the stack pointer address and then decrements the stack pointer address and then sets the instruction pointer to the function to be called. Nothing else goes on here. It's up to the compiler to handle how arguments are transferred to and from the function, how to handle the stack or anything else, really.
    9:43 no, some dumb programmer may have given the function the name "getPass" originally, but that's not what the function does. Since you "don't know" the original name, you should give it the best name you can come up with. A better name would be "checkPassword" or "comparePassword" or something along those lines, because that function doesn't return (get) the password, it just checks if the password you provided is correct or not.

  • @ludologian
    @ludologian 11 months ago +7

    I didn't know that there are existing bash commands to disassemble strings and objects.. I like that you go up level by level, but you should have talked about reverse engineering the code with some decompilers, as they usually return the code if it's not obfuscated; then maybe try to see the call stack with debugging, then use a disassembler.

    • @GeneralZimmer
      @GeneralZimmer 10 months ago +1

      I legit thought he'd show us a decompiler when he said you don't need programming skills or anything.

  • @DanielRamBeats
    @DanielRamBeats 11 months ago

    SO happy I found your channel!

  • @mantisgaming
    @mantisgaming 11 months ago +6

    I'd love to have seen what the getpass function looked like in c at the end of the video

  • @jesusdueas7145
    @jesusdueas7145 4 months ago +3

    "You don't need any programming experience" taking a binary? From a source code? With different symbols? They are types of variables? Names of functions? And they are readable strings? And you can get a lot of information by reading a buffer from the source code? What is the "if getPass"? This is not even minute 1 and I'm lost.

  • @noire.5573
    @noire.5573 7 months ago

    This is just like CSAPP: Bomb Lab! I really recommend it as a good way to practice these types of skills

  • @RICK_MCN
    @RICK_MCN a month ago

    I like how you break this down for people that don't understand this, or dumb it down. Very nice, brother 👍👍

  • @TemutoDonOmar
    @TemutoDonOmar a year ago +26

    Great video! You say the registers are set for the x86 processor, but I think it is for the "calling convention" in Linux, and it can change for other OSes. I didn't know this IDA; it looks very interesting, thank you!

    • @Acorn_Anomaly
      @Acorn_Anomaly a year ago +4

      Yeah, a calling convention is set based on the target processor AND target OS.
      x86/i686 is different than x86-64/amd64, which is different from ARM, etc. And Linux and Windows conventions can be different.

  • @sp3ct3r71
    @sp3ct3r71 a year ago

    Woooow, what a great video... been expecting this video for such a long time... keep going with this series

  • @magickpalms4025
    @magickpalms4025 10 months ago

    Wow, really helpful info! I can only imagine what a nightmare it is to do this on malware that has been purposefully obfuscated

  • @meestyouyouestme3753
    @meestyouyouestme3753 3 months ago +2

    “no coding experience required.”
    *requires past programming participation *

  • @dolandak6300
    @dolandak6300 a year ago

    Such good content, keep it up buddy

  • @simonegalli5453
    @simonegalli5453 11 months ago

    Man, I want an assembly course so much!

  • @a.j.bussman8170
    @a.j.bussman8170 10 months ago

    Very cool, I will have to try this for work when trying to understand some DLL stuff.

  • @whtiequillBj
    @whtiequillBj a year ago +6

    This is a very good high level explanation of reverse engineering. Do you have any plans on something more intermediate level or do you have a channel that I could go look at for something like that? I'm already in the weeds from reading the Intel Architectures Software Developer's Manual. I've been enjoying using Kaitai.

    • @sh_gosha6867
      @sh_gosha6867 a year ago

      This channel youtube.com/@HEXORCIST?si=EnSIkaIECMiOmarE

  • @PointEndClick
    @PointEndClick 9 months ago

    This video is awesome.

  • @sunofabeach9424
    @sunofabeach9424 9 months ago

    I use Cutter for reverse engineering, highly recommended

  • @ThyTrueNightmare
    @ThyTrueNightmare 10 months ago

    Very informative, thank you

  • @complexity5545
    @complexity5545 a year ago

    Memories; this reminds me of the times I would spend with Olly (before I really knew Solaris and Linux). It is good to know the same principles still work. I just watch this for entertainment (which solidifies me as somewhat of a nerd).

  • @ZeonLP
    @ZeonLP a year ago +51

    While I like the video in general, reverse engineering is definitely NOT easy. Try reversing a more complex binary (AAA games, commercial software, etc.). Without references, and in the presence of obfuscation & code virtualization, RE can quickly become a very specialized and extremely time-intensive puzzle that likely requires deep knowledge about OS internals, compilers and assembly. Here, we of course have the original code as a reference and, having written it ourselves, all underlying program concepts are already known, which defeats the purpose of "solving the puzzle", aka reverse engineering.

    • @poiu477
      @poiu477 a year ago +5

      getting into it is easy, getting good is hard

    • @S.O.N.E
      @S.O.N.E a year ago +4

      Guy really expected the 13 min video to be 3 hours long

    • @simulator8
      @simulator8 10 months ago +4

      @@S.O.N.E Guy really thinks a 3-hour video would be enough for reverse engineering

    • @ocaly
      @ocaly 8 months ago +1

      @@simulator8 Guy really wouldn't want a 3-hour-long video about RE

  • @benjaminrich9396
    @benjaminrich9396 a year ago +3

    I love videos like this. Keep 'em coming. :)

  • @cpu_1292
    @cpu_1292 7 months ago +1

    EULA: am I a joke to you?
    Yes, yes it is

  • @datrrico
    @datrrico 2 months ago

    Great explanation, thanks

  • @willie9899
    @willie9899 a year ago +2

    Coming at this with a year of CE, I learned a bit about the buffer. Any chance you could do a crash course about the stack? I know how to manipulate it, but I don't understand what I'm manipulating.

  • @xxslaysminecraftxx1094
    @xxslaysminecraftxx1094 a year ago

    Literally the video I've been waiting for from your channel. Thank you so much

  • @paulezekiel-hart733
    @paulezekiel-hart733 7 months ago +3

    Remember folks, you don't need any programming experience 😅

  • @mytechnotalent
    @mytechnotalent a year ago

    Incredible primer, great job!

  • @jonathansung8197
    @jonathansung8197 12 days ago

    This is how you used to change to the dark theme for Unity a few years ago back when the free version of Unity was restricted to the light theme only. You would open the Unity.exe with a hex editor and manually change a particular value.

  • @JC14789
    @JC14789 7 months ago

    Back in the XP era (32-bit), IDA Pro was able to disassemble these simple unencrypted binary executable files and generate the corresponding C++ code

  • @agucci
    @agucci a year ago +1

    I am not the best reverse engineer in the world, but IDA is so much fun for the entire family and friends... The Cyber research of the Law.

  • @mike2672
    @mike2672 2 months ago

    Easy stuff, great explanation

  • @pabloqp7929
    @pabloqp7929 a year ago

    Keep 'em coming 🔥🔥

  • @pixelcatcher123
    @pixelcatcher123 a month ago

    This is so cool, IDA is such a powerful tool

  • @NotGarbageLoops
    @NotGarbageLoops 14 days ago

    Wish I had this 10 years ago. Did so much learning the wrong way around.

  • @TheWoWGod94
    @TheWoWGod94 5 months ago +6

    "You don't need any programming experience" yeah right...

  • @oching4
    @oching4 2 months ago

    Marvelous! Thank you

  • @jonathanmurray2986
    @jonathanmurray2986 8 months ago +1

    “No previous programming experience needed…anyway, here’s assembly”

  • @mohamedsaeed7688
    @mohamedsaeed7688 a year ago

    AYOOO, YOU FINALLY RELEASED IT!!