everything is open source if you can reverse engineer (try it RIGHT NOW!)

  • Published 20 Nov 2024

COMMENTS •

  • @LowLevelTV
    @LowLevelTV  1 year ago +34

    wanna learn more about computers? check out my courses at lowlevel.academy (there's a sale) 👌

    • @a-google-user07
      @a-google-user07 4 months ago +1

      9 likes?? lmao what

    • @Moppup
      @Moppup 4 months ago

      This is fascinating! Thanks!

  • @Vortex-qb2se
    @Vortex-qb2se 7 months ago +582

    The guys with no coding experience must be terrified now

    • @MohitKhare
      @MohitKhare 4 months ago +39

      bro, 8 years of professional experience with me. Still struggling just to keep up with him. 😂

    • @artemis-arrow-3579
      @artemis-arrow-3579 4 months ago +12

      @@MohitKhare skill issue

    • @candybird7028
      @candybird7028 4 months ago

      @@artemis-arrow-3579 no one likes u

    • @minhhoangvo4759
      @minhhoangvo4759 3 months ago +2

      @@artemis-arrow-3579 challenge your

    • @laincy-zp6lr
      @laincy-zp6lr 3 months ago +6

      I felt dumb until I read this, thx

  • @fus3n
    @fus3n 1 year ago +11495

    "You don't need any programming experience" continues to show code and terms that only a programmer would understand.

    • @dongueW
      @dongueW 1 year ago +160

      😂😂

    • @replikvltyoutube3727
      @replikvltyoutube3727 1 year ago +809

      Not only programmer, computer scientist too

    • @kofiboateng9181
      @kofiboateng9181 1 year ago +521

      For real lol..... I'm looking at the command line printout like, "Is that not assembly?" Then the very next line: "That's why we learn assembly." 🧐

    • @glowiever
      @glowiever 1 year ago +226

      basically the "refuse to elaborate" chad kinda thingy kek

    • @supermariozaken
      @supermariozaken 1 year ago +526

      You definitely need it, anyway why would you want to "reverse engineer" if you have no clue what to do with it?
      UA-camrs need to stop promoting "you don't need to know anything of X for this" and actually encourage people to learn what they need.

  • @stevereaver
    @stevereaver 1 year ago +2322

    "No coding experience needed", then dives straight into system level assembly.

    • @LowLevelTV
      @LowLevelTV  1 year ago +319

      teehee

    • @fodk7021
      @fodk7021 9 months ago +194

      @@LowLevelTV don't try to teehee yourself out of this one !

    • @MisterChief711
      @MisterChief711 9 months ago +109

      @@LowLevelTV not even funny. You just lied in the video

    • @NickyDekker89
      @NickyDekker89 9 months ago +117

      @@MisterChief711 Skill issue.

    • @MisterChief711
      @MisterChief711 9 months ago

      I can feel the sweat on your hands @@NickyDekker89

  • @Kyrelel
    @Kyrelel 9 months ago +252

    Good luck reversing any binary with zero programming knowledge.

    • @jeanm3506
      @jeanm3506 6 months ago +4

      😂😂😂😂

    • @Jxhsxn
      @Jxhsxn 4 months ago

      fr 😂

    • @mrhassell
      @mrhassell 4 months ago

      That's why IDA Pro is such a great set of tools. Besides the fact, by learning from zero programming knowledge, you're learning from the base (assembler), which is about as low level as a human being can get between program operations and the computer CPU (the next step being binary), you'll learn things that even advanced programmers are only casually (if at all) familiar with, as well as develop a skillset that can be used in digital forensic investigations, learn how to battle in the field against real-world malware, viruses and uncovering exploits and vulnerabilities that have never been seen or identified. I learnt "debug", when I was 11 years old to gain access to more games in MS-DOS 1.1, as I found this easier to learn ASM registers and HEX conversions and re-program instruction cycles as well as stack management and I/O, than fiddling with BASIC to draw sprites.
      Admittedly I went to a computer fair every month, for 6 months before I started to get any clue of how it worked but from there, in time and with a sincere dedication (with 3 months of glandular fever, which nearly prevented me from ever reaching teenage years), I honed my skills and put my OCD to good use, becoming one of the most prolific crackers in Australia and the UK (where my father lives and 12 years of my life were spent), during the 80s and the best part, was nobody knew who I was or would have guessed anything about my identity, being just a kid from rural Victoria! From that point, learning C and C++ was straightforward and much easier than had I taken a standard learning path, achieved in higher learning or as a student of an academic institution. Having worked in IT for over 25 years, I recommend this path as the first point in learning, or for anyone serious in developing skills, as this goes far beyond simply programming and opens your mind to a universe of new possibilities, which developing programming skills and knowledge of alone, likely will never provide anyway (reverse engineering is not a basic requirement of programming or used to teach software development, as I tend to believe they should be!).

  • @avader5
    @avader5 1 year ago +1792

    This reminds me back in the nineties when I ran my own company. I found a bug in QuickBooks Pro where they assumed a value for one of the payroll deductions would be a constant number. In my case it turned out that it had to be another value that the programmers at Intuit hadn't coded for since they hadn't done their due diligence research into corporate payroll tax law. I then proceeded to look at the data file that they were keeping I found the two bytes that represented the number for the percentage deduction on the line and I manually modified it to be the new number it needed to be. I then was surprised when I informed Intuit of their bug that they threatened to sue me for modification of what they termed copyrighted data.

    • @torphedo6286
      @torphedo6286 1 year ago +249

      Checks out lol

    • @featherfiend9095
      @featherfiend9095 1 year ago +118

      Super cool to see one of the original hackers (before it became erroneously equivalent to a “cracker”) talking about this.

    • @RealCaptainAwesome
      @RealCaptainAwesome 1 year ago +380

      How dare you.... checks notes... find and fix a bug in our software!

    • @orrilindalgunason8034
      @orrilindalgunason8034 1 year ago +11

      This sounds a lot like what happened with Russell 'Rusty' Hardenburgh if I remember correctly. Very interesting either way.

    • @baruchben-david4196
      @baruchben-david4196 1 year ago +66

      Corporations are touchy that way. Heaven forbid you should improve something, correct a bug... That's what all that text is about in the EULA.

  • @AnRodz
    @AnRodz 1 year ago +705

    Although coding from a young age, 'decompiling' always felt like black-magic concept. Thanks for explaining it to me.

    • @adewalo
      @adewalo 1 year ago +17

      but black-magic makes it sound cool so its even better

    • @EvilSapphireR
      @EvilSapphireR 11 months ago +6

      You get used to it. Just filling in the gaps made by compiler optimizations and custom data types most of the time by intelligent guessing.

    • @skilz8098
      @skilz8098 11 months ago +6

      Think of compiling as a mathematical function and decompiling as its inverse function. This is a fairly decent analogy except compilation and recompilation is within a much bigger scope of complexity where some deductions have to be inferred by its context.

    • @narrativeless404
      @narrativeless404 9 months ago +2

      It's actually kinda hard to make a good decompiler and the ones we do have are inherently unreliable
      So most of the time you're better off with just disassembly

    • @artemis-arrow-3579
      @artemis-arrow-3579 4 months ago

      @@narrativeless404 idk man, I've always found pseudo C to be decently reliable
      to be fair, I never tried Ghidra or IDA Pro, Binary Ninja ftw

  • @davidolsen1222
    @davidolsen1222 1 year ago +330

    Also, for various reasons password checkers shouldn't execute like that. You can absolutely tell that if you hammer it that feeding it a letter `c` first takes twice as long as any other letter when entered into the password checking. And then another 10ms if you add an `a` you can end up solving the password based on the time it takes to accept or reject that password. Since each letter you get right delays the time to rejection.

    • @Oliver_Atkinson
      @Oliver_Atkinson 1 year ago +3

      How do you check them simultaneously?

    • @davidolsen1222
      @davidolsen1222 1 year ago +79

      @@Oliver_Atkinson You can force a delay. So from the time you hit `enter` to the rejection the time will be like 1 second, which also makes brute force not an issue. But, usually this isn't an issue because the password is stored as a salted-hash password. So when you type aaaaaaa and then aaaaaab it would create two radically different hashed strings so you would not actually be able to simply compute the time to denial, because even if you could tell a particular password took longer to reject the hash is cryptographic, so you can't use that information in any useful way. It's another reason to never store passwords, because comparing plain-text passwords also leads to some security issues.

    • @kirasmith1147
      @kirasmith1147 1 year ago +3

      @davidolsen1222 Well, the even better answer is that a check in an executable will never hold, or more simply "you don't". But ofc server side stuff too (also, a delay will not hold up, the actual operation must be constant time)

    • @joshie1984
      @joshie1984 9 months ago +2

      Usually a password is hashed and salted, it does not check letter by letter... this would almost never/ never work or make a difference in execution time

    • @TribeWars1
      @TribeWars1 9 months ago

      One thing you can do is for example put both the password and the input in a 256 character buffer and then check all 256 characters for equality, regardless of whether an earlier check already failed. This is not a problem if you're using password hashes btw, which is the actual correct solution for password authentication.
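
The timing leak this thread describes, and the fixed-size comparison @TribeWars1 suggests, side by side. This is an added example written for this page, not code from the video or from any commenter. The secret "p4ssw0rd" is a constructed value, and the `steps` counter is a stand-in for a stopwatch: it records how many bytes each routine examined, which is exactly the quantity an attacker measures through response time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the video. SECRET is a constructed value
 * for demonstration only; a real program stores a salted password hash,
 * never the plaintext. */
static const char SECRET[] = "p4ssw0rd";

struct check_result {
    int ok;        /* 1 if the guess matched, 0 otherwise */
    size_t steps;  /* bytes examined before the function returned */
};

/* Early-exit comparison, the pattern the thread warns about. It stops at
 * the first mismatching byte, so the time to reject a guess grows with the
 * length of its correct prefix. `steps` records the work done so the leak
 * can be seen without timing anything. */
struct check_result leaky_check(const char *guess)
{
    struct check_result r = {0, 0};
    for (size_t i = 0;; i++) {
        r.steps = i + 1;
        if (guess[i] != SECRET[i]) return r;          /* mismatch: reject now */
        if (guess[i] == '\0') { r.ok = 1; return r; } /* both ended: match */
    }
}

/* Fixed-size comparison in the style @TribeWars1 describes: both values are
 * copied into 256-byte zero-filled buffers and every byte is compared, so the
 * work done does not depend on where (or whether) a mismatch occurs.
 * Differences are OR-ed into a volatile accumulator instead of branching. */
#define BUF_LEN 256

struct check_result constant_time_check(const char *guess)
{
    struct check_result r = {0, BUF_LEN};
    unsigned char a[BUF_LEN] = {0}, b[BUF_LEN] = {0};
    size_t glen = strlen(guess);          /* guess length is the attacker's own input */
    if (glen >= BUF_LEN) return r;        /* does not fit: reject (r.ok stays 0) */
    memcpy(a, guess, glen);
    memcpy(b, SECRET, sizeof SECRET - 1); /* 8 bytes here, well under BUF_LEN */
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < BUF_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    r.ok = (diff == 0);
    return r;
}

int main(void)
{
    const char *guesses[] = {"x", "p4x", "p4ssw0rx", "p4ssw0rd"};
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        struct check_result l = leaky_check(guesses[i]);
        struct check_result c = constant_time_check(guesses[i]);
        printf("%-9s leaky: ok=%d steps=%zu   fixed-size: ok=%d steps=%zu\n",
               guesses[i], l.ok, l.steps, c.ok, c.steps);
    }
    return 0;
}
```

Run it and the leaky variant's `steps` climbs from 1 to 3 to 8 as the guess prefix improves, while the fixed-size variant always reports 256. The `volatile` accumulator is a best-effort hint to the compiler, not a guarantee; production code should call a library routine built for this (OpenSSL's `CRYPTO_memcmp`, libsodium's `sodium_memcmp`), and, as the thread says, should be comparing hashes rather than plaintext in the first place.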

  • @valshaped
    @valshaped 1 year ago +20

    The ABI is more like an agreement that writers of assembly language programs make with other assembly writers for the sake of code interoperability. (In this context, the writer is a compiler, but it could be a person as well.)
    The processor generally doesn't care; as long as it's valid machine code, it'll run, ABI be damned.
    You can return your own custom tuple with 2 ints, a short, and a char* if you want, but you can't expect a C program to understand.

    • @zaphod101010
      @zaphod101010 1 year ago +3

      I came down here to say that this is absolutely correct.

  • @jakenbaked87
    @jakenbaked87 11 months ago +9

    This was the BEST tutorial on IDA and disassembly I've heard on UA-cam

  • @C5pider
    @C5pider 1 year ago +91

    Amazing video. Just a small side note that IDA Freeware comes with a free online decompiler which generates (very *accurate*) pseudo C code. Would love to see more of this kind of vids. Cheers.

    • @neutron_stz8894
      @neutron_stz8894 1 year ago +8

      ida is too far away from that "accurate"

    • @曹絮
      @曹絮 12 hours ago

      @@neutron_stz8894 Recommend one

  • @wreespace
    @wreespace 1 year ago +60

    I was having trouble understanding how memory calls work on a computer. This video cleared that up for me. Seeing it in action made so much sense. I can't thank you enough.

  • @flowmardev
    @flowmardev 11 days ago

    I'm a developer and this is my first exposure to reverse engineering.... I have other stuff to do but the urge to learn more about it is SO STRONG!!! I'm putting a pin in it and most definitely coming back to learn more. Thanks, dude!!!! 😀

  • @dono42
    @dono42 1 year ago +24

    The ABI varies depending on the OS rather than the processor. For example, Windows and Linux have different ABIs while they may run on the same processor.

    • @arronalt
      @arronalt 1 year ago

      does that mean that some ASM scripts don't run on both Operating Systems?

    • @andrewdunbar828
      @andrewdunbar828 1 year ago

      @@arronalt ASM is not a script and typically no ASM code that does anything useful will run on two different OSes with the same CPU unless specially crafted to do so.

    • @andrewdunbar828
      @andrewdunbar828 1 year ago +2

      Came here to say this. The CPU or ISA company may well have an official ABI these days and some part of that might not be negotiable by the OS designer, but most of it is. And machine code doesn't need to follow it at all and in the case of malware should probably avoid as much official ABI style as possible in the most obfuscated parts.

  • @BiteYt69
    @BiteYt69 1 year ago +5

    I once made a function from ida pseudocode in c++, used a function pointer of my function and Mshookfunction to hook into the real function and replaced it, it worked as the replacement function had same bytesize as original function. Ida or ghidra + hooks are really fun

  • @anon_y_mousse
    @anon_y_mousse 1 year ago +36

    The program `strings` is exactly why if I want to protect my own programs I just encode my own strings. I don't always write things that I want to protect, but it's still fun to play with different methods of encoding to stave off passive RE.

    • @spaghettiking653
      @spaghettiking653 1 year ago

      What do you mean by encoding?

    • @anon_y_mousse
      @anon_y_mousse 1 year ago +5

      @@spaghettiking653 It could be as simple as an xor scheme, but no matter what method I use, it wouldn't be secure because the means to decode it would be in the binary. It's at best a first step.

    • @kirasmith1147
      @kirasmith1147 1 year ago +4

      Also best to save this part as a pre-production-build automation instead of unironically making a mess of your codebase
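
What the "xor scheme" in this thread looks like in practice, together with the two caveats @anon_y_mousse and @kirasmith1147 raise: the decoding routine ships in the binary, and the encoding belongs in a build step rather than in hand-edited source. This is an added example written for this page, not code from the video or from either commenter. The key 0x5A and the encoded table are constructed for illustration; the table is "p4ssw0rd" XOR-ed with that key, precomputed so only the blob and the decoder end up in the compiled program.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the video or the commenter. ENCODED is the
 * constructed plaintext "p4ssw0rd" XOR-ed with the constructed key 0x5A,
 * precomputed (as a build step would do it) so the plaintext reaches the
 * binary only in decoded form at runtime. */
#define XOR_KEY 0x5A
static const unsigned char ENCODED[] = {
    0x2A, 0x6E, 0x29, 0x29, 0x2D, 0x6A, 0x28, 0x3E
};

/* Decode `len` bytes into `out`, NUL-terminate, return bytes written.
 * Returns 0 if `out` cannot hold the result plus the terminator. */
size_t xor_decode(const unsigned char *enc, size_t len, unsigned char key,
                  char *out, size_t out_len)
{
    if (out_len < len + 1) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(enc[i] ^ key);
    out[len] = '\0';
    return len;
}

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the clear as a dead store; the decoded secret should not outlive its use. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* strings(1) reports runs of printable bytes; this applies the same test to
 * a buffer. Single-byte XOR frequently maps printable text to printable
 * gibberish, so `strings` still lists the blob, just not the plaintext. */
int all_printable(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7E) return 0;
    return 1;
}

/* The attacker's view: a one-byte key leaves 256 candidates. Count how many
 * of them turn the blob into an all-printable string; that short list is
 * what a reverser (or a script with a dictionary) actually has to read. */
int count_printable_keys(void)
{
    int n = 0;
    for (int key = 0; key < 256; key++) {
        unsigned char tmp[sizeof ENCODED];
        for (size_t i = 0; i < sizeof ENCODED; i++)
            tmp[i] = ENCODED[i] ^ (unsigned char)key;
        n += all_printable(tmp, sizeof tmp);
    }
    return n;
}

/* Decode, compare against an expected value, wipe, and report the result. */
int decoded_matches(const char *expected)
{
    char buf[sizeof ENCODED + 1];
    size_t n = xor_decode(ENCODED, sizeof ENCODED, XOR_KEY, buf, sizeof buf);
    int ok = (n != 0) && (strcmp(buf, expected) == 0);
    secure_wipe(buf, sizeof buf);
    return ok;
}

int main(void)
{
    char buf[sizeof ENCODED + 1];
    printf("encoded blob is all printable (strings will list it): %d\n",
           all_printable(ENCODED, sizeof ENCODED));
    printf("keys yielding printable output: %d of 256\n", count_printable_keys());
    if (xor_decode(ENCODED, sizeof ENCODED, XOR_KEY, buf, sizeof buf))
        printf("decoded at runtime: %s\n", buf);
    secure_wipe(buf, sizeof buf);
    return 0;
}
```

Running `strings` on the compiled binary shows the encoded blob but not "p4ssw0rd", which is all this technique buys: the decoder, the key and the blob are all in the file, the decoded value sits in memory while it is used, and a 256-key brute force recovers it in milliseconds. It raises the cost of a passive `strings` pass, nothing more.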

  • @afifmalghani5202
    @afifmalghani5202 1 year ago +63

    I have been waiting man. Thank you! I don't wanna go down the conventional, tools first, path that is taught in most of the courses out there.

    • @LowLevelTV
      @LowLevelTV  1 year ago +7

      Right on

    • @thiagomoreira6640
      @thiagomoreira6640 1 year ago

      @@LowLevelTV can you please answer where you hid the password in the C source code? I reviewed the video a few times and I didn't see the password in the original C source code... How did you manage to hide it?

    • @galfisk
      @galfisk 1 year ago +4

      ​@@thiagomoreira6640 he collapsed the getPass function in the source view. Lines 4-36 are hidden when we see it.

    • @adityakeshla1668
      @adityakeshla1668 4 months ago

      Brother, can anyone explain... how can we unlock items in CODM... through open source

    • @numnut1516
      @numnut1516 1 month ago

      No!

  • @YasserCherfaoui
    @YasserCherfaoui 1 year ago +70

    I never knew IDA before, I used to use GDB to do kinda reverse engineering but now I feel like it's something I should start relying on. Thank you sir!

    • @YasserCherfaoui
      @YasserCherfaoui 1 year ago +2

      @@khatdubell thanks a lot man

    • @sobowalebayo9185
      @sobowalebayo9185 1 year ago +1

      Hello, can you help with guides to becoming a reverse engineer?

    • @zhad6045
      @zhad6045 1 year ago

      @@sobowalebayo9185 google

    • @taahaseois.8898
      @taahaseois.8898 10 months ago

      @@sobowalebayo9185 watch the video...

  • @red.doritos
    @red.doritos 1 year ago +438

    You are good at explaining things to beginners, pls do more of this reverse engineering stuff, make it a series you don't complicate things, i like it

    • @neti_neti_
      @neti_neti_ 1 year ago +2

      You are absolutely right: simplicity and spontaneity are divinity. 👏👏👏

    • @JLSXMK8
      @JLSXMK8 1 year ago +2

      “..Simplicity and spontaneity is divinity.”; Very true.

    • @neti_neti_
      @neti_neti_ 1 year ago

      @@JLSXMK8 👏👏👏

    • @laptopDoctorKZN
      @laptopDoctorKZN 1 year ago

      Hi, can firmware be decompiled?

  • @offroaders123
    @offroaders123 1 year ago +6

    Woah, super cool! And at 12:50, after he pointed out the 'g', you can actually see the rest of the password characters at the start of each section in the buffer. Crazy!

  • @matthewboyer4212
    @matthewboyer4212 1 year ago +18

    Should also be worth mentioning that in the United States, contracts can override the fair use clause in the DMCA. Courts have upheld this.
    This means that while reverse engineering isn't illegal, it almost always violates a contract and could result in a civil lawsuit for breach of contract or copyright infringement.

    • @LowLevelTV
      @LowLevelTV  1 year ago +3

      www.eff.org/files/2022/02/17/2022-02-16_apple_v_corellium_amicus_-_filed.pdf

    • @ChristopherGray00
      @ChristopherGray00 1 year ago +6

      reverse engineering, with how it is traditionally done, can violate copyright law, however pure clean room blackbox reverse engineering, in any instance does not break copyright law, as none of the code of the original program is actually used.
      clean room blackbox reverse engineering, is obviously astronomically more difficult to do, but legally it is airtight because all you are doing is reading the output of the original program, and then writing code based on what you think it is doing.

    • @matthewboyer4212
      @matthewboyer4212 1 year ago +9

      @@LowLevelTV
      1: see Bowers v. Baystate Technologies, Inc.
      2: This is an amicus curiae, not a court case. it also discusses the benefits of reverse engineering and isn't a law.
      I never said that reverse engineering was bad, I said it was a breach of contract.

  • @berkaykurkcu
    @berkaykurkcu 1 year ago +142

    Loving the content! A tutorial on learning C language from beginner to advanced maybe? Roadmaps for these kind of languages are always welcome by community and highly watchable, might pull in more new viewers!

    • @alpayarsoy2437
      @alpayarsoy2437 1 year ago +5

      There's a book called Intermediate C Programming, free on the internet. It had good information.

    • @raka2844
      @raka2844 1 year ago +1

      @@alpayarsoy2437 can you tell me which one is it?

    • @Moon-D0G
      @Moon-D0G 1 year ago +25

      Bro cmon, it's like begging for Calculus 1 or trigonometry content in 2023. C and C++ already have very in-depth guides on YouTube and as books. These languages have been out there for decades.

    • @berkaykurkcu
      @berkaykurkcu 1 year ago

      @@Moon-D0G 5 months ago you commented “I'm new at programming” on another video, and now you come here and write “come on bro, it's been around for years bro”, showing off 😁 I gave the guy a content suggestion and valid reasons for it, and you call it “begging”. Man, why are our Turks like this, impossible to understand 😁

    • @berkaykurkcu
      @berkaykurkcu 1 year ago +2

      @@alpayarsoy2437 thank you for the nice pointer 🙏🏼

  • @ZeonLP
    @ZeonLP 1 year ago +55

    While I like the video in general, reverse engineering is definitely NOT easy. Try reversing a more complex binary (AAA games, commercial software, etc.). Without references, existence of obfuscation & code virtualization, RE can quickly become a very specialized and extremely time-intensive puzzle that likely requires deep knowledge about OS internals, compilers and assembly. Here, we of course have the original code as reference and - having written it ourselves - all underlying program concepts are already known which defeats the purpose of "solving the puzzle" aka reverse engineering.

    • @poiu477
      @poiu477 1 year ago +6

      getting into it is easy, getting good is hard

    • @S.O.N.E
      @S.O.N.E 1 year ago +4

      Guy really expected the 13 min video to be 3 hours long

    • @simulator8
      @simulator8 1 year ago +7

      @@S.O.N.E Guy really thinks a 3 hour video would be enough for reverse engineering

    • @ocaly
      @ocaly 1 year ago +1

      @@simulator8 guy really wouldn't want a 3 hour long video about RE

  • @FalcoGer
    @FalcoGer 1 year ago +6

    6:00 there is no agreement with the processor. It's simply a calling convention that in 64 bit processors you use registers for the first few arguments and then the stack for the rest. There is no agreement with anything, it's just something that the compiler does for internal consistency. There is no need for it to be that way. You can write your own assembly and put whatever you want in whatever register you want and do a function call and then read those registers back. All that really matters is how the processor behaves to the outside world, and that is documented in the instruction set manual, outlining how the processor should behave when any given instruction is executed. And none of those say that RDI should contain the first argument for a function call. In fact call really only does 2 things. Push the next IP to the stack and set the instruction pointer to the callee. Or in detail it pushes the address of the next instruction to the stack pointer address and then decrements the stack pointer address and then sets the instruction pointer to the function to be called. Nothing else goes on here. It's up to the compiler to handle how arguments are transferred to and from the function, how to handle the stack or anything else, really.
    9:43 no, some dumb programmer may have given the function the name "getPass" originally, but that's not what the function does. Since you "don't know" the original name, you should give it the best name you can come up with. A better name would be "checkPassword" or "comparePassword" or something along those lines, because that function doesn't return (get) the password, it just checks if the password you provided is correct or not.

  • @lanceward7048
    @lanceward7048 9 months ago +23

    You don't have to have ANY programming experience, you just have to be a computer engineer🤣

  • @martijn3151
    @martijn3151 1 year ago +43

    I definitely enjoyed the video. Although I think the title is a bit too much clickbait. Equating reverse engineering to open source code is a long stretch in my opinion. Sure, this simple non-optimized example is quite understandable when it’s reverse engineered. Now try a large program containing lots of templated code, with O3 optimization, inline functions, loops unrolled, SIMD optimizations etc. and see how far the disassembly will bring you to what it is you’re trying to achieve. E.g., getting around a password check. It’s super hard and you definitely need programming and assembly experience to even begin to tackle that. Nice introduction though ☺️

    • @Dante-420
      @Dante-420 10 months ago +2

      It's definitely click bait and a lie - just because you can reverse engineer something doesn't mean you have the legal ability to create and publish a derivative work.

    • @qoq4837
      @qoq4837 2 months ago

      maybe llms or anns can be employed to make the process more accessible

  • @jordantheman25
    @jordantheman25 1 year ago +63

    I love Ghidra

    • @billigerfusel
      @billigerfusel 1 year ago +3

      Idafree is really limited. Ghidra is the way to go.

    • @MisterK-YT
      @MisterK-YT 1 year ago +6

      I love chicks

  • @thomasbard1506
    @thomasbard1506 1 year ago +203

    You are doing such a great job man! Keep it up, I learnt so much from you dude, you're literally a better teacher than most of the teachers I had in college! Love you!

    • @LowLevelTV
      @LowLevelTV  1 year ago +27

      I appreciate that!

    • @SanketL3730
      @SanketL3730 1 year ago +3

      Same here

    • @pialdas6835
      @pialdas6835 1 year ago +1

      @@agentstona Where was he messing with CPU registers? What memory address registers was he changing?

    • @jirehla-ab1671
      @jirehla-ab1671 1 year ago +1

      @@LowLevelTV everything is open source if you understand machine code and the CPU architecture of the app.

  • @saddish2816
    @saddish2816 1 year ago +9

    Reverse engineering is so fun. Please teach us more

  • @harveysattic3918
    @harveysattic3918 1 year ago +12

    I am so far 1 week into C#, granted this video went over my head a tiny bit, but I understood the fundamentals. Looks like I might dabble in this in the future.

  • @ThePowerRanger
    @ThePowerRanger 1 year ago +29

    Great video, a similar video for ARM assembly would be great, explaining the special registers and stuff.

    • @LowLevelTV
      @LowLevelTV  1 year ago +4

      Great suggestion!

    • @m.projects
      @m.projects 1 year ago

      I think that the free IDA version doesn't include ARM support, that would be a big issue

  • @BackyardMonster
    @BackyardMonster 1 year ago +90

    Would be cool to see you reverse engineering a multiplayer flash game, since most of them only have the .swf files and no server side files. Maybe tricking it to run on a localhost. Something like this would be very cool and could help archive more flash games, but it's probably 100x more effort

    • @user-yw8sr3uj1w
      @user-yw8sr3uj1w 1 year ago +3

      Yes please!!

    • @VanBagdi
      @VanBagdi 1 year ago +35

      It is actually easier to decompile Flash games because they run on ActionScript, which like Java and C#, is first compiled to bytecode, which is then run on a VM. There are decompilers that give you the entire source code from a SWF file with full variable names and everything.

  • @ssrd.
    @ssrd. 1 year ago +31

    Amazing video, king. One thing though, I think you forgot to put the download link for IDA you mentioned at 4:11. Also, the repo in the description is probably private.

  • @Grentanksmog
    @Grentanksmog 1 year ago +17

    Nice demonstration! Except that when dealing with passwords no one just compares them char by char. They are often stored as hashes with salts, so you cannot decipher them without brute force

  • @gabrieldta
    @gabrieldta 1 year ago +1

    Speaking of which...
    Has anybody ever considered this Reverse Engineering pipeline i came up with?
    1. Play a game
    2. Record the video/sound
    3. Record each and every player input
    4. Feed [Pixels and Sound + Player input] to an AI
    5. Through AI "magic", the game is recreated because the AI has learned so much from what happens to the pixel resulting from this/that input.
    6. Create a whole new AImulation (my term) market.
    =)

    • @rawbmar1166
      @rawbmar1166 10 months ago +1

      What you just said was... Have AI do all the work and you do nothing. Doesn't sound like reverse engineering.

  • @OmarRampado87
    @OmarRampado87 1 year ago +26

    Great video! You say the registers are set for the x86 processor, but I think it is for the "calling convention" in Linux and it can change for other OSes. I didn't know this IDA, it looks very interesting, thank you!

    • @Acorn_Anomaly
      @Acorn_Anomaly 1 year ago +4

      Yeah, a calling convention is set based on the target processor AND target OS.
      x86/i686 is different than x86-64/amd64, which is different from ARM, etc. And Linux and Windows conventions can be different.

  • @SunsetGraffiti
    @SunsetGraffiti 5 months ago

    Oh wow... I think I'm in love. This makes me feel like I'm a kid again, tearing apart my dad's old VCR trying to figure out how it works.

  • @jesusdueas7145
    @jesusdueas7145 11 months ago +4

    “You don’t need any programming experience” taking a binary? From a source code? With different symbols? They are types of variables? Names of functions? And they are readable strings? And you can get a lot of information by reading a buffer from the source code? What is the if getPass? This is not even minute 1 and I’m lost.

  • @TheColonel_
    @TheColonel_ 11 months ago +8

    "You don't need any programming experience" yeah right...

    • @Johny9405
      @Johny9405 2 days ago

      No, just the basics and you can learn that in an hour maybe

  • @int-64
    @int-64 1 year ago +6

    We need more stuff like this

  • @vega7338
    @vega7338 5 months ago

    If anyone found themselves struggling to understand this, the following are the required courses:
    1. Program design (for understanding the C code) (C recommended, python is not actually close to the topic)
    2. Compiler (for understanding how computer transfer high level code to machine code or instructions)
    3. Computer Organization (for understanding how instructions have your CPU interact with other components like RAM and Cache)
    Overall, there is one shortcut, that is to have a degree in Computer Science.

  • @alexandrsavochkin9442
    @alexandrsavochkin9442 1 year ago +12

    Good introduction! Not quite a disassembly-related question: I am wondering why the code generated by the compiler for each character comparison uses RAX for different things, so it needs to overwrite it multiple times: 1. it loads the buffer address into it and adds the offset to it, and then 2. loads the character for comparison. Wouldn't it be more effective to use another register, say RBX, for the buffer address and RAX for the character comparison (or vice versa)? I know registers are a scarce resource, but here it seems to make sense to me to use 2 regs.
    At the same time, I heard that compilers are very smart today and create much better binary code than the average human writing assembly code, so there should be some efficiency explanation.

    • @wildbohana
      @wildbohana 1 year ago

      GCC does have many flags that can affect the way that the compiled code will look, some of the flags allow you to choose what level of optimization you want for your code, but more optimized code also takes more time to compile

    • @giornikitop5373
      @giornikitop5373 1 year ago +1

      a few come to mind.
      1. rax is the alu register.
      2. being a c program, all return values are stored in rax.
      3. rax is generally safe to be changed whenever.
      4. modern cpus can write faster to the same register if it was accessed shortly before. of course it's not perceivable but that's what intel claims.
      my guess is mostly because of 2 and 3 but also depends on the compiler's optimization lvl. of course the disassembly can be a bit "off" because ida doesn't always produce the most accurate results, but this is a very simple binary for that to be the case.

    • @miriamkapeller6754
      @miriamkapeller6754 1 year ago +1

      The explanation is simply that he compiled without optimizations. The mov, add and movzx instructions are unnecessary. In an actual release executable, each set of these 4 instructions can be reduced to a single cmp instruction, like cmp byte ptr [rdi+7], 100.

  • @RICK_MCN
    @RICK_MCN 8 months ago

    I like how you break this down for people that don't understand this, or dumb it down. Very nice brother 👍👍

  • @mantisgaming
    @mantisgaming 1 year ago +7

    I'd love to have seen what the getpass function looked like in c at the end of the video

  • @noxwellix
    @noxwellix 3 months ago

    > selecting ELF's program header table
    > reverse engineering is going from *this* to what the code does
    You could have scrolled down to the .text section with machine code at least :)

  • @jonathanmurray2986
    @jonathanmurray2986 1 year ago +3

    “No previous programming experience needed…anyway, here’s assembly”

  • @julianbittner4822
    @julianbittner4822 10 months ago

    i always wanted to dig into reverse engineering but never knew where to start. thank you so much!

  • @ludologian
    @ludologian 1 year ago +7

    I didn't know there were existing bash commands to disassemble strings and objects.. I like that you go up level by level, but you should have talked about reverse engineering the code with some decompilers, as they usually return the code if it's not obfuscated, then maybe try to see the call stack with debugging, then use a disassembler

    • @GeneralZimmer
      @GeneralZimmer 1 year ago +1

      I legit thought he'd show us a decompiler when he said you don't need programming skills or anything.

  • @gjermundification
    @gjermundification 11 months ago +1

    RTFB = reverse engineering - like we did back in the day with VIC-20, C64, and Amiga

  • @FurqanHun
    @FurqanHun 1 year ago +8

    I didn't think I'd understand someone using C this early for a program like this 💀 though I still haven't gotten used to it, but I've taken a few steps, I guess 🚶 Trying to understand programs just by looking at code, reading documentation and trying to recreate the stuff I learn really did help more than taking lectures or watching video tutorials 👾

  • @kkyang7515
    @kkyang7515 1 year ago

    I finally understood why my school taught me assembly now🤯. I never used it because I am on the dev side. That is so cool!!

  • @sorek__
    @sorek__ 1 year ago +8

    Such explanations of simple concepts are really why I subscribed to your channel! Wish you did followup videos on more advanced stuff with it.

  • @flyingbutter7612
    @flyingbutter7612 7 months ago +1

    Ok, this was very helpful since I didn't know where to begin on reverse engineering. Thank you!

  • @meatgoat4084
    @meatgoat4084 1 year ago +3

    "everything is open source if you can reverse engineer" -- I hope the company you work for has a good legal team.

  • @nixielee
    @nixielee 1 year ago +2

    You should do this for real malware, YT needs more of this stuff

  • @SUNNofODIN
    @SUNNofODIN 1 year ago +5

    "Manipulating Assembly is so interesting!" I said today for the first time in my life.

  • @akulkumar1357
    @akulkumar1357 3 months ago

    As someone who has been learning/doing programming for 3+ years now and knows 7 different high- and low-level languages, I can most definitely assure you that although you don't essentially need to know how to code, this is NOT for beginners. Even I had to rewind a few parts to understand this.
    That being said, this was an extremely fun to watch and informative video. Thanks man✌

    • @adelitaz
      @adelitaz 3 months ago

      Hello, do you use Discord?

    • @akulkumar1357
      @akulkumar1357 3 months ago

      @@adelitaz nope

    • @adelitaz
      @adelitaz 2 months ago

      @@akulkumar1357 Is there any future in reverse engineering?

  • @whtiequillBj
    @whtiequillBj 1 year ago +6

    This is a very good high level explanation of reverse engineering. Do you have any plans on something more intermediate level or do you have a channel that I could go look at for something like that? I'm already in the weeds from reading the Intel Architectures Software Developer's Manual. I've been enjoying using Kaitai.

    • @sh_gosha6867
      @sh_gosha6867 1 year ago

      This channel youtube.com/@HEXORCIST?si=EnSIkaIECMiOmarE

  • @amroelkhodrai3048
    @amroelkhodrai3048 10 days ago

    Videos like this are why I like YouTube. Keep up the good work!

  • @paulezekiel-hart733
    @paulezekiel-hart733 1 year ago +5

    Remember folks, you don't need any programming experience 😅

  • @BuckyOhYeah
    @BuckyOhYeah 10 months ago

    For novice programmers... write some JavaScript or CSS. Use an online minifier on said code. Take the minified code and place it into a formatter. Then try to determine what the code is doing...

  • @citricdolphin
    @citricdolphin 1 year ago +3

    Great tutorial, but DEFINITELY not suitable for people with "no programming experience." I know a lot of computer science and software engineering students that would be completely lost with this.
    It's easy to forget that even lines like "only the case for 64-bit Intel" mean little to complete beginners.

  • @jonathansung8197
    @jonathansung8197 6 months ago

    This is how you used to change to the dark theme for Unity a few years ago back when the free version of Unity was restricted to the light theme only. You would open the Unity.exe with a hex editor and manually change a particular value.

  • @nachosncheez2492
    @nachosncheez2492 1 year ago +3

    nice, more of these

  • @AnshulRanjan14
    @AnshulRanjan14 11 months ago +1

    That's like saying, you can go anywhere if you know how to pick locks. Sure you can do that, doesn't mean you should do that. What makes open source, open source is the licence under which they make the source code available. Not that you can reverse engineer a code.

  • @benjaminrich9396
    @benjaminrich9396 1 year ago +3

    I love videos like this. Keep 'em coming. :)

  • @charles-y2z6c
    @charles-y2z6c 1 year ago

    Nice, takes me way back to my 6502 days, writing decompilers.
    Subscribed and Looking forward to seeing what else you have.

  • @aadiththiruvallarai4856
    @aadiththiruvallarai4856 1 year ago +6

    I get a 404 error when I click on the GitHub link. Where can I find your GitHub?

  • @abdulrahmanelawady4501
    @abdulrahmanelawady4501 1 year ago +2

    That was quite simple to understand, despite the fact that it will need you to understand the basic terminology of computer science in order to follow along. But overall, it was nice to watch. Hey, maybe you can make a video covering those basic terminologies and link it in your future videos, so people would be able to understand more easily. But hey, what do I know~

  • @jaybhanushali8559
    @jaybhanushali8559 1 year ago +3

    Hey, thanks for the amazing video. I have a small question. At 7:47 you labeled the variable as "buffer" because you already knew from the code that it was a buffer you had created and would be storing the password. But in a real scenario we will not have that C code, but will only have access to the IDA-generated assembly code, so how will I know what that variable stores and why it was defined? Here you knew it's a buffer, but in real cases while reverse engineering software I would never have a clue about where, what and why that variable was defined.

    • @kebien6020
      @kebien6020 1 year ago +1

      You kinda look around to see how it is being used, and pick whatever name makes sense for you.
      In this case you can see that it is being passed as the second parameter to scanf, which reads data from stdin (in this case user input) into the passed pointer. So it makes sense to call it a buffer. Personally, I would have called it user_input or input_buffer.

  • @Themisterfly85
    @Themisterfly85 5 months ago

    ASM is mainly used for cracking software (at least that's how I learnt it), and it is well demonstrated in this video. Thanks for the memories, I should say; this brought me back to my teenage years.

  • @Hossimo
    @Hossimo 1 year ago +3

    @LowLevelLearning FYI, Your github link in the description is a 404

  • @agucci
    @agucci 1 year ago +1

    I am not the best reverse engineer in the world, but IDA is so much fun for the entire family and friends... The Cyber research of the Law.

  • @norielgames4765
    @norielgames4765 11 months ago +4

    Being open source doesn't mean you get the code. It's a type of license. Doesn't matter how you obtain the code, be it reversing or stealing it somehow, if the code has a closed license you can't use it in any way shape or form.

  • @SloppyPuppy
    @SloppyPuppy 1 year ago +1

    Ghidra is a more complex tool, per se, but it's also GPL2, so if you're looking for something open source I'd go for that.

  • @EditorKody
    @EditorKody 1 year ago +3

    Any reason why you're choosing to use IDA over Ghidra? I know IDA has a nice decompiler, but it's prohibitively expensive to use the non-cloud version and some of its other better features.

    • @scootergirl3662
      @scootergirl3662 1 year ago +1

      He may happen to have it for work or something

    • @EditorKody
      @EditorKody 1 year ago +1

      @@scootergirl3662 He’s using IDA freeware version, so that’s not likely.

  • @eljuano28
    @eljuano28 1 year ago +1

    You're a cyber treasure, dude.
    Don't ever forget that.

  • @diegomasotti7517
    @diegomasotti7517 1 year ago +3

    404 on the github link

  • @KvapuJanjalia
    @KvapuJanjalia 5 months ago

    When I write performance-critical C# code, I usually disassemble it to make sure JIT optimizes it properly.

  • @webrevolution.
    @webrevolution. 1 year ago +3

    1:20
    That is not binary data, it's HEX. Binary data is only 1s and 0s.

  • @samjohn1098
    @samjohn1098 1 year ago

    One of the videos to get started with for reverse engineering.

  • @pskry
    @pskry 1 year ago +3

    FYI, your github link in the description is broken (404)

    • @adlsfreund
      @adlsfreund 1 year ago

      He probably forgot to make it public.

  • @astrovicis
    @astrovicis 1 year ago +1

    This was awesome. Also the first time I feel like I’ve genuinely followed a video like this. Thank you!!

  • @mutexin
    @mutexin 1 year ago +5

    Misleading title, misleading claims.

  • @dameanvil
    @dameanvil 9 months ago +1

    0:00 📖 Reverse engineering is the process of understanding the functionality of a binary without access to its source code.
    1:31 🛡 Malware reverse engineering is crucial for cybersecurity professionals to understand and defend against threats.
    1:53 😄 Reverse engineering can also be enjoyable, involving the challenge of understanding how things work.
    2:03 🛠 Basic reverse engineering techniques include using the strings command to find ASCII strings in a binary.
    3:01 🧠 Disassemblers like object dump and IDA convert binary machine code into human-readable assembly instructions.
    8:00 🔍 Reverse engineers use disassemblers to analyze assembly instructions and infer the functionality of a binary.
    11:38 🔐 Understanding the binary's functionality, such as password comparison, allows for successful reverse engineering.
    13:00 🤔 Some binary content, like password comparisons, may not be revealed by simple string extraction due to how instructions are encoded.

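The summary above (2:03 strings, 13:00 why a password compared byte by byte never shows up in `strings`) and the earlier remark that an optimized build reduces each check to `cmp byte ptr [rdi+7], 100` can be tied together in a few lines of Python. This is an added example, not code from the video or its author. It reimplements the core of strings(1), then scans the same bytes for the x86-64 encoding of `cmp byte ptr [rdi+disp8], imm8` (80 7F disp8 imm8) to pull the password back out of the instruction immediates. The "binary" is a constructed byte layout, not a real ELF, and the password `pwd1`, the prompt and the rejection message are all assumed for the demo.

```python
from __future__ import annotations
import re

# x86-64 encoding of `cmp byte ptr [rdi+disp8], imm8` is 80 7F disp8 imm8
# (opcode 80 /7, ModRM 0x7F = mod 01, reg 7, rm rdi); `jnz rel8` is 75 rel8.
# A compiler that checks a password one byte at a time emits a chain of these,
# so the password lives only inside instruction immediates, never as a C string.
CMP_BYTE_RDI = b"\x80\x7f"


def byte_compare(index: int, value: int) -> bytes:
    """Encode `cmp byte ptr [rdi+index], value` followed by `jnz +0x20`."""
    return CMP_BYTE_RDI + bytes([index, value, 0x75, 0x20])


# Constructed stand-in for a stripped binary (assumed layout, not a real ELF):
# a header-like prefix, the compare chain, a ret, then the NUL-terminated
# C strings the program prints.
SECRET = b"pwd1"                      # assumed password for the demo
PROMPT = b"Enter password: \x00"
WRONG = b"Wrong password\x00"
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(9)
    + b"".join(byte_compare(i, c) for i, c in enumerate(SECRET))
    + b"\xc3" + PROMPT + WRONG + b"\x00\x90\x90"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Core of strings(1): maximal runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_byte_compares(data: bytes) -> list[tuple[int, int, int]]:
    """Heuristic scan for 80 7F disp8 imm8; returns (file offset, disp8, imm8).

    A raw byte pattern can also match inside data or across other instructions,
    so treat hits as leads to confirm in a disassembler, not as ground truth."""
    return [
        (m.start(), m.group(1)[0], m.group(2)[0])
        for m in re.finditer(rb"\x80\x7f(.)(.)", data, re.DOTALL)
    ]


def reconstruct_password(compares: list[tuple[int, int, int]]) -> bytes:
    """Order the compared immediates by displacement; '?' marks an uncovered byte."""
    by_disp = {disp: imm for _, disp, imm in compares}
    if not by_disp:
        return b""
    return bytes(by_disp.get(i, ord("?")) for i in range(max(by_disp) + 1))


if __name__ == "__main__":
    print("strings:", extract_strings(SAMPLE_BINARY))
    hits = find_byte_compares(SAMPLE_BINARY)
    for off, disp, imm in hits:
        print(f"{off:#06x}: cmp byte ptr [rdi+{disp}], {imm:#04x} ('{chr(imm)}')")
    print("recovered:", reconstruct_password(hits))
```

`extract_strings` finds the prompt and the error message but nothing resembling the password, which is exactly what the video's `strings` run shows; each compare leaves only a three-character fragment like `pu ` below the default minimum length. The second scan recovers `pwd1` from the immediates, but it keys on one specific encoding (byte compare against `[rdi+disp8]`); a build that loads the byte into a register first, or compares against a different base register, needs a different pattern, which is why the disassembler rather than a regex is the tool of record.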
  • @ezekieljills
    @ezekieljills 1 month ago +3

    garbage content

  • @JustClem001
    @JustClem001 1 year ago +2

    Nice channel name, and I reverse engineer hand tools and hardware a lot just to get an idea of the problems they solve.
    Compilers are the cyberspace equivalent to the blacksmith using a forge, or the foundry that eventually makes it to your home via four wheels. Decompilers are the definitive tool for solving computer problems, and as such are by definition open source, and if not open, still relevant to software error.

  • @meestyouyouestme3753
    @meestyouyouestme3753 9 months ago +2

    “no coding experience required.”
    *requires past programming participation *

  • @vladislavkaras491
    @vladislavkaras491 11 months ago +1

    Thanks for showing, how tedious is reverse engineering! :P

  • @MohitKhare
    @MohitKhare 4 months ago

    Bro you said no programming/networking experience 😂. Took my 8 years of professional app development experience just to keep up with you. Thanks for the vid though, btw you have a new sub. ❤

  • @hdufjwif6fjjgkf943
    @hdufjwif6fjjgkf943 1 year ago +1

    Nice timing! Just installed Ghidra to learn rev eng and binary exploitation and your video came out

  • @hodolski
    @hodolski 11 months ago

    From my own experience a good reverse engineer is also a good programmer. I, a BBA graduate just learned how to code, tried RE but never surpassed my colleague with years of programming experience. You DO need some knowledge and experience to read reversed code, and the more the better. Computational thinking is a thing.

  • @luizmeier
    @luizmeier 1 year ago

    Don't get me wrong. If you've never disassembled an application before, consider the course. However, know that most "interesting" systems have cryptography and methods that perform differently if they are at debug speed instead of running freely (among other methods). Even people with years of experience can take weeks to really disassemble the area of interest.

  • @NotGarbageLoops
    @NotGarbageLoops 7 months ago

    Wish I had this 10 years ago. Did so much learning the wrong way around.

  • @Neodynium.the_permanent_magnet
    @Neodynium.the_permanent_magnet 11 months ago

    Reverse engineering requires knowledge, but, more importantly, the right tools. It would be hard to reverse engineer with only 'strings', for instance (and who wants to read machine code?).

  • @LiamStojanovic
    @LiamStojanovic 1 year ago +1

    Dude this video is awesome. You should do more of these!

  • @jonnyphenomenon
    @jonnyphenomenon 1 year ago

    My favorite trick is to change the jnz to a jmp. It's much quicker. Just one bit flipping from a 74 to a 75 or something. Of course, this only works if you have write permissions on the file, but it's a pretty good demonstration of what can be done.

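The single-byte patch described above is worth showing precisely, because which byte you write decides what the patched program does. As an added example (mine, not the video's or the commenter's code), the script below rewrites the short conditional jump guarding a password check. It assumes the x86 opcode bytes 0x74 (`jz rel8`), 0x75 (`jnz rel8`), 0xEB (`jmp rel8`), 0x90 (`nop`), and for the near forms 0F 84 / 0F 85 (`jz`/`jnz rel32`) and 0xE9 (`jmp rel32`). Swapping 0x74 and 0x75 inverts the branch; writing 0xEB makes it unconditional; writing two NOPs makes it fall through. The check bytes and the offset 4 are a constructed sample, not bytes taken from the video's binary.

```python
from pathlib import Path

# Short (rel8) jump opcodes as they appear in objdump/IDA listings.
JZ, JNZ, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90
# Near (rel32) conditional jumps are two-byte opcodes 0F 84 (jz) / 0F 85 (jnz).
JZ_NEAR, JNZ_NEAR, JMP_NEAR = b"\x0f\x84", b"\x0f\x85", 0xE9

SHORT_REWRITES = {
    "invert": {JZ: JNZ, JNZ: JZ},               # take the other branch
    "always": {JZ: JMP_SHORT, JNZ: JMP_SHORT},  # unconditional, same displacement
}


def patch_short_branch(data: bytes, offset: int, mode: str) -> bytes:
    """Rewrite the jz/jnz rel8 at file offset `offset`; return the patched copy.

    rel8 is relative to the end of the 2-byte instruction for jz, jnz and jmp
    alike, so the displacement byte is left untouched. Anything that is not a
    jz/jnz is refused, so a wrong offset fails instead of corrupting the file."""
    opcode = data[offset]
    if opcode not in (JZ, JNZ):
        raise ValueError(f"byte {opcode:#04x} at {offset:#x} is not a jz/jnz rel8")
    if mode == "never":  # fall through: nop out opcode and displacement
        return data[:offset] + bytes([NOP, NOP]) + data[offset + 2:]
    return data[:offset] + bytes([SHORT_REWRITES[mode][opcode]]) + data[offset + 1:]


def patch_near_branch_always(data: bytes, offset: int) -> bytes:
    """0F 84/85 rel32 (6 bytes) -> 90 E9 rel32 (nop + jmp rel32, also 6 bytes).

    Both sequences end at the same address, so the 4-byte displacement still
    points at the original target."""
    if data[offset:offset + 2] not in (JZ_NEAR, JNZ_NEAR):
        raise ValueError(f"no jz/jnz rel32 at {offset:#x}")
    return data[:offset] + bytes([NOP, JMP_NEAR]) + data[offset + 2:]


def patch_file(path: str, offset: int, mode: str) -> None:
    """Apply a short-branch patch on disk, keeping a .bak copy of the original.

    `offset` is a file offset (what a hex editor shows), not the virtual
    address IDA displays; translate through the section mapping first."""
    p = Path(path)
    original = p.read_bytes()
    p.with_suffix(p.suffix + ".bak").write_bytes(original)
    p.write_bytes(patch_short_branch(original, offset, mode))


# Constructed sample (assumed layout, not the video's binary):
#   00: 80 7F 07 64      cmp byte ptr [rdi+7], 0x64
#   04: 75 06            jnz 0x0c          <- the check being defeated
#   06: B8 01 00 00 00   mov eax, 1        (accepted)
#   0b: C3               ret
#   0c: 31 C0            xor eax, eax      (rejected)
#   0e: C3               ret
CHECK = bytes.fromhex("807f0764" "7506" "b801000000" "c3" "31c0" "c3")
JNZ_OFFSET = 4

if __name__ == "__main__":
    for mode in ("invert", "always", "never"):
        print(mode, patch_short_branch(CHECK, JNZ_OFFSET, mode).hex(" "))
```

Two practical caveats. "invert" makes every wrong password pass and the correct one fail, so if the real one is known, "never" (fall through to the success path) is the cleaner patch; which mode is right depends on whether the jump leads to the failure or the success block, and that is read off the disassembly, not guessed. And a patched file no longer matches its hash or signature, so anything with an integrity check or code signing will notice, which is why the same flip is often applied in a debugger to the running process instead of on disk.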
  • @austinsharpe8157
    @austinsharpe8157 3 months ago +1

    "Wow! I just went from zero programming experience to knowing how to reverse-engineer and decompile binary by watching this 14 minute video!"
    - No one

  • @josephputra2987
    @josephputra2987 1 year ago

    This is one of the biggest reasons I learn programming.

  • @wtfdoiputhere
    @wtfdoiputhere 1 year ago +2

    Can't wait to watch this video, but I'm studying.
    Love your content, man. Please make more cybersec videos, because things magically click if it's you explaining.