Source code for Ghidra now released on GitHub! thehackernews.com/2019/03/ghidra-reverse-engineering-tool.html
@MichaelJenkin 5 years ago
Personal Plea: As you can appreciate, it is very hard to get noticed on KZbin. I am doing my best to educate other IT people (MSPs, technicians, engineers, resellers, VARs and hobbyists) so that we can know the tricks and fight back against malware. The more education out there, the better our lives will be (and data safer). I am an IT engineer. I am not a vlogger, a picture editor, a graphics artist or audio engineer. I make mistakes and am learning. KZbin is a tricky platform to navigate and to be heard. I appreciate every subscriber I get but what I really need ... is your feedback, your comments, your suggestions, video ideas and if you like a video, link it on your Facebook, Twitter, Forums, Reddit or other social media. Spread the word. I can only make this channel effective if people know about it. If you find this helpful, insightful or engaging, let others know. If you hate the format, let me know. Every new video is made from advice from the last video. Thanks everyone. You have all been great!
@brEZ527 1 year ago
Thank you. I'm 16, reverse engineering some stuff to improve my coding and overall tech skills, and this video really helped. I found this website where there are puzzles in which you have to reverse engineer in order to solve them, and it's really interesting, so I'm trying to solve one.
@meylaul5007 4 years ago
For anyone who searches for the word at 18:09 and is not a native speaker: "obfuscated" is the word. I recommend searching "obfuscated assembly code" to get further information on what it does. There is also a mention on stackoverflow that code obfuscation and code protection are two different things.
@MichaelJenkin 4 years ago
Awesome comment! Thanks
@PhilAlbu 4 years ago
Thank you for the great intro video, Michael! Very nice overview of Ghidra and how to use it. Could you please make some follow-on videos about how to specifically analyze and RE certain types of programs (i.e. PE, Mac OS X, ELF, etc.)?
@sent4dc 5 years ago
10:57 the MS-DOS header (the one that starts with MZ) is not there so that "the executable could run in command line." It used to be called from MS-DOS mode, as the name suggests. Today, in Windows, that header is not used, except for its two members: the first one, that contains MZ, and the other one with the offset to the NT headers.
@MichaelJenkin 5 years ago
Thanks for the correction. You are correct. Sometimes I fail to articulate correctly when I am trying to remember everything for the video. I appreciate your comment.
@overcheats4518 2 years ago
your knowledge lvl is over 9000, let that be clear
@Sarge2198 5 years ago
Great video and demo of Ghidra, I'm now subscribed. I noticed in some parts of the video that the audio was several seconds ahead of the video, which made it a little hard to follow, but not prohibitively so. I'll share your whitehat vids with my son, it's right up his alley.
@MichaelJenkin 5 years ago
Thanks. I tried to really give this program a workout. I learnt a lot doing it. You would be correct about the video. The frames per second of the video kept changing. It was weird. I am ditching that program as it was extremely frustrating. Live and learn :(
@MichaelJenkin 5 years ago
I have found a new recording tool. Planning to use OBS Studio. Thanks for your feedback. Let's hope that this improves things, unless you have experience with another product you can recommend? (My line-in on my laptop does not like the microphone so I do record audio separately)
@MichaelJenkin 5 years ago
It's great for a parent to share an interest with their offspring. I am kinda jealous :)
@Sarge2198 5 years ago
@@MichaelJenkin I don't personally know of another product, but I'll ask a friend I'm seeing tomorrow about his experience.
@MichaelJenkin 5 years ago
@@Sarge2198 Awesome!
@TheTavaro11 4 years ago
Pls do not play music in the background!
@MichaelJenkin 4 years ago
Tavaro, thanks. I no longer do that. Thanks for the feedback.
@Dogsss752 4 years ago
Being able to concentrate on multiple sources is a good trait to acquire. Keep the music.
@TheTavaro11 4 years ago
@@Dogsss752 1.: It's not about that. I just watch vids at faster speed and the music just sounds awful. 2.: Some might just not like the music. 3.: Feel free to play ur own music while watching the vid
@EpicTyphlosionTV 4 years ago
If you get a missing PDB error upon analyzing, and you don't have the PDB file, are you pretty much screwed?
@MichaelJenkin 3 years ago
Looks like others have found a solution for you. reverseengineering.stackexchange.com/questions/20950/how-to-load-symbols-from-a-symbol-server-in-ghidra
4 years ago
I use RetDec by Avast to decompile dynamic libraries, then use CppCheck or whatever to demangle the general code and recompile it to a .a library... Dynamic to static libraries ARE POSSIBLE
@MichaelJenkin 4 years ago
That is just awesome. Very cool.
@nancypinancypi 23 days ago
Hey mate, I have recently purchased the binary destroyer indicator for FX trading. I have it as a zip file downloaded as I purchased it, but it doesn't allow me to crack into the source code in it. How can I crack the algo file and read the source code?
@JohnStewien 5 years ago
This is number 1 on reddit programming right now. I came here as I recognized the submitter.
@MichaelJenkin 5 years ago
Hey John. Thanks for the comment. We have to catch up in the non-virtual world.
@JohnStewien 5 years ago
Yeah, I keep on thinking I should catch up with people between eat-sleep-work-repeat, and fixing things on the weekends. Time gets away from me.
@MichaelJenkin 5 years ago
@@JohnStewien Oh dear, the human condition. I have this as well :(
@alexmindr1075 3 years ago
Thank you Michael! The part where you looked into functions imported from a DLL was especially interesting. Now I'm having a problem with decompiling a DLL being used by a simple exe. In a nutshell, that DLL exports a few dozen functions but my exe utilizes only one of them. Can I use Ghidra to patch the DLL so as to drop all unused functions? It would be nice to have a video showing how to shrink a DLL so that it contains only the functions used by a specific exe.
@SpaceSpice 4 years ago
Do you have a video here on the channel with DLL decompile by Ghidra?
@MichaelJenkin 4 years ago
No, not yet. Many of the DLL files I have seen of late have been DotNet and there is a great decompiler for DotNet already. I will have to poke a little more with DLL files. They are really just stored code (executable code) called on when needed, so the structure and the way Ghidra behaves will be very similar.
@eddiejackson4227 5 years ago
Thanks for sharing! -MrNetTek
@MichaelJenkin 5 years ago
You are very welcome
@davidmauricio8886 3 years ago
I'd like to figure out how to change a program from using a HLP to using a CHM for its help.
@dineshmehta633 1 year ago
GOOD ONE SIR
@ericmoreno1747 5 years ago
Hey, great video, very excited for more
@MichaelJenkin 5 years ago
Thank you. I appreciate the feedback.
@adrianmiszczuk8061 4 years ago
Do you know maybe a nice website for learning reverse engineering? I watched your video about Ghidra and I'm using it on my own; sometimes I learn from the program documentation (Ghidra), but anyway I'm looking for the best site to learn reverse engineering. I'm asking the professional. If you want to ask what language I use, it's definitely C++
@MichaelJenkin 4 years ago
Hello, everyone is at a different level with different skills. Recommending what is good for me might just frustrate you. My best suggestion is to join the reverse engineering group on Reddit. Don't jump in with questions as they already have loads you can read about in their posts. Once you know more about what level you are at and know the level of questions to ask, then jump in and ask. Be careful as they are a great group but do prefer it when people think about their questions before blurting them out.
@megamind2924 4 years ago
Hello sir. I have an exe file which I can't decompile because it was not made by .NET or C#. Can Ghidra decompile it? I'm really hoping I could get a reply from you. BTW, that was a good tutorial.
@MichaelJenkin 4 years ago
Hello, thanks for the question. You can decompile into "approximate pseudo code". The C code it produces can't always be recompiled. It is a guess that the Ghidra program makes to try and give you code to do approximately the same thing as the binary it sees. The more reliable way to read it is in the less friendly assembly. I don't think Ghidra will produce results reliably that will do what you need. It will get close and then rely on someone to tidy up what it produces.
@boris.utjesinovic 3 years ago
Please help, I play Alpine Ski Racing 2007, and I want to change player names and stats. With QuickBMS I enter this setting but I can't reimport the file; the exe file needs a PAK file. I am a noob in programming...
@onelaugh5660 3 years ago
Can you tell me how to remove malware from an exe file? The thing is I want to use that program but it has malware that sends my data to the hacker. How do I kick the malware out and still be able to use the exe? Please at least tell me what to search for to learn how to do it myself. Please sir @Michael Jenkin
@ReversingHub 4 years ago
Very interesting, thanks! Keep it up dude!
@MichaelJenkin 4 years ago
Thank you
@courtneymarie1895 4 years ago
I have a question. You seem very knowledgeable when it comes to such things; is there an email I could get in touch with you at?
@MichaelJenkin 4 years ago
mickyj@mickyj.com
@RixtronixLAB 4 years ago
Thanks for the information, cool :)
@MichaelJenkin 4 years ago
You are very welcome!
@kewkabe 5 years ago
Eh. IDA's done this for years. All it really does is label the CRT and Win32/64 kernel calls. The generated C code is actually harder to follow than the assembly, IMO.
@MichaelJenkin 5 years ago
Cool. I need to borrow your assembly skills ;)
@tbordelon6867 5 years ago
Agree. If folks want to see a real tool that's very robust, check out IDA Pro. It makes this thing look silly. The generated code from this is crap.
@dieSpinnt 4 years ago
@@tbordelon6867 Actually, if you are a reverse engineer, a skill you should probably have is writing your own tools and having a good oversight of creating software. With that it is easy to extend the functionality of Ghidra and extend its core, because it is open source. You are welcome to participate. IDA provides its SDK and IDA-Python scripting for this essential task. For $879 to $3944 you will receive your ida.key license file. It's easy like that. So what are you complaining about? That there is diversity and a free alternative? That you are unable to write a filter and a decorator? That "silly" is a rock hard term to describe software and yogurt? Nice try, Mr. Guilfanov ;) (I am joking.) Please do not take this personally, because it is unfair of me posting this 10 months later, when Ghidra development has got traction and you now have access to analyzers and scripts from many people on GitHub.
@DerriStudios6969 3 years ago
Can it open .xbe files and .xex files?
@MichaelJenkin 5 years ago
Have I covered everything you would expect to see? Let me know in the comments.
@MichaelJenkin 5 years ago
@pfifo fast Yes, this is called "Shift+Delete" on the old program and moving to OBS Broadcaster. Many have commented and I have listened! Thanks for the feedback
@sensoryoverload4667 5 years ago
Are you able to use reverse engineering to get full access to customizing a program? If I were to say and recommend this to you, it can help form into a video idea, because some people relative to me would love to stylize their own programs, and maneuvering in, say, your own custom user interface can be satisfying, eye-pleasing, correct. Because you would feel that "oh, this plugin is MINES!" and that you can turn a dankish outdated program into its updated self.
@remasteredretropcgames3312 3 years ago
@@MichaelJenkin Send Morpheus. Gotham needs your help.
@remasteredretropcgames3312 3 years ago
@@MichaelJenkin Out-of-license retro games with encrypted executables are Satan incarnate.
By any chance do you have a Discord where I can possibly contact you?
@monkeytrident 3 years ago
He works for the NSA now bro!
@ggre55 3 years ago
I always wanted to disassemble software
@MCircuits 4 years ago
Ok, I may not know how it works, but I have a question before I try going with the reversal of a code. Can this manipulate and remove the name on the software when the executable file has finished installing on Windows? For example, I have an application installed and when opened it shows "Virtual Reality V3.0 by Mcircuits". I want to remove the "by MCircuits". Can it be done in Ghidra? The file was made by VB.NET Express 2010
@MichaelJenkin 4 years ago
Hello, if the name is in text (ASCII) or you know how it is stored, you may be able to edit it in a hex editor. If you can understand assembly language, you can edit the raw code. If you disassemble it with Ghidra you have two problems. The first is whatever changes you make, you need to recompile the code. The second, the decompilation with Ghidra is a guess, an approximation. The code might be broken and not recompile. If you know how the executable was compiled (e.g. dotNet) then there are other better specific decompilers. So the answer to your question is a firm maybe, based on the file and what you know and how much time you have.
@freakindividual 5 years ago
excellent thank u
@MichaelJenkin 5 years ago
Thank you for your feedback
@corycourtney8923 5 years ago
Next time, no music. It's not doing you any favors.
@MichaelJenkin 5 years ago
Done! Was it too loud or distracting? BTW, thanks for the feedback!
@corycourtney8923 5 years ago
@@MichaelJenkin The sparse music that was almost noise around 8 mins in took away from what you were saying. The stuff with the drum beat wasn't as bad. Just an opinion.
@MichaelJenkin 5 years ago
@@corycourtney8923 Yeah, but your opinion counts. It was free music from KZbin. I dropped it to -20 dB and pumped me up by 10 dB and it sounded fine in the editor. Then I exported and noticed it seemed a lot quieter. It was a long video and I did not like the idea of exporting it again. I should have. Thanks for the feedback.
@ronraz8697 4 years ago
The background music is abusively distracting!
@MichaelJenkin 4 years ago
Agreed. I no longer use music. Thanks for the comment. Others that also found it painful educated me and I have listened.
@logiciananimal 4 years ago
That's not the code to main(), that's the code to what *calls* main()
@MichaelJenkin 4 years ago
Thanks for pointing that out. Sometimes between preparing, scripting, practising, recording, editing and posting, I goof. It's a lot of work and I am certainly not perfect. Thanks again for pointing it out.
@jefferywilkins 2 years ago
The audio/video is WAAAAAAAAAAAAAY out of sync on this
@duterteshadowmu5926 4 years ago
Hello sir? Can you please teach me how to crack a file. Reply comment for your help. Thank you.
@MichaelJenkin 4 years ago
Hello, I have two answers for you. Firstly, each file that needs "cracking" is likely going to be cracked a different way each time. The only real way to crack a program is to observe what it does in the environment through many and various monitoring tools and then hope to be able to reverse engineer it. The reverse engineering would involve learning C, learning assembly, learning how the file structure works, what it depends on and experience with working with many different types of files. Not really something I can teach over KZbin. There are so many reference resources to go through and so many different processes involved. Secondly, due to piracy, intellectual rights and ownership, I would be reluctant to crack anything. Hacking/cracking and the like normally involves someone trying to avoid being a legal owner of a product or trying to make it do something that is outside its technical design or licencing. I would not do this. Thanks for your comment and sorry that I can't assist.
@ahmedbellil5161 4 years ago
Why always crack easy executables??? Do the hard one
@MichaelJenkin 4 years ago
This was a very early view of the product and how people can use it. Many others have completed decompilation of much harder EXE files. I am not attempting to compete with their genius.
@skyzone9324 4 years ago
Regards
@MichaelJenkin 4 years ago
You are welcome
@treyv6804 4 years ago
🦍
@MichaelJenkin 4 years ago
Not sure what that emoji means. Very small on my screen.
@treyv6804 4 years ago
@@MichaelJenkin It's a gorilla. "King Kong"
@MichaelJenkin 4 years ago
@@treyv6804 Nice!!!
@UrbanCha0s 4 years ago
So you are actually telling us nothing, other than basically if we don't have the uncompiled version, don't bother.
@MichaelJenkin 4 years ago
Hello, at the time this was filmed, it was a new product and this video was just an intro into that product and the basics of pulling things apart. For me, the usefulness is in finding out how malware works. For others, they want to take things a lot further. We all have different goals. There is no time to build into the videos how to use assembly code, fix issues in the pseudo code in C or how to pull down a whole EXE into code and re-engineer it. There are a few other KZbin channels that assume the basics (like my video shows) and then go on to deeper dives. I am not there to compete with them. For those that have the backgrounds, skill sets and time and want to pull things apart and recompile, there is enough in this video to quickly get into Ghidra and take it further with the training they already have. If you want to go further, I would suggest subscribing to the reverse engineering groups on Reddit and reading/watching the posts and comments and learn. I am sorry if you did not get anything from my video; I take that on board and will try and provide better content from your and other comments. If you don't have the uncompiled version of something, unless you can read and write assembly code, the produced pseudo code (whilst it gets better and better) is only a best guess by the decompiler at what it is looking at. Programmers can use encryption, obfuscation and other debug-aware tricks to make working from the code you see very difficult. Not impossible, just very difficult. There are algorithms (e.g. blowfish) that can make decompilation extremely difficult (if at all). Many EXE files can also be compressed and Ghidra is not going to decompress it for you. You need to recognise what you are dealing with, decompress if you can, get the code back to the raw binary before tricks were done to it, then decompile and hope it is not encrypted etc. For what I do, I have found 1 in 5 EXEs were not worth decompiling.
In those cases, from monitoring the environment in which it runs (on a test PC) I get the answers I need in other ways. I hope my reply makes sense to you. Thanks again for taking the time.
@UrbanCha0s 4 years ago
Music very off-putting. Closed video after 10 min, really annoying.
@MichaelJenkin 4 years ago
Thanks for the comment. Yes, I have learnt from your comment and many others. Thanks for watching the 10 mins.
@tobiasoffical9600 5 years ago
Hey, nice video! Please change your intro, it is lagging. Greetings
@MichaelJenkin 5 years ago
Thank you. Yes, I am aware about the audio but can't fix it without uploading a completely new video. I might have to at some point.
@TheAmazeer 4 years ago
All over the place, too many things, where is your source code in the cracked source, after 18 min I quit
@MichaelJenkin 4 years ago
TheAmazeer, fair enough. Thanks for your comment. It was early days for the product and we know it much better now. Thank you again for your comment.
@leozendo3500 4 years ago
My friend wrote a virus and I can't disassemble it. Give it a try? It displays a full-screen coverup and locks up your computer. It does not do any damage. But it is hard to disassemble or reverse engineer as 1) it is inflated af and 2) it uses a driver virus and I have zero experience with that. I think the idea is it works to lock up your disassembler so you can't reverse engineer it. You may need to patch out the driver. Here is the binary: drive.google.com/drive/folders/1RKBMqbPTIWrPKH0Xeo149kD8cUkHqgdg?usp=sharing
@MichaelJenkin 4 years ago
Many viruses have code within them to detect if they are being debugged. I think dumping the virus straight to assembly is the best way around those things. Many are also encrypted or rely on external bits of code to form the complete program. I would refrain from suggesting that your friend "wrote" a virus. In most places this is illegal. As it suggests it is not malicious, it is more of a software tool that locks out a PC that is hard to disassemble. It is a challenge in reverse engineering, not a virus (I hope).
@fivethreeone2132 4 years ago
bruh your mic is fucking loud my ears
@MichaelJenkin 3 years ago
Hello, thanks for your comment. I am sorry it was too loud and I promise to do better in the future. Thanks for stopping past.