So happy to hear you enjoyed; Thanks so much for watching!

CONGRATS and great work! More coming very soon ;-)

I guess not happier than me "patching" Ultima II game for Atari 800 XE/XL and finally adding joystick support to it 😊 (it was keyboard only)

You are too kind, Pat! I am wishing you back the same - thanks for the positivity and I'm so glad you enjoyed!

*William Knight Appears* "There is no such thing as a coincidence." (So glad you're here and hope these help!)

Same 😂

@@jeFF0Falltrades Infact, I started watching your older "Roller Coaster Tycoon" video (as I am interested in the debugger-functionality combined with Ghidra), and meanwhile I wanted to check what your activity has been otherwise. Got so happy when I saw that you made a return just now. Tonight won't be a night of sleep. I guess.

@@JWAM As someone who stayed up well into the wee hours recording this class - Know your limits and take a break if you need it when it comes to sleep 😂 Hope you find it helpful and invigorating though 🍻

Thanks so much! Comments like these keep me inspired to make more!

Great observations and questions! To your first, Ghidra is doing a bit of unseen “manipulation” here to increase readability - it replaces local variable offsets with a readable name, but also makes it a bit confusing doing so because - as you said - it can look like you are subtracting or adding when you should be doing the opposite. In reality, if you open up the line containing [esp + local_18] in a debugger, you’ll see that instruction actually becomes [esp + 4] which is what we should expect after moving ESP at the start of the function. To your second question, I believe you are correct in that this is just a “compiler-ism” - it looks like it just wasn’t optimized, but I’m not qualified enough in the realm of compiler optimizations to say if or why this may be the case with certainty 😆 Thanks for the great questions! Let me know if anything else doesn’t make sense or needs clarification.

Congratulations! Not only is finishing the series itself an accomplishment, but that understanding throughout the crackme is incredible. You should be proud and I hope you continue to practice and - most of all - have fun with it!

I’m so proud of you! It takes a lot of investment to go through these videos and especially to do the crackme! I see you on the Wall of Fame now and it’s well deserved - Congratulations and best of luck as you continue learning, and thank you for including me in your journey and for the kind words!

Comments like yours are what keep me going - thanks so much, Peter! And congratulations on springboarding off of the videos to do some RE and solve the challenge!!! You should be proud! I hope the videos continue to challenge you (and I hope you had fun too :-))

I’m just here to have fun, hopefully teach something, and make memes. Thank you for the sentiment ❤️

So happy you found me here, Saugata! Thank you so much for the kind words and hope it was all helpful.

It really is helpful. I am now trying to solve the challenge flag question.

Ahhh this is a good catch! You are correct! I will add this to my pinned comment as a correction - thanks so much for catching that.

@@danielabay01 So glad you are enjoying them! Thanks so much for the kind words and for being here!

Thank you so much and thanks for watching!

Thank you so much for the kind words; Your excitement is contagious! I appreciate your patience throughout this one and hope you enjoy this final portion! More will follow, without a doubt.

@@jeFF0Falltrades I'm very happy to hear that! I'm planning on dedicating my evening to this video. Learning something this complex has been a lot of fun.

@@pandemiclevyraati4540 Even in the most frustrating of RE tasks, I’ve always found the fun in the challenge of putting the puzzle together. It sounds like you have the same sentiment, and I hope it carries you forward as you continue learning and excel!

Be careful what you wish for…lol glad you enjoy! Hope they are worth the investment!

You don’t have to beg - More coming soon 😉

Good stuff - hope that inspo continues on to great things for you

What the heck?! Thank you for telling me because I thought I had it enabled! Should be working now - not that I ever expect it, but I also have a BMAC link on the channel. Thank you so much for watching and so glad to hear you enjoyed! We actually have another one of these coming up this month, focused on malware analysis, with another challenge!

@@jeFF0Falltrades Done. I ended up using buy me a coffee instead since I saw that the cut for that is 5% whereas youtube's is 30%. Thanks again!

@@Gaspa79 You didn’t have to do that but not only do I appreciate the donation, but the extra step of looking at the cut percentage is truly kind. Thank you so much and I hope you continue to enjoy the content!

Thanks so much! So glad you enjoyed!

I’m content just reading comments like these - Thank you so much!

🙌

Hahaha, well as per usual, I filmed this all at once, but this time around, I thought the format of the 3 major sections in this class lended itself to be split across 3 separate videos (there was also a lot more editing required for this one than my previous vids). I'm so glad you're enjoying this series though, and comments like these tell me the work is worth it! And while I intend to go back on break for a bit now that this one is in the books, I'll be back soon with something new :-). Thanks for watching and thank you for your support and kindness!

Phenomenal question! It is because the ENTER instruction - even though it saves a few instructions of assembly - is very slow due to its implementation, and so most modern compilers will skip it altogether. LEAVE, on the other hand, is not as much of a hit on performance, and so it has remained a popular choice for stack cleanup.

@@jeFF0Falltrades thank you. Interesting answer. I wonder why it is so slow 🤔👍

So happy to hear you enjoyed! Thanks so much for watching!

I mean I would say use both in conjunction - similar to how Ghidra gives you the side-by-side, it can save a ton of time to see the pseudocode while confirming what’s going on in the assembly. I would say someone serious about reversing should still learn assembly and be able to understand what’s happening when the pseudocode may be wrong or doesn’t make sense, but as a learner, I think it can help a ton in filling knowledge gaps to have both available. Great question and thanks for watching!

Yeah, I’ve mostly used Ghidra to learn it a bit myself, since I had just recently moved from primarily using IDA when I recorded this, but I’d be up for using some other tools in future videos - any specific ones you’d like to see, or just more IDA?

​@@jeFF0Falltrades Is SoftICE still a thing?

@@PhreakDarkSoul I think SoftICE is pretty much dead post-XP, but looks like there’s an OS project called BugChecker that has supposedly taken its place.

Thank you for watching and I hope you enjoy! I want to say my first delving into assembly was in 2013/2014 or so at uni, and RE not too long after. But I didn’t seriously start diving into reversing until after I had my first job in malware analysis/triage ~2016 and i got lots of practice in subsequent years. Thing is, there is no timeframe where it all clicked - I learned as I went and I’m still learning; you all keep teaching me stuff via the comments on these videos, for example haha.

@@jeFF0Falltrades Oh, you've done this for a long time. I'm only about five months in so no wonder I'm clueless sometimes.

@@tumpes2636 HA! My brother - That hasn’t changed for me at all over time 😂 Just be sure to give yourself grace and come back to it when you feel overwhelmed :-)

Do you have a time stamp? Want to see exactly which part before answering

It's because the compiler decided it should be that way. It doesn't really matter

You can actually see a bit about DLL injection in my Solitaire video on this channel - we do exactly that, but with a very small troll mod to XP solitaire! Let me know if there are more specific things you’d like to see in a future video though!

@@jeFF0Falltrades Thank you Jeff, will check it out right now! the answer is probably yes i will need something specific because i am trying to do some complex stuff but i need to invest some time in learning the basics first. When/if I hit any interesting bottlenecks i will drop a line :). Thank you again for the descriptive videos!

@@jeFF0Falltrades Not sure if I understood anything wrong, but you used DLL hijacking, not dll injection in that video. DLL Hijacking is getting your dll to get loaded rather than some other dll that the process would load otherwise DLL Injection is similar, but instead of overriding some dll that the process uses, you get the process to load your new dll alongside other dlls. This does not replace any other dll, it loads a new one. This is done by injecting the dll into the process, usually in the following method: - allocate memory on a process (VirtualAllocEx) - write the path to your dll to that allocated memory (WriteProcessMemory) - create a thread on that process (CreateRemoteThread) which calls "LoadLibrary" to load the dll path allocated to memory above DLL Hijacking hijacks a dll that the process uses, replacing it with your own dll DLL Injection loads your dll, and doesn't replace/overwrite anything else

Thank you so much! I’m glad you enjoy them. I think I understand what you’re asking, but let me know if I’m off base: I think you’re asking is it realistic to study languages like C/C++/assembly from the angle of reversing software made with those languages rather than focusing on learning them for the sake of developing software/tools/programs. I would say you can *to a degree* - trying to reverse without knowing some common patterns used in development will make the journey to learning reversing more difficult, but I don’t know if I would say it would be impossible to do. I would say if you’re passionate about reversing, pursue that as far as you’d like, and when it seems like things are taking longer to understand, maybe take a step back and focus more on learning the high-level development concepts. Hope that makes sense too and best of luck in your learning journey!

@@jeFF0Falltrades It did, thank you for reply Have a nice day!

Actually, I'm dumb, after reviewing part 1 @42:44 of this tutorial, you explain it very well.. For example if I have something like: lea eax, [0x12345678] Instead of moving the value at memory address 0x12345678 to eax,, We're literally going to to put the value 0x12345678 into eax.. So, for my previous question: LEA edx, dword ptr ds:[eax + 1] We're literally going to to put the result value of eax+1 into edx

I was just about to respond and saw you found it yourself - Exactly right! LEA is oblivious to whether it’s using a pointer or a raw value, so you can use it to load an actual address, or just as a shortcut to do multiple arithmetic ops in a single instruction. Well done in finding the answer! And hope you enjoy the series!

@@doelhasan7310 In this video, we were using 10.2.3

🙌 NICE! Thanks for watching!

I love you too, total stranger ❤️

Thanks again for this (and I mean sincerely - I appreciate candid feedback and I get scared when I only hear praise or general feedback) and your other comments. I'll also add these clarifications to the pinned comment in hopes that will help others who may have been confused by these segments: 25:08: Apologies for not calling it out; You're right in that it's important for beginners to understand the "why", and I think I was focused on switching to demo'ing it in the debugger and glossed over the extra instruction: This kind of "duplicative instruction" can happen due to compiler optimizations - Different compilers can hold themselves to different "guarantees" and rules around how they compile code, and I think in this instance, we humans can see that the extra instruction is not needed, but the compiler decided for some reason to include it. Why? It's very difficult to say without knowing a LOT about how the compiler is written to work. It could be accounting for optimizations in speed, or scheduling of instructions, or because it uses some standard pattern of instructions for this type of loop, and applies those rules regardless. 25:45: Apologies again as I was not as focused on the decompilation view vs the disassembly view in this segment. To answer your questions: The 0x34 is added to ESP because that happens to be where this array was placed on the stack by the compiler: 0x34 == 52 in decimal, which divided by 4 bytes is 13, so you can think of it as there are 13 other 4-byte segments between ESP and the array, which are other values on the stack. But put more plainly, the array starts at 0x34 past ESP, so we must add 0x34 PLUS our index*4 bytes (because every int is 4 bytes) to access each element of the array. Now (2) and (3) of your question are interesting: The additional "+ 3" of the decompilation you see there does not appear in other decompilers I used, and it's likely just a case of the decompiler "hallucinating" - meaning that it tried to decompile this segment, but realized the way it decompiled the address to the array was out of alignment, and so it compensated by just tacking on a "+ 3" to make the math work. Sounds silly, but this is why decompilers are not perfect. To see this practically, you can check the values in the debugger: The decompiler says that auStack_4f should be at EBP-0x4f But in the debugger, if EBP is at address 0x9FFB98, EBP-0x4f would be at 0x9FFB49, which is right after the first byte of a DWORD, so the decompiler adds 3 more bytes to align the array to the start of the next DWORD (4-byte) address. In reality, the array starts at EBP-0x44 in the debugger. That value makes more sense because according to our disassembly and decompiler math: auStack_4f + 3 should equal ESP+0x34 auStack_4f+3 should actually be auStack_44 because when we make that change, the math works: ESP == EBP-0x78 auStack_44 == ESP+0x34 == EBP-0x44== EBP-0x78+34 == EBP-0x44 == EBP-0x44 So why did the decompiler misinterpret the disassembly? Again, could be a number of reasons based on the decompiler logic/optimizations. I know that was a long answer to a short question, but please let me know if that helps, and I will add this to the correction pinned comment as well - Thank you again for calling out some great clarifying points!