[Live] GHIDRA HYPE!! - NSA Reverse Engineering Tool

Captions
So this is just a quick, spontaneous stream; I hadn't really prepared much for it. Ghidra was just released. It's a software reverse engineering suite of tools developed by NSA Research. A lot of people were waiting for it, you know, people were hyping it up, and we are basically just checking it out now for the first time. I think the talk might have already finished; it was presented at RSA just like an hour ago or so, and I just downloaded it, made sure that I can start it, and I just want to, you know, explore it on stream a little bit. I do want to say that other security people are also streaming it. For example, MalwareTechBlog is live on Twitch. He definitely has a lot more, I guess, reverse engineering experience than I have, especially of course malware reversing, I've never done that. So if you're interested in that, go check him out; he's already, you know, deep into it, probably more interesting at this point. So it's MalwareTechBlog on Twitch. And then we also have cerulean streaming right now, checking it out. He is very experienced with Binary Ninja, so he is kind of comparing how it goes against, like, Binary Ninja, how that is going, so I can also obviously recommend watching him. He also has obviously quite some experience with reverse engineering in general, and, you know, seeing this comparison is pretty good. Yeah, otherwise I'm just gonna check it out now. Like I said, I've already downloaded it and made sure that it seems to run, it's fine, I haven't really fully started it, and I have just quickly got some test binaries to test against. Oh, "editor" was a binary from the DEF CON CTF, so it's just a regular Linux binary if I remember correctly. Then we have the Ledger firmware, so that would be an ARM firmware, and a C program, but statically linked, because I want to see how it handles a statically linked binary, which glibc... does it have, like, does it recognize? Four security people are right now also looking at it, so look at Twitter and look here
at MalwareTechBlog and cerulean on Twitch as well, how they are exploring it. Yeah, yeah, let's check it out. Okay, so... did you know... and saw tables, you can... okay. Oh yeah, I'm doing it, right, oh yeah. Okay, so that's it, I have no clue what I'm doing. Okay, so I guess this is the full Ghidra. Okay, so we have the Ghidra help here. Thanks, guy. "Where's he live?" Maybe that's... "Don't get backdoored", he wrote. I could also maybe quickly shout him out, because I just stumbled over him as well. I was looking for Ghidra tweets and I saw this tweet of his that he was thinking about streaming, so I hope he will also stream what he promised here; that would be amazing. And then I also found out that he also makes several YouTube videos. I just tried to find here the YouTube link. Yeah, videos, so go check out his channel, Gamma Labs, as well. Very cool, very technical, way more advanced videos than I'm doing. "You made a key trade days"? Okay wait, I need to check this out. [Music] That was incredible. Oh my gosh, this is awesome. Well, I am so glad that I just went on your YouTube channel. Yeah, I mean, I guess good chicken as well. And as a reminder again, other people are streaming right now as well: there is cerulean, who has a lot of experience with Binary Ninja, so you will see probably a lot of comparison between those tools, and I think that is super interesting, so check him out. And MalwareTechBlog, who obviously has a lot more experience with reversing than I have, so probably also a lot better content over on his Twitch channel, because I have no clue what I'm doing, and I'm also just like jumping on the hype train. "When is it releasing?" It is released, I have it downloaded. You can also download it on ghidra-sre.org. And yeah, again, okay, so I don't really know where to start. Okay, now, there we go. Okay, no active project, new project. Yeah, somehow also you have like the sharing thing, that you can collaborate easily with other people. Okay, just one. Okay, oh wait, I
think it was like with drag and drop; I saw a cool animation already on Twitter. Okay, I know. Okay, so, uh, "editor" was an ELF binary if I remember correctly. How cool. Okay, so you could also... okay, you can change the language and compiler specification if you know it better, I guess. Yeah, okay, options. "I heard it was written in Java and ran incredibly slow." Yeah, I guess I also heard, so cerulean talked on his stream that it was apparently very slow, so I don't know. By the way, is the stream lagging or is it all fine? Because it shows like the stream health being, like, yellow. Yeah, yeah, whatever, I don't know. Let's see how it just by default behaves. Import results, okay. All right, is it doing something? Oh, that was the animation I saw on Twitter, okay. Oh, "it has not been analyzed, would you like to analyze now?" Yes. Okay, "Aggressive Instruction Finder: finds valid code in undefined bytes that have not been disassembled. This should not be run unless good code has already been found." Yeah, this is literally a linear sweeper. Is this even, like, talking... I don't know, "more aggressively", I guess. "Hit tool client green during"... yeah, yeah, whatever. "Decompiler Parameter ID: this can take a significant amount of time, turned off by default for large programs. Creates parameter and local variables for a function using the..." Oh hell, I would kind of like to see that, but let's keep it default; we can maybe enable that function later and see how it improves maybe the output. "You missed bad reverse"... oh, I did? Last L? Okay, thanks. "My voice is low"? Okay, wait one second. Okay, a fair warning for everybody who has turned me up like crazy: I will now increase the microphone gain. I will increase it, and increase it, and increase it, and increase it. Okay, is it better now? Let's see if it works. "Do you think you can trust an NSA tool?" Yeah, I'd trust an NSA tool. Is it better now? That's as much gain as I can give. I can also bring the microphone closer, but then it's like hanging in the view. I mean, I don't care, but I'm just saying.
Anyway, okay. "What is Ghidra?" Ghidra is... check out this link in the description of the video. It's a reverse engineering tool developed by NSA and just released at a conference, and there are also other streamers linked in the description that you can check out. "Okay, much better." Awesome. Also, like I said, I will not be online for much longer; I'm just, like, checking it out basically. It's 2:00 a.m. here, so maybe go to the other streamers that are US-based right now. Okay, so what do we have here? Okay, so the ELF header is still here. Let's see, did it find... okay, so these are the sections, program tree. Okay, so here are functions that it found, imports, okay. It doesn't say that it... okay, exports, functions, labels, classes, namespaces, okay. But I mean, it's a C program, so I guess there's not much. "Why did you remind me of the time?" "Will you make a separate video on Ghidra?" Well, I'm sure, like, if it's a useful tool, and especially free, that it's something I will... you know, if I have something where I use it, I will make a video. I don't have anything planned; I mean, I don't know what it can do so far. Okay, anyway, so let's see, does it find main? Okay, so it finds a main here. I have to say, somehow the font and like the boldness and colors, I don't know, I mean this is like unnecessary UI criticism, but I don't know, it feels like I'm not really focusing on the assembler; it's like all the stuff around it is very distracting. But maybe I could get used to it. Oh, and here's the decompiler right there. Oh right, that was also Objective-C, and now I remember, it was Objective-C compiled for Linux, now I remember. So Objective-C has kind of a non-typical way how to basically call functions on stuff, so this is, I guess, kind of a bit uglier, but look at these names that it recognized here: file contents, open file. Oh, it might have had symbols, I don't remember. How can I see if these were like symbols? How do I know if this was stripped or not? Does it say somewhere? I don't... maybe
I should have selected a binary where I know if it was stripped or not. Okay, see, somehow... "Any thoughts on the RCE?" Yeah, I heard, if you start it like in debug mode. I have no clue if this is debug mode, but I don't know. Yeah, it sounds funny. I like how even here you can see that Objective-C comes from NeXT. Okay, okay, I'm pretty sure this was compiled with symbols. I mean, dude, this is not made up; I think that would be a bit too crazy. Like, I mean, I'm just like, I don't know what I should be doing here. I think, wait, let's close this and actually load the Ledger firmware, because that's the last thing I was actually, like, working with, and I remember more, like, what I'm looking for. And now I don't remember the... well, now I don't know what it was. What was the endianness? I forgot. I would see what happens. Can we go like... okay, I think it was like ARMv7 or something like that, but can we say that we want 16 bits right away? Base address was eight zero zero... okay. That T variant, I don't know if that... I don't know enough about... yeah. I don't think that the binary was stripped. "Why not take a break, go to sleep?" I was just like, you know, the hype, other people were streaming as well, so I thought I check it out as well. I mean, it's just a casual stream; I just thought it would be cool to... yeah. Okay, it's not been analyzed yet, but this is like... the address size is wrong. If I hit "yes" now, it will... I mean, it most definitely will screw up, so that's not... Can we change this? It's simple, I had this, disassemble Thumb. Okay, so let's go where we know where it's code. If I remember correctly it was... oh my gosh, now it's hanging. Okay, but okay, I think code started here, so let's see, disassemble Thumb. Okay, you like space, okay. [Music] Cool, processor manual... okay. How does the graph, the function graph... oh my gosh, I mean this clearly doesn't look right. [Music] "Do you use it directly?" Oh, it's a VM, but I mean this VM is running with 3D
acceleration as well. "I just came here, is it any good or just old?" I don't know if it's good; I mean, it looks fine on the first view, but I mean, I have no clue how to use it. So, edit... how do I say that something is data? Oh cool, okay, so we can press P for pointers, like mark a lot and press P. Cool. This is wrong. Okay, so the, mmm, the endianness is wrong, because this here should be a 20... oh, I also got the base address wrong. Yeah, okay, okay, so let's reload this. Close, don't save. So then it was little endian, I presume. "Are we going to see a video?" Maybe, I guess, eventually; I don't know yet. No, okay. Oh, look at this, now it recognized the interrupt vector table of ARM. Ah crap, I forgot to set the base address. Can I remap this? Processor options. This is awesome; I mean, so IDA did not automatically... I mean, to be fair, I only have like a bit older IDA version, I don't have a current valid license. But see here, supervisor call, reset and stuff that it has, this is pretty cool. Anyway, the base address is obviously wrong now. "So what is it exactly?" Oh, it's a reverse engineering tool, so a disassembler, decompiler to reverse engineer binaries, created by the NSA and just released, so I'm just, like, checking it out right now, you know, it's just like trying to figure it out. And this is the Ledger firmware, you know, from the recent video series. "Have you ever tried the IDA decompiler?" Uh yeah, I've obviously used it before, but I don't have it, so yeah, I thought about buying it, you know. Yeah, I have nothing else to spend money on, I don't need a car. Yeah, okay, so I need to remap this somehow. No, it's a... "auto analysis". Oh wait, I remember, wasn't there like a simple table in the window? I think there was a memory map. Can we change this here? "Expand block by setting new end address"; I can't set a new start address, and this is also not where I am, like ROM. "Move a block to another address", ah cool. Okay, so it was... okay, nice. Okay, so now this analysis is gone again. It assumed, I guess, that it
starts like from zero, and that's why it did like this automatic... Why did I get the loading address wrong again? Oh crap, move here. Okay, now it's an address. Okay, and now starting from here, disassemble Thumb. Now it's finding a lot of functions. Yeah. "Good night." "You are one of the developers of Ghidra?" Oh, that's crazy. Yeah, write me. I mean, if you have something that I should check out and highlight or something, it would be cool. "How hard would it be to reverse an FPGA bitstream format?" I don't know, it depends on, I guess, everybody has their proprietary bitstream format; I don't know, I mean, just a lot of proprietary stuff. "I wonder if they are using this as a way to get the security community to do part of the research for them." "I'm packet capturing the VM while you are doing this." Packet capturing, oh yep, there will be a lot of people looking at what this tool, like, communicates with. I don't really care, to be honest. "Is it going to be a video?" Oh no, it's just like, I'm just checking it out because it was just released. "I need a dark mode." There is actually, apparently, I saw from malware unicorn somewhere you can like invert the colors or something. Oh yeah, other people are streaming it as well, let me shout them out. So MalwareTechBlog, who obviously knows a lot more about reverse engineering, is streaming right now, so check him out, I guess. And cerulean, who is also comparing... oh, he got the slides, I guess, version... Ghidra track? Oh, that's slides from a class, interesting. Okay, yeah, check him out; he knows a lot about Binary Ninja, so you will hear a lot about comparison, and they are already way deeper than me, and I will not be able to stream for very long, so maybe just go straight to them. And you know, this will be in the archive anyway; you can check it out another time. "NSA's Ghidra, like, yeah, I think it's fair to be a little bit suspicious." Yeah, I mean, but suspicious about what? I mean, I highly doubt that they would put a backdoor in this and just release it,
because people will figure that out, and then people would freak out; that would be insane. I cannot imagine them doing that. I don't think that I know more about the tools, and I think MalwareTechBlog knows these kinds of reversing tools way more; I mean, he's doing reverse engineering. "It's not a hint, it's a leak." And it's a release today. "Everyone has a motive." I mean, they were stating their motives on the slides, you know. I guess it's like in general with open-sourcing tools or public research in general: sure, they give this to other people as well, but they will also benefit, with people implementing plugins and helping improve it. So when it's, like, public, it will also strengthen yourself, you know; it depends on what kind of strategy, I guess, you want to go for. Let me show that link here. Yeah, okay, yeah, cool. Okay, so this is the entry function, and this is here also where they should check the F00DBABE... so here it referenced a boot sector thing. Let's see. Okay, so let's see, like, renaming. So this here, okay, and it's not "rename function", "rename fragment", I guess not. "Edit label", L. Okay, so that would be a string. [Music] Oh, oh, I just accidentally... "there is already such a symbol" now, well, whatever. Okay, so here it references that, so renamed in here. Ah, I really want renaming inside of the decompiler. Okay, can I also highlight this and rename this label from in here? Yeah. "I've read on Twitter that they haven't released the source code yet." I mean, the paranoia is fun, you know, it's fun too. I mean, it's a funny joke, you know, saying that, I mean, we are all now on a list of potential people to watch for, you know. "You can press L." Yeah, I figured out that you can press L, but maybe that's not intended; maybe you are not supposed to change around here, but in here maybe. Is it referenced somewhere? "For the fun: RCE over debug port, apparently." I mean, it is a shared... it's for sharing, right? It's the same thing with, like, IDA. IDA
also has an RCE if you enable, like, the remote debug stuff, so yeah, I don't know. Yeah, okay, so this is also cool: so this is, you know, a special instruction that Ghidra... so, Ghidra, the name, by the way, is it the correct pronunciation, "Gee-dra", "Ghidra"? So it, like, replaces it with a name of what it represents here, and I also noticed that when I click around here, it highlights which line this corresponds to in the assembly. Yeah, yeah. And then it compares here, and then it calls this function referenced there. Can I click on here? Okay, okay. "It's called Ghidra", okay, cool. So here we head into this. Cool, look at this here. So this is the... let's see, how can we get the display, function graph. So this is the function graph that is, like, initializing the RAM with, like, copies. Look at this loop animation, this is awesome. That's, you know, like, their UI, kind of, or user experience things that a lot of tools share, you know, like colored arrows depending on, you know, if cases and stuff like this, but animating, like, the direction the code flows, that's the first... "Could you please use dark mode, my eyes can't watch the sun?" No. "I guess Ghidra Pro is the NSA-internal version with maybe more tools than are public, you know, all the plugins that they've written to reverse engineer other nations' malware samples faster." I can't send... this many responsible people, I don't know. I can't, like, I guess I add you as a moderator or something; maybe then you have, like... maybe this allows you more rights. Thanks, by the way, for hanging out and answering questions to people, it's really cool. Okay, yeah, so this is like this initialization routine. Let's see, the syntax is quite interesting, like with these arrows. So what does this... like, how does it get this data, like where do these function values come from again? Okay, so r4 is... okay, when it says pointer data, okay, so wait, so this is four three four... okay, so this is pointing there. Okay, so I'm just like
trying to figure out, because if this is already directly the destination address, so to say, that is loaded in r4... if that is like... yeah, okay, so I guess it loads 8002f74 into r4. Yeah, r4, okay, so this is this address then, in... okay. So they actually have, like, some kind of, I don't know what the terms are, tracking, like they know that r4 is this, so that's why it, I guess, starts pointing there, and then r3 is initialized with 0, so I guess that's how they were able to do this. "Can you save your progress?" Yeah, why not, you know, save. "It's recommended using graph view, decompile." Okay, okay, so in here I can press L. Okay. "So what can you tell me, like, to my two students?" Um... oh wait, now it works. Okay, wait, wait. Cross-references... how good did I get... okay, like, how do I move back, navigate back? Press Ctrl+Up? Okay, so now I was able to press L in here; I don't know why it didn't work. Oh yeah, now it works, okay. I don't know, maybe it was just bugged or something. Okay, let's go. Okay, that's awesome. How can I get cross-references opened? It has xrefs somewhere, I'm sure; I'm just not able to find it. Of course it must have xrefs. Oh, "limited flows"? Oh no, no, okay, no, that was something... no, I did something wrong. Okay, no, it's gone again. "Select off flow"? I don't know what that means. Yeah, I know, I mean sure, only what's highlighted; it was highlighted, it just didn't react, but I guess, maybe, I don't know, yes, something was screwed up, I don't know, but now it clearly works. But I do want to go back. Okay, navigate, maybe one of these up here; it's probably a window, right? Cross... maybe not. Call graph? Okay, so over the call graph... I don't know, it's like what it calls, right? It's not where it comes from. Oh, it's definitely not gonna be my hard work, I will be lazy. "Interesting, is it?" Oh, back. There we go, Ctrl+;... okay, I don't know. "You can press X." Ctrl+0? "For me X worked." I'm pressing X and nothing happens. Ctrl+X? Yeah, I also pressed Ctrl+X. Okay, this
this was Ctrl+Z, it wasn't Ctrl+X. I just changed, like, here the... oh no, crap, now I'm back again. Oh no, oh no. Okay, like, okay, that's not what I wanted. Forward, forward, forward, okay. I do have one question, maybe Brian Tremblay, if you are here right now, because I'm wondering. So the question I have is: when I accidentally loaded this firmware at address zero, Ghidra was automatically recognizing the interrupt vector table from ARM and was, like, really nicely listing "this is reset" and whatever, and then I moved the memory map upwards to a different start address because I loaded it at the wrong address, and now it's not there anymore. Can I tell Ghidra somehow to, like, analyze starting here as an ARM firmware or something like that, if that in some way makes sense? I'm also not sure that... re-do the analysis? Okay, let me just do this, let's see what happens. Maybe it already did that, I'm not sure. Yeah, okay, it was so quick; probably did that already. "You can..." Yeah, okay, but the thing is, so when I loaded it at address zero accidentally, Ghidra was just, like, automatically having the interrupt table, and then I moved it, and even if I reanalyze it now, it, like... it disappeared after I moved it, these labels that Ghidra automatically had listed for it, and now, like, reanalyzing it, it doesn't work. "You want to change the SPs?" Oh, mmm, good, I said maybe in here, no, these are just... maybe it's also in here. Yeah, yeah, maybe it's not specifically with ARM, maybe it's in general, you know, like, if you move memory around, could you say, like... I could imagine you would unpack a malware, it would unpack a PE or an ELF file somewhere in memory, and for whatever reason you want to tell Ghidra "starting here is an ELF binary"; does something like this work? I don't know, it's probably a stupid workflow; you probably want to, like, extract it and have it as its own file. But I don't know if that is even a workflow that makes sense, but I wonder if you can, like, say "okay, here is like that
kind of data structure". I don't know if that's, you know, reasonable, I think. "Where's the base pointer, you mean?" I guess, I mean... oh, "image base", okay, memory. Maybe if I set this... if I move this also at the same... oh no, okay, no wait, this was adding a new... you know, something what I want. Look up "set image base" in the help, good idea; that's what help is for. [Music] Oh, maybe we can... one achieve their suspicions... okay, so maybe that's like a... oh, what happened? There's a specific ARM... I guess, like, in a way I changed the image base, right, I moved it up. It's just like that Ghidra assumes that only when it's at physical address zero, then it would have the interrupt table there, but we expected it to be at address zero here, and... okay. Well, let's head back here again. So this is, you know, so we can press, like, L, "ram init", let's see. So this is... this would be... yeah, it's just like... can we also say it's a for loop? Okay. In a way, I would wish that it would highlight every, like, the var with the same name, so that I can quickly track where it's, like, set or where that's coming from. So this is 43c... okay, so that was definitely not i. Okay, I know. Okay, wait, I wanted to go back to... delete, we type... I don't know. Okay, so I guess this is gonna be a pattern, so of course this is i, and now it's a duplicate name because this was not updated here, and now I press L, and I can't change this here. Now I press L, and I can't change this. Now I can't even rename it back to i. Okay, wait... ooh, I know, we have undo, for God's sake. There we go. Okay, so now it's back to normal, so wait, we want no... and I want to navigate back with Alt. Okay. "Or the fact that you can't..." Okay, I didn't know, yeah, that would be a welcome thing; I thought maybe it's a design choice that you don't want to highlight it everywhere. This is not where I wanna be, I don't know. Okay, so navigation is still very confusing to me here. Let's go back here, okay, like this. So why did this happen now? This was var5 before, or did
this... okay, wait, when I changed this to a name, it automatically renamed... that might be a bit confusing, that it automatically, like, shifted the numbering down now. I think... no, it isn't that confusing, but I just noticed that it also calls it iVar6, so I guess Ghidra recognized, hello, integer variable, and that's what it stands for, not... it didn't recognize... "It's a little thing, you can't have variables with the same name." Yeah, the problem was that I had this i, and then I thought, oh okay, wait, let me show you what the bug was. I renamed this to i, and then I realized, oh wait, this is not i, so I went in there, tried to rename it, renamed it to this, and what happened was that this changed, but this stayed i, and I couldn't rename this. Now it works, like, I don't know, I mean you can watch in the recording, I guess, when you go back. Now this also changed, but it stayed i before, so it was that kind of buggy crap. Okay, back to... no, okay. I mean, this is maybe also the wrong name; this is more like a memory offset here, plus four. "The type of the variable is reflected in the prefix, and the suffix is the interpretation type." Okay. And var3 was... where? Okay, var3 is, you know, this memory location here. In a way I wish that this would be maybe, because this is just a straight assignment, right, that it would maybe... I guess it gets pretty long, but just to already straight up reflect what it was, like, that or something. I don't know, I guess it gets pretty long. "I guess it gets very hairy if it's actually an integer pointer." Yeah, I feel like that's a design choice, that one, yeah, yeah, sure. Yeah, and then we are just, like, loading that here, and then we write it into var4, and in every loop we update var4 here. I mean, this decompile is pretty clear so far, and it worked on ARM; I mean, this is awesome. And here we have just... cool. Okay, let's check out the next function. So this one had, like, all this initialization stuff, and then we had this loop, this while, if, the button presses stuff,
what's happening. I mean, this looks now kind of crazy in here, but cool. Okay, so, like, at the end, the ORing of flags onto this value here is, like, reflected here nicely. No, I don't think that this is what I... Ctrl+Up? No, Ctrl+Up is not working how I imagined this to work. How can I go just, like, back where I was coming from? And you said X would be xrefs for a cross reference, but this doesn't work. I can press X, I guess; uh, now I realize, now I see them here, but this is all not where I was coming from; I'm completely wrong, this is not where I wanted to be. Okay, wait, so here's the rows. Okay, it was doing i plus four, but then i is moved here, see, this is not a pointer, this is, like, just a number, it's added on here, and this is the address plus this offset, and this is then dereferenced and put in var3, and the same way i is used here again, where var1 is also an address, so here's an offset. "Ctrl+Left and Right navigate." But does it not show up in here? Left and right, let's see. I feel like these kinds of hotkeys are a mismatch between your version and the version we have, because Ctrl+Left and Right is not doing anything for me, in the same way that X for cross-references is doing nothing for me. Is it, like, a configuration? I'm not using VNC, it's just a VM. Oh, Alt+Ctrl? Okay, yeah, yeah, this works, cool. Okay, thank you. So it's then also Alt+X? No. Okay. By the way, Brian, I don't know how much you can say, but I've seen that, you know, like, was this tool also used by some universities or so? I think I saw, like, a training that a university... I'm not sure where. "So Hex-Rays still beats the decompiler, or what?" Yeah, I mean, this looks okay, this does look pretty clean, you know; I don't know, from this function flow here, this at least, I mean, this isn't an easy function, but this looks perfectly fine, right? You have very nicely the flag modification here and stuff. I mean, I guess this could all be still optimized, I don't know, these are all separate. Okay, yeah, you can
rename in there. I mean, yeah, but so far, I mean, this is usable. "Yes, the use of the tool by certain..." Okay, is it now unclassified, or was it before? Because, like, we didn't, like, hear anything, but it was at that time still used at universities a little bit? Yeah, I saw that they are listed here, but it doesn't... yeah, okay, no, it's fine. "It does seem to do a better job, and test the limits on..." Yeah, I mean, let's say I wouldn't be surprised if the Hex-Rays decompiler is much better, just because it had a lot longer time to mature, but you know, I don't know. Oh, don't be sorry, no worries. "Is it right enough to compile?" No, I mean, no, you need to define, like, this would just be a symbol, a variable name; you would need to then actually, you know... this is not enough to compile it again. Yeah, okay, so here's the while-true loop, and here we have somewhere the button presses, I think. Yeah, these were the... so this was a button press function. By the way, this is the Ledger firmware from the recent, like, video series that we did. Okay, so this, I mean, this is just readable, right? Like, you would label those masks, I guess, okay, and then we would recognize this like, I guess, an I/O bank or something; I don't know if that's a correct name for something like this. I really wish, if I press X, then a window would open with the cross references, and then I could, like, click through with the arrow keys and, like, code, or something like that; that's why I'm complaining on something I shouldn't really complain about. Yeah, here we also see a little bit the active auto... I don't know these terms, information, but remember that it was, like, building the address dynamically: it was loading here hex 90 into r0 and then it was doing a left shift of that by hex 17, and then that became the parameter, and Ghidra already unfolded, or, I don't know what you call this, but got it already just straight there, so that's really cool. "Yes, this is Ghidra." Yeah, I would also, if maybe I hadn't plugged it for a while...
Uh, is he offline? Okay, MalwareTechBlog is or was streaming Ghidra for a while, and cerulean, I don't know if he is also still live, but cerulean is also streaming, so go check them out, and there's this amazing song and some as well. The links to these other streams are also in the description. [Music] Yeah, cool. Okay, so it's reading, like, the button press. Like, I don't remember which one was, like, the left button, but just call this button one and call this button two. So then we see it reads, like, the state of both buttons, and so if button two is zero or button one is zero... oh no, it's ANDing them too; it's, like, shifting the one over. Can I say that this... all right, this is just unnecessary, but I was wondering if you can say I would rather have this as a shift left rather than a multiplier, but I mean, who cares about that in the end. But so this is now a combined state of the buttons, shifting it left one and then ORing it together. "Brian from the..." I think I made you a moderator, so I think you should be able to unhide your own links, I guess, when you post them. "I haven't compared Hex-Rays for ARM versus Ghidra yet." Yeah, I mean, I have absolutely really no experience with that at all. Like, I am NOT a professional reverse engineer, and I don't have Hex-Rays, and I don't have any professional experience with that kind of stuff, so I really can't speak from that position, like how we use it for this. I assume that NSA was using it to do these kinds of things; I think that it performs reasonably well, I think that is fair to assume, and I guess it's also fair to assume that IDA might be, just because it was longer around. I mean, we don't know how long this has been in development, but I feel like that might be more mature just because there was more community input than in this tool here. Yeah, it didn't seem to be mad at me when I linked it, okay, weird, and I don't know how that all's... stuff. Oh, John Hammond is also streaming, yeah, awesome, reverses... unfortunately... okay, yeah, awesome.
Yeah, go check him out as well, I put him also in the description, I guess let's put the channel down there. "We need more releases of tools with marketing like this", you know, like the gaming industry has figured this out. It was fun to be a bit hyped for a little bit and have multiple people stream and share the stuff, that's quite fun, I do want more of that. "Ghidra decompile is better, any comparison?" Hi, disconnected, nice to see you. I don't know, look at this, so this is the ARM decompilation of this firmware here, and this looks... I mean this is not a very complicated function in that sense, but this looks reasonably good. So what I haven't seen yet: so Hopper is another low-cost disassembler and it also has a decompiler, which I can also recommend, and for YouTube and stuff, and sometimes because I don't have Hex-Rays, I often use the Hopper decompiler, and on some functions it works very well, but on others it has problems properly matching the if cases or the loops and it will use gotos, and as soon as you have gotos you lose this understanding of the flow of the code and it becomes very annoying to look at. So Hopper is like a hit-or-miss kind of thing, and I haven't seen these kinds of issues here so far; these things look reasonably nice. "I've been on a few other channels but 1:20 I'm spreading the love", yeah, awesome, yeah, thanks so much for answering questions and hanging out. Again, if you have any cool stuff to show around, you can always write an email or something. "Can I analyze axon source?" I don't know what axon source is. Okay, yeah, here's a loop counter again, yes, again an address. "Would you generally prefer Ghidra or reverse into to decompiler?" So my thing is, I'm not a professional reverse engineer, I don't have that much experience with it, so what I usually do is I use either Hopper and Binary Ninja and sometimes radare, and often I open the same binary in
all of them, because sometimes I feel more comfortable making progress there, and sometimes I use the decompiler in Hopper, sometimes I use the nice call graph from Binary Ninja and stuff like this. So I'm very much an amateur when it comes to reverse engineering, but from what I've seen so far, if you get a bit used to this, honestly, if you figure out the navigation, this looks, for CTFs, something like this already... I would say this looks really excellent. "Never heard of this program, is it new?" Yeah, it was just released like two hours ago or so, you can find the link in the description, it's free. "Reverse engineering is easy, just takes patience." Yeah, there are some weird constructs that you maybe have to know or figure out, especially with hardware and how it interacts with hardware; I would say this gets really annoying and maybe difficult at times. But yeah, I mean this code is really readable, what it produces so far. I have no clue where I just went, oh, this was this function, yeah, I don't remember what this was. Hmm, so we can rename this, shit, I think... was this the function where it had the food babe check? I feel like it should highlight where this is, I always have to look at the address here, a1e8, and then I have to look at here. So this is the food cape. So this is also really cool right here, the MSR register instructions and stuff like this, Ghidra knows what this stands for. Like, I would have to look this up in the ARM reference, I don't reverse-engineer ARM enough to remember this; I guess people who do this often know this, but I don't, so I would have to look at what this actually does again, and Ghidra recognizes it checks if the privileged mode, I guess like ring zero or whatever it's called on ARM, is enabled, so, you know, it disables the interrupts here. This is really
cool. "But what are you reversing?" So what I'm looking at here is the firmware, the Ledger firmware from the recent video series, just as a test of how Ghidra... just as the first test, this was the first thing, maybe. Okay, so now we checked out a bit the decompiler and the disassembly; maybe let's check out a bit more what kind of functionality there is in the windows, maybe. So what do we have, we have a console, the console's down here. Scripting, okay, it doesn't seem like it can... okay, probably you have to load the scripts from somewhere else. Okay, so we did check out the function graph, but we were told that this is not the intended way to do this, but look at these loop animations, that looks so cool. Oh, I also see that it gets faint; why does it get faint? Hmm, interesting, probably has some meaning. This feels a little bit sluggish, it doesn't feel as [Music] cool, but we were told that this slot... oh, look at this, a neat loop to itself, nice. Is it a seven build you back there? Okay, what else do we have, oh okay, listing, is this here, program trees, okay. So this doesn't make any sense, I just want to check it out, like what happens if I pull in here another binary; this doesn't make any sense, right, I just want to see what happens. Okay, no, no, okay, this didn't do what I was hoping for, I was trying to load a second binary. Oh yeah, but the memory map view, we could also create RAM, and I think it was here, I guess, I don't remember how long it was though. Yeah, I don't know, okay, yeah, so that's cool. What else do we have? Oh, patent... I should also go to bed, it's 3 a.m.
Everybody is talking about the remote code execution in Ghidra. So what I've seen, what I've read, is that it was like the remote sharing stuff, I don't know. I think it's a stretch to call it... I mean, I guess it is an RCE, but, you know, making it sound... simple mobility or something. Okay, cool, register manager, oh wait, okay, no clue what that means. Script manager, oh cool, examples, ARM, oh, that is maybe cool. Let's try to quickly go to the big switch case where the APDU commands are coming in, I think that would be cool. It's one of these functions down here, I think this was, and maybe this, yes. Can we open, edit, edit with basic editor? Let's have a quick look at how it looks. Can I drag this out? Okay, I guess that crap... import ghidra... wait, why are you writing in Java in here? "My thoughts on it?" Very positive, looks cool, I mean it's a bit weird to navigate so far because I'm just not used to it, but so far pretty cool, I think. What's this? It really does look visually different from others; I have a hard time quickly recognizing if this was the APDU handling stuff or not, but it looks like it. Oh, here's a goto, okay, so here I guess it's also kind of failing, oh well, huh. And now it's a switch case, it's fair, they do recognize a switch case, oh yeah, this looks like the APDU, so yeah, here's the APDU check. Okay, so this here was the APDU buffer, and then look, oh yeah, this is great, look at this. So I mean it checks the first byte; I guess this could be nicer, I mean my complaints are not really complaints, right, but here it has a switch on the second byte where it checks the type of the APDU command, and this here's a proper case 0, case 1, case 3, case 4, and in case 0 there are these other commands, and then it would look at the fourth byte, that's again, I know, the fifth byte is another case of commands here, you know, it passes in the buffer over there. "concat", what is that, a function for... oh, okay, no
clue what that function is doing here. "Have you slept yet? Have school tomorrow?" Well, you can tell your teacher that you will look at the new NSA tool, right from NSA, and they will understand. "Is this the code of today?" Yeah, this is the Ledger firmware, just as a test, because this is the most recent thing I looked at, so it's easier for me to check a few other things. Okay, so cool, I'm impressed by these switch case statements here. Yeah, okay, so this is cool. I should really go to bed, but I feel like I do want to check out quickly the other examples I have here, so let's close this and try another binary really quick. So this was a regular ELF binary with symbols, 64-bit, but statically linked, so it's pretty big, so let's see what happens. I mean, pretty big at contents, let's see. "It looks like Michael Cera", no. "Do you have a decompiling printf positional?" Okay, yeah, this is gonna run now for a while, I guess. This is a binary for an upcoming two-part video I'm doing; it was just a small Linux binary that I was writing, right, and I statically linked it for something. "Why are you running your targets while doing static?" I mean, I'm not running anything. "By the way, does this have a debugger?" I don't even know. "How is this pure reverse engineering without debugging?" I didn't see a debugger or debugger integration here, I guess it's purely static reverse engineering; I think that's the intention of this, right, I haven't heard anything about debugging. "Yeah, no debugger." I'm sure somebody will write debugger plugins, as it looks so extensible, I'm sure somebody... oops, what's that, I pressed... it's working. Oh, we should also try out the assembler, but let's... okay, wait, go to main, very cool, look, okay. So this is a simple C program that I wrote. We should also check out a C++ program; do I have anything C++ on here? I don't know, okay. Yeah, so this was just a program, it has all the symbols of course, but I mean this code looks nice, you just have to
rename these local variables. It is checking what you entered; I mean, for CTFs in essence, what more do you want? I mean, this looks really great. Here I have some malloc stuff, I mean this is weird, what is this doing here, and some, let's see, weird stuff, like I don't know what the compiler did there. "What do you think of it?" I think it's really cool, it looks really great. Navigation and stuff is still a bit weird, I'm not used to it, but I look at the decompiler and it produces pretty nice code. I do wonder... I'm also an amateur in reverse engineering, my main usage will be on CTF binaries, I guess, and so this is okay. I'm really curious to hear what MalwareTech and others are saying about this tool for malware reverse engineering, when you have to deal with packed binaries and these kinds of things, if this is a tool you would use for that. We did try the Ledger firmware and it was producing nice decompilation for the ARM firmware. MalwareTech, yeah, I saw that, I was shouting him out earlier, his link is also in the description, but I think he stopped streaming, I guess, yeah, he's offline now; maybe the recording is available, so maybe check that out, somebody who actually has a clue talking about it. cerulean is also offline now, but John Hammond is still online, so that's awesome, so go to him, it's also in the description, link below I think. And let's go back here. Yeah, I don't really know what to do right now. I'm really impressed, this looks really... I want to check out the C++ program; the question is just where I get one from. I guess we could load Chrome or something like that; how do I know where Chrome is located here on Ubuntu? I don't know. Mother take a lot to get a steak. I should go to bed. "The decompiler can handle obfuscation at least with me unprotected", ah, okay. Others
would want to work, let's see, is this the binary already? Okay, so here we have the Chrome binary. "It kind of looks like Michael Cera", it's so funny, so many people say that. [Music] Okay, let's let it run for a moment. Alright, maybe it would be cool for a video to look at the Pwn Adventure binary again; I guess I'm also more familiar with that, to see how... yeah, I think that would be interesting, a fun Pwn Adventure, maybe a small little update. The link to this tool is also in the description. "I guess I use mostly Mac as my main OS", but I'm using everything, I mean right now we use Linux, but on a Windows host, so I use everything. Okay, I mean this is still disassembling, it's not even decompiling yet. Why are these names shortened, how can I make them longer? But this looks already... I don't even know, I don't have any other tool on here, I've got Binary Ninja... no, I don't know, hmm. It is stripped, okay, so there's no regular debug information in there; I know it's a weird... I don't know what this is, yeah, I have no clue. I am just trying to find a random function in here to look at. Okay, so here we have a random function. Oh, look at this, you can't see this, wait, let me move my picture; at the bottom right it says here "scanning for AU embedded media" or just a flash or something, what does it say again, "scanning for AIFF media", so it was actually looking for different file types and stuff inside of this binary, interesting. Can we list those somehow? I mean, this kind of code looks pretty clean; it requires, I guess, something more thorough, you know, if the decompiler... look at this, this looks like HTML parsing, XML parsing, see that, did we just randomly find an XML parser in here? I mean, there's a lot of this kind of stuff going on; those are clearly objects or structs and stuff that it is acting on, and I mean this is kind of ugly. This is
another thing that we'll have to figure out a little bit: how do you define structures, how do you define your own classes, because I mean these are all definitely classes and structures, following pointers and stuff like that. Yeah, so I mean this is, in that sense, kind of ugly right now here, because it works on offsets and doesn't recognize members of a struct or class. I wonder if it has this kind of stuff built in already, like discovery of classes or something, or if it will change the output of this at some point when it analyzes this, so that instead of offsets it will have, I don't know, we will see. "I wouldn't expect it to be able to determine object shapes anytime soon." Sure, but, you know, maybe it would recognize... okay, so I mean it recognized types, so it could, you know, automatically guess that this is not just an offset but the param is an object, I guess, or a reference to a struct, and at member 38 we have a long. "That type system is severely lacking." Okay. Listen, Steve, not really, I guess. I mean we only have the regular function graph; by the way, what's a call graph? Oh, I also saw, I remember I wanted to check this out: create a snapshot copy of this decompiler window. Okay, interesting. "It only recognizes integer types and sometimes pointers to them." Well, here it references char; code is definitely an interesting type, I guess it's just a void pointer. It's pretty slow with decompiling, oh, there's a percentage, I cannot wait that long, right, I should really go to bed. "How are xrefs for you?" Can you tell me how xrefs work, because I see here a cross reference, but just like an xref window or something, and also I haven't had... I guess wait, let's open the other binary again, this one here, ah crap, this is the static one, it will take so long, okay, wait, it's closed, I have to close all. Okay, close all, close... the editor again.
That is a pretty small binary, here we can also do this. "Yeah, you're right, we should try the not-not-not API help here." This is what I wanted to... "pitch my friends, hello." Right mouse area on the code, show... okay, yes, this works. For our miners, we just had a little bit before, I had a look at the Ledger firmware actually. References, and am I blind? Oh my god, so Rufus, oh my god, wow, things about God, I said, um, okay, cool. Okay, so now you said strings; okay, let's look at strings, I haven't looked at strings yet. It said like a string, this view, does it maybe show up in here, defined strings. I mean, here's for example a string, maybe, let's see, okay, so here we have... okay, xrefs for references, so it doesn't show, I guess, xrefs like this, I guess you can only have it here. "cutting kilo was Apple of fist again", I have no clue what that means, I didn't know that Apple is obfuscating something. "Window to find strings", thank you. So this was again a binary from the DEF CON CTF finals in Las Vegas, from, you know, that story, if you remember that as a video; so that was like a small editor and you could deal with files and stuff. Oh, thanks, alter ego, thanks so much, and I don't know this currency, what is that, Mexican peso? Okay, yeah. Oh, okay, so it doesn't show xrefs for strings, yeah, that's weird, I don't know. print_jpeg, but here's a function... close this. This is a bit ugly, look at this, printf here with these parameters: int, but nope, it's a uint, but nope, it's a ulong. So here, I mean, it was with debug information, so look here, that's actually pretty awesome: width, no, identifier and length with JPEG header, and I don't actually know what is included in the debug symbols and stuff like that; I guess this was a struct. Edit function, edit data type, ah, cool, oh, you can just add data types and then say it would: offset, length, type, name, cool, and then you just change the type to that, and then I guess that works, neat. So if I
remember correctly, I mean it's like half a year ago, right, when we did that, and we looked at this in IDA, IDA did not get these structs properly displayed like this, but maybe I'm wrong, maybe it was just my IDA level, because I only have an older license, and also without the decompiler, but I also feel like, I don't know, I feel like these symbols were not included. Maybe I should have prepared more and had tools installed here, I know, but let's say there are debug symbols available, like this properly says all the types, that looks pretty cool. Okay, but this function doesn't have cross... okay, now something is going on with the cross references, because there are clearly cross references for this function, so it wasn't our [Music] wait, it was right-click, references, edit... okay, oh, there's no... hmm, okay, let's go to the same strings again. Okay, references, show references to address, okay, so here, okay, so xrefs to strings seem to work. "Yeah, I'm on a 6.8 I think, not 6.9." I can't type my password here, it doesn't make sense, you're on camera, okay, whatever. Yeah, references, "add and edit references", it's not "show references to address", and then what I get... what you mean, yeah, I don't know, I guess references is just general references, you can generally reference stuff from here, it has nothing to do with to or from, I guess. Told you, the xrefs... yeah, there is no shortcut for show references to address, very weird, but okay, so this is how we get there. Yes, you know, there was IDA, and still Hopper, Binary Ninja and radare existed even though IDA was like perfect, you know; this is here and I'm sure this is great, but I'm sure that so many people are so experienced with IDA that, maybe... it definitely is competition to IDA, I would say, but, you know, all the professionals right now, they don't just move from one day to another to this. However, I do think that this definitely
will help the new generation that can't work with IDA, you know, for the basic reverse engineering work it seems to do very well so far. Yeah, I can totally see it's definitely a threat, I would say, competition. "What do they lose if it turns out to have backdoors?" Well, I would say a national crisis: if they distribute malware to professionals all around the world and then it would turn out that there was an NSA backdoor in it, I think that would cause quite some international controversy. Yeah, you can write scripts, there's a script editor here with examples, and I looked at it for a second and it was super weird, because look here, what you write is like this Ghidra script and then you write Java in here; this is kind of weird, I didn't even know how this works with... yeah, the scripting looks kind of weird, but we will figure that all out soon in the future. Okay, I want to do cross references here, where is this "show references to", okay, jump. Okay, so here's an easy call, fancy print, here's, I guess, the main, and remember this is an Objective-C binary, so print... yeah, print format takes an NSString, so see here it's got the type, the input is an NSString, so this is a string in Objective-C. C versus input handled. So here are a few gotos; gotos are really ugly, what a handling, like here, they jump down here or something like that, that's really kind of annoying. This is where, like, Hopper sometimes has nice decompilation and sometimes crappy, but the crappy decompilation is when it can't properly resolve the if cases and loops and stuff like this, and then you have a lot of gotos and the code basically becomes unreadable and you lose the advantage of the decompilation. To me, ultimately the biggest advantage of the decompiled code is that you see the general structure with all the ifs and stuff, and gotos kind of ruin that.
However, in this case it might just be that all of these just jump out of this loop, so these gotos are probably just like a break or something. "Click mouse wheel to highlight all", I said... oh, really? Wow, nice, thanks, that's awesome. We had earlier somebody in here, apparently a developer from Ghidra, and he said that it's a known bug that it doesn't highlight when you just click on it, but the fact that you can just highlight it when you click it like this, that seems perfectly fine to me. I mean, it isn't producing nice decompiler output for all these Objective-C message lookups; like here you see objc_getClass gets NSFileHandle data, and then it's just a message lookup, and yeah, so Hopper for example, I think, because it also aims at Objective-C, would deal with that much better. Or what is this kind of type, what is like E... [Music] it's a cache entry, okay, cool. Yeah, okay, I guess I think I will stop streaming now, it's like 4:00 a.m., I really need to go to bed. I just wanted to have a casual checking it out on stream, I thought it would be funny to go on the Ghidra hype train. I guess I linked three channels below in the description that have streamed earlier or might even still be streaming, so head over to John Hammond, I would say, he's continuing checking out Ghidra; I think he's doing an actual challenge, so with a bit more aim than what I'm doing. And I think check out the recordings from brilliant and motovlog, who both also looked at Ghidra. Okay, yeah, thanks so much, see you soon and good night.
Info
Channel: LiveOverflow
Views: 112,591
Keywords: ghidra, nsa, rsa, reverse engineering, tool, decompiler, decompiling, dissassembler, disassembly, reversing, ida pro, hopper, radare2, binary ninja
Id: qtoS3CG6ht0
Length: 122min 7sec (7327 seconds)
Published: Wed Mar 06 2019