WEBVTT

1
00:01.810 --> 00:03.310
Hello and welcome back.

2
00:03.310 --> 00:06.640
In this lesson, we are going to write our first program.

3
00:06.970 --> 00:10.030
So open the x64_template.EXE

4
00:10.030 --> 00:16.660
file that I provided for you or the one that you create yourself using x64dbg.

5
00:17.020 --> 00:20.770
And make sure you use x64dbg and not x32dbg.

6
00:21.400 --> 00:23.350
So just select it and open.

7
00:26.590 --> 00:29.470
So now you can scroll down to the entry point.

8
00:30.190 --> 00:36.730
Entry point is where you see all the—the right-hand column here showing all the text files.

9
00:37.240 --> 00:41.020
So over here, the first column is your memory addresses.

10
00:41.020 --> 00:43.210
Second column is your opcodes.

11
00:43.390 --> 00:51.010
Opcode is the symbol in hex which is the encoded form of the instructions.

12
00:51.010 --> 00:59.590
And the third column here is your conversion of this opcode into human-readable text.

13
01:00.010 --> 01:02.920
This is the assembly code itself.

14
01:03.100 --> 01:07.540
The right-hand column is the comments column.

15
01:07.540 --> 01:14.560
And the comments column contains comments which you can enter yourself, or comments which x64dbg creates

16
01:14.560 --> 01:15.190
for you.

17
01:15.220 --> 01:23.050
For example, over here you can see x64dbg interpreted this string here as a string:

18
01:23.050 --> 01:24.250
"Enter an integer."

19
01:25.240 --> 01:30.580
So to find the entry point, just scroll down and then look for the -.

20
01:31.060 --> 01:33.940
And there is all this string here.

21
01:34.300 --> 01:40.540
Then the next thing you want to do is to zero out all these.

22
01:40.660 --> 01:43.300
So select from here to here,

23
01:44.350 --> 01:48.700
and then right-click and then "Fill with NOPs."

24
01:49.000 --> 01:49.900
Click "OK."

25
01:50.470 --> 01:52.750
So we have all the NOPs here.

26
01:52.960 --> 01:55.450
So NOP stands for "no operation."

27
01:55.450 --> 01:56.980
The code is 90.

28
01:57.670 --> 01:58.750
Hex code is 90,

29
01:58.750 --> 02:05.410
which means that whenever the processor sees 90 as a hex code, it will not execute anything.

30
02:05.770 --> 02:08.230
It will just slide through all the way down here.

31
02:08.710 --> 02:11.380
So now you are free to enter your own code here.

32
02:11.680 --> 02:15.790
So the first code I'm going to show you is the MOV instruction.

33
02:16.150 --> 02:20.620
MOV instruction moves something to the register.

34
02:20.620 --> 02:24.220
For example, you want to enter an instruction here.

35
02:24.220 --> 02:32.410
You press the spacebar here and then you type "MOV" and then the name of the register and then comma, followed

36
02:32.410 --> 02:35.260
by whatever you want to move into the register.

37
02:35.680 --> 02:38.980
Suppose you want to move the value one.

38
02:38.980 --> 02:41.110
So you put hex one.

39
02:42.220 --> 02:43.540
You can just put one itself

40
02:43.540 --> 02:46.210
also, or you can put 0x1.

41
02:47.080 --> 02:48.880
Then you click "OK."

42
02:48.880 --> 02:51.130
So now it's going to move one to -.

43
02:52.330 --> 02:54.040
So this is the source.

44
02:54.040 --> 02:57.070
This is the destination, and this is the instruction.

45
02:57.520 --> 03:01.090
So now in order to see this working, you have to put a breakpoint.

46
03:01.480 --> 03:07.900
So we can put the breakpoint by clicking the line here, right-click, "Breakpoint," "Toggle."

47
03:07.900 --> 03:12.760
So you see this red highlight indicates that there is a breakpoint here.

48
03:13.510 --> 03:14.860
And then now we can run.

49
03:15.280 --> 03:18.040
Once you click "Run"—this is the button for run—

50
03:18.040 --> 03:19.600
it will hit the breakpoint.

51
03:20.230 --> 03:24.820
Then you can step through it line by line using this "Step Over."

52
03:24.820 --> 03:26.470
So you can step over line by line.

53
03:28.780 --> 03:30.040
It goes to the next line.

54
03:31.310 --> 03:33.890
Then step over.

55
03:35.240 --> 03:36.410
It goes to the next line.

56
03:36.830 --> 03:38.300
So now we are here.

57
03:38.300 --> 03:42.440
If we click "Step Over" again, it's going to execute this instruction.

58
03:42.620 --> 03:45.380
So it's going to move one to -.

59
03:45.830 --> 03:46.490
OK.

60
03:46.490 --> 03:50.150
Somehow it changes it back to -.

61
03:50.150 --> 03:51.560
But that is OK.

62
03:52.880 --> 03:57.080
That is OK because the source value is small.

63
03:57.080 --> 03:57.710
It's all right.

64
03:58.190 --> 03:59.090
Leave it as it is.

65
03:59.510 --> 04:01.820
So now you will see the - is here.

66
04:01.820 --> 04:07.010
This instruction is going to move one to -, and then step over.

67
04:07.010 --> 04:09.230
Now you see one is there.

68
04:09.890 --> 04:13.430
So everything is zeroed out and then left one in the first byte.

69
04:14.690 --> 04:20.420
So this "move one to -" is actually moving one to the whole register.

70
04:20.810 --> 04:22.010
It's actually -.

71
04:22.010 --> 04:25.910
But for some reason, x64dbg changes - to -.

72
04:27.840 --> 04:30.750
So this is the first instruction which does nothing,

73
04:30.750 --> 04:34.350
simply moves it to the one, the value there.

74
04:34.470 --> 04:39.180
Now if you want to move to another register, you repeat the same thing.

75
04:39.510 --> 04:40.170
MOV.

76
04:42.820 --> 04:47.110
This time we try a bigger number: 0x—

77
04:47.680 --> 04:49.420
uh, maybe

78
04:49.420 --> 04:56.080
1122334455667788.

79
04:57.040 --> 04:57.610
Sorry.

80
04:57.610 --> 05:02.800
You need to put the destination, comma, followed by the source.

81
05:02.950 --> 05:05.350
So we're going to move this hex value to -.

82
05:05.350 --> 05:06.460
So we click "OK."

83
05:08.710 --> 05:11.530
And now you're going to execute this: step over.

84
05:13.390 --> 05:19.060
And you see this time it doesn't change this to - because your source argument is a big number.

85
05:19.060 --> 05:22.720
So that's why it maintains the register - here.

86
05:23.380 --> 05:28.540
So after you execute this instruction, you notice - now holds this value for us.

87
05:29.050 --> 05:35.770
Now if we were to move something back into -, it's going to overwrite whatever was there.

88
05:35.770 --> 05:36.730
So let's try this.

89
05:36.730 --> 05:37.900
Now let's say we move—

90
05:40.560 --> 05:44.370
uh, -, let's say you move something big as well.

91
05:44.850 --> 05:46.440
Um, 11

92
05:47.250 --> 05:47.460
22

93
05:47.460 --> 05:51.150
334455667788.

94
05:55.250 --> 05:57.230
Let's put the 0x there.

95
05:58.730 --> 06:03.320
So 0x is a prefix to indicate that this is a hex number.

96
06:04.310 --> 06:04.940
Click "OK."

97
06:04.940 --> 06:07.820
So now we can execute this and watch what happens to -.

98
06:09.650 --> 06:11.390
Notice it didn't change this to -.

99
06:11.390 --> 06:12.950
Now step over,

100
06:12.950 --> 06:15.200
and you see that now - got this value.

101
06:16.430 --> 06:18.920
We can also move register to register.

102
06:19.010 --> 06:27.080
For example, if we want to move - to -, we can do it like this.

103
06:28.070 --> 06:33.560
Press spacebar, MOV, the destination, comma, followed by the source.

104
06:35.560 --> 06:38.200
Click "OK" and close this.

105
06:38.230 --> 06:43.750
So now when you execute this instruction, whatever is in - will be moved into -.

106
06:44.260 --> 06:47.590
Now - has got a value of one—

107
06:47.590 --> 06:49.510
so let's run it and see what happens.

108
06:50.470 --> 06:51.310
Step over.

109
06:52.000 --> 06:55.120
And now you see - also has got this value.

110
06:55.120 --> 06:57.160
So we can move register to register.

111
06:57.190 --> 06:59.860
You can move constant to register.

112
07:00.250 --> 07:04.240
Later on, I will show you you can move memory to register as well.

113
07:04.270 --> 07:08.470
So in a future lesson, I will show you how to make use of memory.