WEBVTT

1
00:01.680 --> 00:03.180
Hello and welcome back.

2
00:03.180 --> 00:10.290
In this lesson, we are going to take a look at conditional jumps in the context of x64dbg.

3
00:10.830 --> 00:20.340
The two most common jumps you will find are JE and JB, or their opposites JNE and JAE.

4
00:20.790 --> 00:26.040
You won't see JZ or JNZ, nor will you see JC or JNC.

5
00:26.160 --> 00:28.440
So these are actually equivalent.

6
00:28.440 --> 00:35.310
So whenever you enter JZ, it is automatically converted to JE inside x64dbg.

7
00:35.340 --> 00:37.290
The same holds true for JNZ.

8
00:37.500 --> 00:43.650
When you enter a JNZ instruction, it will be converted to JNE because they are equivalent instructions.

9
00:44.250 --> 00:46.110
The same is also true for JC.

10
00:46.320 --> 00:53.910
If you input JC in here, it will be converted to JB, and if you input JNC, it will be converted to JAE.

11
00:54.030 --> 00:55.470
They are both equivalent.

12
00:55.470 --> 01:03.510
JC is equivalent to JB, JNC is equivalent to JAE. So let's understand what this means.

13
01:03.510 --> 01:09.090
So take, for example, you do a comparison instruction between - and zero.

14
01:09.180 --> 01:11.940
This is equivalent to - minus zero.

15
01:11.940 --> 01:20.010
So when - minus zero, and the result, let's say if - is also zero, so zero minus zero will give you zero.

16
01:20.010 --> 01:23.880
So this means that - is equal to zero.

17
01:23.880 --> 01:25.470
So JE is true.

18
01:26.010 --> 01:35.220
Another way to look at it is when the result of the subtraction - minus zero equals zero, the zero flag

19
01:35.220 --> 01:36.150
will be set.

20
01:36.150 --> 01:41.310
So when the zero flag is set, then the jump will take place.

21
01:41.310 --> 01:45.510
Because this is testing whether the jump is equal to zero or not.

22
01:45.990 --> 01:48.690
So in this case, if - is zero, it will jump.

23
01:49.380 --> 01:52.200
Now the same thing happens in the opposite.

24
01:52.410 --> 01:57.480
If, let's say - minus zero does not give you a zero.

25
01:57.480 --> 01:59.280
For example, if - is one.

26
01:59.280 --> 02:06.510
So when you compare one and zero, you get a non-zero result because one minus zero does not give you

27
02:06.510 --> 02:06.900
zero.

28
02:06.900 --> 02:09.480
So in this case, the zero flag will be cleared.

29
02:09.480 --> 02:13.290
So because the zero flag is cleared, the JNZ will take place.

30
02:13.920 --> 02:16.500
Assuming this was JNZ, so it will jump.

31
02:18.000 --> 02:20.220
Now the same thing is true for here.

32
02:20.850 --> 02:27.990
If you are, let's say you have one in -, and you are comparing one with two.

33
02:28.020 --> 02:32.490
So if you compare one and two, one is less than two.

34
02:32.520 --> 02:33.600
So it's true.

35
02:33.600 --> 02:34.770
So jump below.

36
02:34.770 --> 02:37.320
So JB means jump if below.

37
02:37.320 --> 02:40.140
So if - is below two, it will jump.

38
02:40.560 --> 02:41.400
That is the meaning.

39
02:41.400 --> 02:44.400
So here you will see something like JB.

40
02:44.850 --> 02:45.600
It will jump.

41
02:47.490 --> 02:55.200
So another way to look at it is when you minus one with two, you need to carry, as in normal operations,

42
02:55.200 --> 03:01.980
when the first parameter is less than the second one. One minus two needs to carry.

43
03:01.980 --> 03:03.990
So that will cause a carry.

44
03:04.110 --> 03:06.240
So the carry flag will be set.

45
03:06.330 --> 03:08.310
So CF will be set.

46
03:09.360 --> 03:11.070
Then the opposite is also true.

47
03:11.070 --> 03:12.450
Let's say if -.

48
03:12.750 --> 03:19.770
If this - is two or bigger than two, then JAE will be true.

49
03:20.430 --> 03:23.550
That means jump if above or equal.

50
03:23.550 --> 03:31.680
So if - is two, then two and two is above or equal.

51
03:31.770 --> 03:33.870
So in this case, two is equal to two.

52
03:33.900 --> 03:36.390
So JAE will take place.

53
03:38.100 --> 03:40.710
And also if, let's say - is three.

54
03:41.160 --> 03:43.620
So three is above two.

55
03:43.650 --> 03:45.480
Therefore, JAE also will jump.

56
03:45.480 --> 03:47.760
So if this is JAE, it will jump.

57
03:47.760 --> 03:48.120
All right.

58
03:48.120 --> 03:52.890
So now let's open our template2 inside x64dbg.

59
03:53.820 --> 03:58.470
Put a breakpoint here, and then we will enter this code.

60
04:00.510 --> 04:07.680
First one is CMP - with zero here, okay.

61
04:08.640 --> 04:13.860
So now we are going to run so that it hits our breakpoint.

62
04:13.860 --> 04:16.620
And then we step over until we come to this line.

63
04:16.770 --> 04:20.910
So over here now, we are going to modify the value in -.

64
04:21.750 --> 04:25.080
So to see what happens with this.

65
04:26.710 --> 04:33.010
I see. Now we're going to enter another code here, JE.

66
04:33.790 --> 04:35.110
Let's see if I enter JZ.

67
04:35.140 --> 04:37.360
Notice that it will convert it into JE.

68
04:38.140 --> 04:41.950
So let's say, okay, let's pick an address somewhere down here.

69
04:42.790 --> 04:44.770
Let's say I pick this address here.

70
04:46.570 --> 04:48.910
I assemble an instruction here.

71
04:48.940 --> 04:53.350
Say MOV -, eight.

72
04:56.000 --> 04:58.700
And then I copy this address.

73
05:01.380 --> 05:01.650
All right.

74
05:01.650 --> 05:03.510
So I want to jump to that address.

75
05:04.260 --> 05:06.240
So I will assemble a JZ.

76
05:06.240 --> 05:08.760
So let's see what happens when I put JZ.

77
05:09.150 --> 05:12.450
And I paste that address here, okay.

78
05:12.450 --> 05:14.640
And you see, JZ is converted to JE.

79
05:15.030 --> 05:17.490
So JE and JZ are equivalent.

80
05:18.150 --> 05:26.040
So now we are here. I'm going to modify the register to put zero inside it.

81
05:27.900 --> 05:30.420
So now it's going to compare zero with zero.

82
05:30.420 --> 05:35.850
And what happens is the result is going to be zero.

83
05:36.060 --> 05:38.310
And so it will set the zero flag.

84
05:38.670 --> 05:39.450
Let's take a look.

85
05:40.500 --> 05:41.700
Zero flag is set.

86
05:41.700 --> 05:46.680
So because the zero flag is set, immediately you will see here there is a red line coming down.

87
05:47.650 --> 05:50.800
And then here also you will see the message saying jump is taken.

88
05:50.800 --> 06:00.850
That means it's going to jump. Why? Because - minus zero will give you zero and sets the zero flag.

89
06:01.210 --> 06:02.860
Another way to look at it is zero

90
06:02.860 --> 06:04.480
minus zero gives you zero.

91
06:04.480 --> 06:05.740
So they are both equal.

92
06:05.740 --> 06:08.320
That's why jump equal is true.

93
06:08.320 --> 06:10.330
So it will jump over here.

94
06:10.690 --> 06:12.340
So let's jump now and see.

95
06:13.060 --> 06:13.990
It jumps over there.

96
06:14.140 --> 06:14.680
You see that.

97
06:15.220 --> 06:16.000
That's how it works.

98
06:16.600 --> 06:16.990
All right.

99
06:16.990 --> 06:25.750
So now let's reset this and come back to another scenario over here, JNZ.

100
06:26.020 --> 06:34.750
So now I'm going to also do the same comparison, - zero.

101
06:36.610 --> 06:41.620
But this time I'm going to put JNZ, but it's going to convert to JNE.

102
06:41.650 --> 06:42.400
Just take a look.

103
06:42.850 --> 06:48.820
JNZ, paste the same address, and take a look.

104
06:48.820 --> 06:49.960
It converts it to JNE.

105
06:50.620 --> 06:50.920
All right.

106
06:50.920 --> 06:56.770
So now I'm going to run until it hits this breakpoint and step over.

107
06:58.210 --> 06:59.110
And inside.

108
06:59.110 --> 07:02.890
Right now I'm going to put something which is non-zero.

109
07:02.890 --> 07:04.630
So let's right-click this.

110
07:04.630 --> 07:09.820
Right-click this, modify -. I'm going to put two here, okay.

111
07:10.030 --> 07:11.650
So now - is two.

112
07:11.680 --> 07:15.190
So when you do a comparison, you got - and zero.

113
07:15.190 --> 07:16.930
It's going to take two minus zero.

114
07:16.930 --> 07:19.930
So two minus zero will give you a non-zero result.

115
07:19.930 --> 07:22.120
Therefore, the zero flag will be cleared.

116
07:23.230 --> 07:27.730
Another way to look at it is two is not equal to zero.

117
07:27.730 --> 07:29.170
So jump not equal.

118
07:29.170 --> 07:30.310
Therefore, it will be true.

119
07:30.310 --> 07:31.270
So it will jump.

120
07:31.780 --> 07:37.180
If I step over that now, you will see the zero flag is clear and it's going to jump because you can see the

121
07:37.180 --> 07:38.890
red arrow lights up.

122
07:40.390 --> 07:41.140
Okay.

123
07:41.140 --> 07:44.440
So if I step over now, it jumps down here.

124
07:44.440 --> 07:44.890
All right.

125
07:44.890 --> 07:45.970
So that's how it works.

126
07:46.270 --> 07:48.190
Now let's reset this now.

127
07:49.060 --> 07:54.010
And this time we are going to study the JB and JAE.

128
07:54.430 --> 07:57.550
So in this case, we are going to move one to -.

129
07:58.120 --> 08:01.390
So before that, let's run to this breakpoint.

130
08:03.070 --> 08:04.180
Let's reset.

131
08:05.970 --> 08:08.970
Okay, so let's run to this breakpoint.

132
08:10.350 --> 08:11.280
Step over.

133
08:11.280 --> 08:16.770
And now we are going to assemble this instruction, move one to -.

134
08:16.920 --> 08:19.170
So let's MOV one to -.

135
08:23.570 --> 08:29.600
And now the next instruction is to compare - with two.

136
08:32.990 --> 08:36.410
-, two. And then we are going to assemble JB.

137
08:38.540 --> 08:40.160
And paste our address there.

138
08:40.730 --> 08:42.860
Watch what happens when I press okay.

139
08:42.860 --> 08:44.960
It will convert JB to JAE.

140
08:45.740 --> 08:46.850
It will convert the.

141
08:46.850 --> 08:47.300
Sorry.

142
08:47.300 --> 08:48.710
Let's enter JC.

143
08:50.090 --> 08:53.270
Watch what happens when I convert this and I press okay.

144
08:53.270 --> 08:54.890
It converts JC to JB.

145
08:55.730 --> 08:59.360
See, JC to JB because they are equivalent.

146
08:59.510 --> 09:03.230
So in this case here, it's going to compare.

147
09:03.980 --> 09:06.230
It's going to compare one with two.

148
09:06.230 --> 09:10.580
So one minus two, one minus two.

149
09:10.610 --> 09:17.450
So that will cause a carry because one minus two is, one is smaller than two.

150
09:17.480 --> 09:19.460
So that will set the carry flag.

151
09:19.550 --> 09:23.000
Another way to look at it is one is less than two.

152
09:23.030 --> 09:23.480
Yes.

153
09:23.480 --> 09:25.370
So jump if below is true.

154
09:25.370 --> 09:26.360
So it's going to jump.

155
09:26.360 --> 09:30.320
So let's step over and see that happening.

156
09:31.790 --> 09:33.200
It moves one to -.

157
09:33.350 --> 09:36.170
Now it's going to take one minus two.

158
09:38.420 --> 09:43.790
And you see, the carry flag is set and the arrow lights up, meaning it's going to jump.

159
09:43.790 --> 09:45.920
And here also you see jump is taken.

160
09:46.760 --> 09:47.060
All right.

161
09:47.060 --> 09:49.280
So let's step over and you see the jump.

162
09:50.210 --> 09:51.470
It has jumped over here.

163
09:51.710 --> 09:53.270
Now let's look at the opposite.

164
09:53.270 --> 09:54.380
This one over here.

165
09:54.770 --> 09:56.300
Jump above or equal.

166
09:56.780 --> 09:57.080
All right.

167
09:57.080 --> 09:59.210
So for that, we will reset again.

168
10:00.140 --> 10:05.270
And then we are going to run to our breakpoint and step over.

169
10:05.270 --> 10:10.100
And now we are going to move a different value to -.

170
10:11.750 --> 10:13.760
We are going to move three to -.

171
10:16.380 --> 10:17.490
Okay, let's do this first.

172
10:17.790 --> 10:22.680
We forgot to enter the comparison instruction, so let me do that now.

173
10:23.250 --> 10:26.220
-, two.

174
10:28.030 --> 10:36.760
Then we will assemble the JNC and paste that in there.

175
10:36.790 --> 10:37.330
All right.

176
10:37.330 --> 10:38.710
So now we got it right.

177
10:38.710 --> 10:40.240
So now we are here.

178
10:40.870 --> 10:42.250
Let's step over.

179
10:42.250 --> 10:45.610
It's going to move three to -.

180
10:45.640 --> 10:47.950
Now it's going to compare - with two.

181
10:47.950 --> 10:51.130
So three minus two, three is bigger than two.

182
10:51.160 --> 10:51.370
Yes.

183
10:51.370 --> 10:53.050
So three is bigger than two.

184
10:53.080 --> 10:58.360
Therefore, JAE is true because JAE means jump if above or equal.

185
10:58.360 --> 11:02.800
So since three is above or equal to two, therefore it will jump.

186
11:03.070 --> 11:06.760
So let's step over that and see it jumps over here.

187
11:06.760 --> 11:10.450
So this is how you can use the conditional jumps.

188
11:10.750 --> 11:13.210
Note that these are the most common jumps you will find.

189
11:13.210 --> 11:18.550
There are actually others like jump overflow or jump sign or jump not overflow, jump not sign.

190
11:18.550 --> 11:24.820
But we are not going to bother with that because you won't see them in x64dbg as

191
11:24.820 --> 11:29.320
they are not very commonly used when you reverse any programming software.

192
11:29.320 --> 11:35.860
The most common conditional jumps you will see are JE, JNE, JB, JAE.

193
11:36.070 --> 11:37.840
Those are the most common ones.

194
11:37.840 --> 11:39.520
So that's all for this video.

195
11:39.520 --> 11:40.870
Thank you for watching.