WEBVTT

1
00:00.890 --> 00:01.970
Welcome back.

2
00:01.970 --> 00:08.930
In this lesson, we are going to take a look at memory arrays and how to implement them in assembly

3
00:08.930 --> 00:10.700
inside x64dbg.

4
00:12.280 --> 00:16.930
Assuming you wanted to store a sequence of numbers in memory.

5
00:16.930 --> 00:25.120
For example, the numbers 11, 22, 33, 44, 55, and you also want to retrieve them sequentially.

6
00:25.660 --> 00:27.310
How would you store them in memory?

7
00:28.240 --> 00:32.470
One way to do it is to store them sequentially like this.

8
00:32.620 --> 00:36.580
You open your template tool in x64dbg.

9
00:37.360 --> 00:41.440
Head over to Memory Map and look for a data segment.

10
00:41.470 --> 00:47.110
Right-click on it, follow dump, and scroll down and look for an empty space.

11
00:47.680 --> 00:53.140
So basically, what we want to do is to store it like this sequentially in memory.

12
00:53.590 --> 00:59.260
So let's say we store the first value here at this address 403180.

13
01:00.040 --> 01:03.280
So we go to 403180.

14
01:04.150 --> 01:07.840
And then we store the number 11 here.

15
01:07.840 --> 01:11.800
So this is a QWORD. A QWORD is eight bytes.

16
01:11.800 --> 01:18.520
So we store the first number here. We will put 11 there.

17
01:19.690 --> 01:21.640
Now remember that this is little-endian.

18
01:21.640 --> 01:25.450
So a QWORD is read from the right to the left like this.

19
01:25.450 --> 01:26.680
So this number is actually

20
01:26.680 --> 01:32.950
0000000000000011.

21
01:33.640 --> 01:35.800
Then we want to store our second number.

22
01:35.800 --> 01:37.810
It would be here at this address.

23
01:37.810 --> 01:43.570
So if you hover your mouse here, you can see a pop-up showing you the address as 403188.

24
01:43.570 --> 01:44.770
So you right-click there.

25
01:45.670 --> 01:49.330
Right-click this and store your number there.

26
01:50.590 --> 01:52.360
So this would be 22.

27
01:54.550 --> 02:00.640
And then your third number will be here, 403190.

28
02:00.640 --> 02:06.400
So you select all this and then right-click and binary edit.

29
02:07.480 --> 02:09.670
And you put your number 33 there.

30
02:11.470 --> 02:16.510
And then the next number will be here at 403198.

31
02:18.860 --> 02:25.700
Right-click, binary edit, and you put the number there, 44.

32
02:27.560 --> 02:31.880
And then the last number we'll put it here, 4031A0.

33
02:32.960 --> 02:38.150
So we select this QWORD, right-click, binary edit.

34
02:38.480 --> 02:41.300
And we keep our number, 55.

35
02:42.200 --> 02:46.700
So at this point in time, we will have all our numbers in memory.

36
02:46.820 --> 02:51.050
So the first number will be at this location.

37
02:52.440 --> 03:01.650
403180, which will store the number 11, and then the second number will be at 403188.

38
03:01.650 --> 03:03.900
Over here, it will store the number 22.

39
03:05.170 --> 03:11.350
And then the third number will be 403190, which will be over here, which will store the number 33.

41
03:13.440 --> 03:15.450
And then the fourth number will be here.

42
03:15.450 --> 03:18.570
403198 stores number 44.

43
03:19.410 --> 03:25.860
And the last number will be at 4031A0, stores number 55 as indicated here.

44
03:25.860 --> 03:27.090
So this is a QWORD.

45
03:27.960 --> 03:31.890
And then every element of the array has got an index.

46
03:31.890 --> 03:35.610
If you look at the left of the table here, it has an index.

47
03:35.880 --> 03:40.050
So the index zero refers to the first number, which is 11.

48
03:40.560 --> 03:47.160
And incidentally, we can also call the index the base address because it marks the base of the array.

49
03:47.340 --> 03:48.930
The array starts from here.

50
03:49.620 --> 03:54.870
So the array starts from the base address, and it starts with index zero.

51
03:55.680 --> 04:03.030
Then index one would be here, which is the second number, index two, index three, and index four.

52
04:03.030 --> 04:05.280
So index always starts from zero.

53
04:05.280 --> 04:06.420
It doesn't start from one.

54
04:06.420 --> 04:11.820
Remember that this is how arrays are created inside assembly,

55
04:11.820 --> 04:13.290
inside x64dbg.

56
04:13.830 --> 04:18.510
You can think of arrays as variables, but the variables are sequential.

57
04:18.510 --> 04:20.700
They are side by side, next to each other.

58
04:21.000 --> 04:22.620
Why is this important?

59
04:22.770 --> 04:26.160
Because it makes it easy to loop through them.

60
04:26.490 --> 04:34.140
We can use a counter and change the index from one to the other just by incrementing the counter.

61
04:34.530 --> 04:39.090
So that's why the sequential nature of the array is useful.

62
04:40.650 --> 04:42.870
So how do we loop through them?

63
04:43.500 --> 04:49.320
We can come up with a formula to address each of the elements using this formula like this.

64
04:49.800 --> 04:52.980
So the base address will refer to the start of the array.

65
04:53.610 --> 04:59.070
And if we wanted to access the next element, we will just take the counter,

66
04:59.100 --> 05:01.020
the index, times eight.

67
05:01.860 --> 05:03.810
Now index starts off with zero, right?

68
05:03.810 --> 05:08.130
So zero times eight will still refer to the first element.

69
05:08.700 --> 05:13.770
If index was one, one times eight will refer to the second element.

70
05:15.330 --> 05:17.370
Why the "times eight"? Why times eight?

71
05:17.400 --> 05:21.570
Because the distance from one memory array to the next is a QWORD.

72
05:21.960 --> 05:26.430
A QWORD from here to here is a QWORD, as you can see.

73
05:26.880 --> 05:28.920
So that's why we multiply with eight.

74
05:30.180 --> 05:36.330
So if you want to access the third element, the index will be two.

75
05:36.360 --> 05:39.180
So X will be two, two times eight.

76
05:39.210 --> 05:42.690
Then you will get this value here.

77
05:43.260 --> 05:44.550
You will reach this address.

78
05:44.880 --> 05:51.180
So this is the formula to use when you want to go through the array elements.

79
05:51.180 --> 05:54.000
So X is your index and also a counter.

80
05:54.810 --> 05:58.500
And how are you going to loop through the elements of the array?

81
05:58.530 --> 06:00.450
We will see that in the next lesson.

82
06:00.750 --> 06:02.310
That's all for this video.

83
06:02.340 --> 06:03.630
Thank you for watching.