 If you thought so far that the main method in a.net application is the very first thing being executed, then this video is for you, because Maverick might use this against you. To demonstrate when which code gets executed, I have prepared a Hello World application in intermediate language assembly. So instead of using something like C-sharp or F-sharp, we can directly work on intermediate language assembly and have more control over the application. That's why we are using that. So this is what it looks like. Our module is called helloworld.exe and we are in the namespace hello with the class world and this is our main method. We define the main method as the entry point of the assembly. We load the string hello world, then we call write line and then we return from main. So this is it. To compile this, you can use I-L-A-S-M. So we're gonna open PowerShell here. So this is the executable from the.net framework that can compile this file. So we have done that successfully and now we can execute it. And we see here it's writing hello world. Most of the time when you learn programming in an object-oriented language, the very first thing that you will learn is that you put your hello world print string into main because they will say something like, yeah, the main method or the main function is the first thing being executed. And for the purpose of learning programming, this concept is fine, but it's not the first thing that is being executed. And that is very important to know when you are reverse engineering software because Melvier will use this. It will use the fact that there is code executed before that that a Melvier analyst might miss. So that's why we are looking at this. Let's first start by creating a class constructor because the constructor is also executed before this method. I'm going to copy the code here, but instead of main, we call it cctor. And it's not the entry point. We define the entry point as being this method. And to distinguish the two, we are going to change the string a little bit. So how does it know this is the class constructor? That is because it has a special name dot cctor. So this is being executed to prepare this class world. So it's like the code that needs to be done before anything else from this class, any other static methods can execute. So let's try that. Let's compile that and see what happens. I didn't save it, I guess. Now it should work. And here we can see that. So class constructor is executed before the main is executed. But there's even something that comes before that. And that is when we put this constructor outside of the class, actually even outside of the namespace. Now we don't have a class constructor but a module constructor. The module here meaning because it's outside of any namespace, outside of any class. So it's put into a global namespace. And this is executed before anything else. So let's see. Save it, compile it. And here it is, hello world from the module constructor, hello world from the class constructor, and then hello world from main. So how is this being abused by Melver? Well Melver might put some decryption code inside of this, it may encrypt this code here and put the decryption code inside of this. You will see this for instance with Confuser examples. Let's take a look at one of them. I did a video on this in the past but it's pretty old though. This is the example. So you see here when you open a sample in dnspy you can look at the entry point by visiting the entry point here and you see the entry point is empty, there's nothing there. When you have a look around to other code here it always complains that it couldn't decompile this method. And the reason is exactly that you right click and go to module cctor. You see there's something weird going on before any of the main function is executed. So let's look into this and here is some encryption going on. How do I know it's some sort of encryption because there are lots of shifts and exhausts and you know it's some sort of encryption. You don't need to analyze all of that but let's just quickly see what the extra code is. Take point here, start this, yes and now we step over until we step into the main, bam and now everything is decrypted and we can now read the code and not only the code of the main but also the other code that's around, that's here, relevant to know. So this is why this concept is important. So main function, what we learned today, the main function or even the entry point function is not the very first thing that is being executed. If you want to read more about this topic check out the article by Washi what really is the entry point of a .NET module because this article goes even more into depth. So there is not only our CCTOR functions being used to execute code before main but also native code, TLS callbacks, DLL injection. So at the end you have a call stack like that one. So that's very impressive. Check it out and see you. If you have any questions please put them below. If you want to learn math analysis from the ground up then check the link in the description below. There is a link to my Udemy course for beginners. It contains 11 hours of video content and the link is a coupon link that's a little bit cheaper for you than buying it from Udemy itself. So check it out and maybe I see you there.