1
00:00:00,870 --> 00:00:03,690
All right, everybody, welcome back to Advanced Exploit Development.

2
00:00:03,930 --> 00:00:06,570
Now, the computer finally unfroze itself.

3
00:00:07,710 --> 00:00:10,590
Let's just walk back through what we went through before.

4
00:00:11,130 --> 00:00:17,040
So we need to copy this, which is where I click copy on Clipboard Holding.

5
00:00:17,820 --> 00:00:20,160
And it says it's an offset of five hundred thirty six.

6
00:00:20,160 --> 00:00:23,330
That's one that was written of original Unicode pattern.

7
00:00:24,390 --> 00:00:27,250
So we need to validate that it actually worked.

8
00:00:28,290 --> 00:00:29,580
So let's go back.

9
00:00:31,590 --> 00:00:32,970
Let's add this for comments.

10
00:00:39,560 --> 00:00:46,490
And now we need to overwrite our structured exception handler, hopefully with something that we can

11
00:00:46,490 --> 00:00:52,730
project, so we're on a tight equal string equals Capital Times 536.

12
00:00:54,740 --> 00:01:02,840
Plus two B's. Remember, these will occupy four bytes because they will be prepended with a null byte in front

13
00:01:02,840 --> 00:01:03,570
of each letter.

14
00:01:04,970 --> 00:01:10,940
So just use two B's, then C, to make sure that we don't see any C's in the record.

15
00:01:11,480 --> 00:01:16,580
So we're spot on target then.

16
00:01:16,580 --> 00:01:20,150
D maybe three thousand.

17
00:01:24,300 --> 00:01:29,040
So let's just restart our, you again, Python, we tried up by.

18
00:01:31,090 --> 00:01:34,660
Go back, control F to restart your application.

19
00:01:37,470 --> 00:01:38,280
Press play.

20
00:01:45,710 --> 00:01:47,870
Click on the list on MP3 player.

21
00:01:50,980 --> 00:01:54,400
And load top 40 again, which is the father wrote.

22
00:01:56,600 --> 00:02:05,450
And notice how we have two Unicode-encoded A's in our IP register. I mean, we just pull this one to

23
00:02:05,450 --> 00:02:06,250
the left of it.

24
00:02:10,830 --> 00:02:11,220
There.
25
00:02:13,900 --> 00:02:15,790
Let's look at our structured exception handler.

26
00:02:18,210 --> 00:02:25,830
We cleanly overwrote it with two Unicode-encoded B's, zero zero 42, zero zero 42.

27
00:02:29,200 --> 00:02:36,220
And let's go back, Savu CPU, shift F nine.

28
00:02:38,560 --> 00:02:41,230
And let's take another look at our situation again.

29
00:02:43,760 --> 00:02:50,570
So now we verify that we can possibly control the structured exception handler, so what we're gonna

30
00:02:50,570 --> 00:02:53,720
do is we're going to validate this by.

31
00:02:56,230 --> 00:02:56:590
See?

32
00:03:02,300 --> 00:03:06,700
Want to validate this by making sure that our C's are turned into NOPs.

33
00:03:09,230 --> 00:03:13,280
So let's just control copy this, put it down here again.

34
00:03:14,720 --> 00:03:16,540
Let's change our C's and turn up.

35
00:03:18,440 --> 00:03:22,940
Remember, these will be Unicode-encoded, so we prepared it with two zeros.

36
00:03:26,190 --> 00:03:28,140
Let's see you run the Python file again.

37
00:03:32,390 --> 00:03:33,050
Restart.

38
00:03:37,880 --> 00:03:38,450
Play.

39
00:03:45,340 --> 00:03:46,180
Click on list.

40
00:03:49,950 --> 00:03:56,520
Load the top 40 again and let's look at our situation before and after.

41
00:03:58,900 --> 00:04:07,600
So you see, we have two Unicode NOPs, zero zero nine zero, zero zero ninety, in the structured exception handler

42
00:04:07,600 --> 00:04:19,600
before the address where we were over all of these. Go back to CPU, shift F nine, and you should see

43
00:04:19,680 --> 00:04:21,600
IP pointing to our Unicode.

44
00:04:22,540 --> 00:04:30,250
These are, when I say Unicode NOPs, I mean that it's prepended with zero zero nine zero, zero zero

45
00:04:30,250 --> 00:04:30,880
nine zero.

46
00:04:36,230 --> 00:04:43,570
Now, what we need to do to seize control of the structured exception handler is look for any exceptions.

47
00:04:45,320 --> 00:04:46,310
So Mona.
48
00:04:48,130 --> 00:04:59,200
seh -cp, for compatibility, unicode. We need a Unicode-compatible pop pop return instruction, so press

49
00:04:59,210 --> 00:04:59,740
enter.

50
00:05:08,140 --> 00:05:08,590
Put on.

51
00:05:10,170 --> 00:05:11,760
Let's restart immediately after.

52
00:05:14,560 --> 00:05:25,530
We have to do this on a clean, on a clean program, so right click, when I was administrator file logic.

53
00:05:26,830 --> 00:05:27,580
Yes.

54
00:05:29,420 --> 00:05:30,200
Press play.

55
00:05:37,410 --> 00:05:44,340
Then exclamation point, mona seh -cp unicode, because we're looking for Unicode-compatible

56
00:05:46,290 --> 00:05:49,740
pop pop return instructions. If you don't know what's going on right now,

57
00:05:49,770 --> 00:05:51,840
we tried adding just quote a log.

58
00:05:55,910 --> 00:06:03,080
And as long as it's not tender with no bites or sore Unicode-compatible format, as they are right here,

59
00:06:03,560 --> 00:06:04,440
then you can use them.

60
00:06:04,700 --> 00:06:05,980
So we're going to use this one.

61
00:06:05,990 --> 00:06:06,230
So.

62
00:06:06,260 --> 00:06:06,440
Right.

63
00:06:06,440 --> 00:06:08,120
Click on that.

64
00:06:09,760 --> 00:06:11,890
Copy the clipboard, whole line.

65
00:06:13,570 --> 00:06:14,590
Let's put another note.

66
00:06:24,640 --> 00:06:29,830
That was my phone, and let's change this.

67
00:06:32,760 --> 00:06:39,040
And, and our pop pop ret instruction, remember, we need a little endian, is it, so that means that

68
00:06:39,060 --> 00:06:41,460
we're going to reverse the F two in the four one.

69
00:06:43,500 --> 00:06:45,450
So let's replace our NOPs.

70
00:06:49,380 --> 00:06:59,270
With hats off to Hex 41, and it will change back into this format once we load it through a debugger,

71
00:06:59,400 --> 00:07:05,010
but let's just try that out to see that we can actually control the structured exception handler chain.

72
00:07:05,670 --> 00:07:07,650
So I want you to restart.
73
00:07:07,860 --> 00:07:09,450
So control F two.

74
00:07:10,440 --> 00:07:11,070
Yes.

75
00:07:13,530 --> 00:07:14,130
Play.

76
00:07:20,390 --> 00:07:23,990
Now, right click, go to expression.

77
00:07:25,770 --> 00:07:30,630
And we're going to enter the, the memory address for pop pop ret.

78
00:07:32,180 --> 00:07:32,930
So we're in the press.

79
00:07:33,090 --> 00:07:38,270
OK, we're at a breakpoint, double click, yes.

80
00:07:42,500 --> 00:07:43,460
Press play again.

81
00:07:45,880 --> 00:07:48,820
Oh, if you have to right to file.

82
00:07:50,850 --> 00:07:58,140
Let's see if we can hijack this structured exception handling process, if that would execute our pop

83
00:07:58,140 --> 00:08:00,560
pop return instructions. Click open.

84
00:08:01,650 --> 00:08:06,990
Remember, we have to now pass the exception and let the structured exception handler handle it.

85
00:08:07,470 --> 00:08:15,000
So shift F nine, and we land in our pop pop return instruction, further stepping in through.

86
00:08:18,870 --> 00:08:27,000
We need to find a way to overwrite this in such a manner that we can Hillard's the lively.

87
00:08:29,010 --> 00:08:30,900
But that is going to be on our next episode.