1
00:00:00,510 --> 00:00:02,710
Welcome back to Basic Exploit Development.

2
00:00:02,730 --> 00:00:04,080
Egg Hunters, part three.

3
00:00:04,620 --> 00:00:07,980
And I just want to show you something from the last crash.

4
00:00:08,370 --> 00:00:14,310
Now, obviously, we overwrote the extended instruction pointer with a JMP ESP instruction.

5
00:00:14,760 --> 00:00:20,580
But take a look at where your stack was pointing.

6
00:00:23,380 --> 00:00:24,100
Follow in dump.

7
00:00:26,060 --> 00:00:26,840
We're right here.

8
00:00:28,040 --> 00:00:31,400
Not to mention that the A's which we flooded the program with

9
00:00:33,370 --> 00:00:35,170
is about 70 bytes.

10
00:00:35,200 --> 00:00:39,250
That's why I told you to memorize the number for the offset of 70.

11
00:00:40,330 --> 00:00:46,540
We need to hop 70 bytes back so that we can execute the 800 that's going to land in this code.

12
00:00:52,340 --> 00:00:52,520
Okay.

13
00:00:52,940 --> 00:00:54,110
So let's see.

14
00:00:55,490 --> 00:01:01,190
What we're going to do is we're using msf-nasm_shell to make it jump back 70 bytes.

15
00:01:01,640 --> 00:01:04,910
So, msf-nasm_shell.

16
00:01:10,510 --> 00:01:10,930
jmp

17
00:01:11,920 --> 00:01:12,620
Dollar sign.

18
00:01:12,640 --> 00:01:13,600
-70.

19
00:01:16,100 --> 00:01:17,150
And it's a short jump.

20
00:01:18,610 --> 00:01:23,630
So what we're going to do is

21
00:01:26,840 --> 00:01:29,750
we're going to see if we can do a short jump back.

22
00:01:30,670 --> 00:01:31,620
So let's see.

23
00:01:32,170 --> 00:01:32,650
Jump.

24
00:01:34,080 --> 00:01:35,040
70 back.

25
00:01:37,100 --> 00:01:37,670
Equals.

26
00:01:41,840 --> 00:01:42,620
Flashbacks.

27
00:01:43,190 --> 00:01:44,600
Flashbacks, vague.

28
00:01:46,840 --> 00:01:48,460
And this pirate will tune us.

29
00:01:53,260 --> 00:02:01,450
So our idea was to rewrite this evil string, and we're going to add 70.

30
00:02:05,050 --> 00:02:06,340
So this is four bytes long.

31
00:02:06,340 --> 00:02:07,440
We need to do the math work.

32
00:02:07,960 --> 00:02:10,330
So -70, minus four.

33
00:02:10,630 --> 00:02:11,680
Minus another four.

34
00:02:14,060 --> 00:02:16,970
And we should be able to land at the start of the A's.

35
00:02:22,540 --> 00:02:23,680
So let's restart this.

36
00:02:27,320 --> 00:02:27,950
Reload it.

37
00:02:31,030 --> 00:02:32,020
Double-click play.

38
00:02:35,310 --> 00:02:38,580
Go to our breakpoint for our jump instruction.

39
00:02:42,050 --> 00:02:48,860
Double-click to add a breakpoint, and let's follow this proof of concept again. So the first thing

40
00:02:48,860 --> 00:02:56,810
it's going to do once we jump to ESP is immediately execute instructions to jump back 70 bytes so that

41
00:02:56,810 --> 00:02:58,010
we can plant our egg hunter.

42
00:03:01,950 --> 00:03:02,940
We hit our breakpoint.

43
00:03:03,450 --> 00:03:04,560
Just one step forward.

44
00:03:07,810 --> 00:03:08,890
This is our short jump.

45
00:03:11,530 --> 00:03:14,500
And we land somewhere in the beginning of our A's.

46
00:03:15,400 --> 00:03:15,970
Perfect.