1 00:00:01,450 --> 00:00:06,490 Hello, everyone, welcome to the second video of our binary exploitation series.
2 00:00:07,150 --> 00:00:12,610 In this video, we will take a look at the effect of push instructions on our stack and on the ESP
3 00:00:12,610 --> 00:00:13,300 register.
4 00:00:25,910 --> 00:00:29,390 Let's put a breakpoint in our main function.
5 00:00:34,170 --> 00:00:41,130 In our main function, we can see a push instruction at main+34.
6 00:00:41,890 --> 00:00:45,510 Let's examine the ESP value before and after this instruction.
7 00:00:50,050 --> 00:00:54,220 I'm going to use stepi first; stepi steps one instruction.
8 00:01:10,080 --> 00:01:18,120 So I started the program; it's easier just to set a breakpoint here and then continue.
9 00:01:20,010 --> 00:01:25,490 OK, now we are here on this instruction, LEA, or load effective address.
10 00:01:25,950 --> 00:01:27,730 We don't need to know about this for now.
11 00:01:27,750 --> 00:01:29,660 We just need to reach this next instruction,
12 00:01:29,970 --> 00:01:32,420 the push. We'll step in.
13 00:01:33,880 --> 00:01:34,350 OK.
14 00:01:38,480 --> 00:01:49,700 At this instruction, before we execute it, our stack points to 0xbffff6c4. Now,
15 00:01:49,700 --> 00:01:51,590 let's step in one instruction.
16 00:02:00,320 --> 00:02:07,940 So after we pushed the value that was stored in that register onto the stack, our ESP points to that
17 00:02:07,940 --> 00:02:13,370 value at this moment here, which is the address of the Hello World string.
18 00:02:17,970 --> 00:02:24,190 Now, let's take a look at the address of ESP itself, not the value on the stack.
19 00:02:25,200 --> 00:02:29,380 This is the actual address of ESP. If I scroll up a little bit,
20 00:02:30,210 --> 00:02:32,340 it was 604, right?
21 00:02:32,340 --> 00:02:37,430 Like bffff604.
22 00:02:37,770 --> 00:02:43,260 But then we stepped in one instruction and pushed one value on the stack.
23 00:02:43,830 --> 00:02:48,660 Now the address of ESP is 600.
24 00:02:48,660 --> 00:02:48,970 Right.
25 00:02:50,430 --> 00:02:56,610 What really happened is that four bytes were subtracted from this address here.
26 00:02:57,420 --> 00:03:01,370 It was 604, but here it's 600.
27 00:03:01,470 --> 00:03:10,110 So we subtracted four from the hex address of the first one, because the stack grows downward
28 00:03:10,110 --> 00:03:10,970 towards zero.
29 00:03:10,980 --> 00:03:11,290 Right.
30 00:03:11,490 --> 00:03:13,490 We mentioned this before.
31 00:03:14,850 --> 00:03:21,660 So it's the same thing with the pop instruction. An example: pop eax. The pop eax
32 00:03:21,660 --> 00:03:28,950 instruction will simply take the value at the top of the stack and put it in the EAX register, then
33 00:03:29,130 --> 00:03:31,380 add four to the value of ESP.
34 00:03:32,610 --> 00:03:39,690 So it's actually the opposite of what we just did: when we used push with a register or a
35 00:03:39,690 --> 00:03:46,260 hex value, we subtracted four from the stack because we're moving downwards; we're actually growing
36 00:03:46,260 --> 00:03:46,950 our stack.
37 00:03:47,280 --> 00:03:50,280 But when we popped, we did the opposite.
38 00:03:51,300 --> 00:03:56,950 We are taking a value off the stack and we're moving upward, not downward.
39 00:03:58,410 --> 00:04:01,740 That's why we had to add four, not subtract four.
40 00:04:02,580 --> 00:04:07,470 And when I say removing a value from the stack, we're not actually removing it.
41 00:04:07,470 --> 00:04:09,750 The data is still in memory.
42 00:04:10,110 --> 00:04:13,380 We are just adjusting where ESP is pointing.
43 00:04:15,120 --> 00:04:16,230 What else should we know?
44 00:04:16,680 --> 00:04:21,390 Well, something very important we need to know about is how a function is called.
45 00:04:22,170 --> 00:04:29,220 When we call a function in our program, the program will go to the function and execute
46 00:04:29,220 --> 00:04:29,860 everything there.
47 00:04:30,090 --> 00:04:35,430 Then when it's done, it has to go back to wherever called the function and continue from there again.
48 00:04:35,430 --> 00:04:35,730 Right.
49 00:04:36,660 --> 00:04:39,510 Let's take a look at a simple C program.
50 00:04:46,810 --> 00:04:54,010 In this program, you know, our main function here, which is the caller function, will call
51 00:04:54,010 --> 00:04:55,390 myfunc, this one.
52 00:04:57,100 --> 00:05:04,540 And once myfunc has finished executing everything, it has to return to the address of the next instruction,
53 00:05:06,160 --> 00:05:11,050 which is the printf in main. Not here; it will return to the next one.
54 00:05:13,300 --> 00:05:16,290 Let's see a practical example in GDB.
55 00:05:33,120 --> 00:05:40,020 We are now inside our main function in GDB, but we haven't called our myfunc function yet on
56 00:05:40,020 --> 00:05:40,530 this line.
57 00:05:43,050 --> 00:05:50,640 Let's take a look at what is being pushed on the stack when it's called. I'm going to set a breakpoint
58 00:05:51,970 --> 00:05:58,960 at this address, because I want my program to stop here, and then I will continue.
59 00:06:03,050 --> 00:06:11,150 Remember, when we call myfunc, we need to return back to the next instruction, which is sub esp,
60 00:06:11,660 --> 00:06:16,940 06; see, it has address 06, 4, 11, e3.
61 00:06:19,060 --> 00:06:25,340 Let's examine the value of the stack first, which you can also see here.
62 00:06:34,300 --> 00:06:36,070 Step one instruction.
63 00:06:38,920 --> 00:06:39,700 See what happened?
64 00:06:41,530 --> 00:06:48,130 We examine the stack again; it points to the memory address of the instruction that we just talked
65 00:06:48,130 --> 00:06:48,460 about.
66 00:06:49,000 --> 00:06:50,110 If you go up a little bit.
67 00:06:51,960 --> 00:06:52,410 This one.
68 00:06:54,580 --> 00:07:01,930 So now we are inside myfunc. Once we are done executing everything, we have to return back to the
69 00:07:01,930 --> 00:07:05,770 next instruction in the main function, which is just this one.
70 00:07:08,110 --> 00:07:09,820 This is the same thing with every function.
71 00:07:10,180 --> 00:07:16,800 Whenever we call a function, we have to push the return address on the stack, the same return address
72 00:07:17,060 --> 00:07:21,880 we need to go back to when we're done executing everything inside this function.
73 00:07:23,610 --> 00:07:29,040 In the next video, we will take a look at how arguments are passed to a function along with the local
74 00:07:29,040 --> 00:07:31,230 variables inside that function.
75 00:07:32,490 --> 00:07:34,520 Thank you for watching and see you in the next one.