1
00:00:00,300 --> 00:00:05,170
Hello, everyone, welcome to the third day of our Binary Exploitation series.

2
00:00:06,300 --> 00:00:12,420
Let's take a look at another example of a function with arguments passed, which is the same concept.

3
00:00:12,420 --> 00:00:18,420
But when we pass an argument to a function, this argument will be pushed on the stack first and then

4
00:00:18,420 --> 00:00:20,100
the return address to go to.

5
00:00:23,710 --> 00:00:25,990
So let's take a look at this program.

6
00:00:26,740 --> 00:00:31,870
We have two variables in our main function, and we have one function called myfunc.

7
00:00:32,810 --> 00:00:40,120
And then we will call this function from our main program, we're passing our two variables, var1

8
00:00:40,160 --> 00:00:42,970
and var2, and then we will come here.

9
00:00:43,580 --> 00:00:49,670
We will have two variables inside our function, two local variables, and we will print something to the screen.

10
00:00:49,880 --> 00:00:56,780
And then, of course, we have to return back to the next instruction after the calling one, which is

11
00:00:56,780 --> 00:00:59,180
a print of this line.

12
00:01:02,960 --> 00:01:08,580
Keep in mind that the return address, when the function is done executing, will be in the EIP

13
00:01:08,600 --> 00:01:09,210
register.

14
00:01:10,190 --> 00:01:14,700
As we said earlier, it contains the very address of the next instruction.

15
00:01:14,840 --> 00:01:21,950
So if we are able to overwrite the EIP register with the memory address of our shellcode that we will create

16
00:01:21,980 --> 00:01:24,800
later, it will go there and execute it for us.

17
00:01:24,890 --> 00:01:25,340
Right.

18
00:01:27,010 --> 00:01:31,210
In this picture, this is the main frame from the main function.

19
00:01:31,240 --> 00:01:32,650
We haven't called anything yet.

20
00:01:34,520 --> 00:01:36,980
But once we call myfunc,

21
00:01:39,390 --> 00:01:46,650
we are creating a new stack frame and pushing the values of var1 and var2 on the stack, which

22
00:01:46,650 --> 00:01:49,600
in fact are X and Y in the receiving function.

23
00:01:50,670 --> 00:01:57,010
Keep in mind that when running a program in assembly, the order of the arguments will be reversed.

24
00:01:57,270 --> 00:02:05,280
So if you have X first and then Y as the arguments of the function, then you need to push Y first and then

25
00:02:05,280 --> 00:02:05,670
X.

26
00:02:05,880 --> 00:02:13,670
And then of course the return address, which is the next instruction after the calling one, printf

27
00:02:13,740 --> 00:02:14,610
done calling.

28
00:02:17,160 --> 00:02:21,410
Also, every time we call a function, there are three instructions that take place.

29
00:02:23,180 --> 00:02:30,710
First, since a new stack frame will be created, we don't want to lose our pointer to the old stack, right?

30
00:02:33,540 --> 00:02:42,810
Then a push ebp instruction is used. Now, when we push EBP onto the stack, EBP points to the

31
00:02:42,810 --> 00:02:45,240
top of the previous stack frame.

32
00:02:46,290 --> 00:02:54,450
So the address that EBP was pointing at here will be pushed all the way here because we don't want to

33
00:02:54,450 --> 00:02:56,750
lose track of our old stack.

34
00:02:57,100 --> 00:02:57,460
Right.

35
00:02:58,620 --> 00:03:03,810
And of course, we have ESP pointing here since we already pushed a new address here.

36
00:03:05,190 --> 00:03:06,870
Let's take a look at the second instruction.

37
00:03:09,680 --> 00:03:19,970
Which is mov ebp, esp, so we're actually moving the value of ESP to EBP, not the opposite.

38
00:03:20,180 --> 00:03:21,950
This is the Intel syntax.

39
00:03:22,640 --> 00:03:25,940
The source is ESP and the destination is EBP.

40
00:03:27,140 --> 00:03:34,370
So by executing this instruction, we are actually making ESP and EBP both point at the top

41
00:03:34,370 --> 00:03:35,060
of the stack.

42
00:03:36,590 --> 00:03:39,800
And keep in mind that we have local variables in our function.

43
00:03:39,800 --> 00:03:40,090
Right?

44
00:03:40,100 --> 00:03:49,850
If we go back here, we have A and B, so we need eight bytes because each integer is only four

45
00:03:49,850 --> 00:03:50,170
bytes.

46
00:03:50,180 --> 00:03:55,700
So we need eight bytes of space on the stack for our variables.

47
00:03:55,710 --> 00:04:02,680
So that's when we come to our third instruction, sub esp, 8.

48
00:04:03,440 --> 00:04:10,580
So now ESP, which was pointing here, will go here because we need to make space for our two local variables,

49
00:04:10,580 --> 00:04:11,540
eight bytes.

50
00:04:12,770 --> 00:04:17,090
So just to recap, we pushed our arguments first,

51
00:04:17,300 --> 00:04:27,590
Y and X, or var1 and var2, and then our return address from the main function and then our old base

52
00:04:27,590 --> 00:04:28,130
pointer.

53
00:04:28,730 --> 00:04:36,500
And then we made space for our two variables A and B, which is eight bytes.

54
00:04:36,830 --> 00:04:37,140
Right.

55
00:04:38,360 --> 00:04:42,830
Keep that in mind because we will need it later when we do our binary exploitation and we need to know

56
00:04:42,830 --> 00:04:50,090
where our return address is, because we need to overwrite this return address for our binary exploitation

57
00:04:50,090 --> 00:04:50,570
to work.

58
00:04:52,620 --> 00:04:55,830
That said, for this video, thank you and see you in the next one.