1 00:00:06,650 --> 00:00:07,550 Hello, everyone.
2 00:00:07,580 --> 00:00:17,150 In this video, we will continue our, uh, explanation about SEH, but this time, which is
3 00:00:17,150 --> 00:00:20,500 structured exception handling, just in case you missed the previous video.
4 00:00:20,930 --> 00:00:27,800 But this time what we will be doing is, uh, last time we had this security check disabled.
5 00:00:27,800 --> 00:00:30,110 So this time we will be enabling it.
6 00:00:30,470 --> 00:00:33,950 OK, and compiling the application again.
7 00:00:35,120 --> 00:00:40,760 So this time the goal is to bypass the stack guard.
8 00:00:41,220 --> 00:00:50,090 OK, I already wrote down what stack guard is, but just in case, let's open up the Microsoft
9 00:00:50,090 --> 00:00:52,640 web page and take a look at it quickly.
10 00:00:53,210 --> 00:00:59,850 So stack guard, or stack cookies, they get enabled with the /GS flag.
11 00:00:59,910 --> 00:01:07,760 OK, so once you apply this, uh, there will be, like, a security cookie added to the stack.
12 00:01:07,760 --> 00:01:15,270 And that way what happens is the system, before it unwinds the frame and goes back to the previous frame.
13 00:01:15,410 --> 00:01:23,210 So let's say a function, uh, a program, a function and a program does a call to another, let's say,
14 00:01:23,540 --> 00:01:30,650 uh, function, or the program does a call to a function before the program goes back and the.
15 00:01:32,080 --> 00:01:33,370 Let me just repeat that again.
16 00:01:34,630 --> 00:01:42,280 You have a program, it does a call to some function, so before the function ends and goes back to
17 00:01:42,310 --> 00:01:43,390 where it started.
18 00:01:44,450 --> 00:01:53,060 The unwind process will check if the security cookie, or security data, which was added onto the
19 00:01:53,060 --> 00:01:59,060 stack, has been overwritten or not. If it has, or it has been modified, I mean, if it has, then
20 00:01:59,060 --> 00:02:01,730 it means the stack has been corrupted.
21 00:02:01,910 --> 00:02:08,070 So the application will, uh, uh, will get terminated.
22 00:02:08,370 --> 00:02:14,690 OK, so the application will get terminated if the security cookie is going to be modified.
23 00:02:14,810 --> 00:02:25,400 OK, so we will check this all, and in this video we'll learn a little bit about how to bypass this using
24 00:02:25,400 --> 00:02:26,070 SEH.
25 00:02:26,600 --> 00:02:34,670 Uh, I'm also going to, like, show at least the security cookie in the debugger, that using the debugger, look
26 00:02:34,670 --> 00:02:40,820 at it in memory, use a debugger and see how it's being checked and how the application will crash once
27 00:02:40,820 --> 00:02:46,810 it sees that the, uh, the value has been modified, and so on and so forth.
28 00:02:46,940 --> 00:02:49,980 So there are a couple of things we will be learning in this video.
29 00:02:50,000 --> 00:02:56,150 The idea is not really just about exploitation, but also to learn more about these, uh.
30 00:02:57,410 --> 00:03:02,420 Mitigation techniques. So this is, by the way, a compiler mitigation technique, so it's
31 00:03:02,420 --> 00:03:05,840 a technique to mitigate exploits, added by a compiler.
32 00:03:05,870 --> 00:03:09,470 As you saw, we applied it using the compiler itself.
33 00:03:09,500 --> 00:03:12,160 Now, all we need to do is compile, which I already did.
34 00:03:12,530 --> 00:03:16,440 So we now have, uh, a new application, by the way.
35 00:03:16,820 --> 00:03:26,890 So if we use our previous, like, just one, one important thing: if we use our previous code, which we
36 00:03:26,900 --> 00:03:31,910 coded last time in the previous video, to exploit the same application, because I left it the same
37 00:03:31,910 --> 00:03:34,280 name, it will not work because.
38 00:03:35,950 --> 00:03:41,230 This stack is now different and the offsets, all of these have changed. So if I run this, you'll see
39 00:03:41,230 --> 00:03:42,690 that this is not going to work.
40 00:03:43,620 --> 00:03:44,120 OK.
41 00:03:45,800 --> 00:03:53,750 So the buffer length is all correct and the application started, but it will not work and it will terminate.
42 00:03:53,780 --> 00:03:54,200 Why?
43 00:03:54,200 --> 00:04:00,350 Because the, the stack guard probably prevented that from happening.
44 00:04:00,350 --> 00:04:04,240 And all of these offsets, again, have been modified.
45 00:04:04,580 --> 00:04:11,360 So what we are going to do now is let's create a copy of this, or even, let's see, what was this one?
46 00:04:12,570 --> 00:04:15,660 And start from there, because we need to modify.
47 00:04:15,690 --> 00:04:16,840 Yes, let's use this one.
48 00:04:16,860 --> 00:04:18,660 So let's do a copy.
49 00:04:19,700 --> 00:04:21,180 Going to call it bypass one.
50 00:04:22,460 --> 00:04:26,880 It is going to be a little bit of a long journey, so please stay focused.
51 00:04:26,900 --> 00:04:30,020 If you have coffee, tea, whatever you like to drink.
52 00:04:30,840 --> 00:04:33,840 Uh, make sure those are available beside you.
53 00:04:34,350 --> 00:04:41,430 So what I'm going to do now is, uh, let's say, yeah, let's disable this, because at
54 00:04:41,430 --> 00:04:44,530 the beginning I want to find the new offset.
55 00:04:44,550 --> 00:04:50,280 OK, so I'm going to do off equals, uh, let's say.
56 00:04:51,320 --> 00:04:51,870 And.
57 00:04:53,760 --> 00:04:54,720 Uh, pattern.
58 00:04:55,330 --> 00:04:59,070 Yep, and let's do a pattern.
59 00:05:00,050 --> 00:05:02,330 Here equals.
60 00:05:03,490 --> 00:05:07,240 Uh, "A" multiplied by one thousand.
61 00:05:08,160 --> 00:05:14,090 And I just want to run the Immunity thing, uh, create a pattern. Or actually, let's wait a minute,
62 00:05:14,100 --> 00:05:15,300 we already have one here.
63 00:05:15,580 --> 00:05:16,960 So let me just use this.
64 00:05:16,980 --> 00:05:20,790 This one was done in the previous video, so I'll just use that.
65 00:05:21,030 --> 00:05:26,280 So if you don't know how to create a pattern, please just go back to the previous video and watch that.
66 00:05:26,730 --> 00:05:33,240 This is very simple, using, uh, Immunity Debugger and Mona, and, uh, thanks to Mona, we can
67 00:05:33,240 --> 00:05:33,660 do that.
68 00:05:33,870 --> 00:05:35,370 So if we run the code now.
69 00:05:36,240 --> 00:05:39,810 Because I want to adjust the offset, bring some coffee.
70 00:05:43,350 --> 00:05:44,220 And now.
71 00:05:45,860 --> 00:05:54,650 If we run the application, so if we run the application, an exception happens now.
72 00:05:54,680 --> 00:06:01,070 And as you can see here, look, as you can see here, the pointer to our next SEH has been overwritten.
73 00:06:01,070 --> 00:06:03,710 The handler has been overwritten as well.
74 00:06:04,040 --> 00:06:08,570 If we go down here, we can't even find the end of the chain of our exception
75 00:06:08,570 --> 00:06:09,050 handler.
76 00:06:09,190 --> 00:06:09,500 Why?
77 00:06:09,500 --> 00:06:11,130 Because everything has been overwritten.
78 00:06:11,540 --> 00:06:15,230 You can also see this in the SEH chain, like with.
79 00:06:16,280 --> 00:06:24,830 Probably like last time, so we can see that our SEH chain, which is this record, was smashed at offset
80 00:06:24,830 --> 00:06:25,680 twenty-eight.
81 00:06:25,690 --> 00:06:28,600 So, by the way, keep this one in mind.
82 00:06:28,610 --> 00:06:33,380 This is telling you the offset, but let's see how we are going to actually find the offset.
83 00:06:33,920 --> 00:06:38,870 So now let's hit, let's say, Shift-F9.
84 00:06:40,370 --> 00:06:41,780 So the.
85 00:06:42,750 --> 00:06:45,600 EIP got overwritten with this value, but.
86 00:06:46,540 --> 00:06:55,240 Well, let's copy it and now use Mona again, pattern_offset, OK, and give it the value, so we will
87 00:06:55,240 --> 00:06:58,890 see that it found that offset at position 32.
88 00:06:58,960 --> 00:06:59,440 Great.
89 00:07:00,220 --> 00:07:02,260 But keep in mind the.
90 00:07:04,420 --> 00:07:06,340 The next, because, remember.
91 00:07:07,600 --> 00:07:14,880 The SEH record, or let's say the record for the structured exception handler, is two four-byte fields:
92 00:07:14,890 --> 00:07:21,670 the first four bytes point to the next one, the next record, and the next four bytes actually point
93 00:07:21,670 --> 00:07:22,850 to the handler itself.
94 00:07:23,290 --> 00:07:30,790 So at the offset, so this one is telling you the pattern, the offset is 32, which means that the
95 00:07:30,790 --> 00:07:33,170 next SEH is at 28.
96 00:07:33,190 --> 00:07:41,380 So this was also another way we can find the, uh, the offset, but it's probably just in this case.
97 00:07:41,750 --> 00:07:43,210 OK, so keep that in mind.
98 00:07:43,210 --> 00:07:44,320 Now we have 32.
99 00:07:44,620 --> 00:07:48,790 Let's go modify our code and.
100 00:07:51,040 --> 00:07:53,770 Let's go here, so we have.
101 00:07:54,730 --> 00:08:02,800 So this is my first one. I'm going to follow the same thing we are used to: bypass one, bypass two and
102 00:08:03,550 --> 00:08:04,590 so on and so forth.
103 00:08:04,600 --> 00:08:06,160 So let's call it this way.
104 00:08:07,100 --> 00:08:09,350 And now let's do.
105 00:08:11,210 --> 00:08:21,590 "A" multiplied by 32, right, or we can just immediately do 28 and then. And actually, no, we could
106 00:08:21,590 --> 00:08:24,740 just go now immediately to this and say 28.
107 00:08:25,130 --> 00:08:27,590 Yeah, let's just stop using this one.
108 00:08:27,810 --> 00:08:28,930 We don't need it anymore.
109 00:08:29,820 --> 00:08:31,440 OK, and.
110 00:08:33,040 --> 00:08:34,170 Let's continue.
111 00:08:35,670 --> 00:08:39,680 So, well, actually, let me do one thing. Sorry, let me do one thing.
112 00:08:41,770 --> 00:08:43,990 Let's see, uh.
113 00:08:45,240 --> 00:08:48,780 Let's see the stack guard, let's see the stack guard here.
114 00:08:48,810 --> 00:08:50,640 So instead of twenty-eight.
115 00:08:51,670 --> 00:08:59,120 Uh, let's do, let's do like 50, to overwrite this with 50 and see what's going to happen.
116 00:08:59,140 --> 00:09:01,610 So I hope we manage to overwrite the.
117 00:09:03,130 --> 00:09:05,950 The cookie as well with this option.
118 00:09:06,880 --> 00:09:13,540 So now, uh, if we look at the chain, the SEH.
119 00:09:15,740 --> 00:09:20,210 Chain, chain, you can see the default for the system.
120 00:09:20,430 --> 00:09:20,970 Oh, good.
121 00:09:21,320 --> 00:09:24,800 So now we secured our application.
122 00:09:25,580 --> 00:09:26,120 OK.
123 00:09:26,150 --> 00:09:26,990 And then.
124 00:09:27,870 --> 00:09:30,240 Let's execute the application.
125 00:09:32,080 --> 00:09:38,170 See what's going to happen. I'm jumping over most of them, I just want to see. So our pointer to
126 00:09:38,170 --> 00:09:39,650 next, it now got lost.
127 00:09:39,670 --> 00:09:45,850 By the way, if we run this again, we should be able to see it, because it's got now loaded, added to
128 00:09:45,850 --> 00:09:48,520 the stack frame, added to the stack.
129 00:09:48,520 --> 00:09:54,310 I mean, and if we go back, I probably, because I'm using F8.
130 00:09:54,310 --> 00:10:01,330 So I probably jumped over the, uh, the entry where it got added to the stack.
131 00:10:01,750 --> 00:10:08,770 But I will do a detailed, uh, step by step in a, in, let's say in a couple of minutes.
132 00:10:08,770 --> 00:10:10,780 So don't worry about that for now.
133 00:10:10,780 --> 00:10:13,930 I just want to see when the overwrite is going to happen.
134 00:10:14,470 --> 00:10:17,500 So let's continue the series.
135 00:10:17,500 --> 00:10:18,640 Continue, continue.
136 00:10:18,790 --> 00:10:22,870 We will do a deep dive into this, or at least look at them.
137 00:10:23,990 --> 00:10:27,500 So continue, continue.
138 00:10:27,560 --> 00:10:29,390 I'm going to jump over this.
139 00:10:30,280 --> 00:10:33,400 Look, the pointers have not been written yet.
140 00:10:34,030 --> 00:10:35,890 OK, so now.
141 00:10:37,330 --> 00:10:39,320 OK, so great.
142 00:10:39,490 --> 00:10:45,520 So what happened is, as you can see here, because I jumped, by the way, over most of them, so
143 00:10:45,520 --> 00:10:46,900 we didn't get to see this.
144 00:10:47,170 --> 00:10:52,100 But actually what happened is the cookie got checked and it terminated.
145 00:10:52,120 --> 00:11:00,640 Let's do a, let's say, a step by step check into this and look at what will happen in a normal situation
146 00:11:00,640 --> 00:11:03,850 and what will happen when our cookie gets overwritten.
147 00:11:04,210 --> 00:11:09,030 So we know 50 bytes will overwrite the cookie, by the way, and INT.
148 00:11:09,220 --> 00:11:10,020 Twenty-nine.
149 00:11:10,720 --> 00:11:12,850 This one is, if you Google it.
150 00:11:14,640 --> 00:11:24,960 This one will lead to the interrupt, uh, which will lead to an internal implementation, if I will,
151 00:11:24,960 --> 00:11:28,950 I'll add that also to the video, which will call the __fastfail
152 00:11:30,840 --> 00:11:31,830 function, or.
153 00:11:33,070 --> 00:11:38,410 And this one will actually terminate, terminate the process immediately.
154 00:11:38,470 --> 00:11:42,810 OK, so that's why the process will get terminated.
155 00:11:42,820 --> 00:11:47,140 So if I do Shift-F9, you'll see that the process is going to terminate.
156 00:11:47,410 --> 00:11:51,630 And you see the exit code gave some exit number, some error code.
157 00:11:51,720 --> 00:11:53,010 OK, why?
158 00:11:53,020 --> 00:11:56,050 Because the application did not exit properly.
159 00:11:56,260 --> 00:12:00,120 Let's see what will happen when we exit the application normally.
160 00:12:00,370 --> 00:12:08,320 So let's do, instead of this, just put 16, because our stack, our, if we go back to the code, uh, we
161 00:12:08,320 --> 00:12:09,760 were copying 16 bytes.
162 00:12:09,760 --> 00:12:14,090 So let's say our normal case, everything is working properly.
163 00:12:14,680 --> 00:12:15,640 Let's run this.
164 00:12:18,430 --> 00:12:26,380 And look, so now if we run this, and let's start.
165 00:12:27,360 --> 00:12:33,090 Look, I'm also going to, by the way, jump over things just to speed things up, but then again,
166 00:12:33,090 --> 00:12:36,080 I will do a deep dive into all of these.
167 00:12:36,360 --> 00:12:38,410 At least we'll go through them step by step.
168 00:12:38,430 --> 00:12:40,950 For now, I just want to.
169 00:12:41,980 --> 00:12:47,500 Uh, see that everything, if run successfully, no problems.
170 00:12:48,590 --> 00:12:51,580 Unable to process the exception, so that we.
171 00:12:52,810 --> 00:12:53,120 Uh.
172 00:12:54,520 --> 00:12:55,660 What happened here?
173 00:12:58,470 --> 00:12:59,460 OK, so.
174 00:13:00,580 --> 00:13:03,330 That's actually called.
175 00:13:05,140 --> 00:13:07,510 That's less than that, maybe 10.
176 00:13:08,510 --> 00:13:09,290 Hmm.
177 00:13:11,850 --> 00:13:14,410 And the buffer here, and you had a.
178 00:13:16,400 --> 00:13:20,450 OK, so let's run with the length as 10 this time.
179 00:13:23,230 --> 00:13:26,230 Um, yeah, so this time we should.
180 00:13:30,660 --> 00:13:31,140 Uh.
181 00:13:33,290 --> 00:13:35,190 Just look, like, yeah, that's good.
182 00:13:35,870 --> 00:13:38,450 So we start this, uh.
183 00:13:39,330 --> 00:13:39,960 I'm just.
184 00:13:40,900 --> 00:13:42,390 Going to continue.
185 00:13:44,210 --> 00:13:47,630 Uh, good, good, good, good, good, good.
186 00:13:58,280 --> 00:14:06,410 But I think you can see everything here finished successfully, and that's why the exit code
187 00:14:06,410 --> 00:14:07,070 was zero.
188 00:14:08,370 --> 00:14:10,000 It returned zero.
189 00:14:10,020 --> 00:14:17,120 So everything finished successfully, so that's why there were no errors in this case, right?
190 00:14:17,130 --> 00:14:18,540 There were no errors in this case.
191 00:14:19,050 --> 00:14:24,960 Now let's look at everything in detail and look at how, how this is going to work.
192 00:14:25,200 --> 00:14:33,150 But before we do that, by the way, one important thing here is let's put breakpoints at our main
193 00:14:33,150 --> 00:14:33,660 function.
194 00:14:33,660 --> 00:14:37,990 So that's why I installed here the demo copy of IDA.
195 00:14:38,340 --> 00:14:45,240 So just load your EXE here, and I just want to find the main function.
196 00:14:46,180 --> 00:14:47,770 So we look at.
197 00:14:49,190 --> 00:14:49,820 This.
198 00:14:50,840 --> 00:14:53,740 This is probably where the cookies.
199 00:14:53,780 --> 00:14:59,480 Yes, this is where, by the way, the cookie gets, and the exception handler, this is where the cookie
200 00:14:59,480 --> 00:15:03,630 and the exception handler get registered and added to the stack.
201 00:15:03,950 --> 00:15:11,720 Also, as you can see here, this is where the register, the exception handler, it's, it's stored in
202 00:15:11,720 --> 00:15:14,870 EAX and some operations are done on EAX.
203 00:15:14,870 --> 00:15:24,470 And then, uh, that is going to be stored into the, uh, segment register FS:[0], which is where
204 00:15:24,470 --> 00:15:26,540 our exception handlers are located.
205 00:15:26,930 --> 00:15:34,370 So that's why over here you can, when we dump the, uh, or when we go to FS:[0], we can see where the exception
206 00:15:34,370 --> 00:15:35,090 handler starts.
207 00:15:35,570 --> 00:15:38,280 And this is where the security cookie is checked.
208 00:15:38,290 --> 00:15:41,580 So these are a couple of routines, probably, uh.
209 00:15:42,160 --> 00:15:44,510 So these are all of these routines.
210 00:15:44,510 --> 00:15:49,460 So these are, by the way, the, I think, the cookie. I'm not going to go into details about the cookie,
211 00:15:49,610 --> 00:15:51,110 but it is a random value.
212 00:15:51,680 --> 00:15:55,780 But anyway, for here, what we want to do is two things.
213 00:15:55,790 --> 00:15:58,220 So let's find the address.
214 00:15:59,470 --> 00:16:05,540 Of this, and the good thing is we have a static address, so I want to just put a breakpoint at 10
215 00:16:05,540 --> 00:16:06,160 40.
216 00:16:06,680 --> 00:16:15,250 So when I look at my program, let's increase this, make it, uh, this one I mean, make it 50 to, uh,
217 00:16:15,640 --> 00:16:19,340 make an, uh, overwrite the, uh, the cookie.
218 00:16:19,610 --> 00:16:25,970 OK, or actually let's leave it ten just to see the cookie first and then see how it's going to be,
219 00:16:25,970 --> 00:16:26,870 uh, modified.
220 00:16:27,620 --> 00:16:29,400 How should we do it, modified?
221 00:16:29,450 --> 00:16:32,270 Yeah, let's, let's go this way, no problem.
222 00:16:32,720 --> 00:16:34,790 So let's do this and run it.
223 00:16:36,320 --> 00:16:40,370 And then go to address. What is the address again? 1040.
224 00:16:40,400 --> 00:16:45,350 OK, so we need to go to address 45.
225 00:16:46,670 --> 00:16:49,310 1040, let's go here.
226 00:16:49,820 --> 00:16:53,510 So this is where, by the way, the cookie is being added.
227 00:16:54,530 --> 00:16:55,520 Security cookie.
228 00:16:56,420 --> 00:17:01,820 So let's add an address here. And if, by the way, by the time you, uh, watch this
229 00:17:01,820 --> 00:17:04,460 video, there's anything wrong with this approach,
230 00:17:04,460 --> 00:17:06,880 please let me know at the end.
231 00:17:06,890 --> 00:17:13,130 I, uh, I'm also doing these videos so I don't forget what I have in my head.
232 00:17:13,820 --> 00:17:14,340 Kind of.
233 00:17:14,990 --> 00:17:16,640 So that's one.
234 00:17:16,790 --> 00:17:21,820 And then the other thing I want to use IDA for here is also to find the main function.
235 00:17:22,460 --> 00:17:24,620 So main also starts at 10
236 00:17:24,660 --> 00:17:25,400 E0.
237 00:17:25,400 --> 00:17:26,960 So this is where main starts.
238 00:17:26,960 --> 00:17:27,280 Right.
239 00:17:27,290 --> 00:17:28,720 Let's double check here.
240 00:17:30,390 --> 00:17:37,320 Yeah, this is, uh, 1040, and then main is at 10E0, so this is where main.
241 00:17:38,200 --> 00:17:40,150 The starting.
242 00:17:41,520 --> 00:17:43,740 Uh, the, uh.
243 00:17:50,550 --> 00:17:53,100 What do we have here, a call to this?
244 00:17:53,130 --> 00:17:54,350 What is this going to do?
245 00:17:55,560 --> 00:17:57,450 To a lot of other things.
246 00:17:59,950 --> 00:18:03,350 So, I mean, I just want to check.
247 00:18:04,950 --> 00:18:06,120 You have this.
248 00:18:07,870 --> 00:18:11,150 Exception handler in main, call this function.
249 00:18:12,410 --> 00:18:13,940 Which is our code.
250 00:18:16,450 --> 00:18:18,630 Which is the print message, right?
251 00:18:19,180 --> 00:18:21,900 Let's just check the one, to get this one quickly.
252 00:18:22,900 --> 00:18:24,640 So what do we have here?
253 00:18:24,670 --> 00:18:25,970 This is the.
254 00:18:28,250 --> 00:18:30,140 Uh, the printing.
255 00:18:31,060 --> 00:18:35,560 printf, OK, so this is where the stuff is happening.
256 00:18:36,510 --> 00:18:37,610 Um.
257 00:18:40,130 --> 00:18:41,290 So, printf, uh.
258 00:18:42,260 --> 00:18:44,500 What else do we have here?
259 00:18:51,280 --> 00:18:56,260 Uh, just checking out a couple of different things, I just want to make sure.
260 00:18:57,010 --> 00:19:02,530 So, yeah, this is main, which we want, OK, to have, and then.
261 00:19:11,450 --> 00:19:13,790 Just checking different details.
262 00:19:17,630 --> 00:19:23,090 Anyway, by the way, I hope I didn't confuse you with this. Just, we, uh, the important thing for
263 00:19:23,090 --> 00:19:26,330 now, because we use the debugger, is to find main.
264 00:19:26,340 --> 00:19:28,790 So we know main is at 10E0.
265 00:19:29,120 --> 00:19:31,610 And by the way, it will continue to be at 10E0.
266 00:19:31,610 --> 00:19:31,880 Why?
267 00:19:31,880 --> 00:19:35,080 Because, uh, I will show you in a minute.
268 00:19:35,090 --> 00:19:37,650 Just let me put a breakpoint and then I will show you.
269 00:19:38,420 --> 00:19:40,250 So we go to ten.
270 00:19:41,630 --> 00:19:42,920 E zero.
271 00:19:44,690 --> 00:19:47,580 OK, this is where main is going to start.
272 00:19:47,640 --> 00:19:55,890 OK, so if I go back to my code and compiler, and just a reminder why this is always going to
273 00:19:55,890 --> 00:20:00,270 be the same: we go to the linker, we go to Advanced.
274 00:20:00,780 --> 00:20:04,320 You can see dynamic base has been, uh, disabled.
275 00:20:04,440 --> 00:20:10,680 So we disabled, or, uh, there is no dynamic base, and we already specified where the base address is.
276 00:20:11,130 --> 00:20:13,840 So that's why it will always start at.
277 00:20:13,890 --> 00:20:18,720 The address is forty-four fifty-five, and then a relative offset for everything else.
278 00:20:19,680 --> 00:20:20,220 So good.
279 00:20:20,280 --> 00:20:25,960 And again, the idea here was doing this just for demonstration purposes.
280 00:20:26,700 --> 00:20:29,820 So what else do we need to do to get this started?
281 00:20:30,090 --> 00:20:32,340 Uh, let, let's just start then.
282 00:20:33,030 --> 00:20:39,060 So we, OK, so now we are, uh, we started the application.
283 00:20:40,560 --> 00:20:45,630 OK, I'm going to continue doing the.
284 00:20:46,890 --> 00:20:48,190 OK, return.
285 00:20:48,330 --> 00:20:51,250 OK, John here was 14.
286 00:20:52,070 --> 00:21:02,100 OK, if I run the code, by the way, we should stop at our, uh, uh, we are, we are now at the main, main
287 00:21:02,100 --> 00:21:03,620 entry of our application.
288 00:21:03,930 --> 00:21:09,870 So if we now push EBP, you should see EBP has been added.
289 00:21:09,900 --> 00:21:16,980 OK, let's continue: push, push, these initialization, other different stuff.
290 00:21:16,990 --> 00:21:24,480 I'm not going to deal with them for now, and here and now, before I can, before I do this.
291 00:21:24,480 --> 00:21:26,340 By the way, let's look at the.
292 00:21:27,340 --> 00:21:28,990 !mona seh.
293 00:21:29,560 --> 00:21:31,450 OK, so if we do that.
294 00:21:32,800 --> 00:21:40,210 We can see that this has been registered, or added to the stack, probably from a previous instruction.
295 00:21:41,130 --> 00:21:50,670 And now we can see that EAX, which has this entry, by the way, is for our, uh, one
296 00:21:50,670 --> 00:21:57,510 of our, uh, sections, 19F0, 19F18.
297 00:21:57,810 --> 00:22:00,070 So we look at 19F18.
298 00:22:00,090 --> 00:22:01,560 This is where it's pointing.
299 00:22:01,900 --> 00:22:06,380 Let's see where this is going to be pushed to. Look.
300 00:22:08,120 --> 00:22:09,140 The, now.
301 00:22:10,770 --> 00:22:17,190 What happened is, at this address, we use the address and we added the pointer to the next SEH,
302 00:22:17,190 --> 00:22:19,770 which we already saw in the logs.
303 00:22:20,220 --> 00:22:25,590 So in the logs we saw the address was 19F16.
304 00:22:25,800 --> 00:22:32,580 So if we look back here, we can see at EAX, which has 19F18.
305 00:22:32,730 --> 00:22:36,390 So it was pointing to 19FF18.
306 00:22:36,420 --> 00:22:37,120 What is that again?
307 00:22:37,170 --> 00:22:37,440 Yeah.
308 00:22:37,520 --> 00:22:37,810 Yeah.
309 00:22:38,250 --> 00:22:44,080 And what we added into that is, the next pointer is at 19F60.
310 00:22:44,580 --> 00:22:48,180 And then the handler is at 44 55 11
311 00:22:48,180 --> 00:22:53,190 55, similar to what we saw in Mona here.
312 00:22:53,370 --> 00:22:54,600 So forty-four
313 00:22:54,600 --> 00:22:55,230 fifty-five
314 00:22:55,230 --> 00:22:56,130 eleven fifty-five.
315 00:22:56,430 --> 00:22:57,540 So we saw here.
316 00:22:58,940 --> 00:23:04,880 How this value actually got added to the stack now, so we now know how this value got added even to
317 00:23:04,880 --> 00:23:07,290 the stack, so we managed to see that.
318 00:23:07,700 --> 00:23:13,030 Let's continue now, though. If we continue, let's see here.
319 00:23:13,700 --> 00:23:17,870 Oh, so we now arrived, by the way, at 1040. Remember, it was 1040.
320 00:23:18,320 --> 00:23:19,180 So 1040.
321 00:23:19,190 --> 00:23:23,470 If we just go back here, it's where our cookie is dealt with.
322 00:23:23,480 --> 00:23:26,660 So let's pay attention to this one.
323 00:23:26,900 --> 00:23:33,890 By the way, I highly recommend you use maybe, uh, like a pen and paper to write things down, or
324 00:23:34,550 --> 00:23:37,070 I will just write them here in a notepad.
325 00:23:37,920 --> 00:23:39,660 Let's see what we have.
326 00:23:41,090 --> 00:23:43,240 So we look at.
327 00:23:44,350 --> 00:23:45,280 Let's see here.
328 00:23:46,690 --> 00:23:53,900 So we did, we start pushing EBP, EBP, EBP is now added to the stack, which was, where is it?
329 00:23:54,260 --> 00:23:55,050 Yeah, this one.
330 00:23:55,060 --> 00:23:56,200 So let's copy this.
331 00:23:57,090 --> 00:23:57,930 Just to check.
332 00:23:59,520 --> 00:24:08,190 EBP equals this, and then let's continue our execution with F7. So minus two, minus two
333 00:24:08,190 --> 00:24:10,050 is going to be added to the stack again.
334 00:24:10,240 --> 00:24:12,260 Also, we can see that here.
335 00:24:12,900 --> 00:24:18,090 So minus two here, and then push this value 44 55
336 00:24:19,070 --> 00:24:21,240 20 30.
337 00:24:21,380 --> 00:24:22,850 So we're going to push that.
338 00:24:23,640 --> 00:24:26,350 So let's take a copy of this, by the way.
339 00:24:26,820 --> 00:24:34,110 Let's take a copy of this, and you'll see why this is one, and then, uh, continue.
340 00:24:35,470 --> 00:24:38,430 Take a copy of this also.
341 00:24:41,270 --> 00:24:45,950 One thing, if I go back, by the way, to the Microsoft documentation.
342 00:24:47,370 --> 00:24:52,320 This is really the buffer, like, the stack is not really one.
343 00:24:52,860 --> 00:24:54,990 It's like it's an offset to.
344 00:24:56,340 --> 00:25:01,980 If I remember correctly, I really don't know where I read this, but it's an offset to a kind of, let's
345 00:25:01,980 --> 00:25:03,000 say, uh.
346 00:25:03,860 --> 00:25:06,470 Uh, whole, uh.
347 00:25:08,260 --> 00:25:08,940 Structure.
348 00:25:10,410 --> 00:25:15,870 OK, so probably this is the structure, uh, for example, the following struct.
349 00:25:16,290 --> 00:25:18,870 Yes, but first, OK, no, not this one.
350 00:25:19,470 --> 00:25:27,780 Yeah, I don't know where I found that, but, uh, well, I think I can probably, if I found it somewhere
351 00:25:27,780 --> 00:25:28,200 else.
352 00:25:33,570 --> 00:25:35,220 So where did I find it?
353 00:26:00,450 --> 00:26:06,870 Yeah, let's, uh, I don't remember where I read that, but, uh, it's probably not just one value.
354 00:26:07,460 --> 00:26:08,610 Let's check again.
355 00:26:08,610 --> 00:26:09,510 We'll see that.
356 00:26:10,420 --> 00:26:12,980 So now we are going to add another key here.
357 00:26:13,000 --> 00:26:14,230 We are going to add.
358 00:26:15,120 --> 00:26:17,010 Whatever is pointing now.
359 00:26:17,930 --> 00:26:23,600 Here, so let's see what's pointing now at our first entry of the chain. So if we do this before we
360 00:26:23,600 --> 00:26:30,220 continue, just to see, to get an idea, so we see that our first entry is 19FF.
361 00:26:30,710 --> 00:26:31,860 So let's copy this.
362 00:26:31,880 --> 00:26:32,990 Oh, it's 19.
363 00:26:33,750 --> 00:26:36,240 FF, that. I copy that. Binary?
364 00:26:37,160 --> 00:26:38,840 No, I don't think so.
365 00:26:39,540 --> 00:26:40,170 OK.
366 00:26:41,010 --> 00:26:41,730 The line.
367 00:26:45,060 --> 00:26:49,570 Yeah, so this value is going to be copied, well, into EAX.
368 00:26:49,950 --> 00:26:57,210 OK, and this address, let's call it, uh, first, uh, start of.
369 00:26:58,000 --> 00:27:00,080 Start of SEH chain.
370 00:27:00,570 --> 00:27:01,000 Right.
371 00:27:01,060 --> 00:27:02,920 This is where it's located now.
372 00:27:03,910 --> 00:27:05,580 Let's save these notes.
373 00:27:08,270 --> 00:27:09,280 To the desktop.
374 00:27:10,510 --> 00:27:18,430 And let's call it, uh, SEH, but, uh, cookie bypass.
375 00:27:20,290 --> 00:27:28,450 OK, and if we go back here to our execution, so this value which we saw is going to now be stored
376 00:27:28,450 --> 00:27:30,210 into EAX.
377 00:27:30,220 --> 00:27:31,350 So let's continue.
378 00:27:32,590 --> 00:27:40,780 Oh, it's, uh, what was it, 19F18, so it got stored into EAX. Now EAX is going to be pushed onto the
379 00:27:40,780 --> 00:27:42,460 stack, so it got pushed.
380 00:27:42,820 --> 00:27:44,140 Let's continue here.
381 00:27:45,110 --> 00:27:48,890 These are all the different kinds of initialization stuff.
382 00:27:49,850 --> 00:27:51,170 I'm going to continue.
383 00:27:51,960 --> 00:27:57,720 Because this is not really what we need. So here is what's happening, by the way, the copy, by the
384 00:27:57,720 --> 00:27:58,860 way, this is the copy.
385 00:27:59,520 --> 00:28:07,260 We, we saw how the stack got initialized, by the way, with that, uh, with that value, with the
386 00:28:07,260 --> 00:28:08,000 stack cookie.
387 00:28:08,550 --> 00:28:15,270 And now we are, uh, we are writing these values onto the stack.
388 00:28:15,430 --> 00:28:19,560 OK, we are, we are copying the values here in our code.
389 00:28:20,450 --> 00:28:28,250 The A's, there are 10 A's, we are now, they are getting copied onto the stack, so this operation
390 00:28:28,250 --> 00:28:28,520 is.
391 00:28:29,970 --> 00:28:31,410 This one is the copy here.
392 00:28:32,700 --> 00:28:41,550 There's a lot, one getting copied, so we copied now eight 41s, and you can put, by the way, a breakpoint
393 00:28:41,550 --> 00:28:47,640 at this entry and then just hit F9 if you don't want to. Especially with ten, it's fine.
394 00:28:47,640 --> 00:28:52,230 But later on, if you are copying more than 10 bytes, it's going to take a while to do that.
395 00:28:52,500 --> 00:28:55,890 So now the copy should be.
396 00:28:57,120 --> 00:28:59,440 What, good, so that's why we finished.
397 00:29:00,090 --> 00:29:03,600 Now we are here, so we should get this message.
398 00:29:04,450 --> 00:29:11,600 Saying, you, and let's, let's finish the argument one. Now we are going to call, this is a printf function,
399 00:29:11,620 --> 00:29:13,690 really, so I'm going to bypass it.
400 00:29:13,690 --> 00:29:15,910 So I'm just going to, I mean, I'm going to jump over it.
401 00:29:16,210 --> 00:29:17,260 So I'm not going to do that.
402 00:29:17,620 --> 00:29:22,960 But if you look here now, we got the message, OK, all good.
403 00:29:23,410 --> 00:29:30,550 So now we are, we should finish and go back to the previous function, or the one who called us.
404 00:29:31,100 --> 00:29:32,950 So we continue here.
405 00:29:35,680 --> 00:29:38,710 So let's do all of this.
406 00:29:38,740 --> 00:29:40,140 OK, good.
407 00:29:40,600 --> 00:29:41,900 Now look at this.
408 00:29:42,460 --> 00:29:44,770 So look here at this address.
409 00:29:45,250 --> 00:29:46,450 Look here at this address.
410 00:29:46,580 --> 00:29:47,410 Let's go.
411 00:29:48,510 --> 00:29:49,610 Uh, following the.
412 00:29:50,900 --> 00:29:55,430 OK, so if you look at this address here, not this, I'm sorry.
413 00:29:56,550 --> 00:30:00,690 Uh, so let's go to ECX.