00:00:05,190  But the... And copy.

00:00:28,550  Yep, so if we go to the address here, exactly, so if we go to the address here, what is the value that we have? Let's copy it, actually. Let's copy it and let's bring it over here. OK, so this is little-endian. Don't forget that. So we have the 9, and then we have 10, and then we have 68, right. This is little-endian.

00:01:05,290  OK, so at this location we have this value, and we are comparing it with EAX. So let's look at EAX, which is the one actually holding our cookie value. It got pushed into EAX, I think, from a previous instruction; probably I missed that, but we'll see it when I do the follow-up again. So look at EAX. What do we have in EAX? So let me just delete this and say: at this location we have this, right, and then here let's do EAX. Yes, we have it. And then, are they the same value? The answer is yes. So this means the cookie was not overwritten. So this was the cookie, by the way.
00:02:00,550  This was the cookie that was currently added to the stack. So let's continue. So everything looks good, and then we are going to finish the execution and jump here, because everything was successful. And we are going to return from here, and then we are cleaning the stack and we will be ending our program. But I'm going to just continue, and I'm not going to jump over these things, just to reach the end of the program. And then the program will terminate. But the exit code is zero, because there was no problem in executing the program.

00:02:42,670  Now let's modify it and overwrite our stack cookie and see what's going to happen. OK, let's modify it and see how the stack cookie gets modified, so let's close this. And this time... so this was for case number one. Let's bring this down. OK, so you see, this is, by the way, where we... Yeah, I don't remember which one exactly we overwrote the stack with, but these were all our entries. Let's go to the test again. Hopefully, if you continue, and if you also do this by yourself and repeat the process, you will understand what I'm doing here. So let's run it again.
00:03:29,810  Let's hope that if you didn't follow in the previous one, you'll follow now and you'll see how our stack cookie is going to be overwritten this time. So F7, let's continue the execution. And if we now look at our chain... I see a change. Let's see, so we should have the default ones, good, because we still have not added the one that comes from the program yet. So let's now continue. Continue, continue. This is where we... Continue, yep, this is where we will probably start adding our... So this is where we will be adding our... chain, let's just check again. It has not been added yet, so let's go back.

00:04:32,030  So this is where our first entry will be, and then we are going to push the first entry of the chain, the one in the segment here. So, sorry, what the segment is currently pointing to will be pushed onto the stack. So let's do that, which is FFCC, which is the end of the chain, by the way. We just go back here to the end of the chain, see this one? And it's going to be pointing to our next one, which at the end also points to the end of the chain, which, I mean, is the last one in our stack, in our chain, I mean, sorry.
00:05:12,100  So let's continue. All of these are good, good, good. And let's see. I hope I didn't jump over the one where we will add our handler. Until now, no. So all good over here. Yep. This is where EAX has the handler. So this is where the handler was added, by the way. So it's 19FF60. This is where our chain now starts. So now I see a chain. Let's do that again. I'm not jumping over things for you. So, what did we have to get? So we had 60, OK, and this one was added to get the entry, so 19FF60, so if I go one... 19FF60 is where our chain now starts. The thread environment block now, at this location, points here, which is exactly what we saw.

00:06:19,230  OK, again, I hope I'm not rushing into stuff. So the address here, this was good. Now let's do the call to our function, which is going to do the copy. So this is, by the way, where we will be doing the copy. Let's go there. So this is the function that will be doing the copy. So let's do this. And now...
00:06:49,050  I'm going to jump over this, I don't want to go into it. I will continue over here. And continue, continue, continue. These are not important, at least for now. I think I probably... So, let's see, what do we have here before I just continue? These are all good. I am not, by the way, going through every single step, but I want to reach our... Oh, I just tried to jump over something, by the way. What happened here? We sent the... Let me restart this, by the way. Our code was... sorry, so I... Let me just check.

00:08:13,500  So now we arrived at our main program. This is main. And by now, our chain is not loaded... or it is, actually, yes, actually it is loaded. Is this main? I think it is. Yeah. 10 0, if I remember correctly, this was... I mean... Yeah, 20 0, so probably I missed one thing. OK, no problem, let's just continue here. These values, so this one is going to be stored in EAX, which is where our pointer...
00:09:00,200  So, currently our next SEH is at 19FF60. So this value is going to be stored in EAX now. So 19FF60, now we are pushing EAX on the stack again, doing these operations. OK, OK, OK, OK. All good, so this is where we put the values into EAX, and EAX now holds our A's. Now we are going to do the call to do the copy. So this one is the one that's going to do the copy. And let's do it. So here we are initializing, by the way, we are initializing the stack cookie here, and these values, I think these are the ones.

00:09:59,510  Well, where is the execution now, by the way? That... all the A's. OK, so F18, FF18 is what our next instruction pushed, copied to EAX. OK, now we are pushing EAX on the stack. Now, where our exception handler is... OK, this value got copied to EAX. So this value at this location, by the way, so if we follow this, if you remember, let's copy this value, these four bytes. So if you copy these four bytes, OK, so they are 6, 21, 3, 3, 50, 6B, OK. Let's see, what's this value in EAX? OK, let's continue.
00:11:01,970  So now we continue here, continue. Continue. Now, OK, copy this value back to the entry point of our chain, or our chain, it's so... 19FF58. 19FF48. 19FF... 19FF... Yeah, this one. So this value is now going to be... what? At the beginning of the chain. So let's look at the beginning of the chain now again, just to double check. We should see that. So, yeah, 19FF58 is now at the beginning of the chain. So as you can see, these, by the way, structured exception handlers, these handlers get dynamically added to the stack as they are used, or as they are going to be needed.

00:12:21,240  So now we continue, continue. And this is... continue. Continue. OK. And here we are going to move one value from... going on here. Move, I mean copy, by the way, copy one byte from ESI, which is the A's, into AL. So if we look at that now, we copy that into AL. Now AL is going to be copied into this location. So this is where we started...
00:12:58,530  Now, by the way, to do the copy operation. OK, so since this is a copy operation and we have 70, uh, 50 bytes, I'm not going to go over all of them. So what I will do is add a breakpoint here and hit run. So now we are at the breakpoint, I can remove it, so we copied the 50 bytes, OK, and now if we continue... Now, if we continue, push, watch this value, and I'm going to jump over the print function, so the print was successful. OK, but now when the function wants to unwind and go back, this is where things get interesting, because now we are going to check the cookie.

00:13:47,250  So now we are going to copy -2 to this location, EBP minus 4. So we copied that over here. So you can see EBP is pointing at ...FFF8. Right, and we said at minus 4, so at minus 4 we copied the -2 value there. So now it's -2. And now what we are going to be doing is copying EBP minus 10 to EAX. So look at EAX now. EAX now is these 41s. And this is, by the way, where our stack cookie is supposed to be. So let's continue.
00:14:39,470  And now we are going to put this into the beginning of the chain. So this is where we are adding, actually. So this is, by the way, not the cookie. This is where we are adding the, sorry, not the cookie. This is where we are adding the pointer to the next handler, right, to the beginning of our chain. So you can see the pointer now is going to be added to the chain. So if we continue, and now if we check the chain again, by the way, we should see that it has now been overwritten. Yeah, we can see that the address has been overwritten. Why? Because we wrote it with the C's, with the A's, I mean, sorry. Let's continue, pop these values, OK.

00:15:24,390  OK, EBP minus 1C, that's going to be copied into EAX. So let's do this. This is now... let's do this function and see the value again. So it seems the previous instruction is where we load the value from the stack into EAX, and now we are going to compare it. So if we go to 44553004, which I think we are already at, here we are going to compare this value with the value in EAX. We are going to compare this value with the value in EAX, OK? So if we compare now the value here, the comparison is going to be false for sure.
00:16:17,700  So we are now going to be, actually, I'm going to jump this just to... so we are now at interrupt 29, because the system will terminate the application. Why? Because the cookie got overwritten. And by the way, the cookie is usually added before the SEH, OK, before the next SEH. So if you look at the stack, you'll see the buffer, and then you'll see the next four bytes are for the cookie, and then you will see the next SEH, and so on and so forth.

00:16:59,780  So now we hit Shift+F9. Our application... So if I hit now Shift+F9... Oh, it's still running. So there is no problem and probably... It's not able to proceed. It terminated, actually. I think there was a delay in my... my system is getting slow, so the application terminated. Why? Because the cookie was overwritten. Let's just repeat the process again, by the way, just one more final time, just to make sure you got the idea here. So we do F5 again for this one. OK. So if we restart... let's start our work. OK, so this is where we are actually copying this value to EAX. So this value is being copied to EAX.
00:18:23,360  OK, so let's remember this, but I think that's the copy. Just check it out. And now let's continue the execution. The chain. All of these are good. OK, so let's check the values that we have; we can see our pointer to the next SEH, which has already been added, so that's good. And let's just check out the chain. I want to see the chain. I think I've got something. You see the chain. So the value 19FF60, so this is what it is, 19FF60. OK, let's continue.

00:19:26,360  So this one is now going to do the call to our function, so let's call that, so we continue here. I'm going to jump over this one, by the way, but I want to go and... at least come back here. All of these are good. Probably these are the code that's actually doing the cookie thing, maybe, I didn't check. I kind of jumped into it. Let's do... OK. OK, cool. These are good. OK. Looks good, good.
00:20:29,610  I want to see where our... Oh, we got into this problem again. Let me do this. I think I have to... OK, so that's actually... So I just wanted this time to see this. This is actually getting changed every time, and I think this is the value, by the way, of the cookie. I think it is. So let's just continue. I will jump. I've got this breakpoint right back here. These are the exceptions that got added back. And here I think this is the... exceptions get added, I'm going to jump over this one this time. OK, now this is where we do the... This is where we do... what? That's good here.

00:21:54,400  So, I hit F9, we reach the main function, which is what I want, good. So it got added to the stack. The pointer to the next SEH got added. OK, so now let's check here. This value over here is going to be added, minus... this value here, it's going to also be added to the stack. So all of these...
313 00:22:25,280 --> 00:22:31,190 This value is going to be pushed into X, which is where our current, uh. 314 00:22:32,500 --> 00:22:42,010 See, it starts, so our current chain starts at F 19, F F 60, that's going to be added to X, could 315 00:22:42,650 --> 00:22:44,180 push it onto the stack again. 316 00:22:44,670 --> 00:22:50,420 Now, we are creating this space over here where she pushes the Idei. 317 00:22:50,900 --> 00:22:53,200 Let's just all move. 318 00:22:53,210 --> 00:22:55,310 OK, so this value here. 319 00:22:56,280 --> 00:23:01,560 At this location, so if we follow this location and to. 320 00:23:02,840 --> 00:23:06,230 No dress and we follow it, let's just copy. 321 00:23:07,350 --> 00:23:09,990 These videos here, so we copy. 322 00:23:10,690 --> 00:23:11,120 OK. 323 00:23:14,190 --> 00:23:22,440 Um, it's it's actually exactly the one I knew it was the one, so you can see a six F eight. 324 00:23:24,080 --> 00:23:26,810 Then we have zero nine. 325 00:23:27,820 --> 00:23:29,230 Then see eight. 326 00:23:30,520 --> 00:23:34,520 This is the the the cookie, the one that was posted. 327 00:23:34,810 --> 00:23:39,670 OK, so now it's going to be copied to X, probably this operation is going to happen with it. 328 00:23:40,180 --> 00:23:41,440 So it's copied there. 329 00:23:41,530 --> 00:23:46,910 Now, X is going to be absorbed with this value at Eppy minus eight. 330 00:23:47,510 --> 00:23:50,530 OK, now accord with SBP. 331 00:23:51,310 --> 00:23:53,410 Now it's going to be pushed back to the stack. 332 00:23:54,350 --> 00:23:55,700 OK, so. 333 00:23:56,740 --> 00:24:04,420 Uh, so this value here is now pushed back to the stock. 334 00:24:05,460 --> 00:24:06,830 That's just copy it over. 335 00:24:06,930 --> 00:24:10,320 I just want to keep this again, I'm not checking. 336 00:24:10,350 --> 00:24:12,530 By the way, how the cookie is generated. 337 00:24:12,540 --> 00:24:15,390 I don't really care about that for now. 
00:24:15,390  But just to understand this, and here we can see the value, and this is now actually pointing to our... So now the handler. OK, now 19FF18 is going to be pushed at the beginning of our chain. So now if we check the chain again, we should see 19FF18 as the starting point of it; as you can see here, 19FF18. Good. So let's continue. And then we do these, continue. This one is going to do the call for the copy. Let's do that. Yep, this is the call for the copy.

00:25:05,450  What's going to happen here is that it's going to store EBP, to make sure when it unwinds it does a check. So EBP got stored, the cookie... I mean, this is where we are now entering another function, this value is going to be pushed. OK. And now push this value onto the stack, 44552400. This one is also pushed onto the stack, and then push, push EBX. Yeah, push this now onto the stack, OK, create some space. OK, so we created some space. And what do we have next? We created some space, now that value at that location is going to be copied into EAX. Right, yeah, into EAX, so it's copied.
00:26:17,900  Now some XOR operation. These are all added, and I'm just continuing, by the way, here. OK. OK. OK, now this is where we are going to be starting the copy operation. So we can see, by the way, our next SEH is here, right, we can see our handler is here. Right. So I'm assuming this one is our cookie, by the way, let's just save that. Let's copy it. Yeah, let's copy this out here. I assume probably this is the one. OK, so let's continue here, F7 now, copy one byte. And now that one byte is going to be checked, if we finished.

00:27:17,400  So because it's a byte-by-byte operation, I'm going to put a breakpoint here on the program, so it will do all the copies. Did I reach it? Oh, so I put the breakpoint in the wrong location. I put the breakpoint here; if I run the application with F9 now, it should... So here you can see this is where our pointer is, and this is where our... Yeah, this is our pointer to the next one, et cetera. So now I hit F9, we can see this value. I want to, by the way, just copy this value also, just in case. Actually, being at this location...
00:28:13,420  OK, so if I hit F9 now, these will all be overwritten with the buffer, because we have the bytes. So F9, it got overwritten. Exactly. Great. Now, if we continue... So this is a print message, so I'm going to jump over it. OK, step over. But we still get the message. But now, when we want to go back to the previous caller, which was main, we will start doing our checks. So we are going to do the check. So continue. I am going to continue, so -2 is going to be copied at that location. That value over here, EBP minus 10. So EBP is at ...FFF8. And then minus 10 is going to copy those values into EAX. OK, let's do that, continue. Push, OK.

00:29:17,200  OK, continue here, I'm going to do the call, actually jump into it, because we want to check... this is where the cookie gets checked, so EAX now has this value. Right, this value is in EAX and it's going to be compared with the value at ...3000, uh, ...3004. So this value... was it any one of these, by the way? And I think there was some calculation that got...
00:29:57,610  So it's not really directly done, probably, or I missed a step, by the way, I could have missed a step. But anyway, this is the cookie which is going to be checked. Right, so it's going to be checked. And now we can see the... It's telling us, uh, ... EBP, we are going to jump into another call, OK, by the way, and I'm going to bypass this. OK. OK.

00:30:34,910  OK, now we are going to actually do the call to interrupt 29, and as I said, interrupt 29, I will add the link to it. It's __fastfail, and interrupt 29, whether the architecture is x86 or x64, it's going to be first... the value of it is loaded into ECX. So we saw the value number 2, which is going to call this function. This interrupt was 2, and then it's popped into ECX. So the location of the code argument is always in ECX; on an x64 system it is going to be in RCX, and on ARM and ARM64 it is going to be in R0. Again, I'm just reading this from the Microsoft website. So now we try to continue. We can't, because the interrupt has happened. If we hit...
435 00:31:40,930 --> 00:31:47,800 Shift-F9, the application should terminate with the abort, that, uh, the application terminated, 436 00:31:48,100 --> 00:31:55,960 so we can see that one if we had overwritten our cookie, even if our, uh. 437 00:31:57,790 --> 00:31:59,200 Even if our code. 438 00:32:00,020 --> 00:32:05,210 I mean our exploit was successful, by the way, uh. 439 00:32:06,540 --> 00:32:08,550 Without triggering an SEH. 440 00:32:09,470 --> 00:32:18,420 The cookie will actually hamper our exploitation process, so what we will be doing this time is work 441 00:32:18,470 --> 00:32:19,010 as we saw. 442 00:32:19,010 --> 00:32:25,220 If we overwrite them, then the cookie will prevent us from running the application and then probably 443 00:32:25,220 --> 00:32:26,140 terminate our child. 444 00:32:26,780 --> 00:32:30,420 But SEH is one way to bypass the cookie. 445 00:32:30,590 --> 00:32:32,720 So what we will be doing now is. 446 00:32:33,560 --> 00:32:40,640 We will be using the SEH method, which we have already done, to bypass the cookie, so all we need 447 00:32:40,640 --> 00:32:43,340 to do here actually is, uh. 448 00:32:45,180 --> 00:32:46,080 I think. 449 00:32:48,180 --> 00:32:53,310 This should be fine, by the way, but let's now double check. 450 00:32:54,870 --> 00:32:57,360 All of the shellcode. 451 00:32:58,210 --> 00:33:03,370 And I think this address is no longer this one, so let's. 452 00:33:04,520 --> 00:33:11,050 Let's just run it to get some, uh, some addresses, by the way, as the addresses are now different, 453 00:33:11,510 --> 00:33:15,560 everything else should be the same except the offset we saw. 454 00:33:15,560 --> 00:33:25,730 It's 32 now instead of... so we have 28 bytes and then we have four bytes for the next SEH and so on. 455 00:33:25,760 --> 00:33:27,800 So let's, let's just continue. 456 00:33:28,310 --> 00:33:32,600 But this time I just want to get an address. 457 00:33:40,460 --> 00:33:41,660 And. 
458 00:33:43,370 --> 00:33:45,790 Yeah, so I go and, no, not. 459 00:33:46,830 --> 00:33:47,430 Yeah. 460 00:33:48,400 --> 00:33:51,550 OK, we can do that, wait a little bit. 461 00:33:52,090 --> 00:33:53,450 I'm going to take too much time. 462 00:33:54,190 --> 00:33:57,070 OK, so we go to SEH. 463 00:33:58,390 --> 00:34:01,200 We can take one of these addresses over here. 464 00:34:02,060 --> 00:34:11,090 And just use a set of wheels, for example, this one, so 15, 45, I'm going to use this one. 465 00:34:11,600 --> 00:34:13,010 Fifteen forty-five. 466 00:34:15,030 --> 00:34:17,700 OK, so if I go back. 467 00:34:19,150 --> 00:34:19,960 Was this. 468 00:34:20,760 --> 00:34:22,580 Um, go back here. 469 00:34:23,880 --> 00:34:28,380 So we do, yeah, here it is, I have already probably done that on my test. 470 00:34:28,390 --> 00:34:35,130 OK, and this is from the previous video when we didn't have the, uh. 471 00:34:36,250 --> 00:34:39,210 Stack guard, like, enabled. 472 00:34:41,380 --> 00:34:45,190 So we can now get rid of this, or actually, why did I do that? 473 00:34:45,580 --> 00:34:49,570 Let me just do this right and to. 474 00:34:52,350 --> 00:34:53,190 Number three. 475 00:34:55,280 --> 00:34:57,170 So this is number three. 476 00:34:58,710 --> 00:34:59,850 Let's do this. 477 00:35:02,170 --> 00:35:08,320 Let's remove the salt so we don't get any more, and now let's run our call, let's copy this address, 478 00:35:08,320 --> 00:35:08,710 by the way. 479 00:35:08,710 --> 00:35:10,900 I will need it to put a breakpoint on it. 480 00:35:11,780 --> 00:35:12,340 OK. 481 00:35:13,780 --> 00:35:14,750 And. 482 00:35:18,580 --> 00:35:19,100 Good. 483 00:35:19,120 --> 00:35:22,050 So let's go to this address here. 484 00:35:23,220 --> 00:35:25,080 Uh, the breakpoint for our. 485 00:35:29,500 --> 00:35:30,550 So if we. 486 00:35:31,610 --> 00:35:32,180 Hit. 
487 00:35:33,820 --> 00:35:41,950 F9, we are at the main function, right, we are at the main function and now if we. 488 00:35:43,310 --> 00:35:48,190 Let's, let's continue, let's just do a couple of quick instructions here. 489 00:35:49,320 --> 00:35:53,640 So this is where we are in the, uh. 490 00:35:53,700 --> 00:35:55,620 The one that will do the write. 491 00:35:55,720 --> 00:36:01,180 Yep, this is the one that will do the copy; it got initialized with the cookie also. 492 00:36:01,500 --> 00:36:03,570 And now we are copying one. 493 00:36:05,080 --> 00:36:07,420 At a time, see, one byte at a time. 494 00:36:07,660 --> 00:36:12,200 So I'm going to put a breakpoint, actually it's still here, so I'm just going to hit F9. 495 00:36:12,460 --> 00:36:13,990 We finished the copy. 496 00:36:14,950 --> 00:36:23,410 All of those and even the pointer to next, which we finished overwriting, all of this with a special 497 00:36:23,410 --> 00:36:28,660 code and everything else, all, all is done properly as we want. 498 00:36:29,110 --> 00:36:32,500 So now we can continue our execution by. 499 00:36:35,760 --> 00:36:42,120 Oh, we've got an exception, great, though, we triggered an exception, and if we check the chain, 500 00:36:42,930 --> 00:36:44,400 the SEH chain. 501 00:36:46,270 --> 00:36:52,290 And if we check the chain, we can see that the chain has been overwritten, so this is where it started, 502 00:36:52,300 --> 00:36:53,670 overwritten with this value. 503 00:36:54,130 --> 00:36:55,860 And, uh, yeah. 504 00:36:55,870 --> 00:36:59,350 So let me do just one thing. 505 00:36:59,950 --> 00:37:00,310 One. 506 00:37:01,830 --> 00:37:03,870 I want to check. 507 00:37:05,550 --> 00:37:06,410 Uh. 508 00:37:08,740 --> 00:37:09,960 Yeah, OK, good. 509 00:37:09,990 --> 00:37:11,670 So let me just do this. 510 00:37:13,110 --> 00:37:17,640 So now what we need to do is, uh, Shift-F9. 
511 00:37:19,070 --> 00:37:29,660 We should stop at our... exactly. So now, what happened is the value in our chain, right where our 512 00:37:29,660 --> 00:37:31,680 next SEH is located. 513 00:37:32,030 --> 00:37:34,060 This is, again, we saw it in Mona. 514 00:37:34,880 --> 00:37:35,980 Let me go back here. 515 00:37:36,770 --> 00:37:41,250 But let me just again see it changed. 516 00:37:41,480 --> 00:37:46,570 OK, so if we look again here, what am I looking at? 517 00:37:47,880 --> 00:37:50,100 We look again here. 518 00:37:51,610 --> 00:37:57,850 Uh, yep, this one, we can see where the handler is, it's at forty-four, fifty-five. 519 00:37:57,860 --> 00:38:02,730 So we are now calling, actually, this one, so we are calling it, OK. 520 00:38:04,290 --> 00:38:07,190 But since, excuse me, there is nothing there to be done. 521 00:38:08,690 --> 00:38:15,470 We are going to now do the pop pop ret, so we will pop these four bytes. 522 00:38:15,510 --> 00:38:20,660 So this is, if there was a handler, this is where the code for the handler would start. 523 00:38:20,880 --> 00:38:23,390 But since there is no real handler, we just. 524 00:38:24,200 --> 00:38:33,650 We fool the application, or the system; we are going to now use the return to go to this address, so the 525 00:38:33,650 --> 00:38:38,000 return to this address, if we do a dump, what is it? 526 00:38:38,000 --> 00:38:39,870 It's our jump instruction. 527 00:38:40,550 --> 00:38:45,070 So once we do the return, this value is going to be loaded into EIP. 528 00:38:45,500 --> 00:38:48,110 So F7 loaded into EIP. 529 00:38:48,110 --> 00:38:55,910 We went to the jump instruction and now the jump instruction is going to go to FGF, to Sophi afterwards, 530 00:38:55,910 --> 00:38:57,090 immediately at here. 531 00:38:57,380 --> 00:38:59,980 So we are going to jump over all these values over here. 
532 00:39:00,230 --> 00:39:10,340 So see, now we are at five two, and now if we continue, hit our F9, by the way, our application continued 533 00:39:10,340 --> 00:39:13,140 and we got our, our code. 534 00:39:13,340 --> 00:39:15,790 So we bypassed the security cookie. 535 00:39:15,950 --> 00:39:17,410 It didn't even check that. 536 00:39:17,420 --> 00:39:17,810 Why? 537 00:39:18,380 --> 00:39:24,430 Because when we triggered an exception, we had to follow, uh, the exception routine. 538 00:39:24,440 --> 00:39:29,990 And since we, uh, I mean, the exception handler 539 00:39:30,910 --> 00:39:35,460 routine, but since the exception handler routine is really not a routine, there is no handler there. 540 00:39:35,740 --> 00:39:40,470 There were just addresses mangling how to jump around in memory. 541 00:39:40,600 --> 00:39:46,880 We managed to bypass that and not continue unwinding the process and going back to the previous function. 542 00:39:47,110 --> 00:39:48,760 So that did not happen. 543 00:39:49,120 --> 00:39:55,150 And at this time, we managed to run our, uh, payload. 544 00:39:55,580 --> 00:39:56,860 OK, so. 545 00:39:58,130 --> 00:39:59,690 That's it for this video. 546 00:39:59,900 --> 00:40:06,010 I hope you saw how those cookies get added to the application. 547 00:40:06,260 --> 00:40:11,820 They are, again, usually at, uh, before the next SEH, the exception handler. 548 00:40:12,270 --> 00:40:18,110 Uh, but again, you can trace them and see how they are getting compared, where they are getting 549 00:40:18,110 --> 00:40:18,700 compared. 550 00:40:18,980 --> 00:40:27,050 And based on that, interrupt 29 is going to be called, especially on an, uh, an Intel architecture, 551 00:40:27,050 --> 00:40:29,480 whether 64 or 32. 552 00:40:30,380 --> 00:40:35,000 But otherwise, like you saw, we bypassed the, uh, the application. 553 00:40:35,000 --> 00:40:37,280 We did not have to, uh. 
554 00:40:40,340 --> 00:40:42,490 We've managed to bypass the security cookie. 555 00:40:43,480 --> 00:40:50,160 Let me, by the way, just before I end the video, let me just do one final thing here. 556 00:40:50,710 --> 00:40:51,280 Call this. 557 00:40:52,450 --> 00:40:53,680 Save it as. 558 00:40:54,660 --> 00:40:55,770 SEH bypass four. 559 00:40:58,060 --> 00:41:05,140 And then let's delete this, we don't need it, and let's, uh, run it without the, without the debugger. 560 00:41:07,390 --> 00:41:08,730 Very good, so far so good. 561 00:41:08,930 --> 00:41:12,570 Oh, let's check if everything is working correctly. 562 00:41:13,600 --> 00:41:14,940 If we run this. 563 00:41:18,640 --> 00:41:23,130 We should get our application and get our calculators. 564 00:41:24,730 --> 00:41:32,770 So we managed to run our code, it seems to have added four parts extra, so we managed to run our shellcode and 565 00:41:32,770 --> 00:41:40,800 bypass the stack guard protection, uh, which is actually... 566 00:41:40,810 --> 00:41:44,600 SEH exploits are known for bypassing stack guard protection. 567 00:41:45,010 --> 00:41:51,100 If you have any questions or if you want me to go in, uh, let's say explain anything else related to 568 00:41:51,100 --> 00:41:52,660 this, please let me know. 569 00:41:52,660 --> 00:42:00,610 Otherwise, I will continue on another example on SEH, because this time the buffer was immediately 570 00:42:00,610 --> 00:42:02,500 after, uh. 571 00:42:03,320 --> 00:42:06,110 Our handlers, all we, we, uh. 572 00:42:08,010 --> 00:42:14,310 We called the handler, the handler actually was just a pop pop ret, and then the pop pop ret did 573 00:42:14,310 --> 00:42:23,640 not do anything, but we now call the next SEH and the next SEH just did a jump to the location after 574 00:42:23,640 --> 00:42:24,920 those handlers. 575 00:42:25,410 --> 00:42:31,280 But in our, in this case, we had a space in the area behind that. 576 00:42:31,290 --> 00:42:32,870 So we were able to exploit it. 
577 00:42:33,180 --> 00:42:36,140 But what if your area is actually before that? 578 00:42:36,150 --> 00:42:37,460 How are you going to deal with that? 579 00:42:37,800 --> 00:42:39,230 So we need to go backwards. 580 00:42:39,230 --> 00:42:42,180 So we're going to be dealing with a negative offset. 581 00:42:42,180 --> 00:42:46,560 So that's what we will be discussing in, uh, other videos. 582 00:42:46,710 --> 00:42:50,190 And sometimes you, you might need to do multiple jumps. 583 00:42:50,190 --> 00:42:51,680 So also keep that in mind. 584 00:42:51,840 --> 00:42:53,580 We might need to do multiple jumps. 585 00:42:54,000 --> 00:43:00,420 And I hope I will find a, uh, an example to see, to see how those will all play out. 586 00:43:01,110 --> 00:43:03,220 OK, so that's it for this video. 587 00:43:03,270 --> 00:43:06,930 I hope you learned something and see you in the next one. 588 00:43:07,230 --> 00:43:07,790 Thank you. 589 00:43:07,800 --> 00:43:08,840 And, uh, bye bye.