1
00:00:01,360 --> 00:00:03,160
Hello and welcome back.

2
00:00:03,160 --> 00:00:14,520
Today we're going to unpack the program, and this is the summary of how a UPX-packed program runs.

3
00:00:14,590 --> 00:00:17,490
You can download this from the resources I shared.

4
00:00:17,500 --> 00:00:20,560
This is also being used in the introduction lecture.

5
00:00:23,800 --> 00:00:25,200
So let's open the packed one.

6
00:00:25,340 --> 00:00:29,320
Yes, the program we have in x32dbg.

7
00:00:34,810 --> 00:00:35,430
And now.

8
00:00:35,690 --> 00:00:36,030
Yeah.

9
00:00:36,030 --> 00:00:43,130
The entry point, which is here: EntryPoint.

10
00:00:43,250 --> 00:00:51,120
Then we need to check the PUSHAD and the ESP register.

11
00:00:51,230 --> 00:01:01,260
You can see PUSHAD here, so when you press F8 it pushes all the register values to the stack.

12
00:01:01,950 --> 00:01:02,460
Oh, here.

13
00:01:05,400 --> 00:01:12,790
So the effect of PUSHAD, you see, is that it pushes everything, but the only one we are interested

14
00:01:12,820 --> 00:01:17,820
in is the pushed EBP. So let's check it out.

15
00:01:18,370 --> 00:01:19,280
Press F8 now.

16
00:01:22,270 --> 00:01:27,500
And you see all the register values have been pushed to the stack, and the one we're interested in

17
00:01:27,500 --> 00:01:37,610
is 19FF94, which is here: 19FF94.

18
00:01:38,030 --> 00:01:40,130
So it's already on the stack.

19
00:01:40,130 --> 00:01:43,730
So now, next, we keep on executing.

20
00:01:48,280 --> 00:01:49,050
And next.

21
00:01:49,070 --> 00:01:52,510
Here is how it pushes the registers to the stack.

22
00:01:52,600 --> 00:02:02,950
Now it uncompresses the original exe, and then after that it resolves the IAT, and then it pops

23
00:02:03,520 --> 00:02:06,130
the registers back from the stack.
24
00:02:06,130 --> 00:02:14,770
So we need to watch out for this. This is important because this is where we know the unpacker has

25
00:02:14,770 --> 00:02:24,240
completed uncompressing the exe file and is about to return control to the extracted exe.

26
00:02:24,640 --> 00:02:26,360
And this is the one we want.

27
00:02:26,500 --> 00:02:27,960
So we have to watch this.

28
00:02:28,630 --> 00:02:32,800
So to watch this we need to put a breakpoint.

29
00:02:33,400 --> 00:02:44,050
So to do that, we'll go to look for the stack here which contains the ESP, the existing ESP, which is at this

30
00:02:44,050 --> 00:02:45,690
memory address.

31
00:02:45,910 --> 00:02:57,810
So we right-click, we go to Follow in Dump, and over here you can see this is the stack which

32
00:02:57,810 --> 00:02:59,810
stores the existing ESP.

33
00:03:00,120 --> 00:03:04,080
So we select, like this, the four bytes we want.

34
00:03:04,500 --> 00:03:12,710
And you will notice this is reversed: 0019FF94 is reversed.

35
00:03:12,810 --> 00:03:21,530
So here it is 19FF94, but when you store it in memory it is in reverse order.

36
00:03:21,780 --> 00:03:24,810
Also known as little endian.

37
00:03:24,810 --> 00:03:35,270
So what we do is we right-click these four bytes, and in here look for Breakpoint, Hardware, Access, Dword. You

38
00:03:35,280 --> 00:03:39,960
want to click on this, and you have a breakpoint set.

39
00:03:40,020 --> 00:03:47,780
So now we just run until the hardware breakpoint is triggered. OK, all right.

40
00:03:47,890 --> 00:03:55,260
And now you see the hardware breakpoint has been triggered and you pause at this location, and if you just scroll

41
00:03:55,260 --> 00:03:57,050
up a bit you will see

42
00:03:57,160 --> 00:03:59,630
POPAD has happened.

43
00:03:59,640 --> 00:04:02,680
So this has happened.

44
00:04:02,750 --> 00:04:09,150
It has restored the original state by using POPAD, or POP EBP. So POPAD
45
00:04:09,180 --> 00:04:12,340
is equivalent to all these instructions.

46
00:04:12,500 --> 00:04:20,210
What we're interested in is the POP EBP. So now, yeah, here, and it is finally going to jump to the

47
00:04:20,260 --> 00:04:21,530
original entry point.

48
00:04:21,620 --> 00:04:22,840
Ready.

49
00:04:22,840 --> 00:04:23,260
How are you doing?

50
00:04:23,330 --> 00:04:26,410
Yes, it has been uncompressed.

51
00:04:26,840 --> 00:04:34,700
So we just have to keep on pressing F8 now until it jumps to the original entry point.

52
00:04:34,880 --> 00:04:36,560
So it's performing some final loop.

53
00:04:37,880 --> 00:04:46,440
So we can skip it by clicking on the instruction after the loop, on the jump.

54
00:04:46,490 --> 00:04:51,310
Run until selection, and then press run.

55
00:04:52,460 --> 00:04:55,690
So now we're here, out of the loop. Press F8 again.

56
00:04:56,750 --> 00:05:04,600
And now it's going to jump to the original entry point. Press F7 and you will see the address will change.

57
00:05:04,640 --> 00:05:08,720
So this is known as the OEP,

58
00:05:08,750 --> 00:05:15,530
our original entry point.

59
00:05:15,630 --> 00:05:18,930
So now we are at the original entry point.

60
00:05:19,410 --> 00:05:24,730
So just press F8 again, one time, before we try to look at the IAT.

61
00:05:25,890 --> 00:05:28,370
So now it is ready to dump it.

62
00:05:28,380 --> 00:05:40,290
Now you can go to Plugins, click on Scylla, and click on Dump to dump the memory now.

63
00:05:40,940 --> 00:05:48,320
And from here you can see that it has set this as the entry location now, the OEP.

64
00:05:48,660 --> 00:05:50,110
This is what's in memory now.

65
00:05:50,160 --> 00:06:00,170
You can go and dump the PE, so click on Dump, give it any name you want; you can call it dump.exe. I've

66
00:06:00,180 --> 00:06:03,750
done this before, so there is a dump.exe already.

67
00:06:06,660 --> 00:06:13,450
The memory contents are dumped to the exe, and now we have dump.exe, so we can go and test it out.
68
00:06:14,760 --> 00:06:15,910
[inaudible]

69
00:06:16,720 --> 00:06:18,240
Okay, now let's test it out.

70
00:06:18,240 --> 00:06:20,910
Can you see that it fails to run?

71
00:06:20,910 --> 00:06:25,130
It is because the IAT is messed up.

72
00:06:25,320 --> 00:06:26,370
We need to fix it.

73
00:06:27,990 --> 00:06:36,730
So to fix the IAT: the IAT basically refers to the memory addresses of all the DLL files which the

74
00:06:36,750 --> 00:06:39,190
program needs in order to run.

75
00:06:39,210 --> 00:06:48,400
So to fix the IAT, we open Scylla, key in the entry point at the OEP, click on IAT Autosearch, and it will show you

76
00:06:48,400 --> 00:06:52,140
the result; just click OK.

77
00:06:52,230 --> 00:06:52,690
Okay.

78
00:06:52,690 --> 00:06:53,530
It's found.

79
00:06:55,030 --> 00:06:59,010
And then now click on Get Imports for the DLL files.

80
00:06:59,400 --> 00:07:03,230
So these are all the DLL libraries which are used by the program.

81
00:07:03,560 --> 00:07:04,110
Yeah.

82
00:07:04,120 --> 00:07:06,850
Now we can fix the dump.

83
00:07:06,870 --> 00:07:15,150
So just click on Fix Dump and select the dump.exe, Open, and now the dump has been fixed.

84
00:07:15,360 --> 00:07:20,750
You can see here it says import rebuild success, and it is using a new name for your file:

85
00:07:20,780 --> 00:07:22,390
dump_SCY.

86
00:07:22,620 --> 00:07:25,040
So that's going to be dump_SCY, right.

87
00:07:25,110 --> 00:07:34,690
So now we can run it, and you know, we try keying in anything, it is working.

88
00:07:35,010 --> 00:07:37,860
So now you're ready to patch this

89
00:07:37,920 --> 00:07:39,100
dump_SCY.

90
00:07:39,150 --> 00:07:44,590
So this is how you extract the original exe file from the packed one.

91
00:07:45,300 --> 00:07:47,580
So I'll see you in the next lesson.

92
00:07:47,700 --> 00:07:48,590
Thank you for watching.