And finally, we need to align our registers using Venetian shellcode; there's a sample on FuzzySecurity. I have it right here.

In my already-completed exploit, basically what it's doing is trying to align the register that is closest to our buffer to ensure that we can inject the code in there. So notice how the shellcode is interwoven with 0x71. 0x71 is also known as a Unicode-compatible NOP. It doesn't actually do anything, but when we pad with them, we can actually have Unicode-compatible exploits.

So at the end of this code, let's copy the code. At the end of this, we need to figure out the distance. So let's go down, let's see, plus one line. At the end of the day, we need to figure out the distance between where EBX is located and our buffer.

So let's run this through the debugger again. Remember, the shortcut is Ctrl+F2 to restart the application. OK, press play. Don't forget about our breakpoint: Ctrl+G, double click, add breakpoint, yes. And let's run our Python file again. Let me make sure I save this. So we generated the file; click on the list, open, remember to pass the exception, and let's step through this.

Pop, pop, return. If you keep stepping through, you eventually see the EAX register contain this memory address. So what we need to do is find the difference between the start of our data right here and the value that's stored in the register. So, to my amusement, one of the most basic programs you have in Windows, the Calculator app, is actually very, very useful for calculating this figure. So we take the value of the register, which is 12E2C0, subtract 12E24D, enter: 73 in hex, 115 in decimal. That's one hundred and fifteen bytes; that's the distance.

But remember, every time we inject our buffer it is being padded with null bytes as per the Unicode encoding standard. Now that means that we divide it by two. So divide by two, and it's actually fifty-seven point five. So it's either 57 or 58 of our input bytes that would be translated to Unicode to reach the EAX register. So let's try 57 first. Let's copy and paste. And after our alignment code, we're going to add a buffer of F's to see how many F's it takes to push into the EAX register. So, times 57. Let's add another marker, 0x45.

Usually when you're dividing an odd number, when it comes to exploit development, it's usually the lower number. So it's either 57 or 58. If we see five letter E's in our EAX register, that means we know how long it takes for it to reach the buffer. So let's save this Python file and try.

Ctrl+F2 to restart, yes, Ctrl... Oops, sorry, you actually have to run the program first, otherwise this memory address isn't there; you have to load it in memory. You see on the bottom all of these dynamic link libraries. Ctrl+G, go back to our pop, pop, return instructions. Yes. And let's load our proof of concept again.

Access violation, so Shift+F9 to pass the exception. We're at pop, pop, return, so let's step through it. Then we are going to keep on incrementing until we get to PUSH EAX, so let's keep incrementing. And if you look at our EAX register, there are five E's, which means we correctly guessed the amount of F's that we need as padding to push our shellcode into the buffer. So let's just follow this in the dump. As you can see, five E's, or 0x45, padded with null bytes, are in our buffer now.

Now it's time for bad character analysis, and I'm going to leave that section to another video.