1
00:00:00,460 --> 00:00:01,520
Hello and welcome back.

2
00:00:01,960 --> 00:00:04,380
In this video, we're going to build this.

3
00:00:04,780 --> 00:00:13,780
And if you look at the folder for this project and the compile script here, if you open

4
00:00:13,780 --> 00:00:21,040
it in Notepad++, you can see the parameters to compile the code.

5
00:00:22,040 --> 00:00:25,400
And Campari and EIC.

6
00:00:27,440 --> 00:00:30,350
You can see here that it's 64-bit.

7
00:00:30,890 --> 00:00:32,180
All right, so let's do that now.

8
00:00:32,690 --> 00:00:36,500
So we need to open a 64-bit environment command prompt.

9
00:00:36,950 --> 00:00:45,590
So we go to the bottom left corner and type Native, and then open this one, x64 Native Tools Command Prompt

10
00:00:45,590 --> 00:00:47,360
for VS 2019.

11
00:00:48,580 --> 00:00:54,190
Make sure you've got the right one; you can see the title here. And then we should change to this folder.

12
00:00:54,670 --> 00:00:56,620
So just click on this path.

13
00:00:57,040 --> 00:00:58,330
And copy it.

14
00:00:58,990 --> 00:01:00,010
Come down here.

15
00:01:00,160 --> 00:01:08,830
Type cd to change directory, spacebar, right-click to paste the path, press Enter to navigate to the new

16
00:01:08,830 --> 00:01:13,870
location, then dir to see the contents of this folder.

17
00:01:14,250 --> 00:01:16,300
Make sure the compile script is there.

18
00:01:16,780 --> 00:01:25,420
And now you can run this compile script by typing the file name of the batch script and pressing Enter.

19
00:01:28,850 --> 00:01:36,530
And if the build was successful, you should see a new file here, the exe, in

20
00:01:37,110 --> 00:01:37,460
see.

21
00:01:37,940 --> 00:01:39,860
So to run this new exe file.

22
00:01:40,580 --> 00:01:48,830
You just type the name of the file, but before that, let's type dir to see the contents of the folder,

23
00:01:49,050 --> 00:01:50,270
the following.

24
00:01:50,900 --> 00:01:53,450
So to run this now, just type the name.

25
00:01:54,730 --> 00:02:00,300
Of the exe file, and press Enter.

26
00:02:02,140 --> 00:02:09,840
So at this point in time, it's showing your shellcode payload address and also the allocated memory address,

27
00:02:10,360 --> 00:02:15,340
which is coming from, let's open this now, the source code.

28
00:02:15,550 --> 00:02:16,060
Take a look.

29
00:02:16,570 --> 00:02:17,650
In Notepad++.

30
00:02:19,360 --> 00:02:23,590
So this message here is coming from this printf.

31
00:02:24,220 --> 00:02:31,730
So as you can see, it prints the shellcode address coming from here, which is the array here, here,

32
00:02:31,730 --> 00:02:32,590
this array.

33
00:02:33,130 --> 00:02:40,630
And the second is the address of the allocated memory from VirtualAlloc; if VirtualAlloc is successful,

34
00:02:40,960 --> 00:02:43,840
it takes this memory and you are printing it out here to see.

35
00:02:44,520 --> 00:02:46,930
So what you are seeing is coming from this line.

36
00:02:48,010 --> 00:02:58,210
OK, so now let's copy this, just select like this, right-click to copy, and come up to Notepad++ here and

37
00:02:58,210 --> 00:03:01,180
open a new blank file, New.

38
00:03:01,660 --> 00:03:03,440
And right-click, paste it in.

39
00:03:03,460 --> 00:03:04,480
Now we are going to analyze it.

40
00:03:05,440 --> 00:03:10,630
OK, now we can attach our debugger to this process, and it is still running.

41
00:03:10,960 --> 00:03:13,480
Now it's asking you to press Enter to create a thread.

42
00:03:13,750 --> 00:03:16,210
And this message is coming from.

43
00:03:16,480 --> 00:03:22,370
If you go back to the source code, you can see it is coming from this line, "Press Enter to create thread";

44
00:03:22,390 --> 00:03:30,790
it pauses here with getchar, waiting for you to type something before it creates a thread in line 19.

45
00:03:31,420 --> 00:03:38,610
So before we create the thread, let's attach a debugger. Open x64dbg;

46
00:03:38,950 --> 00:03:40,270
this is the beta version.

47
00:03:41,980 --> 00:03:42,430
And then.

48
00:03:44,590 --> 00:03:48,790
Before you open it, here go to Options, Settings, Preferences.

49
00:03:50,480 --> 00:04:00,200
And check System Breakpoint, and in the Events tab, leave only Entry Breakpoint checked, and click Save. Now

50
00:04:01,790 --> 00:04:05,910
open, not open, sorry, click File, Attach.

51
00:04:07,250 --> 00:04:09,710
And then here look for the running process.

52
00:04:11,990 --> 00:04:14,540
This is the running process, the exe.

53
00:04:15,230 --> 00:04:17,930
So now attach to it after you've selected it.

54
00:04:20,420 --> 00:04:25,370
OK, now we've just attached, and you can click on Symbols and select

55
00:04:26,610 --> 00:04:29,940
the exe, the main function here.

56
00:04:30,870 --> 00:04:32,250
Main, then double-click, then run.

57
00:04:33,030 --> 00:04:38,220
So now it's synchronized, x64dbg with your running process.

58
00:04:38,880 --> 00:04:43,860
Now we are ready to press Enter here and watch what happens when we press Enter.

59
00:04:45,820 --> 00:04:48,520
Watch what happens to your x64dbg.

60
00:04:51,790 --> 00:04:54,970
Suddenly it jumps to this region in memory.

61
00:04:55,060 --> 00:04:55,660
Stops here.

62
00:04:56,230 --> 00:05:00,220
Now, if you scroll up, you will see NOP, NOP, int3.

63
00:05:00,490 --> 00:05:04,150
And that, and that is coming from your shellcode here.

64
00:05:05,470 --> 00:05:06,340
Why does that happen?

65
00:05:06,520 --> 00:05:12,400
That happens because your CreateThread has run to the shellcode at this address, and

66
00:05:14,330 --> 00:05:21,880
that is why it'll actually be stuck there, because of the int3 instruction,

67
00:05:21,880 --> 00:05:27,930
which is CC in hexadecimal, shown in x64dbg.

68
00:05:28,210 --> 00:05:30,190
It will halt on the breakpoint.

69
00:05:30,730 --> 00:05:37,240
So this is how it actually stops at the breakpoint, because this is a breakpoint.

70
00:05:38,050 --> 00:05:43,300
So we are using a shellcode to put an artificial breakpoint so that it can halt for you to examine.

71
00:05:44,440 --> 00:05:46,750
We can actually look for this in the memory map.

72
00:05:47,140 --> 00:05:51,460
Just go to Memory Map, right-click anywhere here, and Find Pattern.

73
00:05:51,940 --> 00:05:56,530
And then here the shellcode, which is 90 90

74
00:05:57,140 --> 00:06:00,310
CC C3.

75
00:06:01,720 --> 00:06:02,050
Right.

76
00:06:02,080 --> 00:06:03,190
This is the shellcode here.

77
00:06:03,400 --> 00:06:05,620
90 90 CC and C3.

78
00:06:06,490 --> 00:06:06,940
OK.

79
00:06:07,570 --> 00:06:09,370
And you will find three hits.

80
00:06:09,970 --> 00:06:12,030
So now let's copy this to our Notepad.

81
00:06:12,580 --> 00:06:15,310
So we right-click anywhere here.

82
00:06:15,730 --> 00:06:20,110
Click Copy, copy table.

83
00:06:20,140 --> 00:06:20,380
OK.

84
00:06:20,680 --> 00:06:23,920
And then we come back down here so that we can analyze it.

85
00:06:25,840 --> 00:06:27,640
Now, take a look at the first address.

86
00:06:28,060 --> 00:06:35,020
The first address is 1BF10, which is your shellcode payload address, this one.

87
00:06:35,530 --> 00:06:36,970
So you go back to Memory Map.

88
00:06:39,350 --> 00:06:42,200
1BF10 should be somewhere here.

89
00:06:43,690 --> 00:06:44,110
This is the stack.

90
00:06:45,190 --> 00:06:46,960
And you can see it's on the stack.

91
00:06:47,320 --> 00:06:48,670
Now, what is this thing?

92
00:06:48,670 --> 00:06:53,770
A stack is an allocated region of memory for local functions to run.

93
00:06:54,520 --> 00:06:55,990
So that is the meaning of a stack.

94
00:06:56,350 --> 00:07:02,970
So it is allocated for a thread called 90C, I think, 9.

95
00:07:02,980 --> 00:07:04,120
This is only 9.

96
00:07:04,900 --> 00:07:09,280
And if you go look at Threads here, you can see, one, this is the thread.

97
00:07:09,310 --> 00:07:10,600
It is 93.

98
00:07:10,990 --> 00:07:13,770
So 96 in hexadecimal.

99
00:07:13,780 --> 00:07:19,360
You can use a calculator to convert it to decimal.

100
00:07:19,810 --> 00:07:20,350
A 9.

101
00:07:21,040 --> 00:07:26,660
The C is 2524, 12524, 0.

102
00:07:27,670 --> 00:07:31,300
So this one is in suspended state.

103
00:07:31,930 --> 00:07:40,180
So in this region of memory, this stack, why is our string, this one, found on the stack?

104
00:07:41,850 --> 00:07:48,220
I say, why is it on the stack? It's on the stack because, if you look at the source code here, this thing

105
00:07:48,220 --> 00:07:49,840
is inside the main function.

106
00:07:50,440 --> 00:07:56,130
So anything that has been declared in the main function can be found on this stack.

107
00:07:57,070 --> 00:07:59,470
So that's why this thing is found in the stack.

108
00:07:59,800 --> 00:08:01,940
As you can see here, stack.

109
00:08:03,010 --> 00:08:04,690
Now, let's go to the second one.

110
00:08:06,490 --> 00:08:10,150
The second place where it is found is this address.

111
00:08:11,500 --> 00:08:12,670
Let's go back to this one.

112
00:08:12,930 --> 00:08:18,310
Yes, 1C followed by four zeros. Now 1C followed by four zeros

113
00:08:18,310 --> 00:08:21,880
is here, the result of the VirtualAlloc.

114
00:08:22,360 --> 00:08:30,490
Now, if you look at VirtualAlloc, which allocates memory and stores it to a variable, and this is what it is: the

115
00:08:30,730 --> 00:08:33,700
allocated memory which VirtualAlloc has given.

116
00:08:34,570 --> 00:08:37,210
So where is this one, 1C followed by four zeros?

117
00:08:37,600 --> 00:08:41,830
If you look at the memory, then 1C followed by four zeros

118
00:08:42,220 --> 00:08:45,490
is over here, and it's already selected.

119
00:08:45,490 --> 00:08:45,980
Highlighted.

120
00:08:46,000 --> 00:08:46,420
Why?

121
00:08:46,840 --> 00:08:50,230
Because your program has halted here.

122
00:08:50,230 --> 00:08:51,310
Because of the breakpoint.

123
00:08:52,360 --> 00:08:52,720
Right.

124
00:08:52,870 --> 00:08:54,460
And that's why you see this.

125
00:08:57,870 --> 00:08:58,650
Take a look at this.

126
00:08:59,100 --> 00:09:06,480
This region of memory was previously readable and writable, but it was changed to become executable

127
00:09:06,480 --> 00:09:07,500
and readable, right.

128
00:09:08,100 --> 00:09:09,960
Because of the VirtualProtect.

129
00:09:10,710 --> 00:09:20,520
If you look at the source code here, this VirtualAlloc sets this region in memory to be readable, writable,

130
00:09:21,030 --> 00:09:26,160
but when you come to VirtualProtect here, you change it to become readable, executable.

131
00:09:26,190 --> 00:09:27,750
That's why you get ER.

132
00:09:29,000 --> 00:09:29,510
This one.

133
00:09:30,590 --> 00:09:35,660
So this is your original memory that has been allocated by VirtualAlloc.

134
00:09:37,310 --> 00:09:38,990
OK, let's take a look at the next one.

135
00:09:40,040 --> 00:09:40,860
How about this one?

136
00:09:40,880 --> 00:09:43,340
13F9601E.

137
00:09:43,910 --> 00:09:49,400
So if you look for it in the memory map, it is over here under the exe.

138
00:09:49,640 --> 00:09:56,000
13F961000, over here in this region, in the text area.

139
00:09:56,450 --> 00:10:03,170
So, as you can recall from the earlier lectures, the text region is where the instructions are found.

140
00:10:03,680 --> 00:10:05,390
So we can actually go there now.

141
00:10:05,960 --> 00:10:06,290
Right.

142
00:10:06,290 --> 00:10:11,660
Click on this and Follow in Disassembler, and if you scroll around this region,

143
00:10:13,110 --> 00:10:19,920
you should be able to see your code, 90 90 CC C3.

144
00:10:20,700 --> 00:10:23,190
So this is the text region in memory.

145
00:10:23,940 --> 00:10:31,380
OK, so that's the meaning of these three locations where you can find your shellcode.

146
00:10:32,070 --> 00:10:35,040
So that's all for this video.

147
00:10:35,400 --> 00:10:37,680
Thank you for watching.