1 00:00:00,400 --> 00:00:01,750 Hello, my name is Stephen.
2 00:00:01,750 --> 00:00:06,400 And in this lecture we will move our program to the next phase here.
3 00:00:06,400 --> 00:00:10,360 So let's revisit the insights you gained in our previous lecture.
4 00:00:10,360 --> 00:00:15,460 And remember, in the initial instruction, mov rax, 1.
5 00:00:16,830 --> 00:00:23,100 Uh, the presence of zeros stemmed from our attempt to move a single byte, which is eight bits, into
6 00:00:23,100 --> 00:00:24,750 a 64-bit register.
7 00:00:24,750 --> 00:00:29,620 So this caused the remaining bits to be populated with zeros.
8 00:00:29,640 --> 00:00:39,960 And to address this, we adopted the mov al, 1 approach, which focused exclusively on the eight-bit segment
9 00:00:39,960 --> 00:00:41,250 of the rax register.
10 00:00:41,250 --> 00:00:48,360 So our verification process involves the command objdump -d -M intel helloworld here.
11 00:00:48,360 --> 00:00:57,570 So let's actually... we actually did this compile here, so source, and it should be somewhere, shellcode.
12 00:00:57,570 --> 00:00:59,250 And here we...
13 00:01:00,440 --> 00:01:03,530 What we're going to do is we will use the objdump.
14 00:01:04,360 --> 00:01:06,850 -M intel.
15 00:01:06,940 --> 00:01:07,900 helloworld.
16 00:01:07,930 --> 00:01:08,290 Oops.
17 00:01:08,680 --> 00:01:10,060 helloworld.
18 00:01:10,210 --> 00:01:10,960 Yes.
19 00:01:11,170 --> 00:01:15,820 And as you can see here, what we have is b0 01.
20 00:01:16,000 --> 00:01:17,830 Now our verification.
21 00:01:17,950 --> 00:01:24,070 We have verified that with objdump here, solidifying the elimination of problematic characters from
22 00:01:24,070 --> 00:01:25,480 the opening instruction.
23 00:01:25,510 --> 00:01:32,470 And now let's delve deeper and explore an alternative strategy for the second instruction, one that
24 00:01:32,470 --> 00:01:36,970 involves arithmetic operations like addition or subtraction.
25 00:01:36,970 --> 00:01:45,880 So to initiate this technique, we take the essential step of clearing the register using the xor instruction.
26 00:01:45,880 --> 00:01:47,620 So note this xor here.
27 00:01:47,620 --> 00:01:49,330 We need to do that again.
28 00:01:49,630 --> 00:01:59,080 So this translates to xor rdx, rdx, effectively setting the rdx register to contain only zeros.
29 00:01:59,080 --> 00:02:03,220 Subsequently, we embark on the process of incrementing its value.
30 00:02:03,220 --> 00:02:11,990 So this involves employing the add instruction to augment the contents of the rdx register by one.
31 00:02:12,450 --> 00:02:16,770 So here what we're going to do is, as you can see, we have the mov.
32 00:02:17,280 --> 00:02:19,440 One, we will not change this also.
33 00:02:19,440 --> 00:02:21,660 We will not change this here.
34 00:02:21,660 --> 00:02:29,820 But after this mov instruction, what we're going to do is we will use the xor, xor.
35 00:02:30,990 --> 00:02:36,730 rdi, or rdx here, and rdx.
36 00:02:36,750 --> 00:02:40,860 Now, with this, you will see what will change here.
37 00:02:40,860 --> 00:02:45,480 And also, instead of using the length variable here, we will just delete that.
38 00:02:46,620 --> 00:02:49,440 Let's actually count the length of our hello world.
39 00:02:49,470 --> 00:02:53,760 One, two, three, four, five, six, seven, eight.
40 00:02:55,290 --> 00:02:57,270 Nine, ten, 11.
41 00:02:57,270 --> 00:03:00,960 So we will write it.
42 00:03:02,280 --> 00:03:03,180 12 here.
43 00:03:10,300 --> 00:03:10,840 Yeah.
44 00:03:10,840 --> 00:03:11,530 12, yeah.
45 00:03:11,530 --> 00:03:14,050 And one for the end of string here.
46 00:03:14,080 --> 00:03:15,400 Null-terminated string.
47 00:03:15,400 --> 00:03:20,500 So 11 plus 1, 12 here, and that's why we wrote it.
48 00:03:20,500 --> 00:03:23,770 And after that we will use syscall.
49 00:03:24,910 --> 00:03:30,100 And here we will also change this on the termination side of our program.
50 00:03:30,100 --> 00:03:31,750 So xor.
51 00:03:32,620 --> 00:03:33,730 We will use rax.
52 00:03:33,770 --> 00:03:34,870 rax again.
53 00:03:37,190 --> 00:03:37,730 rax.
54 00:03:37,730 --> 00:03:39,680 rax, and add.
55 00:03:40,390 --> 00:03:42,160 rax here.
56 00:03:42,610 --> 00:03:43,330 60.
57 00:03:45,700 --> 00:03:47,020 And xor.
58 00:03:48,170 --> 00:03:48,780 rdi.
59 00:03:51,220 --> 00:03:51,930 rdi.
60 00:03:52,420 --> 00:03:55,900 And after that, syscall; we are calling the syscall here.
61 00:03:56,020 --> 00:04:00,280 Now, what we're going to do is... let's actually assemble and link this file.
62 00:04:01,670 --> 00:04:03,820 Remember the hello.asm.
63 00:04:03,920 --> 00:04:06,980 Let's actually remove all the old files here.
64 00:04:06,980 --> 00:04:11,540 So rm... a lot of rm.
65 00:04:14,070 --> 00:04:14,640 Hello?
66 00:04:15,630 --> 00:04:17,310 No, actually, no need to remove that.
67 00:04:17,310 --> 00:04:22,650 So what we're going to do is we will use nasm -f elf64.
68 00:04:22,680 --> 00:04:24,420 helloworld dot.
69 00:04:24,450 --> 00:04:26,130 helloworld dot.
70 00:04:26,280 --> 00:04:27,210 No, it's actually...
71 00:04:27,210 --> 00:04:28,110 hello.asm.
72 00:04:29,430 --> 00:04:31,350 And hello, the output.
73 00:04:31,590 --> 00:04:43,380 The output file is going to be helloworld.o here, and let's actually create a linking file, so ld helloworld.o
74 00:04:43,710 --> 00:04:48,900 here, and let's actually create the executable.
75 00:04:48,990 --> 00:04:49,390 Right.
76 00:04:49,440 --> 00:04:51,540 helloworld.
77 00:04:51,630 --> 00:04:52,740 And that's it.
78 00:04:52,740 --> 00:04:56,820 So as you can see, this is just a warning.
79 00:04:56,930 --> 00:04:58,680 There is no error here.
80 00:04:58,680 --> 00:05:03,450 So if we just run this here, we will
81 00:05:04,490 --> 00:05:05,630 get our message.
82 00:05:06,050 --> 00:05:08,120 And as you can see, it runs successfully.
83 00:05:09,320 --> 00:05:09,650 Oops.
84 00:05:09,650 --> 00:05:12,890 Actually, yeah, we saved this.
85 00:05:12,890 --> 00:05:13,190 Right?
86 00:05:13,190 --> 00:05:18,740 So let's actually... I'm not sure about that, but let's actually compile it and...
87 00:05:19,580 --> 00:05:22,430 Now we need to first use nasm and then ld.
88 00:05:22,460 --> 00:05:23,060 That's it.
89 00:05:24,820 --> 00:05:28,870 And now what we're going to do is we will objdump to see the
90 00:05:32,330 --> 00:05:34,880 compiled and executable program.
91 00:05:34,880 --> 00:05:37,430 Here we will use Intel instruction.
92 00:05:37,430 --> 00:05:39,020 helloworld.
93 00:05:39,350 --> 00:05:40,870 And that's it.
94 00:05:40,880 --> 00:05:49,310 So as you can see here, we managed to remove all the bad characters from our shellcode, which leaves
95 00:05:49,310 --> 00:05:53,240 us with how to deal with addresses when copying
96 00:05:54,160 --> 00:05:54,910 strings.
97 00:05:56,690 --> 00:06:00,380 In our first lecture, we actually managed to remove these
98 00:06:02,160 --> 00:06:03,480 null characters here.
99 00:06:03,510 --> 00:06:10,290 To al. And then we fixed that in the second lecture also here, and in this lecture here.
100 00:06:10,290 --> 00:06:12,270 So we have fixed code.
101 00:06:12,300 --> 00:06:15,030 We managed to remove all the bad characters.
102 00:06:15,030 --> 00:06:17,430 And as you can see, we use... sorry.
103 00:06:17,640 --> 00:06:21,780 And as you can see here, we don't need anything like a X or something here.
104 00:06:21,780 --> 00:06:23,730 Instead we just have the X here.
105 00:06:23,730 --> 00:06:25,110 But this is necessary.
106 00:06:25,110 --> 00:06:32,280 And as you can see here, we are using the required instructions and registers for each of our instructions
107 00:06:32,280 --> 00:06:32,790 here.