1 00:00:00,300 --> 00:00:01,560 Hello, my name is Stephen. 2 00:00:01,560 --> 00:00:08,820 And in this lecture let's delve into the concept of relative addressing a technique that leverages the 3 00:00:08,820 --> 00:00:13,080 current location in relation to the RIP register. 4 00:00:13,080 --> 00:00:21,210 So this approach is valuable as it enables us to avoid relying on hardcoded addresses within our assembly 5 00:00:21,210 --> 00:00:21,540 code. 6 00:00:21,540 --> 00:00:24,330 So the process is remarkably straightforward. 7 00:00:24,330 --> 00:00:30,930 So we can achieve this by employing the Lia, which is load effective address instruction with the format 8 00:00:30,930 --> 00:00:32,460 like the. 9 00:00:33,920 --> 00:00:34,550 Leah. 10 00:00:34,790 --> 00:00:36,060 Destination. 11 00:00:36,070 --> 00:00:37,290 Destination. 12 00:00:37,940 --> 00:00:43,460 And after that, we will also give the rel rel source. 13 00:00:43,460 --> 00:00:43,940 Right. 14 00:00:43,940 --> 00:00:44,600 Source. 15 00:00:44,600 --> 00:00:54,440 So with this here, the Rel instruction in this computes the address of the source relative to the IP 16 00:00:54,440 --> 00:00:55,250 register. 17 00:00:55,640 --> 00:01:00,950 So to implement this we must define our variables before the code itself. 18 00:01:00,950 --> 00:01:08,390 So this definition should precede the current location of the IP register and otherwise, if it's situated 19 00:01:08,420 --> 00:01:15,560 too far away, the variable's value will be truncated and the remainder of register will be filled with 20 00:01:15,560 --> 00:01:16,160 zeros. 21 00:01:16,160 --> 00:01:22,670 So now let's take the next step and enhance our shell code using the relative address technique to precisely 22 00:01:22,670 --> 00:01:24,920 locate the Hello World String. 23 00:01:24,920 --> 00:01:28,670 So we will declare the entry point of the program as start. 24 00:01:28,670 --> 00:01:30,890 So global. 25 00:01:31,880 --> 00:01:32,390 Sorry. 26 00:01:32,390 --> 00:01:34,970 Here global start here. 27 00:01:34,970 --> 00:01:41,870 We will create a text section containing the actual program code section text. 28 00:01:43,120 --> 00:01:43,990 Text here. 29 00:01:43,990 --> 00:01:46,990 So we will first start here. 30 00:01:47,260 --> 00:01:52,090 So we will start the program executing from this label. 31 00:01:53,180 --> 00:01:55,410 So GMP cut. 32 00:01:55,970 --> 00:02:02,330 Here we are jumping to the code label, which we will define now. 33 00:02:02,570 --> 00:02:10,940 And also in this section we will need to define the Hello world to declare a null terminated string. 34 00:02:11,830 --> 00:02:12,850 Uh, now. 35 00:02:16,230 --> 00:02:17,070 Here. 36 00:02:19,120 --> 00:02:20,770 It will also create a Hello world. 37 00:02:23,850 --> 00:02:25,080 Hello, world. 38 00:02:26,310 --> 00:02:27,240 String. 39 00:02:27,240 --> 00:02:28,490 And what will it? 40 00:02:28,500 --> 00:02:29,550 Containers. 41 00:02:29,760 --> 00:02:30,720 Hello, world. 42 00:02:31,350 --> 00:02:36,300 Now we will also declare it with this null termination here. 43 00:02:36,420 --> 00:02:41,820 0XA And after that we will create our code label. 44 00:02:41,970 --> 00:02:44,490 This is the main code section for our program. 45 00:02:44,490 --> 00:02:47,370 Code here and here. 46 00:02:47,370 --> 00:02:50,250 We will not create this with our tab here. 47 00:02:50,250 --> 00:02:55,560 So because this is the label, the labels writes this way in assembly. 48 00:02:55,560 --> 00:03:01,290 So now we will create our instructions to prepare Siskel to print the string. 49 00:03:01,290 --> 00:03:14,010 So mov al uh, here mov al one which is the with this here we are telling the assembly to load the Siskel 50 00:03:14,010 --> 00:03:14,730 number for. 51 00:03:14,730 --> 00:03:15,150 Right. 52 00:03:15,150 --> 00:03:19,320 Which is Siskel number one into the al register. 53 00:03:19,350 --> 00:03:26,130 Now we will clear the register with x or so our x or die. 54 00:03:27,660 --> 00:03:29,430 Here are the I. 55 00:03:30,540 --> 00:03:37,590 Now we are clearing the register, which is a file descriptor zero for the standard output. 56 00:03:37,590 --> 00:03:49,500 And we will add the we will set the RTI to one, we will set the RTI to one and we will load the address 57 00:03:49,500 --> 00:03:53,160 of Hello World into RC, which is the pointer to the string. 58 00:03:53,160 --> 00:04:01,740 So Leah, as I said, we will use this Leah here, RC the RL and Hello World. 59 00:04:04,820 --> 00:04:05,270 With this. 60 00:04:05,270 --> 00:04:08,620 Here we are loading the address of Hello World into RSA. 61 00:04:08,660 --> 00:04:14,690 As I said, and we will use XOR here again, which is for clearing the RDX register. 62 00:04:14,780 --> 00:04:20,810 RDX, RDX here, RDX. 63 00:04:20,810 --> 00:04:27,920 And after that we will set the RDX to 12 because this is the length of the string. 64 00:04:27,950 --> 00:04:30,020 Hello world and. 65 00:04:31,650 --> 00:04:35,820 Are the X here and 12. 66 00:04:38,720 --> 00:04:44,360 Also after Hello World, we also have this new line which and also the null terminated string here. 67 00:04:44,360 --> 00:04:46,580 So that's why it is 12. 68 00:04:48,070 --> 00:04:54,760 If the count is one, two, three, four, five, six, seven, eight, nine, ten, 11. 69 00:04:54,760 --> 00:04:56,470 And we also have the 12 here. 70 00:04:56,800 --> 00:05:02,890 And after that we will perform the syscall to print the string syscall. 71 00:05:05,110 --> 00:05:08,410 And here after that, we will need. 72 00:05:09,790 --> 00:05:15,530 To, uh, to prepare the fiscal to exit our program. 73 00:05:15,550 --> 00:05:24,310 And in order to do that, we will use clear the racks, register with X or racks here racks. 74 00:05:25,330 --> 00:05:31,690 And we are we are going to add the racks 60. 75 00:05:31,690 --> 00:05:34,810 We are setting the racks to 60, which is this. 76 00:05:34,810 --> 00:05:44,920 This is the fiscal number for exit and we will use the X or racks or no racks, the die or die. 77 00:05:46,480 --> 00:05:52,690 Uh, with clearing the register, which is this is the exit status zero. 78 00:05:52,690 --> 00:05:57,340 And after that we will perform the syscall to exit the program. 79 00:05:57,580 --> 00:05:58,660 Syscall here. 80 00:05:58,660 --> 00:05:59,350 That's it. 81 00:05:59,530 --> 00:06:09,190 Now, our Start label is declared as the program's entry point execution begins at this label here. 82 00:06:09,190 --> 00:06:11,770 And we also have the GMP code. 83 00:06:12,250 --> 00:06:18,280 This instruction jumps to the code label and effectively skipping the Hello World label for now. 84 00:06:18,490 --> 00:06:23,770 And the Hello World label is a null terminated string containing the Hello world followed by a new line 85 00:06:23,770 --> 00:06:30,190 character 0XA and the code label marks the main part of the program where the actual code execution 86 00:06:30,190 --> 00:06:33,550 takes place and the first block of our instruction. 87 00:06:34,270 --> 00:06:36,850 Prepares a syscall to print the string. 88 00:06:36,880 --> 00:06:38,300 MOV al one. 89 00:06:38,320 --> 00:06:44,980 Sets the value of al register to one which corresponds to the syscall number for the write system. 90 00:06:44,980 --> 00:06:51,790 Call and SDA are the I sometimes recall this as RDA or RDA. 91 00:06:51,790 --> 00:07:00,970 So RDA RDA here clears the RDA register which will be used to specify the file descriptor and this is 92 00:07:00,970 --> 00:07:11,590 the zero for standard output and RDA add RDA one sets the RDA to one indicating standard output and 93 00:07:11,590 --> 00:07:15,400 as I said, explained this in this lecture. 94 00:07:15,490 --> 00:07:25,030 You learned that in this lecture the l e a so l e rsi rel Hello World loads the address of Hello World 95 00:07:25,030 --> 00:07:28,210 string into the RSI register and. 96 00:07:29,080 --> 00:07:31,850 And we also have the RDX, RDX. 97 00:07:31,870 --> 00:07:37,900 This clears the RDX register, which will be used to specify the length of the string to be printed. 98 00:07:37,900 --> 00:07:48,520 And also we have the RDX and RDX 12, which as I explained, which is the length of the string. 99 00:07:48,550 --> 00:07:49,500 Hello world. 100 00:07:49,520 --> 00:07:51,160 New new line character. 101 00:07:51,160 --> 00:07:57,010 And we also have the syscall executes the write syscall printing the string to the console. 102 00:07:57,010 --> 00:08:01,960 And the second block of our instruction prepares a syscall to exit the program. 103 00:08:01,960 --> 00:08:07,030 So x or x rax clears the rax register which will hold the syscall number. 104 00:08:07,030 --> 00:08:16,450 And this is for the 60 to exit and add rax 60 sets the rax to 60, indicating the syscall number for 105 00:08:16,450 --> 00:08:25,930 exit and X or clears the RDA register which will be used to specify the exit status in this case. 106 00:08:25,930 --> 00:08:32,510 And after that, as always, syscall executes the exit syscall terminating the program. 107 00:08:34,290 --> 00:08:40,050 Now let's actually compile and assemble our this assembly language code. 108 00:08:40,080 --> 00:08:46,440 Now and after that, you will see what's what we changed here with our programs. 109 00:08:46,440 --> 00:08:50,700 Logic so Nasm f elf 64. 110 00:08:50,730 --> 00:09:00,150 Hello dot hsm dot HSM here and hello world dot all here. 111 00:09:00,150 --> 00:09:02,550 And as you can see we got some warnings but don't worry about that. 112 00:09:02,580 --> 00:09:05,190 We have our code working. 113 00:09:05,880 --> 00:09:06,750 Okay here. 114 00:09:06,750 --> 00:09:09,810 So hello world dot. 115 00:09:09,810 --> 00:09:12,180 All here and all. 116 00:09:12,180 --> 00:09:13,080 Hello world. 117 00:09:14,530 --> 00:09:15,130 Hello. 118 00:09:16,040 --> 00:09:16,460 Yeah. 119 00:09:16,490 --> 00:09:16,820 Well. 120 00:09:17,510 --> 00:09:21,630 And now we will use the as you can see, we have the Hello world here again. 121 00:09:21,660 --> 00:09:24,680 La la la la la. 122 00:09:25,280 --> 00:09:26,210 Just created. 123 00:09:26,210 --> 00:09:27,710 Now here. 124 00:09:28,670 --> 00:09:34,520 Now what we're going to do is we will use the Objdump again and you will see the interesting things 125 00:09:34,520 --> 00:09:34,940 here. 126 00:09:34,940 --> 00:09:39,260 So M Intel, Hello world here. 127 00:09:39,350 --> 00:09:41,600 And that's it. 128 00:09:41,630 --> 00:09:45,280 We have no bad characters at all. 129 00:09:45,320 --> 00:09:50,780 So now let's try it as a shell code and let's see what will change here. 130 00:09:50,810 --> 00:09:55,940 Objdump Oh, actually we can also let's actually write it from zero here. 131 00:09:55,940 --> 00:09:57,680 We know how to do that, right? 132 00:09:57,680 --> 00:10:04,550 So objdump m Intel the hello world here grep. 133 00:10:05,710 --> 00:10:06,520 Hello, world. 134 00:10:06,620 --> 00:10:07,180 Grab. 135 00:10:11,500 --> 00:10:12,120 Crap. 136 00:10:12,130 --> 00:10:13,750 Zero nine. 137 00:10:14,110 --> 00:10:15,730 A f. 138 00:10:17,790 --> 00:10:18,570 Here. 139 00:10:20,650 --> 00:10:26,230 And grab the file. 140 00:10:27,800 --> 00:10:29,210 And cut. 141 00:10:30,810 --> 00:10:32,580 F to d. 142 00:10:32,970 --> 00:10:39,810 Here you will use this code every time you you create a new shell code here. 143 00:10:39,810 --> 00:10:44,860 So save this command somewhere so you don't have to write it all again. 144 00:10:44,880 --> 00:10:46,920 It's not a short command. 145 00:10:46,950 --> 00:10:47,550 Right? 146 00:10:47,550 --> 00:10:48,810 So cut. 147 00:10:49,260 --> 00:10:50,160 And after that? 148 00:10:50,160 --> 00:10:50,640 Yeah. 149 00:10:50,850 --> 00:11:00,210 After cutting the F to D, we need to cut the FF177 here. 150 00:11:00,450 --> 00:11:01,200 Seven. 151 00:11:01,680 --> 00:11:04,590 And after that the here. 152 00:11:07,080 --> 00:11:07,920 He r. 153 00:11:08,220 --> 00:11:08,970 S. 154 00:11:11,140 --> 00:11:11,860 TR. 155 00:11:17,440 --> 00:11:19,570 Tears here and. 156 00:11:21,710 --> 00:11:22,820 They are. 157 00:11:24,010 --> 00:11:24,970 No. 158 00:11:25,330 --> 00:11:26,980 Yeah, they are. 159 00:11:30,660 --> 00:11:33,000 He and. 160 00:11:34,860 --> 00:11:35,610 Here. 161 00:11:36,270 --> 00:11:37,170 Set. 162 00:11:40,180 --> 00:11:42,430 S no backslash here. 163 00:11:43,000 --> 00:11:45,190 And dollar sign. 164 00:11:45,860 --> 00:11:46,760 Where is my dollar? 165 00:11:46,860 --> 00:11:47,210 Yeah. 166 00:11:47,240 --> 00:11:48,560 Dollar sign. 167 00:11:49,250 --> 00:11:50,360 Double slash. 168 00:11:50,360 --> 00:11:51,290 Like this. 169 00:11:52,250 --> 00:11:52,580 G. 170 00:11:53,540 --> 00:11:56,030 And after that we will use the set. 171 00:11:56,240 --> 00:11:57,530 S here. 172 00:11:58,370 --> 00:12:01,910 The slash slash here. 173 00:12:02,210 --> 00:12:03,080 This. 174 00:12:04,420 --> 00:12:05,890 X this year. 175 00:12:06,040 --> 00:12:14,920 And after that we will write G here and we will paste the here. 176 00:12:16,290 --> 00:12:16,800 As. 177 00:12:18,280 --> 00:12:18,490 Hmm. 178 00:12:19,690 --> 00:12:23,920 I think we didn't close some of the schools we opened here. 179 00:12:26,130 --> 00:12:28,410 So let's analyze it. 180 00:12:31,530 --> 00:12:32,160 Yeah. 181 00:12:32,490 --> 00:12:36,180 The problem is, I believe it's here. 182 00:12:36,930 --> 00:12:39,720 We need to add another code here, and that's it. 183 00:12:40,440 --> 00:12:44,130 And as you can see, here, we have. 184 00:12:44,900 --> 00:12:45,740 This. 185 00:12:47,390 --> 00:12:48,080 Here. 186 00:12:48,080 --> 00:12:51,770 So it starts with A, B or C. 187 00:12:54,010 --> 00:12:56,230 It also have a 35. 188 00:13:05,210 --> 00:13:05,840 Yeah. 189 00:13:06,200 --> 00:13:08,180 And this is our shell code. 190 00:13:08,180 --> 00:13:13,550 And as you can see here, we do not have any bad characters at all here. 191 00:13:13,550 --> 00:13:17,240 So the bad characters, you learn that bad characters in previous lectures. 192 00:13:17,240 --> 00:13:23,600 So 000A, f, F0D and we do not have those, luckily. 193 00:13:23,600 --> 00:13:27,860 So because we wrote our program exceptionally good. 194 00:13:27,860 --> 00:13:36,800 So what are we going to do here is we will code that to our C plus plus program, not C plus plus the 195 00:13:36,800 --> 00:13:37,970 C program here. 196 00:13:39,490 --> 00:13:40,540 You might get. 197 00:13:40,570 --> 00:13:41,060 Oops. 198 00:13:41,080 --> 00:13:41,800 No. 199 00:13:42,160 --> 00:13:42,790 Yeah. 200 00:13:43,180 --> 00:13:45,950 And as you can see, we have some warning here. 201 00:13:45,970 --> 00:13:47,740 This is an escaped backslash. 202 00:13:47,740 --> 00:13:51,310 At the end of the string is not portable. 203 00:13:52,220 --> 00:13:52,730 I believe. 204 00:13:52,730 --> 00:13:54,260 Let's actually check this again. 205 00:13:54,440 --> 00:13:57,350 Why this tells us here. 206 00:13:58,190 --> 00:13:59,810 Teachers. 207 00:14:02,620 --> 00:14:04,590 So tr. 208 00:14:04,780 --> 00:14:06,720 S s. 209 00:14:08,900 --> 00:14:09,680 And. 210 00:14:11,650 --> 00:14:12,520 Airlines. 211 00:14:13,870 --> 00:14:15,340 Space characters. 212 00:14:15,440 --> 00:14:16,300 TR. 213 00:14:18,410 --> 00:14:20,510 Oh, yeah, we have this error here. 214 00:14:20,510 --> 00:14:21,170 That's it. 215 00:14:21,170 --> 00:14:24,680 And as you can see here, we don't have that warning anymore. 216 00:14:24,680 --> 00:14:29,720 But actually we didn't change this anything at all in our shell code. 217 00:14:29,720 --> 00:14:34,060 But it's okay to write the nice code without warnings here, right? 218 00:14:34,070 --> 00:14:35,390 So that's it. 219 00:14:36,170 --> 00:14:41,520 We got we got the same results still here, but I don't want to use. 220 00:14:41,750 --> 00:14:46,490 So this warning here and yeah, we had some type of error here. 221 00:14:46,490 --> 00:14:51,200 So now let's actually copy this into our C code here. 222 00:14:53,360 --> 00:14:54,140 Now. 223 00:14:57,210 --> 00:14:58,230 In order to do that. 224 00:14:58,230 --> 00:15:02,460 And as you can see here in previous code here, we have lots of bad characters. 225 00:15:02,460 --> 00:15:05,910 So now we will copy this here and that's it. 226 00:15:07,590 --> 00:15:08,040 Here. 227 00:15:09,260 --> 00:15:11,630 So now let's go to here. 228 00:15:13,550 --> 00:15:17,210 It's actually use this terminal in our Visual Studio. 229 00:15:17,510 --> 00:15:18,200 Clear. 230 00:15:18,860 --> 00:15:21,230 So we don't have to switch that over time. 231 00:15:22,920 --> 00:15:26,070 Or let's actually use stick to the traditions here. 232 00:15:26,070 --> 00:15:36,360 So now what we're going to do is we will run compile this here with F No, no FPI, F, no stack. 233 00:15:37,450 --> 00:15:38,570 Protector. 234 00:15:38,590 --> 00:15:40,000 Protector. 235 00:15:40,030 --> 00:15:41,800 The exact stack. 236 00:15:41,830 --> 00:15:42,760 And. 237 00:15:43,990 --> 00:15:44,870 Hello, world. 238 00:15:44,930 --> 00:15:45,760 That's. 239 00:15:47,660 --> 00:15:48,430 Hey, where. 240 00:15:48,440 --> 00:15:50,350 Where is our mate? 241 00:15:50,420 --> 00:15:51,200 No, it's. 242 00:15:51,200 --> 00:15:52,370 It's main.cpp. 243 00:15:53,750 --> 00:15:54,290 Mean. 244 00:15:55,930 --> 00:15:56,650 Not CP. 245 00:15:56,740 --> 00:16:03,010 Actually, it's as you can see, we have our file name is Main CP, but it doesn't matter for the GCC 246 00:16:03,010 --> 00:16:05,710 here if your file name is here. 247 00:16:05,710 --> 00:16:12,160 So let's actually change this name to main dot CP, But actually let's change this from the Visual Studio 248 00:16:12,160 --> 00:16:13,390 code here because. 249 00:16:15,900 --> 00:16:17,190 Oh, turns out we. 250 00:16:20,230 --> 00:16:21,370 Can change it here. 251 00:16:21,370 --> 00:16:21,820 Yeah. 252 00:16:22,240 --> 00:16:23,080 rMe. 253 00:16:23,530 --> 00:16:24,520 Main.cpp. 254 00:16:24,550 --> 00:16:26,080 Main.cpp here. 255 00:16:26,080 --> 00:16:27,040 Main.c. 256 00:16:29,160 --> 00:16:29,580 No. 257 00:16:30,650 --> 00:16:34,600 And we main dot cpp Main.c and sunos. 258 00:16:34,940 --> 00:16:36,850 Why don't we have the. 259 00:16:36,860 --> 00:16:40,100 No, we don't have this main.cpp here. 260 00:16:40,130 --> 00:16:41,450 Why is that? 261 00:16:50,610 --> 00:16:52,500 It should be somewhere sheltered. 262 00:16:52,530 --> 00:16:54,930 Maybe we deleted that accidentally. 263 00:16:55,020 --> 00:16:55,950 That's actually. 264 00:16:57,180 --> 00:16:58,170 Create a new. 265 00:17:02,720 --> 00:17:04,640 Main dot C here. 266 00:17:05,060 --> 00:17:06,560 And copy this here. 267 00:17:06,680 --> 00:17:08,030 And the same code. 268 00:17:08,120 --> 00:17:11,960 And as you can see, we will not change anything in our code. 269 00:17:12,050 --> 00:17:18,440 And now can we actually increase the size of this and the terminal size? 270 00:17:18,470 --> 00:17:18,980 No. 271 00:17:19,830 --> 00:17:21,900 I believe we can from the settings. 272 00:17:21,900 --> 00:17:26,940 But now instead of increasing it, let's actually use this terminal here. 273 00:17:26,940 --> 00:17:28,380 Stick to the traditions. 274 00:17:28,380 --> 00:17:34,650 And we have we should have the Hello world, the main dot see here. 275 00:17:35,490 --> 00:17:36,060 Right. 276 00:17:38,970 --> 00:17:42,510 Yeah, I think we move this somewhere or do it. 277 00:17:42,840 --> 00:17:44,760 So now what we're going to do is. 278 00:17:46,510 --> 00:17:47,410 Now we will. 279 00:17:47,420 --> 00:17:48,040 Geek. 280 00:17:50,060 --> 00:17:51,550 F no stack. 281 00:17:52,570 --> 00:18:04,420 Protector the exec stack here and main dot C here main dot c Yeah we have exec start ignored here. 282 00:18:04,660 --> 00:18:17,020 We know that we did that on purpose and now the final thing here and now we have the shell code length. 283 00:18:17,170 --> 00:18:22,630 We have the segmentation fault at the shell code 51 here. 284 00:18:22,630 --> 00:18:25,090 Let's actually see what happened here. 285 00:18:31,750 --> 00:18:34,150 We probably have that bad characters again. 286 00:18:35,260 --> 00:18:36,070 So. 287 00:18:37,100 --> 00:18:37,260 One. 288 00:18:37,400 --> 00:18:38,600 One, two, three. 289 00:18:48,080 --> 00:18:49,640 Why we have that. 290 00:18:54,190 --> 00:18:56,500 Let's actually find another place. 291 00:18:56,500 --> 00:19:01,600 Search for slash back slash and replace to new line. 292 00:19:03,280 --> 00:19:04,060 No. 293 00:19:08,630 --> 00:19:09,890 Regular expression. 294 00:19:26,490 --> 00:19:30,120 Find and place New line. 295 00:19:31,700 --> 00:19:32,950 And don't we have Internet? 296 00:19:33,340 --> 00:19:35,850 Yeah, sure, we can do that. 297 00:19:35,980 --> 00:19:38,080 I think from the regular expressions here. 298 00:19:40,590 --> 00:19:44,370 And I think I did that correct in previous example here. 299 00:19:44,370 --> 00:19:46,110 So we will search for the. 300 00:19:47,740 --> 00:19:51,400 Slashes not for apparent and regular expression. 301 00:19:51,580 --> 00:19:53,230 And here. 302 00:19:54,520 --> 00:19:57,850 We will change to New line. 303 00:20:00,570 --> 00:20:05,070 Or we can also enable the regular expression, change the access to new line. 304 00:20:05,070 --> 00:20:06,120 And that's it. 305 00:20:07,760 --> 00:20:08,570 And. 306 00:20:09,390 --> 00:20:15,710 As you can see here, we have the bad character in here. 307 00:20:15,720 --> 00:20:20,580 This is f f, which is mentioned as bad character.