[00:00:06] OK, welcome back. So this third and last part of the session will go over a little bit about optimization, I would say, and then finish this session with an example about the code and how it all looks in the stack and all of that. And this is the last such, I would say, theoretical session before we start jumping into some hands-on stuff. So, excuse me. So, uh, first thing is: compilers do lots of generation. They don't generate the code just at once. What they will probably do is run the code multiple times and generate, uh, let's say, better code. So when they do the compilation, they might generate multiple versions of the code in order, at the end, let's say, to reach some optimization. So you can think of it: it's trying to, let's say, generate some code, then generate code again, generate code again, until it finally can optimize the code to the best code, which will be smaller and faster. So it might take a couple of iterations to get that. We are not going to discuss this; it is out of the scope of this course to talk about optimization. But this gives you an idea. Here are also some instructions, or an example, which will also probably give you an example of what we are talking about.
[00:01:48] So look at the instructions: mov, or xor, can be used to set the eax register to zero. So both... xor is smaller as code than the mov instruction. So look at this. If we want to set, let's say, eax with the value zero, we could do mov eax, 0. But the problem, or let's say not the problem, but if we look at the code, it's actually five bytes. As you can see here, the code is one, two, three, four, five bytes. While if I do xor eax, eax, that should also give me... that should also lead to having eax with a value of zero. That's only two bytes. So here we minimized the code by three bytes. So it's much smaller. But again, we're not going to talk a lot about optimization, but just to give you an example of how things are going to happen. So let's look at this. So think of these instructions as going to be executed by the callee. And let's assume that the callee is going to make another call to another function called foo, which... foo will require one argument, or one integer argument. Now, the callee will set its local integer variable to seven and then send double its value to foo. Let's just take that as an example. Again, the callee is going to call another function. That function takes one argument and it's an integer.
[00:03:13] And then that argument... it will create a local integer variable and we are going to set it to seven. Just an example, but we are going to also double that value and send it to foo. Let's start. So if you look here, the void callee, which again is just what we are talking about here, int arg1: it takes one argument, int v1, which is here defining that we have one variable of type integer, v1 equals seven. So defining that v1 equals seven. And then when we want to call foo, we want to double that value. So let's look at the code. We push ebp, mov ebp, esp, and now we push the value zero because we want to create the variable in the stack. OK, that variable at the beginning is... it's not going to be really zero, but let's just think of it like that at the beginning. It has no value. So it's going to be zero for the local variable. Then what's going to happen is we copy the value seven into where ebp minus four is actually pointing to. So where ebp minus four is pointing to, we will copy the value seven into it. Then what ebp minus four is pointing to, we are going to copy it into eax, so we are copying now the value seven into eax. But before that, here again, ebp: if we do where ebp minus four is pointing to...
[00:04:47] So we have this location, we stored the value seven in there, and then in the next instruction we did: what ebp minus four is pointing to, copy into eax, or ebp minus four, which is seven. We copy that now into eax, so we copied this into eax. Now we did add eax, which doubles the value, so that made eax now 14. And then as you can see here, we have push eax, so we have 14 being pushed on top of the stack. Then we did the call to foo and then everything continues from there. OK, now, before we continue, let's take a look at the stack's memory reminder. This is about endianness. We talked about this, but this is just a reminder of how the actual byte-by-byte view will look in memory. So as you can see, this is how the byte-by-byte will... If we look at the memory, let's say byte by byte, this is how the memory will look for, let's say, the value seven, because these here, it's four bytes. This is four bytes. Again, that's what we mentioned. But if we look at the byte view, this is how these bytes are going to be represented in memory. OK, now let's consider this. This is actually... this is the little endian and this is big endian. Little endian stores the values from the least significant bit first. So we can see this is how the value is actually being stored.
[00:06:16] While the big endian starts from the most significant bit first. So systems or processors like Intel will have... their multi-byte values are filled starting from the least significant bit, while in big endian, like SPARC processors, they will have their value filled in reverse order, starting from the more significant bits. So it's going to start this way, this way, etc. OK, so that's why you need to keep in mind... in our case now, of course, we are talking all about Intel, so we will be dealing with the little endian. It's very important to remember that, OK. But as you can see here, ebp minus four here points to this value, while ebp minus four points to this value. But again, this is just a byte-by-byte level. At the end, it's all going to be four bytes, at least on a 32-bit system. So let's go back here and we can see that the default value zero that was pushed in the epilogue section was not used. Why did we do that? We just did that to save some space for our local variables. So compilers, like C compilers, do not push a default value. Instead, they reserve the space by moving the esp register. So the compiler will not actually really store a value. It will reserve that space which we want.
[00:07:44] OK, by moving esp. OK, also, instead of performing the pop to clean local variable space, we can also mov to empty the stack frame. So we can do two things, or the compiler will do two things for optimization. It will move esp to make space for local variables, OK. And it can also move esp to clean the variables or the arguments on the stack. OK, so now again, what will happen here is the compiler, instead of just... if you look, go back and forth. So here we have push 0. But here what happened is sub esp by four. So we made four bytes of space on the stack now, and esp is pointing also on top of the stack. But at that location, esp here will be empty. So we won't have this value over here. OK, eax... sorry, now ebp minus four, sorry. Copy seven into where ebp minus four is pointing to. So we copied that value over here. Then what ebp minus four is pointing to, copy it into eax. We copied seven into eax, then add eax, eax, so we multiplied, or doubled, the value, so eax now became fourteen. So eax has fourteen; push eax pushes eax on the stack, so what we push now is 14 on the stack, and then we call the function foo to do something.
[00:09:14] Pop: so if we pop this value it will be moved into eax, and then here we are cleaning the stack, because this is how cdecl will work. We are removing this, returning, and then the cdecl convention will have... if there is another value here, which is seven, it will be cleaned by the caller. Now, esp will move to reserve space for local variables, like I mentioned in the previous slide. But the space is still not initialized; so the space is still not initialized. Again, memory will not, like, delete and clear those values. So this is what happens, by the way, for those of you, anyone of you, who is listening now, watching this video: when we first create a variable in C and we go and print it, we usually get this gibberish data. Why is it gibberish? Because it's probably some value which was on the stack, in that memory location which we are now printing. So again, this value is not really what's happening. The system will optimize it and will just move esp, which is much better than storing that value on the stack.
[00:10:25] Let's continue. Now another thing which the compiler can also do to save space and make things faster is replace both mov esp, ebp, which is when we restore... we want to, like, do the epilogue and we want to, like, remove, delete the stack frame, and then pop ebp. So we can replace those with one single instruction, which is the leave instruction. So what will happen now is instead of having mov esp, ebp and then pop, we will just do leave. So what leave is actually doing is actually doing the mov esp, ebp and then doing the pop ebp. OK, so again, like I mentioned at the beginning, the compiler reads the code in many passes before generating the object code. OK, now one thing the compiler will do is calculate the needed space for all arguments and, like, the local variables. OK, so if, let's say, in our case foo needed four bytes, so it will allocate four bytes, and that's why we saw sub esp... esp was subtracted by four. Why? Because we only need four bytes for the function foo. OK, also the push instruction: push is a slow instruction. Therefore the compiler will reserve the argument space in the epilogue section. OK, keep that in mind. Push is also not a fast instruction. It's slow, so compilers will use something different, which is usually mov. So here, as you can see, what happened.
[00:11:59] Now we can see that if foo takes two arguments, then ebp minus eight is the first one and ebp minus 12 is the second one. Right. Same as performing push for the second, then the first argument. OK, so if, let's say, foo really took two arguments, then we will have sub esp, 8, because we need one for the first and one for the second. OK, everything else, as you can see here, is actually kind of the same. OK, except for the mov eax into where ebp minus eight is pointing to. Let's continue. Now, what ebp minus eight points to is for sure the argument to be passed, but we can replace it with esp in this case. So this is ebp minus four, is this one, and minus eight is this one, actually. Why can we replace this, in our scenario, with what esp is pointing to? Because currently esp is pointing to the top of the stack, and so we can do that. But again, that's not our decision. That's the... That's what the compiler will do. So if that was to be replaced, we can see here eax was copied into what ebp minus eight is pointing to, while here, what we did, instead of push eax, we copied eax to where esp is actually pointing to. So again, these are what the compiler or the optimization will be doing. Let's look at the example from our code.
[00:13:38] Now, this code, by the way, could also be seen here. So we could see in this one the code, if we want to go back, so you can see my function one, and then you can see the function with the code. We already saw that, and function two, which is going to be printing this message. And then we have the main function. And this is what main is doing, if you want to look at the assembly code for each one of them. So this is the code for my function one after disassembling it, and the same for my function two, and this is the code for main. Let's go back to our presentation. So here the function my function one requires 16 bytes for the local array. So the local array, the buffer, is 16 bytes. OK, now strcpy requires eight bytes because four bytes for this one and four bytes for this one. The pointer, this pointer and this pointer, each one requires four bytes. So we need 18 bytes. So what that means... and also my function two here, in this case, let's just go with the slide, requires four bytes for its argument. It's taking a pointer to a buffer and that argument is four bytes. So this means the compiler made the decision to reserve 24 bytes, which is 18 in hex, which is 16 for the array and eight for the maximum argument space required. Since this one was used the same...
[00:15:07] We didn't need to allocate that space twice. We just used it once, or sixteen and then four, which means twenty, and then another four, which means 24. OK, so that's how the compiler will decide: oh yeah, this code needs 24 bytes, because this one is 16 bytes, this one is four bytes, this one is four bytes, and so on and so forth. Now, if you also, let's say, look at the code here, when we are, let's say, executing strcpy: strcpy will take two values, which is the source and the destination. So we can see that ebp here, which is pointing here, and ebp minus four, minus eight, 12 and 16. This is where the buffer started. So this is the location where that buffer is located at. So that's why you can see here we are saying load the effective address of ebp minus 16 into eax, OK, and then... So this is where our destination is. And then what we did is, here we copied that address into what esp is pointing to. So esp is pointing here. So that became the destination. So that's why this code is this way. That's what's happening over here.
[00:16:26] OK, if we continue: so by default, ebp points to the saved EIP, OK, of the caller; in this example, it will be main. And ebp plus four... ebp plus four points to the next instruction, or EIP, or the position where we want to go back. In our case it's main, OK, and ebp itself is pointing to the saved EBP of main, OK, which is for the previous function. So ebp, this one, is pointing to the base pointer of the main function. OK, now again, strcpy takes two arguments: the destination, dest, and the source, src. So all of this is just to prepare all of this on the stack. OK, now ebp plus eight is the sent value by the caller, main, to the callee, my function one. OK, ebp plus eight, so ebp plus eight is the value which we sent. Remember that this program, what it does, is take a string and then send it to be printed. So ebp plus eight is our value, str, OK, which has been copied, which was being passed to my function, OK, my function one. Let's continue. So, um, my function two here takes one argument, which is x, which actually, if you go back here, we'll see what it says is the destination. It's the same thing, destination, which was the buffer, because this is the source and this is the destination. That's how strcpy works.
[00:18:14] So this is a source and this is a destination. And because the destination is still already on the stack, I just changed it here to make sure you understand that. So x is still the destination, OK, which we are passing... where? To my function one. And now here what happens is when we go to my function two, let's say eip is at here: what's going to happen here is we can see ebp plus eight points to the first argument, or ebp plus eight is the first argument sent to my function two, which is actually, again, the destination, OK, the pointer to the destination, and ebp plus eight points to the second argument, and so on. But in our case my function two only has one. So actually this will be irrelevant to that function. Therefore, ebp plus 12 points to an irrelevant location for my function two. That's what I was saying, because ebp... sorry, my function two only takes one argument. So this is still on the stack. It's still there, but it's irrelevant to my function two. Okay. Now can you guess what is currently stored in ebp plus 12? We already saw that this was the destination and this was the source. So if I just go back a couple of slides, we can see it was actually the source of my string, this one, as the str value.
[00:19:44] OK, so let's continue. Now, here, this is one quiz I want you to... I leave that for you to think about. Now again, main, main by itself is a function. So when we finish executing my function one, we need to go back to main and continue execution from there. Again, main is just a function, so a frame will be created for main. A frame will be destroyed after main is destroyed, or after main has finished execution, similar to any other function. Now, what do these memory locations contain? M1 and M2 and M3, in some basic ways. If you understood what I was talking about over this, when we talked about here, if you understood what these are, then you will be able... if you understood what I mean, the session of the explanation and the code in here, you will be able to figure out what was in M1, what's in M2 and what's in M3. OK, so I'm going to leave that as a quiz for you to figure out. Now, also, these instructions: can you also tell what these instructions do? I'm also going to leave that for you to figure out. Just try to trace the program and understand what's happening over here. OK, just try to trace the program and understand what's actually happening over here.
[00:21:07] Now, at the end of our session, what we can... the conclusion that we can come up with is: what if we can locate the caller's EIP on the stack and change it using, let's say, a mov operation, or mov instruction, or any other instruction? So if we can locate where this... this value is on the stack, which is the position where I should be going next after my function finishes. OK, which is where I should be going next after my function finishes the execution. So if we can figure this out, and what if the new value is a location of another block? So what if the new value which we put in there is a location of another block? And what if that other block is actually somehow harmful code? Again, let's say we managed to locate where it is on the stack. At the end, what is this? This is an address. So if we manage to locate where that address is, so we figured out where the address is, that's one. Then we managed to overwrite that address with an address to some other location. And now that other location includes some harmful code or some malicious code; that's when the exploitation will happen, because once the function execution finishes, it needs to go back to the stored position, which in our case we overwrote with some malicious code. That's what is going to be bad for the user, good for our exploit and for our exploitation.
[00:22:55] Now, these are other references which we used to create this presentation. I highly recommend you go check them out, especially Xeno's Intro to x86, the assembly course. And yeah, that's all for this video. We have now finished, I would say, the introduction to memory. And now we will start talking more about hands-on stuff and exploiting an application. OK, so that's all for this video. See you in the next video. Thank you and bye bye.