WEBVTT

00:01.280 --> 00:06.120
Let's start writing some simple assembly programs using sixty four assembly.

00:06.770 --> 00:12.990
I have a directory called X 86 and escort 64 in my home country.

00:13.560 --> 00:14.750
Let's navigate there.

00:15.710 --> 00:23.060
And inside this bakery, I'm going to create another directorate called Ehrsson and let's navigate to

00:23.060 --> 00:24.110
ask them directly.

00:25.460 --> 00:29.660
And let's create a new file called Move Dot Nazim.

00:34.670 --> 00:35.300
Here it is.

00:35.300 --> 00:36.770
I'm using them here.

00:36.800 --> 00:39.370
You can use your favorite text editor.

00:39.860 --> 00:46.760
And let's start with a directive called Global, which tells our link with the entry point of this program

00:46.760 --> 00:52.370
is So I'm typing Global Space Underscore Stop.

00:53.560 --> 01:01.600
So we are basically specifying that the entry point of this program is underscored start and let's start

01:01.600 --> 01:08.350
writing our actual code within this entry point, which is underscore, start, select type, underscore,

01:08.500 --> 01:10.710
start calling.

01:11.020 --> 01:13.030
And this is going to be our entry point.

01:13.510 --> 01:17.130
Now let's begin writing some move instructions.

01:17.560 --> 01:23.650
Let's begin by writing a move instruction to move the valuate into Register IREX.

01:24.700 --> 01:30.840
We can do that by typing move on x comma eight.

01:33.010 --> 01:35.820
We can also move hex values into the registers.

01:36.220 --> 01:47.080
Let's try moving hex a which is decimal then into our X move at X zero x a.

01:48.410 --> 01:55.370
In the first instruction, we are moving decimal eight and in the next instruction we are moving Hecks

01:55.370 --> 02:02.960
A we are telling the program that we are moving a hex value that stem by preventing zero to eight.

02:03.530 --> 02:07.830
Now let's try to move the value of a register into another register.

02:08.180 --> 02:12.950
For instance, we have the value of hex error in the register Artex.

02:13.310 --> 02:16.300
Let's try to move that into the RBA register.

02:17.300 --> 02:22.610
So I'm typing move r, b, x, comma r x.

02:23.840 --> 02:30.500
There is another type of move instruction which will essentially move the value which is pointed by

02:30.500 --> 02:32.000
the address of the register.

02:32.480 --> 02:39.530
Let's see one such instruction move as the X comma.

02:42.260 --> 02:50.420
RSP, which is surrounded by square brackets, it will try to pick the edges of Arizpe and it will move

02:50.420 --> 02:55.650
the value that is pointed by this arizpe register into Rs6.

02:56.030 --> 03:01.820
Now, it may sound confusing, but let's try to debunk this program using GDB in a moment and you will

03:01.820 --> 03:03.260
understand what I mean.

03:04.010 --> 03:05.600
OK, that's pretty much it.

03:05.780 --> 03:14.330
We can now save the program and Taiping Control see and Colin WQ, so the changes will be saved.

03:15.260 --> 03:18.530
Now let's use Nazan to assemble this program.

03:18.920 --> 03:23.120
So I'm typing Nazan moved out nazem.

03:24.150 --> 03:29.990
Basco moved out of Dasht f f 64.

03:30.270 --> 03:35.580
We are specifying that it's a 64 week program I'm hitting enter now.

03:35.580 --> 03:37.760
Let's link it using Ellie.

03:38.340 --> 03:43.260
Ellie moved at all, which is the output from the previous command.

03:43.890 --> 03:47.640
And let's produce the output and let's name it.

03:47.640 --> 03:49.380
Move, let's render.

03:50.460 --> 03:56.820
So move is going to be the final binary to be able to examine the registers and the values that are

03:56.820 --> 03:58.270
being moved into registers.

03:58.630 --> 04:00.770
Let's open this program using Jilib.

04:01.470 --> 04:03.270
So I'm typing GDB.

04:03.810 --> 04:05.430
Don't move.

04:07.620 --> 04:13.890
If you notice we are seeing a Jeff terminal because we have installed Jeff for GDB.

04:14.340 --> 04:17.550
This makes our life so easy during exploit development.

04:18.180 --> 04:21.960
Trust me, you are going to love it by the time you reach the end of the course.

04:22.300 --> 04:26.490
Now let's set up a breakpoint at the entry point of this program.

04:26.910 --> 04:31.920
If you remember, our entry point is underscored start.

04:32.280 --> 04:37.380
So I'm typing break space and let's go start hitting enter.

04:38.160 --> 04:42.230
If you notice there is a breakpoint set at this particular address.

04:43.200 --> 04:51.060
Now if we type run, the program will run and it will pass the execution at the entry point because

04:51.060 --> 04:52.710
we did set up a breakpoint.

04:53.190 --> 04:54.180
I am hitting enter.

04:55.700 --> 05:02.810
And look at this, currently, the next instruction to be executed is this, and if you notice, there

05:02.810 --> 05:06.290
is a breakpoint, so the execution is stopped.

05:07.280 --> 05:10.780
Now, there are a few things that we would need to observe in this output.

05:11.420 --> 05:15.750
Number one, call, if you notice, this is the code section.

05:15.830 --> 05:16.970
You can see it here.

05:17.270 --> 05:24.330
It is highlighted and these are the instructions that are going to be executed when we run this program.

05:24.800 --> 05:30.420
So this is the area where we are going to notice all the instructions that get executed.

05:31.370 --> 05:33.800
So the next section is stack.

05:34.280 --> 05:36.200
This area shows the stack.

05:36.890 --> 05:39.830
We are going to use it extensively later in this course.

05:39.860 --> 05:44.540
So it is good to know where the stack is in our output after that.

05:44.750 --> 05:47.110
Let's take a look at the registers.

05:47.630 --> 05:51.860
If you see this, these are the registers once again.

05:51.890 --> 05:58.220
Remember, we are going to make extreme use of these registers stack and the code section.

05:58.850 --> 06:02.520
So it is good to note when they are in your output.

06:02.990 --> 06:07.850
Now, within these registers, let's take a look at the RHP register.

06:08.570 --> 06:15.290
If you notice, the IP register is pointing to this address, which is ending with four zero one triple

06:15.290 --> 06:15.620
zero.

06:16.130 --> 06:18.110
So let's scroll down.

06:19.690 --> 06:26.140
And if you notice, this is the address and as you can see, this is the beginning of our program and

06:26.170 --> 06:28.710
this is the next instruction to be executed.

06:29.260 --> 06:35.220
And if you look at this address, this is same as what we have just seen in the AP register.

06:35.710 --> 06:42.850
What it means is RHP always holds the address of the next instruction to be executed.

06:43.540 --> 06:51.730
One interesting thing to note here is that the first instruction has the register egs instead of adex.

06:52.210 --> 06:56.350
This means some optimisations have been made by the assembler.

06:56.830 --> 07:04.530
Now let's try to execute this instruction and see what happens to the value of attacks before that.

07:04.780 --> 07:07.570
Let's check what we have in Artex register.

07:09.560 --> 07:17.450
If you notice, IREX currently has the zero and we are about to execute the instruction, which is going

07:17.450 --> 07:20.900
to move the valuate into the register area.

07:21.830 --> 07:29.190
So let's type aside, which stands for single step, which means execute one instruction.

07:30.140 --> 07:34.370
OK, so let's hit enter and see what happens to Alex Register.

07:36.610 --> 07:42.010
I have executed one instruction, if you notice, this is the next instruction to be executed now,

07:42.490 --> 07:46.480
but before executing that, let's take a look at the ATX register.

07:47.320 --> 07:52.150
If you notice, the valuate is now placed in Artex register.

07:52.900 --> 07:53.440
All right.

07:53.470 --> 07:54.430
That is expected.

07:54.550 --> 08:02.590
Now, let's step aside once again and see if this value zero eight is going to be moved into this register.

08:03.160 --> 08:10.210
So let's take a let's once again examine Artex register and look at that.

08:10.480 --> 08:16.600
The value of zero eight is now placed in Artex and the value valuate is overridden.

08:18.610 --> 08:25.990
And the next instruction to be executed is move objects, come up attacks, this means whatever the

08:25.990 --> 08:31.420
value that we have in our eggs is going to be moved into the register RBA.

08:32.210 --> 08:35.980
So let's first take what we have in the RBA register.

08:39.020 --> 08:45.920
Here it is, currently Albrecht's registered contains the Value Zero and the ATX register contains the

08:45.920 --> 08:47.460
value zero eight.

08:47.990 --> 08:55.910
So once the instruction gets executed, Disvalue zero eight should also be available in our register.

08:56.450 --> 09:00.020
Remember, more is not literally moving.

09:00.270 --> 09:01.990
It is basically copying.

09:02.390 --> 09:06.180
So we will still have the value in ATX register as well.

09:06.620 --> 09:10.240
So let's try aside now.

09:10.250 --> 09:12.650
Once again, let's examine the registers.

09:14.660 --> 09:19.940
Look at that, the register RBA is now holding the value zero eight.

09:21.200 --> 09:27.110
All right, now, if you notice the next instruction, as I mentioned earlier, it is going to move

09:27.110 --> 09:31.430
the value that is pointed by the address of Arizpe into R6.

09:31.760 --> 09:39.980
So let's first check what fees arizpe or stack pointer is always going to point to the top of the stack.

09:41.190 --> 09:47.430
If you look at this, Arizpe is currently pointing to this particular value, this is the address off

09:47.430 --> 09:51.640
the top of the stack and it is pointing to this particular value.

09:51.930 --> 09:56.170
So currently on the top of the stack, we have the value one.

09:56.640 --> 10:04.230
So if you type a site, which is a single step, we should see this value one in register Rs6.

10:04.800 --> 10:07.110
So let's see if our theory is correct.

10:07.770 --> 10:13.200
First, as usual, let's once again check what R6 currently contains.

10:14.430 --> 10:16.780
As you can see, it contains the value of zero.

10:17.280 --> 10:19.500
So I'm just going to type site.

10:21.170 --> 10:28.340
And let's once again go back and check what R6 has, as you can see, it now contains the value one,

10:28.610 --> 10:31.130
which is actually taken from the top of the stack.

10:32.270 --> 10:33.550
Well, that's the end of it.

10:33.560 --> 10:38.450
And this is how more inspections work in 64 bit assembly language.