WEBVTT

00:00.660 --> 00:03.210
Well, this is where we left off in the previous video.

00:03.360 --> 00:07.770
Now let's try to fix this animal rights issue first.

00:08.050 --> 00:17.550
Let's copy this exit, not Nazan and let's say he does exit dash no nul not Nazan.

00:18.780 --> 00:21.380
No, let's open this exit Dasht.

00:21.390 --> 00:25.230
No, no not Nazem and work on this file instead.

00:25.980 --> 00:30.540
Let's first clear these two registers by placing zero in them.

00:31.080 --> 00:38.730
We can do something like this more are X comma zero and move the AI comma zero.

00:39.150 --> 00:41.130
So we are just clearing the registers.

00:41.460 --> 00:47.250
However, these two move instructions are going to cause null bytes once again.

00:47.790 --> 00:48.900
Let's try to change them.

00:50.280 --> 01:01.290
Let's assemble and linked this file nazem exit dasht no null not nazan bargepole exit Dasch no null

01:01.320 --> 01:09.650
dot o f sixty four early exit Dasch.

01:09.660 --> 01:17.070
No no not all national exit Dasch no null and hit enter.

01:17.460 --> 01:17.760
No.

01:17.760 --> 01:24.480
Let's once again try running object done on this to take a look at the machine code.

01:29.850 --> 01:30.510
Here it is.

01:30.510 --> 01:36.750
If you notice the move X and move area instructions are actually causing a lot of null bytes.

01:37.320 --> 01:41.310
If you remember I have discussed about our instruction.

01:42.000 --> 01:46.980
One popular technique to avoid null bytes is to guard the register with itself.

01:47.550 --> 01:55.710
If you use Addicks comma eggs, the machine code will not contain any rights, but we will still have

01:55.710 --> 01:57.810
the value zero into attacks.

01:58.110 --> 02:01.580
Similarly, we can use the same technique with Oduye register.

02:02.040 --> 02:09.630
So let's open our exit dasht no null Darwinism once again and let's try to fix that part first.

02:11.940 --> 02:21.330
So let's remove this more instruction and let's replace that with God IREX cosmonautics and let's also

02:21.330 --> 02:25.080
change this second instruction to how things are.

02:28.800 --> 02:37.710
All right, so we have got our common area and our idea, common idea and quickly going to assemble

02:37.710 --> 02:42.620
and link it once again and we are going to execute object dump.

02:43.020 --> 02:45.920
But check if those nailbiter are remote.

02:47.670 --> 02:48.300
Look at that.

02:48.510 --> 02:51.900
These two instructions do not have any metal bytes anymore.

02:52.470 --> 02:55.680
Now we will have to deal with the next two instructions.

02:56.130 --> 03:00.930
Now, ATX and Ideato, this does contain the values Xeros.

03:01.600 --> 03:08.270
Now all we have to do is we have to use the same register of our eggs to place this value zero x three,

03:08.420 --> 03:09.750
which is decimal 60.

03:10.230 --> 03:17.020
Similarly, we can use a sub register of this idea to place this value to in the register.

03:17.550 --> 03:20.910
Don't get confused with this eggs and area here.

03:21.270 --> 03:27.110
Probably because of this assembler optimization Harrex is replaced with eggs.

03:27.120 --> 03:30.030
An idea is replaced with Eddi.

03:31.560 --> 03:33.480
So let's open this file once again.

03:37.580 --> 03:47.120
And let's use air comma 60 and the L comma to.

03:49.490 --> 03:57.310
Let me show you the 64 bit registers before we assemble and link this program, if you remember, Al

03:57.320 --> 04:01.810
is the lowest, a bit sad register of attacks register.

04:02.270 --> 04:04.730
So we are using this to avoid null votes.

04:05.240 --> 04:10.750
Similarly for ardia, BHL is the lowest a bit register.

04:10.940 --> 04:14.920
So we are using this register to place their exit status.

04:15.560 --> 04:19.770
So that's the reason why we are using and register and be and register.

04:20.210 --> 04:25.790
Let's switch back to our washing machine and let's assemble and link this file.

04:31.050 --> 04:39.660
Let's once again use object to check if these Nele whites are removed, Dirigo, there are no nail biters

04:39.660 --> 04:46.530
at all in this final machine called No, let's run the alpha binary and observe the exit status

04:49.620 --> 04:50.110
exit.

04:50.400 --> 04:51.690
Nash, no null.

04:56.460 --> 05:03.120
There it is, the program is still working, so we have avoided all the non VIPs and we still managed

05:03.120 --> 05:05.640
to keep the functionality of this program as is.

05:06.090 --> 05:10.770
Now, let's run this through GDP and not if everything is working as expected.

05:11.580 --> 05:17.010
So I'm just using GDP, not exit Dasch normal.

05:17.850 --> 05:25.020
And let's set up a breakpoint at underscore start, which is the entry point, and let's run this binary.

05:26.730 --> 05:30.550
The first instruction is that our eggs are eggs.

05:30.870 --> 05:35.620
So after executing this instruction, our eggs should contain zero.

05:36.180 --> 05:41.910
Similarly, the idea idea is going to place the value zero into our deregister.

05:42.570 --> 05:48.210
In this case, these registers already have the value of zero, but generally it is a good practice

05:48.210 --> 05:51.560
to clear the registers before using them for any operations.

05:52.050 --> 06:01.460
So let's do a quick assay twice and we should observe zeros being there even after this.

06:02.400 --> 06:07.040
Dirigo are still has zero idea, still has zero.

06:07.980 --> 06:13.580
Now the next instruction is to move zero X 3C into the register.

06:13.590 --> 06:15.810
And let's type aside.

06:16.140 --> 06:21.540
And once this instruction is executed, we should see this value in attacks register.

06:22.940 --> 06:26.280
Let's go back to the registers and look at that zero.

06:26.490 --> 06:29.940
Tracy is now placed in our X register.

06:32.310 --> 06:40.650
Finally, we are moving this value zero x two into this BHL register, so let's step aside and we should

06:40.650 --> 06:43.540
see the value to in the register.

06:45.450 --> 06:46.200
Here it is.

06:46.200 --> 06:50.070
Oduye registered now contains the value to finally.

06:50.070 --> 06:55.230
We are executing the instructions iscan which is going to execute exit Swisscom.

06:55.560 --> 06:56.780
So let's step aside.

06:57.690 --> 07:03.000
And if you see the process exited with code zero two, that's expected.

07:03.220 --> 07:06.440
That means our program is working as expected.

07:08.350 --> 07:14.530
Everything looks fine, and congratulations on writing your first program to produce custom shall code.

07:15.200 --> 07:21.790
Now, if you want to use the cell code in your exploit from this program, we can simply copy the codes

07:22.000 --> 07:24.280
that are seen in the object dump output.

07:24.940 --> 07:31.000
Let me quickly show that let's execute the object dump.

07:31.030 --> 07:31.510
Come on.

07:31.520 --> 07:37.570
Once again, if you want to copy the shell code from this particular binary and if you want to use that

07:37.570 --> 07:41.290
in your exploits, we can simply copy these bytes from here.

07:41.740 --> 07:51.430
So the shell code becomes slash, exfoliate, slash X 31, slash X C0, slash X 48, slash X 31, slash

07:51.430 --> 07:54.520
x f, which is the next three bytes.

07:55.180 --> 08:01.450
And after that we are going to copy these two bytes, which is going to be slash X, be zero, slash

08:01.450 --> 08:02.590
X 3C.

08:03.760 --> 08:14.170
Similarly, the next three bytes will be slash four zero seven zero two and then slash zero slash 05.

08:14.860 --> 08:19.660
This is how we can simplify the financial code that can be used in our exploits.

08:20.230 --> 08:24.790
Of course, this can be automated using some commands which are already available online.

08:25.150 --> 08:31.610
So let's quickly search for one such command to extract shell code being shown using our object tool.

08:32.560 --> 08:41.380
So this is going to use a quick Google search extract shall code from binary.

08:42.160 --> 08:44.440
The first link is what I'm going to use.

08:48.510 --> 08:49.400
Here it is.

08:49.420 --> 08:57.280
I'm just going to copy this, this command automatically extract the entire shell code from our program

08:57.490 --> 09:04.960
using object and a couple of other Linux command line utility, like said, grep, cut and paste.

09:05.380 --> 09:09.850
So I'm just copying it here and I'm going to pass it here.

09:11.170 --> 09:16.930
And I just replace this dot slash program using our exit dasht.

09:16.930 --> 09:18.280
No, no binary.

09:22.870 --> 09:23.350
All right.

09:23.470 --> 09:26.560
So let's hit enter and look at that.

09:27.070 --> 09:31.200
We have gotten the exact same shell code that we have manually copied here.

09:32.440 --> 09:32.810
Right.

09:32.830 --> 09:43.150
If you see this slash exfoliated 31 C0 slash X 48 31 C0, this is how we can write very basic shell

09:43.150 --> 09:43.530
code.

09:43.900 --> 09:50.200
Of course, you may not want to use this code itself in your exploits and you probably are interested

09:50.200 --> 09:55.040
in something like reverse shell code or exactly been a shell code.

09:55.540 --> 10:01.270
We are going to discuss those in the next few lectures, but I hope this video has given you a basic

10:01.270 --> 10:04.300
idea of how we can start writing shall code.

10:04.810 --> 10:08.620
In the next video we are going to discuss exec BHL called.