WEBVTT

00:00.510 --> 00:03.090
Well, this is where we left off in the previous video.

00:04.000 --> 00:10.560
Let's copy our current working version of reverse-tcp, which is the .nasm file, and let's

00:10.560 --> 00:16.850
save it as reverse-tcp-opt.nasm.

00:17.910 --> 00:19.590
Now let's work on this file.

00:19.920 --> 00:25.770
reverse-tcp-opt.nasm, where we are going to write some optimized code.

00:28.050 --> 00:28.500
All right.

00:28.620 --> 00:30.160
So let's scroll down.

00:30.720 --> 00:32.870
We can now remove all these comments.

00:32.880 --> 00:34.020
We don't need them anymore.

00:37.870 --> 00:38.560
There it is.

00:39.160 --> 00:47.710
Let's scroll down to these dup2 calls, where we have some redundant instructions. Let's first

00:47.710 --> 00:56.140
comment out all these calls and let's write a simple loop to actually optimize this code.

01:07.150 --> 01:17.770
All right, so what I'll do is I will just use xor rax, rax to start with, and I will also xor rsi,

01:20.860 --> 01:23.470
and then I will just add

01:26.540 --> 01:29.070
two to this rsi register.

01:29.530 --> 01:37.600
So we are initializing rsi with the value two. Now when we want one, we can simply decrement it.

01:38.620 --> 01:44.370
And again, when we want zero in the rsi register, we can just simply decrement rsi.

01:45.100 --> 01:45.400
Right.

01:45.460 --> 01:54.460
So now what I want to do is I want to set up a loop here so the loop will actually move.

01:54.790 --> 01:59.110
this syscall number every time we want to execute dup2.

01:59.710 --> 02:05.800
So first we are just moving the value 33 into the rax register.

02:06.940 --> 02:13.380
Instead of moving, we can use add and then we can write this call here.

02:14.350 --> 02:19.810
If you notice this loop, this rax is going to contain 33 for the first time.

02:20.110 --> 02:26.010
But for the second time, rax may contain some value and we are just adding 33 to it.

02:26.440 --> 02:30.610
So it's a good idea to actually zero out inside this loop.

02:31.060 --> 02:36.760
So let's use xor rax, rax and let's probably remove this here.

02:37.660 --> 02:38.160
All right.

02:38.170 --> 02:43.960
So we have rsi, which is actually initialized with the value two. After that,

02:44.080 --> 02:49.380
every time we are inside the loop, we are just adding 33 to the rax

02:49.390 --> 02:54.730
register. The rdi register already contains the first argument, which is the target file descriptor.

02:54.740 --> 02:56.100
So we don't have to worry about that.

02:56.440 --> 03:03.190
The second argument for the first time is going to contain two, so it executes for stderr.

03:03.640 --> 03:09.510
Once that is done, we are going to decrement rsi.

03:10.120 --> 03:13.300
So this is going to make the rsi value one.

03:13.630 --> 03:20.800
That's the right value for the dup2 call for stdout. After decrementing the value of rsi, let's

03:20.800 --> 03:22.690
execute jns.

03:23.230 --> 03:28.750
What this instruction will do is it will take a short jump if the sign flag is not set.

03:29.170 --> 03:36.370
What it means is when this decrement rsi instruction is executed for the first time, rsi becomes

03:36.370 --> 03:36.670
two.

03:37.060 --> 03:41.520
So that won't set the sign flag because it won't produce any negative value.

03:41.890 --> 03:44.710
So we are just going to take the loop.

03:45.220 --> 03:52.320
So when the jump is taken, we go here, we come back, we set up this syscall value and execute this

03:52.360 --> 03:54.250
call with the rsi value one.

03:54.580 --> 04:00.460
So after that, we are going to decrement rsi once again, which is going to make it zero.

04:00.970 --> 04:05.200
Zero is the value we will need for the dup2 call for stdin.

04:05.500 --> 04:09.490
Once again, the sign flag is not set, so we are going to take the loop.

04:09.790 --> 04:13.720
So this time this call is going to be executed for stdin.

04:14.200 --> 04:17.980
Once that is done, we are going to decrement rsi once again.

04:18.700 --> 04:24.070
We are decrementing zero this time, which is going to cause the sign flag to be set.

04:25.210 --> 04:29.620
If the sign flag is set, this loop is not going to execute anymore.

04:29.950 --> 04:35.740
So we will break out of the loop and we have executed all three dup2 calls with this simple loop.

04:36.010 --> 04:37.630
Let's quickly check our program.

04:37.840 --> 04:44.350
I'm just going to save the file and let's assemble and link it.

04:45.970 --> 04:47.620
tcp-opt.

04:48.910 --> 04:51.850
Similarly here, tcp-opt.

04:53.110 --> 04:56.440
Let's also link it using ld.

04:59.170 --> 04:59.670
Caulked.

05:03.350 --> 05:03.720
Part.

05:05.110 --> 05:09.290
All right, let's first check if the program itself is working fine or not,

05:12.260 --> 05:21.500
and nc -nlvp 4444, and execute reverse-tcp-opt.

05:24.470 --> 05:28.040
There it is, looks like our program is working fine now.

05:28.250 --> 05:37.160
Let's quickly check if it has any nulls once again: objdump -d reverse-tcp

05:37.160 --> 05:42.950
-opt -M intel, and I don't see any null.

05:43.370 --> 05:49.430
Now, let's compare the length of the shellcode in the reverse-tcp file and the reverse-tcp-

05:49.430 --> 05:50.780
opt file.

05:51.440 --> 05:55.700
So I'm going to use this one liner once again.

05:56.120 --> 06:01.070
Let me just copy this and let's start here.

06:02.060 --> 06:09.800
And instead of binary, let's use reverse-tcp here.

06:10.670 --> 06:11.350
There it is.

06:11.630 --> 06:14.360
Let's also use reverse-tcp-

06:14.810 --> 06:18.470
opt. Look at that.

06:18.740 --> 06:24.140
The length of the shellcode is significantly reduced in the optimized code.

06:24.560 --> 06:30.530
So this should give you an idea of how we can reduce the length of the shellcode, because sometimes

06:30.530 --> 06:34.250
we may have to deal with the space issues as well when writing exploits.

06:34.460 --> 06:37.220
So we may want to have some shorter shellcode.

06:37.610 --> 06:43.310
So this is how we can reduce the shellcode by removing redundant instructions in the assembly program.

06:43.790 --> 06:45.260
So I'm just copying the shellcode.

06:45.260 --> 06:53.990
And let's quickly check if it works in our exploit. I'm going to cd directly to where we have our

06:54.410 --> 07:03.620
exploit-final, and let's once again comment it out and let's use this code.

07:07.880 --> 07:10.550
And let's paste the copied shellcode.

07:22.230 --> 07:27.270
All right, now let's save the file and let's start a listener.

07:30.780 --> 07:44.070
And let's try to execute our exploit, ./exploit-final, let's pipe it and execute ./

07:44.150 --> 07:44.700
111.

07:47.450 --> 07:49.670
Look at that, we have got a shell.

07:50.030 --> 07:54.350
This is how we can write shellcode for Intel 64-bit processors.

07:54.830 --> 07:59.020
I hope the overall process of shellcode creation is clear enough.

07:59.330 --> 08:01.990
You can write any shell code in a similar fashion.

08:02.480 --> 08:05.210
And that brings us to the end of writing.

08:05.210 --> 08:05.870
shellcode.
