Reverse Engineering and Exploit Development

00:00:13
Hello everyone, welcome to the course "Reverse Engineering and Exploit Development". I'm Dr. Phil Polstra and I will be the instructor in this course. In this video I would like to talk generally about the course. We'll start it by reviewing various tools for reversing; these are the ordinary things used by people working in the area of reverse engineering. We will begin our conversation with debuggers. Debuggers are a whole family of tools that people love to use to find possible problems in applications on Windows, Linux, Android and Mac OS X. We will also look at the family of decompilers. Decompilers allow you to take an already compiled application and turn it back into C, and only then can you search this code for some standard holes.

00:00:59
We will also discuss Metasploit. This is a very popular tool for those of us who work in the field of information security; it is a framework for working with exploits. It allows automated development of exploits and then using them. We will also talk about applications that are called fuzzers. A fuzzer is a program that can be used to feed a large amount of random input data into an application, to try to make it crash, and then you can try to find out whether the hole which led to the crash of the program can be used for hacking or not. There are two main types of fuzzers: network fuzzers, which send data over the network and are the focus of most reversers, and also file fuzzers.

00:01:42
We still have quite a lot to talk about assembly language. Assembly language is a language that is one step away from the computer's native language; we are only one step away from machine code. We'll talk about assembler on 32- and 64-bit Windows, 32- and 64-bit Linux and Mac OS X, and also talk about ARM assembler, which is a slightly different thing. At the same time, when discussing assembler, one more thing will pop up very quickly: this is what we call the calling convention, that is, how various functions are called in our programs. We will see how important this is when developing exploits.

00:02:16
We will talk about stack buffer overflow, one of the most common types of holes which can be found in applications. We'll talk about it for 32- and 64-bit Windows and Linux, and will also talk about this for Mac OS X, and we'll talk about various methods to prevent stack buffer overflow problems, for example about using the stack protector. The stack protector is present by default in various operating systems, in particular in Linux and Mac OS X. We will also talk about various exploit techniques for stack overflow holes, and we'll also briefly look at ARM-based stack overflow.

00:02:55
Then we turn our attention to heap buffer overflow, and again we'll look at 32- and 64-bit platforms, Windows and Linux, consider Mac OS X, and talk about different techniques; the exploits will differ little between these platforms. We'll also take a quick look at the ARM platform and how it differs.

00:03:13
Further we'll move on to the holes in string formatting. This is another common type of hole, and these holes don't really depend on any specific operating system, so in this course we consider these holes as applying to all operating systems and all processors. We will also talk about the methods of protection that are provided by each of these operating systems; in particular, Linux and Mac OS X provide such protection by default, and in Windows it is initially absent. We will talk about various exploit techniques and then go through very detailed examples that will show you how to use these holes.

00:03:52
We will also look at other various vulnerabilities such as section overflow, that is, in addition to overflowing various buffers you can also make different sections of your programs overflow, and we will talk about it. There are also holes in the kernel of the operating system that can be used, so we'll talk about finding such holes. We'll talk briefly about Android applications and how to search for and use the holes in them. We'll also talk about web vulnerabilities; they are divided into two generalized groups. These can be holes in sites, that is, problems with the website itself, such as a website or web server being incorrectly configured or something else, and it could also be holes in the code of the site itself, that is, possible errors in the site code which the site developer himself allowed. We will also briefly look at database vulnerabilities; they usually consist of various injections and are often used in conjunction with web vulnerabilities, that is, it could be a site with a database which has some holes that can be used; we'll talk about this later.

00:04:55
Let's talk about automation, for example how to use scripting for vulnerability detection. Say you decompiled something, and now how can scripting help you further? Well, actually, we'll talk about scripting exploits. Next we will take a deep look at creating shellcode. Shellcode is, let's say, the payload, that is, you have found a vulnerability, determined that you can use it, and now you need to deliver the code to the victim machine and execute it; that is shellcode. We'll take a closer look at shellcode development for 32- and 64-bit Windows, and we'll also take a quick look at the ARM platform and Mac OS X.

00:05:31
Well, I repeat, we'll talk about Metasploit. It is a good tool for exploit development and delivery; we'll talk about how to create a Metasploit module from an exploit script. We will also talk about how to encode and encrypt shellcode to avoid detection by antivirus and intrusion detection systems, and we'll discuss the use of Metasploit for searching for exploits and for exploits on Android. Well, at the same time we will see a little scripting in Python, a little scripting in Perl, even command line scripting, and along the way we learn other tricks and tips. I'm very glad that I can show you this; I hope you will like this course and you will learn something new. See you soon.

Translation completed.
00:06:13
In this video I'll tell you a little about myself. My name is Dr. Phil Polstra and I am the author of this course. The first thing you need to know about me is that I am a professional teacher; I am now an associate professor of digital forensics at Bloomsburg University of Pennsylvania. I'm also the author of a recently published book, "Hacking and Penetration Testing with Low-Power Devices". This whole book is about how to hack and infiltrate using battery-powered devices such as the BeagleBone Black; it also talks about how to connect such devices together into a network and launch a coordinated attack using these devices located far from each other.

00:06:51
You may have seen me at conferences. I have spoken at several big conferences and also at small ones. I spoke at the DEFCON conference the last three years in a row; at DEFCON 2012 I even spoke twice. I also spoke several times at Black Hat and at 44CON, which is a great security conference. I spoke at ForenSecure in Chicago, if I'm not mistaken, 4 times; several times at GrrCON in Grand Rapids, Michigan; and also at a conference in Turin, PumpCon in Philadelphia, BruCON in Belgium, c0c0n in India and Shakacon in Hawaii. All of these are wonderful conferences, and I can be seen there with reports about what I've been working on for the last few years.

00:07:35
I'm mostly known as a hacker. I've been programming computer hardware since I was 8 years old, but I quickly got tired of it and at the age of 10 I learned assembler. I've been doing electronics hacking since I was 12. I developed my own custom Linux for the BeagleBone series of boards. I also have rich experience in software development; I held various positions from entry-level developer to master developer. I developed the project of custom hardware for penetration testing, mainly based on the BeagleBone Black, and I also developed some USB hardware for forensic use which was shown at conferences, Black Hat, DEFCON and others, and I'm currently working on something new. As you may have guessed, I do security research. I developed some new penetration testing methods, for example using low-power devices, and this is described in my book. I am also developing open source hardware and software for penetration testing and forensic use, and naturally, as can be expected from the author of a course on reversing, I also devote quite a lot of time to reversing code to search for vulnerabilities.

00:08:41
If you would like to contact me regarding completing this course, or in general, you can always find me on Twitter at @ppolstra and also contact me online on my website, philpolstra.com, and there I will do whatever I can to help you on this difficult path of studying reversing.
00:09:02
In this video I would like to talk about some ethical thoughts that are worth remembering if you do reverse engineering and exploit development. The main goal of this course is to help you learn more about software at the lowest level. You will find out what makes software vulnerable and then how these vulnerabilities can be exploited. These things will help you improve the security of your organization: you can detect vulnerabilities and then show what you find to the person who can fix these problems.

00:09:34
This course is not about how to hack systems. It's not about how to hack other people's software, your competitors', in order to hurt them and give yourself, let's say, some advantage. It's not about how to hack a system or log in where you are not given access, and it's not about how to reverse engineer software in cases where this is illegal. So there you have the fundamental principles: all work must be carried out on machines that you own or to which you have permission to access; all detected vulnerabilities must be disclosed to the corresponding people, to the author or company, and not just disclosed to the general public; using vulnerabilities on machines you don't own or for which you don't have permission to test is most likely illegal in any country you are in. So let's sum it up: don't be an [ __ ]. But if you don't listen and want to become an even bigger [ __ ] thanks to this course, then we are not responsible for this. So remember, let's make the world a better place, don't be an [ __ ]. I hope you enjoy this course.
00:10:37
In this video we will look at some of the most commonly used tools for reversing. Let's start with the operating system itself. Unconditionally the best choice of operating system for reversing is Linux. But why is that? Linux is an operating system from programmers for programmers, and this means that on the Linux platform you can find almost everything you will ever need regarding reversing. Some of you may think, "but I want to reverse engineer a Windows application", and this is normal; we will show you that it is absolutely possible to do this under Linux. There are two ways to do these things. One of them is to use a product called Wine; the acronym Wine means "Wine Is Not an Emulator". It takes Windows calls and translates them to native Linux system calls. Essentially, it may even be that your Windows application will work better under Linux than it does under Windows itself. But still, not all applications: some applications may be capricious and will need to be run inside VirtualBox itself, and this is the second method for Linux.

00:11:46
Further, to do reversing, one thing you definitely need to have is a good debugger. One of the most popular debuggers is Immunity Debugger, and to get it, go online and do the related search, or just go to immunityinc.com, and there you will see that Immunity has several products available, one of which is the debugger. You can click "Download latest debugger", and there you will need to enter your full name, email address and company, and then you can download it. Now I'll pause the video to do this and then, when I come back, I'll show you how to install it.

00:12:27
So I downloaded Immunity Debugger to my downloads folder and opened a terminal. Now, to install it, all I need to do is execute wine, then specify the Immunity installation file and launch it. Also, if you will run it under Windows, know that you may also need to install Python 2.7.1 or higher. Accept the license terms, and then by default it will be installed in Program Files (x86); click the Install button, and everything is ready.

00:13:02
So now, if I want to run this program from Linux, I have several options. Let me minimize this window, then I'll go to my files and open the home directory, and here I need to go to the directory named .wine. The wine directory starts with a dot by default; this is the way in Linux you can hide a file or directory, so as you see here, this directory isn't displayed for me and I need to change some of my settings. If I click View and select "Show hidden files", now I can find the .wine directory here. Double click, then go to drive_c, Program Files (x86), then Immunity Inc, Immunity Debugger, and there we will see the ImmunityDebugger.exe file, and I can just click on it to launch it. But I want to add a shortcut to my desktop, so how do I create this shortcut? Right click on the file and select "Make Link" to create a link; now in the same folder I have a shortcut and I can just drag it to the desktop, and now, to run Immunity Debugger, all I need to do is double-click on the shortcut, and here it has launched Immunity.

00:14:19
We'll take a closer look at Immunity in subsequent videos, and in this video, just to show you how it works, I'll open another debugger in it (this debugger is now called OllyDbg). Let's take a look, and the first thing you will see is that the font is too small; later I'll show you how to change it. Here you see four main windows: here in this area you see the disassembled code; here on the right you see different system registers, which are essentially areas of high-speed memory in the processor itself; here below you see hex dumps of various memory areas that you can request; and here you see something that will be very important for us, and it's called the stack. Let's make a small pause, and when we return we will consider other tools.
00:15:12
Welcome back. We continue our discussion of tools for reversing. Now let's look at another debugger, OllyDbg. You can find the OllyDbg debugger by search, or go to the site ollydbg.de; this will take you to the OllyDbg debugger website. OllyDbg is almost as popular as Immunity Debugger, and pay attention: their website says that they are now working on a 64-bit version, which by the time you watch this course may be available; check this. On Linux the debugger works freely, I guess, as on Windows; it is also possible to launch it. So let's go to the website, click Download, scroll down and there we find the latest version; click on the link. Registration, which was required in the case of Immunity, is not needed here, and when the download is complete you can click on the archive and then unpack it.

00:16:08
And here be careful: in this archive there are no directories. Often zip files have directories inside, but in this file there are none, therefore keep this in mind when unzipping. Where does this need to be placed? This needs to be put in that .wine directory; in principle, it can be entered in the address line itself, that is .wine/drive_c and then /Program Files (x86), and there, I think, a good name for the folder where we will put this will be OllyDbg. Click Extract to unpack here; I click "Replace All" to replace everything here; Quit. And as we did in the case of Immunity, to launch OllyDbg in Linux more easily you can create a shortcut and place it on your desktop. So I'll go to the .wine directory again; you may need to change the setting to display hidden files. And here is my .wine directory: double click drive_c, double click Program Files (x86), find the OllyDbg folder, right click on OLLYDBG.EXE, select Make Link to create a link, and again drag this link to the desktop.

00:17:22
When you start the OllyDbg debugger, you will notice that it looks, well, just very similar to Immunity, and there's a reason for this: a shared code base. Let's open OllyDbg in itself, and here you see those four windows we have: in this window we have the disassembled code, in this window those high-speed memory areas called registers, down here we have hex dumps of memory cells, and here that very important stack. If you want, it's easy to change its appearance: go to Options, Appearance, there go to the Fonts tab and say which font you need. For example, here I can select a font and I can also change what font this will be: click on Change, and here I can say what I want, for example the font Courier New, and I want it to have size sixteen so it will be easier to read; then I can make it the default by clicking Defaults and selecting Font 6 here, and this will be the default font. To apply the new font right away, I can right click on any of the windows, select Appearance there and select Font for all, Font 6, and now the fonts will become much larger. And in the same way you can customize the color scheme if you don't like it. We'll take another break and then talk about other reversing tools.
00:18:54
Continuing our conversation about tools for reversing, we will consider one more debugger, and it's called Evan's Debugger. Evan's Debugger is actually a native Linux app, so you don't need to worry about Wine, running something in VirtualBox, or anything else. So where do you get it? You can find it in search, or if you go to the codef00.com website, Projects, Debugger, you will also get to the Evan's Debugger page; it is also known as edb. Click on the Download link; this will download an archive file with the .tgz extension. Click on it and extract it, for example to your home directory; click Extract, and now if I want to run it I can just go to that directory and there run edb.

00:19:43
Now it is also worth noting here that Evan's Debugger usually comes in the form of source code, so you may need to execute qmake, then execute make, and after this the debugger will be built. Building the debugger may take some time, and it depends on your system: it may take from a few minutes to somewhere around half an hour. I'll put the video on pause now and wait until my build ends, and then we will return and continue.

00:20:13
So now my build has ended, and to start Evan's Debugger just type its command and the debugger should open. Now I need to go to File, Open and open the file; here I will open this executable file itself, and this should already be familiar to you: here I have an area where I have the disassembled code, here the registers, which are high-speed memory cells, here memory dumps of certain areas of memory that I can select, and here we have that important stack again. Well, of course, as can be expected in any Linux application (in Linux you can often change a lot of things), you can change how it looks by selecting Options, then Preferences, then going to the Appearance tab, and here you can change all these fonts. They are all set now to Monospace 8; I can choose for example size 10 for our font for displaying the stack, and I can change all fonts if I want; I'll do it very quickly. Then I'll close this window; now it will be more readable. We will make another break, and when we return we will consider other debugger options.
00:21:30
Continuing our conversation about debuggers which are well suited for reversing, let's consider another option called x64dbg. It is open source, which is often an advantage, and it also has two versions, a 32-bit and a 64-bit version for Windows, and it also works well under Linux. So where can you get it? As always, use the search, or if you go to sourceforge.net/projects/x64dbg, then you will be taken to its main page; there you can click Download, and you will be taken to a page similar to this one, where some kind of advertising will be displayed. If you have any problems with loading, here is a direct link. So when it finishes loading, you will end up with a 7-Zip file; click on it and extract its contents. Again, please note that there is no main directory here, so when you extract it, be careful and make sure you extract into a separate directory; no need to pollute your system. I'll install it now: extract here. I'll skip replacing files because I already downloaded it.

00:22:38
Now you can run it from under Wine. Go to the directory, and there is a directory for plugins and a release directory. Go to the release directory and there you will see something cool: you will see an x96dbg.exe file, and you will also see subdirectories x32 and x64. You can try to directly run the x96 file and it will try to guess what system you have, or if there is a problem with this, just go to one of the directories, and if you look at its contents, then there you will see another executable file, for example here the 32-bit executable file. Fortunately, such executable files are highlighted here in green; if this is not the case for you, then you can execute the command chmod (from "change mode") with +x and make all files ending in .exe executable: write *.exe. After that, run the wine command and run the required executable file, and you will again see what in principle you should already be familiar with: it is our application.

00:23:42
And as we did earlier, we will open this debugger again in itself. Please note that initially the settings are not the best for the screen resolution I'm using for these videos; therefore, as you might expect, I can go to Options, Appearance, and you can change fonts there, make them bigger, you can use a different font and so on. So we have already looked at several debuggers; of course there are many more of them, and please note that they look very similar but they have slightly different functions, so you can choose the one that suits you and work with it. Let's make another short break, and when we're back we'll talk about other tools for reversing.
00:24:25
Let's continue our conversation about tools
00:24:28
for reversing we should consider
00:24:30
very old debugger and at the same time very
00:24:32
popular debugger it's called gdb
00:24:35
turned down gnu debuga usually it by
00:24:39
default can be found in almost
00:24:41
any Linux system that you can
00:24:42
install it has some
00:24:45
useful features But usually it's not like that
00:24:47
good for reversing it is more directional
00:24:50
to debugg the application that you
00:24:52
develop he likes it better when
00:24:55
there is Source code but basically without
00:24:57
this is no less useful and he has
00:25:00
its interesting functions, for example this
00:25:02
possibility as remote support
00:25:04
debugging This is great If you
00:25:06
You also work with other architectures
00:25:08
for example, I work a lot, beat off the sbilbon
00:25:11
board is such a small computer
00:25:13
systems based on ARM architecture
00:25:15
so for me it is very convenient to have
00:25:17
ability to debug an ARM device with
00:25:20
desktops based on Intel or AMD also
00:25:23
this tool is available for Windows and
00:25:26
it has some graphics
00:25:27
user interfaces are nevertheless
00:25:30
for the most part it is a command tool
00:25:32
lines if you do not have it installed Then
00:25:34
it can probably be installed using
00:25:36
Linux package manager or if you
00:25:39
want to use it on Windows
00:25:41
Use the search and find it in
00:25:43
It's very easy to run gdb:
00:25:45
just type gdb and it will start.
00:25:49
Usually it is attached to a
00:25:52
running process, or you can
00:25:54
specify the executable file, and this lets it
00:25:56
show you some additional
00:25:59
information.
00:26:00
Another tool is IDA Pro.
00:26:04
Unlike most of the tools
00:26:05
we have mentioned, IDA
00:26:07
is a commercial tool, and it's not free.
00:26:10
So if you do a lot of
00:26:12
reversing, it might be worth
00:26:14
considering; nevertheless, if you are only
00:26:16
starting to do reversing, then
00:26:18
it may be difficult to pay
00:26:20
this price. If you go to
00:26:23
hex-rays.com, then go to
00:26:27
the Products section, and there
00:26:29
you can read what IDA is: a
00:26:32
professional tool, and therefore
00:26:34
it has many useful functions. It
00:26:36
works under Windows, under Linux and also
00:26:39
under Mac, and it's a multi-processor
00:26:41
disassembler and debugger. It also
00:26:44
supports a very large number of
00:26:45
platforms. For example, if you want
00:26:48
to debug a phone,
00:26:49
IDA Pro can be used for this. It
00:26:52
is also worth noting that there is a trial version, and
00:26:55
there is also an outdated free version;
00:26:58
the free version is several generations
00:27:01
out of date, and there is no
00:27:03
Linux or Mac support, that is, this
00:27:06
application is only for Windows. In general,
00:27:09
if you look at this debugger, it
00:27:11
will look very similar to the
00:27:13
debuggers we have already reviewed, but it
00:27:15
will not be exactly the same, and there will be
00:27:17
additional features. If you
00:27:19
want another debugger, with closed
00:27:22
source code, from Microsoft, it
00:27:24
works only under Windows and is called
00:27:27
WinDbg.
00:27:29
It is free; if you go to
00:27:35
msdn.microsoft.com/en-us/windows/
00:27:37
hardware/hh852365 then you
00:27:42
will be able to download this debugger. Please note
00:27:45
that it often comes with the
00:27:47
driver development kit for
00:27:49
Windows, but it can also be downloaded
00:27:52
separately; if you scroll quite a lot
00:27:54
down, you can download this debugger
00:27:56
separately, by itself; for example, here
00:27:59
you can download it for Windows 8.1.
00:28:03
In general, just remember that this
00:28:05
tool is also there. Good, again
00:28:08
let's take a short break, and when
00:28:10
we come back we'll look at more tools for
00:28:12
reversing. Translation made in the CDS club
00:28:14
lalchik.com. Continuing our discussion of
00:28:17
tools for reversing, we'll
00:26:19
finally pay attention to something that
00:28:21
is not a debugger. This is a product
00:28:23
called PEBrowse. PE is short for
00:28:27
Portable Executable; it is a file format that is
00:28:30
used on Windows. PEBrowse
00:28:32
allows you to view 64-bit and
00:28:35
32-bit executables. It allows you to
00:28:38
view the different sections inside
00:28:40
these files. Such files may have
00:28:43
various parts, and we will find out how to make it
00:28:46
so that instead of one part of the
00:28:47
executable file, another is executed;
00:28:50
in this way the program can be made to do
00:28:52
some harm. And so, how to get PE-
00:28:55
Browse: you can use a search or
00:28:57
go to the vendor's website,
00:28:59
SmidgeonSoft, and there you will see that PEBrowse
00:29:03
Pro is available for download. Click on
00:29:05
the type of executable file you
00:29:07
need, the 64- or 32-bit version,
00:29:11
depending on which
00:29:12
Windows version you need, and then this
00:29:15
can be run on Linux using Wine.
00:29:17
Now let's see how to do it.
00:29:18
We downloaded it and received the zip file. And now
00:29:21
I think that you already understand that we
00:29:23
need to extract this zip file to the
00:29:25
Wine drive C directory and install it; on my
00:29:29
machine this has already been done. So here it is,
00:29:33
installed in Program Files (x86)\SmidgeonSoft\
00:29:36
PEBrowse Pro. If we look at what is
00:29:40
in this folder, we will see there the
00:29:41
executable. Just run wine,
00:29:44
then write the name of the executable file, and
00:29:46
in theory everything should be ready. Now I
00:29:50
will open a file in this program; it
00:29:53
will parse this file and show
00:29:55
its various sections. Here are the headers:
00:29:59
file headers and optional
00:30:01
headers. I can look at them, and then
00:30:04
I have the sections of my file, and I also
00:30:07
can get information about them. So this
00:30:10
was the PEBrowse tool. The last
00:30:13
tool I want to discuss
00:30:15
is called nasm. nasm is an assembler.
00:30:19
What does an assembler do? Computers
00:30:21
communicate in machine code; these are very
00:30:23
simple instructions. When some
00:30:25
code is given, and this code says add 2 to this
00:30:28
register, or add to this memory location,
00:30:31
or save the results somewhere else, this is
00:30:35
done in machine code, and one step
00:30:37
above it stands what we call
00:30:39
assembler. We will learn a little about it while
00:30:41
completing this course, and so on. But to
00:30:44
go from assembler to the actual
00:30:47
program code of the executable file,
00:30:49
that's what an assembler is needed for.
00:30:51
nasm can be downloaded for almost
00:30:54
any platform, and it supports
00:30:55
many formats, and like gdb and other
00:30:59
tools that were first
00:31:01
designed for Linux, it is very flexible
00:31:03
and very powerful. If you use
00:31:06
a Linux system, you probably already
00:31:08
have nasm, but if you don't have it, you can
00:31:11
install it using the package manager.
00:31:13
Please note that I typed nasm and
00:31:16
it did not say that it was not installed;
00:31:17
it just says that I didn't specify any
00:31:20
file. And here is the help for working with nasm. If
00:31:22
I needed to install it,
00:31:24
I would just need to type sudo apt-get install nasm,
00:31:28
then enter the password, and it will tell me
00:31:31
that it is already installed, and it says a
00:31:34
couple more things, but now they are not important. Anyway,
00:31:36
that was nasm. If you use
00:31:39
Windows, I repeat, I do not recommend
00:31:41
doing reversing on Windows. But
00:31:43
if you still insist, go to
00:31:45
nasm.us, and there you can
00:31:47
download it for various platforms.
00:31:50
Open the latest version, and there you
00:31:52
will see the DOS, Linux, macOS X and Win32 folders,
00:31:56
that is, different options are available.
00:32:01
Welcome to your Infinite Skills course.
00:32:04
This video will make it easy for you to
00:32:06
find the working files for your
00:32:07
Infinite Skills course and work with them.
00:32:09
Working files are intended for
00:32:11
you to follow the author while
00:32:13
going through the material, and in most
00:32:14
cases the author will say when
00:32:16
working files are available. Please note that the course
00:32:19
you will see in this video may
00:32:20
not be the course you are studying;
00:32:22
this video is just to
00:32:24
demonstrate how to get the working
00:32:26
files. If you are a subscriber to
00:32:28
our library, then you will see a button
00:32:30
to download working files on the page
00:32:32
with the course information. To download them,
00:32:34
just left-click, and your
00:32:36
browser will automatically download the working
00:32:38
files as a zip file. After the
00:32:40
download finishes, you can simply extract the files
00:32:42
from the archive and place them directly on your
00:32:44
desktop. It's very simple. If you
00:32:47
download the course from our site, then you will see,
00:32:50
as you'll see on the download page,
00:32:52
that the working files are a separate file to
00:32:54
download. After downloading the working files,
00:32:56
again, you can extract them directly to
00:32:59
your desktop.
00:33:00
If you use the player, you will see a
00:33:03
panel with various buttons right above the
00:33:05
video. In this player menu bar, find
00:33:07
this button; if you hover your mouse over it,
00:33:10
the label Open Working Files will appear.
00:33:12
To open the working files, left-
00:33:15
click on this button, and a window will open where
00:33:17
you can see the working files:
00:33:19
different folders and files, depending on
00:33:21
how your working files are organized. To make it
00:33:23
easier for you, we advise you to copy the whole
00:33:25
Working Files folder to your desktop.
00:33:26
Please note that if you downloaded the
00:33:28
working files separately, as we mentioned
00:33:30
previously, you won't see them here; never-
00:33:33
theless, you yourself should know where they are,
00:33:34
because you have already extracted them and placed them
00:33:36
somewhere on the computer, for example on the
00:33:38
desktop. If you are watching the course on DVD, then
00:33:41
there are several ways to get into the
00:33:43
folder with the working files to open
00:33:44
them, but with a DVD you can only open
00:33:47
these files; if you make some
00:33:49
changes and want to save these files,
00:33:51
you will need to save them on your computer. In
00:33:53
general, it's more convenient to just copy the working
00:33:55
files to the desktop, as we showed
00:33:57
earlier; this way it will be easier and faster to find them,
00:33:59
and you can save changes when
00:34:01
completing lessons. The working files
00:34:04
can also be found if you go directly to the
00:34:06
course files. To go to this folder on the
00:34:09
DVD on your PC, go to My Computer,
00:34:11
locate your DVD drive and
00:34:14
open it; you will see what is on the disk.
00:34:16
There will be a Working Files folder, which you can
00:34:18
grab and drag to your desktop. Also
00:34:20
you can copy it by right-clicking
00:34:22
and selecting Copy, and then
00:34:24
right-click on the desktop and select
00:34:26
Paste. If you are on a Mac, then click
00:34:29
the DVD disk icon on your desktop;
00:34:31
a window will open showing all the
00:34:33
folders and files on the disk, and you can
00:34:35
drag the working files to the desktop.
00:34:37
You can also copy them by right-
00:34:39
clicking on the folder and selecting Copy, and
00:34:41
then right-clicking on the desk-
00:34:42
top and selecting Paste.
00:34:47
Hello. In this video we will talk a little
00:34:49
about vulnerabilities.
00:34:51
Generally speaking, most vulnerabilities
00:34:53
are holes in a program that can
00:34:56
lead to some situation that
00:34:58
the developer did not foresee. Sometimes
00:35:00
there are, for example, protocols that are
00:35:03
vulnerable in themselves, and in such cases
00:35:05
you can use these holes in these
00:35:08
protocols, but still the majority of
00:35:10
vulnerabilities that can be found are
00:35:11
introduced by mediocre developers.
00:35:14
So the most common vulnerability is the
00:35:17
stack buffer overflow, or just
00:35:20
stack overflow. What is this
00:35:22
vulnerability? It looks something like this:
00:35:25
you have a program similar to this very
00:35:27
simple program that I have here. In
00:35:29
this program you ask for something like a
00:35:32
buffer; basically you specify a buffer, and
00:35:35
maybe this buffer is not big enough
00:35:37
for all possible inputs. This
00:35:40
may simply lead to bugs in the
00:35:42
program, but what's even worse is if
00:35:45
the user has full control over
00:35:47
this input data; that is, allowing
00:35:49
the user full control of the
00:35:51
input data is bad. Understood? Yes.
00:35:54
This is a program I wrote, a
00:35:56
very simple program in C. And by the way, C is
00:35:59
used for writing practically
00:36:01
all operating systems on our
00:36:03
planet, and because of this many such things
00:36:05
like stack buffer overflows and many
00:36:08
others depend on the C
00:36:10
programming language itself. So here I have,
00:36:12
I repeat, a very simple program; in it
00:36:15
there is one function called
00:36:17
function. We'll come back to it
00:36:20
in a few seconds. And here we have the
00:36:22
main function. The main thing in C programs, or
00:36:25
C++, is the standard callable
00:36:27
main function. It takes two parameters.
00:36:29
The first parameter is the number of
00:36:31
arguments we specify;
00:36:33
traditionally it is called that. You can
00:36:36
call it whatever you want, but usually it's
00:36:38
called like that. And then the main function gets an
00:36:42
array of strings. It looks interesting:
00:36:44
char asterisk asterisk. What this in fact
00:36:47
means is a pointer to a pointer.
00:36:49
In the C language, strings are essentially simply
00:36:52
processed as arrays, let's say,
00:36:55
so just a list of characters in memory.
00:36:57
Each such character is usually encoded in
00:37:00
ASCII and requires one byte for each
00:37:03
character in a string. All I'm doing here
00:37:06
is taking the user's input, and
00:37:08
by the way, this is a terrible program because
00:37:10
I just call function function, and
00:37:12
I don't check anything; that is, if you don't
00:37:14
specify parameters, this program will
00:37:16
crash. So I call function
00:37:18
function and take the very first argument
00:37:20
that is passed. This is my first
00:37:22
argument in this call. It may be
00:37:25
interesting to you why one, because you
00:37:28
know that the indexes of these arrays
00:37:29
start from zero, and the answer is that this
00:37:32
points to the name of the program that
00:37:35
is being executed, that is,
00:37:39
I specify the number 42 and 3 digits of pi; in
00:37:43
the following videos it will become clear why
00:37:45
I did this. So, and here in this function
00:37:49
we take this parameter, which is a
00:37:51
string; it is user-controlled,
00:37:53
and this is the danger. Never let
00:37:56
users have full control of
00:37:57
any function input, especially
00:38:00
if there is a risk of overflow or any
00:38:02
other problems. You need to check everything the
00:38:04
user enters. Then I create a
00:38:07
local buffer called local. Now
00:38:10
I say here that it will be
00:38:12
1024 bytes long, but let's reduce
00:38:15
it to make our example easier, and then I
00:38:19
call strcpy;
00:38:20
this function will copy
00:38:22
from the second parameter, from the
00:38:25
parameter, to my buffer local, and that's the
00:38:28
problem. I allocated 10 bytes; 10 bytes gives
00:38:32
me 9 characters and the terminating character
00:38:35
of the string. In strings, at the end of the string there is usually
00:38:38
a character terminating the string, and
00:38:41
it has a value of 0. So it's like
00:38:43
we'd say: hey, we're done here
00:38:46
copying. Copying will
00:38:47
continue until it comes to this
00:38:49
zero. If I specify 9 characters or fewer,
00:38:52
everything will be fine; if I specify 10
00:38:54
characters or more, not everything can
00:38:57
be okay anymore, because now I
00:38:59
will overflow this buffer, and everything that is
00:39:01
in memory immediately after this buffer can
00:39:04
be overwritten. Let's take a short
00:39:06
break, and when we come back I'll show you
00:39:08
how to compile this program and
00:39:10
make it crash.
00:39:12
Welcome back,
00:39:15
continuing our discussion of the
00:39:17
stack buffer overflow. Now I'll go to my
00:39:20
command line in my terminal, and
00:39:23
I will compile this program using gcc.
00:39:26
This is the standard compiler for Linux
00:39:29
systems, which is also available for
00:39:31
Windows and Mac systems. Just write the command
00:39:34
gcc and then give it the name of our program,
00:39:37
of our C file; we have stack_buffer_
00:39:41
overflow.c, and we can give it a name for the
00:39:44
output; if we don't do this, then it
00:39:47
will create a program called a.out, and
00:39:50
this is not what we need, so I'll specify here
00:39:53
another name. But before I do that, I'll
00:39:56
do one more thing. gcc is a very
00:39:59
good compiler; it is open source, and
00:40:02
people all over the world work with it; it is
00:40:04
used to create Linux systems.
00:40:07
Linux is an operating system from
00:40:09
programmers for programmers, and as
00:40:11
you can expect, they want this
00:40:13
compiler to be very good. They don't want
00:40:15
people to be able to have a stack
00:40:17
overflow, so by default you are protected
00:40:19
from such things if you use gcc.
00:40:22
So we need to disable this. This is done
00:40:25
using the switch -f, well,
00:40:28
-fno-stack-protector.
00:40:30
So we say we don't need
00:40:33
this protection; we want to study
00:40:35
stack overflows. Next I will write -o and give
00:40:38
the name of my program, stack_buffer_overflow,
00:40:41
and the program compiles easily.
00:40:43
Then I run my program and
00:40:46
I give it a string; I give it 9
00:40:49
characters, this is successful; I give it 10
00:40:52
characters, and this is also successful; then I
00:40:55
start to overwrite another bit of memory
00:40:57
and I get a segmentation fault.
00:40:59
Segmentation fault: we caused a crash of the
00:41:02
program, but to crash it
00:41:04
it took a little more than just
00:41:06
10 characters. Why this is so, in more detail,
00:41:09
we'll look at what happens in the next
00:41:11
video. In this video I just want to
00:41:13
show you what these vulnerabilities are;
00:41:15
we'll go deeper into the specifics and how it
00:41:18
looks on different platforms
00:41:19
later, and we'll also find out how to
00:41:22
protect yourself from this, how to find such
00:41:23
vulnerabilities, etc. Okay, let's
00:41:27
go back to our editor and talk about
00:41:29
another possible vulnerability:
00:41:31
the heap buffer overflow. We can
00:41:34
allocate memory in the same way as we
00:41:36
do in our example with the stack
00:41:38
buffer overflow. About variables: when
00:41:40
declaring a variable like this
00:41:42
here, as in the case of the local variable,
00:41:44
this variable lives and dies within the
00:41:47
braces where it was declared. For example,
00:41:49
here it is created inside these
00:41:51
braces, and when it comes to this
00:41:53
brace it dies. And where does it live
00:41:55
during this time? It lives in the so-
00:41:57
called stack, and we will talk a lot
00:42:00
about the stack, because the stack is very
00:42:02
important in understanding vulnerabilities. But if you
00:42:05
want to allocate a large amount of
00:42:07
memory, it is generally considered a poor
00:42:09
idea to allocate a large amount of memory
00:42:11
on the stack; instead it is allocated on the so-
00:42:14
called heap. The heap is a big
00:42:17
amount of memory, and for your program you
00:42:20
can allocate memory from this heap, and
00:42:22
then you use it until you
00:42:24
free it, which, by the way, in this
00:42:26
program I don't do, and this is bad. Here it
00:42:29
shows what it looks like when you
00:42:32
use the heap. The function that you
00:42:34
call, and I'm not
00:42:38
calling any other methods here, I just
00:42:40
say that I will create a buffer with the name
00:42:42
buff, and with the help of the malloc call I say: give
00:42:45
me 20 bytes, that is, I can
00:42:47
overwrite subsequent memory cells
00:42:49
if I enter more than 19 characters. This
00:42:52
will happen thanks to this function,
00:42:54
strcpy, and will cause problems. Well, if I
00:42:57
want to improve my program, here
00:42:59
it's worth calling free(buff) to free the memory.
00:43:01
So I'll have a heap overflow.
00:43:04
I can compile this; protection against
00:43:07
stack overflow I don't need here,
00:43:09
so I'll just take it and compile it.
00:43:12
I'll say this: gcc heap_buffer_overflow.c
00:43:16
and then the output, -o
00:43:18
heap_buffer_overflow. The program compiles
00:43:21
and a couple of warnings are displayed, and
00:43:24
now I can run it. I say
00:43:26
heap_buffer_overflow, then I give some
00:43:29
input data, then I give a little more, and
00:43:32
as we see, this may not
00:43:34
crash right away. To make the program crash
00:43:36
may need a little more
00:43:37
input data. Please note that I
00:43:40
crashed my program again, with
00:43:42
abort; it was interrupted by an error
00:43:44
different from a segmentation fault. So
00:43:47
let's take a short break again, and when
00:43:49
we come back we'll look at another vulnerability.
00:43:54
Continuing our discussion of vulnerabilities,
00:43:57
next we will look at the so-called
00:43:59
format string vulnerability. So what
00:44:02
is it? Well, if I want to display something,
00:44:05
for example using C or C-like
00:44:07
languages, usually you need to call a function
00:44:10
called printf. So here I
00:44:13
have a very simple program; all it does
00:44:15
is call printf, and again I
00:44:18
intentionally allow the user to
00:44:19
control the arguments that
00:44:20
are passed to printf, and this is a problem.
00:44:23
Here I just call printf; normally
00:44:26
it works fine as long as
00:44:28
the user doesn't enter anything
00:44:30
crazy. The real root of this
00:44:32
problem is that printf can be
00:44:34
called given one argument, and it
00:44:37
will just be printed, or it can be
00:44:39
called given the first argument as a
00:44:42
format string. The format
00:44:44
string determines how
00:44:47
what you want will be displayed;
00:44:48
for example, you may need
00:44:51
a certain number of digits after the decimal point,
00:44:52
or at the beginning of numbers.
00:44:55
In general, there are different ways of formatting
00:44:57
your string, and printf takes the first
00:44:59
argument as a format string, or
00:45:01
it just takes only one
00:45:03
argument. In general, the problem here is
00:45:05
that the programmer, in this case me, and I
00:45:08
did it here on purpose,
00:45:10
called this function without specifying a
00:45:11
format string, and this program
00:45:13
can be fixed simply by changing this
00:45:16
function call, that is, how we output
00:45:19
this string, but I won't do it
00:45:21
because I want to show you what will work
00:45:23
not so well. Now let's
00:45:26
compile this program. We go to
00:45:28
our terminal; we say gcc and write format_
00:45:33
string.c and then the output, format_string, and
00:45:37
please note, here it says that the
00:45:39
format is not a string literal, so
00:45:42
there is no format argument here, and it also
00:45:44
says how to turn off this
00:45:45
warning. So again, gcc is a
00:45:48
very good product, and it by default
00:45:50
warns you about such stupid
00:45:52
things. Next I will run
00:45:54
my program, giving it something
00:45:57
simple like "hi phil", and of course it
00:45:59
outputs hi phil, but it's difficult to
00:46:01
read because there is no newline
00:46:03
at the end. It works as expected.
00:46:05
What if I give this program something
00:46:07
like this: we write the format string %
00:46:10
%p %p %p %
00:46:13
n? The programmer hardly expects this, and
00:46:16
now we have a segmentation fault. And
00:46:19
what if I remove the %n? There is still
00:46:22
some problem, and please pay
00:46:24
attention, something interesting happened here:
00:46:26
I wrote some letters and
00:46:29
numbers, and later we'll find out what these numbers are;
00:46:31
in fact, these are pointers to certain
00:46:34
things in memory. If we work in a
00:46:36
certain way with these strings, then
00:46:38
we can make the program
00:46:39
crash exactly the way we need;
00:46:41
in other words, we can take
00:46:43
control of this program, which we
00:46:45
will do in future videos. So we've
00:46:47
talked about the most common vulnerabilities in
00:46:49
programs, and these vulnerabilities can also
00:46:52
exist in the operating system kernel.
00:46:54
All modern operating systems
00:46:56
that we use are based on
00:46:58
some kernel, and the programmers who
00:47:00
create them are subject to errors just like
00:47:02
others. Generally speaking, in the operating
00:47:04
system kernel there can also be
00:47:06
holes, and this is very dangerous. We'll find out that
00:47:10
programs that run in the kernel can
00:47:12
have higher rights; they can
00:47:14
do things that normal programs
00:47:16
can't, so these holes in the
00:47:19
kernel become simply very dangerous,
00:47:22
but we will talk about this in future videos.
00:47:24
Now we
00:47:29
will talk a little about fuzzing. Fuzzing is
00:47:31
passing random input data to an
00:47:33
application to try to
00:47:35
cause this app to crash.
00:47:37
Let's say the preliminary steps of
00:47:39
vulnerability detection: first you must
00:47:42
cause the application to crash, and when you
00:47:44
discover that there is a vulnerability there,
00:47:45
you can try to use this
00:47:47
vulnerability and see if it is possible
00:47:49
to hack the program, and what you need
00:47:51
so that it doesn't just crash, but
00:47:52
crashes exactly as needed, and
00:47:55
we will talk about this in this course
00:47:56
quite a lot. When it comes to
00:47:59
fuzzing applications, in this way we look for
00:48:00
possible vulnerabilities like the ones we
00:48:03
covered in previous videos, for example
00:48:04
overflows of various types of buffers, and
00:48:07
to hack these applications we must
00:48:09
feed them bad input data on the
00:48:11
command line. Naturally, this
00:48:13
is possible, and there may be benefits from hacking
00:48:15
applications that are vulnerable through input
00:48:17
data on the command line, but it is much
00:48:19
more useful and popular to hack a
00:48:21
vulnerable application which is,
00:48:23
let's say, a network application. It's clear
00:48:26
that this is in any case more desirable,
00:48:28
because it allows, over the network or
00:48:30
the Internet, finding a system on
00:48:33
which there is a vulnerable application and then
00:48:34
exploiting this vulnerability.
00:48:37
So, to prepare for fuzzing,
00:48:40
the first thing we need to do is
00:48:42
set up our virtual environment. I love
00:48:45
using VirtualBox; it is a very
00:48:46
popular virtualization tool;
00:48:48
it is free and available for
00:48:51
Windows and Linux systems and also for Mac. And when
00:48:54
VirtualBox is installed for you,
00:48:56
you will need to organize a network. And so
00:48:59
here on my VirtualBox machine the first
00:49:01
thing I need to do is organize a
00:49:03
network interacting only with the host.
00:49:05
For example, if you create a virtual
00:49:07
machine, I'll just click on one of the
00:49:09
virtual machines that I already have
00:49:11
here, and look at the settings; you
00:49:13
will see that in the Network tab,
00:49:16
by default there will be one adapter. Usually it
00:49:19
will be enabled and the connection type will be
00:49:21
NAT. NAT means network address
00:49:24
translation; this will allow the virtual machine
00:49:27
to connect to the Internet, which could be
00:49:29
necessary, but for our purposes we need
00:49:32
access to the VirtualBox guest machine from
00:49:34
our host machine, and for this we
00:49:37
need the adapter to have the
00:49:39
connection type Host-only Adapter.
00:49:42
Notice here the second adapter is
00:49:45
disabled. But before I configure the adapter,
00:49:48
how do I get a host-only adapter?
00:49:50
First you need to go to the main window of
00:49:52
VirtualBox, there go to File and then
00:49:55
Preferences. Already here, click
00:49:59
Network, and there you will see a tab
00:50:01
Host-only Networks. Click on this
00:50:04
tab, and initially there may be nothing
00:50:06
here; then you need to click here
00:50:09
on the plus and thus add a
00:50:11
host-only network. In my case I
00:50:14
already had one, so the one I
00:50:17
added I will delete, and then click OK.
00:50:20
So, and if I now go back to my
00:50:23
virtual machine, to my guest
00:50:25
machine, and click on it, then click
00:50:27
Settings and go to the
00:50:30
Network section, there I will click on Adapter 2 and
00:50:33
tell it to enable it, and then I'll say that
00:50:35
I want it to be a Host-only
00:50:37
Adapter, and by default, if you only have
00:50:40
one host-only network, this field
00:50:42
will be filled in automatically, and then you can
00:50:45
click OK. Great. Now let's
00:50:47
switch to one of our virtual
00:50:49
machines and install some
00:50:51
vulnerable software on it, and then I'll show you how to
00:50:53
use the fuzzer to find this
00:50:55
vulnerability. So I'll go ahead and launch the
00:50:58
machine with Windows 7. It will take some
00:51:00
time, because it's still Windows 7.
00:51:06
Looks like we've finally loaded up.
00:51:08
Let's log in.
00:51:12
Let's launch our browser and enter in the search
00:51:15
vulnserver.
00:51:17
Let's enter download vulnserver. Here, Grey
00:51:21
Corner is what we need; let's go there.
00:51:24
Let's scroll down this page, and somewhere here,
00:51:27
it will be here right before the comments, is the
00:51:29
link. Let's download our vulnerable
00:51:32
app. It is very small and
00:51:35
will load very quickly. Open the archive,
00:51:38
and we see that there is a folder with files with the
00:51:40
source code, the executable file and a couple of
00:51:42
text files. I need to extract all
00:51:45
this from the zip file. I will extract these files to
00:51:48
drive C:\vulnserver,
00:51:51
and after unpacking
00:51:53
ends, these files will be in our
00:51:55
created vulnserver folder, and we will take a
00:51:58
short break, and when we're back
00:52:00
we'll continue our discussion of fuzzing with the
00:52:02
vulnerable server.
00:52:05
continuing our discussion of phasing
00:52:08
let's take a look at our vulnerable server
00:52:10
waves server which we style go to
00:52:13
the directory in which you placed it
00:52:15
and run it you will see a message
00:52:18
Like this one where it says that
00:52:20
vulnerable software is running
00:52:21
software does not need to be connected to
00:52:24
networks or the Internet and also What
00:52:26
client connection is expected Now we
00:52:28
Let's go back to our host machine on
00:52:30
Linux and let's see what happens
00:52:32
happen when we do
00:52:33
let's connect to this server But there is one thing
00:52:36
but it's possible that we don't know the address
00:52:39
specifically this server if we don't
00:52:42
we know, we can watch it if we
00:52:45
open another command line and
00:52:47
Let's type ipconfig then we will see
00:52:49
information about two network interfaces
00:52:52
which we have configured about the interface above and
00:52:54
and the virtual Host adapter Here
00:52:57
we see information about the virtual
00:52:58
Host adapter Typically default
00:53:01
virtualbox uses
00:53:05
192.168.56 or other number dot and
00:53:08
first bootable virtual machine
00:53:10
usually gets address 10 check this
00:53:13
for a host machine on Linux, the address must be
00:53:15
just end with point one and so
00:53:18
if I switch back to a Linux machine
00:53:21
and go to the command line then I can
00:53:23
connect to this machine but before
00:53:25
We'll do it. I want to talk a little.
00:53:27
about the product called zizaf zizav is
00:53:31
phasing tool if you have
00:53:33
Linux system is based on Debian or
00:53:35
Ubuntu You can install it quite
00:53:37
easy It should be in the repository
00:53:39
for example on my machine I can check
00:53:42
I will write this EPS hyphen cache Search ziza and
00:53:46
he answers yes it’s me I’m an inconspicuous phaser
00:53:49
applications if I want to install it
00:53:51
need to print
00:53:56
ask for your password and in my case
00:53:58
he says Hey Phil, you already have it installed
00:54:01
zizav but otherwise it will give
00:54:03
message Do you really want it?
00:54:05
install or not but sometimes a message
00:54:07
The installation may or may not begin
00:54:09
immediately in general this is ziza and we’ll talk about
00:54:12
later, but now we need to determine
00:54:14
how can I connect to remote
00:54:17
server I want to use the product with
00:54:19
called netcat This is standard
00:54:22
a tool that probably goes in yours
00:54:24
Linux system by default If not
00:54:26
it can be easily installed by netcat or NC
00:54:29
it works like this you give it an address
00:54:32
cars
00:54:33
192.168 56 101 and specify port 999
00:54:38
press
00:54:39
Enter and he replies Welcome to
00:54:42
vulnerable server enter Help for help
00:54:44
The first thing I want to check is sensitivity
00:54:46
Is it to the register I print Help small
00:54:48
in letters and he says he doesn't know what
00:54:50
this is what it means that it turns out that he has
00:54:52
structure is case sensitive So
00:54:54
that I will type Help in capital letters and
00:54:57
I will see several teams that
00:54:59
supports this vulnerable server alone
00:55:01
from them help then some commands
00:55:04
exit Please note that Help and
00:55:07
Exit no other parameters
00:55:10
nevertheless they accept some
00:55:11
parameters let's see what happens if
00:55:14
I'll type Help and then just something
00:55:16
line and it gives me a message that
00:55:19
there are no specific commands? What?
00:55:22
if I give him a very long line
00:55:25
I’ll type Help and then many, many letters
00:55:29
Will this lead to crash No it won't
00:55:32
At least not with this one it works
00:55:34
number of letters A is one way
00:55:36
using netcat but we rather
00:55:39
would prefer to run it in some
00:55:41
script than just sitting like this and
00:55:43
blindly manually enter all sorts of stuff
00:55:45
so I'll go out and just come back to
00:55:48
command line I wonder if there is a way
00:55:50
send Help command to my vulnerable
00:55:53
server and then go back and reply
00:55:56
yes that's what I can do if I want
00:55:59
send some string
00:56:00
to some process over the network I can
00:56:03
run the Help command like this echo Help
00:56:06
and redirect it to the same address
00:56:13
192.168.56.101 port 999 what will happen
00:56:17
now I typed this and press Enter my
00:56:21
the Help command was executed and returned
00:56:23
the result and I'm back on the command line
00:56:25
if I put something like this in the script then
00:56:28
the script can try something else before
00:56:30
until it finally achieves a
00:56:32
crash I can also add here a
00:56:35
parameter for example a lot of letters A and I'll get
00:56:37
same result
00:56:39
Let's take a short break at this point.
00:56:42
and when we return we will discuss
00:56:44
semi-automatic methods for feeding very
00:56:46
long lines to your network server
00:56:49
translation completed
00:56:52
we continue our discussion of fuzzing
00:56:55
We said that we can make this process easier
00:56:57
using automation we saw that
00:57:00
we can write something like this:
00:57:02
echo Help to our server using netcat
00:57:05
and it does what we expected But
00:57:08
then we also said that it would be
00:57:09
it would be nice if it was possible somehow
00:57:11
make it easier and here's what we can do
00:57:13
if I want to add something to the end of this
00:57:15
command then I can specify one more here
00:57:18
the command that will be executed and
00:57:20
the results of this command will be placed in
00:57:22
my echo expression this is done in the following
00:57:25
way the command we want to
00:57:26
execute is placed in backticks
00:57:29
this is the key located next to Tab on a
00:57:31
standard keyboard So I'll say
00:57:34
perl and indicate along with this a
00:57:37
command line please print the
00:57:40
letter A five times and then I finish
00:57:43
quoting this command and then finish
00:57:46
the whole command with back
00:57:48
ticks and now it will correctly output 5
00:57:51
letters A And with this command it is possible that
00:57:54
the first time it's hard to understand what's here
00:57:55
is happening Therefore it will be easier if we
00:57:58
instead of redirecting this to netcat
00:58:00
first let's just display it on the screen and
00:58:03
we'll see what it does and of course I can
00:58:05
increase this number to say 5000 And
00:58:09
now we can try to use
00:58:10
this to crash the server Let's
00:58:13
let's try to do this quickly
00:58:14
redirect this to netcat and here
00:58:17
it says two things, which in itself is
00:58:20
strange the first line says that
00:58:22
no such specific Help command
00:58:24
exists And the second one says
00:58:25
Unknown command this is due to
00:58:28
that there are some restrictions
00:58:30
the length of the echo command on the command line it
00:58:33
breaks and turns out to be more than one
00:58:35
line So I'll do the following instead
00:58:38
redirecting this, let's say, I
00:58:40
I'll write this to a file First my command
00:58:42
then the greater than sign and then the file name
00:58:46
test.txt and now let's look at
00:58:48
this file we type nano test.txt nano is a
00:58:52
simple editor that installs
00:58:54
default on most Linux systems
00:58:56
and here it is, this is the command we have
00:59:00
leaving now I'll go out it turns out
00:59:03
that this alone is not enough
00:59:05
to crash the system, but what if I
00:59:09
send the GMON command, I'll change it a little
00:59:12
I will say this please do it here
00:59:15
this command And by the way in this
00:59:18
the program has a few holes if you
00:59:21
if you want you can even look at its
00:59:23
Source code But that's not the purpose of this
00:59:26
exercises The purpose of this exercise is to
00:59:28
to see if we can find these
00:59:30
vulnerabilities and if you try different things
00:59:32
this way, in the end
00:59:34
eventually you will find that if you do
00:59:36
a GMON command that starts with
00:59:39
a dot and a slash then a colon which is
00:59:42
used to separate different paths
00:59:44
and then another slash then this
00:59:48
the program may crash So here I am
00:59:51
I will save this result to the file Test 2.txt
00:59:54
and again I will open this file in nano and also
00:59:58
here is my command in some
01:00:00
In cases where it is not enough just to send
01:00:02
a lot of stuff sometimes it has to
01:00:05
there must be some kind of garbage
01:00:07
some Random data and here in
01:00:09
zzuf comes into play let's start by
01:00:12
displaying the contents of the
01:00:14
test2 file on the screen with the cat command and you see that
01:00:17
there are a lot of letters A and by the way if you want
01:00:19
learn how zzuf works type zzuf
01:00:22
--help and this will display the help
01:00:24
let's scroll here and see that the main
01:00:27
The syntax is the name of the program and then
01:00:29
some arguments in my case
01:00:31
the program I want to use
01:00:33
Cat that's why I'm typing
01:00:37
and you see that it has changed a little
01:00:40
some characters are no longer the same characters zzuf
01:00:43
takes some percentage of the input data and
01:00:47
changes them randomly and I can change them
01:00:50
this ratio of what changes and
00:50:53
what does not using the -r option For example
01:00:56
if I say -r0 then nothing will
01:01:00
change I will execute this command and
01:01:02
I will have all letters A or I can say
01:01:04
Change 38 percent and you see the output
01:01:08
changed or I can say Change five
01:01:11
percent that is possible here
01:01:13
options but for now let's use
01:01:15
standard percentage for
01:01:18
line output changes and here is
01:01:21
one problem is that
01:01:23
I don't want to change the very beginning of this
01:01:25
line I'll take this and put it in a file
01:01:28
which I will call
01:01:29
fuzz.txt and if I open this file in nano
01:01:33
then you will see this problem the very
01:01:35
the beginning of the file has also been modified
01:01:37
how to fix this there is more for this
01:01:40
one flag we can give zzuf to
01:01:42
tell it which bytes it can
01:01:44
modify by default it
01:01:46
modifies them all I want to start from byte 12
01:01:48
and with everything that comes after I am
01:01:51
completely fine we run this
01:01:53
command open the file again in my
01:01:56
editor And now I see that the first
01:01:58
the bytes were not modified Let's
01:02:00
Let's see if we can crash our
01:02:03
server I run cat
01:02:05
fuzz.txt and redirect it to netcat
01:02:08
I indicate my address here it says welcome
01:02:11
to a vulnerable server but the return
01:02:13
doesn't happen and if I switch to
01:02:16
VirtualBox then I'll see that Windows says
01:02:18
that this program has stopped responding
01:02:19
great for this video that's enough
01:02:22
when we return we will continue our
01:02:25
discussion of fuzzing translation completed
01:02:29
continuing our discussion of fuzzing we
01:02:32
let's talk about how to use something
01:02:34
like a simple script to make it easier
01:02:35
this process
01:02:37
here I have a very simple script in
00:02:40
Perl Perl is a very old language and
01:02:43
I'm sure it's installed by default in
01:02:45
your Linux system and it has a lot
01:02:47
useful features and what this one looks like
01:02:50
script this script starts with
01:02:52
special comment in it first
01:02:54
there is a hash or sharp sign after it
01:02:57
exclamation point and then executed
01:03:00
team this can often be seen in
01:03:02
scripts in Linux This combination of characters is
01:03:04
sometimes called pound-bang or shebang
01:03:07
or hash-bang depending on whom
01:03:10
you Ask In general it will launch
01:03:12
the Perl interpreter which will allow
01:03:14
running it directly without starting the
01:03:16
command with the word perl on the second line
01:03:18
the standard library is loaded here
01:03:20
with use and then I have two default
01:03:23
IP address parameter ending with
01:03:26
101 and port 999
01:03:29
then I check whether the second
01:03:33
command line argument passed is not
01:03:35
empty This is so that if the default
01:03:38
the settings don't suit us, we could
01:03:39
say what these settings should be
01:03:41
in this case, I make sure that these two
01:03:44
the variables were equal to what they were
01:03:46
indicated and then I create a variable
01:03:48
command it starts with GMON then a
01:03:52
period then slash then colon and again
01:03:55
slash followed by a very long line
01:03:57
on Linux systems the colon is often
01:03:59
used to separate directories
01:04:02
notice further I did a little
01:04:04
differently I send one thousand letters
01:04:06
and one thousand letters B and so on and
01:04:09
the reason why I did it this way is
01:04:12
we'll see how it goes
01:04:14
crash in the debugger and we want to know
01:04:16
where exactly this crash takes place and
01:04:18
how long should this line be
01:04:20
This will be very useful for us
01:04:23
further work in this course after
01:04:25
how I prepared this I create a socket
01:04:27
tcp based
01:04:29
socket I send it some information
01:04:32
If I can't open this socket I
01:04:35
use the construct or die, or
01:04:37
die if this is unsuccessful then
01:04:40
the program will die and display a message
01:04:42
error then I receive up to 1024 bytes
01:04:46
This is to get something
01:04:48
greeting welcome to vulnerable
01:04:50
server I output using Print this
01:04:52
greeting and then send mine
01:04:55
command and if the program I
01:04:57
I'll send it can lead to a crash then this
01:04:59
crash will happen I want to point out that this
01:05:02
the script can be easily modified
01:05:03
for example, use a loop in it to
01:05:06
create these 5000 characters or do
01:05:08
something else I just want to do
01:05:11
it's easier I just want to give you an idea
01:05:14
what can be done So let's move on
01:05:16
to the virtual machine I already have there
01:05:18
vulnserver is running and I want to start the
01:05:20
debugger OllyDbg I will launch another
01:05:24
command line and go to that
01:05:26
directory where I downloaded the OllyDbg debugger
01:05:28
I'll run it and it gives me
01:05:31
warning that I am not logged in as
01:05:33
admin it's possible now
01:05:34
ignore when we got acquainted
01:05:37
with this program we talked about the fact that we
01:05:39
we can indicate in it the one running
01:05:40
process we need to click file and then
01:05:43
Attach to connect to our running
01:05:46
server So I'll make this window
01:05:49
a little wider, scroll down and yes, here it is
01:05:52
here is my vulnerable server click on it
01:05:55
and click Attach it will take
01:05:57
some time and it will appear like this
01:06:00
warning here Ask if you want
01:06:02
to use old data and I
01:06:04
will say no, it will take some time
01:06:08
then my program will open and Pay
01:06:11
attention here in the lower right corner
01:06:13
it says Paused we are paused but for
01:06:16
for some reason this won't happen
01:06:18
successfully until I connect to
01:06:20
this program so I'll come back to
01:06:23
Linux system and run my script If
01:06:26
you yourself created a similar script then you
01:06:28
you need to change it to be executable
01:06:30
and this is done simply by using the command
01:06:33
chmod +x and then the file name I'll run
01:06:37
it I'll type fuzz.pl and now it is
01:06:40
running But it looks like it has stopped
01:06:42
for a second and if I go back to
01:06:44
I will see my virtual machine Why
01:06:46
it now says Pause
01:06:48
paused I clicked on Play and again
01:06:51
it says Pause but still something
01:06:53
changed if I look down here
01:06:55
then it says access violation
00:06:57
when writing to such and such a memory
01:06:59
cell and the program crashes and pay
01:07:01
attention to one more thing we talked about
01:07:04
this window containing registers in
01:07:06
one of the registers has a large number
01:07:08
letters D and in the other there is one letter B and then
01:07:11
many, many letters C in future videos we will
01:07:14
Let's see How to use this information
01:07:16
in order to determine what exactly
01:07:19
led to a crash What length should it be
01:07:21
line So we can control this
01:07:23
crash and redirect execution
01:07:25
programs based on code that we control
01:07:27
it could be some kind of shellcode or something else
01:07:30
what do we control and if I go to
01:07:32
see my Linux system first
01:07:34
the vulnerable server's greeting was displayed
01:07:36
and then the program crashed
01:07:38
the translation was made at the CDS Warehouse club
01:07:40
dot com in this video we're a little
01:07:43
look at assembly language The native language
01:07:46
on which the computer communicates
01:07:48
machine code But for us as people
01:07:50
is hard to understand, that is why there is this so-
01:07:52
called assembly language which stands
01:07:54
above it So here I have a very simple
01:07:58
program and in this program there is
01:08:00
some problems if you look at
01:08:02
my Main method then you will see that we take
01:08:05
as input possible list
01:08:07
arguments traditionally in the language
01:08:09
C programming We have
01:08:11
the number of arguments passed is
01:08:14
argc and also an array of strings for all
01:08:17
those things that come after that is
01:08:20
if I run my program and specify
01:08:22
parameter one and parameter 2 then it will be
01:08:24
it was said that the quantity was two and that
01:08:27
I specified will be passed as argv 1 and
01:08:30
argv 2
01:08:32
So here I create a string and call it
01:08:35
Local string and I put it inside
01:08:38
the value of Main function is nothing
01:08:41
does but later we will see how it does
01:08:43
stored in memory and it will help us
01:08:44
find certain things then I
01:08:47
I create another local variable and
01:08:49
this is an integer, a hex value is stored inside it
01:08:52
value
01:08:53
112234 and then I call the function
01:08:57
function function passing it the first
01:08:59
the argument that the user specified in
01:09:01
command line and then return 0
01:09:04
So now let's quickly
01:09:06
consider function function it takes
01:09:08
one string parameter and also specifies
01:09:11
Local string again it does this for
01:09:14
to help us identify
01:09:15
various things in memory then we
01:09:18
define another local integer
01:09:20
number and buffer local string 2 length 10
01:09:23
this will give Us a maximum of 9 characters and a plus
01:09:26
null line terminator and then
01:09:29
then strcpy where we take
01:09:31
the parameter that was passed and copied
01:09:33
it into Local string 2 What is the
01:09:36
problem Well, if this string has a length
01:09:38
there will be more than 9 characters
01:09:40
overflow and we'll see what
01:09:42
will happen to our program if this
01:09:44
will actually happen and then function
01:09:47
function returns value 1 So
01:09:50
to actually see what's here
01:09:52
is happening We will need to run our
01:09:54
debugger Immunity Debugger I will launch Immunity
01:09:58
Debugger and tell it which program it needs to
01:10:00
open we don't need this
01:10:02
vulnserver program but the program where
01:10:05
there is an overflow here you are
01:10:08
see I have a program called
01:10:10
buffer Overflow open it so Now
01:10:13
I opened this program of mine and here it is
01:10:16
this window displays on the left
01:10:17
disassembled code of my
01:10:20
programs
01:10:21
Here in this column right here I see
01:10:24
pure machine code or opcode
01:10:26
operating code as it is often called
01:10:28
this code tells me that for example 55
01:10:31
means push ebp put register
01:10:35
ebp somewhere and about this we
01:10:37
we'll talk later it's only one instruction
01:10:40
in general here we have a set of commands and
01:10:43
there are also addresses And here in this
01:10:46
window We have our registers here
01:10:49
we have a register called eax which is
01:10:51
also often called the accumulator and
01:10:54
there are also these other registers on
01:10:57
actually high speed cells
01:10:59
memory inside the processor itself But
01:11:02
here in this area we have Dump
01:11:05
memory and here on the right we have
01:11:08
stack In general, our debugger works If I
01:11:12
I'll go here and scroll down then
01:11:14
here I will see something that starts with
01:11:16
401290 and ends with 401 Hey what
01:11:22
inside there is also a push command
01:11:25
there is a mov instruction, a sub instruction and then
01:11:28
my function line which is
01:11:30
moves to a specific cell and
01:11:33
also I see the value FFEEDDCC here
01:11:37
this value is the integer that
01:11:40
it was in my program but in a column
01:11:43
machine code this value goes
01:11:45
in reverse order, although in the
01:11:47
program itself if you look it was not in
01:11:49
in reverse order the reason why in
01:11:51
in machine code it is displayed in
01:11:53
in reverse order is that Intel systems
01:11:56
use byte order from least significant to
01:11:58
to most significant little-endian This means that
01:12:00
if your value is more than 1 byte then
01:12:03
the smallest part comes first and this is typical
01:12:05
for most processors with which
01:12:07
We usually work and later in this course
01:12:09
we'll talk about some exceptions and
01:12:12
here we move the value 1 to
01:12:15
the desired cell and then leave So here
01:12:18
a little bit happens but you are already you
01:12:21
see what we do then here
01:12:24
we have more code, let's call it a
01:12:27
preamble to our program then
01:12:29
a couple of standard calls are made and then
01:12:32
here we have the line Main function
01:12:34
is loaded into a specific cell here
01:12:37
our integer value then here
01:12:39
here we move more data and here
01:12:42
here we make a call we make a call to
01:12:45
memory cell 401290 Well, actually
01:12:49
this is the cell where we have the call
01:12:51
functions function function After that we
01:12:54
return 0 and exit if we are again
01:12:58
let's look at our program there
01:13:00
we will see that Main function returns 0 and
01:13:03
that's exactly what's happening here we are
01:13:05
move 0 to then leave and
01:13:09
the function returns which terminates
01:13:11
Let's take a short break from the program and
01:13:14
When we get back we'll talk more about language
01:13:16
assembler translation
01:13:20
continuing our discussion of language
01:13:22
assembler we actually step by step
01:13:24
Let's go through this program in the debugger
01:13:26
to see how it all works
01:13:28
So let's look at this code again
01:13:32
sometimes you can get a little lost here
01:13:34
so it might be easier to just close
01:13:37
program and restart Immunity
01:13:39
So I'll open my program in it again
01:13:42
buffer Overflow it will be displayed in Immunity
01:13:45
somewhere The beginning of this program is here
01:13:48
some preliminary code which
01:13:49
must be completed and last time we
01:13:52
they said that if you scroll down then
01:13:54
somewhere here our code begins
01:13:55
functions function function and then goes
01:13:58
Main function code So to run
01:14:01
we need to make this program a couple
01:14:03
things The first thing is to go to the debugging item
01:14:07
and give her some arguments Because
01:14:10
if we don't do this this program
01:14:11
it will crash because it is not very well
01:14:13
written let's give it an acceptable argument
01:14:16
range 1 2 3 4 5 6 7 8 9 in theory this is
01:14:22
the longest line that can be contained in it
01:14:24
indicate select OK and it says here
01:14:26
that we have changed the Arguments and that
01:14:28
the program needs to be restarted, but we
01:14:30
it hasn't been launched yet, so for
01:14:32
this is not a problem for us now we need
01:14:35
set breakpoint
01:14:37
a breakpoint we can click
01:14:39
on a certain line for example Here we are
01:14:42
load the value of the Main function if
01:14:44
here on this line make a right click
01:14:46
you will see that there are various
01:14:48
options and one of them is Breakpoint
01:14:51
we can enable it like this
01:14:54
or just press F2 I clicked on
01:14:57
Toggle and now you see that this line
01:14:59
memory cell is displayed differently
01:15:01
specifically this line of disassembled
01:15:03
code is highlighted Now if I'm here
01:15:06
at the top by clicking on the Play button to
01:15:08
run this program It will execute
01:15:10
up to this line and so on when parsing this
01:15:13
programs I watch What changes in these
01:15:16
registers And perhaps more importantly
01:15:18
I look at the stack which is located here
01:15:22
here the stack is a place in memory
01:15:24
let's say a temporary place where you are
01:15:27
put some things on top Push and
01:15:29
then take what is on top pop in
01:15:32
for each program being executed there is how
01:15:34
at least one function and when calling this
01:15:36
functions its local variables
01:15:38
are pushed onto the stack we talked briefly about
01:15:40
this when we talked about overflows of
01:15:42
various buffers and other information
01:15:44
is also pushed onto the stack every time
01:15:46
function call some includes
01:15:49
for example such a thing as a return address
01:15:51
Let's walk through our
01:15:53
program And if you look up then
01:15:56
you will see that there are several for this
01:15:58
options there is a step forward step through
01:16:00
trace forward and skip
01:16:02
tracing So if you select Step
01:16:05
forward, you can also press f7 for this
01:16:07
then this line will be executed and
01:16:09
there will be a transition to the next one. Please note
01:16:12
attention I copy different values ​​into
01:16:15
memory cell, that is, nothing yet
01:16:17
this is what it says here: call
01:18:20
memory cell 401290 which as we
01:16:25
said earlier is the address of the function
01:16:27
function I'll take it one step further and
01:16:30
look what's happening here's my stack
01:16:32
at 22FF50 I note that in the
01:16:36
Linux and most other systems stack
01:16:39
grows upward, that is, this value
01:16:41
will go down if my stack grows
01:16:44
So I'll take one step forward and pay attention
01:16:47
attention he just grew up
01:16:49
it says Return to 4012EF
01:16:53
from this memory cell that
01:16:57
there is the first thing that happens when called
01:16:58
this function is what the return address is
01:17:01
pushed onto the stack the return address is that
01:17:03
memory cell in which you will need
01:17:05
return then when this function
01:17:07
will end that is immediately after the call
01:17:10
this will be this memory cell we can
01:17:12
it’s easy to confirm this if we scroll here
01:17:15
here down to 4012EF You see that
01:17:19
really right after this call
01:17:21
this memory cell goes Let's do one more
01:17:24
step and we see that there is even more information
01:17:26
pushed onto the stack then do another one
01:17:29
step and 8 more is subtracted from the stack
01:17:33
in other words I said Let's make room
01:17:35
on the stack what will I do with these 8
01:17:37
bytes Look at the next two
01:17:40
lines I'm going to move the cell
01:17:42
memory for my function function string
01:17:45
and also for my integer and exactly
01:17:48
this is what happens Now I have
01:17:50
memory cells in my stack If you
01:17:53
look here you will see this
01:17:55
cell function function And here is my whole
01:17:59
number in machine code integer goes to
01:18:02
reverse order because order
01:18:03
bytes from least significant to most significant little-endian
01:18:06
Take one more step and we have completed the
01:18:09
call, that is, we moved the value 1 to
01:18:12
look here and of course there we have
01:18:17
value 1 Now when to leave this
01:18:21
command the stack will be
01:18:24
unwound Please note
01:18:26
my two values have been removed and now
01:18:29
at the top of the stack the return address is here
01:18:32
it says return here from mine
01:18:34
call I take one more step and now I
01:18:37
back to my Main function I'll move
01:18:40
0 to eax I'll call leave again this time for my
01:18:43
functions Main We see that there is something else
01:18:46
popped off the stack and then I call
01:18:48
ret return everything happens as it
01:18:51
should after a short break let's make
01:18:53
this program behave
01:18:55
wrong and let's see what happens
01:18:56
translation made in the club
01:18:59
we continue our discussion of language
01:19:02
assembly we will further consider
01:19:04
this program and see what happens
01:19:07
if we overflow our small buffer
01:19:10
We said earlier that there could be 9
01:19:13
characters and I'll add some more
01:19:16
quantity here we say Okay and in point
01:19:19
menu select Restart restart then
01:19:22
execute the program until the breakpoint
01:19:24
Here it is here, I copy this value to
01:19:28
my local variable then comes my
01:19:30
second value
01:19:32
112234 I move values ​​back and forth
01:19:35
here I move 4 to X and then I
01:19:40
I indicate this line This is right here
01:19:44
the line I specified in the command line
01:19:46
line and now this value is in
01:19:49
X I'll take another step again And here it is
01:19:52
here I am ready to call my function
01:19:54
function function I call it
01:19:57
the preliminary code is executed as
01:19:59
before I push the value ebp onto the stack
01:20:02
then I move the stack pointer to ebp
01:20:05
and then I subtract 38 because now
01:20:09
I have some information that you need
01:20:11
send namely this is huge
01:20:13
string and so I take away this value and
01:20:17
The first thing I do is move it
01:20:18
function on stack If I take a step you
01:20:22
you will see that this is what is happening now I
01:20:25
I'll move my value FFEEDDCC it too
01:20:29
moves and here I have a function
01:20:31
function And here it is a different value
01:20:33
and the rest of the space will be used
01:20:36
for this big line I step and
01:20:39
Please note that we now have
01:20:41
the stack has this line now I'll do
01:20:45
this call to strcpy and so I make the call
01:20:48
to strcpy we step over all this and
01:20:51
you see how it works now I
01:20:54
I put the Edi value on the stack and then we
01:20:58
move another value into edi We
01:21:01
move it into it This is the value 22 FF
01:21:05
2.0 is our memory cell for this one
01:21:09
functions
01:21:10
we continue to move on and at the same time
01:21:13
we are gradually consuming this
01:21:16
value from ecx
01:21:18
And now we're ready, I'm back
01:21:21
back to my method If I do more
01:21:24
one step I move my return
01:21:26
value 1 here and I'm ready to call
01:21:29
Leave but now some
01:21:32
the problem is that I overwrote mine
01:21:35
return address Let's do a few more
01:21:37
steps and this is a potential problem
01:21:39
becomes obvious Now look here
01:21:42
It says here that an access violation
01:21:45
occurred when reading this cell
01:21:48
in general the following happened here I
01:21:51
overwrote part of my stack and
01:21:53
Specifically, I overwrote the part where my
01:21:55
return address in subsequent videos we
01:21:58
we'll talk about this a little more
01:22:00
let's talk about how to overwrite it
01:22:02
exactly as needed to cause
01:22:04
incorrect behavior translation completed
01:22:07
in this video we will look at overflow
01:22:10
stack buffer or just overflow
01:22:13
stack in previous videos we talked briefly
01:22:16
what a stack buffer overflow is
01:22:18
and in this video we will go a little deeper
01:22:21
one of the things you need to understand
01:22:23
if you want to understand what it is
01:22:25
Stack Overflow is what we
01:22:27
call the calling convention a
01:22:29
calling convention is how we
01:22:31
indicate the parameters in those functions
01:22:33
which we call when it comes to
01:22:36
32-bit Windows has three main
01:22:38
possibilities one agreement is called
01:22:44
and there is one more but not so popular
01:22:46
it's called fastcall So how do they
01:22:50
look cdecl is the convention for
01:22:52
calls when all arguments are passed on the
01:22:55
stack and when using cdecl the
01:22:57
stack should be cleaned by the one who made the call
01:22:59
the caller's arguments are pushed onto the stack
01:23:03
from right to left In some cases this
01:23:06
the calling convention is
01:23:07
necessary mainly when you have
01:23:10
varying number of arguments
01:23:12
which will be pushed onto the stack then
01:23:14
You need to use this method and
01:23:17
the reason for this is quite simple if you
01:23:20
push varying amounts onto the stack
01:23:22
arguments then the Function you
01:23:24
you call has no idea how much
01:23:26
space needs to be freed up when the function
01:23:28
will end Therefore in this case you
01:23:31
must use cdecl another
01:25:33
option is stdcall from Standard Call
01:23:36
If you are using 32-bit Windows and
01:23:39
32-bit API sometimes called Win32
01:23:43
API then This is the standard interface
01:23:45
calls Here are also all the arguments
01:23:47
are passed onto the stack But here's the difference
01:23:50
the stack is cleared not by the one who
01:23:53
called the function but by the function that
01:23:55
was called in charge of cleaning
01:23:57
stack there is one important thing in this
01:24:00
the advantage is that your code will
01:24:02
more concise because instead
01:24:04
so that everyone who calls some
01:24:06
a certain function every time after
01:24:08
this whole code cleared the stack
01:24:10
concentrated in one place but not
01:24:13
nonetheless certain things cannot be
01:24:15
done with this method you cannot use std
01:24:19
call for a method with varying
01:24:21
arguments like printf and other
01:24:23
similar functions in this case you need
01:24:25
use cdecl and do the same
01:24:28
as in cdecl here the parameters
01:24:30
are placed on the stack from right to left one more
01:24:34
option called fastcall is when
01:24:36
the first two arguments are passed to
01:24:38
registers ecx and edx And the remaining ones
01:24:42
arguments are pushed onto the stack on the right
01:24:44
to the left and here the callee clears the stack
01:24:47
if necessary and I say if necessary
01:24:49
because if there's only one or two
01:24:52
parameter then there is nothing on the stack
01:24:54
no need to clean everything is done completely
01:24:56
within the registers this is not the most
01:24:59
popular calling convention in
01:25:01
32-bit Windows but still like this
01:25:04
calling convention is possible now
01:25:07
let's talk about a successful exploit
01:25:09
buffer overflow what it looks like
01:25:12
you need to do the following overwrite the
01:25:14
function return address and also
01:25:16
and also inject some
01:25:19
shellcode is some kind of malicious code
01:25:21
which you can develop yourself or
01:25:23
get from someone else So
01:25:26
shellcode is simply machine
01:25:28
the code that is used for
01:25:29
certain purposes and in many cases
01:25:31
you need to copy this shellcode to
01:25:34
the area you overflowed and then
01:25:36
just execute it, we'll simply download the
01:25:39
shellcode A great place to
01:25:42
find it is shell-storm.org and when we
01:25:45
we'll get to the later stages of this
01:25:47
course and talk about development
01:25:48
exploits we will look at how to do this
01:25:51
ourselves
01:25:52
The stack plays a major role in all this and
01:25:55
the ability to influence the stack and fully
01:25:57
understand how it works is
01:26:00
important to be able to
01:26:02
write exploits that use a
01:26:04
stack buffer overflow vulnerability
01:26:07
the general goal is to overwrite the return
01:26:09
address and what usually comes after it
01:26:12
this is achieved by overflowing local
01:26:15
variables And by the way, the Intel stack grows
01:26:19
toward lower memory addresses we
01:26:22
will find out more about this in some
01:26:24
future videos after the local variables
01:26:26
there is a so-called frame pointer
01:26:29
this usually refers to the register EBP
01:26:33
In short, there is a return address and
01:26:36
after it comes some information like this
01:26:39
the goal is to overwrite the return
01:26:42
address and this information I need to
01:26:44
change the return address so that it
01:26:46
points to the space that comes
01:26:48
right after it and to do that I
01:26:51
need to overflow one of these
01:26:53
variables so that it runs past this
01:26:55
frame pointer and sets the return address to a
01:26:57
specific value and this specific
01:26:59
value will be the address that follows
01:27:01
immediately after the return address and there
01:27:04
I will inject my shellcode translation
01:27:06
completed
01:27:09
in this video we will continue our
01:27:11
discussion of stack buffer overflows and
01:27:14
we'll go through some examples So
01:27:16
here I have a very simple
01:27:18
program it has a main function that takes
01:27:20
input from the command line I
01:27:23
declare a local variable Local
01:27:25
string I declare a local integer
01:27:27
variable and then call function
01:27:29
function with the first parameter specified on
01:27:31
the command line the user controls it
01:27:33
and this means that it is possible
01:27:35
it may overflow my string So
01:27:39
here in function function I take the
01:27:41
same string and also create several
01:27:43
local variables including Local
01:27:45
string 2 which I give length 10 for a
01:27:49
string length 10 means that this string
01:27:51
can have a maximum of 9 characters because
01:27:54
I also need space for the
01:27:57
string terminator character
01:28:00
and I'm trying to copy this parameter into
01:28:03
local string 2 I hope it fits and
01:28:06
there will be no overflow And then I
01:28:08
return this value from one of my
01:28:10
functions in general it is quite a simple
01:28:12
program further on we have the source code of
01:28:15
this program but I want to quickly
01:28:18
show you an example of how you can crash
01:28:20
this program possibly without having
01:28:23
the source code we need to test
01:28:25
So here I have a very simple
01:28:28
Python script that will call
01:28:30
the compiled program that I
01:28:32
called buff it will call it and
01:28:35
pass it some parameters and I
01:28:37
will use these parameters to
01:28:39
find out exactly how long a string
01:28:41
I need to specify in the last video we
01:28:44
talked about how to overwrite the
01:28:46
return address and then give it
01:28:49
some shellcode but we need to know
01:28:51
exactly the address of the location we will
01:28:53
overwrite it depends on the local
01:28:55
variables and where exactly they
01:28:58
will end up So here in my
01:29:01
Python script I import subprocess
01:29:06
which allows me to do other
01:29:08
things I have a variable called
01:29:11
param and I set it equal to the string buff
01:29:15
plus a space and then I run this
01:29:17
small loop and in this loop I
01:29:20
say for i in range from
01:29:23
A1 to FF and this gives me values for i
01:29:27
from hex A1 to hex FE
01:29:31
Perhaps you say Phil I think you're
01:29:33
mistaken it should be up to FF But there is one
01:29:36
thing you need to know about ranges in
01:29:39
Python is that the last value is not
01:29:41
included, that is, it goes up to
01:29:43
the specified value minus one and in my
01:29:46
for loop I add to my string the
01:29:48
value A1 A2 and so on and then I
01:29:53
call my program using
01:29:55
subprocess.call with param like
01:29:57
this here I pass this string it will give me
01:30:01
the following When my program crashes
01:30:03
this will allow me to see exactly where
01:30:06
this crash occurred and what it could be
01:30:08
This is very useful So let me
01:30:11
continue and go to my command
01:30:13
line now to execute this
01:30:15
program I need to run Python
01:30:17
my Python is in another
01:30:19
directory I specify the full path and
01:30:21
I say
01:30:22
python.exe test.py my program
01:30:25
will start and notice that it immediately
01:30:28
crashes and it says here that if you
01:30:30
click here more information will be
01:30:32
displayed and here you see the offset
01:30:35
the offset is the information that we
01:30:37
needed here it says that there was an attempt to
01:30:40
access memory location d0
01:30:43
cfcd remember some past videos
01:30:46
where we talked about byte order we
01:30:49
said that on the Intel platform numbers are
01:30:51
stored in little-endian format
01:30:53
least significant byte first This means that
01:30:56
the smallest byte comes first and so on
01:30:58
And when you see an address like this it
01:31:01
indicates that in memory it will be CD
01:31:04
CF d0 In other words, it simply
01:31:09
begins with CD Now we have a
01:31:11
starting point So, how long
01:31:14
was our string at that moment: I won't
01:31:17
send a report here because
01:31:19
no one cares anyway and I can
01:31:21
use the built-in calculator
01:31:23
on Windows or just use the
01:31:25
Linux calculator either of them is
01:31:28
suitable for getting the information
01:31:29
that we need So I will
01:31:33
use the Linux calculator here
01:31:35
I will use it in programmer
01:31:36
mode so I have the value
01:31:40
CD and from it I want to subtract my starting
01:31:43
point which was A1 and this value
01:31:46
equals 2C And what is this value in
01:31:50
decimal here you see
01:31:53
that this value is displayed as 44 so
01:31:56
2C in decimal equals 44
01:31:59
this tells me that I need to go 44
01:32:02
bytes and then insert the address of the location
01:32:05
I need
01:32:09
we continue our discussion of buffer
01:32:11
overflows I have already loaded our program into
01:32:15
Immunity I set a breakpoint somewhere at the beginning
01:32:18
near my main function there I
01:32:20
copy the main function string into my
01:32:23
variable I will execute our program up to
01:32:26
this place and we'll see what
01:32:28
happens to it So you may have noticed
01:32:31
a few things here for our
01:32:34
program several register values were set
01:32:36
What is the stack doing here?
01:32:39
here at the top of the stack is the return from the call into
01:32:42
Microsoft code and then below you see
01:32:45
some other information and so on
01:32:47
Let's go ahead and walk through this
01:32:49
step by step we will look at the change at
01:32:52
every step now there will be a change
01:32:55
and here you see what happened I
01:32:58
made this equal to the address of the
01:33:00
memory location where the main function's
01:33:03
string is stored This is the address
01:33:06
403011 if I look at that memory
01:33:09
location then there I should see this
01:33:12
saved string Aha in my memory dump
01:33:15
it didn't fit, but here we
01:33:17
also see this value if I do
01:33:20
one more step I'll see that the
01:33:22
value
01:33:23
112234 was saved here these are the
01:33:26
local variables that are stored on the
01:33:29
stack now I will add 4 to the value
01:33:33
which is in EAX and then I will move
01:33:36
some information and when I
01:33:39
call this method I move this
01:33:41
value and here it is, I have a string
01:33:45
with a lot of A's remember that
01:33:48
if I want to set parameters for my
01:33:50
debugger I can do this by selecting
01:33:52
Debug and then Arguments here
01:33:55
the arguments I give are simply
01:33:57
a string of letters and now I'm ready for the call to
01:34:00
this function let's say this was
01:34:02
preparation for this particular call of the
01:34:04
function and now I will move
01:34:07
my data Taking another step now
01:34:10
this data has also been moved to my
01:34:12
stack so I have my data on the stack
01:34:15
And I'm ready to make the call
01:34:18
note the top of the stack 22ff50 next
01:34:22
after I make the call there will be a
01:34:24
change what happened now I
01:34:28
pushed the return address onto the top of the stack
01:34:30
the previous line was pushed
01:34:32
down and here I'll put something more on the
01:34:34
stack We take one step further and push
01:34:38
EBP onto the stack we said it is the frame
01:34:41
pointer Here we have it 22ff78 this
01:34:45
is the address we say is the
01:34:47
boundary between the frame of this function and the previous
01:34:49
function and now I'll subtract 38 from the
01:34:53
stack pointer this will change the size of my
01:34:55
stack and so you will see that after
01:34:58
I take a step the stack will become larger So
01:35:01
why is this so, I'm making room
01:35:04
for these local variables I once again
01:35:07
call this method and move my
01:35:10
function string onto my stack
01:35:12
remember that this is the bottom of my
01:35:15
current frame and Note that
01:35:18
I moved function function here and
01:35:20
I'm also going to move onto the stack
01:35:22
some other things some other
01:35:24
local variables So here I am
01:35:27
moving even more data onto my stack
01:35:29
then I make a couple more calls and now I'm
01:35:32
getting ready to call a function with
01:35:34
strcpy Please note that on my
01:35:36
stack here is the source src I'm trying to
01:35:39
copy this to memory location 22ff
01:35:42
20 which is here on my stack I'm
01:35:46
going to overwrite all this information here Let's take
01:35:49
one more step then a couple more steps this
01:35:53
is all some library code and
01:35:55
thanks to optimization in this
01:35:57
library code all these things are
01:35:59
moved in pieces step by step
01:36:01
let's go through and note what
01:36:03
happens here here I have
01:36:04
several times 41 41 41 41 this is the letter A
01:36:09
you see that as I go step by step
01:36:11
the letters A are becoming more and more I
01:36:14
overwrote the variable now I overwrote
01:36:16
function function and in general I continue
01:36:18
overwriting everything like
01:36:20
crazy and so I continue on and on
01:36:23
maybe I went too far with the number of letters
01:36:26
A But this is basically nothing, I hope
01:36:28
I'll get out of this function soon though
01:36:30
I keep taking steps sometimes because
01:36:33
if you specified too much
01:36:34
you can get tired of this information
01:36:36
Of course the program will crash the
01:36:38
only question is when it will happen
01:36:40
I finally got out of my function and
01:36:43
now when I call leave and
01:36:46
then ret the program will crash
01:36:48
we take one more step and of course boom the program
01:36:51
crashes here it says that it is impossible to
01:36:53
read this address which
01:36:55
matches all these A's and to
01:36:57
prove what we talked about earlier I
01:36:59
wrote a simple script in Python that
01:37:01
exploits this vulnerability So First I
01:37:04
send 44 letters A then I send the
01:37:08
return address which we saw in
01:37:10
Immunity we can look at Immunity and
01:37:12
make sure it was 22
01:37:14
ff44 back in my
01:37:17
script, this is exactly the byte order we have here
01:37:20
from least significant to most significant and then
01:37:21
here is my shellcode that I took from the site
01:37:24
shellstorm but there is a
01:37:26
small problem this problem is in
01:37:29
this byte which contains 0 this
01:37:31
byte is interpreted as a terminating
01:37:33
null character and it effectively cuts off the
01:37:36
strcpy operation in future videos we will talk about
01:37:38
how to get around this problem but for this
01:37:41
you will need to use several
01:37:42
tricks when I run this script it
01:37:45
will be a little unhappy about this anyway
01:37:47
let's try this script, I'll run it
01:37:50
I'll go to my command line where
01:37:52
I need to run it and it contains an exploit script
01:37:56
And when I do this I will be told
01:37:59
hey slow down you have zero
01:38:02
bytes in the string and that doesn't suit me
01:38:04
but to show you that this really is
01:38:06
the right place I replace the
01:38:09
null with 11 I will save my
01:38:12
script and then run it again So I'm
01:38:15
again on my command line I run the
01:38:17
script there is a problem the program
01:38:19
crashes and Pay attention to the address
01:38:22
the offset address 1122ff44 is exactly
01:38:27
the value that I specified and it tells
01:38:29
me that I'm in the right place Well, about
01:38:31
how to fix the problem with zeros we
01:38:33
will talk in future videos translation
01:38:35
completed dot com Did you like it?
01:38:37
like this video and write
01:38:39
comments Bye everyone
01:38:41
[music]

Description:

Reverse engineering is the process of studying a sample of a printed circuit board in order to produce an analogue or an improved version. Software reversing is the recovery of the principles/ideas/algorithms behind how a program works, for research and/or for creating similar software. It is often used for (not covered in the course, but you will be able to do this yourself afterwards): analysing viruses/trojans/worms and the like in order to build defences; finding holes in closed-source software in order to create viruses/trojans/worms/exploits and the like; writing descriptions of data formats/protocols used in programs, etc.; analysing how closed drivers and the like work in order to create open Linux ones; building pirate servers for server-based games like WoW and polishing them until they resemble the official one.
Year of release: 2015
Author: Philip Polstra
Original title: Reverse Engineering and Exploit Development
Duration: 02:00:34
The first part of the course includes:
01. Getting Started: Introduction to Reversing; About the Author; Ethical Considerations; Reverse Engineering Tools - Part 1; Reverse Engineering Tools - Part 2; Reverse Engineering Tools - Part 3; Reverse Engineering Tools - Part 4; Reverse Engineering Tools - Part 5; Reverse Engineering Tools - Part 6; How to Use the Example (Working) Files.
02. Reversing Compiled Windows Applications: Vulnerability Overview - Part 1; Vulnerability Overview - Part 2; Vulnerability Overview - Part 3; Using Fuzzing (a testing technique in which invalid, unexpected or random data is fed to the program's input) - Part 1; Using Fuzzing - Part 2; Using Fuzzing - Part 3; Using Fuzzing - Part 4; Just Enough Assembly (presumably, basic reversing) - Part 1; Just Enough Assembly - Part 2; Just Enough Assembly - Part 3; Stack Overflows - Part 1; Stack Overflows - Part 2; Stack Overflows - Part 3.
Telegram channel: https://t.me/Hacking_School666 Donations: Visa: 4890 4947 6096 6986 Ethereum (ERC20): 0x95c2c0a2de94840543d5f6ec69cdba9ff6f34692 Bitcoin (BTC): 3Bxr8E73NjWnQTv2Hoxm49gitNgCYZkfUR Dogecoin (DOGE): DQMvdBLNF6HptH5kRok66KQcePvYS4eQrp Cardano (ADA): DdzFFzCqrht9NC4q3LGk2GoY2LTSo6ipoPaxj8G43mcCacKwbtNeJNuVEwMHsTAvw7pLyA1zAv6AwYEFfsxzEmKzvocRSsVRAVSFQVyr
