Record to the Cloud, hide this thing. Really important topic here. I'm just calling conventions and maybe that doesn't sound like too much to you or anything else. But it's really important to use the young hackers and to all kind of like X86 soft or whatever and so on. And it's the essence of our first credit. Okay, so we've got weird machines that just do Marvel stuff, right? So we're, we're pretty good at that now. We're like flow-through command, command, command, command, moving around registers and John or whatever, and so on. Okay. You are a developer and you have made some really nice functionality. Fibonacci calculator or whatever. And everybody really loves your Fibonacci implementation. It's voted number one on StackOverflow for the question, how do I get Fibonacci? Or it's if you using it yourself or whatever. And you just factored your code in such a way that you have a subroutine that you're going to call. You guys have been doing that since Cisco six, It's a pretty common thing to do. So the question is, how does our stupid marble machine use a subroutine or a function call? So calling conventions, it's really saying, how do I jump from the main idea of what I'm doing into what you wanna do and then come back. Let's look at that. And just like Python or something, you know, now that this adds too much elimination, but let's say I've got a function and this is like my subroutine. And it'll take in a and B, and it will return a times b mod 26 for some reason. And now here's my main function. Main is a little silly in Python or whatever, but I'll say x equals 23, y equals 56, z equals subroutine of x and y, x equals x plus z return x. Okay? So perfectly valid, Python, the return value if you're doing the math in your head or whatever is 37, fine. Don't have to think too much about that. Now, why do I care about this? Well, this simple little problem is kinda what we're use all I'm in function. I have some arguments. When to jump into some other function, pass it my arguments, and then get the return value. Uses referring to that myself. Okay, So in this kind of functional paradigm of code, how is it that I go from function a to function B and back? Alright, that's the story we're here to study probably all week, but at least today. If not tomorrow. It's mastery task C. Alright, with me on the story we're here to tell. Okay? So what makes that hard or not, or whatever? Well, let's do it in C. Maybe actually, so maybe I shouldn't have jumped straight into Python. I could have just been in C, which is, you know, our language here. Do okay. Okay. We're gonna make a new directory called calling conventions. All right, so let's write our dumping return, x plus y. Seven half Python half see, zooms in the way as the wild little moment. Alright. Class is really exciting today. Cool. Alright. I don't need to think hard about these numbers. Fine. Okay. Does might actually be too complex. So let's say I'm going to calculate f of a plus B. Yeah, I've done that's fine. Whatever. That's fine. Okay. Let's make and run this program. Okay, get rid of this junk again. Okay, So here's the story we're here to tell. Now how do we see the human behind the code? Well, that's setting 23 and go local variable instead of 89.2 local variables. Here is the call to a function called f. Now it's so called sin dot F because it's a symbol. That's how assembly works with gotos essentially, you know, that thing that you've never been allowed to touch because we'll trust you or whatever. Again, I feel this way about seat belt, warning lights, just like my wife needs to deal with this five-year-old lower on the highway. So you should be able to unbundle for a few seconds and take that risk could give. Quit yelling at me. Anyway. Fine. Seat belts are in your soul now so that you feel dangerous. You're not wearing your seat belt colonized your brain. I'm here to fight back. You have the choice to make risk. You have the choice to autonomy anyway. So this symbol is go-to. We were never taught CO2s or whatever because they're Ancients, but they are how your computer really works. And that is, I'm going to jump to a symbol. Alright, fine. Then we go to that symbol. Yep. I should've done mod. Mod looks weird. Fine. But here's my function. It's going to do some stuff and then it's going to come back and return here. So step one, I know that I wanted to do something here and then continue here. Okay. How do I get my dumb marble machine to do that? In fact, I can almost write these down just like emotional goals of a common convention. When I get into the subroutine, it is going to want places for its local variables, just like this function, it's just as specials than the other. And every subroutine should feel just as special as main does. Alright, how do I do that? That is, hey, look where these local variables that are rbp minus whatever. Well, I want my subroutine and feel the same way. Everything is close to RSVP. Base pointer is where home is. That's where my toothbrushes from spend a night at someplace. Wherever my toothbrushes, that's my base pointer right now. And I want this place to feel this as homilies I can make it. Alright. How do I get arguments to it or whatever? Like, how does that work? When all this really does? Okay, I'm going to tell this story in five parts. And also we call it a convention. A convention is like a cultural protocol. It's kind of like this. I could do this. That can be what to do. Right? I didn't. I just said I can do this. And he reached out and grabbed my hand and shook it. If that wasn't expected by me, it would frequently the hell out right. This minute shakes it. But what the hell are you doing, right? But, but but because we had a shared convention, it's totally sensible. And so like a convention is something where AB is. Maybe it's not, I don't know. Handshakes have probably about medieval people being armed or not or something like, I don't know where they came from. The French like cheek kiss or whatever. But the point is that there's a convention in play here in order to let the marble machines do the work that we need to do, which is jumping to routine, make it feel like home, and then come back and resume review. Upper right, that's our job. And so we want to understand what does that convention, why? And write it into our hearts so that we know what to do in the situation where somebody offers us their hand. We can we can get along and his new country and order coffee and stuff. Okay, with me. Alright. And then we're going to use that convention against it. Social engineer, a Ocean's 11 heist or whatever kind of a thing based on the cultural norms of this place. Now this Martian landscape. Alright. So let's tell that story. Here are the five parts of the story. One, what exactly happens when I do recall at the start of every function, this, the handshake, pardon, at the start of every single function is a push, rbp, move, RDP, RSP. And at the end of every function is a leave and a rent. Now, I'm going to, I'm going to replace leave with these two. And sometimes you'll see it as the word leave. Sometimes you might see it as these students sometimes have just seen, is that one depending on what they did with the stack pointer. But these are all leaving and then that is rest. So my convention here is that call and caps here. This is the thing that I see and this is what I think. And this is what I see. And this is what I think. These are sort of be what are the operations that take place in order to pull off these things, right? Those three of the first, That's probably all today is telling that story. And then we get into our perimeters past. But really can mess around with parameters. Do I feel God bolts on here? Just to come on now, some cool. I'm cool. Okay. I think that was over-simplified history and my voice there. It's interesting I to happen. Anyway. So here's the convention. I've got call, and then I've got another call. And inside the subroutine, push, move, pop, ret. So these, these sort of five lines exists in every subroutine call. They even exist at the beginning of main itself and at the end of main itself. All right, so let's tell a story now. If this style is not for you, or you want to hear this story in a different way. This is the, this is the story of this first chapter at home wizard.com, which is a, a simple choose your own adventure story with chapters and pages. Here's page one. No op. Just read the texts and turn the page. Okay. Just read the page. There's a wizard and I picture your operating system is this dude who's got all sorts of crazy books and stuff. Gripping them with all its feet and things like that. But it's a really kindly kind of narrator that every time they read, they make you feel like you're the only person in the world and they're just reading you their story, but they're actually reading a whole bunch of stories that wants to whatever have you guys seen that movie with Joaquin Phoenix where he falls in love with an operating system. It's called her know. All right. We just launched and it's pretty wild. Yes. Joker doesn't help us at all now. Maybe I don't know, I haven't done that analysis my head quickly, but I won't give away the plot line of her then. But, you know, it's fine. Operating systems make you feel like you're the only person in the world. You're not. Okay. And this thing is a magical library. So your CPU is a wizard. So as they read stuff, it actually happens, right? So they reading spells and they read the spells that affects the world or whatever. Alright, that's, that's what the plot line of my story. If you want to hear this in an analogy style, that's that. The very next page is, get a piece of graph paper, write the number three in the rightmost square, and then turn street to chapter two. This is equivalent to call chapter two, which is kinda what we're talking about today. So page three, which we're going to skip right over, is, you know, you're at the end congrats or whatever, but we don't get to go to page three. We have to go all the way to chapter two. Alright, gearing up. And so tell the wizard where to write your name on the graph paper. See, write their name on the graph paper. Pick a weapon. Write your name on the graph paper, whatever. Now a journey into the battle. Now it's going to call the great battle. So please turn your books at the beginning of Chapter, won a great battle. The next page is congrats, but we don't go there yet. But you'll note in my dumb little poem wizard, when we jumped to Chapter two, we wrote down page three. Why? Because we have to go back to page 31, chapter two is done. When we are going into battle, we're gonna write down page nine. Why? Because we have to go back to page nine when we're done. This is a weird choose your own adventure story. And in order for the plots make sense, you have to know where the next page is, what I call the chapters in whatever order the story tells me to. Page nine is congrats, but I haven't gotten there yet. I'm just running debt written down page nine while I'm on page eight, we every time I do a call. Alright, so that's sort of part one of the Convention is, whenever I'm going to go someplace, remember the next line, right? And why is that? Because this, if I'm going to go someplace, I have to come back. And so I have to write down somewhere that I'm coming back. Now, what are my choices for where am I going to write down that instruction pointer? So you're imagining we're going to create a submission from scratch. I'm going to jump into some function. I need to remember that this line, I've got two choices for where to remember it, register or the stack. That's it. I got my RAM. I've got my registers. Well, if I write a registered, then part of my colleague conventions to say, Hey, core little Apollo computer or whatever, I'm going to take away one of your only registers or whatever because you can't use your registered and more exhibit, leave it fixed for the whole duration of your program, so that makes it feel less special. And if I've got a recursive call, that's going to call the same thing 100 times or whatever. Then I don't have 100 registers and I feel like keep track of each register. So I think registries or out as an option for writing my return address. It only works for one function call and it makes it to the function less powerful. And I can't compose my function. I just said that, but I can compose functions and take away register or whatever. I'm not going to write etc. What does that leave me? That leaves me the stack. Alright, got it right into stacks. That was my piece of graph paper. So I'm just going to write down the next page. I'll take you back to the cone wizard adventure with our monkey CPU. Wizard, monkey CPU. Alright. Chapter eight, we're calling the great battle. Great. Please turn to chapter one. Chapter won a great battle. Okay? Have your hero fight a dragon using the weapon they previously chose. Okay? The Wizard says, the great hero, whatever the name on paper, 11 boxes to the right, uses a blank whatever is written on the paper just there to slay the dragon. Okay, cool. So that's just, you know, I wrote some arguments into the stack. I jump into this place that's vitally passing arguments is I'm going to write the arguments on the stack to in this case. And now I'm going to return from battle, which is leaving rep. Okay, how do I do that? Well, you're at the end of the chapter to turn to the page indicated by the leftmost number on your piece of paper and erase the number. In our case that was number nine. And so we're going to jump to number nine. And page nine was congrats, leave the magical room and return to reality. Okay, cool. I conquer the dragon. Now it's time to leave the store and go back to reality. Clear the name and weapons parts and your piece of paper by erasing the 20 squares, we allocate it earlier. And now, like at the end of all chapters, jumped to the most, you know, the last page left over, which is page three, jumped back to page three and welcomed back at venture where at the end, we can erase the number. We're all done. Your venture is over. Okay? There is a secret chapter at the end, Chapter 666. And it really shouldn't be there. But if you can trick the wizard into reading this page, kinda like a genie saying, I'll make Eugenie or whatever, it will grant you all of the wizards power and mute the wizard, you know, up until this point the wizard is the only one talking and things like that or whatever. But if you can get the wizard to read this out loud, then there's a magic spell that will give you control of the computer. That's sort of what we're here to do it. Okay, So trick the computer into reading the magic spell that gives you all of its power. All right. Okay, cool. So that's pulling wizard.com. Very silly thing. Fine. But the idea is this, the call instruction. What are we going to do? Well, we're going to push an instruction pointer. Then we're going to jump to the function. Alright? So we run instruction one and instruction two. What I need to write down is where instruction three, where do I come to afterward? So the call instruction doesn't exactly pushed the instruction pointer and pushes the next instruction pointer onto the stack. Okay, let's observe that. So step one is this, you guys. So this is literally what I think when I see the word call, that is I'm going to write on the next Saturday and I'm going to jump to that summary. Why? Because I need to come home. Because Amelie and people go to that subroutine. I don't know who else is using that subroutine. It's Fibonacci. Whatever. My function when it's done should come to mind functions home, that's somebody else's house, buses to school or something. We all go to school, but you take your bus home. Alright. So let's see that in action. Oh, what, what probably I've broken this by now, but we'll see if I can set a breakpoint. Yeah, good. Alright, We are here. I'm going to take a look at a few things. Alright. I am saying that the two things that will happen when I run this command is that it's going to take this address 561 VOD OF C19 three and push it onto the stack. Scenes in radar land. That next, the stack will go down by eight bytes, make room for that address. And that address will show up where the stack pointer is somebody, the first eight bytes here, and everything else will shift off to the right. Then I'm going to jump into the next instruction I run will not be this one, but it will be the one inside the function. Let's see it. Okay, observe where we are. The stack pointer went down by eight bytes. The address that I predicted by 61o DOS C19 three is in fact, the next thing on the stack has been pushed onto the stack, being Secretary McDonald wrote it onto the graph paper. You can think of the graph papers going left to right as a stack is moving to the left and a right heel push and pop moving to the right lingo problem. And I have talked to the beginning of my separate. Cool, too slow. So what is the next part of my calling convention? Well, take a look at this moment in time. This is an awkward moment in time. I don't even know what an NDR C64 does. Some ignoring. Am I thinking? Let's take a look here. For those in the back. This has like a local variable set where the local variables live. Rbd minus four, minus eight. Okay? That's what this function is going to expect for its local variables. Now, where's the base pointer right now? It's way up here. The base pointer is up here. And what's in the base pointer stack? Five-ninths in hexadecimal. That's probably one of those variables like threw in there, right? Like that's one of my Andy values over there. The base pointer is over here. And even my return address, it's sort of in a weird place, whatever. Now that's because this base pointer right now is what I would call the old base partner. This is not the new functions, base pointer. This is the base pointer of my previous function. Okay. Are you with me on that idea? The base pointer is where my local's live. And if I were to not do anything else, then this thing is going to look for values AT base pair minus four. Let's say somebody has yet made the other day, Hey, we're doing something and you're like looking around and you saw the base pointer, you just would have looked. How to do that. It's like, Well, that's a great question. Which is to say, here I can see base pointer ends and 21. And here I can see this is 208. And so I can use this grid that is going to be the next byte that ends in zero lives here. So if I'm looking for where is 21o on this grid of the stack, just kinda moving grid. Then I see here is where my base pointer, which means base point or minus four, is the four bytes just to the left of it. Base pointer minus eight are these four bytes. Alright? What is five times 16 plus nine. Now, what variable did I write into my local variables? So this is 89. Okay? So question, if my base pointer right now is from the oldest function where the old local variables, what should I do with seven FF, D6 to ABC, to one out? Can I throw it away? Pros and cons of throwing it away? If I throw it away, I can at least start fresh and make a new kind of base pointer for this new function. And I can say, alright, I'm just going to start making space on the stack for you. Dysfunction. What I wanted to feel like most important thing in the world. But if I throw it away, I'll never get back by local variables from before the functions. There's two people I have to try to keep happy in this compromise. Person called me and the person I'm going to okay. Are you with me on that kind of vague notion? That is to say the old base pointer gives me access to the old local variables. It's like a math or a key. Your GPS coordinates. Lift and identify my old neighborhood. Within this neighborhood of three houses to the right. That's my house. Okay. Which means that the next part of our calling convention is something that allows me to get back my local variables from whence I came. Okay? So all functions start with these two commands. Push our VP, RSP, and Darby. Okay? Those commands you'll see at the start of every single function. And so far I've just said just ignore those. They happen everywhere. They have nothing to do with a person. Because so far the goal was, what is the human on the other side, mastery test B is all about you seeing the coder through the code, through the assembly has a seed setting up us, the hackers, we have to understand these conventions in order to build a social engineer. Them were like CIA agents and we're preparing for what life is like on the ground in Kiev or whatever. So that when you land on the ground, you're going to be received warmly and you can sort of blend in. Alright. So what is pushed RPG loop where we feel about this one stores the old base pointer. And this one will replace the base pointer and make a new home. So this is sort of saying, you know, make sure you have your keys when you leave your house. And when you get to a new place, you know, take your toothbrush out and put it in or whatever. I don't know when I'm going back to the house and I need here for a long time. So I'm going to settle in and kick off my shoes, take off my jacket, whatever. But don't lose my keys because then I can't get back into my old house. That's roughly that's like three different analogies for this or whatever. Hopefully one of them works for you. Hopefully they compliment each other or something. Let's take a look at why and how that works. Here's push ebp, move our VP. Alright, so what's going to happen? I'm going to hit S to do the DOM command that I don't think there's anything. I don't know what it does. I don't know. Npr 64 speaking, Google it and be like, oh, it's actually missed the ball. Push our VP. Here we go. What's going to happen? To ten? The seven FF D6 to a bc21o is going to get pushed onto the stack. Alright? That is the old base pointer is now stored. So that means that the old return address, and we've talked to the right, the base pointer came on here. Okay. Now what the next command sets up the new stack frame. That's the first time I've said that word stack frame. But it's just saying your local variables always lived between the base pointer and the stack pointer. And so we need a new base pointer to represent this new clean camp site that where we're going to set up a tent or hotel or whatever. Right, So what changed here? I, I saved base pointer, and I just made the new base pointer equal in the sack of the stack is, is sort of like keeping track of everything is just sort of move in wherever there's data. And it represents the Wilton, the frontier, basically, like a stack is anything to the left. The stack is the frontier. And so what this just did, it says, okay, we're coming back together, stacking the base, you're here. And you can now put your local variables off this way. And your base pointer with a state fixed for this entire function call. If ever you've done Python or any coding language, any of your classes. If you have a variable inside a function and you have another function, they don't get access to each other unless you make it a global. That's called scoping. Scoping is just another word for base pointer changing. So whenever the baseline and change, your scope has changed, all the rules that you learned or whatever, and just sort of above that, you replace the base pointer. Does it automatically get a new stack pointer? The stack pointer is where it is. So let's see. Let's take a look at a fourth visualization. Actually, our first visualization, these other ones have been word-based. Maybe I'm a word based learner, I don't know. Alright. This, by the way, was made by a student. We were farting around during COVID time doing things or whatever. And this was her way of visualizing it or whatever. It was down the other day, I reached out to her to ask her to be like, Hey, can you bring that back up? I really liked your little burger stack thing. And then she came and hung out with us on Friday for the CTF or whatever. So we were only one problem away from perfect score isn't Alright, cool. So it's nice to reach out, connect anyway. Alright, so that's Cortina. This is the stack burger shack. Fine. My, I'm at the base pointer here, and I met the stack pointer here. This is sort of the world that we find ourselves right in at the moment of time He's question, these are the same. Now I'm going to make a local variable, local var x. I'm going to push that onto the stack. Every time I push the stack pointer is going to kind of move to the left. In this visualization, the base pointer is moving down or something or whatever, but they're getting further apart. Local y. Now, the instruction pointer is often a completely different address space. The instruction pointer is going to address, address, address, address, address like that. Okay? So if this thing is that this address. And now we're gonna do a call. I'm going to call a function. Alright. What is the next thing that gets? So let's pretend I'm gonna call cook me. Let's say it's a burger thing. I don't know. I call cook cook something. What does what goes on the stack next? What's the next thing I'm gonna do to this burger? Yeah, sure. I'm going to push the instruction pointer. So this is like call cook. And then this maybe is the instruction for server or something like that. Then, then I might push the next address, which could be served a burger or something. The burger I probably should serve fries or something. Okay, so I'm about to go into my calling convention. I push the next address. That was part one of the calling convention. Now, where does the instruction pointer go? Well, it jumps over to the cook routine. Alright, so now the path of consciousness of Emil was now on the short order cook. Alright, cool, this thing up. Alright. So that was push the next instruction and then jump to the cooking. All right, that's what we just did. Now, what's the next part of our thing? Well, it's push rbp. Why? Because I need to recover local variable x and y. Alright? So we're going to push rbp. So I'm gonna call this old base pointer push. Alright. Now, what is in old base pointer? It's literally the address of this bottom bun right now. Alright, And where's the stack pointer always at the top. Okay. Now what's the last little part? It is to move the base pointer to the stack pointer. Alright, I am now in the Cook Cook subroutine. And as far as the cook subroutine is concerned, I've started all over again with a fresh empty burger. And now we can just do whatever it's going to do inside of there. And that's sort of a new stack frame, my base point or my stack pointer together. My stack pointer can move off to the left and I can put local variables. I can do whatever the heck I want inside of this function and have no awareness that I came from someplace else. We're all actually aliens or whatever, but we don t know that, you know, we just pretend like we're just live in this human life or whatever. We have no idea. I don't, I don't actually think where it came from, aliens or anything. But if we did, we wouldn't have to know or care because we have our own little stack frame where we have our own little truth. Okay? We found that sort of red pill, blue pill. Beyond your frame is old stuff that matters. Let's go back and take a look at our code in the context of that. Okay? At this moment in time, I am inside of a subroutine, my bass player, my stack pointer, the same amount of fresh burger I can make new variables here. Okay, cool. But if I were that crazy, mean guy that says like aliens on the History Channel or whatever. Then I might say, Hey, we're all on a separate team man. And like what's beyond the base pointer. But you don't like doing like serious injury stopped me on the baseball. And it gets out a telescope or whatever it is like. Look, that's an address that's totally an address written beyond the base pointer or whatever. And there's another address beyond the baseline. So part of what we're doing is hackers were transcending the particular function wherein we're going to control that stack. Now imagine that you can control that stack. That is, if I'm in this function and I'm writing two things, they're being a little bit lazy with compiler optimizations here. I'm going to hit S. S is going to copy RDI, which is 17. What does x 17? 16 plus seven is 23. That was one of the numbers I typed. It's going to copy 23 and the base pointer minus four, I'm gonna hit S. I don't see it on my stack because it didn't actually move the stack pointer because they know I'm just here to do some simple arithmetic, which is just a little bit lazy on their part. So I'm gonna hit C. So I can kinda scroll up and see where the action is. Alright? So I moved away from where the second normally it's just to kind of inspect what's on my actual frame S. And now it's copying that other values. So you see that just to the left of the old base pointer is 175,923.9. So my values got copied into my local space works. Okay? Now imagine that I did a, a gets command right here, which is what basic D3 does. Pcv13 is this exact same setup. But here, Here I start writing things to this variable. And the flaw and PCV13 is that the right doesn't stop you from writing beyond just the few bites that was made for you to write your string. So the flaw and DCP3 is it you can keep on writing deep into the stack. Okay, For question. If you are here and you're writing at this point, and you're allowed to start screwing with the graph paper well beyond the area that you should be screwing with graph paper. What sort of malicious notice can you get into? So what was this value here? It's the old base pointer. Alright, so by screwing the old base pointer, what will happen? Well, if it went back to main, lose track of its local variables. Local variables at the base pointer minus four. So if I screw with this base pointer, I can change its concept of what the local variables are. Maybe that's interesting, maybe that's done. Far more interesting to me. Is this one. What is this? Minus seven numbers here? You remember? Already forgotten. This is part one of our convention. We did it push next address. And then if you jump into a subroutine, is one, this thing is the address that I will come back to that depend on my subroutine. Imagined that I can edit that. We can actually, if I can edit the address that's supposed to return to. Now, I don't have to go back to earth. I got a spaceship man. I can go wherever the hell I want any address space, as long as I know a valid address. That's a lot of computing power. That'll be our first exploited. And that is the first exploited PC3, all the instruction pointer, put it someplace, it wasn't supposed to go. So to do that, you have to know an address. You have to be able to put a payload. How long did my payload have to be? In this case, if I started reading into 591-23-4567, 8910, 1112, 1314, 1516 bytes of junk that I don't care about an eight bytes of a malicious address. Right? So that kind of math is very simple math, but that's the math you're going to do a block for the next three weeks or whatever it is. How deep is, how long does my family need to be? And how do I get a malicious address to jump? And that's gonna be a question you think a lot about as we draw the first step, the next. Okay? Alright. Now, calling convention wise, I'm just gonna do a bunch of crap in here is a really long-winded way of doing a mod. Alright, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine, mine. Okay. Now, I'm back where I was going to put myself back with a stack pointers. Okay. Now for the last part of the calling convention, where my stack, stack Bergerac, okay, So the equivalent of what we just did was sort of a subroutine Local a. Now the base pointer would be here, subroutine local b, that goes here. So the subroutines just gonna do some math with this stuff or whatever it's going to do, Fibonacci. Alright, now we get to the end. You guys with me so far. We've got just a few parts to this calling convention. They are, you know, call, which is really just the next address and jump the beginning of the function, which is sort of setting up a new stack frame. And now we're going to talk about leaving a function. What happens when I leave the function? Now? These have a certain symmetry to them. I should have lined up the text so you see the cemetery perfectly. But if you take a look at this push, move, move, pop. These are perfect inverses. You guys know the, the socks and shoes theorem. If in the morning you first put on your socks and then your shoes, then in the evening, you must first take off your shoes and then your socks. If you attempted to take off your socks before taking off your shoes, you are a silly person. Okay? So when you do function composition, you do function a and function B. I'm going to go to invert you invert function B and then invert function a in order to get back to the world you are in. Okay? So let's take a look at what happens when I leave. Leaving does the opposite of setting up the stack frame, it tears down the step. How do we set up the stack frame where we can remember the old base pointer? And we moved the base pointer to the stack one. Alright, so leave today's who do the opposite. I'm going to move the stack pointer to the base pointer. And then I'm going to recover the old base. So this is going to reach from the stack the old value and put it into the base pointer. So this is betting back-up my function contexts so that I have my local variables again back where I came from. So those are exact opposites. These two commands here and delete command, because the opposite now in our case, they were lazy and they stack pointer null. So all we got was a pop, RBD is a sec when you're already was the biggest one. So they're like you said, too overbearing. Like you don't really need to like this, that clarity. Okay. So just left it there the whole time. So you kind of did this but not that. Fine. Then basically the RET command is the most important command for us hackers for the next month. That's because every time the recommend is run, there's an opportunity for malicious. Ron all the freaking time. All of you, you're getting all of your pockets are running it right now. Alright? The read command is full of malicious intent or opportunity. Okay? Here's the correct command does it will take an address from the stack and basically set the instruction pointer to the address on the stack. So really see it as pop RIP. But it's take the next eight bytes off the stack and set instruction pointer to those bytes. That's what red does. That is the most powerful command we've gotten moment. That's the most interesting command we haven't moment, which is an address from volatile memory. Will we use to jump instruction parts? First time we really had an instruction pointer jumped is today, right? Normally it starts, somebody's going, boom, boom, boom. But now we're jumping in and jumping back. Okay? Which means that if you can control the sack, you can control the instruction pointer. That Mario video and I'm washing they want or whatever. Yes, what was controlling the stack locations at turtle shells? If this turtle shell is that this x address or whatever, something like that, remember is that in the stack and if you like, overflowing with turtle shells and things or whatever, you're controlling more of a stack and you should have the right to control its controls and instruction pointer. You can set. Alright? So things that control the stack, our power, and what controls the stack, essentially everything you ever do, right? And so, so the essence of secure software design on, at this level is keeping your stacks in their box. There are no aliens. Just be happy with your little blue pill life, whatever. And don't think about anything beyond your contexts. Live between the secondary interface prime. Okay, cool. So that is the leave in red. Let's do, let's do it here. As we pack up, I'm going to return the old base pointer, which basically sets my new contexts. So one F0 is where my new stuff was. And if I hit S, now I'm back to 2100, that's where my main addresses lived. My main locals live near here. Then finally, red is going to read this address off the stack and jump the instruction pointer to the address it finds here which will end in 193. Sure enough, is the expected behavior. By the way, that we've been learning programming. You've been learning this your whole life. You know, you just didn't know that that was the calling convention, whatever. This is, just Python as far as you're concerned. But how does Python work? Works like this? Why does Python work because of this? Why is Python structured the way it is? Because that's how the operators work. Like it's the chip drives you, not the other way around. Alright? Okay, that's the first calling convention without arguments, things like that, cetera. I could not get my PCP to work in time, so I don't have a PCP right now I could do. There was another one that's like write me a poem or make me something creative that shows that you understand calling conventions that might be a fine PCP in the event that my binary didn't work. So just tell me a story that says you get calling conventions, but that's maybe silly. Alright, cool questions. Alright, there's five little commands. They're tall. Push rbp, move the base pointer to the stack pointer. Do your crap. Move the stack pointer to the base pointer, pop rbp, and then pop RIP. That's the convention. Cool. You could probably try Po1 three at this point, roughly, you might need a little bit of tooling.

Calling Conventions in x86

From Andrew Novocin February 20, 2023

34 plays 0 comments You unliked the media.

Zoom Recording ID: 4159319948 UUID: F+mjUexlSPeDLvQViFODMQ== Meeting Time: 2023-02-20 03:12:33pmGMT

Tags: x86calling conventions

Department Name: ECE
Department Division: Engineering
Date Established: February 20, 2023
Appears In: x86 and Secure Software Design 2023

Comments

Add a comment