Okay, I hope it makes two videos. I hope that other one doesn't get deleted. And now I will open it up to whatever you all want. So, assignment five questions. We can take this like office hours. Feel free to type in the chat; the chat won't be online. If you want, feel free to unmute and say something. I'll share my screen, I can show stuff, so yeah, feel free. Ask any questions. This is more of a... Sorry, this is more of a finals-related question, like, it's going to be comprehensive, right? So we're going to see things from like our first CTF and stuff from our most recent. I mean, you'll find out in two days, right? So it's... It'll test you on things. Obviously, we want to test you more on things from the second half of the class because you haven't necessarily had that yet. So yeah, that's an important thing. The other thing is what I'll be doing on Thursday. Thursday at 10:30 is when we'll launch the final, and so our class on Thursday will be like a mini review session for the final. We'll show everyone how to use it. You should all, you know, get your computers, get ready to use it then. It's slightly different than what we've used in the past, but it still should be very easy. Yeah, Thursday will be cool. Okay, the assembly challenges: will they get full credit if it says partially correct and 10? It's a good question, I don't know. Ask on Piazza. How many questions are we expecting for the final? Enough to test your ability and understanding of the course. I will tell you that, I think we've said this, that, you know, assignment five stuff will definitely be on the final. So that's why it's important to start it early and get comfortable with those things. Cool. Okay, people are asking about editing code. Why are you asking that, and do you have a specific question? You have a decompiler, right? So it just shows you what's in the binary. I mean, technically you can change things, but it's not quite really what it's meant for.
If you have a specific Ghidra-related question, or I don't know, I'm happy to answer more. So no, you would not use Ghidra to compile from assembly to C; you also can't compile. Yeah, so Ghidra should be able to show you what it's doing. It won't quite recompile... decompile, and that's called decompilation, so it's not going to decompile all the way to C, it'll decompile to something similar to that. But Ghidra, objdump, these types of things are basically reverse engineering tools to understand what's going on. If you want to compile, you would write your own assembly code or your own C program and then compile it that way. I see. When I perform x/i, it returns what the function is. Yeah, the other thing is make sure you check out the Piazza post. There's a lot of stuff on Piazza. I've asked people who've made resources to post them on Piazza so you guys can all see that. Yeah, that was from the walkthrough that Lambda had posted, the x/i, and then the address you get right when you hit Ctrl-C, which is where the bytes are stored, was supposed to return what function was at that point. I think add was in his walkthrough example, and I'm not getting anything, I just get bad. What are you putting in? Is that the address where the bytes are stored, you mean where they are? I mean, if you want to share your screen we can, I can look at it and see what we're doing. Yes. Let me allow you to share screen. Oh no, you can share screen, seems dangerous. Cool. Yeah, so I'm sorry, I should have said the $rsi pointer, which is the value that it returns when you just hop out. I'm not sure that's the right terminology. Yeah, I run an x/i on that, which is what he did in the walkthrough, which is what I did in the stack overflow teaching example, and it would return what function it was, add or whatever, but now I just get bad.
I do press up and put a 20 before the i, so this is only printing out one instruction. I'd like to do 20i or something to print out the 20. Basically what this is saying is: access whatever's at that memory. There you go. Access whatever's at that memory, 7fff10b88e90, whatever's there, interpret the next 20 things as instructions. Okay, so this starts at that point and then goes 20 beyond that. Exactly. Not 20 bytes, but 20 instructions, right, because each instruction could be one byte or up to, I think, five or six bytes. So you can see on the left it's showing you the addresses, right? So you have e90, e91, e93, so it means that your first byte is not a valid x86-64 instruction. So what are you putting into the buff? I'm not putting anything at this point. Right, right, right. So what this is showing you is where this buffer is located and what's already in there, right? So it's just random gibberish, basically. You know what I'm saying? Okay, so the RSI pointer is pointing to random gibberish at this point. Yeah, because this is the read function, right? So what this means is... it says C up there, right? Or it says program received interrupt, and it's telling you it's in this libc _read. So it's saying, okay, fd zero, so it's reading from standard input. It's reading into buff, and it's reading a total of 1056 bytes. Right, so what read is going to do is when you give input, it's going to copy the bytes from your input into that buffer, which is what you're looking at right now. Yeah, I'm just trying to use what I learned from his walkthrough in this. I was assuming that was what it was for. And because it's the same thing, just minus the address that's provided in the directions up there. So I'm trying to use his walkthrough and I'm just having trouble understanding how to use his walkthrough to solve this.
Well, what's the point right here? Like, what's the goal of printing this buffer out as if it was instructions? Um, this particular one is just one of the steps he did in the walkthrough, and I might have to watch that walkthrough again for the tenth time to see if I missed that. Basically, I could not figure out how to find the return pointer to continue on. I see. Then, yeah, so at that point I've just been, you know, clicking around and then I got this, which I figured I would ask as well to see if I'm doing something else wrong. I would not interpret it as instructions. I would do x, hit up, and fix it so that it's x/20g. So g is giant, 64 bytes. And this will show you the stack at that point, or sorry, this will show you all the bytes on the stack up to that point. So this would be where I would say, hey, this was the return address, exactly as described. Yes, now I don't know how to find that, to search through this list for it. Yeah. You can hit bt. Yeah, bt, it's backtrace is what that stands for, just bt, no slash. Yep. Yeah, so what this is showing you is it's calling into read, right? That's #0, and then #1 is the address in vuln. So what you're looking for is something that looks like that on the stack. You probably didn't print out enough. So go back up until you get to the 20g and change it to like 40g, maybe more like 50g. Did you give an input in here now? I think the register you're looking for is way further away. I usually will look for the RBP, and then look at the registers in the RBP, and that's really what I... My RBP at this point, though, is zero. Did you look at that already? So check that address, do the x/40g or 20g or whatever on that address. Okay, yeah, I don't understand how I just got an RBP value. Usually it says there's a "cannot identify memory at 0x0" or something like that.
That would be something maybe you would do before you started running the program, because there wouldn't be an RBP. Well, I ran it in GDB and then terminated and then was looking for RBP. I'm going to go into Ctrl-C. Guys, you don't even really need math. Like, there's not a whole lot of point in finding the base pointer if you can just, like, essentially guess and check. That's how I ended up having to figure out the value for overflow three. Like, put in 100 As and 100 Bs. And then, I mean, you need more, right? If you check in GDB and you see that your return pointer is full of Bs, then you know that you're in the second half of the string. And you can just keep doing that until eventually you can get exactly where the return pointer is, and then overwrite exactly that, and it just works. That makes less sense to me. So you can still look at the address there, and you should be able to get the return address if you look at your RBP, the values in RBP. Let's do this. This will be easier. Go up, press... not go up, type in up. This is going to move you up the stack, because right now you're in that read function, which we actually don't care about, because read is just doing the overwriting. I'm sorry, which instruction? Like, type in up and hit enter. Okay. Yeah, now it set all the values. So now RBP will point to the base pointer in the vulnerable function. So if you do x/20g and a space and $rbp. Boom, there we go. So you can see, so the base pointer always points to... somebody was posting this in Discord, but the way it works is the base pointer currently points to the saved base pointer. So that thing right there is the saved base pointer, and the next thing after it is the saved instruction pointer. So if you overwrite that, you are good. And you can calculate, because you know up there, you can use math very simply, it's just subtraction, not complicated math, right?
You have up there, you know the address of your buffer. It's 7ff10bee0e90. And you know that the address you want to overwrite is at b891d0, or actually d8, because it's that second one. The left column is d0, the right column is d8. And so subtract that. So can you do that subtraction? And that'll tell you exactly how many bytes you need to get to there. Sorry, where is the d8? So d0, which byte here is d0? Yeah, those eight bytes are d0. So the next eight bytes in the right column, that's your saved instruction pointer. And we know that because when we looked at the backtrace, right, you can see that it's all 55cc41a9c, whatever, so that's an instruction pointer right there. Okay, I understand what you're saying. I don't know if I quite grasp it enough to use it outside of this one particular instance, though. There's an office hour right after this class, right? Whatever the course schedule says. Okay, I don't have this memorized. I'll go ahead and hand off to somebody else so somebody else can have a question, because I think I'm still way too lost on this at this point. Um, okay, so I have a question. Sure. Yeah. Okay, so I was under the impression that stack overflow two and stack overflow two teaching were the same thing, except stack overflow two teaching gives you more information. Is that correct? You tell me, I don't know. I was doing stack overflow two teaching and the method I used worked, and then I tried the same method in stack overflow two normal and it didn't work, and I'm wondering if I have to change the process I'm doing, because, yeah, I thought it was the same thing apart from the information. Why don't you... can you show it to us? Yeah, I can. Um, I'll share screen. Uh, yep. Okay, so basically what I do is I set some breakpoints in GDB, I do some stuff, and I end up getting the register RSI. Okay. So I get this register right here.
And then I do... Sorry, this is just right before the call to read. We will now read in some bytes and then I start getting my information. So I go, okay, so RSI, I get this register, and I also get this register. And I subtract these two registers, and I get b8, which I'm pretty sure is the amount of bytes to overflow it or something like that, to get there. Yeah, so it's the difference between... so if you're writing into that buffer, and actually this goes back to the earlier one, right. So if you're writing into that buffer, the very first write will happen at 4490 and then 4491 and so on and so forth. And so if you do whatever that subtraction is, you'll get all the way up to right before the saved instruction pointer, so the next eight bytes will be the instruction pointer. Exactly. Okay, and then what I do is, because, hang on, let me quit my jokes. Basically what I do is, with this b8 number... Sorry, I didn't know about info frame. Where did you learn that from? That's very... info frame. Actually, Tiffany used it in her example when she explained the first stack overflow problem. She's way better than me. Cool. That's awesome. It saves you from having to do that calculation and look at it on the stack, right? That's right. Anyway, so what I do is, I write my code, and so I write my Python code. And my Python code goes: it writes a buffer with the amount of bytes to overflow it plus strict paths, and then the address of the win function. And that's not the full address, right? Sorry, go ahead. Right. Not the full address. It's like 0x1310. But, um, yeah, and this strategy of going in, obviously it's changed because I've had to get my b8 and I went at yours differently.
But the point is that I've been using this and it has worked for the past two, so I'm just curious if I messed something up, or if I just need to completely change my process on this one versus, you're saying, stack overflow two teaching. Yeah. So this is stack overflow two teaching, this worked. But yeah, it didn't work on this one. If you watch the last five or six minutes of the TA's example, he goes over how to approach a problem like this where you're not given the information. That would be helpful as well, because it's a different program that you have to run in that case. And at least for me, for stack overflow one and stack overflow... or, excuse me, stack overflow teaching and stack overflow two, I had to use a different program for each one. But if you watch the TA's video he kind of goes into it in the last five or six minutes. Right. So that would probably work, except the information that was given in stack overflow two I didn't really use at all. And so I figured that they were the same and I could just do the same thing. If, again, it's a different program, then yeah, I should definitely do that. Can you debug it? I don't know that it's necessarily the same, right? Yeah, just like you were doing before, I think you're on the correct process, so we should... Did you find the new address for win? Because it's going to be different in this one than it was in stack overflow two teaching. Yeah, I did. I did. Oh, let's go, win. This is the address I used. Okay. Which also changes from run to run. Okay. So that's why what the TA does... go down. No, to vulnerable. I would just want to make sure your offsets are correct, right? Okay. So where's the vulnerable? Read. Read the Python. Can we see the Python? Just a second. There we go, the read, so it's... So it's RSI.
So coming back from there, so EDI is zero, that's the file descriptor, RSI... RAX into RSI. So RAX is that, so this is actually how you can just read this from the assembly. So if you move your mouse cursor up to that load effective address four lines above, it's moving -0xb0 off RBP into RAX, and then two lines later moving RAX into RSI. So this means that our buffer is located at -0xb0 from RBP, and we know RBP always points to the saved RBP. So if you take it, your difference should be 0xb0 plus eight, and that will take you to the saved instruction pointer. So I can do this just from looking at the assembly. All right, and 0xb0 plus eight is just b8, so that is correct, like what I have, right? Okay, cool. So okay, so that's good, so my math is correct. So actually... Yeah, so I didn't realize this does actually change between runs. So do I just, like, in the middle... I don't know if I can run this while looking at the code and then change my code and feed it input. You cannot, so when you... So if you try to gdb or debug the program, it drops the privileges that it needs to read the flags. That's why you can't do that. Let's do this. Can you open up gdb? So you have your input, right? So you've run that program, it's created output in /tmp. Yes, that is correct. Let me just make sure. Yeah, I did, okay. So then this is great, yeah, so gdb that, and then what you can do... Oh yeah, go ahead and then set your breakpoint like you would do. I usually like to set it right at the read function. Yeah. Hang on one second. Do you do that because doesn't that hex address change? And Steven, look in chat. Oh, there you go, breakpoint on read@plt, that's great actually. Is that going to do it on all of them? Are there lots of reads throughout the entire program? There's one read. There's only one. What's their outputs?
You can see it goes call read@plt, and that's where we're exploiting the problem. Right here is where we're not actually reading from that input that you wanted. So try r, space, less-than... here, I'm going to write it in chat. So this is how you can debug things while using an input file that you control, right? So this is the way I like to debug these exploits. Or whatever that was. So an r is, I think, restart, so it restarts it from the beginning with the breakpoint. So like right now I should... yeah, yeah, let's just reset it so we can get back here with the input that we want. So just start from the beginning. Yeah. Okay. Can I answer... breakpoint do. Okay, so I'm going to have to redo my breakpoints and redirect. Yes. Okay, there's a good way for this. There's a way to actually view your breakpoints. I think it keeps the breakpoints, though. Yeah, no, it does. Hang on, let me think quick. Hang on. Is that the right file name? Sorry, attack for two. Yes, it is. Okay. No, what happened is, I actually had this problem a while ago. What I need to do is I'm going to run it with... I'm going to run it right now. Right. Okay. Yeah. And what I'm going to do is do this: continue, and then I'm going to set my breakpoint, f26431, right at that call read@plt. Yeah. Oops. No, I forgot the star. Yeah, I know, it's annoying. Yeah. Yeah. It's annoying. It's annoying to me that GDB has its own syntax that's different from other things. Yeah. Okay. So now when I continue, it'll now read some bytes. So now we're right out there. So yeah, if you do ni, right, that will step one instruction over the read. Yeah. And then now, so we've read in all the bytes. It should have overwritten the saved instruction pointer. To verify, you can do it in many ways. I usually do x/20g, and then a space, $rbp, the base pointer. All right. Yeah. 20g x. Can you add x at the end?
x at the end tells it that we want hex. So g tells it that we want 64-bit giant numbers. Okay. So it didn't overwrite that. That's weird. Oh, it didn't overwrite it? Yeah. Look, it's not changed. So if you do that and do RSI, can you do $rsi, or just RSI? Sorry. The exact same instruction as before. So if you just do up and then change $rbp to $rsi. So RSI is your buffer. So this will tell us what it read in. Are you sure that instruction is... The file exists. Yeah. I mean, do you want me to read the file? Yeah. Okay. Change directory to /tmp, ls. No, no, don't cat it, because it's weird bytes. Do hexdump. hexdump, space, dash capital C, and then the file name. Yeah. So why didn't it read in that? Is her address even on there? There should be like a 1310 or something. Yeah. Yeah. The 10, 13 is the bytes that we have for that. So yeah, it totally makes sense. Right. These are... you can see there's 41. And we can see it's up to b0. And we have eight of those at b0. So we know it's b8 A's. And then 10, 13. Why didn't we see those A's? Let's just run... Can we run this program again and pass that input just like we did? So like without GDB. Okay. Yeah, I like to try to reduce as much as possible. So like ./assignment five overflow, and then pipe in. Okay. That's great. It segfaulted. If you do ls -la, does it show you a core dump? Actually create the core dump. Okay. Okay, let's try this. Just gdb the assignment five underscore stack overflow two, please. And then do run. Okay. So this is our r, space, without any breakpoints. So we don't want any breakpoints. So just run it and then redirect. Yeah. That's /tmp/. Perfect. Excellent. Excellent. Okay. So it's 0564c5a8a1310. Okay. So this is perfect. This means that this worked. I don't know why it didn't work before. There must have been something weird that we did. But we can see that here.
So you've changed the instruction pointer, but it's saying nothing's there. So can you do x/5i, space, win, so we can figure out where the address of the win function is here. Okay. I think I found part of your problem. I think you can see it. Yeah. Okay. Yes. Okay. cfae1310. Okay. And what was vuln? If you... Yeah, like, what are the addresses of all these functions, basically? Like, so you do x/5i, space... Okay. Yeah. For the space. Okay. So please. Okay. Okay, cool. So the key difference here is that, like we said, all the positions are being randomized every run. Mm-hmm. Right. So, and the way the randomization works, if you ran this multiple times, like, if you... Yeah, I wonder if it will change. Can you just go up until you get back to that r instruction, the run instruction, and just run it? Yes. Cool, crashed again, and is this a different address? It is, awesome. And then print out the locations of win and vuln. So what's changing between these runs? So compare. It doesn't change. Oh, it is. Yeah, so which of the instructions are changing, or which bytes are changing, let's say? Oh, five, six, two, zero, five, six... changing, basically, like, all of these, except... What's not changing is the important part. You might need to scroll up a little bit. Oh, that's the other function. Yeah, there you go. Yes, sorry. So when we have 0x564, so 562, cfa, so 056, so 56. And then we have 88 and we have f10. So this, and then the 310 isn't changing, so it's just these bytes. Exactly. So would this be an address like 0x563110? Because 563110 changed, or it was in the past, but it won't be in the future, right? Right, what you're looking at is, right, it shows you that these bytes are there, like, sorry.
Yeah, so this is the last run, but we can't predict the next run, but we do know that at least the last byte remains the same. Right. Okay. And so what if we just overwrote that last byte, would that work? Like, just the 3110. Well, we can't overwrite just the 310, because that 03 is a whole byte. And that earlier part of it changes every time, so we don't necessarily know that off the top of my head, or off the top of our heads. You can just guess it, though. Yes. So that's the other thing. So if you put any random hex digit followed by a 3, it will work one sixteenth of the time, which is what we have in here, right? So... Oh, so I believe, going off of that, if you run this 16 times it should give you your flag. You want to try it right now? Well, they're not independent. So you actually have a, yeah. So if I run... Okay, so if I run my program 16 times, it'll work. Good. Yeah. It might take more than that because of statistics, it might take less. Right. So okay, so I'm going to quit my GDB. Yes. And I'm just going to run my program 16 times. Up, enter is your friend. Attack. Okay, so then see that. Clear it. And then so... And so I just do this, like, I just keep running my program, like python attack.py. You don't need to, just up, enter. Yeah, exactly, just hit up and... Oh, really? Yep. Okay, so I'll just keep doing it until you get the answer. There it is. So see, just randomly those bytes all aligned. And so you were good and it worked. So, and this is nobody else's flag. So it's fine that we see this. But anyway, if you want to wait when you submit that, otherwise you're... Wait, I should wait? No, it's fine. I was just saying, since you're showing your screen. But yeah, great job. Look at that, team. Awesome. Thank you. So the TA shows a way to do that automated, so that you don't have to hit up, enter 16 or who knows however many times. But yeah, it's kind of the same thing.
Yeah, you could theoretically be hitting up, enter all day and not actually get it, just based off the magic of statistics. But that requires being very unlucky. Yeah. All right. Well, thanks everyone for doing this, for sticking around. I think that's right. Yeah, we started... Oh no, no, we still have five minutes. Oh, wow. Sorry. Sorry. Sorry. Let's keep going. Anybody have anything else? I did have a question about just what we were seeing there with the GDB dump, like those outputs that we were seeing on our screen. So on the left-hand side, you had all the blue numbers and then two columns of white numbers. That column of blue numbers, is that like the actual stack? Is that the addresses on the stack? It is the addresses themselves. So the way to interpret that is the left-hand side is all the addresses. And on the right-hand side is what's in memory at that memory address. Okay. Yeah. So it's like, if you think about the, you know, computer, it has a bunch of memory, right? You're saying, okay, what's at memory 10? And then what you're saying, and that's when you set up those commands, you're saying, okay, show me what's at memory address 10. And then right there, interpret that as if it was a 64-bit integer or eight bytes, you know, same thing. 64 bits, eight bytes, and then show it to me as hex. And then interpret eight after that, because you just showed me eight bytes, interpret eight bytes after that as a thing. Show me that, and then keep doing that. So it's showing you the addresses of all those. That's why the addresses are all spaced out by eight. And we can also tell it to show it as an instruction too, or is that... Yeah, exactly. If you do it with x/5i, so the i means interpret it as an instruction, x means interpret it as hex. But there are probably others as well to interpret it. You can change the size at the end.
So g is about changing the size to 64 bits. If you do... Oh, I just did this the other day. I can't remember exactly what the character is, but if you look it up, you can set it to be 32 bits or even just a single byte. You have total control over how those look to you, which can be really very helpful in debugging. /s is interpreted as a string. So it will actually interpret it as a string and show you the strings. It looks like you can do b, h, and... Yeah, yeah, yeah, exactly. Yeah, w is for wide, so that's 32 bits. And g is giant for 64 bits. It's very helpful for understanding what memory actually looks like. Any other questions? Just a quick question about the assembly challenges. So with assembly one, and with x86-64 in general, the three arguments are RDI, RSI and RDX. Is that correct? I have no idea. I have to look it up every time. Okay. It's one of those things, like, I knew. So the way to look it up, it's the System V... System V or System... Yeah. Yeah. Calling convention is what you're looking up. Okay. Calling convention. Yeah. And System V, or I think it's System Five, is where that comes from, but obviously... So, in here, so for x86-64, yes, so parameters are RDI, yes. So you're exactly right, RDI, RSI, RDX. Okay. And if we move... if there's a... if the first instruction in the... and then the first parameters are R9 and the second parameters are RCX, those registers aren't initialized. So does it do anything? It always does something, right? It does whatever. Yes. If the registers, like, they don't have values in them, because the values are stored in the other RDI, RSI and RDX. Let's see. Well, the whole parameters are... it looks like, in registers RDI, RSI, RDX, RCX, R8, R9, and then other values would be passed on the stack. Okay. So if there's only three parameters passed into the function, then only registers RDI, RSI and RDX would be stored. Correct. Yeah. Okay.
They're the only ones that should be used, but technically, you can write assembly to do anything, right? The only thing these calling conventions do is, it means that when you write a C program and it's compiled to a binary, and I write a C program that uses those functions, I know how to match them up and they'll actually work together. Right. Okay. So yeah, in general, if you look at the recorded office hour video I made from last week, you can see that. Yeah. So if you look at RBP and RSP, right, the base pointer and the stack pointer, we don't know what those values are when our function is called, but we still operate on them, right? We push the base pointer onto the stack. We set the current base pointer to the stack pointer. And those are all values that we don't necessarily know. It's not that nothing happens, right? It's that we just don't know statically what those exact values are, but we don't think about those values. Okay. Awesome. Thank you. I'll check out that office hour video, that'll probably help. Yeah, I think that helps a lot with understanding. It was in the context of the Caesar app. Okay. Yeah, the Caesar challenge. Yeah, I'm gonna post the link in chat. Yeah, I walked through the first, I think, 20 instructions of that or something. So it's, I think, useful to see what's going on. But cool. Okay. This was great. Thanks for sticking around. And yeah, see y'all on Thursday for our last class. Isn't that crazy?