Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe

  • Published 28 Aug 2024

Comments • 38

  • @RazviOverflow
    @RazviOverflow 1 year ago +4

    ATTENTION! An editing error has been spotted! Around minute 33:57, the value of the `output` variable is changed (apparently off screen). It went from `output = recvall().split(b"\n")` to `output = p.recvuntil(b"ahead").split(b"\n")`. Bear in mind that the main purpose of the videos is to help everybody understand what's going on; there is no need to literally copy the exploits shown in the video. There are always several different ways of achieving the same objective, just make sure you do it the way that is most clear to yourself!

  • @luxdown7965
    @luxdown7965 1 year ago +3

    This is the most well-explained content I've been able to find on ret2libc!

    • @RazviOverflow
      @RazviOverflow 1 year ago

      Thank you :) Glad you liked the video.

  • @N0RT0X
    @N0RT0X 1 year ago +2

    Wow Razvi, I didn't know you were doing this now. It really comes in handy, to be honest.
    Cheers.

    • @RazviOverflow
      @RazviOverflow 1 year ago

      I hope the videos are helpful to you :)

  • @marcovalentinoalvarado3290
    @marcovalentinoalvarado3290 5 months ago

    Each video goes up in quality, thank you so much for sharing!

    • @RazviOverflow
      @RazviOverflow 5 months ago

      You are welcome, thank you :)

  • @lincoln9521
    @lincoln9521 4 months ago

    Hello Razvi! Thank you very much for your videos, the explanations are very clear, thanks again 😁

    • @RazviOverflow
      @RazviOverflow 4 months ago

      You are more than welcome. I'm happy you like my videos and they help in any way :)

  • @nguyenhuynhanh4667
    @nguyenhuynhanh4667 9 months ago +1

    Hello, I have a problem at around 23:12. When I execute the script, the leaked puts address always outputs 0x0, and the gets address sometimes outputs 0x50. Do you know the reason why and how to resolve it?

    • @RazviOverflow
      @RazviOverflow 9 months ago

      I think 23:40 answers your question.

  • @ytg2g3
    @ytg2g3 several months ago

    Thanks for a great video! I have one question: because we overwrote the RBP with 'B'*0x8, wouldn't the "leave" assembly code set RSP = RBP, sending the stack pointer into an invalid location and failing the code?

    • @RazviOverflow
      @RazviOverflow several months ago +1

      Hi there. Yes, that's totally correct. Overwriting old rbp with random padding bytes implies the old stack frame (the one about to be restored with mov rsp, rbp; pop rbp) becoming invalid. Depending on what you are trying to achieve, you may or may not have to care about the state of the stack. In this case, it is irrelevant.

  • @rgb123-jm5mc
    @rgb123-jm5mc 2 months ago

    Hey Razvi, great video as always. So I got the virtual address of puts() from libc and I subtracted its offset (last 3 hex values) from this address, so I should get the base address of libc. However, jumping to the resulting address in IDA does not show the text segment but some random data bytes. I want to ask you if you think using (virtual address + offset) is an unreliable way to obtain the base address of a segment, thanks!

    • @RazviOverflow
      @RazviOverflow 2 months ago +1

      If the library is loaded and you got its dynamic base address you should be able to see it.

    • @rgb123-jm5mc
      @rgb123-jm5mc 2 months ago

      @@RazviOverflow Thanks for the reply Razvi! The issue with the offset bits in a virtual address is that they are only 12 bits long. But you can have a starting virtual address of 0x7FABCDEF0000A000 in the text segment and a virtual address within the segment at 0x7FABCDEF0000B000.
      So the real offset here is not “000” but 0x1000, which is more than 12 bits.

    • @RazviOverflow
      @RazviOverflow 2 months ago

      @@rgb123-jm5mc I think I'm not fully understanding your problem. In order to get the offset, you shouldn't care about how many bits are used for this specific addressing. If you know the base address and the dynamic address, simply subtract them.
      Now, where does it say the offset has to be 12 bits? Could you link some docs?

    • @rgb123-jm5mc
      @rgb123-jm5mc 2 months ago

      @@RazviOverflow Hey Razvi, I think I might have mistaken the segment offset for the page offset (lower 12 bits in the virtual address). Since TH-cam filters links, I found it in the first entry from the Google search "Cornell virtual address 12 bit offset". Even though it uses a 32-bit architecture, the 12-bit virtual address offset is still used in 64-bit systems.

    • @rgb123-jm5mc
      @rgb123-jm5mc 2 months ago

      @@RazviOverflow I think YT has deleted my comment for some reason, but I searched "Cornell Linux Virtual Address Offset" and clicked on the first entry. Even though the webpage talks about a 32-bit architecture, the offset is still 12 bits in a 64-bit architecture.
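An added example, not the video's exploit script, tying the two threads above together: parsing the leaked puts() address out of the program output and checking the libc base computed from it. The output bytes and the libc symbol offsets are constructed placeholders (a real run would take the offsets from the target's own libc); the checks show why the base must be page-aligned and why the full symbol offset, not just the last three hex digits, has to be subtracted.

```python
import struct

# Constructed sample of what the target might print after the leak stage:
# a banner line, one line holding the 6 raw bytes of puts()'s address,
# then the prompt the script waits for. Little-endian 0x7fefb7f845a0.
SAMPLE_OUTPUT = b"some banner\n" + bytes.fromhex("a045f8b7ef7f") + b"\nGo ahead"

# Hypothetical symbol offsets inside libc (placeholders, not a real build;
# readelf -s on the target's libc would give the real values).
LIBC_PUTS_OFFSET = 0x0845a0
LIBC_SYSTEM_OFFSET = 0x052290

def parse_leak(output, line_index=1):
    """Return the 64-bit address found on the given output line, or 0.

    puts() stops at the first NUL, so a userland x86-64 pointer arrives as
    6 bytes; it is right-padded to 8 before unpacking. An empty or missing
    line yields 0, which is the "leak is always 0x0" symptom: the wrong
    line was picked. Caveat: if one byte of the address happens to be 0x0a,
    splitting on b"\\n" cuts it in two and the result is garbage."""
    lines = output.split(b"\n")
    if line_index >= len(lines):
        return 0
    raw = lines[line_index]
    if len(raw) == 0 or len(raw) > 8:
        return 0
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]

def libc_base(leaked_puts, puts_offset):
    """Compute libc's load base from a leaked puts() address and check it.

    libc is mapped on a 0x1000 page boundary, so the low 12 bits of the
    leak must equal the low 12 bits of the symbol offset. The subtraction
    uses the whole offset (0x0845a0 here), not only its last three digits."""
    if leaked_puts == 0:
        raise ValueError("no address was leaked (check which line you parse)")
    if (leaked_puts & 0xfff) != (puts_offset & 0xfff):
        raise ValueError("low 12 bits differ: wrong libc build or wrong line")
    base = leaked_puts - puts_offset
    if base & 0xfff:
        raise ValueError("base is not page-aligned")
    return base

def resolve(base, symbol_offset):
    """Address of another libc symbol once the base is known."""
    return base + symbol_offset

if __name__ == "__main__":
    leak = parse_leak(SAMPLE_OUTPUT)
    base = libc_base(leak, LIBC_PUTS_OFFSET)
    print(hex(leak), hex(base), hex(resolve(base, LIBC_SYSTEM_OFFSET)))
```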

  • @LifeEldawody
    @LifeEldawody several months ago

    Why did you use the ret gadget "0x000000000040101a"? Based on what did you choose it?
    Can we use any ret gadget, since it won't modify the code, just pop the address and go to it?
    Thank you

    • @RazviOverflow
      @RazviOverflow several months ago

      Any ret instruction would have the same effect.

  • @zeshankhalid2228
    @zeshankhalid2228 7 days ago

    Hi, the binaries I compiled on my machine don't even have a "pop rdi" gadget

    • @RazviOverflow
      @RazviOverflow 7 days ago

      I'm not sure what binaries you are talking about, but you can place arbitrary instructions with the asm() function.

  • @thedailysenior
    @thedailysenior 1 year ago

    Amazing!

  •  1 year ago

    Thank you

  • @luxdown7965
    @luxdown7965 1 year ago

    Maybe you should make a discord server ; )

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Bank employees

  • @zawnyeinhtet242
    @zawnyeinhtet242 1 year ago

    Hello sir, please, any Twitter account? I would like to follow

    • @RazviOverflow
      @RazviOverflow 1 year ago +1

      Hi there. Yes, sure. At the end of the description of the video you'll find one :)

    • @zawnyeinhtet242
      @zawnyeinhtet242 1 year ago

      @@RazviOverflow thank you sir

  • @quinn6021
    @quinn6021 1 year ago

    ☺️ քʀօʍօֆʍ

  • @user-ul3kv6nv8t
    @user-ul3kv6nv8t 9 months ago

    Thank you

    • @RazviOverflow
      @RazviOverflow 9 months ago

      You're welcome :)

    • @user-ul3kv6nv8t
      @user-ul3kv6nv8t 9 months ago

      @@RazviOverflow I am a user from China. It is difficult to find such excellent learning materials in China. My English is very poor. I can only use TH-cam's automatic subtitle recognition to understand the meaning. However, TH-cam's automatic recognition sometimes doesn't work well. I couldn't understand some parts of the video. It would be great if the video had Chinese and English subtitles. Finally, thank you so much for making such a great video.

    • @RazviOverflow
      @RazviOverflow 9 months ago

      I'm happy my videos are helping you. Unfortunately, I cannot help with Chinese @@user-ul3kv6nv8t

    • @dzgamer4832
      @dzgamer4832 8 months ago

      When will you make more videos?
      @@RazviOverflow

    • @RazviOverflow
      @RazviOverflow 8 months ago

      @@dzgamer4832 As soon as I have the time and something interesting to show :)