@@rlc9399 I am studying it in software security

Amazing! :3

:3 @@LiveOverflow

Same here!

Joke so bad bro had to tell us in parentheses

NO, pop, add, then push so you can still use ASLR 😈

Just compile with only mov instructions 😂😂😂

yeah, thought the same thing after watching this video. It really becomes a simple explaination for anyone already aware of some of the internal workings of theese things.

don't refresh just wait, it will start after a while

is that an 'eip' pun?

You probably wanted to say: you'll RETURN later.

@@allmycircuits8850 GOLD

Just enjoy knowing about it :)

Apologies if I sound rude but how do you understand any of this in a meaningful way if you don't know programming, more specifically reverse engineering? You likely have never heard of a "register", "instruction pointer" or "buffer overflows".

@@whocares4598 I wasn't either at the time but it was layed out nicely enough that it wasn't so bad to understand.

@@Handlessuck1 I used to be kind of a dick back then. Person may not have fully understood, but definitely had a glimpse

Eliana Griffith ctf?

@@davidjohansson1416 capture the flag. It's hacking but we need to get strings (flags)

Oh, i've heard of that. It's really popular in taiwan i think. @@elianagriffith9510

A good example of sophisticated ROP chains used in the wild is for example in the 3DS hacking scene: They implemented a huge chunk of code in ROP to use after they get code execution from a vulnerability that uses functions and gadgets from the home menu and uses ROP to further exploit the system and make it possible to remap something as executable. They have ROP chains that include equivalents of for loops and if conditions (they set the stack pointer somewhere else to simulate a goto, and conditionally setting the stack pointer can be an if) There is also the challenge flropyd of the currently running 0ctf 2019, where you have to implement an algorithm in ROP. I'm sure there will be good writeups for that challenge afterwards

basically any binary that is vulnerable to buffer overflows that don't have executable stacks :)

If the CPU could detect this, we wouldn’t have those issues :P

@@LiveOverflow okay either you didn't understand my question or i didn't understand your answer(most probably this one). So what i understood from the video is that you have to overflow the buffer or have some other way to overwrite the return pointer with a value we choose so that we can start chaining rop gadgets but won't there be a stack cookie between the first buffer and rip. so won't the first return fail (the ret in add_invoice) since the stack cookie has been changed. OR IS there no stack cookie in this example? was that feature disables when you compiled the invoice program.

That's because the stack grows from top to bottom, and the heap bottom to top.

@@pwnagotchi I know the stack goes from higher to lower addresses as it fills up. but i meant that usually i've seen memory being represented with lower addresses at the top, and higher addresses at the bottom which sounds weird but that's how humans read stuff

I know nothing about this level of programming. I still enjoy the videos though

github.com/6l0ryteam/6l0ry-wargame/tree/master/pwn/chal/rop This is a simple ROP challenge for my CTF team wargame. I think it uses the same technique as the video’s.

move is already turing-complete.

Yep

You get the meaning, quit being pedantic.

As far as I know it's hand written with a graphic tablet.

@@profiluefter ok thx

Yeah, there are many ROP chain generators basically doing that ;)

@@LiveOverflow Great, thank you

Yeah, conditional jumps will get really really weird

oh noch ein deutscher hier

Nur deutsche hier....

@Richard Vaughn ok so that last sentence of yours was gold to me. B/c these cpus are different, bytecode takes a program, lets say Java, and branches to the correct opcode? Maybe we have a java program compiling on an AMD64 so those bytecodes trigger the correct opcodes for AMD64, as opposed to this same program running on an old machine, maybe a 32 bit intel chip. I wonder if the AMD/Intel design are so siimilar, and opcodes are called the same, so maybe a better exam would have been for me to refer to an ARM chip? I mean that's CISC vs RISC so I imagine even those opcodes are different, along with many many other things. I can see the adder doing it's thing in your description about taking 2 numbers from registers and putting those bits together one by one, what I didn't know is those are called "ROM data lines!" I now feel a little silly, I thought ROM was done with it's job after the initial boot sequence. Maybe you can help me with this next question. During my research I found a funky sentence from the wikipedia explanation of bytescode: "Bytecode may often be either directly executed on a virtual machine, or it may be further compiled into machine code for better performance." My problem is with the second half of that sentence, isn't everything executed turned into machine code? I'm struggling to understand how a vm would directly execute, wouldn't that be a silly vm b/c these things are usually created for portability? Thanks for your help, I love this stuff!

How would you propose implementing this without having awful performance ramifications?

@@tedbrownlow4617 The performance impact would mostly be at the compile stage. Each function would need a table of addresses it can jump to and instead of pushing an address to the stack you push an index. Perhaps a better approach would be a custom CPU. The CPU already maintains an internal call stack that it uses for speculative execution. Perhaps if ret tried to use an address from the call stack which isn't from the internal call stack it would cause an interrupt and trigger some more expensive checks.

They're not executable. All of the 'gadgets' are snippets that exist within the vulnerable executable. By hijacking the stack, we can control the flow of these gadgets because of the way an x86 ret works.

Sure. Be creative ;)