WEBVTT

1
00:00.890 --> 00:03.080
Hello and welcome to a new section.

2
00:03.080 --> 00:06.500
In this section, we are going to learn how to use the memory.

3
00:07.370 --> 00:09.860
So let's open our template.

4
00:13.420 --> 00:18.220
To use memory, you will have to go to the memory map here, click on it.

5
00:18.220 --> 00:20.200
And then there are two kinds of memory.

6
00:20.200 --> 00:27.070
Here you have the initialized data and you also have the uninitialized data.

7
00:27.790 --> 00:31.210
So the initialized data is called the data section.

8
00:32.110 --> 00:36.190
The uninitialized data is called the BSS section.

9
00:36.760 --> 00:41.860
So if you are going to store constants, you put it in here.

10
00:42.460 --> 00:46.300
If you are going to create variables, then you will put it in here.

11
00:46.780 --> 00:53.800
So for this video, I'm going to show you how to create constants by storing in here. We are going to store

12
00:53.800 --> 00:54.400
numbers—

13
00:54.880 --> 00:56.110
number constants.

14
00:56.320 --> 01:01.690
So just double-click on this now, and below here you will see the memory dumps.

15
01:01.960 --> 01:04.300
You can use 1, 2, 3, and so on,

16
01:04.300 --> 01:07.030
but Dump 1 is selected by default.

17
01:07.600 --> 01:13.930
When you click on the memory map like this, it will show you the memory in Dump 1.

18
01:14.500 --> 01:21.040
So this is the data segment of the memory where all the constants are stored.

19
01:21.040 --> 01:24.040
Constants are nothing more than initialized data.

20
01:24.730 --> 01:27.910
And you can see here there are already some initialized data here.

21
01:27.910 --> 01:29.530
So we are not going to touch those.

22
01:29.590 --> 01:32.770
We look for some empty space down here.

23
01:32.770 --> 01:36.190
For example, from here onwards you have empty spaces.

24
01:36.190 --> 01:37.330
You can even use this.

25
01:38.170 --> 01:39.760
So let's say use this.

26
01:39.760 --> 01:44.140
So to create a constant here, you can right-click on this.

27
01:44.140 --> 01:46.750
Let's say I want to create the number 1234.

28
01:46.750 --> 01:48.310
So I will select two bytes.

29
01:48.310 --> 01:51.730
Here I'm going to store the number 1234 here.

30
01:51.730 --> 01:53.320
So I right-click these two bytes,

31
01:53.770 --> 01:56.530
and then I will click "Binary," "Edit."

32
01:56.680 --> 01:59.050
And I will key in 1234,

33
01:59.170 --> 02:01.330
but I need to key in reverse order.

34
02:01.330 --> 02:05.170
So I need to key 34 and then 12.

35
02:06.130 --> 02:13.840
This is because of what we call the little-endian convention in Intel processors, where you would

36
02:13.840 --> 02:20.140
store the lower bytes first on the right-hand side and the higher bytes on the left-hand side.

37
02:20.380 --> 02:22.090
So remember that.

38
02:22.090 --> 02:24.370
So just click "OK" now and you will see—

39
02:24.370 --> 02:26.080
now 1234 is stored there.

40
02:27.460 --> 02:31.120
So remember, whenever you are storing numbers, it needs to be in reverse order.

41
02:31.780 --> 02:36.760
I mean, the most significant number bytes are on the right and the least significant bytes are on the

42
02:36.760 --> 02:37.270
left.

43
02:37.510 --> 02:39.850
So 1234 will be reversed like this.

44
02:40.690 --> 02:42.730
So now you can make use of this.

45
02:42.730 --> 02:49.180
Now over here, for example, let's go to our code and hollow this section.

46
02:49.180 --> 02:52.540
Here you can hollow everything under here.

47
02:56.580 --> 02:58.230
And fill with NOPs.

48
03:00.130 --> 03:01.300
And it's now coded.

49
03:01.300 --> 03:08.530
So we can actually move this number from memory into register -.

50
03:08.680 --> 03:09.790
So let's try to do that.

51
03:09.790 --> 03:13.450
Now remember, when you want to assemble anything, press the spacebar first.

52
03:13.990 --> 03:21.520
Then type "MOV -" and then "DWORD"— "QWORD," sorry— "QWORD PTR,"

53
03:21.670 --> 03:23.230
and then "0x."

54
03:23.980 --> 03:26.740
And now you copy this address and put it here.

55
03:26.740 --> 03:28.750
So before we do that, let's copy the address

56
03:28.750 --> 03:32.890
first: right-click, "Copy Address."

57
03:33.280 --> 03:34.900
So we just copied this address.

58
03:34.900 --> 03:36.190
So let's repeat that.

59
03:36.430 --> 03:39.280
Press spacebar, "MOV -,"

60
03:40.030 --> 03:41.950
"DWORD PTR"—

61
03:43.000 --> 03:45.670
sorry, it should be "QWORD PTR."

62
03:46.210 --> 03:49.810
And then in brackets, put "0x" for hex,

63
03:49.810 --> 03:52.810
and then paste the address there by pressing Ctrl+V

64
03:52.810 --> 03:56.410
or just right-click and paste, and close the bracket.

65
03:56.920 --> 04:01.480
So these square brackets here means that you are accessing the value stored at that address.

66
04:01.720 --> 04:09.160
And you need to put the "QWORD PTR" to tell the program that this is actually a quad word.

67
04:10.180 --> 04:16.150
The value stored here is a quad word, and "pointer" is just another name for address.

68
04:16.150 --> 04:21.070
So what it's saying is that, go to this address because of the "WORD PTR,"

69
04:21.070 --> 04:22.450
you know this is the address.

70
04:22.450 --> 04:25.900
And then because of the bracket here, you know that this is a quad word.

71
04:26.620 --> 04:28.870
So "quad word" means quad word,

72
04:28.900 --> 04:31.510
that means it's eight bytes here.

73
04:31.990 --> 04:38.530
So it's going to access all these values: 00000000001234.

74
04:38.530 --> 04:42.160
So quad word is from here to here: eight bytes.

75
04:42.580 --> 04:48.790
And then, so access the value stored at that address and then store it in -.

76
04:49.510 --> 04:50.260
Click "OK."

77
04:52.030 --> 04:52.570
Close.

78
04:52.810 --> 04:54.700
So now let's put the breakpoint.

79
04:54.700 --> 04:59.650
If you have not already done that, to toggle a breakpoint, just right-click and "Breakpoint," "Toggle."

80
04:59.650 --> 05:00.910
I've already done that.

81
05:01.450 --> 05:04.480
Now I run and it will hit the breakpoint.

82
05:04.480 --> 05:07.330
Then I step over until I come to this line.

83
05:07.720 --> 05:11.320
So now watch what happens when I step over this.

84
05:11.320 --> 05:13.720
What it will do is it will go to that address,

85
05:13.900 --> 05:14.920
fetch the value

86
05:14.920 --> 05:20.530
00000000001234

87
05:20.530 --> 05:22.420
and copy it into -.

88
05:22.990 --> 05:24.580
So let's step over now.

89
05:24.850 --> 05:27.340
And you see now - has got 1234.

90
05:27.880 --> 05:31.180
So it has inverted the bytes here.

91
05:31.180 --> 05:33.160
It was in reverse order: 3412,

92
05:33.160 --> 05:36.820
but when you copy it into -, it is in the correct order: 1234.

93
05:37.930 --> 05:44.800
You can also copy values into memory, for example.

94
05:44.950 --> 05:51.130
For example, you can move a register value into memory, assuming you want to move the value

95
05:51.130 --> 05:55.990
one from a register into memory, into this memory here, let's say.

96
05:55.990 --> 06:00.580
So we copy this first—copy this address.

97
06:02.170 --> 06:07.870
Come to this next line and then press spacebar and type "MOV."

98
06:07.900 --> 06:19.690
Then you type "QWORD PTR 0x," and press Ctrl+V to paste this memory here, and then close

99
06:19.690 --> 06:20.350
the bracket.

100
06:22.190 --> 06:24.470
And then here you need to put the

101
06:25.060 --> 06:25.810
-.

102
06:26.710 --> 06:30.490
Because you are moving one to this memory address.

103
06:30.490 --> 06:31.960
So let's close that now.

104
06:32.350 --> 06:32.770
OK.

105
06:32.770 --> 06:33.400
And close.

106
06:33.610 --> 06:34.240
Now you see.

107
06:34.480 --> 06:37.480
So now it is going to execute this.

108
06:37.810 --> 06:40.240
So let's step over this and see what happens.

109
06:40.270 --> 06:44.320
It's supposed to move one to this location here.

110
06:44.320 --> 06:45.220
So let's step over.

111
06:46.090 --> 06:47.410
And now you see one is there.

112
06:47.920 --> 06:54.940
So it has actually moved all these zeros and one and copied here in reverse order.

113
06:55.840 --> 06:59.410
That means from here, 01, to here.

114
07:00.160 --> 07:10.960
So this is how you can make use of memory by copying memory to registers or copying the register

115
07:10.960 --> 07:12.490
value to the memory.

116
07:13.750 --> 07:17.050
Note that you can also move register to register.

117
07:17.590 --> 07:19.660
So you can do stuff like this.

118
07:19.660 --> 07:20.890
For example, "MOV"—

119
07:20.890 --> 07:25.420
uh, let's say I want to copy 1234 to register -.

120
07:26.410 --> 07:28.360
So I will do it like this.

121
07:29.170 --> 07:29.680
-, -.

122
07:29.680 --> 07:30.520
-.

123
07:33.850 --> 07:35.860
So I "MOV -, -."

124
07:36.160 --> 07:39.280
So I step over that now and I will see—

125
07:39.280 --> 07:41.350
now - has also got 1234.

126
07:41.890 --> 07:49.720
After that, I can copy whatever is in - into memory if I want to, just like what I did here:

127
07:49.720 --> 07:51.190
- followed by memory,

128
07:51.190 --> 07:51.790
like this.

129
07:53.200 --> 07:53.680
All right.

130
07:53.680 --> 07:57.250
Or I can even move something directly into a register.

131
07:57.250 --> 07:58.750
For example, "MOV"—

132
07:59.050 --> 08:03.970
let's say I want to move 4568 into -.

133
08:03.970 --> 08:07.330
So I will do this: -.

134
08:10.120 --> 08:10.330
Then

135
08:10.330 --> 08:12.730
hex 4568.

136
08:17.400 --> 08:19.200
OK, so I step over this now.

137
08:19.920 --> 08:22.710
And you see we have 4568 in the - now.

138
08:23.580 --> 08:29.730
After that, I can move whatever is in the - into this other location in memory.

139
08:29.730 --> 08:30.870
Let's say I want to move—

140
08:30.870 --> 08:34.890
I want to move whatever is in -.

141
08:35.610 --> 08:35.910
OK.

142
08:35.910 --> 08:41.250
So here it changes to - because the value is small: 4568. But actually it's -, not -.

143
08:41.250 --> 08:42.450
Here it doesn't matter.

144
08:42.450 --> 08:43.170
It's OK.

145
08:43.350 --> 08:50.340
So over here, now let's say I want to move whatever's in - into this location here. I can do that.

146
08:50.340 --> 08:53.580
So I right-click this, copy the address,

147
08:53.790 --> 08:55.290
come over here.

148
08:58.190 --> 09:08.060
"MOV" to - into the memory location, so it should be "QWORD PTR 0x,"

149
09:08.720 --> 09:12.650
paste the address, and put your -.

150
09:13.550 --> 09:15.800
So - has got 4568,

151
09:15.800 --> 09:17.840
so all these 00004568.

152
09:18.410 --> 09:20.960
This will be quad word—sorry, quad word.

153
09:22.610 --> 09:22.760
Yeah.

154
09:22.760 --> 09:23.420
OK.

155
09:24.140 --> 09:24.440
All right.

156
09:24.440 --> 09:25.850
So now I'm going to step over this.

157
09:26.210 --> 09:27.380
See what happens.

158
09:27.440 --> 09:32.480
We know that - has got the value of 00000—

159
09:32.480 --> 09:33.770
all this—4568.

160
09:34.040 --> 09:38.630
So let's step over and take a look at this location now.

161
09:39.620 --> 09:40.070
Yes,

162
09:40.100 --> 09:45.350
got 00000000004568.

163
09:45.800 --> 09:48.470
So this came—all this thing here,

164
09:48.470 --> 09:51.680
this quad word came from -.

165
09:52.220 --> 09:52.910
Yes.

166
09:52.910 --> 09:55.850
And before that, you moved from a constant to -.

167
09:56.240 --> 09:58.940
And then now you moved - to memory.

168
09:58.940 --> 10:08.090
So these are how we can intermingle registers and memory and register and register and constant

169
10:08.090 --> 10:09.470
and register, and so on.

170
10:09.560 --> 10:14.060
So these are what we can do using memory itself.

171
10:14.720 --> 10:18.170
So now I'm going to show you how to save this file.

172
10:18.680 --> 10:26.900
So when you have already made alterations by hollowing the .EXE and then injecting your own code inside

173
10:26.900 --> 10:29.450
here, you need to patch it.

174
10:29.690 --> 10:33.320
So when you patch it means that you are saving it.

175
10:33.320 --> 10:34.970
So how do we do that?

176
10:35.990 --> 10:38.270
We click on "File," "Patch File."

177
10:38.600 --> 10:41.600
And then here are all the patches that will be made.

178
10:41.600 --> 10:43.880
Click "Patch File," then—

179
10:43.880 --> 10:50.450
now give a new name, so you can call this maybe "01_MOV_

180
10:52.260 --> 10:53.700
Memory."

181
10:55.060 --> 10:56.020
And click "OK."

182
10:57.280 --> 11:02.590
So it has already saved your file into the new file name.

183
11:04.570 --> 11:09.100
Now if you go to the location where you saved it, you can open it in x64dbg.

184
11:12.140 --> 11:16.790
And now you can scroll down and see your new code over here.

185
11:16.910 --> 11:17.540
See that?

186
11:18.440 --> 11:19.970
And then you can put a breakpoint.

187
11:21.890 --> 11:23.810
And run and step over.

188
11:26.310 --> 11:29.010
If you inspect memory, select Dump 1,

189
11:29.670 --> 11:30.720
go to "Memory Map,"

190
11:30.930 --> 11:32.940
inspect the data segment.

191
11:32.970 --> 11:35.130
You will see all your values there:

192
11:35.280 --> 11:36.510
1234

193
11:36.540 --> 11:38.220
that you initialized was there.

194
11:38.340 --> 11:39.030
Yeah,

195
11:39.030 --> 11:39.660
it's there.

196
11:40.530 --> 11:42.930
All right, so step over.

197
11:44.160 --> 11:45.450
1234 to -,

198
11:45.450 --> 11:47.550
and then - is equal to one.

199
11:47.550 --> 11:50.280
So you're going to move it to this address here.

200
11:51.990 --> 11:52.830
Step over.

201
11:54.450 --> 11:57.660
So now this address has got 01 which came from -.

202
11:57.780 --> 11:59.700
Now we're going to move to -.

203
11:59.850 --> 12:04.320
That means it's going to move 1234 into this -.

204
12:04.440 --> 12:07.590
So step over and you can see 1234 in -.

205
12:07.770 --> 12:10.170
Whenever something has been changed, it will be in red.

206
12:11.130 --> 12:13.290
Now it's going to move 4568 to it.

207
12:13.920 --> 12:14.280
OK.

208
12:14.280 --> 12:15.330
Let's step over that now.

209
12:15.720 --> 12:18.900
And you see 4568 now in -.

210
12:19.200 --> 12:25.440
Now it's going to move - to this memory location, 403F0, which is here.

211
12:26.610 --> 12:29.790
So let's step over this there.

212
12:30.180 --> 12:35.280
So one thing you need to note: that even though this is the initialized data segment, you can still

213
12:35.280 --> 12:35.970
write to it.

214
12:36.150 --> 12:37.260
You can still write to it,

215
12:37.260 --> 12:38.430
so it's OK.

216
12:39.120 --> 12:39.540
Right.

217
12:39.540 --> 12:45.270
But normally when we want to write something to a location, we will use the BSS segment.

218
12:45.270 --> 12:47.910
But it also works for the data segment.

219
12:48.090 --> 12:48.390
OK.

220
12:48.390 --> 12:49.170
So it's fine.

221
12:49.170 --> 12:56.520
So in this lesson, you have already learned how to access the memory itself,

222
12:56.520 --> 13:02.670
and you also learned there are two kinds of memory: the initialized data segment and the variables, which

223
13:02.670 --> 13:12.960
is BSS, the initialized data, and how to access it, and then how to also modify the memory itself directly,

224
13:12.960 --> 13:22.290
and also how to use the instruction to write data into the memory itself, how to move values from one

225
13:22.290 --> 13:23.520
register to another,

226
13:23.520 --> 13:27.330
how to move the values from the register to the memory.

227
13:27.570 --> 13:29.370
So that's all for this lesson.

228
13:29.370 --> 13:30.870
Thank you for watching.