Some quick notes after uploading the video: - I forgot to include a good ROP reference from Exploit DB (Shaif El-Sherei): www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf - A ROP gadget is any instruction sequence that ends with an instruction that modifies the RIP register, typically a RET (but it could be any other instruction, like JMP). In the video, in order to keep things simple, I mentioned only the RET case. - Yes, around 14:45 I mispronounce the word "contriving" :(
This is by far the clearest explanation of ROP ive ever seen and you are the only channel ive seen to break it down into the very basics, and make it super clear to understand. Glad to be one of your first 500 subs, but you deserve more than the big CTF youtubers out there and I can see your channel blowing up. Thanks a lot!
Every single one of your videos has taught me 10 x anything I have ever learned from any other instructor. Your approach with explaining each subject and all of the complex details is just phenomenal. So grateful to have stumbled across you. Working my way through your content and loving every minute.
Wow. I cant wait for your channel to explode! You have a deep understanding of what you're doing and present the material in a clear and approachable way. I really enjoyed this, thank you!
Hello! One of the best videos about ROPs. One thing I would like o mention: After: payload = b"A" * 0x28 I also need an address of just 'ret' got with ROPgadget so: payload += return_address. Moreover I need to push it further to "usefulFunction" address. So: payload += usefullFunction_address So now I can add the other 3 addresses that you have in your video. I don't know why it is not working with what you just present there...
@@RazviOverflow I am saying that on my end, it doesn't work just with those 3 added addresses to the payload. I need 2 more (1 of a ret address and the address of the "usefulFunction")
Possibly already pointed out - at around 8:30 the picture of the stack being overflowed is backwards. The stack grows from high memory addresses to low. Everything that was drawn into the stack should be flipped upside down. Nonetheless, still a great video and explanation.
Incorrect. As you stated, stack grows from higher (H) addresses toward lower (L) ones. At the right of the drawing there is a huge arrow that goes downwards from H to L to indicate just that. There is no such thing as flipping the stack upside down. It doesn't matter how you draw it as long as you specify where the higher or lower addresses are. If you check the whole series from the beginning or the process I usually follow to draw the stack, you will notice I always do it like so. Thanks for the comment.
Can you make a Cutter setup video. My cutter shows addresses relative to stack. Which is pretty confusing... I was wondering why isn't my exploit working... It shows var void *buf @ stack - 0x28 whereas on yours it shows var void *buf @ rbp - 0x20 @14:53
They changed that in recent versions of cutter. I'm not sure if you can change it back to the older form (like in my video). Anyways, you just have to realize that what they call "stack" is the base stack address (right where the saved return address ends), and right above it lies the rbp. So rbp-0x20 and stack-0x28 are equivalent given that rbp is 8 bytes long.
@@RazviOverflow Just look at the illustration at 12:30, it may be not even your fault, just assembly is ... insane, everything goes everywhere all the time and i fail to map this in my brain
Some quick notes after uploading the video:
- I forgot to include a good ROP reference from Exploit DB (Shaif El-Sherei): www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf
- A ROP gadget is any instruction sequence that ends with an instruction that modifies the RIP register, typically a RET (but it could be any other instruction, like JMP). In the video, in order to keep things simple, I mentioned only the RET case.
- Yes, around 14:45 I mispronounce the word "contriving" :(
This is by far the clearest explanation of ROP ive ever seen and you are the only channel ive seen to break it down into the very basics, and make it super clear to understand. Glad to be one of your first 500 subs, but you deserve more than the big CTF youtubers out there and I can see your channel blowing up. Thanks a lot!
Thank you. I really appreciate your words :)
Every single one of your videos has taught me 10 x anything I have ever learned from any other instructor. Your approach with explaining each subject and all of the complex details is just phenomenal. So grateful to have stumbled across you. Working my way through your content and loving every minute.
Thank you for your kind words ❤Glad my videos are useful to you :)
This is seriously the best explanation i've found on ROP. The explanation is so clear and detailed. So helpful 😄 Loved it!
I'm happy it helped you :)
Wow. I cant wait for your channel to explode! You have a deep understanding of what you're doing and present the material in a clear and approachable way. I really enjoyed this, thank you!
Thank you very much! Glad you liked the video. I try to make things as simple as I can.
Your content is super clear and well explained. Thanks for explaining the rop concept in the best possible way.
You are more than welcome :)
Thank you so much, this is by far the clearest rop tutorial ive ever seen. keep up the good work
Thank you. Glad it helps!
wanted to comment this as well. Beautiful side-by-side visual.
@@petermackinnon6546 Thank you :) I find it a bit rudimentary and definitely home made (it's plain paint), but pretty effective at the same time
Wow - this is by far the best explanation if seen on the topic so far. Thank you very much!
Glad you liked the video :)
Truely said, you deserve subs more than top CTF RUclipsrs out there, absolutely clear content, loved it!
Thank you :)
Hello! One of the best videos about ROPs. One thing I would like o mention:
After:
payload = b"A" * 0x28
I also need an address of just 'ret' got with ROPgadget so:
payload += return_address.
Moreover I need to push it further to "usefulFunction" address. So:
payload += usefullFunction_address
So now I can add the other 3 addresses that you have in your video. I don't know why it is not working with what you just present there...
Hello, thank you. I'm not sure if I understand correctly. All I show in the video is tested and working.
@@RazviOverflow I am saying that on my end, it doesn't work just with those 3 added addresses to the payload. I need 2 more (1 of a ret address and the address of the "usefulFunction")
Can u share your code ?
Mine also is not working
Woah! loved the explanation, you surely deserve more number.
Thank you :)
Excellent content, this actually helped me a lot. Please keep posting!
Glad it helped!
Possibly already pointed out - at around 8:30 the picture of the stack being overflowed is backwards. The stack grows from high memory addresses to low. Everything that was drawn into the stack should be flipped upside down. Nonetheless, still a great video and explanation.
Incorrect. As you stated, stack grows from higher (H) addresses toward lower (L) ones. At the right of the drawing there is a huge arrow that goes downwards from H to L to indicate just that. There is no such thing as flipping the stack upside down. It doesn't matter how you draw it as long as you specify where the higher or lower addresses are.
If you check the whole series from the beginning or the process I usually follow to draw the stack, you will notice I always do it like so.
Thanks for the comment.
Can somebody advice the debugger for NASM?
Check out GDB (GNU Debugger)
Extremely clear explanations thank you for this video
You are welcome :)
Very very good explained broo
Thank you :)
Nice one once again. Looking forwards to more content.
I appreciate your comments. This week I'm uploading (at last) the ret2libc video :)
Ciao POLIMI
Can you make a Cutter setup video. My cutter shows addresses relative to stack. Which is pretty confusing... I was wondering why isn't my exploit working...
It shows var void *buf @ stack - 0x28 whereas on yours it shows var void *buf @ rbp - 0x20 @14:53
They changed that in recent versions of cutter. I'm not sure if you can change it back to the older form (like in my video). Anyways, you just have to realize that what they call "stack" is the base stack address (right where the saved return address ends), and right above it lies the rbp. So rbp-0x20 and stack-0x28 are equivalent given that rbp is 8 bytes long.
Hola Razvi! Volverás a meterle caña al otro canal o ya lo has abandonado del todo? Se te echa de menos!
Gracias :) Pues la verdad es que no sabría decirte. No descarto volver a hacer vídeos, pero ahora mismo tengo otras prioridades en la vida.
Pues mucha suerte en tus nuevos proyectos y si vuelves a colgar algun video, al menos tendrás mi visualización y mi like. Suerte camarada!
@@polmarin2911 Muchas gracias. Un abrazo!
very nice. well done!
Thank you!
hello,thanks for all but where is the file i didn't find . Can u share please ?
I think it is pretty easy to find in ROPEmporium page: ropemporium.com/challenge/split.html
@@RazviOverflow well, thank u. i looked tryhackme for binary
@@cgrbro Around 0:30 I mention we will exploit the split challenge from ROPemporium, which is shown around 0:53
@@RazviOverflow yes i just realized thank u so much
@@cgrbro You are most welcome, glad to help
Great, keep up the good work.
Thank you! :D
polino mi manchi
Excellent, as always :)
Thank you! :)
Nice expression
i dont understand a shit from all of this, i don't know what is the flow or next instruction when you talk about things, i don't see the context
You are the first one (so far) pointing out the context is missing. Please tell me why and how the video could be improved.
@@RazviOverflow Just look at the illustration at 12:30, it may be not even your fault, just assembly is ... insane, everything goes everywhere all the time and i fail to map this in my brain
@@ragnarlothbrok367 Ok, then the problem is not the video. Have you tried watching easier videos?