WEBVTT

1
00:01.610 --> 00:02.900
Hello and welcome.

2
00:02.900 --> 00:10.100
In this section, we are going to take a look at the first jump instruction, which is an unconditional

3
00:10.100 --> 00:10.790
jump.

4
00:11.240 --> 00:15.050
It is the instruction called JMP.

5
00:15.560 --> 00:21.860
And this instruction will cause a jump to happen irrespective of any conditions in the -.

6
00:21.890 --> 00:24.080
It does not depend on the - registers.

7
00:24.590 --> 00:31.340
And the syntax for this JMP is JMP followed by destination.

8
00:31.430 --> 00:33.620
And you have three forms.

9
00:33.620 --> 00:40.790
The destination can be an address, which in this case will be a jump to an address, or it could

10
00:40.790 --> 00:42.650
be a register.

11
00:42.650 --> 00:49.040
So it will jump to the register, and the register will contain an address.

12
00:49.040 --> 00:55.250
So whatever is in the address in the register, it will jump to that address.

13
00:55.490 --> 01:03.620
And the third form is jump memory, which means whatever address is in that memory, it will jump to that

14
01:03.620 --> 01:04.370
address.

15
01:04.370 --> 01:13.910
So we start off now by first opening the template2.exe in the x64dbg, and then put a breakpoint at

16
01:13.910 --> 01:14.930
this location.

17
01:15.350 --> 01:19.340
So let's say now we want to jump to an address directly.

18
01:19.340 --> 01:22.880
So we can select an address we want to jump to.

19
01:22.910 --> 01:26.000
Let's say we want to jump to this address here.

20
01:26.330 --> 01:30.320
But first, let us put some dummy instruction here.

21
01:30.650 --> 01:36.710
So let's say we put an instruction to move something to -.

22
01:38.690 --> 01:41.150
Move one to -.

23
01:43.470 --> 01:51.300
And now we are going to put another instruction here which will cause it to jump to this address.

24
01:52.020 --> 01:55.680
So we will copy this address by right-clicking this address.

25
01:59.890 --> 02:01.090
And copying it.

26
02:02.110 --> 02:05.140
And then we come back here and put our jump.

27
02:07.390 --> 02:12.490
Put the prefix 0x, paste your address there, hit okay.

28
02:13.150 --> 02:16.540
And now immediately you will see that there is a jump here.

29
02:16.540 --> 02:22.090
If you click on the jump here, you will see that there is a red arrow going down to the address that

30
02:22.090 --> 02:23.500
you are going to jump to.

31
02:23.620 --> 02:28.660
So it is going to jump to this address 0x401150, which is over here.

32
02:28.660 --> 02:30.340
And then execute this line.

33
02:30.850 --> 02:35.170
Now, what happens to all the instructions in between?

34
02:35.620 --> 02:37.120
It will skip it totally.

35
02:37.120 --> 02:38.530
It will not execute it.

36
02:38.710 --> 02:45.580
So just for demonstration, let us put an instruction here to do something.

37
02:45.580 --> 02:49.720
Let's say we move two to -.

38
02:49.720 --> 02:54.160
So move - two.

39
02:59.340 --> 03:07.320
Now let's run to our breakpoint here and step over until we come to this line.

40
03:07.350 --> 03:13.830
So once we are now in this line, you will notice the red arrow here, which indicates that it will

41
03:13.830 --> 03:15.120
jump down here.

42
03:15.540 --> 03:22.980
And you will see that after this jump is supposed to move two to -, but this will be jumped

43
03:22.980 --> 03:23.400
over.

44
03:23.400 --> 03:25.680
That means this instruction will never happen.

45
03:26.460 --> 03:28.170
Let's step over and see what happens.

46
03:28.920 --> 03:31.290
And immediately you see it jumps down here.

47
03:31.950 --> 03:37.200
So the value in - remains as one.

48
03:37.590 --> 03:41.730
It has not changed because this instruction did not happen.

49
03:42.210 --> 03:43.830
Now let's step over this.

50
03:45.150 --> 03:46.920
So now we move one to -.

51
03:47.040 --> 03:48.390
So one is in -.

52
03:49.140 --> 03:51.000
So this is how we jump.

53
03:51.240 --> 03:53.730
Next one is jump register.

54
03:54.600 --> 03:58.770
So now for this, we have to put an address in a register.

55
03:58.770 --> 04:01.680
Let's say we put an address in the - register.

56
04:02.160 --> 04:04.950
So let's choose an address for that demonstration.

57
04:04.980 --> 04:06.900
Let's choose this one.

58
04:07.620 --> 04:09.750
Right-click on this.

59
04:09.750 --> 04:11.520
Let's put some instruction there.

60
04:14.270 --> 04:17.690
Let's say we move three to -.

61
04:23.680 --> 04:24.010
All right.

62
04:24.010 --> 04:29.890
Now we are going to jump to this address, and we are going to put this address in the register.

63
04:30.190 --> 04:33.220
So we copy this address first.

64
04:36.650 --> 04:44.330
And then go to the register -, right-click on it, modify value, and paste the address here.

65
04:44.840 --> 04:45.650
Hit okay.

66
04:46.280 --> 04:52.100
So this address 0x401580 is referring to this location here.

67
04:52.430 --> 04:53.900
So we want to jump there.

68
04:55.070 --> 04:56.990
So we assemble a jump here.

69
05:00.030 --> 05:02.610
Jump to the register -.

70
05:04.170 --> 05:12.030
So what will happen is it's supposed to jump to the - register and fetch the address there, and

71
05:12.030 --> 05:15.750
then it will jump to that address, which is this address here.

72
05:16.260 --> 05:19.500
So let's execute it now by running, stepping over it.

73
05:20.640 --> 05:27.660
So we jump to fetch this address here and jump to that address.

74
05:27.660 --> 05:29.040
And so now we are here.

75
05:29.640 --> 05:34.590
And now if we run this, it's supposed to move three to -.

76
05:35.010 --> 05:39.150
Step over that, and you find three in -.

77
05:41.490 --> 05:42.060
All right.

78
05:42.060 --> 05:47.880
So let's take a look at the next example, which is to jump to the memory.

79
05:47.880 --> 05:51.420
So to do that, we will first choose a memory.

80
05:51.420 --> 05:54.990
We want to jump to an address we want to jump to.

81
05:55.020 --> 06:01.200
So let's say we choose this address over here, 0x...598.

82
06:01.740 --> 06:04.110
And we put the instruction there.

83
06:05.910 --> 06:09.390
Move maybe eight

84
06:12.000 --> 06:13.320
to -.

85
06:18.910 --> 06:24.220
Now we want to jump to this address, but we want to put this address in memory.

86
06:24.460 --> 06:29.770
So what we do is we will click on dump one, then click on memory map.

87
06:30.610 --> 06:32.920
Then look for data segment.

88
06:32.920 --> 06:34.630
You can also use BSS.

89
06:35.760 --> 06:40.620
So we double-click the data segment, and it will show us the data segment in dump one.

90
06:40.830 --> 06:48.000
Now we scroll down and look for empty space in memory, and we choose this one.

91
06:48.960 --> 06:50.850
So we need to use the QWORD.

92
06:52.080 --> 06:53.490
QWORD is

93
06:54.380 --> 06:57.290
quad word, so 16... 8 bytes.

94
06:58.010 --> 06:59.660
We cannot use part of it.

95
06:59.660 --> 07:05.930
We cannot use DWORD because in the syntax for JMP, it must be a QWORD.

96
07:06.650 --> 07:10.070
So we are going to store this address in memory here.

97
07:10.790 --> 07:12.680
And this address is also a QWORD.

98
07:13.550 --> 07:21.530
So this address here must be stored in memory in reverse order because of the little-endian convention.

99
07:21.620 --> 07:26.510
So we need to store 98, 15, and 40.

100
07:26.750 --> 07:30.800
So we right-click this and we binary edit.

101
07:32.150 --> 07:34.370
And here we store in reverse order.

102
07:34.760 --> 07:44.990
So 98 will be here, followed by 15, followed by 40.

103
07:46.310 --> 07:49.610
40, and then we hit okay.

104
07:50.450 --> 07:56.360
Now we see that our address is stored here in reverse order from the right to the left.

105
07:57.290 --> 08:02.630
So if you read it from the right to the left, the first 00 here, the first byte 00 will

106
08:02.630 --> 08:05.180
be referring to this 00 here.

107
08:06.500 --> 08:08.060
And then you read backwards.

108
08:08.060 --> 08:09.710
Read backwards all the way.

109
08:09.710 --> 08:16.130
Then you will count to 40 over here, 15 over here, 98 over here.

110
08:16.520 --> 08:23.930
So we have our QWORD address in this address 0x403140.

111
08:24.200 --> 08:27.470
Now what we need to do is we need to jump to this address here.

112
08:27.650 --> 08:32.420
So we right-click this and we copy this address.

113
08:33.830 --> 08:40.550
And we come up to here and assemble our jump.

114
08:41.660 --> 08:48.020
Jump QWORD PTR to dereference it.

115
08:48.020 --> 08:51.500
And then we put our 0x prefix.

116
08:51.500 --> 08:56.240
And then we paste our address there and hit okay.

117
08:58.270 --> 09:00.520
So now we have a jump here.

118
09:00.550 --> 09:08.050
So when it executes, it will jump to this address 0x403140.

119
09:08.170 --> 09:13.540
And then dereference the address by fetching the value stored there.

120
09:13.840 --> 09:18.130
So it will get the value stored there, which is 0x401598.

121
09:18.130 --> 09:20.290
And jump to that address.

122
09:20.320 --> 09:23.320
As you can see, the arrow points over here already.

123
09:23.620 --> 09:29.590
So let's step over, and it jumps to that address 0x401598.

124
09:29.800 --> 09:36.850
So what happens is when it goes to this address 0x403140, it will then fetch the value stored there.

125
09:37.210 --> 09:41.500
And it will deconstruct it back into the reverse order.

126
09:41.500 --> 09:42.970
So it will get back the address

127
09:42.970 --> 09:45.400
0x401598 and then jump there.

128
09:45.400 --> 09:47.860
So that is why it jumps over there.

129
09:48.400 --> 09:51.310
And now it's going to execute this instruction.

130
09:51.310 --> 09:55.780
And let's step over that and watch E, watch -.

131
09:55.960 --> 10:00.400
So we step over, and it has moved it to -.

132
10:01.390 --> 10:06.460
So this is how you can use jump inside your assembly code.

133
10:06.610 --> 10:15.040
And very often you will find that certain programs will use this method, jump - or even jump

134
10:15.040 --> 10:15.790
memory.

135
10:15.790 --> 10:21.700
And this is part of the obfuscation to prevent analysis.

136
10:22.330 --> 10:28.780
Usually software which uses some kind of protection, software protection, will use this method

137
10:28.780 --> 10:31.180
so that it prevents analysis.

138
10:31.180 --> 10:31.720
Why?

139
10:31.750 --> 10:40.210
Because static analysis especially will depend on the static values stored in the

140
10:40.210 --> 10:43.600
code to understand the program's flow logic.

141
10:43.600 --> 10:49.840
But for software which uses software protection, the address that you jump to will only

142
10:49.840 --> 10:52.390
be calculated during runtime.

143
10:52.390 --> 10:54.550
And so that defeats static analysis.

144
10:54.670 --> 11:00.670
So this is a way of enforcing or implementing software security.

145
11:00.670 --> 11:03.940
So that is why understanding this is important.

146
11:04.120 --> 11:06.250
So that's all for this video.

147
11:06.250 --> 11:07.720
Thank you for watching.