Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
55
1
Share
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.7k
Reverse Engineering - 2
ljptw
0
750
Reverse Engineering - 3
ljptw
0
600
Re:0 從零開始的逆向工程
ljptw
1
1.2k
Linux 極入門篇
ljptw
1
300
Fuzzing 101
ljptw
1
200
Binary Exploitation - File Structure
ljptw
1
300
Binary Exploitation - Heap
ljptw
1
170
Binary Exploitation - Basic
ljptw
1
130
Other Decks in Technology
See All in Technology
AWS Agent Registry の基礎・概要を理解する/aws-agent-registry-intro
ren8k
3
380
Master Dataグループ紹介資料
sansan33
PRO
1
4.6k
Keeping Ruby Running on Cygwin
fd0
0
160
Rapid Start: Faster Internet Connections, with Ruby's Help
kazuho
2
570
AWS認定資格は本当に意味があるのか?
nrinetcom
PRO
2
270
国内外の生成AIセキュリティの最新動向 & AIガードレール製品「chakoshi」のご紹介 / Latest Trends in Generative AI Security (Domestic & International) & Introduction to AI Guardrail Product "chakoshi"
nttcom
2
900
[OAWTT26][THR1028] Oracle AI Database 26ai へのアップグレード:ベストプラクティスと最新情報
oracle4engineer
PRO
1
110
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
3.1k
実践ハーネスエンジニアリング:TAKTで実現するAIエージェント制御 / Practical Harness Engineering: AI Agent Control Enabled by TAKT
nrslib
11
4.6k
みんなの「データ活用」を支えるストレージ担当から持ち込むAWS活用/コミュニティー設計TIPS 10選~「作れる」より、「続けられる」設計へ~
yoshiki0705
0
250
社内エンジニア勉強会の醍醐味と苦しみ/tamadev
nishiuma
0
210
「責任あるAIエージェント」こそ自社で開発しよう!
minorun365
9
2k
Featured
See All Featured
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
340
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.9k
Designing Powerful Visuals for Engaging Learning
tmiket
1
340
Bash Introduction
62gerente
615
210k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
118
110k
Ethics towards AI in product and experience design
skipperchong
2
260
How to Think Like a Performance Engineer
csswizardry
28
2.6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
1.1k
The Spectacular Lies of Maps
axbom
PRO
1
700
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
120
Chasing Engaging Ingredients in Design
codingconduct
0
170
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
ren8k
sansan33
fd0
kazuho
nrinetcom
nttcom
oracle4engineer
nrslib
yoshiki0705
nishiuma
minorun365
rkendrick25
reverentgeek
tmiket
62gerente
twada
skipperchong
csswizardry
danielanewman
uxyall
axbom
auna
codingconduct
