Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
39
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.2k
Reverse Engineering - 2
ljptw
0
540
Reverse Engineering - 3
ljptw
0
450
Re:0 從零開始的逆向工程
ljptw
1
750
Linux 極入門篇
ljptw
1
270
Fuzzing 101
ljptw
1
150
Binary Exploitation - File Structure
ljptw
1
250
Binary Exploitation - Heap
ljptw
1
120
Binary Exploitation - Basic
ljptw
1
94
Other Decks in Technology
See All in Technology
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
220
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Lexical Analysis
shigashiyama
1
150
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
900
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
110
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
88
5.7k
Teambox: Starting and Learning
jrom
133
8.8k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
GitHub's CSS Performance
jonrohan
1030
460k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Six Lessons from altMBA
skipperchong
27
3.5k
Rails Girls Zürich Keynote
gr2m
94
13k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
A Philosophy of Restraint
colly
203
16k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
oracle4engineer
fumiyasac0921
sudoakiy
eijikominami
kamina_zzz
shigashiyama
tsumita
nobutomurata
ysknsid25
sansantech
yoshidashingo
.jpeg){kind=avatar}
ostk0069
notwaldorf
jrom
jponch
jnunemaker
jonrohan
hatefulcrawdad
eileencodes
skipperchong
gr2m
jeffersonlam
colly
danielanewman
