Speaker Deck
Binary Exploitation - Basic 補充篇
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club, club lecture
Live stream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic: Supplementary Notes

# whoami - LJP / LJP-TW - Pwn / Rev - NTUST / NCTU / NYCU - 10sec CTF Team

Outline - TLS

TLS

TLS - TLS stands for Thread-Local Storage - On Linux x64 the fs register holds the location of the TLS - The stack canary is stored in the TLS

TLS - fs is a segment register - Addresses are computed as reg:offset = ref + offset - But when you use gdb to check what fs equals, you find it shows 0 - So is the canary really loaded from [0+0x28]??

TLS - GDB is itself a process; fs = 0 refers to GDB's own fs - So how do you obtain the fs of the process under observation? - Call arch_prctl. Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS - Pwngdb implements a feature for obtaining the TLS - Reading how it is implemented, you find it does the same thing - https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

TLS Demo
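The slides leave the demo to the live stream. As an added example (not the speaker's code or Pwngdb's), the following C program shows from inside a process what the slides describe: the fs selector that gdb prints is not where TLS lives, the real fs base comes from arch_prctl(ARCH_GET_FS) (the same call Pwngdb relies on), glibc keeps a self-pointer at fs:0 so that also yields the base, and the stack canary that every protected prologue loads from fs:0x28 is just the word at base+0x28. The function names are this example's own; the offsets 0 and 0x28 are the glibc x86-64 tcbhead_t layout the slides refer to, and the program refuses to build on anything but Linux x86-64.

```c
/* Added example: observe the x86-64 TLS base and the stack canary from inside
 * a process. Function names are this example's own; the layout assumed is the
 * glibc x86-64 TCB (self-pointer at fs:0, stack guard at fs:0x28). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/prctl.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "This example demonstrates the Linux x86-64 TLS layout only"
#endif

/* Ask the kernel for the fs segment base of the calling thread. This is what a
 * debugger has to do for its debuggee: the selector value gdb shows as
 * "fs = 0" is not the base and says nothing about where TLS is mapped. */
uintptr_t tls_base_via_arch_prctl(void) {
    unsigned long base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;                       /* syscall refused: caller sees 0 */
    return (uintptr_t)base;
}

/* glibc stores a pointer to the TCB itself at fs:0 (tcbhead_t.tcb),
 * so reading fs:0 from inside the thread also gives the fs base. */
uintptr_t tls_base_via_fs0(void) {
    uintptr_t self;
    __asm__ volatile ("mov %%fs:0, %0" : "=r"(self));
    return self;
}

/* The canary exactly as a -fstack-protector prologue loads it:
 * mov %fs:0x28, %rax. */
uintptr_t canary_via_fs(void) {
    uintptr_t v;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* The same word reached through the flat TLS base instead of the segment,
 * which is how a debugger script reads it once it knows the base. */
uintptr_t canary_via_base(uintptr_t base) {
    return *(volatile uintptr_t *)(base + 0x28);
}

int main(void) {
    uintptr_t a = tls_base_via_arch_prctl();
    uintptr_t b = tls_base_via_fs0();
    printf("fs base (arch_prctl) = 0x%lx\n", (unsigned long)a);
    printf("fs base (fs:0)       = 0x%lx\n", (unsigned long)b);
    printf("canary via fs:0x28   = 0x%lx\n", (unsigned long)canary_via_fs());
    printf("canary via base+0x28 = 0x%lx\n", (unsigned long)canary_via_base(a));
    return (a != 0 && a == b) ? 0 : 1;
}
```

Build with `gcc -O0 tls_demo.c -o tls_demo` and run it under gdb: `info registers fs` still prints 0 while the program prints a non-zero base, which is the discrepancy the slides point out and the reason Pwngdb asks the kernel instead of trusting the selector.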