Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
41
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.4k
Reverse Engineering - 2
ljptw
0
640
Reverse Engineering - 3
ljptw
0
530
Re:0 從零開始的逆向工程
ljptw
1
940
Linux 極入門篇
ljptw
1
280
Fuzzing 101
ljptw
1
160
Binary Exploitation - File Structure
ljptw
1
260
Binary Exploitation - Heap
ljptw
1
130
Binary Exploitation - Basic
ljptw
1
100
Other Decks in Technology
See All in Technology
ゆるくVPC Latticeについてまとめてみたら、意外と奥深い件
masakiokuda
2
200
10分でわかるfreeeのQA
freee
1
11k
Enterprise AI in 2025?
pamelafox
0
130
コンソールで学ぶ!AWS CodePipelineの機能とオプション
umekou
3
130
お問い合わせ対応の改善取り組みとその進め方
masartz
1
590
モンテカルロ木探索のパフォーマンスを予測する Kaggleコンペ解説 〜生成AIによる未知のゲーム生成〜
rist
4
1.3k
Vision Language Modelを活用した メルカリの類似画像レコメンドの性能改善
yadayuki
9
1.3k
SaaSプロダクト開発におけるバグの早期検出のためのAcceptance testの取り組み
kworkdev
PRO
0
540
SSH公開鍵認証による接続 / Connecting with SSH Public Key Authentication
kaityo256
PRO
2
260
こんなデータマートは嫌だ。どんな? / waiwai-data-meetup-202504
shuntak
3
580
「家族アルバム みてね」を支えるS3ライフサイクル戦略
fanglang
4
600
17年のQA経験が導いたスクラムマスターへの道 / 17 Years in QA to Scrum Master
toma_sm
0
510
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Automating Front-end Workflow
addyosmani
1369
200k
Unsuck your backbone
ammeep
670
57k
The Invisible Side of Design
smashingmag
299
50k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
177
52k
What's in a price? How to price your products and services
michaelherold
245
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2.1k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
12
1.4k
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Six Lessons from altMBA
skipperchong
27
3.7k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
masakiokuda
freee
pamelafox
umekou
masartz
rist
yadayuki
kworkdev
kaityo256
shuntak
fanglang
toma_sm
chriscoyier
addyosmani
ammeep
smashingmag
soudai
michaelherold
bcantrill
reverentgeek
jeffersonlam
skipperchong
eileencodes
