Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
39
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.3k
Reverse Engineering - 2
ljptw
0
550
Reverse Engineering - 3
ljptw
0
460
Re:0 從零開始的逆向工程
ljptw
1
760
Linux 極入門篇
ljptw
1
270
Fuzzing 101
ljptw
1
150
Binary Exploitation - File Structure
ljptw
1
250
Binary Exploitation - Heap
ljptw
1
120
Binary Exploitation - Basic
ljptw
1
98
Other Decks in Technology
See All in Technology
Snykで始めるセキュリティ担当者とSREと開発者が楽になる脆弱性対応 / Getting started with Snyk Vulnerability Response
yamaguchitk333
2
190
宇宙ベンチャーにおける最近の情シス取り組みについて
axelmizu
0
110
C++26 エラー性動作
faithandbrave
2
760
権威ドキュメントで振り返る2024 #年忘れセキュリティ2024
hirotomotaguchi
2
750
PHPerのための計算量入門/Complexity101 for PHPer
hanhan1978
5
190
バクラクのドキュメント解析技術と実データにおける課題 / layerx-ccc-winter-2024
shimacos
2
1.1k
Qiita埋め込み用スライド
naoki_0531
0
5.1k
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
270
サーバレスアプリ開発者向けアップデートをキャッチアップしてきた #AWSreInvent #regrowth_fuk
drumnistnakano
0
200
GitHub Copilot のテクニック集/GitHub Copilot Techniques
rayuron
37
15k
alecthomas/kong はいいぞ / kamakura.go#7
fujiwara3
1
300
多領域インシデントマネジメントへの挑戦:ハードウェアとソフトウェアの融合が生む課題/Challenge to multidisciplinary incident management: Issues created by the fusion of hardware and software
bitkey
PRO
2
110
Featured
See All Featured
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
The Cult of Friendly URLs
andyhume
78
6.1k
A designer walks into a library…
pauljervisheath
204
24k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Building Adaptive Systems
keathley
38
2.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
VelocityConf: Rendering Performance Case Studies
addyosmani
326
24k
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8