Binary Exploitation - Basic (Supplement)
LJP-TW
May 26, 2021
2021/05/26 NTUST Information Security Club session
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic (Supplement)
# whoami - LJP / LJP-TW - Pwn / Rev - NTUST / NCTU / NYCU - 10sec CTF Team
Outline - TLS
TLS
TLS - TLS stands for Thread-Local Storage - On Linux x64 the fs register holds the address of the TLS block - The stack canary is stored inside the TLS block
TLS - fs is a segment register - an address written as seg:offset is computed as segment base + offset - so you open gdb to check what fs holds, and it reads 0 - does that mean the canary is loaded from [0+0x28]??
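The slide above turns on one fact: fs:0x28 is just memory at (fs base + 0x28), so once you know the base you can read the canary with a plain pointer. The program below is an added example, not from the slides, and assumes x86-64 Linux with the usual glibc/musl TCB layout (a self-pointer at fs:0, the stack guard at fs:0x28; the arch_prctl request code ARCH_GET_FS = 0x1003 is defined as a fallback in case the header does not provide it). It obtains the fs base two ways, from the kernel via arch_prctl and from the self-pointer at fs:0, then reads the canary both with a segment-prefixed load and through the base.

```c
// Added example (not from the original deck): reading TLS through fs on x86-64 Linux.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003      /* arch_prctl request: read this thread's FS base (assumed constant) */
#endif
#ifndef SYS_arch_prctl
#define SYS_arch_prctl 158      /* x86-64 syscall number for arch_prctl (assumed constant) */
#endif

extern long syscall(long number, ...);

/* The kernel's answer: arch_prctl(ARCH_GET_FS, &out) writes the FS base into out. */
uintptr_t fs_base_via_arch_prctl(void) {
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* The CPU's answer: glibc and musl keep a pointer to the TCB itself in its
   first slot, so the load fs:0 yields the fs base. */
uintptr_t fs_base_via_self_pointer(void) {
    uintptr_t self;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(self));
    return self;
}

/* The stack canary, read exactly as a -fstack-protector prologue reads it. */
uintptr_t canary_via_fs(void) {
    uintptr_t canary;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(canary));
    return canary;
}

/* The same canary through an ordinary pointer: fs:0x28 is *(base + 0x28). */
uintptr_t canary_via_base(uintptr_t base) {
    return *(volatile uintptr_t *)(base + 0x28);
}

int main(void) {
    uintptr_t base = fs_base_via_arch_prctl();
    printf("fs base (arch_prctl):   0x%lx\n", (unsigned long)base);
    printf("fs base (fs:0):         0x%lx\n", (unsigned long)fs_base_via_self_pointer());
    printf("canary  (fs:0x28):      0x%lx\n", (unsigned long)canary_via_fs());
    printf("canary  (*(base+0x28)): 0x%lx\n", (unsigned long)canary_via_base(base));
    return 0;
}
```

Build with `gcc -O0 tls_fs.c -o tls_fs` and run it; both base values agree and both canary values agree. The offset 0x28 is the `stack_guard` slot of glibc's `tcbhead_t` (musl places its canary at the same offset for ABI compatibility), which is why an exploit that can read TLS memory at base+0x28 learns the canary without ever touching the stack.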
TLS - The 0 gdb prints for fs is only the segment selector: on Linux x64 every user process, gdb included, runs with an fs selector of 0, and the base the CPU actually adds to the offset is held separately (the FS base, set via arch_prctl) - So how do you get the fs base of the process you are inspecting? - Call arch_prctl(ARCH_GET_FS) in that process
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb implements a command that fetches the TLS address - reading the implementation shows it uses the same approach: it has the debuggee call arch_prctl -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77
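The last two slides ask how a debugger, itself a separate process, learns the debuggee's fs base. Pwngdb's answer is to make the debuggee run arch_prctl; the kernel's own answer, which gdb reads to fill in `$fs` and (in recent versions) `$fs_base`, is `PTRACE_GETREGS`. The program below is an added example, not from the deck or from Pwngdb, and assumes x86-64 Linux where ptrace is permitted (the child uses PTRACE_TRACEME, so the Yama attach restriction does not apply; ARCH_GET_FS = 0x1003 is defined as a fallback). The child reports its own fs base through a pipe and stops; the parent then reads the child's register file and shows that the `fs` selector is 0 while `fs_base` is the real address, the very gap that made the gdb output on slide 5 confusing.

```c
// Added example (not from the original deck): a debugger's view of the debuggee's fs.
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003      /* arch_prctl request code (assumed constant) */
#endif
#ifndef SYS_arch_prctl
#define SYS_arch_prctl 158      /* x86-64 syscall number (assumed constant) */
#endif

extern long syscall(long number, ...);

struct fs_view {
    unsigned long long selector;   /* regs.fs as ptrace reports it: the 16-bit selector */
    unsigned long long base;       /* regs.fs_base as ptrace reports it: the real base */
    unsigned long long self_base;  /* what the child computed for itself via arch_prctl */
    int ok;                        /* 1 only if every step succeeded */
};

/* Inside the traced process: the same call Pwngdb triggers from within gdb. */
static unsigned long own_fs_base(void) {
    unsigned long base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Fork a child, let it report its fs base, stop it, and read its registers
   the way a debugger does. Returns the three values side by side. */
struct fs_view inspect_child_fs(void) {
    struct fs_view v = {0, 0, 0, 0};
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return v;

    pid_t pid = fork();
    if (pid < 0)
        return v;

    if (pid == 0) {                                 /* debuggee */
        close(pipefd[0]);
        unsigned long base = own_fs_base();
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
            _exit(1);
        if (write(pipefd[1], &base, sizeof base) != (ssize_t)sizeof base)
            _exit(1);
        raise(SIGSTOP);                             /* hand control to the tracer */
        _exit(0);
    }

    /* debugger side */
    close(pipefd[1]);
    unsigned long reported = 0;
    ssize_t n = read(pipefd[0], &reported, sizeof reported);
    close(pipefd[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status) && n == (ssize_t)sizeof reported) {
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0) {
            v.selector = regs.fs;       /* this is the 0 that gdb's "p $fs" shows */
            v.base = regs.fs_base;      /* this is what gdb's "p $fs_base" shows */
            v.self_base = reported;
            v.ok = 1;
        }
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return v;
}

int main(void) {
    struct fs_view v = inspect_child_fs();
    if (!v.ok) {
        fprintf(stderr, "ptrace failed (container seccomp or unsupported arch?)\n");
        return 1;
    }
    printf("child fs selector (ptrace): 0x%llx\n", v.selector);
    printf("child fs base     (ptrace): 0x%llx\n", v.base);
    printf("child fs base (arch_prctl): 0x%llx\n", v.self_base);
    return 0;
}
```

Both routes give the same address, so inside gdb `call (int)arch_prctl(0x1003, $rsp-8)` followed by `x/gx $rsp-8` (Pwngdb's trick) and `p $fs_base` are interchangeable; the selector printed by `p $fs` is never the number you want. Note that `fs_base` only exists in the ptrace register set on x86-64, and that some container seccomp profiles block ptrace entirely, in which case the in-process arch_prctl call is the only option.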
TLS Demo