Binary Exploitation - Basic 補充篇
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club meeting
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic Supplement

# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Outline
- TLS

TLS
TLS
- TLS stands for Thread-Local Storage
- On Linux x64 the fs register records where the TLS is
- The stack canary is stored inside the TLS

TLS
- fs is a segment register
- Addressing works as reg:offset = ref + offset
- But when you use gdb to check what fs equals, you find it shows 0
- So is the canary really fetched from [0+0x28]??

TLS
- GDB is also a process; fs = 0 is GDB's own fs
- So how do we get the fs of the process under observation?
- Call arch_prctl
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS
- Pwngdb implements a feature for obtaining the TLS
- Reading how it is implemented, it turns out to be the same approach
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77
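The arch_prctl approach from the slides above, worked through as an added example (my code, not part of the deck or of Pwngdb): a C program asks the kernel for its own fs base with arch_prctl(ARCH_GET_FS), then checks that the word a -fstack-protector prologue reads at fs:0x28 is the same word found at fs_base + 0x28, while the fs selector itself reads as 0, which is the value gdb prints. It assumes Linux x86-64 with gcc or clang; the canary offset 0x28 is the one hardcoded by the compiler for this ABI.

```c
// Added example (not from the slides): locate the TLS block via arch_prctl
// and confirm that the stack canary lives at fs:0x28 on Linux x86-64.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

// ARCH_GET_FS as defined in <asm/prctl.h>; defined here so the example
// builds even without the kernel headers installed.
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* Ask the kernel for this thread's fs base, i.e. the TLS address that
 * gdb cannot show through the fs selector alone. Returns 0 on failure. */
static uintptr_t get_fs_base(void) {
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Read fs:0x28 directly, exactly as a stack-protector prologue does. */
static uintptr_t read_canary_via_fs(void) {
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* Read the same slot through its linear address fs_base + 0x28. */
static uintptr_t read_canary_via_base(void) {
    uintptr_t base = get_fs_base();
    return base ? *(uintptr_t *)(base + 0x28) : 0;
}

/* The fs *selector* in 64-bit user space is 0 even though the base is not;
 * this is the 0 that gdb shows for $fs. */
static unsigned short read_fs_selector(void) {
    unsigned short sel;
    __asm__ volatile("mov %%fs, %0" : "=r"(sel));
    return sel;
}

int main(void) {
    printf("fs selector     = %#x\n", read_fs_selector());
    printf("fs base (TLS)   = %#lx\n", (unsigned long)get_fs_base());
    printf("canary via fs   = %#lx\n", (unsigned long)read_canary_via_fs());
    printf("canary via base = %#lx\n", (unsigned long)read_canary_via_base());
    return 0;
}
```

Running it under gdb and comparing `p $fs_base` with the printed fs base shows the same value, which is what Pwngdb's helper retrieves for you.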
TLS Demo 8