リバースエンジニアリング的シェル開発

ϦόʔεΤϯδχΞϦϯάత γΣϧ։ൃ ઙؒਖ਼࿨!&#6(

γΣϧͬΆ͍΋ͷΛࣗ࡞͍ͨ͠ w λϒͰิ׬ͨ͠ΓϔϧϓΛදࣔͨ͠Γ͍ͨ͠ w ͱΓ͋͑ͣೖྗͨ͠΋ͷΛͦͷ··ฦ͚ͩ͢ͷϓϩάϥϜΛॻ͍ͯΈΔ w ໼ҹͰͷΧʔιϧͷҠಈ͸ࠓճ͸ύε w ཤྺػೳ΋ࠓճ͸ύε

45&1 w ιʔείʔυ͸ͪ͜Β

45&1 w Ұจࣈͣͭೖྗ͞Εͳ͍

$BOPOJDBMPS/PU w 104*9TZTUFNTTVQQPSUUXPCBTJDNPEFTPGJOQVUDBOPOJDBMBOE OPODBOPOJDBM w *ODBOPOJDBMJOQVUQSPDFTTJOHNPEF UFSNJOBMJOQVUJTQSPDFTTFEJOMJOFT UFSNJOBUFECZOFXMJOF aO &0'
PS&0-DIBSBDUFST/PJOQVUDBOCFSFBE VOUJMBOFOUJSFMJOFIBTCFFOUZQFECZUIFVTFS BOEUIFSFBEGVODUJPO TFF *OQVUBOE0VUQVU1SJNJUJWFT SFUVSOTBUNPTUBTJOHMFMJOFPGJOQVU OPNBUUFS IPXNBOZCZUFTBSFSFRVFTUFE w *ODBOPOJDBMJOQVUNPEF UIFPQFSBUJOHTZTUFNQSPWJEFTJOQVUFEJUJOHGBDJMJUJFT TPNFDIBSBDUFSTBSFJOUFSQSFUFETQFDJBMMZUPQFSGPSNFEJUJOHPQFSBUJPOT XJUIJOUIFDVSSFOUMJOFPGUFYU TVDIBT&3"4&BOE,*--4FF$IBSBDUFSTGPS *OQVU&EJUJOH w 5IF(/6$-JCSBSZͷ5XP4UZMFTPG*OQVU$BOPOJDBMPS/PU͔ΒҾ༻

45&1 w ιʔείʔυ͸ͪ͜Β w 45&1͔Βͷࠩ෼͸ͪ͜Β

45&1 w จࣈͷ࡟আ͕͏·͍͔͘ͳ͍

LUSBDFLEVNQ w LUSBDF w ϓϩηε͔Βݺ͹ΕͨγεςϜίʔϧͷ৘ใΛϑΝΠϧʹॻ͖ग़ͨ͢Ί ͷίϚϯυ w QͰϓϩηε*%ΛߜͬͨΓ$Ͱॻ͖ग़͢ର৅ΛΫϦΞͨ͠ΓͰ͖Δ w LEVNQ
w ϑΝΠϧʹॻ͖ग़͞Εͨ৘ใΛ੔ܗͯ͠දࣔ͢ΔͨΊͷίϚϯυ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0 read 1 byte "a" 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x1) 3666 sh GIO fd 2 wrote 1 byte "a" 3666 sh RET write 1

'TIBೖྗ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte "a" 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x1) 3666 sh GIO fd 2 wrote 1 byte "a" 3666 sh RET write 1 ˣ

'CBTIBೖྗ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte "a" 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x1) 4387 bash GIO fd 2 wrote 1 byte "a" 4387 bash RET write 1 ˣ

0LTIBೖྗ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "a" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x1) 67335 ksh GIO fd 2 wrote 1 bytes "a" 67335 ksh RET write 1 ˣ

'TI%&-ೖྗ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte 0x0000 7f |.| 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x9) 3666 sh GIO fd 2 wrote 9 bytes 0x0000 0d1b 5b31 3843 1b5b 4b |..[18C.[K| 3666 sh RET write 9 ˣ YG%&- %FMFUF YE$3 $BSSJBHF3FUVSO YCC&4$<$ΧʔιϧΛਐΊΔ YCCC&4$<,ΧʔιϧΑΓઌΛফ͢

'CBTI%&-ೖྗ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte 0x0000 7f |.| 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x4) 4387 bash GIO fd 2 wrote 4 bytes 0x0000 081b 5b4b |..[K| 4387 bash RET write 4 ˣ YG%&- %FMFUF Y#4 #BDL4QBDF YCCC&4$<,ΧʔιϧΑΓઌΛফ͢

0LTI%&-ೖྗ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "\^?" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x3) 67335 ksh GIO fd 2 wrote 3 bytes "\b \b" 67335 ksh RET write 3 ˣ

"/4*FTDBQFDPEF w λʔϛφϧͷΧʔιϧҐஔ΍৭ͳͲΛมߋ͢ΔͨΊͷඪ४ w IUUQTFOXJLJQFEJBPSHXJLJ"/4*@FTDBQF@DPEF w &4$ʹଓ͚ͯόΠτྻΛૹΔ͜ͱͰ੍ޚ͢Δ w ྫ
w &4$<"ΧʔιϧΛ্͛Δ w &4$<$ΧʔιϧΛਐΊΔ w &4$<,ߦͷΧʔιϧΑΓઌΛফ͢

45&1 w Ұߦʹऩ·Βͳ͍࣌ͷڍಈ͕ո͍͠

'TIBೖྗͰߦᷓΕ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte "a" 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x3) 3666 sh GIO fd 2 wrote 3 bytes 0x0000 6120 08 |a .| 3666 sh RET write 3 ˣ YB Y Y#4 #BDL4QBDF

'CBTIBೖྗͰߦᷓΕ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte "a" 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x3) 4387 bash GIO fd 2 wrote 3 bytes "a \r" 4387 bash RET write 3 ˣ

0LTIBೖྗͰߦᷓΕ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "a" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x2) 67335 ksh GIO fd 2 wrote 2 bytes "a\r" 67335 ksh RET write 2 67335 ksh CALL write(2,0xd0c0abf8a10,0x44) 67335 ksh GIO fd 2 wrote 68 bytes "aaaaaaaaaa <\b\b\b\b\b\b\b\b\b\b\b \b\b\b\b\b\b\b\b\b\b\b\b\b\b" 67335 ksh RET write 68/0x44 ˣ

'TI%&-ೖྗͰߦ෮ؼ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte 0x0000 7f |.| 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0xc) 3666 sh GIO fd 2 wrote 12 bytes 0x0000 1b5b 411b 5b33 3943 1b5b 4b0a |.[A.[39C.[K.| 3666 sh RET write 12/0xc 3666 sh CALL write(0x2,0x46a068085000,0xb) 3666 sh GIO fd 2 wrote 11 bytes 0x0000 1b5b 4b1b 5b41 1b5b 3339 43 |.[K.[A.[39C| 3666 sh RET write 11/0xb ˣ YCCC&4$<,ΧʔιϧΑΓઌΛফ͢ YCC&4$<"ΧʔιϧΛ্͛Δ YCC&4$<$ΧʔιϧΛਐΊΔ

'CBTI%&-ೖྗͰߦ෮ؼ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte 0x0000 7f |.| 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x7c) 4387 bash GIO fd 2 wrote 124 bytes 0x0000 1b5b 411b 5b43 1b5b 431b 5b43 1b5b 431b |.[A.[C.[C.[C. ... 0x0070 5b43 1b5b 431b 5b43 1b5b 4b0a |[C.[C.[C.[K.| 4387 bash RET write 124/0x7c 4387 bash CALL write(0x2,0x30ea67428000,0x7c) 4387 bash GIO fd 2 wrote 124 bytes 0x0000 0d1b 5b4b 1b5b 411b 5b43 1b5b 431b 5b43 |..[K.[A.[C.[C ... 0x0070 1b5b 431b 5b43 1b5b 431b 5b43 |.[C.[C.[C.[C| 4387 bash RET write 124/0x7c ˣ

0LTI%&-ೖྗͰߦ෮ؼ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "\^?" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x1) 67335 ksh GIO fd 2 wrote 1 bytes "\r" 67335 ksh RET write 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x12) 67335 ksh GIO fd 2 wrote 18 bytes "revengsh-openbsd$ " 67335 ksh RET write 18/0x12 67335 ksh CALL write(2,0xd0c0abf8a10,0x21) 67335 ksh GIO fd 2 wrote 33 bytes "aaaaaaaaaa \b\b\b\b\b\b\b\b\b\b\b\b" 67335 ksh RET write 33/0x21 67335 ksh CALL write(2,0xd0c0abf8a10,0x2) 67335 ksh GIO fd 2 wrote 2 bytes " \b" 67335 ksh RET write 2 ˣ

55: HFOFSBMUFSNJOBMJOUFSGBDF w "MMPGUIFGPMMPXJOHPQFSBUJPOTBSFJOWPLFEVTJOHUIFJPDUM TZTUFNDBMM w 5*0$(8*/4;TUSVDUXJOTJ[F
XT w 1VUUIFXJOEPXTJ[FJOGPSNBUJPOBTTPDJBUFEXJUIUIFUFSNJOBMJO UIFXJOTJ[FTUSVDUVSFQPJOUFEUPCZXT5IFXJOEPXTJ[F TUSVDUVSFDPOUBJOTUIFOVNCFSPGSPXTBOEDPMVNOT BOEQJYFMT JGBQQSPQSJBUF PGUIFEFWJDFTBUUBDIFEUPUIFUFSNJOBM*UJTTFU CZVTFSTPGUXBSFBOEJTUIFNFBOTCZXIJDINPTUGVMMTDSFFO PSJFOUFEQSPHSBNTEFUFSNJOFUIFTDSFFOTJ[F5IFXJOTJ[F TUSVDUVSFJTEF fi OFEJOTZTJPDUMI

45&1 w λʔϛφϧͷେ͖͞Λม͑Δͱ͓͔͘͠ͳΔ

'TIαΠζมߋ ˣ

'CBTIαΠζมߋ 4387 bash PSIG SIGWINCH caught handler=0x822dc4c80 mask=0x0 co 4387
bash CALL sigreturn(0x820f936c0) 4387 bash RET sigreturn JUSTRETURN 4387 bash CALL ioctl(0,TIOCGWINSZ,0x820f93b88) 4387 bash RET ioctl 0 ˣ

0LTIαΠζมߋ 67335 ksh PSIG SIGWINCH caught handler=0xd0991f1a4f0 mask=0<> 67335 ksh
RET read -1 errno 4 Interrupted system call ˣ

4*("$5*0/ TPGUXBSFTJHOBMGBDJMJUJFT w 5IFTZTUFNEF fi OFTBTFU PGTJHOBMTUIBU NBZCFEFMJWFSFEUPB QSPDFTT
w 5IFTJHBDUJPO TZTUFNDBMMBTTJHOTBOBDUJPOGPSBTJHOBMTQFDJ fi FE CZTJH NAME Default Action Description SIGWINCH discard signal window size change

45&1 w ೔ຊޠ͕ո͍͠

'TI͋ೖྗ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte 0x0000 e3 |.| 3666 sh RET read 1 3666 sh CALL read(0,0x2aa05ae6ca9b,0x1) 3666 sh GIO fd 0 read 1 byte 0x0000 81 |.| 3666 sh RET read 1 3666 sh CALL read(0,0x2aa05ae6ca9c,0x1) 3666 sh GIO fd 0 read 1 byte 0x0000 82 |.| 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x3) 3666 sh GIO fd 2 wrote 3 bytes 0x0000 e381 82 |...| 3666 sh RET write 3 ˣ

'CBTI͋ೖྗ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte 0x0000 e3 |.| 4387 bash RET read 1 4387 bash CALL read(0,0x820f93c0f,0x1) 4387 bash GIO fd 0 read 1 byte 0x0000 81 |.| 4387 bash RET read 1 4387 bash CALL read(0,0x820f93c0f,0x1) 4387 bash GIO fd 0 read 1 byte 0x0000 82 |.| 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x3) 4387 bash GIO fd 2 wrote 3 bytes 0x0000 e381 82 |...| 4387 bash RET write 3 ˣ

0LTI͋ೖྗ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "\M-c" 67335 ksh RET read 1 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0 read 1 bytes "\M^A" 67335 ksh RET read 1 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0 read 1 bytes "\M^B" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x3) 67335 ksh GIO fd 2 wrote 3 bytes "\M-c\M^A\M^B" 67335 ksh RET write 3 ˣ

'TI%&-ೖྗͰ͋࡟আ 3666 sh CALL read(0,0x2aa05ae6ca9a,0x1) 3666 sh GIO fd 0
read 1 byte 0x0000 7f |.| 3666 sh RET read 1 3666 sh CALL write(0x2,0x46a068085000,0x9) 3666 sh GIO fd 2 wrote 9 bytes 0x0000 0d1b 5b31 3843 1b5b 4b |..[18C.[K| 3666 sh RET write 9 ˣ

'CBTI%&-ೖྗͰ͋࡟আ 4387 bash CALL read(0,0x820f93c8f,0x1) 4387 bash GIO fd 0
read 1 byte 0x0000 7f |.| 4387 bash RET read 1 4387 bash CALL write(0x2,0x30ea67428000,0x5) 4387 bash GIO fd 2 wrote 5 bytes 0x0000 0808 1b5b 4b |...[K| 4387 bash RET write 5 ˣ

0LTI%&-ೖྗͰ͋࡟আ 67335 ksh CALL read(0,0x75cfeb32e30f,0x1) 67335 ksh GIO fd 0
read 1 bytes "\^?" 67335 ksh RET read 1 67335 ksh CALL write(2,0xd0c0abf8a10,0x3) 67335 ksh GIO fd 2 wrote 3 bytes "\b \b" 67335 ksh RET write 3 ˣ

6OJDPEF&BTU"TJBO8JEUI w 6OJDPEFʹ͸࢓༷ʹ&BTU"TJBO8JEUIͱ͍͏"OOFY͕͋Δ w IUUQTKBXJLJQFEJBPSHXJLJ౦ΞδΞͷจࣈ෯ w 'ʢ'VMMXJEUIશ֯ʣɺ)ʢ)BMGXJEUI൒֯ʣɺ8ʢ8JEF޿ʣɺ/B ʢ/BSSPXڱʣɺ"ʢ"NCJHVPVTᐆດʣɺ/ʢ/FVUSBMதཱʣͷͭ w "ʢ"NCJHVPVTᐆດʣ͸6OJDPEFͷςΩετΛ౦ΞδΞͷैདྷจࣈ
ίʔυͷจ຺Ͱѻ͏৔߹ʹશ֯ͷจࣈ GVMMXJEUI ͱͯ͠ѻ͏͜ͱΛਪ঑ ͍ͯ͠ΔΒ͍͕͠΄ͱΜͲͷλʔϛφϧͰ൒֯ͱͯ͠ѻΘΕ͍ͯΔ w &6$+1ͳΜ͔͸࢓༷ͰόΠτจࣈ൒֯ɺόΠτจࣈશ֯ͱܾ ·͍ͬͯΔΒ͍͠ʁ

$1ͷશ֯Ͱ6OJDPEFʹରԠ͢Δจࣈͷ͏ͪ "ʢ"NCJHVPVTᐆດʣͷΈදࣔͨ͠ྫ

45&1 w ιʔείʔυ͸ͪ͜Βͱͪ͜Β w 45&1͔Βͷࠩ෼͸ͪ͜Β

45&1 w ໼ҹΩʔΛԡ͢ͱ͓͔͘͠ͳΔ

ΈΜͳେ޷͖ঢ়ଶભҠਤ 4 &4$ < YYFҎ֎ YYF > #&- &4$ &4$#&-Ҏ֎
><Ҏ֎ a &4$Ҏ֎ aҎ֎

·ͱΊ w γΣϧࢥͬͨΑΓ৭ʑ΍ͬͯͯେม

リバースエンジニアリング的シェル開発

リバースエンジニアリング的シェル開発

More Decks by Masakazu Asama

Other Decks in Programming

Featured

Transcript