Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Unicornを用いたDead Code除去
Search
@tkmru
March 20, 2017
0
230
Unicornを用いたDead Code除去
セキュリティ・キャンプ フォーラム 2017
@tkmru
March 20, 2017
Tweet
Share
More Decks by @tkmru
See All by @tkmru
リバースエンジニアリング新時代へ! GhidraとClaude DesktopをMCPで繋ぐ/findy202507
tkmru
8
1.9k
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.5k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
350
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
190
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.4k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.6k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
900
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
210
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4.2k
Featured
See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.5k
Typedesign – Prime Four
hannesfritz
42
2.8k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
Producing Creativity
orderedlist
PRO
347
40k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
The Power of CSS Pseudo Elements
geoffreycrofte
77
6k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Writing Fast Ruby
sferik
628
62k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
Facilitating Awesome Meetings
lara
55
6.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
Transcript
UnicornΛ༻͍ͨDead Codeআڈ Security Camp Forum 2017 tkmruɹ
ࣗݾհ • ໊લ: ͚ͨ·Δ • ηΩϡϦςΟɾΩϟϯϓ શࠃେձ 2015 ଔۀੜ •
twitter ID: @tkmru • CTFνʔϜ: TomoriNao
Dead Codeͱ • Dead Code࣮ߦͯ͠ҙຯ͕ͳ͍ίʔυ • ΞϯνσόοάͷͨΊʹϚϧΣΞʹେྔʹDead Codeؚ͕·ΕΔ • ղੳͷোͱͳΔ
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 จࣈҎ֎Dead Code
ྫ) Themida(Packer) A Generic Approach to Automatic Deobfuscation of Executable
Code http://www.sysnet.ucsd.edu/~bjohanne/assets/papers/oakland2015.pdf
Nao(No-meaning Assembly Omiter) • Dead CodeআڈΛ͢ΔIDAϓϥάΠϯΛOSSͱͯ͠։ൃ • IDAPython • Unicorn(CPUΤϛϡϨʔλͷํ)
• https://github.com/tkmru/nao • ࣮ࡍʹΤϛϡϨʔλ্Ͱ࣮ߦ͢ΔͷͰɺߴ͍ਫ਼Ͱআ ڈͰ͖Δ • ෳͷΞʔΩςΫνϟʔʹରԠՄೳ
Unicornͱ • QEMU forkͷϚϧνϓϥοτϑΥʔϜɺϚϧνΞʔΩς ΫνϟͳCPUΤϛϡϨʔλ • όΠφϦղੳπʔϧ angrͰ༻͍ΒΕ͍ͯΔͷΛ͡ Ίɺ֤छπʔϧ։ൃͰΘΕ͍ͯΔ •
ηΩϡϦςΟք۾ͰͷOSS
Unicorn
Unicornͷshowcaseʹܝࡌ
ΞϧΰϦζϜ • IDAͷάϥϑϏϡʔʹදࣔ͞Ε͍ͯΔόΠφϦΛऔΓग़ ͢ • NOP໋ྩʹҰߦͣͭมߋ͠ɺUnicornΛ༻͍࣮ͯߦ • ࠷ऴతͳϨδελͷΛൺֱͯ͠அ • มߋ͞Ε͍ͯͨΒɺ݁ՌʹӨڹ͢ΔͷͰDead
Code Ͱͳ͍ • มߋ͞Ε͍ͯͳ͚Εɺ݁ՌʹӨڹ͍ͯ͠ͳ͍ͷͰɹ Dead CodeͰ͋Δͱஅ
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800
؆୯ͳྫ x86 asm • mov eax, 0x100000 → nop •
shr eax, 0x10 → nop • add eax, 0x913 → nop • and eax, 0x1fff → nop • mov ecx, eax → nop • mov eax, 0x1918632 • and ecx, 0x600 → nop • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800 ফڈͯ݁͠ՌʹӨڹ͕ͳ͍ͷͰDead CodeͱஅͰ͖Δ
σϞ
͓ΘΓʹ • ಈ࡞ʹ͕͋ΔͷͰɺ·ͩमਖ਼͍ͯ͘͠ • Unicornͷ࡞ऀʹධՁͯ͠Β͑ͯΑ͔ͬͨ • ղੳऀͷิॿͱͳΔΑ͏ͳπʔϧΛOSSͱͯ͠ࠓޙ࡞ Γଓ͚͍͖͍ͯͨ
tkmru
sstephenson
bcantrill
hannesfritz
reverentgeek
orderedlist
csswizardry
geoffreycrofte
keithpitt
sferik
scottboms
lara
morganepeng
