Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unicornを用いたDead Code除去

@tkmru
March 20, 2017
0
210

Unicornを用いたDead Code除去

セキュリティ・キャンプ フォーラム 2017

@tkmru

March 20, 2017
Tweet

More Decks by @tkmru

See All by @tkmru
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
270
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
140
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
4.8k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.2k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
820
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
190
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Linux Rootkit Internals
tkmru
1
1.9k

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Designing for humans not robots
tammielis
249
25k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Navigating Team Friction
lara
183
14k
Agile that works and the tools we love
rasmusluckow
327
21k
Docker and Python
trallard
40
3.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
Typedesign – Prime Four
hannesfritz
39
2.4k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
RailsConf 2023
tenderlove
29
880

Transcript

  1. UnicornΛ༻͍ͨDead Codeআڈ Security Camp Forum 2017 tkmruɹ

  2. ࣗݾ঺հ • ໊લ: ͚ͨ·Δ • ηΩϡϦςΟɾΩϟϯϓ શࠃେձ 2015 ଔۀੜ •

    twitter ID: @tkmru • CTFνʔϜ: TomoriNao

  3. Dead Codeͱ͸ • Dead Code͸࣮ߦͯ͠΋ҙຯ͕ͳ͍ίʔυ • ΞϯνσόοάͷͨΊʹϚϧ΢ΣΞʹ͸େྔʹDead Codeؚ͕·ΕΔ • ղੳͷো֐ͱͳΔ

  4. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800

  5. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ੺จࣈҎ֎͸Dead Code

  6. ྫ) Themida(Packer) A Generic Approach to Automatic Deobfuscation of Executable

    Code http://www.sysnet.ucsd.edu/~bjohanne/assets/papers/oakland2015.pdf

  7. Nao(No-meaning Assembly Omiter) • Dead CodeআڈΛ͢ΔIDAϓϥάΠϯΛOSSͱͯ͠։ൃ • IDAPython • Unicorn(CPUΤϛϡϨʔλͷํ)

    • https://github.com/tkmru/nao • ࣮ࡍʹΤϛϡϨʔλ্Ͱ࣮ߦ͢ΔͷͰɺߴ͍ਫ਼౓Ͱআ ڈͰ͖Δ • ෳ਺ͷΞʔΩςΫνϟʔʹରԠՄೳ

  8. Unicornͱ͸ • QEMU forkͷϚϧνϓϥοτϑΥʔϜɺϚϧνΞʔΩς ΫνϟͳCPUΤϛϡϨʔλ • όΠφϦղੳπʔϧ angrͰ༻͍ΒΕ͍ͯΔͷΛ͸͡ Ίɺ֤छπʔϧ։ൃͰ࢖ΘΕ͍ͯΔ •

    ηΩϡϦςΟք۾Ͱ஫໨ͷOSS

  9. Unicorn

  10. Unicornͷshowcaseʹܝࡌ

  11. ΞϧΰϦζϜ • IDAͷάϥϑϏϡʔʹදࣔ͞Ε͍ͯΔόΠφϦΛऔΓग़ ͢ • NOP໋ྩʹҰߦͣͭมߋ͠ɺUnicornΛ༻͍࣮ͯߦ • ࠷ऴతͳϨδελͷ஋Λൺֱͯ͠൑அ • มߋ͞Ε͍ͯͨΒɺ݁ՌʹӨڹ͢ΔͷͰDead

    Code Ͱ͸ͳ͍ • มߋ͞Ε͍ͯͳ͚Ε͹ɺ݁ՌʹӨڹ͍ͯ͠ͳ͍ͷͰɹ Dead CodeͰ͋Δͱ൑அ

  12. ؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,

    0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800

  13. ؆୯ͳྫ x86 asm • mov eax, 0x100000 → nop •

    shr eax, 0x10 → nop • add eax, 0x913 → nop • and eax, 0x1fff → nop • mov ecx, eax → nop • mov eax, 0x1918632 • and ecx, 0x600 → nop • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800 ফڈͯ͠΋݁ՌʹӨڹ͕ͳ͍ͷͰDead Codeͱ൑அͰ͖Δ

  14. σϞ

  15. ͓ΘΓʹ • ಈ࡞ʹ೉͕͋ΔͷͰɺ·ͩमਖ਼͍ͯ͘͠ • Unicornͷ࡞ऀʹධՁͯ͠΋Β͑ͯΑ͔ͬͨ • ղੳऀͷิॿͱͳΔΑ͏ͳπʔϧΛOSSͱͯ͠ࠓޙ΋࡞ Γଓ͚͍͖͍ͯͨ