Upgrade to Pro — share decks privately, control downloads, hide ads and more …

NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練

adr
September 29, 2015
Technology
0
470

NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練

簡易入門基礎逆向需要的觀念
入門解析ROP、Buffer Overflow、CRT、Fuzzing

Slide中的練習題目&Source Code:
https://github.com/aaaddress1/NTUSTxTDOH-Reversing-Game

adr

September 29, 2015
Tweet

More Decks by adr

See All by adr
Skrull Like A King: 從重兵看守的天眼防線殺出重圍
aaaddress1
3
1.5k
Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland
aaaddress1
0
1.1k
重建天堂之門:從 32bit 地獄一路打回天堂聖地
aaaddress1
0
390
Reversing In Wonderland: Neural Network Based Malware Detection Techniques
aaaddress1
2
700
CYBERSEC: 唉唷,你的簽章根本沒在驗啦。
aaaddress1
1
3.9k
SITCON: Playing Win32 Like a K!NG ;)
aaaddress1
2
1.1k
NTUST [2019]: Windows Reversing
aaaddress1
0
1.1k
Duplicate Paths Attack: Get Elevated Privilege from Forged Identities
aaaddress1
0
1.5k
SDN Final Report
aaaddress1
0
440

Other Decks in Technology

See All in Technology
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
複雑なState管理からの脱却
sansantech
PRO
1
140
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
270
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170

Featured

See All Featured
Optimizing for Happiness
mojombo
376
70k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
How GitHub (no longer) Works
holman
310
140k
Writing Fast Ruby
sferik
627
61k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Raft: Consensus for Rubyists
vanstee
136
6.6k
How STYLIGHT went responsive
nonsquared
95
5.2k
Building Adaptive Systems
keathley
38
2.3k
Documentation Writing (for coders)
carmenintech
65
4.4k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k

Transcript

  1. TEEMO KNOWS BINARY TDOH x TAIWAN TECH 2015/11/29 aaaddress1

  2. SELF INTRODUCTION ➤ 馬聖豪 (aaaddress1) ➤ 義守大學資訊工程二年級 ➤ Reverse Engineering

    Skills ➤ Windows / Mac OS /Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態手花詐欺術 ➤ Wooyun WhiteHat: x86手花詐欺 ➤ 逢甲2015行動計算研討會: AIDS ➤ 成功大學2015行動APP競賽

  3. SELF INTRODUCTION ➤ Hack BOT ➤ CrackShield / MapleHack ➤

    Tower Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通防爆PING ➤ CSharp,VB,C/CPlus, x86,Python,Smali,Swift

  4. OUTLINE ➤ main() is not the really main ➤ OllyDBG:Baby

    First (Exam) ➤ Return-oriented Programming ➤ Overflow: Revo Wolf(Exam) ➤ Fuzzing ➤ Make a fuzzer in C++ ➤ How to fuzzing with Z3

  5. SWEET REMINDER 5PPM IUUQTHPPHMT+3U# &YBN IUUQTHPPHMY6:LP[

  6. REALLYMAIN

  7. REALLY MAIN

  8. REALLY MAIN

  9. REALLY MAIN

  10. REALLY MAIN

  11. REALLY MAIN

  12. REALLY MAIN

  13. REALLY MAIN _Start

  14. REALLY MAIN

  15. REALLY MAIN Parameter Data

  16. REALLY MAIN ➤ Label “_start” is really main. ➤ CRTStartUp

    is loaded in label “_start”. (To init RTC/new/delete/arg…etc) ➤ Find programmer’s main (normal c plus compile) ➤ Find the address calling GetCommandLine ➤ Find the address calling exit() or cexit() ➤ Programmer’s main function is between them.

  17. DEMO Olly Debugger:Really Main

  18. EXAM Olly Debugger: Baby First & Take a break!

  19. ROP Return-oriented-Programming

  20. WE NEED TO KNOW MORE BEFORE ROP

  21. X86 CALLING COVENTION & STACK FRAMES

  22. ROP

  23. ROP

  24. ROP

  25. ROP

  26. ROP

  27. ROP [EBP+0 ] = Pointer to old EBP [EBP+4 ]

    = Return Address [EBP+8 ] = First Parameter [EBP+C ] = Second Parameter [EBP+10 ] = Third Parameter …etc [EBP+8 + 4*index] = Parameter[index]

  28. ROP VOID FUNC() { INT A = 0; INT B

    = 1; INT C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP SUB ESP, LEN

  29. ROP VOID FUNC(){ NFUNC(ARG1,ARG2,AR G3…) } push ebp mov ebp,esp

    . . push arg3 push arg2 push arg1 call nFunc

  30. ROP

  31. ROP

  32. ROP

  33. ROP

  34. WHY?

  35. ROP Stack ESP + 0 ESP + 4 ESP +

    8 ESP + C ESP + 10 ESP + 14

  36. ROP Stack ESP + 0 Old EBP ESP + 4

    ESP + 8 ESP + C ESP + 10 ESP + 14 _______EIP

  37. ROP Stack EBP + 0 =ESP Old EBP EBP +

    4 EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP

  38. ROP Stack EBP - 8 =ESP Buffer EBP - 4

    Buffer EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP

  39. ROP Stack EBP - 8 =ESP 1 EBP - 4

    Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP

  40. ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP

  41. ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

  42. ROP Stack EBP - 8 =ESP EBP EBP - 4

    return Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP

  43. ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

  44. ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

  45. ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

  46. ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

  47. ROP Stack EBP - 4 =ESP 1 EBP + 0

    Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

  48. ROP Stack EBP + 0 = ESP Buffer EBP +

    4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

  49. LET’S PLAY WITH BEEF OVERFLOW

  50. BOF OVERFLOW AND RIP…

  51. BUFFER OVERFLOW ➤ We just can see , cannot modify

    the application. ➤ For Exploit? ➤ Overflow local variables. (EBP+N are good friend to us) ➤ Do something for get control EIP/RIP.

  52. BUFFER OVERFLOW [EBP-8] [EBP-10]

  53. BUFFER OVERFLOW

  54. BUFFER OVERFLOW

  55. BUFFER OVERFLOW

  56. BUFFER OVERFLOW

  57. BUFFER OVERFLOW

  58. BUFFER OVERFLOW How to let data == “admin”?

  59. BUFFER OVERFLOW [EBP-8] [EBP-10]

  60. BUFFER OVERFLOW Stack

  61. BUFFER OVERFLOW Stack ESP Old EBP _______EIP

  62. BUFFER OVERFLOW Stack EBP =ESP Old EBP _______EIP

  63. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

  64. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “name”

  65. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “data”

  66. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

  67. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

  68. BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

  69. BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    BBBB EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaaBBBB”

  70. BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “OVERFLOW”

  71. IF WE INPUT MORE WORDS…? MAGIC!

  72. BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 revo EBP - 4 wolf EBP =ESP Old EBP _______EIP If you input “OVERFLOWoverflow ”

  73. BUFFER OVERFLOW Stack EBP - 10 AAAA EBP - C

    AAAA EBP - 8 imda EBP - 4 \x00\x00\x00n EBP =ESP Old EBP _______EIP SO, We can input “AAAAAAAAadmin”

  74. BUFFER OVERFLOW

  75. DANGER FUNCTION #include <iostream> printf, fprintf, snprintf, vprintf, …etc

  76. DEMO Overflow

  77. EXAM Overflow: Revo wolf & Take a break!

  78. EXAM Overflow: 7$BUY TICKETS & Take a break!

  79. EXAM Overflow: Lee Sin can Read & Take a break!

  80. FUZZING Fuzzing the key with Z3.py

  81. “Fuzz testing or fuzzing is a software testing technique, often

    automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software. From Wikipedia WHAT IS FUZZING?

  82. When we need to fuzz? A.Prove that something is always

    true B.Fuzzing for something unexpected C.Fuckinnnnnnnnnnnnng Crypto D.A lot of choice, find one is correct

  83. FUZZING FOR WHAT?

  84. None

  85. Your said : Get the key is easy?

  86. None
  87. None
  88. None
  89. None

  90. YOU THINK REVERSING IS: SOLVING PROBLEMS? BRAIN FUCKING (O)

  91. FUZZING

  92. FUZZING Key= adr ‘a’ = 0x61,’d’ = 0x64, r =

    0x72

  93. FUZZING

  94. FUZZING Key= adr 0x00726461 = \x00\x72\x64\x61 = \x00adr

  95. FUZZING

  96. None

  97. FUZZING How to find the key matching the factors?

  98. None

  99. MAKE A MINI FUZZER IN C PLUS PLUS

  100. None

  101. Check Current Temp Key

  102. 0x20 to 0x7E, Visible ASCII Char Range

  103. Display to us.

  104. None
  105. None

  106. BUT… IF LENGT OF THE KEY ISN’T JUST 3 WORDS?

  107. Z3 Prove Tool

  108. Z3 BEGIN ➤Get and Install Python2.7 ✴ Z3.py script environment

    ✴ www.python.org ➤You can use python basically ➤Get Z3.py for Windows ✴ Prove tool ✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows

  109. 猜謎 ➤ 無腦 ➤ 很軟 ➤ 手有毒

  110. FUZZING(Z3) Include Z3 function to your python script like you

    use #include <iostream> in C++

  111. FUZZING(Z3) BitVec(“Name” , BitCount) For example: 1.char a => a

    = BitVec(“a”, 8) 2.short b => b = BitVec(“b”, 16) 3.int c => c = BitVec(“C”, 32) => Int(“c”) 4.bool e => e = BitVec(‘e’, 8)

  112. FUZZING(Z3) Solve(All rules ), Z3 will auto fuzz all variables,

    and find a result(JUST ONE RESULT!). Then, print all results of variables.

  113. FUZZING(Z3) If you have a looooot of rules, you can

    use Solver(). Solver.add() can remember all rules you requested.

  114. FUZZING(Z3) If you want to check current whether rules can

    come true, you just use: Solver.check()

  115. FUZZING(Z3) If Z3 cannot find any result, check() will reply

    you “unsat”.

  116. FUZZING(Z3) If Z3 can find any result, check() will reply

    you “sat”.

  117. FUZZING(Z3) Finally, if you get “sat”, you can use: Solver.model()

    It will save a result in it. Use model[Variable Name], and get the answer by String

  118. FUZZING(Z3) So,How to fuzz the key with z3?

  119. None
  120. None

  121. DEMO Fuzzing with z3.py

  122. EXAM Fuzzing: ShacoBuysCrusts & Take a Break!

  123. EXAM Fuzzing: AIS3 Final Exam Binary

  124. Q&A [email protected]