Binary Exploitation - Basic Supplement
LJP-TW
May 26, 2021
2021/05/26 NTUST Information Security Club class
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic Supplement
# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team
Outline
- TLS
TLS
- TLS stands for Thread-Local Storage
- On Linux x64, the fs register holds the address of the TLS
- The Stack Canary is stored in the TLS
TLS
- fs is a Segment Register
- Address computation: reg:offset = ref + offset
- At this point you open gdb to check what fs equals, only to find
- Could the Canary really be fetched from [0+0x28]??
TLS
- GDB is a process too; fs = 0 is GDB's own fs
- So how do we get the fs of the process being observed?
- Call arch_prctl
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS
- Pwngdb has a feature for obtaining the TLS
- Reading how it is implemented, it turns out to be the same approach
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77
TLS Demo
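The slides above make three claims: the fs base points at the thread's TLS block, the stack canary sits at fs:0x28, and a debugger must ask the kernel (arch_prctl) for the debuggee's fs base because the fs it sees is its own. The program below, an added example that is not part of the deck or of Pwngdb, checks all three from inside a process on Linux x64. It assumes a glibc or musl TLS layout (self-pointer at fs:0, stack guard at offset 0x28) and defines ARCH_GET_FS itself so it builds without the kernel headers; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* ARCH_GET_FS from <asm/prctl.h>; defined here so the file builds without
 * the kernel headers installed. */
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* Offset of the stack guard inside the TLS control block on Linux x64
 * (the fs:0x28 the slides refer to). */
#define STACK_GUARD_OFFSET 0x28

#if defined(__x86_64__) && defined(__linux__)

/* Ask the kernel for this thread's fs base, as the slides suggest. This is
 * what a debugger has to do for the *debugged* process, since the fs value
 * in its own register dump belongs to the debugger. */
uintptr_t fs_base_from_arch_prctl(void)
{
    unsigned long base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return (uintptr_t)base;
}

/* Inside the process itself no syscall is needed: glibc and musl both keep a
 * self-pointer at fs:0, so %fs:0 already holds the TLS base. */
uintptr_t fs_base_from_self_pointer(void)
{
    uintptr_t base;
    __asm__ volatile ("mov %%fs:0, %0" : "=r"(base));
    return base;
}

/* The canary read the way compiled function prologues read it: fs:0x28. */
uintptr_t canary_via_fs_segment(void)
{
    uintptr_t guard;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(guard));
    return guard;
}

/* The same word reached through a linear address, base + 0x28. Once the real
 * fs base is known, this is how a debugger can display it. */
uintptr_t canary_via_linear_address(uintptr_t fs_base)
{
    if (fs_base == 0)
        return 0;
    return *(volatile uintptr_t *)(fs_base + STACK_GUARD_OFFSET);
}

#else
/* The fs-based TLS layout above is specific to Linux x64; elsewhere these
 * helpers just report "unavailable" so the file still compiles. */
uintptr_t fs_base_from_arch_prctl(void)   { return 0; }
uintptr_t fs_base_from_self_pointer(void) { return 0; }
uintptr_t canary_via_fs_segment(void)     { return 0; }
uintptr_t canary_via_linear_address(uintptr_t fs_base) { (void)fs_base; return 0; }
#endif

int main(void)
{
    uintptr_t base = fs_base_from_arch_prctl();
    printf("fs base (arch_prctl): 0x%lx\n", (unsigned long)base);
    printf("fs base (%%fs:0):      0x%lx\n", (unsigned long)fs_base_from_self_pointer());
    printf("canary via fs:0x28:   0x%lx\n", (unsigned long)canary_via_fs_segment());
    printf("canary via base+0x28: 0x%lx\n", (unsigned long)canary_via_linear_address(base));
    /* Built with -fstack-protector-all, the word loaded in any function's
     * prologue (mov rax, fs:0x28) is exactly the value printed here. */
    return 0;
}
```

Run it under gdb and compare: `info registers fs` shows the selector, not the base, so the 0 the slides mention is expected; the base the program prints is the value a debugger has to obtain via arch_prctl (or, in newer gdb, `$fs_base`) before `x/gx $fs_base+0x28` shows the same canary.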