Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
45
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.6k
Reverse Engineering - 2
ljptw
0
720
Reverse Engineering - 3
ljptw
0
570
Re:0 從零開始的逆向工程
ljptw
1
1.2k
Linux 極入門篇
ljptw
1
290
Fuzzing 101
ljptw
1
180
Binary Exploitation - File Structure
ljptw
1
280
Binary Exploitation - Heap
ljptw
1
150
Binary Exploitation - Basic
ljptw
1
110
Other Decks in Technology
See All in Technology
RAG/Agent開発のアップデートまとめ
taka0709
0
150
「Managed Instances」と「durable functions」で広がるAWS Lambdaのユースケース
lamaglama39
0
290
Challenging Hardware Contests with Zephyr and Lessons Learned
iotengineer22
0
150
pmconf2025 - データを活用し「価値」へ繋げる
glorypulse
0
720
WordPress は終わったのか ~今のWordPress の制作手法ってなにがあんねん?~ / Is WordPress Over? How We Build with WordPress Today
tbshiki
1
600
[CMU-DB-2025FALL] Apache Fluss - A Streaming Storage for Real-Time Lakehouse
jark
0
110
寫了幾年 Code,然後呢?軟體工程師必須重新認識的 DevOps
cheng_wei_chen
1
1.2k
Microsoft Agent 365 を 30 分でなんとなく理解する
skmkzyk
1
1k
多様なデジタルアイデンティティを攻撃からどうやって守るのか / 20251212
ayokura
0
390
EM歴1年10ヶ月のぼくがぶち当たった苦悩とこれからへ向けて
maaaato
0
270
regrowth_tokyo_2025_securityagent
hiashisan
0
200
今からでも間に合う!速習Devin入門とその活用方法
ismk
1
600
Featured
See All Featured
Designing Experiences People Love
moore
143
24k
Git: the NoSQL Database
bkeepers
PRO
432
66k
Being A Developer After 40
akosma
91
590k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.8k
[RailsConf 2023] Rails as a piece of cake
palkan
58
6.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.1k
Six Lessons from altMBA
skipperchong
29
4.1k
GraphQLとの向き合い方2022年版
quramy
50
14k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Embracing the Ebb and Flow
colly
88
4.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
38
3k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
9
1k
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
taka0709
.jpg){kind=avatar}
lamaglama39
iotengineer22
glorypulse
tbshiki
jark
cheng_wei_chen
skmkzyk
ayokura
maaaato
hiashisan
ismk
moore
bkeepers
akosma
mongodb
palkan
irinanazarova
skipperchong
quramy
malarkey
colly
maggiecrowley
addyosmani
