Binary Exploitation - Basic 補充篇
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club (台科資安社) club lecture
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇

# whoami (slide 1)
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Outline (slide 2)
- TLS

TLS (slide 3)

TLS (slide 4)
- TLS stands for Thread-Local Storage
- On Linux x64, the fs register holds the location of the TLS
- The stack canary is stored in the TLS

TLS (slide 5)
- fs is a segment register
- Address computation: reg:offset = reg + offset
- So you open gdb to check what fs equals, and you find that...
- Is the canary really fetched from [0+0x28]??

TLS (slide 6)
- GDB is also a process; fs = 0 is GDB's own fs
- So how do we get the fs of the process being observed?
- Call arch_prctl
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS (slide 7)
- Pwngdb implements a feature to obtain the TLS
- Reading how it is implemented, it turns out to do the same thing
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

TLS Demo (slide 8)
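The fs puzzle from slides 5 and 6, as an added C example that is not from the deck or from Pwngdb (it assumes Linux x86-64 with the glibc canary slot at fs:0x28): the visible fs selector really is 0, yet fs:0x28 resolves to the hidden fs base returned by arch_prctl(ARCH_GET_FS) plus 0x28, which is where the stack canary lives.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003 /* Linux x86-64 arch_prctl code, as in <asm/prctl.h> */
#endif

/* The %fs selector as a register dump (or gdb) shows it: 0 in a 64-bit process. */
static uint16_t fs_selector(void) {
    uint16_t sel;
    __asm__ volatile("mov %%fs, %0" : "=r"(sel));
    return sel;
}

/* The hidden fs base (the TLS address), obtained with arch_prctl as on slide 6. */
static uintptr_t fs_base_via_arch_prctl(void) {
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Read the qword at fs:off exactly as compiled code reads the canary (fs:0x28). */
static uintptr_t read_fs_qword(uintptr_t off) {
    uintptr_t v;
    __asm__ volatile("mov %%fs:(%1), %0" : "=r"(v) : "r"(off));
    return v;
}

/* The same slot reached through a plain pointer: base + off, not 0 + off. */
static uintptr_t read_tls_qword(uintptr_t base, uintptr_t off) {
    return *(volatile uintptr_t *)(base + off);
}

/* 1 when fs:0x28 and *(fs_base + 0x28) hold the same canary value, else 0. */
int canary_locations_agree(void) {
    uintptr_t base = fs_base_via_arch_prctl();
    return base != 0 && read_fs_qword(0x28) == read_tls_qword(base, 0x28);
}

int main(void) {
    uintptr_t base = fs_base_via_arch_prctl();
    printf("fs selector      = 0x%x\n", fs_selector());
    printf("fs base (prctl)  = 0x%lx\n", (unsigned long)base);
    printf("fs:0x28 (canary) = 0x%lx\n", (unsigned long)read_fs_qword(0x28));
    printf("[fs_base+0x28]   = 0x%lx\n", (unsigned long)read_tls_qword(base, 0x28));
    return 0;
}
```

Build with gcc on Linux x86-64; the first line prints 0 while the last two print the same nonzero canary, which is the same computation Pwngdb performs when it asks the kernel for the debuggee's fs base instead of reading the selector.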