Binary Exploitation - Basic 補充篇
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club (台科資安社) club session
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic Supplement

# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Outline
- TLS

TLS

TLS
- TLS stands for Thread-Local Storage
- On Linux x64 the fs register holds the address of the TLS block
- The stack canary lives inside TLS

TLS
- fs is a segment register
- An address of the form reg:offset is computed as (base of reg) + offset
- If you look at fs in gdb at this point, you find it equals 0
- So is the canary really read from [0 + 0x28]??

TLS
- GDB is a process too; the fs = 0 you see is GDB's own fs
- So how do you get the fs of the process under observation?
- Call arch_prctl
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS
- Pwngdb implements a way to fetch the TLS address
- Reading how it is implemented, it turns out to use the same approach
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

TLS Demo
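An added example for the demo slide, not part of the original deck or of Pwngdb, showing the point of the preceding slides on Linux x86-64: ask the kernel for the process's fs base with arch_prctl(ARCH_GET_FS), then read the canary both as fs:0x28 and as fs_base + 0x28 and confirm they agree. Function names are my own; the ARCH_GET_FS value is the kernel's from asm/prctl.h.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel value from asm/prctl.h, defined here so the example also builds
 * without kernel headers installed. */
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* Offset of the stack canary inside the TLS block on glibc x86-64
 * (tcbhead_t.stack_guard), the 0x28 in "mov %fs:0x28,%rax". */
#define CANARY_OFFSET 0x28

/* Fetch this process's fs base from the kernel. This is the same call the
 * slides suggest issuing inside the debuggee from gdb. Returns 0 on failure. */
uintptr_t get_fs_base(void) {
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Read the canary the way compiled code does: segment-relative fs:0x28. */
uintptr_t canary_via_fs(void) {
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* Read the canary through the flat address base + 0x28, i.e. reg:offset
 * resolved as (base of reg) + offset once the fs base is known. */
uintptr_t canary_via_base(uintptr_t base) {
    return *(volatile uintptr_t *)(base + CANARY_OFFSET);
}

/* 1 if both reads see the same value: fs:0x28 really means fs_base + 0x28,
 * not [0 + 0x28] as the zero fs shown by gdb would suggest. */
int canary_reads_agree(void) {
    uintptr_t base = get_fs_base();
    if (base == 0)
        return 0;
    return canary_via_fs() == canary_via_base(base);
}

int main(void) {
    uintptr_t base = get_fs_base();
    printf("fs base          : %#lx\n", (unsigned long)base);
    printf("canary fs:0x28   : %#lx\n", (unsigned long)canary_via_fs());
    printf("canary base+0x28 : %#lx\n", (unsigned long)canary_via_base(base));
    return canary_reads_agree() ? 0 : 1;
}
```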