Binary Exploitation - Basic Supplement
LJP-TW
May 26, 2021
2021/05/26 NTUST Information Security Club (NTUSTISC), club lecture
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
Outline:
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn, Basic Supplement

# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Outline
- TLS

TLS
- TLS stands for Thread-Local Storage
- On Linux x64 the fs register points at the TLS block of the current thread
- The stack canary lives in the TLS: compiled prologues load it from fs:0x28

TLS
- fs is a segment register
- A segment-relative operand reg:offset resolves to (base of reg) + offset
- So you open gdb to see what fs holds, and it reads 0
- Does that mean the canary is fetched from [0 + 0x28]??

TLS
- No: on x86-64 Linux the fs selector really is 0 in every process; the base address is kept separately, in the FS_BASE MSR, so gdb's $fs tells you nothing about where the TLS block is
- So how do you get the fs base of the process being observed?
- Ask the kernel: arch_prctl(ARCH_GET_FS, &base)
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS
- Pwngdb implements a command that returns the TLS address
- Reading its implementation, it turns out to do the same thing (arch_prctl)
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

TLS Demo
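The transcript does not include the demo itself. The following is an added example, not code from the slides, showing the relationship the deck describes: the canary read through the fs segment (the way -fstack-protector prologues read it) is the same word as the one reached through the TLS base that arch_prctl(ARCH_GET_FS) returns. It assumes Linux x86-64 and a libc whose TCB is laid out like glibc's tcbhead_t (self pointer at fs:0, stack_guard at fs:0x28; musl uses the same two offsets); ARCH_GET_FS = 0x1003 is the value from the kernel's asm/prctl.h, spelled out so the example does not depend on that header.

```c
/*
 * Added example (not from the slides): read the stack canary through the fs
 * segment and through the TLS base returned by arch_prctl(ARCH_GET_FS), and
 * show that both paths reach the same word.
 * Assumptions: Linux x86-64; TCB layout as in glibc's tcbhead_t
 * (self pointer at fs:0, stack_guard at fs:0x28).
 */
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>   /* SYS_arch_prctl */

#define ARCH_GET_FS        0x1003  /* kernel asm/prctl.h */
#define TCB_CANARY_OFFSET  0x28    /* tcbhead_t.stack_guard on x86-64 */

#if defined(__linux__) && defined(__x86_64__)

int tls_example_supported(void) { return 1; }

/* The fs selector is 0 in every x86-64 Linux process; the base is held in the
 * FS_BASE MSR, and arch_prctl(ARCH_GET_FS, &out) is how userspace reads it.
 * Issued as a raw syscall so the example needs no libc wrapper. */
uintptr_t tls_base_via_arch_prctl(void)
{
    uintptr_t base = 0;
    long ret = SYS_arch_prctl;
    __asm__ volatile("syscall"
                     : "+a"(ret)
                     : "D"((long)ARCH_GET_FS), "S"(&base)
                     : "rcx", "r11", "memory");
    return ret == 0 ? base : 0;
}

/* What a -fstack-protector prologue does: mov rax, fs:[0x28]. */
uintptr_t canary_via_fs_segment(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* The same word, reached through the ordinary pointer arch_prctl returned. */
uintptr_t canary_via_tls_pointer(void)
{
    uintptr_t base = tls_base_via_arch_prctl();
    return base ? *(uintptr_t *)(base + TCB_CANARY_OFFSET) : 0;
}

/* tcbhead_t starts with a pointer to itself, so fs:0 must equal the fs base:
 * a cheap check that arch_prctl really handed back the TCB. */
uintptr_t tls_self_pointer(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(v));
    return v;
}

int canary_locations_agree(void)
{
    uintptr_t base = tls_base_via_arch_prctl();
    return base != 0
        && tls_self_pointer() == base
        && canary_via_fs_segment() == canary_via_tls_pointer();
}

#else  /* other platforms: report unsupported instead of failing to build */
int tls_example_supported(void) { return 0; }
uintptr_t tls_base_via_arch_prctl(void) { return 0; }
uintptr_t canary_via_fs_segment(void) { return 0; }
uintptr_t canary_via_tls_pointer(void) { return 0; }
uintptr_t tls_self_pointer(void) { return 0; }
int canary_locations_agree(void) { return 0; }
#endif

int main(void)
{
    if (!tls_example_supported()) {
        puts("this example only runs on Linux x86-64");
        return 1;
    }
    printf("fs base (arch_prctl) : 0x%lx\n", (unsigned long)tls_base_via_arch_prctl());
    printf("fs:0 (self pointer)  : 0x%lx\n", (unsigned long)tls_self_pointer());
    printf("canary via fs:0x28   : 0x%lx\n", (unsigned long)canary_via_fs_segment());
    printf("canary via base+0x28 : 0x%lx\n", (unsigned long)canary_via_tls_pointer());
    return canary_locations_agree() ? 0 : 1;
}
```

Build with `gcc -O0 tls_canary.c -o tls_canary` and run it: the first two addresses match, and so do the two canary values. The same trick works on a paused process inside gdb, which is what the Pwngdb command above boils down to: `call (int)arch_prctl(0x1003, $rsp-8)` followed by `x/gx $rsp-8`; gdb 8 and later also expose the base directly as `p/x $fs_base`.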