Binary Exploitation - Basic (Supplement)
LJP-TW
May 26, 2021
2021/05/26 NTUST Information Security Club session
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic (Supplement)
# whoami - LJP / LJP-TW - Pwn / Rev - NTUST / NCTU / NYCU - 10sec CTF Team
Outline - TLS
TLS
TLS - TLS stands for Thread-Local Storage - On Linux x64 the fs register holds the address of the thread's TLS block - The stack canary is stored in TLS
TLS - fs is a segment register - an operand written reg:offset is resolved as base(reg) + offset - but when you look at fs in gdb you find it is 0 - so is the canary fetched from [0+0x28]??
TLS - GDB is itself a process, and the fs = 0 it prints is only the segment selector (on x86-64 the base is kept in the FS_BASE MSR, not in a descriptor), so it does not give you the observed process's TLS base - So how do you get the observed process's fs base? - Call arch_prctl in the debuggee Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb implements a command that fetches the TLS address - Reading its implementation shows it does the same thing - https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77
TLS Demo
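The slides above make three points: the canary is read from %fs:0x28, gdb's fs selector reads as 0 and tells you nothing about the base, and the real base must be obtained with arch_prctl (which is what Pwngdb's tls command does). The C program below is an added example and not code from the slides, from Pwngdb or from the fasterthanli.me post: in-process it reads the TLS base and the canary three ways (arch_prctl(ARCH_GET_FS), the self-pointer that glibc and musl keep at %fs:0, and %fs:0x28 as compiler-emitted prologues read it) and checks they agree; its main() then plays the debugger's role, forking a child, attaching with ptrace, taking the child's fs base from PTRACE_GETREGS (the fs_base field, not the selector) and peeking the child's canary at fs_base + 0x28. It assumes Linux x86-64 with gcc or clang and glibc or musl; the helper names, the ARCH_GET_FS value spelled out for the case that <asm/prctl.h> is absent, and the fork-and-attach protocol are mine.

```c
/* Added example: read the x86-64 TLS base and stack canary three ways in
 * process, then read a debuggee's canary the way a debugger must (via
 * ptrace and fs_base, since the fs selector itself is 0).
 * Assumes Linux x86-64 with glibc or musl. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this example targets Linux x86-64"
#endif

#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003      /* value from <asm/prctl.h> (assumption: header absent) */
#endif
#define CANARY_OFFSET 0x28      /* tcbhead_t.stack_guard on x86-64; also musl's pthread.canary */

/* 1. Ask the kernel for this thread's fs base (the value gdb's "fs = 0" hides).
 *    glibc has no arch_prctl wrapper, so go through syscall(2). */
uintptr_t tls_base_from_kernel(void)
{
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* 2. Read the self-pointer at %fs:0 (glibc tcbhead_t.tcb / musl pthread.self). */
uintptr_t tls_base_from_fs0(void)
{
    uintptr_t base;
    __asm__ volatile ("mov %%fs:0, %0" : "=r"(base));
    return base;
}

/* 3. Read the canary exactly as -fstack-protector prologues do. */
uintptr_t canary_from_fs(void)
{
    uintptr_t canary;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(canary));
    return canary;
}

/* The same slot reached through an ordinary pointer once the base is known. */
uintptr_t canary_from_tls_base(uintptr_t base)
{
    return *(volatile uintptr_t *)(base + CANARY_OFFSET);
}

int main(void)
{
    uintptr_t k = tls_base_from_kernel(), s = tls_base_from_fs0();
    printf("fs base: arch_prctl=%#lx  %%fs:0=%#lx\n", (unsigned long)k, (unsigned long)s);
    printf("canary : %%fs:0x28=%#lx  *(base+0x28)=%#lx\n",
           (unsigned long)canary_from_fs(), (unsigned long)canary_from_tls_base(k));

    /* Debugger side: a forked child is the "observed process". fork() copies
     * the TLS block, so the child's canary equals ours, but the debugger path
     * below does not rely on that: it reads the child's memory via ptrace. */
    int pipefd[2];
    if (pipe(pipefd) != 0) { perror("pipe"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                          /* stop until the parent has looked */
        uintptr_t c = canary_from_fs();          /* the child's own view of its canary */
        (void)write(pipefd[1], &c, sizeof c);
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);                    /* child is now in a ptrace stop */
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) != 0) { perror("PTRACE_GETREGS"); return 1; }
    errno = 0;                                   /* PEEKDATA returns the word itself, so check errno */
    long peeked = ptrace(PTRACE_PEEKDATA, pid,
                         (void *)(uintptr_t)(regs.fs_base + CANARY_OFFSET), NULL);
    if (errno != 0) { perror("PTRACE_PEEKDATA"); return 1; }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);      /* data = 0 discards the pending SIGSTOP */
    uintptr_t reported = 0;
    (void)read(pipefd[0], &reported, sizeof reported);
    waitpid(pid, &status, 0);
    printf("child  : fs_base=%#llx  peeked canary=%#lx  child reports=%#lx\n",
           regs.fs_base, (unsigned long)peeked, (unsigned long)reported);
    return (uintptr_t)peeked == reported ? 0 : 1;
}
```

Build with `gcc -O2 tls_canary.c -o tls_canary && ./tls_canary` (file name assumed). Two practical notes: gdb 8.0 and later exposes the same value the ptrace path yields as the `$fs_base` pseudo-register (`p/x $fs_base`, or `info registers fs_base`), so on a current gdb you can check the arch_prctl result against it directly; and the fork-and-attach part needs ptrace to be permitted, which some container seccomp profiles and Yama ptrace_scope settings deny. On glibc the lowest byte of the canary is zero, which is why a string-based overflow stops before it.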