Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
44
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.6k
Reverse Engineering - 2
ljptw
0
690
Reverse Engineering - 3
ljptw
0
550
Re:0 從零開始的逆向工程
ljptw
1
1.1k
Linux 極入門篇
ljptw
1
280
Fuzzing 101
ljptw
1
170
Binary Exploitation - File Structure
ljptw
1
270
Binary Exploitation - Heap
ljptw
1
140
Binary Exploitation - Basic
ljptw
1
110
Other Decks in Technology
See All in Technology
AIに頼りすぎない新人育成術
cuebic9bic
3
310
Claude Codeは仕様駆動の夢を見ない
gotalab555
23
6.7k
Eval-Centric AI: Agent 開発におけるベストプラクティスの探求
asei
0
130
生成AI時代におけるAI・機械学習技術を用いたプロダクト開発の深化と進化 #BetAIDay
layerx
PRO
1
1.2k
마라톤 끝의 단거리 스퍼트: 2025년의 AI
inureyes
PRO
1
750
[OCI Technical Deep Dive] OracleのAI戦略(2025年8月5日開催)
oracle4engineer
PRO
1
180
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
6.3k
テストを実行してSorbetのsigを書こう!
sansantech
PRO
1
110
アカデミーキャンプ 2025 SuuuuuuMMeR「燃えろ!!ロボコン」 / Academy Camp 2025 SuuuuuuMMeR "Burn the Spirit, Robocon!!" DAY 1
ks91
PRO
0
150
React Server ComponentsでAPI不要の開発体験
polidog
PRO
0
280
僕たちが「開発しやすさ」を求め 模索し続けたアーキテクチャ #アーキテクチャ勉強会_findy
bengo4com
0
2.4k
風が吹けばWHOISが使えなくなる~なぜWHOIS・RDAPはサーバー証明書のメール認証に使えなくなったのか~
orangemorishita
15
5.8k
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Visualization
eitanlees
146
16k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
A better future with KSS
kneath
239
17k
Music & Morning Musume
bryan
46
6.7k
Typedesign – Prime Four
hannesfritz
42
2.8k
Adopting Sorbet at Scale
ufuk
77
9.5k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Measuring & Analyzing Core Web Vitals
bluesmoon
8
550
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
cuebic9bic
gotalab555
asei
layerx
inureyes
oracle4engineer
sansantech
ks91
polidog
bengo4com
orangemorishita
chrisshort
jnunemaker
smashingmag
eitanlees
reverentgeek
kneath
bryan
hannesfritz
ufuk
sonatard
keithpitt
bluesmoon
