Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
LJP-TW
May 26, 2021
Technology
58
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.8k
Reverse Engineering - 2
ljptw
0
780
Reverse Engineering - 3
ljptw
0
630
Re:0 從零開始的逆向工程
ljptw
1
1.3k
Linux 極入門篇
ljptw
1
320
Fuzzing 101
ljptw
1
230
Binary Exploitation - File Structure
ljptw
1
320
Binary Exploitation - Heap
ljptw
1
190
Binary Exploitation - Basic
ljptw
1
150
Other Decks in Technology
See All in Technology
新規事業を牽引する技術選定 〜フルスタックTypeScript開発の実践事例〜
nullnull
3
370
AI駆動開発が変える、大規模開発の前提 ーHuman in the Loop から Human on the Loop へ / AIE2026
visional_engineering_and_design
28
19k
個人の発見を、組織の知恵に 〜生成AI活用を"探索"から"組織の仕組み"へ〜
kintotechdev
3
1.1k
Oracle Cloud Infrastructure IaaS 新機能アップデート 2026/3 - 2026/5
oracle4engineer
PRO
1
220
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
nrslib
7
4.2k
PHP と TypeScript の型システム比較:AI 時代の「型」は誰のためにあるのか? #frontend_phpcon_do / frontend_phpcon_do_2026
shogogg
1
260
AI Engineering Summit Tokyo 2026 AIの前に、やることがある 〜医療データ企業の4フェーズ〜
dtaniwaki
0
2.2k
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development with AI-DLC
yoshidashingo
0
150
Platform engineering for developers, architects & the rest of us (AI agents)
danielbryantuk
0
190
あなたの AI ワークスペースに、 専門コーダーを連れてくる - Amazon Quick Desktop 最新情報
kawaji_scratch
1
110
サプライチェーンセキュリティの空白地帯 - 信頼できる”依存性”の未来を考える
rung
PRO
2
780
Claude Code×Terraform IaC テンプレート駆動開発
itouhi
1
440
Featured
See All Featured
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
71
40k
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
380
Ruling the World: When Life Gets Gamed
codingconduct
0
250
Unsuck your backbone
ammeep
672
58k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
580
Between Models and Reality
mayunak
4
330
Leo the Paperboy
mayatellez
7
1.8k
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
600
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
Scaling GitHub
holman
464
140k
Skip the Path - Find Your Career Trail
mkilby
1
140
Believing is Seeing
oripsolob
1
140
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
nullnull
visional_engineering_and_design
kintotechdev
oracle4engineer
nrslib
shogogg
dtaniwaki
yoshidashingo
danielbryantuk
kawaji_scratch
rung
itouhi
akihiro_kokubo
rkendrick25
codingconduct
ammeep
baasie
mayunak
mayatellez
inesmontani
morganepeng
holman
mkilby
oripsolob
