Binary Exploitation - Basic 補充篇 (supplementary session)
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club (台科資安社) club session
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇 (supplementary session)

# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Outline
- TLS

TLS
- TLS stands for Thread-Local Storage
- On Linux x64 the fs segment register holds the address of the TLS block
- The stack canary itself lives in TLS (the compiler's prologue reads it from fs:0x28)

TLS
- fs is a segment register
- An operand written reg:offset is resolved as segment base + offset
- At this point you look at fs in gdb to see what it holds, and it is 0
- So is the canary really fetched from [0+0x28]??

TLS
- The 0 gdb prints is the fs selector, not the fs base: on Linux x86-64 the base is not looked up through a descriptor table, it is set directly (via the FS_BASE MSR) by arch_prctl(ARCH_SET_FS), so the selector stays 0 in every user process
- So how do we get the fs base of the process under observation?
- Call arch_prctl (ARCH_GET_FS) from inside that process; recent gdb versions also expose the value as $fs_base
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

TLS
- Pwngdb implements a command that fetches the TLS address
- Reading how it is implemented, it turns out to do exactly the same thing
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

TLS Demo
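As an added worked example (not part of the slides and not the Pwngdb code they link), the following C program does from inside the process what the demo and the Pwngdb helper do from gdb: it fetches the fs base with arch_prctl(ARCH_GET_FS), reads the canary the way a gcc prologue does (through fs:0x28), and shows that this is the same qword as plain [base+0x28] while the fs selector register is 0. It assumes Linux x86-64 with glibc or musl; the syscall number 158, the constant 0x1003 and all function names are mine, written out so the program needs no kernel headers.

```c
// Added example: where the stack canary really comes from on Linux x86-64.
// Assumes Linux x86-64 (glibc or musl); function names are illustrative.
#include <stdint.h>
#include <stdio.h>

/* Linux x86-64 syscall number for arch_prctl and the ARCH_GET_FS request
 * (the same 0x1003 that gdb helpers such as Pwngdb pass). */
#define NR_ARCH_PRCTL 158
#define ARCH_GET_FS   0x1003

/* fs base of the calling thread, i.e. the address of its TLS block,
 * obtained with arch_prctl(ARCH_GET_FS, &base) as a raw syscall. */
uintptr_t tls_base(void) {
    uintptr_t base = 0;
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)NR_ARCH_PRCTL), "D"((long)ARCH_GET_FS), "S"(&base)
                      : "rcx", "r11", "memory");
    return ret == 0 ? base : 0;
}

/* Exactly what a stack-protector prologue does: mov rax, QWORD PTR fs:0x28 */
uintptr_t canary_via_fs(void) {
    uintptr_t c;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(c));
    return c;
}

/* The same value read through the linear address base + 0x28 */
uintptr_t canary_via_base(void) {
    uintptr_t base = tls_base();
    if (base == 0) return 0;
    return *(uintptr_t *)(base + 0x28);
}

/* The fs selector itself: this is the 0 that `info registers fs` shows */
unsigned int fs_selector(void) {
    unsigned int sel;
    __asm__ volatile ("mov %%fs, %0" : "=r"(sel));
    return sel;
}

int main(void) {
    printf("fs selector = 0x%x\n", fs_selector());
    printf("fs base     = 0x%lx\n", (unsigned long)tls_base());
    printf("fs:0x28     = 0x%lx\n", (unsigned long)canary_via_fs());
    printf("[base+0x28] = 0x%lx\n", (unsigned long)canary_via_base());
    /* Both libcs clear the low byte so string functions cannot copy past it. */
    printf("low byte    = 0x%02lx\n", (unsigned long)(canary_via_fs() & 0xff));
    return canary_via_fs() == canary_via_base() ? 0 : 1;
}
```

Build with `gcc -o tlsdemo tlsdemo.c` and run it under gdb alongside `p/x $fs_base`: the base printed by the program matches what gdb reports, even though `info registers fs` still prints 0, and the qword at base+0x28 is the value every protected frame compares against before returning.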