Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
44
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.6k
Reverse Engineering - 2
ljptw
0
710
Reverse Engineering - 3
ljptw
0
560
Re:0 從零開始的逆向工程
ljptw
1
1.1k
Linux 極入門篇
ljptw
1
280
Fuzzing 101
ljptw
1
170
Binary Exploitation - File Structure
ljptw
1
270
Binary Exploitation - Heap
ljptw
1
140
Binary Exploitation - Basic
ljptw
1
110
Other Decks in Technology
See All in Technology
GopherCon Tour 概略
logica0419
2
160
いまさら聞けない ABテスト入門
skmr2348
1
170
RailsのPostgreSQL 18対応
yahonda
0
1.3k
Tomorrow graphlib, Let us use everybody
hayaosuzuki
0
150
AI×Data×SaaS×Operation
sansantech
PRO
0
110
Trust as Infrastructure
bcantrill
0
250
動画データのポテンシャルを引き出す! Databricks と AI活用への奮闘記(現在進行形)
databricksjapan
0
120
今改めてServiceクラスについて考える 〜あるRails開発者の10年〜
joker1007
20
9.6k
自作LLM Native GORM Pluginで実現する AI Agentバックテスト基盤構築
po3rin
2
220
“2件同時配達”の開発舞台裏 〜出前館PMが挑んだダブルピック実現に向けた体験設計〜
demaecan
0
160
AI時代だからこそ考える、僕らが本当につくりたいスクラムチーム / A Scrum Team we really want to create in this AI era
takaking22
2
850
AI Agentと MCP Serverで実現する iOSアプリの 自動テスト作成の効率化
spiderplus_cb
0
310
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
2.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
Building an army of robots
kneath
306
46k
Producing Creativity
orderedlist
PRO
347
40k
Designing for humans not robots
tammielis
254
25k
Six Lessons from altMBA
skipperchong
28
4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8