Slide 1

Slide 1 text

The boot flow of a small OS, seen through haribote OS   @yuyabu

Slide 2

Slide 2 text

About me
Blog: http://yuyubu.hatenablog.com
Twitter: https://twitter.com/yuyabu
Note: these slides may contain mistakes. If you notice any, please let me know.

Slide 3

Slide 3 text

Audience: beginners
- People who know what a debugger (GDB) is but have never used one
  → the GDB commands (the green text in the slides) can be copy-pasted and used as they are
- People who have the OS self-build book sitting on their unread pile
- People who are about to read the book (this may be a bit hard)
Advanced readers may not find this very interesting.
Note: this contains spoilers for the 30-day OS self-build book, so skip it if you would rather not see them.

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Presenter's environment
The presenter's environment is as follows.
Host OS: macOS High Sierra 10.13.6
Binary editor: 0xED
Makefile etc.: created by sandai (https://github.com/sandai/30nichideosjisaku)
QEMU emulator version 2.11.0
The haribote OS used is haribote27f, from the final day (day 30).
It may not run in your environment, and the addresses shown in this talk may differ from yours.

Slide 6

Slide 6 text

qemu monitor / GDB setup
Easy to set up in the OS-book environment.
1. Add a little to z_tools/qemu/Makefile:
QEMU_ARGS = -m 32 -localtime -vga std -fda fdimage.bin -monitor stdio -s -S
2. After make run, connect gdb from another console with the following command:
gdb -ex 'target remote localhost:1234'

Slide 7

Slide 7 text

A very brief look at the source

Slide 8

Slide 8 text

The three layers of the OS
bootpack.hrb: the code that is the OS proper. Memory management, keyboard, multitasking, etc.
  Source: bootpack.c fifo.c int.c mouse.c tek.c console.c file.c keyboard.c mtask.c timer.c dsctbl.c graphic.c memory.c sheet.c window.c naskfunc.nas
IPL (boot sector): its job is reading the floppy from sector 2 onward.
  Source: ipl09.nas
asmhead.bin: its job is the screen-size setup and the 16-bit/32-bit switch.
  Source: asmhead.nas
[figure: the sector ranges that haribote.sys occupies inside haribote.img]

Slide 9

Slide 9 text

How the OS gets loaded into memory

Slide 10

Slide 10 text

Until the OS is loaded
The BIOS reads the floppy's boot sector (the first 512 B) into memory at 0x7C00.
The IPL reads the remaining part into 0x8200 and calls into the asmhead.nas part.
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00, then 0x8200 and 0xC200]

Slide 11

Slide 11 text

Until the OS is loaded
Inside asmhead.nas, the OS proper (bootpack.hrb) is copied to address 0x280000, and the copied bootpack.hrb is then called.
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 12

Slide 12 text

Until the OS is loaded
The OS proper loaded at address 0x280000 is executed.
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 13

Slide 13 text

What each layer does besides loading
asmhead.nas: screen-size setup, 16-bit/32-bit (CPU) mode switch
ipl09.nas: nothing in particular besides reading the floppy
bootpack.c: multitasking setup, segment setup, screen drawing, keyboard and mouse setup, memory management, etc.
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 14

Slide 14 text

A detailed walk from reading the floppy to executing the OS proper

Slide 15

Slide 15 text

Reading the floppy
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00]
From the listing of ipl09.nas:
00007CD2 CD 13        INT 0x13    ; call the disk BIOS

Slide 16

Slide 16 text

Reading the floppy
INT 0x13 (disk services):
  AH = 0x02 (for a read)
  AH = 0x0c (for a seek)
  AL = number of sectors to process
  CH = cylinder number & 0xff
  CL = sector number (bits 0-5)
  DH = head number
  DL = drive number
  ES:BX = buffer address
Source: http://oswiki.osask.jp/ ((AT)BIOS page)
00007CD2 CD 13        INT 0x13    ; call the disk BIOS
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00]

Slide 17

Slide 17 text

Reading the floppy
00007CD2 CD 13        INT 0x13    ; call the disk BIOS
The INT 0x13 register conventions are as on the previous slide (AH = 0x02 read / 0x0c seek, AL = sector count, CH = cylinder & 0xff, CL = sector (bits 0-5), DH = head, DL = drive, ES:BX = buffer address).
Stop at the call and look at the registers:
b *0x7CD2
continue
info register
eax 0x211   ecx 0x2   edx 0x0   ebx 0x0   eip 0x7cd2   es 0x820 2080

Slide 18

Slide 18 text

Reading the floppy
INT 0x13 (disk services), with the values gdb showed at 0x7CD2:
  AH = 0x02 (for a read)
  AH = 0x0c (for a seek)
  AL = 0x11 (number of sectors to process)
  CH = 0x00 (cylinder number & 0xff)
  CL = 0x2 (sector number, bits 0-5)
  DH = 0x0 (head number)
  DL = 0x0 (drive number)
  ES:BX = 0x820:0x0 (buffer address)
00007CD2 CD 13        INT 0x13    ; call the disk BIOS
b *0x7CD2
continue
info register
eax 0x211   ecx 0x2   edx 0x0   ebx 0x0   eip 0x7cd2   es 0x820 2080

Slide 19

Slide 19 text

b *0x7CD2
continue
info register
eax 0x211   ecx 0x2   edx 0x0   ebx 0x0   eip 0x7cd2   es 0x820 2080
Reading the floppy
INT 0x13 (disk services), with the values gdb showed at 0x7CD2:
  AH = 0x02 (for a read)
  AH = 0x0c (for a seek)
  AL = 0x11 (number of sectors to process)
  CH = 0x00 (cylinder number & 0xff)
  CL = 0x2 (sector number, bits 0-5)
  DH = 0x0 (head number)
  DL = 0x0 (drive number)
  ES:BX = 0x820:0x0 (buffer address)
00007CD2 CD 13        INT 0x13    ; call the disk BIOS
In short: read 17 sectors, sectors 2 through 18, to 0x8200!
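Worked example, added here and not code from the slides or from haribote OS: decoding the INT 0x13 register state that gdb captured at 0x7CD2 in C, so the "17 sectors from sector 2 into 0x8200" reading can be checked mechanically for any register dump. It assumes a 1.44 MB floppy geometry (2 heads, 18 sectors per track, 512-byte sectors) for the CHS-to-LBA conversion, and the `image_to_memory` helper assumes that haribote.sys begins at image offset 0x4200, which is the book's disk layout rather than something the slides state.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE       512u
#define SECTORS_PER_TRACK 18u   /* assumed: 1.44 MB floppy geometry */
#define HEADS             2u

/* What the BIOS sees when ipl09.nas executes INT 0x13 with AH=0x02. */
struct disk_read {
    uint8_t  ah, al;      /* function (0x02 = read), sector count */
    uint16_t cylinder;    /* CH, plus the two high bits packed into CL bits 6-7 */
    uint8_t  sector;      /* CL bits 0-5, counted from 1 */
    uint8_t  head, drive; /* DH, DL */
    uint32_t buffer;      /* linear address ES*16 + BX */
    uint32_t end;         /* first byte after the transfer */
    uint32_t lba;         /* 0-based logical block of the first sector */
    int      valid;       /* 0 if the request is not a well-formed read */
};

/* Split the raw register values exactly as INT 0x13/AH=02h interprets them. */
struct disk_read decode_int13(uint32_t eax, uint32_t ecx, uint32_t edx,
                              uint16_t es, uint16_t bx)
{
    struct disk_read r;
    r.ah       = (uint8_t)((eax >> 8) & 0xffu);
    r.al       = (uint8_t)(eax & 0xffu);
    r.cylinder = (uint16_t)(((ecx >> 8) & 0xffu) | ((ecx & 0xc0u) << 2));
    r.sector   = (uint8_t)(ecx & 0x3fu);
    r.head     = (uint8_t)((edx >> 8) & 0xffu);
    r.drive    = (uint8_t)(edx & 0xffu);
    r.buffer   = (uint32_t)es * 16u + bx;          /* real-mode segment:offset */
    r.end      = r.buffer + (uint32_t)r.al * SECTOR_SIZE;
    /* Sector numbers are 1-based; 0 or anything past the track is invalid. */
    r.valid    = (r.ah == 0x02) && (r.al > 0) &&
                 (r.sector >= 1) && (r.sector <= SECTORS_PER_TRACK) && (r.head < HEADS);
    r.lba      = r.valid
               ? ((uint32_t)r.cylinder * HEADS + r.head) * SECTORS_PER_TRACK + (r.sector - 1u)
               : 0u;
    return r;
}

/* Byte offset of a logical block inside the raw image (fdimage.bin). */
uint32_t image_offset(uint32_t lba) { return lba * SECTOR_SIZE; }

/* Where an image byte ends up once the IPL has read sector 2 onward to 0x8200:
 * image offset 0x200 (sector 2) lands at 0x8200, so memory = offset + 0x8000. */
uint32_t image_to_memory(uint32_t offset) { return offset - 0x200u + 0x8200u; }

int main(void)
{
    /* Register values from the slides' "info register" output at 0x7CD2. */
    struct disk_read r = decode_int13(0x211, 0x2, 0x0, 0x820, 0x0);
    printf("AH=%#x AL=%u sectors, C/H/S=%u/%u/%u, drive %u, valid=%d\n",
           (unsigned)r.ah, (unsigned)r.al, (unsigned)r.cylinder, (unsigned)r.head,
           (unsigned)r.sector, (unsigned)r.drive, r.valid);
    printf("buffer %#x..%#x, first LBA %u = image offset %#x\n",
           r.buffer, r.end, r.lba, image_offset(r.lba));
    /* Assumed (the book's disk layout, not stated on the slides): haribote.sys
     * starts at image offset 0x4200, which is why the IPL later jumps to 0xC200. */
    printf("image offset 0x4200 -> memory %#x\n", image_to_memory(0x4200));
    return 0;
}
```

The `end` field (0xA400 for this call) is where the next read would have to start if the IPL kept going, and `valid` catches the one easy mistake in hand-built CHS requests, a sector number of 0.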

Slide 20

Slide 20 text

Reading the floppy
From the listing of ipl09.nas:
 76 00007C9E           readfast:              ; read as many sectors at once as AL allows
...(omitted)...
112 00007CD2 CD 13         INT 0x13           ; call the disk BIOS
113 00007CD4 73 14         JNC next           ; if no error occurred, go to next
Note: 0x8200 + 0x1400 - 0x200 = 0x9400
b *0x7CD2
b *0x7CD4
display/8b 0x8200
1: x/8xb 0x8200
0x8200: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Slide 21

Slide 21 text

Reading the floppy
Same listing and breakpoints as the previous slide (b *0x7CD2, b *0x7CD4, display/8b 0x8200, which shows all zeros at 0x8200 before the call), then:
continue
Continuing.
Breakpoint 1, 0x00007cd4 in ?? ()

Slide 22

Slide 22 text

Reading the floppy
Same listing and breakpoints as before (b *0x7CD2, b *0x7CD4, display/8b 0x8200, all zeros at 0x8200 before the call), then:
continue
Continuing.
Breakpoint 1, 0x00007cd4 in ?? ()
1: x/8xb 0x8200
0x8200: 0xf0 0xff 0xff 0x03 0x40 0x00 0x05 0x60

Slide 24

Slide 24 text

Reading the floppy
[table of the values of al (sector count), ch (cylinder number), cl (sector number), dh (head number), dl (drive number), es and bx (read destination) at each successive INT 0x13 call]

Slide 25

Slide 25 text

Reading the floppy
b *0x7CD2
display/x $al
display/x $ch
display/x $cl
display/x $dh
display/x $dl
display/x $es
display/x $bx
continue
then keep pressing Enter (repeats continue, printing the registers at each call)

Slide 26

Slide 26 text

Moving on to layer 2
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]
From the listing of ipl09.nas:
00007C6B               ; finished reading, so run haribote.sys!
...(omitted)
00007C70 E9 458D       JMP 0xc200

Slide 27

Slide 27 text

Switching the screen mode
Screen switching via VBE (VESA BIOS Extension): INT 0x10 with AX = 0x4f02 and BX = screen mode number
Screen mode numbers:
  0x101: 640x480x8bit
  0x103: 800x600x8bit
  0x105: 1024x768x8bit
  0x107: 1280x1024x8bit
Note: BX has to be given the mode number plus 0x4000, or it reportedly does not work (from the book).
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 28

Slide 28 text

Switching the screen mode
The resolution-setting instructions are loaded at 0xC23E to 0xC246. Excerpt from asmhead.lst:
64 0000C23E BB 4105            MOV BX,VBEMODE+0x4000
65 0000C241 B8 4F02            MOV AX,0x4f02
66 0000C244 CD 10              INT 0x10
67 0000C246 C6 06 0FF2 08      MOV BYTE [VMODE],8
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 29

Slide 29 text

Excerpt from asmhead.lst:
64 0000C23E BB 4105            MOV BX,VBEMODE+0x4000
65 0000C241 B8 4F02            MOV AX,0x4f02
66 0000C244 CD 10              INT 0x10
67 0000C246 C6 06 0FF2 08      MOV BYTE [VMODE],8
Switching the screen mode
b *0xc244
b *0xc246
continue
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 30

Slide 30 text

Switching the CPU operating mode
Real mode vs. protected mode
[memory-map figure: IPL (boot sector, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 31

Slide 31 text

Switching the CPU operating mode
Real mode: 16-bit
Protected mode: 32-bit
[memory-map figure, as before]

Slide 32

Slide 32 text

Switching the CPU operating mode
Real mode: 16-bit; no segments
Protected mode: 32-bit; uses segments
[memory-map figure, as before]

Slide 33

Slide 33 text

Switching the CPU operating mode
Real mode: 16-bit; no segments; no protection
Protected mode: 32-bit; uses segments; has protection features
[memory-map figure, as before]

Slide 34

Slide 34 text

Switching the CPU operating mode
Real mode: 16-bit; no segments; no protection; real addressing
Protected mode: 32-bit; uses segments; has protection features; virtual addressing
[memory-map figure, as before]

Slide 35

Slide 35 text

Switching the CPU operating mode
[memory-map figure, as before]
The provisional GDT:
Index   limit          base       meaning
1       about 4 GB     0x0        data
2       about 512 KB   0x280000   code

Slide 36

Slide 36 text

Switching the CPU operating mode
From asmhead.lst:
0000C2A4 ; switch to protected mode
0000C2A4
0000C2A4         LGDT [GDTR0]        ; set the provisional GDT
0000C2A9         MOV  EAX,CR0
0000C2AC         AND  EAX,0x7fffffff
0000C2B2         OR   EAX,0x00000001
0000C2B6         MOV  CR0,EAX
0000C2B9         JMP  pipelineflush
0000C2BB pipelineflush:
0000C2BB         MOV  AX,1*8
0000C2BE         MOV  DS,AX
0000C2C0         MOV  ES,AX
0000C2C2         MOV  FS,AX
0000C2C4         MOV  GS,AX
0000C2C6         MOV  SS,AX
0000C2C8
0000C2C8 ; transfer bootpack
0000C2C8
0000C2C8         MOV  ESI,bootpack   ; source
[memory-map figure, as before]

Slide 37

Slide 37 text

Switching the CPU operating mode
Same asmhead.lst excerpt as the previous slide (LGDT [GDTR0] at 0xC2A4 through MOV ESI,bootpack at 0xC2C8), with breakpoints on both ends of it:
b *0xC2A4
b *0xC2C8
continue
[memory-map figure, as before]

Slide 38

Slide 38 text

Switching the CPU operating mode
[memory-map figure, as before]
Before execution (EIP=0000c2a4):
ES =9000 CS =0000 SS =0000 DS =0000 FS =0000 GS =0000 GDT=00000000 CR0=00000010
b *0xC2A4
b *0xC2C8
continue
After execution (EIP=0000c2c8):
ES =0008 CS =0000 SS =0008 DS =0008 FS =0008 GS =0008 GDT=0000c370 CR0=00000011
(qemu) info registers
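Worked example for the provisional GDT (slide 35) and the CR0 and selector arithmetic in the listing (slides 36 to 38), added here; it is not code from the slides or from asmhead.nas. It packs the two descriptors into the standard x86 8-byte segment descriptor format using the limits and bases the slide lists (data: about 4 GB from 0x0, code: about 512 KB from 0x280000), decodes them back, and reproduces why `MOV AX,1*8` gives 0x0008 and `CR0` goes from 0x10 to 0x11. The access bytes (0x92 for data, 0x9a for code) and the granularity flags are assumptions, since the slides do not show the raw descriptor words.

```c
#include <stdint.h>
#include <stdio.h>

struct segdesc {
    uint32_t base;          /* linear start address */
    uint32_t limit_bytes;   /* highest valid offset (segment size - 1) */
    uint8_t  access;        /* P/DPL/S/type byte */
    int      page_granular; /* G flag: limit counted in 4 KiB pages */
};

/* Pack base/limit/flags into the 8-byte descriptor layout (limit is 20 bits,
 * in bytes when gran==0 or in 4 KiB pages when gran==1). */
uint64_t gdt_encode(uint32_t base, uint32_t limit, uint8_t access, int gran)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xffffu);                 /* limit 15:0  */
    d |= (uint64_t)(base & 0xffffffu) << 16;          /* base 23:0   */
    d |= (uint64_t)access << 40;                      /* access byte */
    d |= (uint64_t)((limit >> 16) & 0x0fu) << 48;     /* limit 19:16 */
    d |= (uint64_t)(gran ? 0xcu : 0x4u) << 52;        /* flags: G (bit 55), D/B 32-bit (bit 54) */
    d |= (uint64_t)(base >> 24) << 56;                /* base 31:24  */
    return d;
}

/* Unpack a descriptor; with G=1 the byte limit is (raw+1)*4096-1, as the CPU sees it. */
struct segdesc gdt_decode(uint64_t d)
{
    struct segdesc s;
    uint32_t raw = (uint32_t)(d & 0xffffu) | ((uint32_t)((d >> 48) & 0x0fu) << 16);
    s.base          = (uint32_t)((d >> 16) & 0xffffffu) | ((uint32_t)(d >> 56) << 24);
    s.access        = (uint8_t)(d >> 40);
    s.page_granular = (int)((d >> 55) & 1u);
    s.limit_bytes   = s.page_granular ? (uint32_t)(((uint64_t)raw + 1u) * 4096u - 1u) : raw;
    return s;
}

/* Selector = index*8 (TI=0, RPL=0), as in "MOV AX,1*8" and "JMP 2*8:0x1b". */
uint16_t selector(unsigned index)       { return (uint16_t)(index << 3); }
unsigned selector_index(uint16_t sel)   { return sel >> 3; }

/* The CR0 update from the listing: clear PG (bit 31), set PE (bit 0). */
uint32_t cr0_enter_protected(uint32_t cr0) { return (cr0 & 0x7fffffffu) | 1u; }

int main(void)
{
    /* Assumed access bytes: 0x92 = present, DPL0, data R/W; 0x9a = present, DPL0, code X/R. */
    uint64_t gdt[3] = {
        0,                                       /* index 0: null descriptor */
        gdt_encode(0x000000, 0xfffff, 0x92, 1),  /* index 1: data, ~4 GB from 0 (page granular) */
        gdt_encode(0x280000, 0x7ffff, 0x9a, 0),  /* index 2: code, 512 KB from 0x280000 */
    };
    for (unsigned i = 1; i < 3; i++) {
        struct segdesc s = gdt_decode(gdt[i]);
        printf("selector %#06x -> base %#x, limit %#x bytes, access %#x, G=%d\n",
               (unsigned)selector(i), s.base, s.limit_bytes, (unsigned)s.access, s.page_granular);
    }
    printf("CR0 %#x -> %#x\n", 0x10u, cr0_enter_protected(0x10u));
    return 0;
}
```

The decode shows why the slide can describe entry 1 as "about 4 GB" from a 20-bit limit: with G set, 0xfffff pages becomes 0xffffffff bytes. Entry 2 is the selector 0x10 that CS later takes after the far jump.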

Slide 39

Slide 39 text

Copying the OS proper (omitted)
[memory-map figure: IPL (boot loader, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 40

Slide 40 text

Running the OS proper
[memory-map figure: IPL (boot loader, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]
From asmhead.lst:
0000C319 ; start bootpack
...(the OS-copy instructions, omitted)
0000C33E skip:
0000C33E         MOV  ESP,[EBX+12]           ; initial stack value
0000C343         JMP  DWORD 2*8:0x0000001b

Slide 41

Slide 41 text

Running the OS proper: the far jump
Registers before executing JMP DWORD 2*8:0x0000001b (qemu monitor):
EIP=0000c343 CS =0000
ES =0008 SS =0008 DS =0008 FS =0008 GS =0008
(note: all the other segment registers are 0x008)
[memory-map figure: IPL (boot loader, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 42

Slide 42 text

Running the OS proper: the far jump
Registers after executing JMP DWORD 2*8:0x0000001b (qemu monitor):
EIP=0000001b CS =0010
ES =0008 SS =0008 DS =0008 FS =0008 GS =0008
(note: all the other segment registers are 0x008)
[memory-map figure: IPL (boot loader, ipl09.nas) at 0x7C00; asmhead.nas / haribote.sys at 0xC200; bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 43

Slide 43 text

Running the OS proper: the near jump
Memory dump: 0x28001b: 0xe9075a   (address 0x1b within bootpack.hrb)
[figure: bootpack.hrb (bootpack.c etc.) at 0x280000]

Slide 44

Slide 44 text

Running the OS proper: the near jump
0x28001b: 0xe9075a
Address 0x1b is right in the middle of the hrb header.

Slide 45

Slide 45 text

Running the OS proper: the near jump
0x28001b: 0xe9075a
hrb header layout: 0x1b = always 0xe9 (a JMP instruction); 0x1c = address of the main function (32-bit) - 0x20
Address 0x1b is right in the middle of the hrb header.

Slide 46

Slide 46 text

Running the OS proper: the near jump
0x28001b: 0xe9075a0000
Why? Read it as 0x28001b: 0xe9 075a0000: the jump is an offset from 0x280020, the address right after the instruction.

Slide 47

Slide 47 text

Running the OS proper: the near jump
0x28001b: 0xe9075a0000 = JMP 0x00005a07
Note: 0x5a07 = the program's entry address minus 0x20

Slide 48

Slide 48 text

Running the OS proper: the near jump
Disassembly by GDB: 0x28001b: jmp 0x285a27
0x28001b: 0xe9075a0000 = JMP 0x00005a07
Note: 0x5a07 = the program's entry address minus 0x20

Slide 49

Slide 49 text

Running the OS proper: the near jump
I ran out of time to look into it fully, but before jumping to the OS's main function there is one more near jump:
0x28001b: jmp 0x285a27
...
0x285a27: push ebp
0x285a28: mov ebp,esp
0x285a2a: pop ebp
0x285a2b: jmp 0x280024
...
0x280024: push ebp   ← the main function
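Worked example for the near-jump decoding on slides 43 to 49, added here and not code from the slides or from haribote OS: it recomputes the E9 rel32 target from the header bytes gdb dumped at 0x28001b, derives the entry offset the hrb header encodes, and decodes the second hop at 0x285a2b, whose displacement is negative. The `hrb_header` and `second_hop` arrays are constructed for this example: the load base 0x280000, the bytes e9 07 5a 00 00 and the 0x285a2b → 0x280024 jump come from the slides, and everything else in the header is zero filler.

```c
#include <stdint.h>
#include <stdio.h>

#define HRB_JMP_OFFSET 0x1bu      /* header rule: 0xE9 at 0x1b, rel32 at 0x1c..0x1f */
#define LOAD_BASE      0x280000u  /* where asmhead copied bootpack.hrb */

/* Read a little-endian 32-bit value. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Target of the E9 rel32 near jump whose opcode byte is at `code`, when that
 * instruction lives at linear address `at`. Returns 0 for anything that is
 * not E9. The displacement is relative to the end of the 5-byte instruction
 * and is added modulo 2^32, so backward jumps behave as on the CPU. */
uint32_t near_jmp_target(const uint8_t *code, uint32_t at)
{
    if (code[0] != 0xe9) return 0;
    return at + 5u + le32(code + 1);
}

/* Entry offset inside the .hrb implied by its header: byte 0x1c holds entry - 0x20. */
uint32_t hrb_entry_offset(const uint8_t *hdr)
{
    if (hdr[HRB_JMP_OFFSET] != 0xe9) return 0;
    return le32(hdr + HRB_JMP_OFFSET + 1) + 0x20u;
}

/* Constructed: the first 0x20 bytes of bootpack.hrb as seen at 0x280000.
 * Only bytes 0x1b..0x1f (e9 07 5a 00 00) come from the slides' dump; the
 * rest of the header is zero filler here. */
static const uint8_t hrb_header[0x20] = {
    [0x1b] = 0xe9, [0x1c] = 0x07, [0x1d] = 0x5a, [0x1e] = 0x00, [0x1f] = 0x00,
};

/* Constructed encoding of the second hop gdb showed at 0x285a2b (jmp 0x280024):
 * rel32 = 0x280024 - (0x285a2b + 5) = 0xffffa5f4, a negative displacement. */
static const uint8_t second_hop[5] = { 0xe9, 0xf4, 0xa5, 0xff, 0xff };

int main(void)
{
    uint32_t hop1 = near_jmp_target(hrb_header + HRB_JMP_OFFSET, LOAD_BASE + HRB_JMP_OFFSET);
    uint32_t hop2 = near_jmp_target(second_hop, 0x285a2bu);
    printf("hrb entry offset: 0x%x\n", hrb_entry_offset(hrb_header));
    printf("0x%x: jmp 0x%x\n", LOAD_BASE + HRB_JMP_OFFSET, hop1);
    printf("0x%x: jmp 0x%x  (HariMain)\n", 0x285a2bu, hop2);
    return 0;
}
```

Because the header's JMP ends exactly at offset 0x20, the value stored at 0x1c (entry - 0x20) is already the rel32 the CPU needs, which is why the slides' 0x5a07 and the disassembled target 0x285a27 agree without any further fix-up.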

Slide 50

Slide 50 text

Finally at the main function
C source: void HariMain(void)
.lst file:
 31 [SECTION .text]
318 0000000                GLOBAL _HariMain
319 0000000            _HariMain:
320 00000000 55            PUSH EBP
321 00000001 89 E5         MOV EBP,ESP
gdb memory dump and disassembly:
(gdb) x/10i 0x280024
0x280024: push ebp
0x280025: mov ebp,esp
0x280027: push edi
0x28001b -> 0x285a27 -> 0x280024

Slide 51

Slide 51 text

Even just where the screen changes:
Break on the instruction after each of the three calls (b *0x2802de, and likewise after the other two) and continue:
0x2802d9: call 0x2823b1
0x2802de: push 0x1
0x2802e0: push edi
0x2802e1: call 0x2823b1
0x2802e6: push 0x2
0x2802e8: push DWORD PTR [ebp-0x434]
0x2802ee: call 0x2823b1
0x2802f3: add esp,0x24
(the three calls are sheet_updown(sht_back, …), sheet_updown(key_win, 1) and sheet_updown(sht_mouse, 2))

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

Thank you for listening.