Slide 1

Reverse Engineering
terrynini38514 (terrynini)

Slide 2

WHO AM I ?

Slide 3

ID: Terrynini38514
▸ National Chiao Tung University, LAB; security master's degree program
▸ Things I can just about brag about: FireEye FlareOn Challenge
▸ CTF Team: DoubleSigma (since absorbed into Balsn), Balsn

Slide 4

BABY STEP: Stack Frame
Stack diagram (low memory address at the top, high memory address at the bottom; highlight means RIP points to here):
0x1000: 0x40
0xffc: 0x8048536 (return address)
0xff8: old ebp (main's ebp) <- ebp
0xfec: bossA_want = 0x20
0xfe0: <- esp
eax: 0x20

Slide 5

BABY STEP: Stack Frame
Same frame as the previous slide; the intermediate instructions are skipped (SKIP SOME OPERATIONS!).

Slide 6

BABY STEP: Stack Frame
Same frame: 0x1000: 0x40; 0xffc: return address 0x8048536; 0xff8: old ebp (main's ebp) <- ebp; 0xfec: bossA_want = 0x20; esp -> 0xfe0.

Slide 7

BABY STEP: Stack Frame
The diagram now shows only the bottom of main's frame: ebp -> 0xff8, esp -> 0xfe0, bossA_want = 0x20 at 0xfec.

Slide 8

BABY STEP: Stack Frame
A cell at 0xfd4 is added below esp, labelled "just for alignment".

Slide 9

BABY STEP: Stack Frame
0x20 is placed at 0xfd0, below the alignment cell at 0xfd4.

Slide 10

BABY STEP: Stack Frame
The call places the return address 0x80484ff at 0xfcc; RIP now points into the callee. Stack: 0xfe0 (main's esp before the call), 0xfd4: alignment cell, 0xfd0: 0x20, 0xfcc: return address 0x80484ff.

Slide 11

BABY STEP: Stack Frame
esp -> 0xfcc (on top of the return address 0x80484ff).

Slide 12

BABY STEP: Stack Frame
push ebp: the old ebp value 0xff8 is saved at 0xfc8; esp -> 0xfc8.

Slide 13

BABY STEP: Stack Frame
mov ebp, esp: ebp -> 0xfc8, esp -> 0xfc8. The epilogue that follows:
leave = mov esp, ebp
        pop ebp

Slide 14

BABY STEP: Stack Frame
leave = mov esp, ebp; pop ebp: esp moves to 0xfc8, the saved value 0xff8 is popped back into ebp.

Slide 15

BABY STEP: Stack Frame
ret = pop eip: the return address 0x80484ff at 0xfcc is popped into eip; esp -> 0xfd0.

Slide 16

BABY STEP: Stack Frame
Back in main: esp -> 0xfd0. The 0x20 at 0xfd0 and the alignment cell at 0xfd4 are still on the stack; main's frame extends to 0xfe0.

Slide 17

BABY STEP: Stack Frame
esp -> 0xfe0 again; main's frame as on slide 4: 0x1000: 0x40; 0xffc: return address 0x8048536; 0xff8: old ebp (main's ebp) <- ebp; 0xfec: bossA_want = 0x20.

Slide 18

BABY STEP: Stack Frame
main's epilogue begins:
leave = mov esp, ebp
        pop ebp

Slide 19

BABY STEP: Stack Frame
After mov esp, ebp: esp -> 0xff8 (the old ebp cell); pop ebp restores the caller's ebp.

Slide 20

BABY STEP: Stack Frame
ret: esp -> 0xffc, the return address 0x8048536 is popped into eip.

Slide 21

BABY STEP: Stack Frame
prologue / epilogue

Slide 22

BABY STEP: Calling Convention: cdecl
▸ caller pops the stack
▸ arguments are pushed from right to left
Stack (low memory address at the top): 0xff8: old ebp (main's ebp) <- ebp; return address 0x8048536; then arguments 1, 2, 3 above it (1 at 0x1000, nearest the return address).
Having the caller clear the stack makes variadic functions such as printf easier to implement.

Slide 23

BABY STEP: Calling Convention: stdcall (winapi uses this convention)
▸ callee pops the stack
Having the callee clear the stack saves more space.

Slide 24

BABY STEP: Calling Convention: fastcall
▸ put the first two args in registers
▸ put the remaining args on the stack
▸ callee pops the stack

Slide 25

BABY STEP: Calling Convention: thiscall
▸ put "this" in ecx

Slide 26

BABY STEP: x64 Calling Convention
Windows: function(rcx, rdx, r8, r9)
Linux: function(rdi, rsi, rdx, rcx, r8, r9)
When there are more arguments than the registers hold, the extra ones are passed as in the x86 calling convention, directly on the stack; pay attention to where Windows puts them.
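To make the frame walk on the "Stack Frame" slides and the cdecl/stdcall difference on the "Calling Convention" slides checkable, here is an added example (not code from the deck) that models the x86 stack as an array of 4-byte cells and replays the slides step by step: the return address 0x8048536 at 0xffc, main's saved ebp at 0xff8, bossA_want = 0x20 at 0xfec, the alignment cell at 0xfd4, the argument 0x20 at 0xfd0, the callee's return address 0x80484ff at 0xfcc and its saved ebp at 0xfc8. The ebp value of main's caller, the entry addresses MAIN_ENTRY and BOSS_ENTRY, and the sizes of the `sub esp` steps are assumptions chosen so the model lands on the slide's addresses; the slides themselves do not state them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86 stack (example code, not the deck's own).
 * Cell addresses, return addresses and the value 0x20 come from the slides;
 * CALLER_EBP, MAIN_ENTRY and BOSS_ENTRY are made-up placeholders. */
#define STACK_BASE 0xf00u                 /* lowest modelled address */
#define STACK_TOP  0x1000u                /* highest address on the slides */
#define CELLS      ((STACK_TOP - STACK_BASE) / 4 + 1)
#define CALLER_EBP 0x1234u                /* hypothetical: ebp of main's caller */
#define MAIN_ENTRY 0x80484d0u             /* hypothetical: address of main */
#define BOSS_ENTRY 0x8048400u             /* hypothetical: address of the callee */

typedef struct {
    uint32_t esp, ebp, eip;
    uint32_t mem[CELLS];                  /* 4-byte cells: mem[(addr - STACK_BASE) / 4] */
} cpu_t;

static uint32_t *cell(cpu_t *c, uint32_t addr) {
    static uint32_t scratch;              /* out-of-range or misaligned access lands here */
    if (addr < STACK_BASE || addr > STACK_TOP || (addr & 3u)) return &scratch;
    return &c->mem[(addr - STACK_BASE) / 4];
}
uint32_t mem_at(cpu_t *c, uint32_t addr) { return *cell(c, addr); }

/* push moves esp 4 bytes toward lower addresses; pop moves it back up */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; *cell(c, c->esp) = v; }
static uint32_t pop(cpu_t *c)           { uint32_t v = *cell(c, c->esp); c->esp += 4; return v; }
/* call: push the return address, then jump */
static void call(cpu_t *c, uint32_t target, uint32_t ret_addr) { push(c, ret_addr); c->eip = target; }
/* prologue: push ebp ; mov ebp, esp */
static void prologue(cpu_t *c) { push(c, c->ebp); c->ebp = c->esp; }
/* leave: mov esp, ebp ; pop ebp */
static void leave(cpu_t *c)    { c->esp = c->ebp; c->ebp = pop(c); }
/* ret imm: pop eip, then drop imm bytes of arguments (imm == 0 for cdecl) */
static void ret(cpu_t *c, uint32_t imm) { c->eip = pop(c); c->esp += imm; }

/* Slides 4-13: from main's caller up to the callee's prologue. */
void replay_to_callee_prologue(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_TOP; c->ebp = CALLER_EBP;
    call(c, MAIN_ENTRY, 0x8048536);       /* 0xffc <- return address into main's caller */
    prologue(c);                          /* 0xff8 <- old ebp, ebp = 0xff8 */
    c->esp -= 0x18;                       /* room for locals (assumed size): esp = 0xfe0 */
    *cell(c, 0xfec) = 0x20;               /* bossA_want = 0x20 */
    c->esp -= 0xc;                        /* "just for alignment": esp = 0xfd4 */
    push(c, 0x20);                        /* argument at 0xfd0 */
    call(c, BOSS_ENTRY, 0x80484ff);       /* 0xfcc <- return address into main */
    prologue(c);                          /* 0xfc8 <- 0xff8, ebp = 0xfc8 */
}

/* Slides 13-20. callee_pops is the imm of the callee's ret: 0 = cdecl (main
 * then removes all 0x10 bytes), 4 = stdcall (callee removes the argument, main
 * only its 0xc alignment bytes). Returns esp right after the callee's ret. */
uint32_t replay_return(cpu_t *c, uint32_t callee_pops) {
    leave(c);                             /* esp = 0xfc8 -> pop: ebp = 0xff8, esp = 0xfcc */
    ret(c, callee_pops);                  /* eip = 0x80484ff, esp = 0xfd0 + callee_pops */
    uint32_t esp_after_callee = c->esp;
    c->esp += 0x10 - callee_pops;         /* caller's share of the cleanup: esp = 0xfe0 */
    leave(c);                             /* main's epilogue: ebp = CALLER_EBP, esp = 0xffc */
    ret(c, 0);                            /* eip = 0x8048536, esp = 0x1000 */
    return esp_after_callee;
}

/* One-call accessors so each fact about the frame can be checked directly. */
uint32_t callee_frame_value(uint32_t addr) { cpu_t c; replay_to_callee_prologue(&c); return mem_at(&c, addr); }
uint32_t callee_frame_ebp(void)            { cpu_t c; replay_to_callee_prologue(&c); return c.ebp; }
uint32_t esp_after_callee_ret(uint32_t callee_pops) { cpu_t c; replay_to_callee_prologue(&c); return replay_return(&c, callee_pops); }
uint32_t esp_after_main_ret(uint32_t callee_pops)   { cpu_t c; replay_to_callee_prologue(&c); replay_return(&c, callee_pops); return c.esp; }
uint32_t eip_after_main_ret(uint32_t callee_pops)   { cpu_t c; replay_to_callee_prologue(&c); replay_return(&c, callee_pops); return c.eip; }

int main(void) {
    printf("callee frame: ebp=%#x saved_ebp=%#x ret=%#x arg=%#x\n",
           callee_frame_ebp(), callee_frame_value(0xfc8), callee_frame_value(0xfcc), callee_frame_value(0xfd0));
    printf("cdecl  : esp after callee ret = %#x\n", esp_after_callee_ret(0));
    printf("stdcall: esp after callee ret = %#x\n", esp_after_callee_ret(4));
    return 0;
}
```

The only difference between the two conventions in this model is who executes the `add esp`: with cdecl the callee's `ret` leaves esp at 0xfd0 and main removes the whole 0x10 bytes, with stdcall the callee's `ret 4` already removed the argument, so esp is at 0xfd4 and main removes only its own alignment bytes. Both end with esp back at 0xfe0 before main's own leave/ret.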

Slide 27

OPTIMIZATION

Slide 28

OPTIMIZATION: Constant Folding
i = 320 * 200 * 32;
>> i = 2048000;
(example from wiki)

Slide 29

OPTIMIZATION: Constant Propagation & Folding
>> >> (example from wiki)

Slide 30

OPTIMIZATION: Tail Call
>> (example from wiki)

Slide 31

OPTIMIZATION: Some magic trick

Slide 32

OPTIMIZATION: Some magic trick
edx:eax = input*0x38e38e39
edx = (input*0x38e38e39)>>33
eax = input >> 31
edx = edx - eax
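The four lines above are what a compiler emits for a signed division by 9: 0x38e38e39 is 2^33/9 rounded up, the 64-bit product is shifted right by 33 (the high half of edx:eax, then one more `sar`), and subtracting the sign bit turns the floor into C's round-toward-zero result. The added example below (not code from the deck) reproduces the sequence in C and cross-checks it against a plain `/ 9` over a range of inputs including INT32_MIN and INT32_MAX; the helper sar64 and the name magic_div9 are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not the deck's code): the slide's magic-multiply
 * sequence for "input / 9" and a cross-check against real division. */
static const int32_t MAGIC = 0x38e38e39;   /* ceil(2^33 / 9) */

/* Arithmetic right shift (floor division by 2^n) written out explicitly, so
 * the result does not depend on how the compiler treats >> on negatives.
 * Inputs here are bounded by |INT32_MIN * MAGIC| < 2^62, so -v never overflows. */
static int64_t sar64(int64_t v, unsigned n) {
    return v < 0 ? -((-v - 1) >> n) - 1 : v >> n;
}

/* The compiler's sequence as shown on the slide. */
int32_t magic_div9(int32_t input) {
    int64_t edx_eax = (int64_t)input * MAGIC;   /* imul: 64-bit product in edx:eax */
    int32_t edx = (int32_t)sar64(edx_eax, 33);  /* take edx (>>32), then sar edx, 1 */
    int32_t eax = input < 0 ? -1 : 0;           /* sar eax, 31: the sign, 0 or -1 */
    return edx - eax;                           /* floor -> truncation for negatives */
}

/* Compares magic_div9 with x / 9 on edge values and a dense range.
 * Returns the number of mismatches (expected: 0). */
int magic_div9_mismatches(void) {
    int bad = 0;
    const int32_t edge[] = { INT32_MIN, INT32_MIN + 1, -10, -9, -8, -1, 0, 1,
                             8, 9, 10, INT32_MAX - 1, INT32_MAX };
    for (size_t i = 0; i < sizeof edge / sizeof edge[0]; i++)
        if (magic_div9(edge[i]) != edge[i] / 9) bad++;
    for (int32_t x = -100000; x <= 100000; x++)
        if (magic_div9(x) != x / 9) bad++;
    return bad;
}

int main(void) {
    printf("magic_div9(100) = %d, magic_div9(-100) = %d\n", magic_div9(100), magic_div9(-100));
    printf("mismatches against x / 9: %d\n", magic_div9_mismatches());
    return 0;
}
```

When reading a disassembly, the constant and the total shift are the two things to recover: for a divisor d the multiplier is roughly 2^(32+s)/d, so 2^33 / 0x38e38e39 ≈ 9 identifies the divisor, and the trailing `sub edx, eax` with eax = sign(input) is the tell-tale sign that the original division was signed.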

Slide 33

OPTIMIZATION: Some magic trick

Slide 34

CLASS & STRUCT

Slide 35

DEMO

Slide 36

CLASS & STRUCT: Memo for demo
▸ name mangling
▸ members are aligned to min(sizeof(member), pack)
▸ the end of the struct is aligned to min(maxMemberSize, pack)
▸ the whole struct is not padded according to its total length, but to the alignment value the struct uses
▸ to implement polymorphism, a class's first member points to the vtable
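The two alignment rules on the memo slide can be checked against the compiler. The added example below (not the deck's demo code) applies min(sizeof(member), pack) to each member and min(maxMemberSize, pack) to the struct's tail by hand, then compares the result with `offsetof`/`sizeof` for the same members declared as a real struct, once with the default packing and once under `#pragma pack(2)`. The member list, the struct names and the function names are this example's own; it assumes an x86-64 gcc/clang target where a scalar's natural alignment equals its sizeof, which is what the slide's rule relies on (arrays and nested structs need their element or member alignment instead).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not from the deck): the slide's two alignment rules,
 * applied by hand and checked against the compiler's actual layout. */
typedef struct { const char *name; size_t size; } member_t;          /* a scalar member */
typedef struct { size_t offset[8]; size_t size; size_t count; } layout_t;

static size_t min_sz(size_t a, size_t b)     { return a < b ? a : b; }
static size_t round_up(size_t v, size_t a)   { return (v + a - 1) / a * a; }

/* Rule 1: member offset aligned to min(sizeof(member), pack).
 * Rule 2: total size rounded up to min(maxMemberSize, pack). */
layout_t layout(const member_t *m, size_t n, size_t pack) {
    layout_t l = {{0}, 0, n};
    size_t cur = 0, max_member = 1;
    for (size_t i = 0; i < n && i < 8; i++) {
        size_t align = min_sz(m[i].size, pack);
        cur = round_up(cur, align);
        l.offset[i] = cur;
        cur += m[i].size;
        if (m[i].size > max_member) max_member = m[i].size;
    }
    l.size = round_up(cur, min_sz(max_member, pack));
    return l;
}

/* The same four members as real C structs. */
struct natural { char a; int b; char c; short d; };
#pragma pack(push, 2)
struct packed2  { char a; int b; char c; short d; };
#pragma pack(pop)

static const member_t members[] = {
    {"a", sizeof(char)}, {"b", sizeof(int)}, {"c", sizeof(char)}, {"d", sizeof(short)}
};

/* Total size the hand rule predicts for a given pack value. */
size_t rule_size(size_t pack) { return layout(members, 4, pack).size; }

/* 1 when the hand rule reproduces the compiler's offsets and size.
 * pack 8 is the default on x86-64; pack 2 is the #pragma pack(2) struct. */
int rule_matches_compiler(size_t pack) {
    layout_t l = layout(members, 4, pack);
    if (pack == 2)
        return l.offset[0] == offsetof(struct packed2, a) && l.offset[1] == offsetof(struct packed2, b) &&
               l.offset[2] == offsetof(struct packed2, c) && l.offset[3] == offsetof(struct packed2, d) &&
               l.size == sizeof(struct packed2);
    return l.offset[0] == offsetof(struct natural, a) && l.offset[1] == offsetof(struct natural, b) &&
           l.offset[2] == offsetof(struct natural, c) && l.offset[3] == offsetof(struct natural, d) &&
           l.size == sizeof(struct natural);
}

int main(void) {
    for (size_t pack = 1; pack <= 8; pack *= 2) {
        layout_t l = layout(members, 4, pack);
        printf("pack=%zu: a@%zu b@%zu c@%zu d@%zu size=%zu\n", pack,
               l.offset[0], l.offset[1], l.offset[2], l.offset[3], l.size);
    }
    printf("matches compiler: default=%d pack2=%d\n", rule_matches_compiler(8), rule_matches_compiler(2));
    return 0;
}
```

With the default packing the int forces `b` to offset 4 and the tail is padded from 11 to 12; under pack(2) the int may sit at offset 2, `d` lands at 8 and the struct ends at 10. That difference is what makes the pack value worth recovering when reversing a binary's structures: the same field list decodes to different offsets.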

Slide 37

BYEBYE
Next week's topics:
▸ Anti-Debug & Anti-Analyze
▸ PE-File format
▸ PE related trick