Slide 1

SECCON Beginners Tokyo: Binary track
© SECCON2017 All Rights Reserved

Slide 2

Preparation
Download the exercise archive binary.zip (download link as captured: http…files…binary…binary.zip).
Open a terminal and extract the downloaded zip:
    cd ~/Downloads
    unzip binary.zip
    cd binary
Do this inside the virtual machine.

Slide 3

About me
Basic info: Hasegawa Chihiro (ちひろ). University student → now working.
CTF team: TokyoWesterns
Likes: C, Ruby, Emacs

Slide 4

Contents
1. Introduction: what is binary analysis?
2. How a program is executed
3. Introduction to assembly language (x86)
4. Closing: towards the CTF

Slide 5

Introduction

Slide 6

Introduction: goals of this lecture
☐ Learn what binary analysis is
☐ Be able to read x86 assembly
☐ Solve the Reversing problems in the CTF that follows this lecture!

Slide 7

Introduction
What is a binary?
• A data format expressed in "0" and "1"
What is binary analysis?
• Mainly, analysing executable files to work out how they operate
• In CTF categories this corresponds to "Rev" or "Reversing"

Slide 8

Introduction: examples of Reversing problems in CTFs
• Analysing Linux executables
• Analysing Windows executables
• Analysing Android apps
• Analysing various other kinds of bytecode


Slide 10

Introduction: ELF binaries
ELF (Executable and Linkable Format)
• Used as the executable file format by most Linux and BSD operating systems
So how does a computer actually execute a program?

Slide 11

How a program is executed

Slide 12

How a program is executed
CPU (Central Processing Unit)
• Reads machine code and executes it one instruction at a time
Registers
• Working storage inside the CPU
• Fast, small capacity
Memory
• The device that stores data
• Slow, large capacity
Picture of memory (address → value):
    0x804860   0xdeadbeef
    0x804864   "Rev!"
    0x804868   0x90909090

Slide 13

How a program is executed: compilation
Source code (C) → compile → machine code → executable file
Machine code example: 55 89 e5 51 83 ec 04 83 ec 0c 68 c0 84 04 08 …

Slide 14

How a program is executed
Humans cannot read machine code... or can they, once they get used to it?
55 89 e5 51 83 ec 04 83 ec 0c 68 c0 84 04 08 …

Slide 15

Introduction to assembly language (x86)

Slide 16

Assembly language
• A language whose instructions correspond one-to-one with machine code (*with exceptions)
• Readable by humans
• Instruction = opcode + arguments (operands)
• Two notations: Intel syntax and AT&T syntax
Machine code b8 0a 00 00 00 ↔ assembly mov eax, 0xa

Slide 17

Intel syntax
mov eax, 0xa
opcode: mov; operands: ① destination operand (eax), ② source operand (0xa)
→ Appendix A: decimal/hex and ASCII quick reference

Slide 18

Disassembly
• Converting machine code back into assembly language
Machine code b8 0a 00 00 00 → assembly mov eax, 0xa

Slide 19

Exercise: run the distributed binary
    chmod u+x objdump_sample    ← grant execute permission
    ./objdump_sample
    Hello World

Slide 20

Exercise: disassemble it with the objdump command
    objdump -d objdump_sample -M intel
(-M intel selects the Intel syntax used throughout this deck; without it objdump prints AT&T syntax.)
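As an added example (not part of the SECCON slides and not the distributed objdump_sample binary), the Python script below decodes by hand the handful of 32-bit x86 encodings that appear in this deck, to make the one-to-one mapping between bytes and mnemonics concrete. The PROLOGUE bytes are the ones shown on the compilation slide; the LOOP bytes are my own hand assembly of the loop exercise that appears later at 0x8048060 (assumption: short jumps were used, which is what makes the instruction lengths match the slide's addresses).

```python
# Added example (not code from the slides): a tiny disassembler for the 32-bit x86
# encodings used in this deck, printing Intel syntax like `objdump -d -M intel`.
# Anything outside this small table is emitted as `db` so the reader sees the gap.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}   # opcode 0x83, /digit in ModR/M.reg
ALU_RM_R = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x39: "cmp", 0x89: "mov"}  # op r/m32, r32
JCC8 = {0x74: "je", 0x75: "jne", 0x7c: "jl", 0x7d: "jge", 0x7e: "jle", 0x7f: "jg", 0xeb: "jmp"}


def modrm(b):
    """Split a ModR/M byte into (mod, reg, rm). Only mod == 3 (register, register) is decoded here."""
    return b >> 6, (b >> 3) & 7, b & 7


def decode_one(code, pos, base):
    """Decode the instruction starting at code[pos]; return (length, text)."""
    op = code[pos]
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS[op - 0x50]}"
    if 0x58 <= op <= 0x5f:
        return 1, f"pop {REGS[op - 0x58]}"
    if 0x40 <= op <= 0x47:
        return 1, f"inc {REGS[op - 0x40]}"
    if 0x48 <= op <= 0x4f:
        return 1, f"dec {REGS[op - 0x48]}"
    if 0xb8 <= op <= 0xbf:                                  # mov r32, imm32
        return 5, f"mov {REGS[op - 0xb8]}, {struct.unpack_from('<I', code, pos + 1)[0]:#x}"
    if op == 0x68:                                          # push imm32
        return 5, f"push {struct.unpack_from('<I', code, pos + 1)[0]:#x}"
    if op in ALU_RM_R or op == 0x83:
        mod, reg, rm = modrm(code[pos + 1])
        if mod == 3 and op in ALU_RM_R:
            return 2, f"{ALU_RM_R[op]} {REGS[rm]}, {REGS[reg]}"
        if mod == 3 and reg in GROUP1:                      # 0x83: op r/m32, imm8 (sign-extended)
            imm = struct.unpack_from("<b", code, pos + 2)[0] & 0xffffffff
            return 3, f"{GROUP1[reg]} {REGS[rm]}, {imm:#x}"
    if op in JCC8:                                          # rel8: target = address of next insn + rel8
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return 2, f"{JCC8[op]} {(base + pos + 2 + rel) & 0xffffffff:#x}"
    if op == 0xc9:
        return 1, "leave"
    if op == 0xc3:
        return 1, "ret"
    return 1, f"db {op:#04x}"                               # unknown: one raw byte, keep going


def disassemble(code, base=0):
    """Linear sweep over the buffer; returns [(address, hex bytes, text)]."""
    out, pos = [], 0
    while pos < len(code):
        n, text = decode_one(code, pos, base)
        out.append((base + pos, code[pos:pos + n].hex(" "), text))
        pos += n
    return out


# Constructed inputs: the bytes shown on the compilation slide, and the loop exercise
# assembled by hand (short jumps assumed) so that it lands on the slide's addresses.
PROLOGUE = bytes.fromhex("55 89 e5 51 83 ec 04 83 ec 0c 68 c0 84 04 08")
LOOP = bytes.fromhex("b8 01 00 00 00 b9 00 00 00 00 eb 00 01 c8 41 83 f8 03 7c f8")

if __name__ == "__main__":
    for addr, raw, text in disassemble(LOOP, base=0x8048060):
        print(f"{addr:8x}:\t{raw:<24}\t{text}")
```

Like objdump, this is a linear sweep: it assumes every byte after the last instruction starts a new one, so data or padding embedded in a code section will be decoded as nonsense instructions and can desynchronise everything after it. When the output stops making sense, look for a jump target and restart the decoding there.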

Slide 21

IDA demo
1. Click the icon at the bottom left of the virtual machine's screen
2. Launch IDA demo from "Other" and choose New
3. Select the executable to analyse
4. Confirm that "ELF for Intel 386" is selected and click OK

Slide 22

Registers
• Used for temporary storage of computation results and the like
• General-purpose registers: eax ebx ecx edx esi edi (registers you may use freely)
• Special registers: ebp esp eip (registers with a dedicated purpose)


Slide 24

General-purpose registers
eax • arithmetic, and the return value of a function
ebx • arithmetic
ecx • arithmetic, and loop counters
edx • arithmetic (used heavily by multiplication and division)
Special registers
esp • points to the current top of the stack
ebp • points to the base of the current function's stack frame
eip • points to the next instruction to execute
Note: these roles are conventions; code is not required to follow them.

Slide 25

Instructions covered in this lecture
3.1 Assignment: mov, lea
3.2 Arithmetic: add/sub, imul/idiv, and/or/xor/not, inc/dec
3.3 Conditional branches: cmp, jmp family
3.4 Stack operations: push, pop
3.5 Function calls: call, leave, ret

Slide 26

Assignment instructions

Slide 27

mov (MOVe)
• Moves a value
• The source is unchanged (the source value is copied to the destination)
• To access a value stored in memory, use [ ]
mov eax, ebx            copy the value of ebx into eax
mov eax, DWORD PTR [ebx] treat the value of ebx as an address and load the value stored there into eax
mov DWORD PTR [eax], ebx treat the value of eax as an address and store the value of ebx there
DWORD (Double Word, 4 bytes) states the size of the memory access.

Slide 28

lea (Load Effective Address)
• Computes the address of the source operand and stores it in the destination
• It is an address-calculation instruction, but compilers also use it for plain arithmetic
• Unlike mov, it does not access the value stored at the computed address
lea eax, [ebx+imm]   store ebx + imm in eax (ebx itself is unchanged)

Slide 29

Exercise: what value does eax hold at the end?
    Program                 eax   ebx
    mov eax, 0x1
    lea ebx, [eax + 0x5]
    mov eax, ebx            ?

Slide 30

Answer: what value does eax hold at the end?
    Program                 eax   ebx
    mov eax, 0x1            1     -
    lea ebx, [eax + 0x5]    1     6
    mov eax, ebx            6     6

Slide 31

Arithmetic instructions

Slide 32

add/sub (ADDition, SUBtraction)
• Addition / subtraction
add eax, 0x1   store eax + 1 in eax
inc/dec (INCrement, DECrement)
• Increase / decrease a value by one
inc eax        store eax + 1 in eax (same effect as the add eax, 0x1 above)

Slide 33

imul/idiv (sIgned MULtiply / sIgned DIVide)
• Multiplication / division
imul eax, ebx   store eax × ebx in eax
  * This two-operand form keeps only the low 32 bits of the product; the one-operand form imul ebx writes the full 64-bit product to edx:eax.
idiv ebx        divide by ebx: the quotient goes to eax, the remainder to edx
  * idiv actually divides the 64-bit value edx:eax, so compiled code sign-extends eax into edx first (cdq); if edx holds garbage the result is wrong or the CPU faults.

Slide 34

and/or/xor/not
• Bitwise AND / OR / exclusive OR / NOT
xor eax, eax   store eax XOR eax in eax
• XOR of a value with itself is 0 → usable to zero a register
    mov eax, 0x0   = b8 00 00 00 00
    xor eax, eax   = 31 c0
Aside: zeroing with xor gives shorter machine code!

Slide 35

Exercise: what value does eax hold at the end?
    Program          eax   ebx
    mov eax, 0x1
    mov ebx, 0x2
    add eax, 0x5
    dec eax
    imul eax, ebx    ?

Slide 36

Answer: what value does eax hold at the end?
    Program          eax   ebx
    mov eax, 0x1     1     -
    mov ebx, 0x2     1     2
    add eax, 0x5     6     2
    dec eax          5     2
    imul eax, ebx    10    2

Slide 37

Conditional branch instructions

Slide 38

Conditional branches
• Implemented by combining cmp with the jmp family
• Conditional branches are also how loops are implemented
cmp (CoMPare)
• Compares its two operands and updates the flags register according to the result
jmp family
• Transfers control to the address given by the operand
• Conditional jumps transfer control or fall through depending on the result of the preceding cmp

Slide 39

jmp family (a selection)
• jmp (JuMP)                    unconditional
• je  (Jump if Equal)           equal
• jne (Jump if Not Equal)       not equal
• jle (Jump if Less or Equal)   less than or equal
• jge (Jump if Greater or Equal) greater than or equal
• jl  (Jump if Less)            less than
• jg  (Jump if Greater)         greater than
• ja  (Jump if Above)           greater than, operands treated as unsigned integers
• jbe (Jump if Below or Equal)  less than or equal, operands treated as unsigned integers
Note: jl/jle/jg/jge treat the operands as signed integers; ja/jae/jb/jbe are their unsigned counterparts, and the two families can disagree on the same bytes (0xffffffff is -1 signed but the largest unsigned value).

Slide 40

Exercise: what value does eax hold at the end?
    Address     Program          eax   ecx
    0x8048060   mov eax, 0x1
    0x8048065   mov ecx, 0x0
    0x804806a   jmp 0x804806c
    0x804806c   add eax, ecx
    0x804806e   inc ecx
    0x804806f   cmp eax, 0x3
    0x8048072   jl 0x804806c

Slide 41

Answer (pass ①): what value does eax hold at the end?
    Address     Program          eax   ecx
    0x8048060   mov eax, 0x1     1     -
    0x8048065   mov ecx, 0x0     1     0
    0x804806a   jmp 0x804806c    1     0
    0x804806c   add eax, ecx     1     0
    0x804806e   inc ecx          1     1
    0x804806f   cmp eax, 0x3     1     1
    0x8048072   jl 0x804806c     1     1    ① 1 < 3, so the jump is taken

Slide 42

Answer (pass ②): what value does eax hold at the end?
    Address     Program          eax   ecx
    0x8048060   mov eax, 0x1     1     -
    0x8048065   mov ecx, 0x0     1     0
    0x804806a   jmp 0x804806c    1     0
    0x804806c   add eax, ecx     2     1
    0x804806e   inc ecx          2     2
    0x804806f   cmp eax, 0x3     2     2
    0x8048072   jl 0x804806c     2     2    ② 2 < 3, so the jump is taken again

Slide 43

Answer (pass ③, final): what value does eax hold at the end?
    Address     Program          eax   ecx
    0x8048060   mov eax, 0x1     1     -
    0x8048065   mov ecx, 0x0     1     0
    0x804806a   jmp 0x804806c    1     0
    0x804806c   add eax, ecx     4     2
    0x804806e   inc ecx          4     3
    0x804806f   cmp eax, 0x3     4     3
    0x8048072   jl 0x804806c     4     3    4 < 3 is false, so execution falls through: eax = 4

Slide 44

Stack operation instructions

Slide 45

push/pop (PUSH / POP)
• Instructions that operate on the stack
• push places a value on top of the stack; esp is decremented automatically
• pop moves the value on top of the stack into a register; esp is incremented automatically

Slide 46

The stack: LIFO (Last In, First Out), the last value pushed is the first one popped
Figure: before push 0xa, esp points at the current top of the stack.

Slide 47

The stack: LIFO (Last In, First Out), the last value pushed is the first one popped
Figure: after push 0xa, the value 10 occupies a new slot at the top and esp points at it.

Slide 48

The stack: LIFO (Last In, First Out), the last value pushed is the first one popped
Figure: before pop ecx, the value 10 is at the top of the stack (esp) and ecx is empty.

Slide 49

The stack: LIFO (Last In, First Out), the last value pushed is the first one popped
Figure: after pop ecx, ecx = 10 and esp has moved up by one slot.

Slide 50

Function call instructions

Slide 51

Functions
• A program is normally split into functions, one per feature
call (CALL)
• Used to invoke a function
• At run time it pushes the address of the instruction following the call onto the stack
• Seen from the callee that address is where to go back to, so it is called the return address
• The function's arguments are pushed onto the stack beforehand
ret (RETurn)
• Used to go back from a function to its caller
• Transfers control to the return address that call saved on the stack

Slide 52

Example: a function add that returns the sum of two given values a and b
    main:
        sub esp, 0x8
        mov DWORD PTR [esp], 1
        mov DWORD PTR [esp+0x4], 2
        call add
        mov ebx, eax
        (rest omitted)

    add:
        push ebp
        mov ebp, esp
        sub esp, 16
        mov edx, DWORD PTR [ebp+0x8]
        mov eax, DWORD PTR [ebp+0xc]
        add eax, edx
        mov DWORD PTR [ebp-0x4], eax
        leave
        ret
Note: to save space, DWORD PTR is omitted on the following slides.

Slide 53

Walkthrough of main (sub esp, 0x8 / mov [esp], 1 / mov [esp+0x4], 2 / call add / mov ebx, eax)
Figure: before the first instruction, esp and ebp with N bytes between them.
Note: ebp and esp are drawn very close together to fit on the slide; in reality they are much further apart.

Slide 54

sub esp, 0x8: esp is lowered by 8 bytes to make room for the arguments.
Figure: the old top is now esp+0x8; ebp is unchanged.

Slide 55

mov [esp], 1: the first argument is placed on the stack.
Figure: 4-byte value 1 at esp; esp+0x4 and esp+0x8 above it; ebp unchanged.

Slide 56

mov [esp+0x4], 2: the second argument is placed on the stack.
Figure: 1 at esp, 2 at esp+0x4, old top at esp+0x8.
Note: push 2 followed by push 1 produces the same layout.

Slide 57

call add: pushes the address of the instruction after the call (the return address) and jumps to add.
Figure: return address at esp, 1 at esp+0x4, 2 at esp+0x8, old top at esp+0xc; ebp unchanged.

Slide 58

Inside add (push ebp / mov ebp, esp / sub esp, 16 / mov edx, [ebp+8] / mov eax, [ebp+12] / add eax, edx / mov [ebp-4], eax / leave / ret)
push ebp: the caller's (main's) ebp is pushed onto the stack to save it.
Figure: main's ebp at esp, return address at esp+4, 1 at esp+8, 2 at esp+12, old top at esp+16; ebp still points at main's frame.

Slide 59

mov ebp, esp: ebp now points at the slot holding main's saved ebp; from here on the arguments and locals are addressed relative to ebp.
Figure: same layout as before (main's ebp at esp, return address at esp+4, 1 at esp+8, 2 at esp+12), with ebp = esp.

Slide 60

sub esp, 16: esp is lowered by 16 bytes to reserve the area add uses for its own variables.
Figure: esp → 16-byte local area; ebp → caller's ebp; ebp+4 → return address; ebp+8 → 1; ebp+12 → 2.

Slide 61

mov edx, [ebp+8] / mov eax, [ebp+12] / add eax, edx (eax = 1 + 2) / mov [ebp-4], eax
Figure: the result 3 is stored at ebp-4 inside the local area; ebp → main's ebp; ebp+4 → return address; ebp+8 → 1; ebp+12 → 2.

Slide 62

Arguments passed to a function are reached as [ebp+8] (first argument), [ebp+12] (second argument), and so on.
The function's local variables are reached as [ebp-4], [ebp-8], and so on.
Figure: the same frame, with 3 at ebp-4, main's ebp at ebp, the return address at ebp+4, 1 at ebp+8 and 2 at ebp+12.

Slide 63

leave behaves as: mov esp, ebp ; pop ebp
Figure (after mov esp, ebp): esp = ebp, pointing at main's saved ebp; the 16-byte local area with 3 in it is now below esp, i.e. discarded.

Slide 64

leave behaves as: mov esp, ebp ; pop ebp
Figure (after pop ebp): ebp is restored to main's ebp and esp now points at the return address; 1 and 2 sit above it.

Slide 65

ret behaves like pop eip (there is no actual pop eip instruction): the return address is popped into eip and esp moves up by 4.
Figure: eip = return address; esp now points at the argument 1, with 2 above it; ebp = main's ebp.
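As an added example, not code from the slides, here is a minimal interpreter in Python for exactly the instruction subset this deck covers. It re-runs the register-tracing exercises from the earlier slides and steps the main/add example with a real stack, so the frame layout just described ([ebp+8] first argument, [ebp+12] second, [ebp-4] local, [ebp+4] return address) can be inspected rather than drawn. The initial esp value, the use of instruction indexes as "addresses", the labels that replace the slide's numeric jump targets, and the add esp, 0x8 / ret appended to main (the slide cuts main off after mov ebx, eax) are all my assumptions.

```python
# Added example (not code from the slides): a minimal interpreter for the x86-32 subset this
# deck teaches. Registers, a stack of 4-byte cells, cmp/jcc with distinct signed and unsigned
# conditions, and call/ret/leave behave as the slides describe; everything else is omitted.
import operator as o
import re

REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
MASK = 0xffffffff


def signed(v):                                     # two's-complement view of a 32-bit value
    return v - (1 << 32) if v & 0x80000000 else v


ALU = {"add": o.add, "sub": o.sub, "and": o.and_, "or": o.or_, "xor": o.xor,
       "imul": lambda x, y: signed(x) * signed(y)}              # two-operand imul: low 32 bits kept
JCC = {"je": o.eq, "jne": o.ne, "ja": o.gt, "jbe": o.le,        # ja/jbe compare the raw (unsigned) values
       "jl": lambda a, b: signed(a) < signed(b), "jle": lambda a, b: signed(a) <= signed(b),
       "jg": lambda a, b: signed(a) > signed(b), "jge": lambda a, b: signed(a) >= signed(b)}


def parse(src):                                    # 'label:' -> index; 'op a, b' -> (op, [a, b])
    prog, labels = [], {}
    for line in (l.split(";")[0].strip() for l in src.splitlines()):
        if line.endswith(":"):
            labels[line[:-1]] = len(prog)
        elif line:
            op, _, rest = line.partition(" ")
            prog.append((op, [t.strip() for t in rest.replace("DWORD PTR", "").split(",") if t.strip()]))
    return prog, labels


class CPU:
    def __init__(self, stack_top=0xbffff000):      # the initial esp is an assumption, not from the slides
        self.r = dict.fromkeys(REGS, 0)
        self.r["esp"] = stack_top
        self.mem, self.cmp, self.last_ebp = {}, (0, 0), None   # mem: 4-byte cells keyed by address

    def addr(self, tok):                            # '[reg]', '[reg + imm]', '[reg - imm]'
        total = 0
        for sign, term in re.findall(r"([+-]?)\s*([^\s+-]+)", tok.strip("[]")):
            total += (-1 if sign == "-" else 1) * (self.r[term] if term in self.r else int(term, 0))
        return total & MASK

    def value(self, tok):                           # register, memory operand or immediate
        if tok in self.r:
            return self.r[tok]
        return self.mem.get(self.addr(tok), 0) if tok.startswith("[") else int(tok, 0) & MASK

    def set(self, tok, v):
        if tok in self.r:
            self.r[tok] = v & MASK
        else:
            self.mem[self.addr(tok)] = v & MASK

    def push(self, v):
        self.r["esp"] = (self.r["esp"] - 4) & MASK
        self.mem[self.r["esp"]] = v & MASK

    def pop(self):
        v = self.mem.get(self.r["esp"], 0)
        self.r["esp"] = (self.r["esp"] + 4) & MASK
        return v

    def step(self, op, a):
        v = self.value
        if op == "mov": self.set(a[0], v(a[1]))
        elif op == "lea": self.set(a[0], self.addr(a[1]))          # address only, never dereferenced
        elif op in ALU: self.set(a[0], ALU[op](v(a[0]), v(a[1])))
        elif op in ("inc", "dec"): self.set(a[0], v(a[0]) + (1 if op == "inc" else -1))
        elif op == "cmp": self.cmp = (v(a[0]), v(a[1]))            # both operands kept for the next jcc
        elif op == "jmp" or (op in JCC and JCC[op](*self.cmp)): self.eip = self.labels[a[0]]
        elif op in JCC: pass                                        # condition false: fall through
        elif op == "push": self.push(v(a[0]))
        elif op == "pop": self.set(a[0], self.pop())
        elif op == "call": self.push(self.eip); self.eip = self.labels[a[0]]  # return "address" = next index
        elif op == "leave":                                         # mov esp, ebp ; pop ebp
            self.last_ebp = self.r["esp"] = self.r["ebp"]           # ebp remembered so the frame can be inspected
            self.r["ebp"] = self.pop()
        elif op == "ret": self.eip = self.pop()                     # "pop eip"
        else: raise ValueError(f"unsupported instruction: {op}")

    def run(self, src, entry="main", max_steps=10_000):
        self.prog, self.labels = parse(src)
        end = len(self.prog)
        self.push(end)                              # act as the caller: return address just past the end
        self.eip = self.labels.get(entry, 0)
        for _ in range(max_steps):
            if self.eip == end:
                return self
            op, args = self.prog[self.eip]
            self.eip += 1
            self.step(op, args)
        raise RuntimeError("step limit exceeded")


# Constructed programs: the loop exercise (addresses replaced by labels) and the main/add
# example from the slides, with main's argument clean-up and ret written out.
EX_LOOP = "mov eax, 0x1\nmov ecx, 0x0\njmp body\nbody:\nadd eax, ecx\ninc ecx\ncmp eax, 0x3\njl body"
EX_CALL = """main:
    sub esp, 0x8
    mov DWORD PTR [esp], 1
    mov DWORD PTR [esp+0x4], 2
    call add
    mov ebx, eax
    add esp, 0x8        ; caller discards its two arguments (assumed cdecl clean-up)
    ret
add:
    push ebp
    mov ebp, esp
    sub esp, 16
    mov edx, DWORD PTR [ebp+0x8]
    mov eax, DWORD PTR [ebp+0xc]
    add eax, edx
    mov DWORD PTR [ebp-0x4], eax
    leave
    ret
"""


def run_program(src):
    """Execute src on a fresh CPU and return it for inspection."""
    return CPU().run(src)
```

run_program(EX_CALL).r["eax"] is 3, and because leave records ebp before tearing the frame down, cpu.mem[cpu.last_ebp + 8] is the first argument and cpu.mem[cpu.last_ebp - 4] the local copy of the sum. The three register exercises can be passed in as plain strings ("mov eax, 0x1\nlea ebx, [eax + 0x5]\nmov eax, ebx" ends with eax = 6). idiv is deliberately left out; if you add it, remember that it divides edx:eax, so model cdq too.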

Slide 66

Instructions covered in this lecture (recap)
3.1 Assignment: mov, lea
3.2 Arithmetic: add/sub, imul/idiv, and/or/xor/not, inc/dec
3.3 Conditional branches: cmp, jmp family
3.4 Stack operations: push, pop
3.5 Function calls: call, leave, ret
→ Appendix F: reference books and PDFs

Slide 67

Closing

Slide 68

Closing: the procedure for a Reversing problem
1. Download the file
2. Grant execute permission: chmod u+x <target file>
3. Run it and observe its behaviour (only inside the virtual machine, as in the preparation step: CTF binaries are untrusted code)
4. Disassemble it with objdump or IDA and analyse

Slide 69

Closing: to move on to the next level (personal opinion)
• Get comfortable with C/C++ → Appendix G
• Learn dynamic analysis with a debugger such as gdb and with tracers (essential) → Appendices C and D
• Reversing problems often mix in cryptography, mathematics and algorithms, so build broad knowledge
• Get used to skipping over code that does not matter for the problem

Slide 70

Closing: goals of this lecture
☑ Learn what binary analysis is
☑ Be able to read x86 assembly
☐ Solve the Reversing problems in the CTF that follows this lecture!

Slide 71

Thank you!

Slide 72

Appendix

Slide 73

Appendix A: decimal/hex and ASCII quick reference
How to read the table: decimal 65 is 0x41 in hexadecimal, which is the character "A" in ASCII.

Slide 74

Appendix B: arithmetic with Python
Type "python" in a terminal to start the interpreter. It can do:
• decimal ⇔ hexadecimal conversion
• the four arithmetic operations
• bitwise operations (&, |, ^, ~)
• ASCII conversion with the chr() and ord() functions

Slide 75

Appendix C: using gdb (gdb-peda)
gdb
• The GNU debugger
• peda is an extension of gdb written in Python (recommended)
Debugger
• A tool for analysing a program interactively
Breakpoint
• A marker the debugger recognises, stopping the program when it is reached
Benefits of using a debugger
• You can see the values of registers and variables
• Set a breakpoint and let the program run automatically up to a given instruction

Slide 76

Appendix C: using gdb (gdb-peda)
Figure: peda's context display, with panes for the registers, the program (disassembly around eip) and the stack.

Slide 77

Appendix C: using gdb (gdb-peda)
• Start: gdb <target file>
• Set a breakpoint at main: gdb-peda$ break main
• Set a breakpoint at an address: gdb-peda$ break *<address>
• Execute one step without entering called functions: gdb-peda$ next
• Execute one step, entering called functions: gdb-peda$ step
• Continue automatically until the next breakpoint: gdb-peda$ continue
• Run: gdb-peda$ run
• Run and stop automatically at main: gdb-peda$ start
Note: next and step move by one source line when the binary has debug information; for stripped CTF binaries, or to move exactly one machine instruction, use nexti and stepi (peda also accepts ni and si).

Slide 78

Appendix C: using gdb (gdb-peda)
• Show values stored in memory (e.g. N 4-byte words in hexadecimal): gdb-peda$ x/Nwx <address>
• Show a string stored in memory: gdb-peda$ x/s <address>
• Change a register (e.g. overwrite eax): gdb-peda$ set $eax = <value>
• Change memory (e.g. overwrite the int at an address): gdb-peda$ set {int}<address> = <value>
• Look at the stack (e.g. N lines): gdb-peda$ telescope N

Slide 79

Appendix D: using ltrace / strace
ltrace
• Shows the program's library function calls in a readable form
    ltrace <file to run>

Slide 80

Appendix D: using ltrace / strace
strace
• Shows the program's system calls in a readable form
    strace <file to run>
System call: the mechanism through which a program invokes functionality provided by the OS.

Slide 81

Appendix E: what is x86?
• Intel's 16-bit CPU called the 8086 was the first x86 CPU
• Its successors include the 80286 and the 80386
• The 80386 in particular is a 32-bit CPU, and that is the architecture this lecture deals with
• Today 64-bit CPUs, called x86-64 (x64), are the mainstream; they also appear frequently in CTFs, so learning them is recommended

Slide 82

Appendix F: reference books and PDFs
• セキュリティコンテストチャレンジブック
• セキュリティコンテストのためのCTF問題集
• デバッガによるx86プログラム解析入門【x64対応版】
• たのしいバイナリの歩き方
• リバースエンジニアリングバイブル
• 自作エミュレータで学ぶx86アーキテクチャ
• BINARY HACKS
• 大熱血アセンブラ入門
• IA-32 インテル® アーキテクチャ ソフトウェア・デベロッパーズ・マニュアル

Slide 83

Appendix G: common C functions
printf
• Prints the characters stored at the address given as its first argument (the format string)
scanf
• Reads input; the value read is stored at the address given as its second argument
strlen
• Returns the length of the string stored at the address given as its first argument
atoi
• Converts the string stored at the address given as its first argument to a number

Slide 84

Appendix H: tips for reading disassembly
• Look at eax after a call
  • A function's return value is stored in eax
• Look at the values pushed before a call
  • A function's arguments are placed on the stack
• Look at the ASCII text inside the binary
  • Bytes from 0x20 (space) to 0x7e (~) are printable characters
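An added example for the third tip (not code from the slides): a small strings-style scanner that pulls out runs of printable ASCII bytes, using exactly the 0x20..0x7e range given above. The sample buffer is constructed here from machine-code bytes that appear in this deck with two text strings spliced between them; the prompt text is invented for the example. A minimum run length is applied because opcode bytes are often printable too (0x41 is both inc ecx and "A"), which is the main source of false positives when you do this on a real binary.

```python
# Added example (not code from the slides): a `strings`-style scanner for the tip
# "look at the ASCII text in the binary". Printable bytes are 0x20..0x7e as the slide
# says; runs shorter than min_len are dropped to suppress code bytes that happen to be printable.
def find_strings(data, min_len=4):
    """Return [(offset, text)] for every run of at least min_len printable ASCII bytes."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):      # trailing sentinel flushes a run at end of data
        if 0x20 <= b <= 0x7e:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


# Constructed sample: code bytes from the slides around two text strings. The bytes
# 41 41 31 decode as "AA1", a typical false positive that min_len=4 filters out.
SAMPLE = (bytes.fromhex("55 89 e5 83 ec 0c") + b"Hello World!\x00"
          + bytes.fromhex("b8 0a 00 00 00 41 41 31 c0") + b"Enter the password: \x00"
          + bytes.fromhex("c9 c3"))

if __name__ == "__main__":
    for offset, text in find_strings(SAMPLE):
        print(f"{offset:#06x}  {text!r}")
```

On a real ELF the same scan is what the strings command does; the offsets it reports are file offsets, so to find where the string is referenced you still need objdump or IDA to look for the corresponding virtual address being pushed before a call (the second tip above).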