Slide 1

Slide 1 text

Reverse Engineering  terrynini38514 terrynini

Slide 2

Slide 2 text

WHO AM I ?

Slide 3

Slide 3 text

ID: Terrynini38514
▸ National Chiao Tung University LAB, master's degree program (security)
▸ Things I can still brag about: FireEye Flare-On Challenge cleared
▸ CTF team: DoubleSigma (since absorbed into Balsn and made part of it), Balsn (no photo available)

Slide 4

Slide 4 text

C switch: fewer cases

Slide 5

Slide 5 text

C switch: more cases, ordered, no PIE

Slide 6

Slide 6 text

C switch: more cases, ordered, PIE

Slide 7

Slide 7 text

C switch: more cases, ordered, PIE ▸ (add a jump table figure here)

Slide 8

Slide 8 text

DEMO?

Slide 9

Slide 9 text

C switch: more cases, random
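The three switch variants above differ only in what the compiler emits: a handful of cases becomes a chain of compares, a run of consecutive case values becomes a bounds check plus an indexed jump through a table (absolute code addresses without PIE, 32-bit offsets relative to the table with PIE, which is why the PIE version has an extra lea/add before the jmp), and widely spread "random" values go back to compares because a table indexed by value would be huge. The following C is an added example, not code from the deck: it writes the dense dispatch by hand the way the compiled code performs it, next to the original switch, so the two can be compared. All function and table names are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference: a switch with consecutive (dense) case values.
 * Compilers typically turn this into a bounds check plus an indexed jump. */
int dense_switch(int cmd)
{
    switch (cmd) {
    case 10: return 100;
    case 11: return 110;
    case 12: return 120;
    case 13: return 130;
    case 14: return 140;
    case 15: return 150;
    default: return -1;
    }
}

/* The same dispatch written the way the compiled code does it. Each table
 * entry is a code address; the compiler's table holds the addresses of the
 * case labels and is reached with one indirect jmp. (Hypothetical names.) */
static int case_10(void) { return 100; }
static int case_11(void) { return 110; }
static int case_12(void) { return 120; }
static int case_13(void) { return 130; }
static int case_14(void) { return 140; }
static int case_15(void) { return 150; }
static int case_default(void) { return -1; }

#define DENSE_LO 10
#define DENSE_HI 15

static int (*const jump_table[])(void) = {
    case_10, case_11, case_12, case_13, case_14, case_15,
};

int dense_as_jump_table(int cmd)
{
    /* One unsigned compare covers both "below LO" and "above HI": a negative
     * (cmd - LO) wraps to a huge unsigned value. This is the
     * `sub eax, LO ; cmp eax, HI-LO ; ja default` pattern seen in disassembly,
     * and it is the check that keeps the index inside the table. */
    uint32_t idx = (uint32_t)cmd - DENSE_LO;
    if (idx > DENSE_HI - DENSE_LO)
        return case_default();
    return jump_table[idx]();        /* jmp [table + idx*8] */
}

/* Sparse ("random") case values: a value-indexed table would be mostly
 * empty, so the compiler emits a chain (or a tree) of compares instead. */
int sparse_switch(int cmd)
{
    switch (cmd) {
    case 7:      return 1;
    case 42:     return 2;
    case 0x1337: return 3;
    case 0xdead: return 4;
    default:     return 0;
    }
}

int sparse_as_compare_chain(int cmd)
{
    if (cmd == 7)      return 1;
    if (cmd == 42)     return 2;
    if (cmd == 0x1337) return 3;
    if (cmd == 0xdead) return 4;
    return 0;
}

/* Cross-check the hand-rolled forms against the real switch statements,
 * including negative and out-of-range inputs. */
int dispatch_forms_agree(void)
{
    for (int cmd = -20; cmd < 0xf000; cmd++) {
        if (dense_switch(cmd) != dense_as_jump_table(cmd)) return 0;
        if (sparse_switch(cmd) != sparse_as_compare_chain(cmd)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("hand-rolled forms agree with switch: %d\n", dispatch_forms_agree());
    printf("dense_as_jump_table(13) = %d, dense_as_jump_table(-3) = %d\n",
           dense_as_jump_table(13), dense_as_jump_table(-3));
    return 0;
}
```

When reading a binary, the unsigned bounds check in front of the indirect jump is the landmark: the immediate in the `cmp` tells you how many table entries there are, and the subtracted constant tells you the lowest case value.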

Slide 10

Slide 10 text

DEMO?

Slide 11

Slide 11 text

C do-while loop

Slide 12

Slide 12 text

C while loop

Slide 13

Slide 13 text

C for loop

Slide 14

Slide 14 text

PRACTICE-02

Slide 15

Slide 15 text

MEMORY

Slide 16

Slide 16 text

MEMORY Endian: memory runs from the low memory address to the high memory address, one byte per cell; the value 0x12345678 has a high-order end and a low-order end.

Slide 17

Slide 17 text

MEMORY Endian: 0x12345678 split into its bytes 0x12 0x34 0x56 0x78 (high-order byte 0x12, low-order byte 0x78); which end lands at the low memory address is the endianness.

Slide 18

Slide 18 text

MEMORY Little Endian: the low-order byte goes at the low memory address, so 0x12345678 is stored as 0x78 0x56 0x34 0x12 from the low to the high memory address (the high-order byte 0x12 ends up at the high address).

Slide 19

Slide 19 text

MEMORY Little Endian: rax -> 0x78 0x56 0x34 0x12 (low to high memory address)
  byte ptr [rax]  = 0x78
  word ptr [rax]  = 0x5678
  dword ptr [rax] = 0x12345678
  qword ptr [rax], oword ptr [rax]: 8 and 16 bytes, same rule
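The byte/word/dword views above are what an x86 load of each width returns from the same address. The C below is an added example (not from the deck) that does the same assembly of bytes in software, which is also how a parser should read multi-byte fields out of a buffer instead of casting to a wider pointer: it is correct on any host byte order and has no alignment or aliasing problems. The sample bytes and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 8 bytes at rax, lowest address first.
 * The first four are the dword 0x12345678 stored little-endian. */
const uint8_t SAMPLE_MEM[8] = { 0x78, 0x56, 0x34, 0x12, 0xef, 0xcd, 0xab, 0x90 };

/* Assemble an n-byte little-endian integer (n <= 8): the byte at the lowest
 * address is the least significant. This is what byte/word/dword/qword ptr
 * [rax] read on x86, and it works the same whatever the host's own byte
 * order, so parsers should do it this way rather than cast the buffer. */
uint64_t load_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Big-endian counterpart (network byte order): the byte at the lowest
 * address is the most significant. */
uint64_t load_be(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Inverse of load_le: write v into n bytes, least significant byte first. */
void store_le(uint8_t *p, uint64_t v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* store_le followed by load_le must give v back (for n-byte values). */
int roundtrip_ok(uint64_t v, size_t n)
{
    uint8_t buf[8] = {0};
    store_le(buf, v, n);
    return load_le(buf, n) == v;
}

/* Runtime check of the host byte order: store 0x12345678 and look at the
 * byte at the lowest address. A little-endian host (x86, most ARM) puts
 * 0x78 there; a big-endian host puts 0x12. */
int host_is_little_endian(void)
{
    uint32_t x = 0x12345678u;
    uint8_t first;
    memcpy(&first, &x, 1);
    return first == 0x78;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("byte  ptr [rax] = 0x%02llx\n",  (unsigned long long)load_le(SAMPLE_MEM, 1));
    printf("word  ptr [rax] = 0x%04llx\n",  (unsigned long long)load_le(SAMPLE_MEM, 2));
    printf("dword ptr [rax] = 0x%08llx\n",  (unsigned long long)load_le(SAMPLE_MEM, 4));
    printf("qword ptr [rax] = 0x%016llx\n", (unsigned long long)load_le(SAMPLE_MEM, 8));
    printf("same 4 bytes read big-endian = 0x%08llx\n",
           (unsigned long long)load_be(SAMPLE_MEM, 4));
    return 0;
}
```

The same four bytes read as 0x12345678 little-endian and 0x78563412 big-endian; when a value in a dump "looks reversed", that is the whole explanation.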

Slide 20

Slide 20 text

STACK FRAME

Slide 21

Slide 21 text

BABY STEP Stack Frame Abstraction: main's stack frame sits at the high memory address, below it bossA's stack frame, then bossB's stack frame; the stack grows up toward 0 (the low memory address).


Slide 23

Slide 23 text

BABY STEP Stack Frame (low memory address at the top, high memory address at the bottom; the highlighted instruction is where RIP points) (assume our input is x)

Slide 24

Slide 24 text

BABY STEP Stack Frame (assume our input is x):
  0x1000  0x40  <- esp

Slide 25

Slide 25 text

BABY STEP Stack Frame:
  0x1000  0x40  <- esp
  0xffc   return address 0x8048536

Slide 26

Slide 26 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536  <- esp

Slide 27

Slide 27 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536  <- esp
  0xff8   old ebp (main's ebp)

Slide 28

Slide 28 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536
  0xff8   old ebp (main's ebp)  <- esp, ebp

Slide 29

Slide 29 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536
  0xff8   old ebp (main's ebp)  <- ebp
  0xfe0   buffer for bossA's local variables (up to 0xff8)  <- esp

Slide 30

Slide 30 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536
  0xff8   old ebp (main's ebp)  <- ebp
  0xfe0   buffer for bossA's local variables (up to 0xff8)  <- esp
  eax: 0x40

Slide 31

Slide 31 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536
  0xff8   old ebp (main's ebp)  <- ebp
  0xfe0   buffer for bossA's local variables (up to 0xff8)  <- esp
  eax: 0x40
SKIP SOME OPERATIONS!

Slide 32

Slide 32 text

BABY STEP Stack Frame:
  0x1000  0x40
  0xffc   return address 0x8048536
  0xff8   old ebp (main's ebp)  <- ebp
  0xfe0   buffer for bossA's local variables (up to 0xff8)  <- esp
  eax: 0x20
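The frame drawn above (argument, return address, saved ebp, then the callee's locals at lower addresses) can be observed from inside a running program. The C below is an added example, not code from the deck: a stand-in bossA reads its own frame pointer and the two words saved right above it, and a stand-in caller passes 0x40 so the addresses can be compared. The struct and function names are made up for the example. The frame walk assumes the usual layout in which the frame pointer points at the saved caller frame pointer with the return address directly above it (x86 and AArch64 with frame pointers; `__builtin_frame_address` and `__builtin_return_address` are GCC/Clang builtins); on other targets check it in a debugger.

```c
#include <stdint.h>
#include <stdio.h>

/* What a call to bossA leaves behind, as seen from inside bossA. */
struct frame_probe {
    uintptr_t caller_local;     /* address of a local in the caller's frame             */
    uintptr_t callee_local;     /* address of bossA's local buffer                      */
    uintptr_t callee_fp;        /* bossA's frame pointer (ebp/rbp after the prologue)    */
    uintptr_t saved_caller_fp;  /* [ebp]: the caller's frame pointer ("old ebp")         */
    uintptr_t saved_ret;        /* [ebp+4] / [rbp+8]: the return address pushed by call  */
    uintptr_t builtin_ret;      /* the same return address as the compiler reports it    */
    uintptr_t caller_fp;        /* the caller's own frame pointer, for comparison        */
};

/* Stand-in for the slides' bossA: one integer argument, a small local buffer.
 * noinline keeps it a real call so a frame is actually built. */
__attribute__((noinline)) static int bossA(int x, struct frame_probe *p)
{
    volatile char buffer[16];                      /* "buffer for bossA's local variables" */
    uintptr_t *fp = __builtin_frame_address(0);    /* ebp after: push ebp ; mov ebp, esp   */
    buffer[0] = (char)x;
    p->callee_local    = (uintptr_t)buffer;
    p->callee_fp       = (uintptr_t)fp;
    p->saved_caller_fp = fp[0];                    /* old ebp                              */
    p->saved_ret       = fp[1];                    /* return address                       */
    p->builtin_ret     = (uintptr_t)__builtin_return_address(0);
    return x / 2;                                  /* eax: 0x40 -> 0x20                    */
}

/* Stand-in for main: holds the argument 0x40 in its own frame and calls bossA. */
__attribute__((noinline)) int call_bossA(struct frame_probe *p)
{
    volatile int arg = 0x40;                       /* the slides' input, sitting at 0x1000 */
    p->caller_local = (uintptr_t)&arg;
    p->caller_fp    = (uintptr_t)__builtin_frame_address(0);
    return bossA(arg, p);
}

/* The stack grows toward 0: everything bossA built (its saved ebp slot and
 * its locals) sits at lower addresses than the caller's locals, and the
 * locals sit below the frame pointer. */
int callee_frame_is_below_caller(void)
{
    struct frame_probe p = {0};
    call_bossA(&p);
    return p.callee_fp < p.caller_local && p.callee_local < p.callee_fp;
}

/* The two words at the frame pointer link the frame to its caller:
 * [ebp] is the caller's ebp and [ebp+4] (or [rbp+8]) is the return address. */
int frame_links_back_to_caller(void)
{
    struct frame_probe p = {0};
    call_bossA(&p);
    return p.saved_caller_fp == p.caller_fp && p.saved_ret == p.builtin_ret;
}

/* bossA(0x40) returns 0x20, the value the slides end with in eax. */
int result_of_bossA(void)
{
    struct frame_probe p = {0};
    return call_bossA(&p);
}

int main(void)
{
    struct frame_probe p = {0};
    int r = call_bossA(&p);
    printf("bossA(0x40) = 0x%x\n", r);
    printf("caller local   %#lx\n", (unsigned long)p.caller_local);
    printf("return address %#lx (from [ebp+4]/[rbp+8]), %#lx (builtin)\n",
           (unsigned long)p.saved_ret, (unsigned long)p.builtin_ret);
    printf("saved old ebp  %#lx, caller's ebp %#lx\n",
           (unsigned long)p.saved_caller_fp, (unsigned long)p.caller_fp);
    printf("callee ebp     %#lx\n", (unsigned long)p.callee_fp);
    printf("callee local   %#lx\n", (unsigned long)p.callee_local);
    printf("frame links back to caller: %d\n", frame_links_back_to_caller());
    return 0;
}
```

The printed addresses reproduce the picture: the caller's local is highest, then the return address and saved ebp, then bossA's buffer. That the return address lives a fixed distance above a local buffer is exactly what a stack overflow of that buffer overwrites.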