Slide 1

Reverse, Reverse! Ninjutsu! The Vanishing-F5 Technique
DoubleSigma / Terrynini
(F5 is the Hex-Rays decompile hotkey in IDA.)

Slide 2

Genin Scroll: Fundamentals

Slide 3

C compilation pipeline, step 1: preprocess

    #include <stdio.h>
    int main(){ puts("Hello world"); return 0; }

    gcc -E hello.c -o hello.i

hello.c -> (preprocessor) -> hello.i: the #include line is replaced by the contents of the header (typedefs, prototypes, ...), followed by the same main().

Slide 4

C compilation pipeline, step 2: compile

    gcc -S hello.c -o hello.s

hello.i -> (compiler) -> hello.s, assembly text. The listing on the slide:

    subq $16, %rsp
    leaq L_.str(%rip), %rdi
    movl $0, -4(%rbp)
    callq _puts
    xorl %ecx, %ecx
    movl %eax, -8(%rbp)
    movl %ecx, %eax
    addq $16, %rsp
    popq %rbp
    retq

(AT&T syntax. The underscore-prefixed _puts and the L_.str label show this particular listing came from a macOS toolchain; Linux gcc emits puts@PLT and .LC0 instead.)

Slide 5

C compilation pipeline, step 3: assemble

    gcc -c hello.c -o hello.o

hello.s -> (assembler) -> hello.o, an ELF relocatable object. Opened in a text editor it is binary garbage beginning with the bytes 7f 45 4c 46 ("\x7fELF"); the slide shows that raw dump.

Slide 6

C compilation pipeline, step 4: link (dynamic)

    gcc hello.c -o hello

hello.o -> (linker) -> hello, an ELF executable that still looks like binary garbage in an editor, now with its libc references resolved at load time by the dynamic linker. Add -m32 to build a 32-bit version.

Slide 7

Memory

RAM is addressed in bytes: the basic unit is the byte. Drawn with high addresses at the top and low addresses at the bottom, the slide shows eight consecutive bytes: 0xde 0xad 0xbe 0xef 0x12 0x34 0x56 0x78.

Slide 8

Memory: sizes

    char          -> 1 byte
    int           -> 4 bytes
    long long int -> 8 bytes

    2 bytes  -> 1 word
    2 words  -> 1 dword   (d = double)
    2 dwords -> 1 qword   (q = quadruple)

These are the usual sizes on x86 and x86-64: the C sizes are what gcc uses on both, and word/dword/qword are the x86 assembler's names.

Slide 9

Memory: how is a 4-byte value laid out?

    int a = 4207849484;   /* 0xfaceb00c */

The slide draws four unknown bytes (? ? ? ?) below four zero bytes and asks which byte goes where. Caveat: 4207849484 does not fit in a signed 32-bit int (maximum 2147483647); gcc warns and wraps it to -87117812. The bit pattern 0xfaceb00c is what the slide means, so think of a as unsigned int.

Slide 10

Memory: little endian

The four bytes are stored 0x0c 0xb0 0xce 0xfa from the lowest address upwards: the low-order byte (0x0c) at the lowest address, the high-order byte (0xfa) at the highest. This is little endian, which is what x86 and x86-64 use.

Slide 11

Memory: address by address

    address      byte
    0xfffec1bb   0x00
    0xfffec1ba   0x00
    0xfffec1b9   0x00
    0xfffec1b8   0x00
    0xfffec1b7   0xfa
    0xfffec1b6   0xce
    0xfffec1b5   0xb0
    0xfffec1b4   0x0c

Simplified, one dword per row: [0xfffec1b4] = 0xfaceb00c, [0xfffec1b8] = 0x00000000.

Slide 12

Pointers

    int a = 0x1234;
    int *b = &a;

a lives at 0xffedc6f4 and holds 0x1234; b lives at 0xffedc500 and holds 0xffedc6f4, the address of a.

Slide 13

Pointers: * dereferences (reads the value at an address), & takes the address

    a  = 0x1234
    b  = 0xffedc6f4
    &a = 0xffedc6f4
    &b = 0xffedc500
    *b = 0x1234

*a is a type error, since a is an int, not a pointer. If you force it (for example *(int *)a) the CPU tries to read address 0x1234, which is not mapped in a normal process, and the program dies with a segmentation fault.

Slide 14

Pointers in RAM

    address      contents
    0xffedc6f4   0x00001234     <- a
    0xffedc500   0xffedc6f4     <- b  (4 bytes under -m32; a pointer is 8 bytes on 64-bit)
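
The byte layout behind slides 7 to 14, as an added C example (not code from the deck): it dumps an unsigned int and a pointer byte by byte, shows why the bytes 0x0c 0xb0 0xce 0xfa read upward give 0xfaceb00c, and writes through a pointer. The printed addresses differ on every run; nothing here assumes the slide's 0xfffec1b4 or 0xffedc6f4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slides 7-14, not code from the deck.
 * Raw bytes are read through unsigned char, the one type C allows for
 * inspecting an object's representation without undefined behaviour. */

/* Copies the 4 bytes of v, in memory order, into out. */
static void bytes_of_u32(uint32_t v, uint8_t out[4]) { memcpy(out, &v, 4); }

/* 1 if this host stores the low-order byte at the lowest address (x86, x86-64, ARM). */
static int host_is_little_endian(void) {
    uint8_t b[4];
    bytes_of_u32(0x01020304u, b);
    return b[0] == 0x04;
}

/* Reassembles 4 bytes taken from ascending addresses as a little-endian dword. */
static uint32_t le32(const uint8_t p[4]) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Slide 9's constant: 4207849484 exceeds INT_MAX, so only unsigned keeps the 0xfaceb00c pattern intact. */
static uint32_t slide9_value(void) {
    unsigned int a = 4207849484u;
    return a;
}

/* Slides 12-14: b holds a's address; writing *b writes a. */
static int write_through_pointer(void) {
    int a = 0x1234;
    int *b = &a;           /* &a: take the address (0xffedc6f4 on the slide, different every run under ASLR) */
    *b = 0x5678;           /* *b: go to that address and store there */
    return a;              /* a is now 0x5678 although it was never assigned by name */
}

/* Prints n bytes starting at p the way slide 11 draws RAM: highest address first. */
static void dump(const char *label, const void *p, size_t n) {
    const uint8_t *bytes = p;
    printf("%s\n", label);
    for (size_t i = n; i-- > 0;)
        printf("  %p  0x%02x\n", (const void *)(bytes + i), bytes[i]);
}

int main(void) {
    unsigned int a = slide9_value();
    unsigned int *b = &a;
    uint8_t raw[4];

    printf("little-endian host: %s\n", host_is_little_endian() ? "yes" : "no");
    dump("a = 0xfaceb00c, byte by byte (low byte at the low address):", &a, sizeof a);
    bytes_of_u32(a, raw);
    printf("bytes read upward: %02x %02x %02x %02x -> le32 = 0x%08x\n",
           raw[0], raw[1], raw[2], raw[3], le32(raw));
    dump("b = &a: a pointer is just another number, also stored little endian:", &b, sizeof b);
    printf("sizeof char=%zu int=%zu long long=%zu pointer=%zu (pointer is 4 with -m32, 8 on 64-bit)\n",
           sizeof(char), sizeof(int), sizeof(long long), sizeof(void *));
    printf("a after writing through b: 0x%x\n", write_through_pointer());
    return 0;
}
```

Run it once with -m32 and once without: the pointer dump shrinks from 8 bytes to 4, while the int layout stays the same.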

Slide 15

Genin Scroll: Tools

Slide 16

Binary files: strings

    $ strings hello
    /lib64/ld-linux-x86-64.so.2
    libc.so.6
    puts
    __cxa_finalize
    __libc_start_main
    GLIBC_2.2.5
    _ITM_deregisterTMCloneTable
    __gmon_start__
    _ITM_registerTMCloneTable
    AWAVI
    AUATL
    []A\A]A^A_
    hello world
    ;*3$"

strings prints every run of four or more printable characters. The interpreter path, the imported symbols and the program's own "hello world" are real text; AWAVI, AUATL and []A\A]A^A_ are not text at all but x86-64 instruction bytes (push r15, push r14, ... pop r15 in the libc startup code) that happen to be printable, a false positive you will see in almost every binary.

Slide 17

Binary files: xxd

    $ xxd hello
    00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
    00000010: 0300 3e00 0100 0000 3005 0000 0000 0000  ..>.....0.......
    00000020: 4000 0000 0000 0000 6821 0000 0000 0000  @.......h!......
    00000030: 0000 0000 4000 3800 0900 4000 2200 2100  ....@.8...@.".!.
    00000040: 0600 0000 0400 0000 4000 0000 0000 0000  ........@.......
    00000050: 4000 0000 0000 0000 4000 0000 0000 0000  @.......@.......
    00000060: f801 0000 0000 0000 f801 0000 0000 0000  ................
    00000070: 0800 0000 0000 0000 0300 0000 0400 0000  ................
    00000080: 3802 0000 0000 0000 3802 0000 0000 0000  8.......8.......
    00000090: 3802 0000 0000 0000 1c00 0000 0000 0000  8...............
    000000a0: 1c00 0000 0000 0000 0100 0000 0000 0000  ................
    000000b0: 0100 0000 0500 0000 0000 0000 0000 0000  ................
    000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000000d0: 3808 0000 0000 0000 3808 0000 0000 0000  8.......8.......

Columns: file offset, the bytes in hex, the same bytes as ASCII (non-printable shown as "."). This dump is the 64-bit build of hello: byte 4 is 02 (ELFCLASS64), bytes 0x12-0x13 are 3e00 (x86-64), and the entry point at offset 0x18 is 0x530.

Slide 18

Binary files: objdump

    $ objdump -d hello -M intel

    hello:     file format elf32-i386

    Disassembly of section .init:

    00000378 <_init>:
     378:   53                      push   ebx
     379:   83 ec 08                sub    esp,0x8
     37c:   e8 9f 00 00 00          call   420 <__x86.get_pc_thunk.bx>
     381:   81 c3 57 1c 00 00       add    ebx,0x1c57
     387:   8b 83 1c 00 00 00       mov    eax,DWORD PTR [ebx+0x1c]
     38d:   85 c0                   test   eax,eax
     38f:   74 05                   je     396 <_init+0x1e>
     391:   e8 42 00 00 00          call   3d8 <__gmon_start__@plt>
     396:   83 c4 08                add    esp,0x8
     399:   5b                      pop    ebx
     39a:   c3                      ret

Columns: offset, machine code bytes, assembly in Intel syntax (-M intel; the default is AT&T). This listing is from a 32-bit PIE build of hello (elf32-i386), hence the __x86.get_pc_thunk.bx call that position-independent code on i386 needs to learn its own address.

Slide 19

Binary files: readelf

    $ readelf -a hello
    ELF Header:
      Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
      Class:                             ELF32
      Data:                              2's complement, little endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - System V
      ABI Version:                       0
      Type:                              DYN (Shared object file)
      Machine:                           Intel 80386
      Version:                           0x1
      Entry point address:               0x3e0
      Start of program headers:          52 (bytes into file)
      Start of section headers:          6056 (bytes into file)
      Flags:                             0x0

-a dumps everything (headers, sections, segments, symbols, relocations); the slide shows only the ELF header, which readelf -h prints on its own. "Type: DYN" for something that is plainly an executable means it was built as a PIE; this is the same 32-bit build objdump showed on the previous slide.

Slide 20

Binary files: ltrace

    $ ltrace ./hello
    puts("hello world"hello world
    ) = 12
    +++ exited (status 0) +++

ltrace is the library call tracer: it shows each call into a shared library with its arguments and return value. The program's own output ("hello world" plus a newline) is interleaved with ltrace's line, which is why the text appears inside the parentheses.

Slide 21

Binary files: strace

    $ strace ./hello
    execve("./hello", ["./hello"], 0x7fff729c99f0 /* 64 vars */) = 0
    brk(NULL)                               = 0x5574b4488000
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=121489, ...}) = 0
    mmap(NULL, 121489, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3f61a6d000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3f61a6b000
    mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3f61473000
    mprotect(0x7f3f6165a000, 2097152, PROT_NONE) = 0
    ...

strace traces system calls and signals. Everything above is the dynamic loader at work before main() runs: it consults /etc/ld.so.cache, opens libc.so.6, reads its ELF header (the \177ELF bytes again) and maps it into memory. The program's own puts() only appears further down, as a write(1, ...) to stdout.

Slide 22

Hands-on time

Slide 23

Genin Scroll: Dissection

Download the sample programs, or use the copies on the last pages of this deck.

Slide 24

Learning reversing by reversing

    gcc -O0 -m32 -no-pie nini_01.c -o nini_01

    -O0      no optimization, so the assembly follows the C line by line
    -m32     32-bit build
    -no-pie  don't produce a position-independent executable (fixed addresses, no PIC thunks)

Slide 25

x86 calling convention: the caller

    000004fa <main>:
     4fa:   55                      push   ebp
     4fb:   89 e5                   mov    ebp,esp
     4fd:   6a 06                   push   0x6
     4ff:   6a 01                   push   0x1
     501:   e8 e7 ff ff ff          call   4ed <add>
     506:   83 c4 08                add    esp,0x8
     509:   b8 00 00 00 00          mov    eax,0x0
     50e:   c9                      leave
     50f:   c3                      ret

add(1, 6): under the 32-bit cdecl convention the arguments are pushed onto the stack from right to left, so 6 goes first and 1 lands on top of it, nearest the return address.

Slides 26 to 30

Animation frames of the same listing: the stack after push 0x6 (6 on top), after push 0x1 (1 above 6), inside add where 1 + 6 is computed, and after the return, where the two arguments still sit on the stack until add esp,0x8 discards them.

Slide 31

x86 calling convention: the callee

    000004ed <add>:
     4ed:   55                      push   ebp
     4ee:   89 e5                   mov    ebp,esp
     4f0:   8b 55 08                mov    edx,DWORD PTR [ebp+0x8]
     4f3:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]
     4f6:   01 d0                   add    eax,edx
     4f8:   5d                      pop    ebp
     4f9:   c3                      ret

What!? Where is the pop you promised? The callee never pops its arguments: it reads them in place through the frame pointer. [ebp] is the saved ebp and [ebp+0x4] the return address, so [ebp+0x8] is the first argument and [ebp+0xc] the second. In cdecl it is the caller that removes them afterwards, with the add esp,0x8 on the previous slide.

Slide 32

x86 calling convention: where the stack is

Process memory, high addresses at the top:

    OS (kernel)
    Stack        grows downward
    ...
    Heap         grows upward
    BSS          zero-initialized globals
    Data         initialized globals
    Text         code                   <- image base
    (low addresses)

Slide 33

The two pushed arguments (6, then 1) live in the Stack region at the top of this picture, not in Data or on the Heap.

Slide 34

x86 calling convention: reading arguments through ebp

Inside add, after push ebp / mov ebp,esp, the stack around ebp looks like this (one dword per row):

    address      contents
    0xfffec1b8   6            <- second argument, [ebp+0xc]
    0xfffec1b4   1            <- first argument,  [ebp+0x8]
    0xfffec1b0   ????????     <- return address,  [ebp+0x4]
    0xfffec1ac   0xfffec000   <- saved ebp of the caller, [ebp]

    ebp             = 0xfffec1ac
    DWORD PTR [ebp] = 0xfffec000   (what ebp points to)
    ebp + 0x8       = 0xfffec1b4
    ebp + 0xc       = 0xfffec1b8

Slide 35

x86 calling convention: byte, word, dword

The saved ebp 0xfffec000 at 0xfffec1ac is stored little endian, low byte first:

    0xfffec1af   0xff
    0xfffec1ae   0xfe
    0xfffec1ad   0xc0
    0xfffec1ac   0x00

    BYTE PTR  [ebp] = 0x00
    WORD PTR  [ebp] = 0xc000
    DWORD PTR [ebp] = 0xfffec000

The size prefix decides how many bytes are read starting at the address; they are reassembled low byte first.

Slide 36

x86 calling convention: caution

What follows changes when floating-point values are involved: on 32-bit x86 a float or double return value comes back in the x87 register st(0), not in eax.

Slide 37

x86 calling convention: executing add

    000004ed <add>:
        push   ebp
        mov    ebp,esp
        mov    edx,DWORD PTR [ebp+0x8]
        mov    eax,DWORD PTR [ebp+0xc]
        add    eax,edx
        pop    ebp
        ret

Stack after the prologue (ebp = 0xfffec1ac):

    0xfffec1b8   6
    0xfffec1b4   1
    0xfffec1b0   ????????     (return address)
    0xfffec1ac   0xfffec000   (saved ebp)

Slides 38 to 43

Step by step:

    instruction                     eax     edx
    (after the prologue)            ?       ?
    mov edx,DWORD PTR [ebp+0x8]     ?       1
    mov eax,DWORD PTR [ebp+0xc]     6       1
    add eax,edx                     7       1       eax = eax + edx
    pop ebp                         7       1       ebp = 0xfffec000 again
    ret                             7       1       back to the caller

The return value always travels in eax: the instruction after the call in main can rely on eax == 7.

Slide 44

Learning reversing by reversing

    gcc -O0 -m32 -no-pie nini_02.c -o nini_02

Slide 45

Stack frame: the call site in nini_02

    804846e:   6a 06                   push   0x6
    8048470:   6a 01                   push   0x1
    8048472:   e8 af ff ff ff          call   8048426 <add>
    8048477:   83 c4 08                add    esp,0x8

Before push 0x6 main's frame is empty: esp = ebp = 0xfffec1b8. The slides draw the stack from 0xfffec1b8 down to 0xfffec198, one dword per row.

Slides 46 to 48

    after push 0x6     esp = 0xfffec1b4   [0xfffec1b4] = 6
    after push 0x1     esp = 0xfffec1b0   [0xfffec1b0] = 1
    after call         esp = 0xfffec1ac   [0xfffec1ac] = 0x8048477 (return address: the instruction after the call)

ebp stays 0xfffec1b8 throughout; call only pushes the return address and jumps.

Slide 49

Stack frame: add in nini_02

    08048426 <add>:
    8048426:   push   ebp
    8048427:   mov    ebp,esp
    8048429:   sub    esp,0x10
    804842c:   mov    eax,DWORD PTR [ebp+0x8]
    804842f:   add    eax,eax
    8048431:   mov    DWORD PTR [ebp-0x8],eax
    8048434:   mov    edx,DWORD PTR [ebp+0xc]
    8048437:   mov    eax,edx
    8048439:   add    eax,eax
    804843b:   add    eax,edx
    804843d:   mov    DWORD PTR [ebp-0x4],eax
    8048440:   mov    edx,DWORD PTR [ebp-0x8]
    8048443:   mov    eax,DWORD PTR [ebp-0x4]
    8048446:   add    eax,edx
    8048448:   leave
    8048449:   ret

Slides 50 to 70

The same listing, one instruction per slide, with the registers and the stack redrawn each time. Collected into one table (blank cells are unchanged):

    instruction                  esp         ebp         eax    edx    memory
    (entry to add)               0xfffec1ac  0xfffec1b8                [0xfffec1ac] = 0x8048477
    push ebp                     0xfffec1a8                            [0xfffec1a8] = 0xfffec1b8 (saved ebp)
    mov ebp,esp                              0xfffec1a8
    sub esp,0x10                 0xfffec198                            16 bytes reserved for locals
    mov eax,[ebp+0x8]                                    1             a
    add eax,eax                                          2
    mov [ebp-0x8],eax                                                  [0xfffec1a0] = 2 (ma = a*2)
    mov edx,[ebp+0xc]                                           6      b
    mov eax,edx                                          6
    add eax,eax                                          0xc
    add eax,edx                                          0x12
    mov [ebp-0x4],eax                                                  [0xfffec1a4] = 0x12 (mb = b*3)
    mov edx,[ebp-0x8]                                           2
    mov eax,[ebp-0x4]                                    0x12
    add eax,edx                                          0x14          return value ma+mb = 20
    leave: mov esp,ebp           0xfffec1a8
    leave: pop ebp               0xfffec1ac  0xfffec1b8                caller's frame pointer restored
    ret                          0xfffec1b0                            eip = 0x8048477, popped from the stack
    add esp,0x8 (in main)        0xfffec1b8                            the two arguments are abandoned

leave is exactly mov esp,ebp followed by pop ebp: it throws away the locals and restores the caller's ebp in one instruction.

ret behaves like "pop eip" (eip = [esp]; esp += 4), although pop eip is not an encodable instruction. It is not the same as jmp DWORD PTR [esp], which would jump to the same address but leave esp unchanged.

Nothing is erased: after the return, the memory from 0xfffec198 up to 0xfffec1b7 still holds the saved ebp, the return address, ma, mb and the two arguments. Those values are simply below esp now and will be overwritten by the next call. Slide 69 shows eip = 0x8048477 at the moment of return; after add esp,0x8 both esp and ebp are back at 0xfffec1b8.
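
The nini_02 call traced on slides 45 to 70, replayed by a small C model (an added example, not code from the deck and not nini_02.c itself). The model executes the disassembled instructions against a byte array that stands in for the stack addresses the slides use, so esp, ebp, eax and the dead frame can be checked instead of read off a picture. The addresses, the return address 0x8048477 and the starting esp == ebp == 0xfffec1b8 are the slides' values; the rest of the model is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the 32-bit stack while nini_02's main calls add(1, 6).
 * Added example for slides 45-70; not code from the deck and not nini_02 itself.
 * It replays the exact instructions objdump showed, against a small byte array
 * standing in for 0xfffec198..0xfffec1bf, so every picture on those slides can
 * be reproduced and checked instead of trusted. */

#define STACK_LO 0xfffec198u
#define STACK_HI 0xfffec1c0u              /* one past the highest modelled byte */

typedef struct {
    uint32_t eax, edx, esp, ebp, eip;
    uint8_t  mem[STACK_HI - STACK_LO];    /* little-endian bytes, as in the real machine */
} cpu_t;

/* Outside the modelled range the real CPU would fault, so the model bails out too. */
static uint8_t *at(cpu_t *c, uint32_t addr) {
    if (addr < STACK_LO || addr + 4 > STACK_HI) {
        fprintf(stderr, "segmentation fault: access at 0x%08x\n", addr);
        exit(1);
    }
    return &c->mem[addr - STACK_LO];
}

/* DWORD PTR [addr]: four bytes, lowest address = least significant. */
static uint32_t rd32(cpu_t *c, uint32_t addr) {
    const uint8_t *p = at(c, addr);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v) {
    uint8_t *p = at(c, addr);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c)              { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

static void trace(const cpu_t *c, const char *insn) {
    printf("%-24s esp=%08x ebp=%08x eax=%08x edx=%08x\n", insn, c->esp, c->ebp, c->eax, c->edx);
}

/* Runs from `push 0x6` in main through add and back past `add esp,0x8`.
 * Start state is the one the slides draw: main's frame, esp == ebp == 0xfffec1b8. */
static cpu_t run_nini02(int verbose) {
    cpu_t c = {0};
    c.esp = c.ebp = 0xfffec1b8u;
    c.eip = 0x804846eu;
#define STEP(insn, ...) do { __VA_ARGS__; if (verbose) trace(&c, insn); } while (0)
    /* main: arguments pushed right to left, then call pushes the return address */
    STEP("push 0x6",            push(&c, 6));
    STEP("push 0x1",            push(&c, 1));
    STEP("call 8048426 <add>",  push(&c, 0x8048477u); c.eip = 0x8048426u);
    /* add: the prologue builds the frame; [ebp+8] is a, [ebp+0xc] is b */
    STEP("push ebp",            push(&c, c.ebp));                   /* save caller's frame pointer */
    STEP("mov ebp,esp",         c.ebp = c.esp);
    STEP("sub esp,0x10",        c.esp -= 0x10);                     /* room for locals ma, mb */
    STEP("mov eax,[ebp+0x8]",   c.eax = rd32(&c, c.ebp + 0x8));     /* a = 1 */
    STEP("add eax,eax",         c.eax += c.eax);
    STEP("mov [ebp-0x8],eax",   wr32(&c, c.ebp - 0x8, c.eax));      /* ma = a*2 */
    STEP("mov edx,[ebp+0xc]",   c.edx = rd32(&c, c.ebp + 0xc));     /* b = 6 */
    STEP("mov eax,edx",         c.eax = c.edx);
    STEP("add eax,eax",         c.eax += c.eax);
    STEP("add eax,edx",         c.eax += c.edx);
    STEP("mov [ebp-0x4],eax",   wr32(&c, c.ebp - 0x4, c.eax));      /* mb = b*3 */
    STEP("mov edx,[ebp-0x8]",   c.edx = rd32(&c, c.ebp - 0x8));
    STEP("mov eax,[ebp-0x4]",   c.eax = rd32(&c, c.ebp - 0x4));
    STEP("add eax,edx",         c.eax += c.edx);                    /* return value stays in eax */
    STEP("leave",               c.esp = c.ebp; c.ebp = pop(&c));    /* == mov esp,ebp ; pop ebp */
    STEP("ret",                 c.eip = pop(&c));                   /* == pop eip (not encodable) */
    /* main again: the caller discards the two arguments */
    STEP("add esp,0x8",         c.esp += 8; c.eip += 3);
#undef STEP
    return c;
}

/* Reads a dword from the dead frame after the call has returned. */
static uint32_t stale_dword(uint32_t addr) {
    cpu_t c = run_nini02(0);
    return rd32(&c, addr);
}

int main(void) {
    cpu_t c = run_nini02(1);
    printf("\nadd(1, 6) -> eax = 0x%x (%u); esp = %08x, ebp = %08x, eip = %08x\n",
           c.eax, c.eax, c.esp, c.ebp, c.eip);
    printf("below esp the frame is still there: ret addr %08x, saved ebp %08x, ma %u, mb %u\n",
           stale_dword(0xfffec1acu), stale_dword(0xfffec1a8u), stale_dword(0xfffec1a0u), stale_dword(0xfffec1a4u));
    return 0;
}
```

The stale values below esp are exactly what a later, sloppier function reads when it uses an uninitialized local, and the return address slot at [ebp+4] is what a stack overflow overwrites; both are easier to reason about once the frame has been drawn out like this.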

Slide 71

Registers

After add esp,0x8 the trace leaves:

    esp  0xfffec1b8
    ebp  0xfffec1b8
    eax  0x14
    eip  0x804847a

So where do these things live?

Slide 72

Registers are implemented in hardware inside the CPU, as flip-flops, not in RAM. The values above are just the contents of those registers at one instant.

Slide 73

The 32-bit general-purpose registers and their aliases:

    32-bit   16-bit   8-bit high   8-bit low
    EAX      AX       AH           AL
    EBX      BX       BH           BL
    ECX      CX       CH           CL
    EDX      DX       DH           DL
    ESI      SI
    EDI      DI
    ESP      SP
    EBP      BP
    EIP      (instruction pointer; not directly writable)

AX is the low 16 bits of EAX; AH and AL are the high and low bytes of AX. Writing AL changes only the lowest byte of EAX and leaves the other three alone.

Slide 74

Registers: a hand-written example

    $ nasm -f elf32 nini_03.asm                 # assemble to a 32-bit ELF (Executable and Linkable Format) object
    $ gcc -m32 -nostdlib nini_03.o -o nini_03   # link without the standard library: our _start is the entry point

nini_03.asm (last pages) does nothing but move values into eax, ax and al. It is meant to be single-stepped in a debugger while watching eax; there is no exit system call, so letting it run to the end executes whatever bytes follow and crashes.

Slide 75

Numbers

The same 32 bits, 0xffffffff, read two ways:

    int           -> -1
    unsigned int  -> 4294967295

Slides 76 to 81

Two's complement, worked on 20181214 (4 bytes):

    20181214          00000001 00110011 11110000 11011110   = 0x0133f0de
    flip all bits     11111110 11001100 00001111 00100001
    +1                11111110 11001100 00001111 00100010   = 0xfecc0f22

0x0133f0de + 0xfecc0f22 = 0x100000000, which in 32 bits is 0: so 0xfecc0f22 is -20181214. Negation is "flip all bits, add one", and the top bit is what a signed reading uses to decide that the value is negative.
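
The register aliasing of slide 73 and the two's-complement arithmetic of slides 75 to 81, as an added C example (not code from the deck). It replays nini_03.asm (slide 112) on a union that aliases eax, ax, al and ah, then negates 20181214 the way the slides do. The union assumes a little-endian host, which is what places al at the lowest byte of eax.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slides 73-81 (and nini_03.asm on slide 112); not code from the deck.
 * Models the eax/ax/al aliasing with a union and does the two's-complement
 * arithmetic of slides 76-81 in plain C. The union relies on a little-endian
 * host (x86, x86-64): that is what puts al at the lowest byte of eax. */

typedef union {
    uint32_t eax;                    /* 32-bit view */
    uint16_t ax;                     /* low 16 bits */
    struct { uint8_t al, ah; } b;    /* lowest byte, then the next byte up */
} reg32_t;

/* Replays nini_03.asm on the union and returns the final eax. */
static uint32_t run_nini03(void) {
    reg32_t r;
    r.eax   = 0x12345678;  /* mov eax, 0x12345678 */
    r.ax    = 0;           /* mov ax, 0       -> 0x12340000: the upper half is untouched */
    r.ax    = 0x5678;      /* mov ax, 0x5678  -> 0x12345678 */
    r.b.al -= 0x77;        /* sub al, 0x77    -> al = 0x01 */
    r.b.al -= 2;           /* sub al, 2       -> al = 0xff: the borrow stays inside the byte */
    r.b.al += 0x79;        /* add al, 0x79    -> al = 0x78: the carry out of the byte is dropped */
    return r.eax;          /* 0x12345678 again */
}

/* Slides 77-79: negate by flipping every bit and adding one. */
static uint32_t negate32(uint32_t x) { return ~x + 1u; }

/* The same 32-bit pattern read as a signed int (slide 75). memcpy rather than a cast,
 * so the reinterpretation is explicit and well defined. */
static int32_t as_signed(uint32_t x) { int32_t s; memcpy(&s, &x, sizeof s); return s; }

/* Prints a dword as four groups of 8 bits, like the slides. */
static void print_bits(const char *label, uint32_t x) {
    printf("%-16s", label);
    for (int i = 31; i >= 0; i--) {
        putchar((x >> i) & 1 ? '1' : '0');
        if (i % 8 == 0) putchar(' ');
    }
    printf(" = 0x%08x\n", x);
}

int main(void) {
    uint32_t n = 20181214u, neg = negate32(n);
    printf("nini_03.asm leaves eax = 0x%08x\n", run_nini03());
    print_bits("20181214", n);
    print_bits("flip all bits", ~n);
    print_bits("+1", neg);
    printf("sum mod 2^32 = 0x%08x, so 0x%08x is %d as int\n", n + neg, neg, as_signed(neg));
    printf("0xffffffff is %d as int and %u as unsigned int\n", as_signed(0xffffffffu), 0xffffffffu);
    printf("slide 9's 0xfaceb00c as int is %d\n", as_signed(0xfaceb00cu));
    return 0;
}
```

The same byte-level wraparound that brings al back to 0x78 is what makes an 8-bit length field or loop counter overflow silently; the compiler never warns because the hardware defines it.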

Slide 82

Control flow

    gcc -O0 -m32 -no-pie nini_04.c -o nini_04

Slide 83

Conditional jumps after cmp a, b. Which mnemonic the compiler picks tells you whether the C comparison was signed or unsigned:

    unsigned (above/below)              signed (greater/less)                  either
    ja    jump if above                 jg    jump if greater                  je    jump if equal
    jb    jump if below                 jl    jump if less                     jne   jump if not equal
    jae   jump if above or equal        jge   jump if greater or equal         jmp   shut up and jump!
    jbe   jump if below or equal        jle   jump if less or equal
    jna   jump if not above             jng   jump if not greater
    jnb   jump if not below             jnl   jump if not less
    jnae  jump if not above or equal    jnge  jump if not greater or equal
    jnbe  jump if not below or equal    jnle  jump if not less or equal

Several names are the same opcode: jna == jbe, jnb == jae, jnae == jb, jnbe == ja, and likewise jng == jle, jnl == jge, jnge == jl, jnle == jg. The unsigned family reads CF and ZF; the signed family reads ZF, SF and OF.
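
Why the two columns differ, as an added C example (not code from the deck): it computes the four flags a 32-bit cmp leaves behind and evaluates every mnemonic on slide 83 from those flags alone, then feeds in the operands of nini_04.c's three comparisons. The flag formulas are the architectural ones; the table layout and helper names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slide 83; not code from the deck. cmp a, b computes a - b
 * and sets CF, ZF, SF, OF; every jcc looks only at those flags. Feeding the
 * operands of nini_04.c's three comparisons through this shows why the
 * compiler's choice of ja/jb versus jg/jl reveals signedness. */

typedef struct { bool cf, zf, sf, of; } flags_t;

/* Flags as a 32-bit cmp leaves them. */
static flags_t cmp32(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    flags_t f;
    f.cf = a < b;                                  /* borrow out of bit 31: unsigned a < b */
    f.zf = r == 0;
    f.sf = (r >> 31) & 1;                          /* sign bit of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;        /* signed overflow: a, b differ in sign and r's sign differs from a's */
    return f;
}

/* 1 if the jump is taken, 0 if not, -1 for a mnemonic not in the table. */
static int jcc_taken(const char *mnemonic, flags_t f) {
    bool eq      = f.zf;
    bool below   = f.cf;                  /* unsigned a <  b */
    bool above   = !f.cf && !f.zf;        /* unsigned a >  b */
    bool less    = f.sf != f.of;          /* signed   a <  b */
    bool greater = !f.zf && f.sf == f.of; /* signed   a >  b */
    const struct { const char *name; bool taken; } table[] = {
        {"jmp", true},
        {"je", eq},        {"jz", eq},        {"jne", !eq},      {"jnz", !eq},
        {"ja", above},     {"jnbe", above},   {"jae", !below},   {"jnb", !below},  {"jnc", !below},
        {"jb", below},     {"jnae", below},   {"jc", below},     {"jbe", !above},  {"jna", !above},
        {"jg", greater},   {"jnle", greater}, {"jge", !less},    {"jnl", !less},
        {"jl", less},      {"jnge", less},    {"jle", !greater}, {"jng", !greater},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(mnemonic, table[i].name) == 0) return table[i].taken;
    return -1;
}

/* Convenience: "cmp a, b ; jcc" in one call. */
static int cmp_jump(const char *mnemonic, uint32_t a, uint32_t b) {
    return jcc_taken(mnemonic, cmp32(a, b));
}

static void show(const char *what, uint32_t a, uint32_t b) {
    flags_t f = cmp32(a, b);
    printf("%-36s cmp 0x%08x,0x%08x  CF=%d ZF=%d SF=%d OF=%d  jg:%d jl:%d ja:%d jb:%d je:%d\n",
           what, a, b, f.cf, f.zf, f.sf, f.of,
           cmp_jump("jg", a, b), cmp_jump("jl", a, b), cmp_jump("ja", a, b),
           cmp_jump("jb", a, b), cmp_jump("je", a, b));
}

int main(void) {
    show("flow1: int -100 > 100 ?",            (uint32_t)-100, 100u);      /* jg not taken; ja would be */
    show("flow2: unsigned 580820 >= 577566 ?", 580820u, 577566u);         /* jae taken */
    show("flow3: 36 + 36 == 92 ?",             72u, 92u);                  /* je not taken -> \" Cheap \" */
    show("INT_MAX > -1 ? (overflow case)",     0x7fffffffu, 0xffffffffu); /* jg taken only because OF is set */
    return 0;
}
```

The last row is the one that bites in practice: a signed length check (jg/jl) against a negative value passes where the unsigned check (ja/jb) fails, and vice versa, which is how a signed-versus-unsigned mismatch turns a bounds check into a bypass.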

Slide 84

x86-64 registers

    64-bit   32-bit   16-bit   8-bit
    RAX      EAX      AX       AH / AL
    RBX      EBX      BX       BH / BL
    RCX      ECX      CX       CH / CL
    RDX      EDX      DX       DH / DL
    RSI      ESI      SI
    RDI      EDI      DI
    RSP      ESP      SP
    RBP      EBP      BP
    RIP      EIP

Every 32-bit register is the low half of a 64-bit one. x86-64 also adds eight new registers r8 to r15 (r8d, r8w, r8b for the narrower views).

Slide 85

x86-64 calling convention (Linux, System V AMD64 ABI)

Arguments are passed in registers; only when there are too many do the rest go on the stack.

    printf("%c: %d %d %d %d", arg2, arg3, arg4, arg5, arg6);

    rdi  format string   (1st argument)
    rsi  arg2
    rdx  arg3
    rcx  arg4
    r8   arg5
    r9   arg6

The seventh integer argument onwards goes on the stack, and the return value comes back in rax. For a variadic callee such as printf the caller also sets al to the number of vector registers used (zero here, since all the arguments are integers).

Slide 86

Hands-on time

Slide 87

Genin Scroll: Analysis

Slide 88

Analysis tools

    static:   IDA, Binary Ninja, radare2, objdump, Hopper
    dynamic:  gdb, OllyDbg, x64dbg, WinDbg, Bochs

Slide 89

    IDA       download the freeware version from the official site
    x64dbg    open source; where a feature is weak, a plugin can usually be found
    gdb       the GNU debugger; powerful
    radare2   open source, command-line analysis tool; a graphical front end also exists

Slide 90

Explaining the file format field by field would be painful. We learn the parts that matter from IDA's views instead: imports, exports, the string table, debug symbols and segments.

Slide 91

Hands-on time: patch

Slide 92

The noodle that isn't a noodle (main is not where the program starts)
Genin Scroll: Master Chef

Slide 93

The noodle that isn't a noodle: what runs before main

    loader (ld.so)  ->  _start  ->  __libc_start_main  ->  __libc_csu_init  ->  main  ->  exit

The kernel hands control to the dynamic loader, which jumps to the program's _start; _start calls __libc_start_main, which runs the constructors collected in __libc_csu_init, then calls main and passes main's return value to exit. The entry point readelf reports is _start, not main.

Slide 94

Hands-on time

Slide 95

Genin Scroll: Files

Slide 96

Magic numbers

    $ file jojo.png
    jojo.png: PNG image data, 2880 x 1800, 8-bit/color RGBA, non-interlaced

file identifies a file by matching it against a database of known signatures; the format of that database is described in man magic.

Slide 97

A magic number is a signature value fixed by a format's specification: a particular byte sequence at a particular offset, produced out of thin air like a magic trick. Examples: MZ (DOS and PE executables), 0x7f 'E' 'L' 'F' (ELF), GIF89a (GIF). Because it is only bytes, a magic number can be forged as easily as a file extension; it tells you what a file claims to be, not that the rest of it is well formed.
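
What file(1) does first and what readelf -h prints first, as one added C example serving slides 17, 19 and 96 to 97 (not code from the deck, not the real file or readelf). It matches a few magic numbers and, for ELF, parses the header fields shown on the readelf slide. hello64 is copied byte for byte from the xxd slide; hello32 is a header constructed here from the values on the readelf slide, with the fields the slide does not show left at zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slides 17, 19 and 96-97; not code from the deck. It does
 * what file(1) does first (match a magic number) and, for ELF, reads the
 * header fields readelf -h prints at the top. hello64 is the first 64 bytes
 * of `hello` copied from the xxd slide; hello32 is a header constructed here
 * from the values on the readelf slide (fields the slide does not show are 0). */

typedef struct {
    const char *kind;              /* "ELF", "PE/MZ", "PNG", "GIF", "truncated ELF64" or "unknown" */
    int elf_class;                 /* 32 or 64 */
    int little_endian;
    uint16_t e_type, e_machine;    /* e_type 3 = DYN; e_machine 3 = i386, 0x3e = x86-64 */
    uint64_t e_entry, e_phoff, e_shoff;
} fileinfo_t;

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? rd16(p, 1) | (uint32_t)rd16(p + 2, 1) << 16 : (uint32_t)rd16(p, 0) << 16 | rd16(p + 2, 0);
}
static uint64_t rd64(const uint8_t *p, int le) {
    return le ? rd32(p, 1) | (uint64_t)rd32(p + 4, 1) << 32 : (uint64_t)rd32(p, 0) << 32 | rd32(p + 4, 0);
}

/* Identify buf by its magic number; for ELF also parse the header. */
static fileinfo_t identify(const uint8_t *buf, size_t len) {
    fileinfo_t fi = { "unknown", 0, 0, 0, 0, 0, 0, 0 };
    if (len >= 8 && memcmp(buf, "\x89PNG\r\n\x1a\n", 8) == 0) { fi.kind = "PNG"; return fi; }
    if (len >= 6 && (memcmp(buf, "GIF89a", 6) == 0 || memcmp(buf, "GIF87a", 6) == 0)) { fi.kind = "GIF"; return fi; }
    if (len >= 2 && memcmp(buf, "MZ", 2) == 0) { fi.kind = "PE/MZ"; return fi; }
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return fi;   /* 52 = size of the smallest (ELF32) header */
    fi.kind = "ELF";
    fi.elf_class = buf[4] == 2 ? 64 : 32;       /* EI_CLASS */
    fi.little_endian = buf[5] == 1;             /* EI_DATA: 1 = LSB first, 2 = MSB first */
    int le = fi.little_endian;
    fi.e_type = rd16(buf + 0x10, le);
    fi.e_machine = rd16(buf + 0x12, le);
    if (fi.elf_class == 64) {                   /* 64-bit: entry/phoff/shoff are 8 bytes each */
        if (len < 64) { fi.kind = "truncated ELF64"; return fi; }
        fi.e_entry = rd64(buf + 0x18, le);
        fi.e_phoff = rd64(buf + 0x20, le);
        fi.e_shoff = rd64(buf + 0x28, le);
    } else {                                    /* 32-bit: 4 bytes each, so the offsets differ */
        fi.e_entry = rd32(buf + 0x18, le);
        fi.e_phoff = rd32(buf + 0x1c, le);
        fi.e_shoff = rd32(buf + 0x20, le);
    }
    return fi;
}

/* Bytes 0x00-0x3f of hello exactly as the xxd slide shows them (x86-64 PIE). */
static const uint8_t hello64[64] = {
    0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x03,0x00,0x3e,0x00,0x01,0x00,0x00,0x00, 0x30,0x05,0x00,0x00,0x00,0x00,0x00,0x00,
    0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x68,0x21,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00, 0x09,0x00,0x40,0x00,0x22,0x00,0x21,0x00,
};
/* Constructed ELF32 header matching the readelf slide: Intel 80386, DYN, entry 0x3e0, phoff 52, shoff 6056. */
static const uint8_t hello32[52] = {
    0x7f,0x45,0x4c,0x46,0x01,0x01,0x01,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x03,0x00,0x03,0x00,0x01,0x00,0x00,0x00, 0xe0,0x03,0x00,0x00, 0x34,0x00,0x00,0x00,
    0xa8,0x17,0x00,0x00, 0x00,0x00,0x00,0x00, 0x34,0x00,0x20,0x00, 0x00,0x00,0x28,0x00, 0x00,0x00,0x00,0x00,
};

static void report(const char *name, const uint8_t *buf, size_t len) {
    fileinfo_t fi = identify(buf, len);
    printf("%-10s %s", name, fi.kind);
    if (strcmp(fi.kind, "ELF") == 0)
        printf("%d %s-endian type=%u machine=0x%x entry=0x%llx phoff=%llu shoff=%llu",
               fi.elf_class, fi.little_endian ? "little" : "big", (unsigned)fi.e_type, (unsigned)fi.e_machine,
               (unsigned long long)fi.e_entry, (unsigned long long)fi.e_phoff, (unsigned long long)fi.e_shoff);
    putchar('\n');
}

int main(void) {
    static const uint8_t png[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };   /* constructed */
    report("hello64", hello64, sizeof hello64);
    report("hello32", hello32, sizeof hello32);
    report("jojo.png", png, sizeof png);
    report("x.exe", (const uint8_t *)"MZ\x90\x00", 4);
    report("readme", (const uint8_t *)"hello world", 11);
    return 0;
}
```

Every read is bounds-checked against len before it happens; a header parser that trusts the class byte and reads 64 bytes from a 52-byte buffer is exactly the kind of bug that file-identification code has shipped with in the past.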

Slide 98

Hands-on time

Slide 99

Genin Scroll: Ciphers

Slide 100

Encryption vs encoding

Anything that needs no key is encoding, not encryption; base64 is the usual example. It exists because some bytes cause trouble in transport or display (binary in e-mail, NUL bytes inside strings), so the data is re-expressed in a safe alphabet first. Anyone can undo it.

    A  B  C            01000001 01000010 01000011      three 8-bit bytes
    regroup            010000 010100 001001 000011      four 6-bit groups
    Q  U  J  D         16     20     9      3           base64 alphabet index -> letter

So "ABC" encodes as "QUJD".
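
The regrouping on slide 100 carried through to a complete encoder and decoder, as an added C example (not code from the deck): 3 bytes become 4 six-bit indexes into the 64-letter alphabet, '=' pads a short final group, and the decoder rejects anything that is not well-formed base64. Sample inputs are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slide 100; not code from the deck. A complete base64
 * encoder and decoder: 3 bytes become 4 six-bit indexes into a 64-letter
 * alphabet, '=' pads the last group. No key anywhere, so anyone can reverse it. */

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes n bytes into out (needs 4*ceil(n/3)+1 bytes); returns the string length. */
static size_t b64_encode(const uint8_t *in, size_t n, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;                 /* pack up to 3 bytes, first byte on top, into 24 bits */
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];                     /* four 6-bit groups, top group first */
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';    /* groups with no input bits become padding */
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Index of c in the alphabet, or -1 if c is not a base64 letter. */
static int b64_index(char c) {
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Decodes a NUL-terminated base64 string into out; returns the byte count or -1 on bad input. */
static long b64_decode(const char *in, uint8_t *out) {
    size_t n = strlen(in), o = 0;
    if (n % 4 != 0) return -1;                               /* every group is exactly 4 characters */
    for (size_t i = 0; i < n; i += 4) {
        int pad = (in[i + 3] == '=') + (in[i + 2] == '=');
        if (pad && i + 4 != n) return -1;                    /* padding is only legal in the last group */
        if (in[i + 2] == '=' && in[i + 3] != '=') return -1; /* "xx=y" is malformed */
        uint32_t v = 0;
        for (int k = 0; k < 4; k++) {
            int d = k >= 4 - pad ? 0 : b64_index(in[i + k]);
            if (d < 0) return -1;
            v = v << 6 | (uint32_t)d;
        }
        out[o++] = (uint8_t)(v >> 16);
        if (pad < 2) out[o++] = (uint8_t)(v >> 8);
        if (pad < 1) out[o++] = (uint8_t)v;
    }
    return (long)o;
}

/* 1 if plain encodes to expected and expected decodes back to plain. */
static int roundtrips(const char *plain, const char *expected) {
    char enc[128];
    uint8_t dec[128];
    if (strlen(plain) > 90) return 0;
    b64_encode((const uint8_t *)plain, strlen(plain), enc);
    long n = b64_decode(expected, dec);
    return strcmp(enc, expected) == 0 && n == (long)strlen(plain) && memcmp(dec, plain, (size_t)n) == 0;
}

int main(void) {
    const char *samples[] = { "ABC", "AB", "A", "hello world" };   /* constructed inputs */
    char enc[64];
    uint8_t dec[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        b64_encode((const uint8_t *)samples[i], strlen(samples[i]), enc);
        long n = b64_decode(enc, dec);
        printf("%-12s -> %-16s -> %.*s\n", samples[i], enc, (int)n, (const char *)dec);
    }
    printf("\"QUJ!\" decodes to %ld (rejected)\n", b64_decode("QUJ!", dec));
    return 0;
}
```

The strictness in b64_decode matters beyond tidiness: lenient decoders that ignore stray padding or non-alphabet characters let two different strings decode to the same bytes, which is how base64 "canonicalization" differences have been used to slip past signature and allow-list checks.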

Slide 101

Encryption vs encoding: XOR

XOR: fast, simple, effective. The output looks like ashes; nothing of the plaintext is recognizable.

Slide 102

The exception: a zero key.

    plaintext:  bo55man69
    key:        \x00
    ciphertext: bo55man69

x ^ 0 == x, so a key byte of zero leaves the plaintext byte untouched.

Slide 103

A repeating key:

    plaintext:  StarbustStream
    key:        modohiyaku
    ciphertext: >\x1b\x05\x1d\n\x1c\n\x158\x01\x1f\n\x05\x02

Each plaintext byte is XORed with the key byte at the same position; once the key runs out it starts over (the 11th byte 'r' meets 'm' again).

Slide 104

But given enough ciphertext, frequency analysis recovers an almost or completely correct key, because XOR with a repeating key preserves the statistics of the plaintext within each key position. And when the plaintext is a file of a known format, its magic number and fixed header fields are known plaintext: XOR them with the ciphertext and part or all of the key drops out directly.
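
Slides 101 to 104 in working code, as an added C example (not code from the deck): repeating-key XOR that reproduces the slide 103 ciphertext, the zero-key exception of slide 102, and the known-plaintext shortcut of slide 104, where the ELF magic at the start of an encrypted file gives back the first key bytes. The 4-byte key "nini", the message and the fake file body are constructed here; the ELF magic is the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for slides 101-104; not code from the deck. Repeating-key XOR
 * as used on slide 103, then the known-plaintext shortcut of slide 104: when the
 * encrypted file starts with a known magic number, XORing that magic with the
 * ciphertext hands back the first key bytes. Key, messages and the fake file
 * are constructed here; the ELF magic is the real one. */

/* out[i] = in[i] ^ key[i % klen]. XOR is its own inverse, so this both encrypts and decrypts. */
static void xor_repeat(const uint8_t *in, size_t n, const uint8_t *key, size_t klen, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % klen];
}

/* Known plaintext: key[i] = ct[i] ^ known[i]. Recovers min(known_len, klen) key bytes. */
static size_t recover_key_prefix(const uint8_t *ct, const uint8_t *known, size_t known_len,
                                 size_t klen, uint8_t *key_out) {
    size_t n = known_len < klen ? known_len : klen;
    for (size_t i = 0; i < n; i++) key_out[i] = ct[i] ^ known[i];
    return n;
}

/* 1 if XOR("StarbustStream", "modohiyaku") reproduces the ciphertext printed on slide 103. */
static int slide103_matches(void) {
    static const uint8_t expect[14] = { '>', 0x1b, 0x05, 0x1d, 0x0a, 0x1c, 0x0a, 0x15,
                                        '8', 0x01, 0x1f, 0x0a, 0x05, 0x02 };
    uint8_t ct[14];
    xor_repeat((const uint8_t *)"StarbustStream", 14, (const uint8_t *)"modohiyaku", 10, ct);
    return memcmp(ct, expect, sizeof expect) == 0;
}

/* Slide 102: a zero key changes nothing. */
static int zero_key_is_identity(void) {
    const uint8_t zero = 0x00;
    uint8_t ct[9];
    xor_repeat((const uint8_t *)"bo55man69", 9, &zero, 1, ct);
    return memcmp(ct, "bo55man69", 9) == 0;
}

/* A constructed "encrypted ELF": a 4-byte key is fully recovered from the 4-byte
 * magic \x7fELF, and the recovered key then decrypts the whole buffer. */
static int elf_magic_recovers_key(void) {
    static const uint8_t key[4] = { 'n', 'i', 'n', 'i' };                       /* constructed key */
    static const uint8_t plain[] = "\x7f" "ELF\x02\x01\x01\x00 constructed file body";
    uint8_t ct[sizeof plain], got[4], back[sizeof plain];
    xor_repeat(plain, sizeof plain, key, sizeof key, ct);
    size_t n = recover_key_prefix(ct, (const uint8_t *)"\x7f" "ELF", 4, sizeof key, got);
    xor_repeat(ct, sizeof ct, got, n, back);
    return n == 4 && memcmp(got, key, 4) == 0 && memcmp(back, plain, sizeof plain) == 0;
}

/* With a key longer than the known magic only the first bytes come back; the rest
 * has to come from more known plaintext (fixed header fields) or frequency analysis. */
static size_t key_bytes_recoverable(size_t klen) {
    uint8_t ct[4] = {0}, got[32];
    return recover_key_prefix(ct, (const uint8_t *)"\x7f" "ELF", 4, klen, got);
}

int main(void) {
    printf("slide 103 ciphertext reproduced: %s\n", slide103_matches() ? "yes" : "no");
    printf("zero key leaves the plaintext unchanged: %s\n", zero_key_is_identity() ? "yes" : "no");
    printf("4-byte key recovered from the ELF magic and file decrypted: %s\n",
           elf_magic_recovers_key() ? "yes" : "no");
    printf("with a 10-byte key the magic alone yields %zu key bytes\n", key_bytes_recoverable(10));
    return 0;
}
```

In practice the key length is unknown too; the ciphertext's periodic structure (equal bytes reappearing at multiples of the key length wherever the plaintext repeats) is what gives it away before the frequency analysis of slide 104 even starts.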

Slide 105

Genin Scroll: Big Snake

Slide 106

Faced with trivial but bulky tasks, you need a snake with all kinds of packages: assemble, disassemble, emulate, call system APIs. (The snake is Python, with a library for each of those jobs.)

Slide 107

Hands-on time

Slide 108

If there is time left at this point, we cover other things.

Slide 109

Sample programs

Slide 110

nini_01.c

    #include <stdio.h>

    /* two arguments on the stack, result returned in eax */
    int add(int a, int b){
        return a+b;
    }

    int main(){
        add(1, 6);
        return 0;
    }

Slide 111

nini_02.c

    #include <stdio.h>

    /* locals ma and mb live at [ebp-0x8] and [ebp-0x4] in the -O0 build */
    int add(int a, int b){
        int ma = a*2;
        int mb = b*3;
        return ma+mb;
    }

    int main(){
        printf("%d", add(1,6));   /* prints 20 */
        return 0;
    }

Slide 112

nini_03.asm

    global _start
    section .text
    _start:
        mov eax, 0x12345678   ; eax = 0x12345678
        mov ax, 0             ; only the low 16 bits change: eax = 0x12340000
        mov ax, 0x5678        ; eax = 0x12345678 again
        sub al, 0x77          ; al = 0x78 - 0x77 = 0x01  -> eax = 0x12345601
        sub al, 2             ; al wraps: 0x01 - 2 = 0xff -> eax = 0x123456ff
        add al, 0x79          ; al = (0xff + 0x79) & 0xff = 0x78 -> eax = 0x12345678
        ; no exit syscall: single-step this in a debugger rather than running it to the end

Slide 113

nini_04.c

    #include <stdio.h>

    /* signed compare: -100 > 100 is false, so the else branch runs.
       Both branches print the same text, so only the disassembly
       (jg / jle) tells you which one ran. */
    void flow1(){
        int Z = -100;
        int B = 100;
        if( Z > B){
            puts(" Z > B !!!!!" );
        }else{
            puts(" Z > B !!!!!" );
        }
    }

    /* unsigned compare: the compiler emits jae/jb instead of jge/jl */
    void flow2(){
        unsigned int DINDIN = 577566;
        unsigned int KERKER = 580820;
        if (KERKER >= DINDIN){
            puts(" NINBO !! xuan ju wu xiao no jutsu");
        } else{
            puts(" impossible ");
        }
    }

    /* 36 + 36 == 72, not 92: prints " Cheap " until you patch the compare or the jump */
    void flow3(){
        int a = 36;
        int bread = 36;
        if( a + bread == 92){
            puts(" Yummy ");
        }else{
            puts(" Cheap ");
        }
    }

    int main(){
        flow1();
        flow2();
        flow3();
        return 0;
    }