Slide 1

Slide 1 text

Reverse Engineering
terrynini38514 terrynini

Slide 2

Slide 2 text

WHO AM I ?

Slide 3

Slide 3 text

Human rights index attached. ID: Terrynini38514
▸ National Chiao Tung University
▸ FireEye FlareOn Challenge
▸ CTF Team: DoubleSigma, Balsn

Slide 4

Slide 4 text

INTRODUCTION & REVIEW

Slide 5

Slide 5 text

What is software reverse engineering?
▸ Analysing how a program is designed when little or no source code is available
  Malware analysis, e.g. WannaCry
  Software behaviour analysis, e.g. zoom
  Building software that interoperates with other software, e.g. nouveau, Samba, Skype protocol
  Finding software vulnerabilities, e.g. Windows, iPhone
  Illegal uses, e.g. pirated software, keygens, pulling the stickers out of a mobile game and dropping them into telegram

Slide 6

Slide 6 text

Defending against reverse engineering
▸ Raise the cost of reverse engineering: encryption, packing, misdirection, code obfuscation, making the executable hard to obtain, frequent updates

Slide 7

Slide 7 text

Main analysis methods
▸ Static analysis: do not run the target program; analyse its executable file directly (analysing the program)
▸ Dynamic analysis: run the target program wholly or partially and observe its behaviour directly or indirectly (analysing the process)

Slide 8

Slide 8 text

Main analysis tools
Static analysis
▸ IDA pro: expensive, trendy, powerful
▸ Ghidra: recommended for this course; NSA open-source tool, Java
▸ radare2: open-source tool, CLI
Dynamic analysis
▸ Windbg preview: powerful
▸ x64dbg: recommended for this course; GUI, open-source tool, extensible
▸ gdb: recommended for this course; CLI, powerful
▸ edb: GUI; try it first if you are not used to the CLI

Slide 9

Slide 9 text

x86 (IA-32) registers
                        32 bits   16 bits   high 8 bits   low 8 bits
▸ Accumulator register    EAX       AX         AH            AL
▸ Base register           EBX       BX         BH            BL
▸ Counter register        ECX       CX         CH            CL
▸ Data register           EDX       DX         DH            DL
▸ Source Index            ESI       SI
▸ Destination Index       EDI       DI
▸ Stack Pointer           ESP       SP
▸ Stack Base Pointer      EBP       BP
▸ Instruction Pointer     EIP       IP

Slide 10

Slide 10 text

x86-64 (AMD64) registers
▸ additional r8~r15
                        64 bits   32 bits   16 bits   high 8 bits   low 8 bits
  Accumulator             RAX       EAX       AX         AH            AL
  Base                    RBX       EBX       BX         BH            BL
  Counter                 RCX       ECX       CX         CH            CL
  Data                    RDX       EDX       DX         DH            DL
  Source Index            RSI       ESI       SI                       SIL
  Destination Index       RDI       EDI       DI                       DIL
  Stack Pointer           RSP       ESP       SP                       SPL
  Stack Base Pointer      RBP       EBP       BP                       BPL
  r8 ~ r15                R8        R8D       R8W                      R8B
  Instruction Pointer     RIP

Slide 11

Slide 11 text

Segment Registers
▸ CS, DS, SS, ES, FS, GS
▸ cs:0x1000 (= 0x31000)
▸ Operating systems use a flat memory model nowadays
▸ A segment register no longer holds the base of a segment, but an index into the descriptor table

Slide 12

Slide 12 text

Instruction

Slide 13

Slide 13 text

Instruction

Slide 14

Slide 14 text

FLAGS register (EFLAGS / RFLAGS)
▸ Zero Flag: set if the result is 0, e.g. 100 - 100 = 0
▸ Carry Flag: set if a carry or borrow goes beyond the size of the register, e.g. 0 - 1 = 4294967295, e.g. 4294967295 + 1 = 0

Slide 15

Slide 15 text

FLAGS register (EFLAGS / RFLAGS)
▸ Overflow Flag: set if the signed result overflows, e.g. 2147483647 + 1 = -2147483648
▸ Sign Flag: set if the operation result is negative (sign bit is 1), e.g. 0 - 1 = -1

Slide 16

Slide 16 text

cmp eax, ebx
Unsigned integers                      Signed integers
ZF      CF      result                 EFLAGS                       result
FALSE   TRUE    eax <  ebx             sign flag != overflow flag   eax <  ebx
FALSE   FALSE   eax >  ebx             sign flag == overflow flag   eax >  ebx
TRUE    FALSE   eax == ebx             ZF == True                   eax == ebx
Compare does not care whether the operands are signed or unsigned: every flag is set, and the Jcc instruction decides which flags to look at.

Slide 17

Slide 17 text

Jcc
Unsigned integers
  JA    Jump if above              JNBE  Jump if not below or equal (= JA)
  JAE   Jump if above or equal     JNB   Jump if not below (= JAE)
  JB    Jump if below              JNAE  Jump if not above or equal (= JB)
  JBE   Jump if below or equal     JNA   Jump if not above (= JBE)
Signed integers
  JG    Jump if greater            JNLE  Jump if not less or equal (= JG)
  JGE   Jump if greater or equal   JNL   Jump if not less (= JGE)
  JL    Jump if less               JNGE  Jump if not greater or equal (= JL)
  JLE   Jump if less or equal      JNG   Jump if not greater (= JLE)
Ordinary
  JE    Jump if equal              JNE   Jump if not equal
  JMP   Does not care, just jumps
Others
  JC    Jump if carry flag set     JS    Jump if sign flag set     and many more...
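As an added example (not from the slides), here is a C model of the flags `cmp` leaves behind and of the Jcc conditions in the tables above; the names flags_t and x86_cmp32 are this example's own. It shows that one operand pair can satisfy JA (unsigned) and JL (signed) at the same time, which is why the jump mnemonic, not cmp, gives the comparison its meaning.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of the flags "cmp a, b" leaves behind: the CPU computes a - b,
 * throws the result away and keeps only the flags. (Added example; types and
 * function names are this example's own, not the slides'.) */
typedef struct { int zf, cf, sf, of; } flags_t;

flags_t x86_cmp32(uint32_t a, uint32_t b) {
    uint32_t r = a - b;                      /* 32-bit wraparound, like the register */
    flags_t f;
    f.zf = (r == 0);                         /* Zero Flag: result is 0 */
    f.cf = (a < b);                          /* Carry Flag: borrow beyond bit 31 */
    f.sf = (r >> 31) & 1;                    /* Sign Flag: sign bit of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;  /* Overflow Flag: a and b differ in sign
                                                and the result's sign differs from a's */
    return f;
}

/* Jcc conditions, one function per mnemonic family in the Jcc table */
int ja (flags_t f) { return !f.cf && !f.zf; }         /* unsigned a >  b */
int jae(flags_t f) { return !f.cf; }                  /* unsigned a >= b */
int jb (flags_t f) { return  f.cf; }                  /* unsigned a <  b */
int jbe(flags_t f) { return  f.cf || f.zf; }          /* unsigned a <= b */
int jg (flags_t f) { return !f.zf && f.sf == f.of; }  /* signed   a >  b */
int jge(flags_t f) { return  f.sf == f.of; }          /* signed   a >= b */
int jl (flags_t f) { return  f.sf != f.of; }          /* signed   a <  b */
int jle(flags_t f) { return  f.zf || f.sf != f.of; }  /* signed   a <= b */
int je (flags_t f) { return  f.zf; }                  /* equal */
int jne(flags_t f) { return !f.zf; }                  /* not equal */

int main(void) {
    /* 0xFFFFFFFF is 4294967295 unsigned but -1 signed: JA and JL are both taken */
    uint32_t pairs[][2] = { {0xFFFFFFFFu, 1}, {0, 1}, {0x7FFFFFFFu, 0xFFFFFFFFu}, {5, 5} };
    for (int i = 0; i < 4; i++) {
        flags_t f = x86_cmp32(pairs[i][0], pairs[i][1]);
        printf("cmp 0x%08x, 0x%08x: ZF=%d CF=%d SF=%d OF=%d  ja=%d jb=%d jg=%d jl=%d je=%d\n",
               (unsigned)pairs[i][0], (unsigned)pairs[i][1], f.zf, f.cf, f.sf, f.of,
               ja(f), jb(f), jg(f), jl(f), je(f));
    }
    return 0;
}
```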

Slide 18

Slide 18 text

Instruction

Slide 19

Slide 19 text

Instruction

Slide 20

Slide 20 text

Instruction
Intel syntax: think of it as ebx = 100
AT&T syntax: think of it as 100 -> ebx

Slide 21

Slide 21 text

ABEX'S CRACKME #1

Slide 22

Slide 22 text

HELLO

Slide 23

Slide 23 text

HELLO: Program entry point -> stub code -> main; the entry point is not main

Slide 24

Slide 24 text

HELLO: ways to find the key code
▸ Just scroll through it
▸ Search for constants: a string or a magic number
▸ Break on API
▸ Break in API (runtime packer / protector)

Slide 25

Slide 25 text

BABY STEP

Slide 26

Slide 26 text

Control flow graph
▸ One node represents one BB (Basic Block)
▸ A BB has exactly one entry point and one exit point
▸ A BB is a sequence of instructions
▸ Executing one instruction in a BB implies that the other instructions in the same BB have already been executed or are about to be executed (ignoring exceptions)

Slide 27

Slide 27 text

▸ This is an unremarkable BB (Basic Block)
Control flow graph
    mov edi, offset s    ; "Do the right thing"
    call _puts
    jmp short loc_4008AB

Slide 28

Slide 28 text

▸ This is a BB that does not know where it is going yet
Control flow graph
    mov eax, [rbp+var_7C]
    movsxd rbx, eax
    lea rax, [rbp+ptr]
    mov rdi, rax
    call _strlen
    cmp rbx, rax
    jb short loc_400838
    (true branch / false branch)

Slide 29

Slide 29 text

▸ This is a BB that walks back the way it came
Control flow graph
    cmp rbx, rax
    jb short loc_400838
    (true branch / false branch)
    add rbx, 1
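An added example, not from the slides: a C implementation of the leader rule that splits a constructed instruction list into basic blocks and records each block's successors, reproducing the three kinds of BB shown on slides 27-29 (the straight-line block, the conditional branch and the loop that walks back). The instruction records, addresses and the insn_t/bb_t types are constructed for this example; calls are not treated as block ends, matching the slide-27 block that contains a call.

```c
#include <stdio.h>
/* Instruction record for the slides' CFG idea (constructed for this added example).
 * kind: 0 = no jump, 1 = unconditional jmp, 2 = conditional jcc (jb, jae, jne, ...) */
typedef struct { unsigned addr; const char *text; int kind; unsigned target; } insn_t;
typedef struct { int first, last, nsucc; unsigned succ[2]; } bb_t;  /* indices into code[] */

/* Leader rule: the first instruction, every jump target and the instruction right after
 * a jump each start a new BB, which is what gives a BB one entry and one exit. */
int build_cfg(const insn_t *code, int n, bb_t *bbs) {
    unsigned char leader[64] = {0};                             /* n must be <= 64 here */
    int nb = 0;
    leader[0] = 1;
    for (int i = 0; i < n; i++) {
        if (code[i].kind == 0) continue;
        if (i + 1 < n) leader[i + 1] = 1;                       /* instruction after a jump */
        for (int j = 0; j < n; j++)
            if (code[j].addr == code[i].target) leader[j] = 1;  /* the jump's target */
    }
    for (int i = 0; i < n; i++) {                               /* cut the code at leaders */
        if (leader[i]) { bbs[nb].first = bbs[nb].last = i; bbs[nb].nsucc = 0; nb++; }
        else bbs[nb - 1].last = i;
    }
    for (int b = 0; b < nb; b++) {                              /* successors of each BB */
        const insn_t *last = &code[bbs[b].last];
        if (last->kind != 0) bbs[b].succ[bbs[b].nsucc++] = last->target;   /* taken edge */
        if (last->kind != 1 && bbs[b].last + 1 < n)                        /* not-taken edge */
            bbs[b].succ[bbs[b].nsucc++] = code[bbs[b].last + 1].addr;
    }
    return nb;
}
/* Constructed sample: a counting loop in the style of slides 28-29; addresses are made up. */
const insn_t sample[] = {
    {0x1000, "mov rbx, 0",         0, 0},
    {0x1007, "cmp rbx, rax",       0, 0},
    {0x100a, "jae short loc_1020", 2, 0x1020},  /* the BB that does not know where it goes */
    {0x100c, "add rbx, 1",         0, 0},
    {0x1010, "jmp short loc_1007", 1, 0x1007},  /* the BB that walks back */
    {0x1020, "mov edi, offset s",  0, 0},
    {0x1025, "call _puts",         0, 0},       /* the unremarkable straight-line BB */
};
bb_t g_bbs[32];
int demo_cfg(void) {   /* splits sample[] and returns the number of BBs found */
    int nb = build_cfg(sample, (int)(sizeof sample / sizeof sample[0]), g_bbs);
    for (int b = 0; b < nb; b++)
        printf("BB%d: 0x%x..0x%x  %d successor(s)\n", b, sample[g_bbs[b].first].addr,
               sample[g_bbs[b].last].addr, g_bbs[b].nsucc);
    return nb;
}
```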

Slide 30

Slide 30 text

C

Slide 31

Slide 31 text

C compile walkthrough
  HelloWorld.c --(Preprocessor)--> HelloWorld.i --(Compiler)--> HelloWorld.s --(Assembler)--> HelloWorld.o --(Linker, together with Library / *.obj)--> HelloWorld
  Preprocess -> Compile -> Assemble -> Link
  What I pictured when I had just learned C: HelloWorld.c -> HelloWorld

Slide 32

Slide 32 text

C: if

Slide 33

Slide 33 text

C: if / else

Slide 34

Slide 34 text

PRACTICE