2020 交大程式安全：逆向工程上課講義－第一週(第二段)

Transcript

1. ৽஛ਓ࠷Ѫٯ޲ ޻ఔ terrynini38514 terrynini

2. WHO AM I ?

3. 附上⼈權指數 ID : Terrynini38514 ▸ ᪑զ༗ᴍख़ɿ 
 ٯٯ
   ▸ ᪑զຑ٢ຑɿ

   
 ᅳཱަ௨େላ
   
   
   -"#
   
 ࢿిҫ٬ᢛ҆શ੽࢜ላҐላఔ௠ఊӉ
   ▸ ᜗ඍೳ፤ိਧత౦੢ɿ 
 
   ೥ۚ६ᘋף܉ 
 
   
   'JSF&ZF
   'MBSF
   0O
   $IBMMFOHF
   ഁ୆
   ▸ $5'
   5FBNɿ 
 %PVCMF4JHNBʢቮ጗ૺ
   #BMTO
   ซ吞Խ࡞ଖ݂೑ʣ 
 #BMTO  3 ᔒরยՄ༻
   ٹ໋

4. C 4XJUDI
   MFTT
   UIBO
   
   DBTF  4

5. C 4XJUDI
   NPSF
   UIBO
   
   DBTF
   PSEFSFE
   OPQJF  5

6. C 4XJUDI
   NPSF
   UIBO
   
   DBTF
   PSEFSFE
   QJF  6

7. C 4XJUDI
   NPSF
   UIBO
   
   DBTF
   PSEFSFE
   QJF  7 ▸ 補⼀張 jump

   table 在這裡

8. DEMO?

9. C 4XJUDI
   NPSF
   UIBO
   
   DBTF
   SBOEPN  9

10. DEMO?

11. C EPXIJMF
    MPPQ  11

12. C XIJMF
    MPPQ  12

13. C GPS
    MPPQ  13

14. PRACTICE-02

15. MEMORY

16. MEMORY &OEJBO  16 low memory address high memory address

    0x12345678 高位 低位 1 byte 1 byte 1 byte 1 byte 1 byte . . .

17. MEMORY &OEJBO  17 low memory address high memory address

    0x12 0x34 0x56 0x78 0x12345678 高位 低位

18. MEMORY -JUUMF&OEJBO  18 low memory address high memory address

    0x12 0x34 0x56 0x78 0x12345678 高位 低位 低位 高位

19. MEMORY -JUUMF&OEJBO  19 low memory address high memory address

    0x12 0x34 0x56 0x78 低位 高位 rax -> byte ptr [rax] word ptr [rax] 0x78 0x5678 0x12345678 dword ptr [rax] qword ptr [rax] oword ptr [rax]

20. STACK FRAME

21. BABY STEP 4UBDL
    
    'SBNF
    "CTUSBDUJPO  21 main's stack frame high

    memory address bossA's stack frame bossB's stack frame grows up toward 0 low memory address

22. BABY STEP 4UBDL
    
    'SBNF
    "CTUSBDUJPO  22 main's stack frame high

    memory address bossA's stack frame bossB's stack frame grows up toward 0 low memory address

23. BABY STEP 4UBDL
    
    'SBNF  23 low memory address high memory

    address highlight means RIP points to here ʢ၊ઃզ၇త༌ೖੋ
    Yʣ

24. BABY STEP 4UBDL
    
    'SBNF  24 low memory address high memory

    address highlight means RIP points to here 0x40 0x1000 esp -> ʢ၊ઃզ၇త༌ೖੋ
    Yʣ

25. BABY STEP 4UBDL
    
    'SBNF  25 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address 0xffc esp -> 0x1000

26. BABY STEP 4UBDL
    
    'SBNF  26 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address esp -> 0xffc 0x1000

27. BABY STEP 4UBDL
    
    'SBNF  27 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp 0xff8 esp -> 0xffc 0x1000

28. BABY STEP 4UBDL
    
    'SBNF  28 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000

29. BABY STEP 4UBDL
    
    'SBNF  29 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> buffer for bossA's local variables 0xfe0 0xff8 0xffc 0x1000

30. BABY STEP 4UBDL
    
    'SBNF  30 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> buffer for bossA's local variables 0xff8 0xffc 0x1000 eax: 0x40 0xfe0

31. BABY STEP 4UBDL
    
    'SBNF  31 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> buffer for bossA's local variables 0xff8 0xffc 0x1000 eax: 0x40 SKIP SOME OPERATIONS ! //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 0xfe0

32. BABY STEP 4UBDL
    
    'SBNF  32 low memory address high memory

    address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> buffer for bossA's local variables 0xff8 0xffc 0x1000 eax: 0x20 0xfe0