2020 交大程式安全：逆向工程上課講義－第一週(第三段)

Transcript

1. ৽஛ਓ࠷Ѫٯ޲ ޻ఔ terrynini38514 terrynini

2. WHO AM I ?

3. 附上⼈權指數 ID : Terrynini38514 ▸ ᪑զ༗ᴍख़ɿ 
 ٯٯ
   ▸ ᪑զຑ٢ຑɿ

   
 ᅳཱަ௨େላ
   
   
   -"#
   
 ࢿిҫ٬ᢛ҆શ੽࢜ላҐላఔ௠ఊӉ
   ▸ ᜗ඍೳ፤ိਧత౦੢ɿ 
 
   ೥ۚ६ᘋף܉ 
 
   
   'JSF&ZF
   'MBSF
   0O
   $IBMMFOHF
   ഁ୆
   ▸ $5'
   5FBNɿ 
 %PVCMF4JHNBʢቮ጗ૺ
   #BMTO
   ซ吞Խ࡞ଖ݂೑ʣ 
 #BMTO  3 ᔒরยՄ༻
   ٹ໋

4. BABY STEP 4UBDL
   
   'SBNF  4 low memory address high memory

   address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000 eax: 0x20 0x20 bossA_want 0xfec 0xfe0

5. BABY STEP 4UBDL
   
   'SBNF  5 low memory address high memory

   address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000 eax: 0x20 0x20 bossA_want 0xfec SKIP SOME OPERATIONS ! //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 0xfe0

6. BABY STEP 4UBDL
   
   'SBNF  6 low memory address high memory

   address highlight means RIP points to here 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000 0x20 bossA_want 0xfec 0xfe0

7. BABY STEP 4UBDL
   
   'SBNF  7 low memory address high memory

   address highlight means RIP points to here esp -> ebp -> 0xfe0 0xff8 0x20 bossA_want 0xfec

8. BABY STEP 4UBDL
   
   'SBNF  8 low memory address high memory

   address highlight means RIP points to here esp -> ebp -> 0xfe0 0xff8 0x20 bossA_want 0xfec just for alignment 0xfd4

9. BABY STEP 4UBDL
   
   'SBNF  9 low memory address high memory

   address highlight means RIP points to here esp -> ebp -> 0xfe0 0xff8 0x20 bossA_want 0xfec just for alignment 0xfd4 0x20 0xfd0

10. BABY STEP 4UBDL
    
    'SBNF  10 low memory address high memory

    address highlight means RIP points to here esp -> just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0

11. BABY STEP 4UBDL
    
    'SBNF  11 low memory address high memory

    address just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0 esp ->

12. BABY STEP 4UBDL
    
    'SBNF  12 low memory address high memory

    address esp -> just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0 0xff8 old ebp 0xfc8

13. BABY STEP 4UBDL
    
    'SBNF  13 low memory address high memory

    address just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0 0xff8 old ebp 0xfc8 esp -> ebp -> leave = mov esp, ebp 
 pop ebp

14. BABY STEP 4UBDL
    
    'SBNF  14 low memory address high memory

    address just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0 leave = mov esp, ebp 
 pop ebp 0xff8 old ebp 0xfc8 esp -> ebp ->

15. BABY STEP 4UBDL
    
    'SBNF  15 low memory address high memory

    address just for alignment 0xfd4 0x20 0xfd0 0x80484ff return address 0xfcc 0xfe0 esp -> ret = pop eip

16. BABY STEP 4UBDL
    
    'SBNF  16 low memory address high memory

    address highlight means RIP points to here esp -> just for alignment 0xfd4 0x20 0xfd0 0xfe0

17. BABY STEP 4UBDL
    
    'SBNF  17 highlight means RIP points to

    here low memory address high memory address 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000 0x20 bossA_want 0xfec 0xfe0

18. BABY STEP 4UBDL
    
    'SBNF  18 highlight means RIP points to

    here low memory address high memory address 0x40 0x8048536 return address main's ebp old ebp esp -> ebp -> 0xff8 0xffc 0x1000 0x20 bossA_want 0xfec 0xfe0 leave = mov esp, ebp 
 pop ebp

19. BABY STEP 4UBDL
    
    'SBNF  19 highlight means RIP points to

    here low memory address high memory address 0x40 0x8048536 return address main's ebp old ebp esp -> 0xff8 0xffc 0x1000 leave = mov esp, ebp 
 pop ebp ebp ->

20. BABY STEP 4UBDL
    
    'SBNF  20 highlight means RIP points to

    here low memory address high memory address 0x40 0x8048536 return address esp -> 0xff8 0xffc 0x1000

21. BABY STEP 4UBDL
    
    'SBNF  21 prologue epilogue

22. BABY STEP $BMMJOH
    $POWFOUJPO
    
    DEFDM  22 caller pop stack from right

    to left low memory address high memory address 1 0x8048536 return address main's ebp old ebp ebp -> 0xff8 0x1000 2 3 ༝
    DBMMFS
    ਗ਼ۭ
    TUBDL
    ൺֱ༰қመ࡞
    QSJOUG
    ೭ྨతෆఆ௕ҾᏐവࣜ

23. BABY STEP $BMMJOH
    $POWFOUJPO
    
    TUEDBMM
    XJOBQJ
    VTF
    UIJT
    DPOWFOUJPO  23 callee pop stack ༝
    DBMMFF
    ਗ਼ۭ
    TUBDL
    ൺֱઅলۭؒ

24. BABY STEP $BMMJOH
    $POWFOUJPO
    
    GBTUDBMM  24 put first two args in

    regs put rest args on stack callee pop stack

25. BABY STEP $BMMJOH
    $POWFOUJPO
    
    UIJTDBMM  25 put "this" in ecx

26. BABY STEP Y@
    $BMMJOH
    $POWFOUJPO windows function(rcx, rdx, r8, r9)  26

    Linux function(rdi, rsi, rdx, rcx, r8, r9) ೗ՌჩᏐ௒ա
    
    ݸ࣌ɼ௒աతಉ
    Y
    DBMMJOH
    DPOWFOUJPOɼ௚઀์
    TUBDL XJOEPXT
    ์తҐஔཁ஫ҙҰԼ

27. OPTIMIZATION

28. OPTIMIZATION $POTUBOU
    'PMEJOH  28 i = 320 * 200 *

    32; >> i = 2048000; (example from wiki)

29. OPTIMIZATION $POTUBOU
    1SPQBHBUJPO
    
    'PMEJOH  29 >> >> (example from wiki)

30. OPTIMIZATION 5BJM
    $BMM  30 >> (example from wiki)

31. OPTIMIZATION 4PNF
    NBHJD
    USJDL  31

32. OPTIMIZATION 4PNF
    NBHJD
    USJDL  32 edx:eax = input*0x38e38e39 edx = (input*0x38e38e39)>>33

    eax = input >> 31 edx = edx - eax

33. OPTIMIZATION 4PNF
    NBHJD
    USJDL  33

34. CLASS & STRUCT

35. DEMO

36. CLASS & STRUCT .FNP
    GPS
    EFNP OBNF
    NBOHMJOH
    ੒һؒሣᴡऔ
    NJO TJ[FPG NFNCFS QBDL
    

    ݁ߏ࠷ޙሣᴡऔ
    NJO NBY.FNCFS4J[F
    QBDL
    ቕ౟݁ߏෆҎ੔ᱪ௕౓ိܭࢉɼࣕੋҎ֘݁ߏॴ࢖༻తሣᴡ值ိሣᴡ
    ҝྃመݱଟଶɼDMBTT
    తୈҰݸ
    NFNCFS
    ။ࢦ޲
    WUBCMF  36

37. BYEBYE Լिओ୊ ▸ Anti-Debug & Anti-Analyze ▸ PE-File format ▸

    PE related trick  37