逆逆_忍術_F5_消失之術_.pdf

Transcript

1. 逆 DoubleSigma Terrynini 逆逆！忍術！Ｆ5消失之術

2. 下忍之卷常識篇

3. 逆 $ C 語言程式編譯流程 #include<stdio.h> int main(){ puts(“Hello world”); return

   0; } Preprocess gcc -E hello.c -o hello.i hello.c hello.i tepedef .. .. .. .. .. .. .. . . .. . #include<stdio.h> int main(){ puts(“Hello world”); return 0; } Preprocessor

4. 逆 $ C 語言程式編譯流程 typedef .. .. .. .. ..

   .. .. . . .. . #include<stdio.h> int main(){ puts(“Hello world”); return 0; } Compile gcc -S hello.c -o hello.s hello.i hello.s subq $16, %rsp leaq L_.str(%rip), %rdi movl $0, -4(%rbp) callq _puts xorl %ecx, %ecx movl %eax, -8(%rbp) movl %ecx, %eax addq $16, %rsp popq %rbp retq Compiler

5. 逆 $ C 語言程式編譯流程 Assemble gcc -c hello.c -o hello.o

   hello.s hello.o ^ELF^B^A^A^@^@^@^@^ @^@^@^@^@^A^@>^@^A^ @^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@¸ ^B^@^@^@^@^@^@^@^@^ @^@@^@^@^@^@^@@^@^M ^@^L^@UH<89>åH<8d>= ^@^@^@^@è^@^@^@^@¸^ @^@^@^@]ÃS^@^@GCC Assembler subq $16, %rsp leaq L_.str(%rip), %rdi movl $0, -4(%rbp) callq _puts xorl %ecx, %ecx movl %eax, -8(%rbp) movl %ecx, %eax addq $16, %rsp popq %rbp retq

6. 逆 $ C 語言程式編譯流程 Link(Dynamic) hello.o hello ^ELF^B^A^A^@^@^@^@^ @^@^@^@^@^A^@>^@^A^ @^@^@^@^@^@^@^@^@^@

   ^@^@^@^@^@^@^@^@^@¸ ^B^@^@^@^@^@^@^@^@^ @^@@^@^@^@^@^@@^@^M ^@^L^@UH<89>åH<8d>= ^@^@^@^@è^@^@^@^@¸^ @^@^@^@]ÃS^@^@GCC Linker ^ELF^B^A^A^@^@^@^@^ @^@^@^@^@^A^@>^@^A^ @^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@¸ ^B^@^@^@^@^@^@^@^@^ @^@@^@^@^@^@^@@^@^M ^@^L^@UH<89>åH<8d>= ^@^@^@^@è^@^@^@^@¸^ @^@^@^@]ÃS^@^@GCC gcc hello.c -o hello 加上-m32 編成 32bit 版本

7. 逆 memory 0xde 0xad 0xbe 0xef 0x12 0x34 0x56 0x78

   RAM high address low address basic unit is Byte

8. 逆 memory 0xde 0xad 0xbe 0xef 0x12 0x34 0x56 0x78

   RAM high address low address basic unit is Byte char -> 1 byte int -> 4 bytes long long int -> 8 bytes 2 bytes -> 1 word 2 word -> 1 dword 2 dword -> 1 qword d means double q means quadruple 通常在x86和x86-64下

9. 逆 memory 0 0 0 0 ? ? ? ?

   RAM high address low address !!? int a = 4207849484; (0xfaceb00c)

10. 逆 memory 0 0 0 0 0xfa 0xce 0xb0 0x0c

    RAM high address low address 0xfa 0xce 0xb0 0x0c 高位 低位 Little endian

11. 逆 memory 0xfaceb00c RAM 0 0 0 0 0 0xfa

    0xce 0xb0 0x0c RAM 簡化 ???????? ???????? 0xfffec1b4 0xfffec1b5 0xfffec1b6 0xfffec1ba 0xfffec1bb 0xfffec1b7 0xfffec1b8 0xfffec1b9 0xfffec1b4 0xfffec1b8

12. 逆 pointer int a = 0x1234; int *b = &a;

    0x1234 0xffedc6f4 a 0xffedc6f4 0xffedc500 b

13. 逆 pointer * 取值 & 取址 0x1234 0xffedc6f4 a 0xffedc6f4

    0xffedc500 b a = 0x1234 b = 0xffedc6f4 &a = 0xffedc6f4 &b = 0xffedc500 *b = 0x1234 *a segment fault

14. 逆 pointer int a = 0x1234; int *b = &a;

    0xffedc6f4 ???????? RAM 0xffedc6f4 ???????? 0x1234 0xffedc500 a = 0x1234 b = 0xffedc6f4 &a = 0xffedc6f4 &b = 0xffedc500 *b = 0x1234

15. 下忍之卷工具篇

16. 逆 $ 二進制檔案 strings hello /lib64/ld-linux-x86-64.so.2 libc.so.6 puts __cxa_finalize __libc_start_main

    GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable AWAVI AUATL []A\A]A^A_ hello world ;*3$"

17. 逆 $ 二進制檔案 xxd hello 00000000: 7f45 4c46 0201 0100

    0000 0000 0000 0000 .ELF............ 00000010: 0300 3e00 0100 0000 3005 0000 0000 0000 ..>.....0....... 00000020: 4000 0000 0000 0000 6821 0000 0000 0000 @.......h!...... 00000030: 0000 0000 4000 3800 0900 4000 2200 2100 [email protected]...@.”.!. 00000040: 0600 0000 0400 0000 4000 0000 0000 0000 ........@....... 00000050: 4000 0000 0000 0000 4000 0000 0000 0000 @.......@....... 00000060: f801 0000 0000 0000 f801 0000 0000 0000 ................ 00000070: 0800 0000 0000 0000 0300 0000 0400 0000 ................ 00000080: 3802 0000 0000 0000 3802 0000 0000 0000 8.......8....... 00000090: 3802 0000 0000 0000 1c00 0000 0000 0000 8............... 000000a0: 1c00 0000 0000 0000 0100 0000 0000 0000 ................ 000000b0: 0100 0000 0500 0000 0000 0000 0000 0000 ................ 000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 000000d0: 3808 0000 0000 0000 3808 0000 0000 0000 8.......8....... offset hex ascii

18. 逆 $ 二進制檔案 objdump -d hello -M intel hello: file

    format elf32-i386 Disassembly of section .init: 00000378 <_init>: 378: 53 push ebx 379: 83 ec 08 sub esp,0x8 37c: e8 9f 00 00 00 call 420 <__x86.get_pc_thunk.bx> 381: 81 c3 57 1c 00 00 add ebx,0x1c57 387: 8b 83 1c 00 00 00 mov eax,DWORD PTR [ebx+0x1c] 38d: 85 c0 test eax,eax 38f: 74 05 je 396 <_init+0x1e> 391: e8 42 00 00 00 call 3d8 <__gmon_start__@plt> 396: 83 c4 08 add esp,0x8 399: 5b pop ebx 39a: c3 ret offset machine code assembly in intel syntax

19. 逆 $ 二進制檔案 readelf -a hello ELF Header: Magic: 7f

    45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: DYN (Shared object file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x3e0 Start of program headers: 52 (bytes into file) Start of section headers: 6056 (bytes into file) Flags: 0x0

20. 逆 $ 二進制檔案 ltrace ./hello puts("hello world"hello world ) =

    12 +++ exited (status 0) +++ ltrace = library call tracer

21. 逆 $ 二進制檔案 strace ./hello execve("./hello", ["./hello"], 0x7fff729c99f0 /* 64

    vars */) = 0 brk(NULL) = 0x5574b4488000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=121489, ...}) = 0 mmap(NULL, 121489, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3f61a6d000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3f61a6b000 mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3f61473000 mprotect(0x7f3f6165a000, 2097152, PROT_NONE) = 0 trace system calls and signals

22. 實戰時間

23. 下忍之卷解剖篇 下載程式範例，或是最後一頁有附

24. 逆 $ 從逆向學逆向 gcc -O0 -m32 -no-pie nini_01.c -o nini_01

    no optimization 32-bit don’t produce position independent executable

25. 逆 x86 calling convention 000004fa <main>: 4fa: 55 push ebp

    4fb: 89 e5 mov ebp,esp 4fd: 6a 06 push 0x6 4ff: 6a 01 push 0x1 501: e8 e7 ff ff ff call 4ed <add> 506: 83 c4 08 add esp,0x8 509: b8 00 00 00 00 mov eax,0x0 50e: c9 leave 50f: c3 ret 由右而左把參數依序推上堆疊 add(1,6);

26. 逆 x86 calling convention 000004fa <main>: 4fa: 55 push ebp

    4fb: 89 e5 mov ebp,esp 4fd: 6a 06 push 0x6 4ff: 6a 01 push 0x1 501: e8 e7 ff ff ff call 4ed <add> 506: 83 c4 08 add esp,0x8 509: b8 00 00 00 00 mov eax,0x0 50e: c9 leave 50f: c3 ret 6 1 6 1 6 <main> <main> <main>

27. 逆 x86 calling convention 6 1 <add>

28. 逆 x86 calling convention 1 + 6 1 <add>

29. 逆 x86 calling convention 6 1 + 6 <add>

30. 逆 x86 calling convention 000004fa <main>: 4fa: 55 push ebp

    4fb: 89 e5 mov ebp,esp 4fd: 6a 06 push 0x6 4ff: 6a 01 push 0x1 501: e8 e7 ff ff ff call 4ed <add> 506: 83 c4 08 add esp,0x8 509: b8 00 00 00 00 mov eax,0x0 50e: c9 leave 50f: c3 ret 6 1 6 6 1 <add> <add> <add>

31. 逆 x86 calling convention 000004ed <add>: 4ed: 55 push ebp

    4ee: 89 e5 mov ebp,esp 4f0: 8b 55 08 mov edx,DWORD PTR [ebp+0x8] 4f3: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 4f6: 01 d0 add eax,edx 4f8: 5d pop ebp 4f9: c3 ret What !? Where is the pop you said ??

32. 逆 x86 calling convention RAM OS Stack Heap BSS Data

    Text image base High address Low address

33. 逆 x86 calling convention 6 1 RAM OS Heap BSS

    Data Text image base High address Low address 6 1

34. 逆 x86 calling convention ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ????????

    0xfffec1b8 0xfffec000 0xfffec1cc 1 6 ebp ebp = 0xfffec1cc *ebp = 0xfffec000 ebp + 0x8 = 0xfffec1b4 ebp + 0xc = 0xfffec1b8 0xffec1cc Dword ptr [ebp] = 0xfffec000

35. 逆 x86 calling convention 0xff 0xfe 0xc0 0x00 RAM 0xfffec1cc

    0xfffec1cd 0xfffec1ce 0xfffec1cf ebp 0xffec1cc Byte ptr [ebp] = 0x00 word ptr [ebp] = 0xc000 Dword ptr [ebp] = 0xfffec000

36. 逆 x86 calling convention 注意！ 以下情況在使用浮點數時有所不同

37. 逆 x86 calling convention 000004ed <add>: push ebp mov ebp,esp

    mov edx,DWORD PTR [ebp+0x8] mov eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ???????? 0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax ?????? edx ??????

38. 逆 x86 calling convention ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ????????

    0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax ?????? edx 1 000004ed <add>: push ebp mov ebp,esp mov edx,DWORD PTR [ebp+0x8] mov eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret

39. 逆 x86 calling convention push ebp mov ebp,esp mov edx,DWORD

    PTR [ebp+0x8] mov eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ???????? 0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax 6 edx 1

40. 逆 push ebp mov ebp,esp mov edx,DWORD PTR [ebp+0x8] mov

    eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret x86 calling convention ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ???????? 0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax 6 edx 1 7

41. 逆 x86 calling convention push ebp mov ebp,esp mov edx,DWORD

    PTR [ebp+0x8] mov eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret eax 6 edx 1 + = 7 eax 7 eax = eax + edx

42. 逆 push ebp mov ebp,esp mov edx,DWORD PTR [ebp+0x8] mov

    eax,DWORD PTR [ebp+0xc] add eax,edx pop ebp ret x86 calling convention ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ???????? 0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax 7 edx 1

43. 逆 x86 calling convention ???????? RAM ???????? 0xfffec1b4 0xfffec1b0 ????????

    0xfffec1b8 0xfffec000 0xfffec1ac 1 6 ebp 0xfffec1ac eax 7 return value 統一放 eax

44. 逆 $ 從逆向學逆向 gcc -O0 -m32 -no-pie nini_02.c -o nini_02

45. 逆 stack frame 804846e: 6a 06 push 0x6 8048470: 6a

    01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 RAM ??????? ebp esp 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c ebp 0xfffec1b8 esp 0xfffec1b8

46. 逆 stack frame 804846e: 6a 06 push 0x6 8048470: 6a

    01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 RAM ??????? ebp esp 6 ebp 0xfffec1b8 esp 0xfffec1b4 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

47. 逆 stack frame 804846e: 6a 06 push 0x6 8048470: 6a

    01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 RAM ??????? ebp esp 6 1 ebp 0xfffec1b8 esp 0xfffec1b0 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

48. 逆 stack frame 804846e: 6a 06 push 0x6 8048470: 6a

    01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 RAM ??????? ebp esp 6 1 0x8048477 ebp 0xfffec1b8 esp 0xfffec1ac 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

49. 逆 stack frame 08048426 <add>: 8048426: push ebp 8048427: mov

    ebp,esp 8048429: sub esp,0x10 804842c: mov eax,DWORD PTR [ebp+0x8] 804842f: add eax,eax 8048431: mov DWORD PTR [ebp-0x8],eax 8048434: mov edx,DWORD PTR [ebp+0xc] 8048437: mov eax,edx 8048439: add eax,eax 804843b: add eax,edx 804843d: mov DWORD PTR [ebp-0x4],eax 8048440: mov edx,DWORD PTR [ebp-0x8] 8048443: mov eax,DWORD PTR [ebp-0x4] 8048446: add eax,edx 8048448: leave 8048449: ret RAM ??????? ebp esp 6 1 0x8048477 ebp 0xfffec1b8 esp 0xfffec1ac 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

50. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 ebp 0xfffec1b8 esp 0xfffec1a8 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

51. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 ebp 0xfffec1a8 esp 0xfffec1a8 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

52. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer ebp 0xfffec1a8 esp 0xfffec198 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

53. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret ebp 0xfffec1a8 esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer eax 1 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

54. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret ebp 0xfffec1a8 esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer eax 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

55. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret ebp 0xfffec1a8 esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer eax 2 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

56. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret edx 6 esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer eax 2 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c ebp 0xfffec1a8

57. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 6 eax 6 ebp 0xfffec1a8

58. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 6 eax 0xc ebp 0xfffec1a8

59. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 6 eax 0x12 ebp 0xfffec1a8

60. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 6 eax 0x12 ebp 0xfffec1a8

61. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 2 eax 0x12 ebp 0xfffec1a8

62. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 2 eax 0x12 ebp 0xfffec1a8

63. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret esp 0xfffec198 RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c edx 2 eax 0x14 ebp 0xfffec1a8

64. 逆 stack frame RAM ??????? ebp esp 6 1 0x8048477

    0xfffec1b8 Local variable buffer 2 0x12 leave = mov esp, ebp pop ebp 08048426 <add>: push ebp mov ebp,esp sub esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx leave ret 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

65. 逆 08048426 <add>: push ebp mov ebp,esp sub esp,0x10 mov

    eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx mov esp,ebp pop ebp ret stack frame RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 leave = mov esp, ebp pop ebp 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

66. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx mov esp,ebp pop ebp ret esp 0xfffec1a8 RAM ??????? ebp esp 1 0x8048477 0xfffec1b8 Local variable buffer eax 0x14 2 0x12 ebp 0xfffec1a8 6 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

67. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx mov esp,ebp pop ebp ret esp 0xfffec1ac RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer eax 0x14 2 0x12 ebp 0xfffec1b8 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

68. 逆 stack frame 08048426 <add>: push ebp mov ebp,esp sub

    esp,0x10 mov eax,DWORD PTR [ebp+0x8] add eax,eax mov DWORD PTR [ebp-0x8],eax mov edx,DWORD PTR [ebp+0xc] mov eax,edx add eax,eax add eax,edx mov DWORD PTR [ebp-0x4],eax mov edx,DWORD PTR [ebp-0x8] mov eax,DWORD PTR [ebp-0x4] add eax,edx mov esp,ebp pop ebp ret RAM ??????? ebp esp 6 1 0x8048477 0xfffec1b8 Local variable buffer 2 0x12 ret = pop eip (illegal) 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c OR ret = jmp DWORD PTR [esp]

69. 逆 stack frame RAM ??????? ebp esp 6 1 0x8048477

    0xfffec1b8 Local variable buffer 2 0x12 eip 0x8048477 804846e: 6a 06 push 0x6 8048470: 6a 01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c

70. 逆 stack frame RAM ??????? ebp esp 6 1 0x8048477

    0xfffec1b8 Local variable buffer 2 0x12 804846e: 6a 06 push 0x6 8048470: 6a 01 push 0x1 8048472: e8 af ff ff ff call 8048426 <add> 8048477: 83 c4 08 add esp,0x8 0xfffec1b4 0xfffec1b0 0xfffec1b8 0xfffec1ac 0xfffec1a8 0xfffec1a4 0xfffec1a0 0xfffec198 0xfffec19c esp 0xfffec1b8 ebp 0xfffec1b8

71. 逆 register esp 0xfffec1a8 eax 0x14 ebp 0xfffec1a8 eip 0x804847a

    所以這些東西在哪裡呢？

72. 逆 0xfffec1c8 0x14 0xfffec1c8 0x804847a 在CPU 裡面以硬體的方式實作,如正反器 register

73. 逆 EAX EBX ECX EDX ESI EDI ESP EBP EIP

    register ax bx cx dx AL AH BL BH CL CH DL DH 32bit 16bit 8bit

74. 逆 register $ nasm -f elf32 nini_03.asm 32-bit elf (executable

    linkable format) $ gcc -m32 -nostdlib nini_03.o -o nini_03 dont use standard library

75. 逆 Number 0xffffffff -1 4294967295 int unsigned int

76. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 20181214

77. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 11111110110011000000111100100001 flip all bits 20181214

78. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 11111110110011000000111100100001 flip all bits 20181214

    11111110110011000000111100100010 +1

79. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 11111110110011000000111100100001 flip all bits 20181214

    11111110110011000000111100100010 +1 0xfecc0f22 hex

80. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 11111110110011000000111100100001 flip all bits 20181214

    0x133f0de hex 11111110110011000000111100100010 +1 0xfecc0f22 hex

81. 逆 Number 00000001001100111111000011011110 binary number(4bytes) 11111110110011000000111100100001 flip all bits 20181214

    0x133f0de hex 11111110110011000000111100100010 +1 0xfecc0f22 hex + = 0

82. 逆 Ｃontrol Flow $ gcc -O0 -m32 -no-pie nini_04.c -o

    nini_04

83. 逆 Ｃontrol Flow signed unsigned common ja: jump if above

    jb: jump if below jae: jump if above or equal jbe: jump if below or equal jna: jump if not above jnb: jump if not below jnae: jump if not above or equal jnbe: jump if not below or equal jg: jump if greater jl: jump if less jge: jump if greater or equal jbe: jump if less or equal jng: jump if not greater jnl: jump if not less jnge: jump if not greater or equal jnle: jump if not less or equal je: jump if equal jne: jump if not equal jmp: shut up! jump!

84. 逆 RAX RBX RCX RDX RSI RDI RSP RBP RIP

    EAX x86-64 register ax bx cx dx AL AH 64bit 32bit EBX BL BH ECX CL CH EDX DL DH

85. 逆 x86 calling convention 用暫存器傳參，太多才放堆疊 這是linux下的calling convention printf(“%c: %d %d

    %d %d”, arg2, arg3, arg4, arg5, arg6); rdi rsi rdx rcx r8 r9

86. 實戰時間

87. 下忍之卷分析篇

88. 逆 分析 靜態 動態 IDA Binary ninja radare2 objdump Ｈopper

    gdb ollydbg x64dbg windbg bochs

89. 逆 分析 IDA 去官網載freeware版本 x64dbg 開源軟體，某些功能不夠強可以找得到插件 gdb gnu debugger,強大. radare2

    開源軟體,指令列式的分析工具,也有圖形介面

90. 逆 分析 介紹檔案結構會讓你痛苦不堪 我們從IDA來學習必要的部份 import, export, string table, debug symbol,

    segment

91. 實戰時間 patch

92. 麵非麵 下忍之卷特級廚師篇

93. 逆 麵非麵 loader _start _libc_start_main main _libc_csu_init exit

94. 實戰時間

95. 下忍之卷檔案篇

96. 逆 $ magic number file jojo.png jojo.png: PNG image data,

    2880 x 1800, 8-bit/color RGBA, non-interlaced 透過事先建立好的特徵來分辨檔案 格式可以透過 man magic 查看

97. 逆 magic number magic number 基本上是一些特徵值, 直接被規定是某個數字, 就像魔術一樣的直接變出來, 如 MZ,0x7fELF,GIF89a

98. 實戰時間

99. 下忍之卷暗號篇

100. 逆 加密與編碼 不需要key的視為編碼(encode), 如 base64 是因為字元在傳輸或表達上會造成問題, 所以需要先編碼 A 0 0

     0 0 0 1 1 0 B 0 0 0 0 1 0 1 0 C 0 0 0 0 1 1 1 0 Q U J D

101. 逆 加密與編碼 xor, 快速簡單有效
 簡直像化成灰,認都認不出來

102. 逆 加密與編碼 plaintext: bo55man69 key: \00
 cipher: bo55man69 例外：

103. 逆 加密與編碼 plaintext: StarbustStream key: modohiyaku
 cipher: >\x1b\x05\x1d\n\x1c\n\x158\x01\x1f\n\x05\x02

104. 逆 加密與編碼 但若獲取足夠長的密文, 可以從詞頻分析取得幾乎正確或完全正確的key, 而某些特定格式的檔案可以直接取得部份或全部key

105. 下忍之卷大蛇篇

106. 逆 大蛇 面對trivial又大量的任務, 你需要一條有各種套件的蛇, 組譯,反組譯,跑模擬,呼叫系統api

107. 實戰時間

108. 逆 到這裡還有時間就教別的

109. 逆 範例程式

110. 逆 #include <stdio.h> int add(int a, int b){ return a+b;

     } int main(){ add(1, 6); } nini_01.c

111. 逆 #include <stdio.h> int add(int a, int b){ int ma

     = a*2; int mb = b*3; return ma+mb; } int main(){ printf("%d", add(1,6)); } nini_02.c

112. 逆 global _start section .text _start: mov eax, 0x12345678 mov

     ax, 0 mov ax, 0x5678 sub al, 0x77 sub al, 2 add al, 0x79 nini_03.asm

113. 逆 void flow3(){ int a = 36; int bread =

     36; if( a + bread == 92){ puts(" Yummy "); }else{ puts(" Cheap "); } } int main(){ flow1(); flow2(); flow3(); return 0; } nini_04.c #include <stdio.h> void flow1(){ int Z = -100; int B = 100; if( Z > B){ puts(" Z > B !!!!!" ); }else{ puts(" Z > B !!!!!" ); } } void flow2(){ unsigned int DINDIN = 577566; unsigned int KERKER = 580820; if (KERKER >= DINDIN){ puts(" NINBO !! xuan ju wu xiao no jutsu"); } else{ puts(" impossible "); } }