Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Unicornを用いたDead Code除去
Search
@tkmru
March 20, 2017
0
230
Unicornを用いたDead Code除去
セキュリティ・キャンプ フォーラム 2017
@tkmru
March 20, 2017
Tweet
Share
More Decks by @tkmru
See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.5k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
330
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
170
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.4k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.5k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
890
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
200
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4.2k
めんどうくさいゲームセキュリティ
tkmru
20
11k
Featured
See All Featured
RailsConf 2023
tenderlove
30
1.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
GraphQLとの向き合い方2022年版
quramy
49
14k
Unsuck your backbone
ammeep
671
58k
Embracing the Ebb and Flow
colly
86
4.7k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
6
310
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
20
1.3k
Speed Design
sergeychernyshev
32
1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.3k
Bash Introduction
62gerente
613
210k
Transcript
UnicornΛ༻͍ͨDead Codeআڈ Security Camp Forum 2017 tkmruɹ
ࣗݾհ • ໊લ: ͚ͨ·Δ • ηΩϡϦςΟɾΩϟϯϓ શࠃେձ 2015 ଔۀੜ •
twitter ID: @tkmru • CTFνʔϜ: TomoriNao
Dead Codeͱ • Dead Code࣮ߦͯ͠ҙຯ͕ͳ͍ίʔυ • ΞϯνσόοάͷͨΊʹϚϧΣΞʹେྔʹDead Codeؚ͕·ΕΔ • ղੳͷোͱͳΔ
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 จࣈҎ֎Dead Code
ྫ) Themida(Packer) A Generic Approach to Automatic Deobfuscation of Executable
Code http://www.sysnet.ucsd.edu/~bjohanne/assets/papers/oakland2015.pdf
Nao(No-meaning Assembly Omiter) • Dead CodeআڈΛ͢ΔIDAϓϥάΠϯΛOSSͱͯ͠։ൃ • IDAPython • Unicorn(CPUΤϛϡϨʔλͷํ)
• https://github.com/tkmru/nao • ࣮ࡍʹΤϛϡϨʔλ্Ͱ࣮ߦ͢ΔͷͰɺߴ͍ਫ਼Ͱআ ڈͰ͖Δ • ෳͷΞʔΩςΫνϟʔʹରԠՄೳ
Unicornͱ • QEMU forkͷϚϧνϓϥοτϑΥʔϜɺϚϧνΞʔΩς ΫνϟͳCPUΤϛϡϨʔλ • όΠφϦղੳπʔϧ angrͰ༻͍ΒΕ͍ͯΔͷΛ͡ Ίɺ֤छπʔϧ։ൃͰΘΕ͍ͯΔ •
ηΩϡϦςΟք۾ͰͷOSS
Unicorn
Unicornͷshowcaseʹܝࡌ
ΞϧΰϦζϜ • IDAͷάϥϑϏϡʔʹදࣔ͞Ε͍ͯΔόΠφϦΛऔΓग़ ͢ • NOP໋ྩʹҰߦͣͭมߋ͠ɺUnicornΛ༻͍࣮ͯߦ • ࠷ऴతͳϨδελͷΛൺֱͯ͠அ • มߋ͞Ε͍ͯͨΒɺ݁ՌʹӨڹ͢ΔͷͰDead
Code Ͱͳ͍ • มߋ͞Ε͍ͯͳ͚Εɺ݁ՌʹӨڹ͍ͯ͠ͳ͍ͷͰɹ Dead CodeͰ͋Δͱஅ
؆୯ͳྫ x86 asm • mov eax, 0x100000 • shr eax,
0x10 • add eax, 0x913 • and eax, 0x1fff • mov ecx, eax • mov eax, 0x1918632 • and ecx, 0x600 • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800
؆୯ͳྫ x86 asm • mov eax, 0x100000 → nop •
shr eax, 0x10 → nop • add eax, 0x913 → nop • and eax, 0x1fff → nop • mov ecx, eax → nop • mov eax, 0x1918632 • and ecx, 0x600 → nop • mov ecx, 0x800 ݁Ռ eax: 0x1918632 ecx: 0x800 ফڈͯ݁͠ՌʹӨڹ͕ͳ͍ͷͰDead CodeͱஅͰ͖Δ
σϞ
͓ΘΓʹ • ಈ࡞ʹ͕͋ΔͷͰɺ·ͩमਖ਼͍ͯ͘͠ • Unicornͷ࡞ऀʹධՁͯ͠Β͑ͯΑ͔ͬͨ • ղੳऀͷิॿͱͳΔΑ͏ͳπʔϧΛOSSͱͯ͠ࠓޙ࡞ Γଓ͚͍͖͍ͯͨ
tkmru
tenderlove
eileencodes
quramy
ammeep
colly
swwweet
tammyeverts
honnibal
sergeychernyshev
panda_program
garrettdimon
62gerente
