NTUSTxTDOH Information Security Fundamentals Workshop: Basic Reverse Engineering Training
TRANSCRIPT

TEEMO KNOWS BINARY
TDOH x TAIWAN TECH 2015/11/29
aaaddress1
SELF INTRODUCTION
➤ 馬聖豪 (aaaddress1)
➤ Second-year student, Computer Science and Information Engineering, I-Shou University
➤ Reverse Engineering Skills
  ➤ Windows / Mac OS / Android
➤ TDoHacker Core Member
➤ HITCON 2015 CMT:
  ➤ AIDS
  ➤ x86 靜態手花詐欺術 (x86 static hand-crafted deception techniques)
➤ Wooyun WhiteHat: x86 手花詐欺 (x86 hand-crafted deception)
➤ Feng Chia University 2015 Mobile Computing Conference: AIDS
➤ National Cheng Kung University 2015 Mobile App Competition

SELF INTRODUCTION
➤ Hack BOT
➤ CrackShield / MapleHack
➤ Tower Of Savior
➤ FaceBook: Adr's FB
➤ Isu Hack
➤ 競時通 anti-crash PING
➤ CSharp, VB, C/CPlus, x86, Python, Smali, Swift
OUTLINE
➤ main() is not the real main
➤ OllyDBG: Baby First (Exam)
➤ Return-oriented Programming
➤ Overflow: Revo Wolf (Exam)
➤ Fuzzing
  ➤ Make a fuzzer in C++
  ➤ How to fuzz with Z3
SWEET REMINDER
Tool: https://goo.gl/4sJRtB
Exam: https://goo.gl/xUYkoz
REALLY MAIN
_start
Parameter Data

REALLY MAIN
➤ Label "_start" is the real main.
➤ The CRT startup code (CRTStartUp) is loaded at label "_start" (to initialize RTC, new/delete, args, etc.).
➤ Finding the programmer's main (normal C++ compile):
  ➤ Find the address that calls GetCommandLine.
  ➤ Find the address that calls exit() or cexit().
  ➤ The programmer's main function is called between them.
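An added example (not from the slides) of the three-step recipe above, applied to a constructed OllyDbg-style listing; every address, the main target 00401000 and the setup helper are hypothetical.

```python
import re

# Constructed excerpt of an MSVC-style startup routine, in the
# "address  instruction  ; comment" form a debugger listing shows.
# Every address and target here is hypothetical.
LISTING = """\
00401230  push ebp
00401231  mov ebp, esp
00401233  call dword ptr [<&KERNEL32.GetCommandLineA>]
00401239  mov [0040A000], eax
0040123E  call 00401500                      ; argv/envp setup (hypothetical)
00401243  push dword ptr [0040A008]          ; envp
00401249  push dword ptr [0040A004]          ; argv
0040124F  push dword ptr [0040A00C]          ; argc
00401255  call 00401000                      ; <- the programmer's main
0040125A  push eax                           ; main's return value
0040125B  call <JMP.&MSVCRT.exit>
"""

INSN_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s*([^;]*)")


def parse(listing):
    """Yield (address, mnemonic, operand) tuples, dropping the ; comments."""
    for line in listing.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()


def find_main_call(listing):
    """Locate main by the slide's recipe: it is the last direct call that
    sits between the GetCommandLine call and the exit call, and the
    instruction right after it hands EAX (main's return value) to exit.
    Returns (call_site, main_address) or None."""
    insns = list(parse(listing))
    start = next((i for i, (_, mn, op) in enumerate(insns)
                  if mn == "call" and "getcommandline" in op.lower()), None)
    end = next((i for i, (_, mn, op) in enumerate(insns)
                if mn == "call" and "exit" in op.lower()), None)
    if start is None or end is None or end <= start:
        return None
    for i in range(end - 1, start, -1):
        addr, mn, op = insns[i]
        if mn == "call" and re.fullmatch(r"[0-9A-Fa-f]{8}", op):
            # Direct call whose result is passed on to exit (push eax / mov ecx, eax).
            following = insns[i + 1][1] + " " + insns[i + 1][2]
            if "eax" in following:
                return addr, int(op, 16)
    return None


if __name__ == "__main__":
    site, main_addr = find_main_call(LISTING)
    print("main is called at %08X and lives at %08X" % (site, main_addr))
```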
DEMO
Olly Debugger: Really Main

EXAM
Olly Debugger: Baby First
& Take a break!
ROP
Return-oriented Programming

WE NEED TO KNOW MORE BEFORE ROP

X86 CALLING CONVENTION
& STACK FRAMES

ROP
[EBP+0 ] = Pointer to old EBP
[EBP+4 ] = Return Address
[EBP+8 ] = First Parameter
[EBP+C ] = Second Parameter
[EBP+10] = Third Parameter
…etc
[EBP+8 + 4*index] = Parameter[index]
ROP
    void func() {
        int a = 0;
        int b = 1;
        int c = 2;
    }
[EBP - 4] = 0
[EBP - 8] = 1
[EBP - C] = 2
    push ebp
    mov ebp, esp
    sub esp, LEN

ROP
    void func() {
        nFunc(arg1, arg2, arg3, …);
    }
    push ebp
    mov ebp, esp
    .
    .
    push arg3
    push arg2
    push arg1
    call nFunc
ROP

WHY?
ROP: stack walk-through, one state per slide (ESP marks the top of the stack, EIP the instruction being executed)

1. Empty frame:
   ESP+0 | ESP+4 | ESP+8 | ESP+C | ESP+10 | ESP+14 (all empty)
2. After push ebp (EIP here):
   ESP+0 = Old EBP
3. After mov ebp, esp:
   EBP+0 = ESP = Old EBP
4. After sub esp, 8 (room for a local buffer):
   EBP-8 = ESP = Buffer | EBP-4 = Buffer | EBP+0 = Old EBP
5. After push 1 (the argument for nFunc):
   EBP-8 = ESP = 1 | EBP-4 = Buffer | EBP+0 = Buffer | EBP+4 = Old EBP
6. After call nFunc (the CPU pushes the return address):
   EBP-8 = ESP = return Address | EBP-4 = 1 | EBP+0 = Buffer | EBP+4 = Buffer | EBP+8 = Old EBP
7. After push ebp inside nFunc:
   EBP-8 = ESP = EBP | EBP-4 = return Address | EBP+0 = 1 | EBP+4 = Buffer | EBP+8 = Buffer | EBP+C = Old EBP
8. After mov ebp, esp inside nFunc, relabelled from the new EBP:
   EBP+0 = ESP = EBP | EBP+4 = return Address | EBP+8 = 1 | EBP+C = Buffer | EBP+10 = Buffer | EBP+14 = Old EBP
   (so [EBP+4] is the return address and [EBP+8] is the first parameter, exactly as in the table above)
9. After pop ebp (leaving nFunc):
   EBP-8 = ESP = return Address | EBP-4 = 1 | EBP+0 = Buffer | EBP+4 = Buffer | EBP+8 = Old EBP
10. After ret (the return address is popped into EIP):
   EBP-4 = ESP = 1 | EBP+0 = Buffer | EBP+4 = Buffer | EBP+8 = Old EBP
11. After the caller removes the argument:
   EBP+0 = ESP = Buffer | EBP+4 = Buffer | EBP+8 = Old EBP
LET'S PLAY WITH BEEF
OVERFLOW

BOF
OVERFLOW AND RIP…

BUFFER OVERFLOW
➤ We can only look at the application; we cannot modify it.
➤ So how do we exploit it?
➤ Overflow local variables (EBP+N are good friends to us).
➤ Do something to get control of EIP/RIP.
BUFFER OVERFLOW
[EBP-8] [EBP-10]

BUFFER OVERFLOW
How to let data == "admin"?
BUFFER OVERFLOW: stack walk-through, one state per slide

1. Empty stack.
2. After push ebp (EIP here):
   ESP = Old EBP
3. After mov ebp, esp:
   EBP = ESP = Old EBP
4. After the two 8-byte locals are reserved:
   EBP-10 = Buffer
   EBP-C  = Buffer
   EBP-8  = 0x6C6C6548 = "lleH"
   EBP-4  = 0x0000216F = "\x00\x00!o"
   EBP = ESP = Old EBP
   Variable "name" is the 8 bytes at EBP-10 and EBP-C (where the input is stored).
   Variable "data" is the 8 bytes at EBP-8 and EBP-4 (the two dwords read "Hello!" once the little-endian byte order is undone).
5. If you input "aaaa":
   EBP-10 = aaaa | EBP-C = Buffer | EBP-8 = lleH | EBP-4 = \x00\x00!o
6. If you input "aaaaBBBB":
   EBP-10 = aaaa | EBP-C = BBBB | EBP-8 = lleH | EBP-4 = \x00\x00!o
7. If you input "OVERFLOW":
   EBP-10 = REVO | EBP-C = WOLF | EBP-8 = lleH | EBP-4 = \x00\x00!o

IF WE INPUT MORE WORDS…?
MAGIC!

8. If you input "OVERFLOWoverflow":
   EBP-10 = REVO | EBP-C = WOLF | EBP-8 = revo | EBP-4 = wolf
9. So we can input "AAAAAAAAadmin":
   EBP-10 = AAAA | EBP-C = AAAA | EBP-8 = imda | EBP-4 = \x00\x00\x00n
   and data == "admin".
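An added Python 3 model (not the slides' program) of the frame above: name at EBP-0x10, data at EBP-8 holding "Hello!", then the saved EBP and return address with constructed placeholder values. unsafe_read copies the way gets()/scanf("%s") would, safe_read the way a bounded fgets() would, and dump renders the rows the way the slides draw them.

```python
import struct

# Simulated frame of the slides' vulnerable function (constructed layout):
#   EBP-0x10 .. EBP-0x9   char name[8]   <- user input is read here
#   EBP-0x8  .. EBP-0x1   char data[8]   = "Hello!"  (0x6C6C6548, 0x0000216F on the slides)
#   EBP+0    saved EBP, EBP+4 return address, then 8 bytes of the caller's frame.
LOCALS = 0x10
NAME_OFF, DATA_OFF, EBP_OFF, RET_OFF = 0x0, 0x8, 0x10, 0x14
SAVED_EBP, RET_ADDR = 0x0028FF88, 0x00401234      # constructed placeholder values


def new_frame():
    frame = bytearray(0x20)
    frame[DATA_OFF:DATA_OFF + 8] = b"Hello!\x00\x00"
    struct.pack_into("<II", frame, EBP_OFF, SAVED_EBP, RET_ADDR)
    return frame


def cstr(buf):
    """Read a NUL-terminated C string out of a byte slice."""
    return bytes(buf).split(b"\x00")[0].decode("latin-1")


def data_value(frame):
    return cstr(frame[DATA_OFF:DATA_OFF + 8])


def return_address(frame):
    return struct.unpack_from("<I", frame, RET_OFF)[0]


def unsafe_read(frame, user_input):
    """gets()/scanf("%s")-style copy: the whole input plus its NUL lands in name,
    so anything past 8 bytes overwrites data, then saved EBP, then the return address."""
    payload = user_input + b"\x00"
    if NAME_OFF + len(payload) > len(frame):
        raise ValueError("input runs off the simulated stack")
    frame[NAME_OFF:NAME_OFF + len(payload)] = payload
    return data_value(frame)


def safe_read(frame, user_input):
    """fgets(name, sizeof name, stdin)-style copy: at most 7 bytes plus NUL."""
    payload = user_input[:7] + b"\x00"
    frame[NAME_OFF:NAME_OFF + len(payload)] = payload
    return data_value(frame)


def dump(frame):
    """Render the frame as the slides do: one dword per row, bytes shown reversed
    so the little-endian dword 0x6C6C6548 reads 'lleH'."""
    rows = []
    for off in range(0, len(frame), 4):
        dword = struct.unpack_from("<I", frame, off)[0]
        delta = off - LOCALS
        label = "EBP - %X" % -delta if delta < 0 else "EBP + %X" % delta
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in reversed(frame[off:off + 4]))
        rows.append("%-8s 0x%08X = %s" % (label, dword, text))
    return rows


if __name__ == "__main__":
    f = new_frame()
    print("\n".join(dump(f)))
    print("data after 'AAAAAAAAadmin':", unsafe_read(f, b"AAAAAAAAadmin"))
    print("\n".join(dump(f)))
```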
DANGER FUNCTIONS
#include <iostream>
printf, fprintf, snprintf, vprintf, …etc

DEMO
Overflow

EXAM
Overflow: Revo Wolf
& Take a break!

EXAM
Overflow: 7$ BUY TICKETS
& Take a break!

EXAM
Overflow: Lee Sin can Read
& Take a break!
FUZZING
Fuzzing the key with Z3.py

WHAT IS FUZZING?
"Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software."
From Wikipedia

When do we need to fuzz?
A. To prove that something is always true
B. Fuzzing for something unexpected
C. Fuckinnnnnnnnnnnnng Crypto
D. A lot of choices, find the one that is correct

FUZZING FOR WHAT?
You said: getting the key is easy?

YOU THINK REVERSING IS:
SOLVING PROBLEMS?
BRAIN FUCKING (O)
FUZZING
Key = adr
'a' = 0x61, 'd' = 0x64, 'r' = 0x72

FUZZING
Key = adr
0x00726461 = \x00\x72\x64\x61 = \x00adr

FUZZING
How to find the key matching the factors?
MAKE A MINI FUZZER
IN C PLUS PLUS

Check the current temp key.
0x20 to 0x7E: the visible ASCII character range.
Display it to us.

BUT… IF THE LENGTH OF THE KEY ISN'T JUST 3 CHARACTERS?
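An added Python 3 example, not the slides' C++ fuzzer, doing the same brute force: enumerate every 3-character key in the visible range 0x20 to 0x7E and keep those the check accepts, plus the slides' little-endian packing ("adr" -> 0x00726461). The check itself is a constructed stand-in for the one in the slide screenshots, chosen so that "adr" is the only key that passes.

```python
import itertools

# Constructed stand-in for the slides' key check: it relates the three key
# bytes a, d, r ("adr" = 0x61, 0x64, 0x72) and, in this form, accepts
# exactly one printable 3-byte key.
def check_key(a, d, r):
    return a * 3 + d == 0x187 and r - d == 0x0E and (a ^ r) == 0x13


def pack_key(key):
    """Pack a key little-endian into a dword the way the slides show: "adr" -> 0x00726461."""
    return int.from_bytes(key.encode("ascii").ljust(4, b"\x00"), "little")


def mini_fuzz(check, length=3, lo=0x20, hi=0x7E):
    """Try every visible-ASCII key of the given length and return the ones the check accepts."""
    hits = []
    for combo in itertools.product(range(lo, hi + 1), repeat=length):
        if check(*combo):
            hits.append(bytes(combo).decode("ascii"))
    return hits


def search_space(length, lo=0x20, hi=0x7E):
    """Number of candidates the loop above must try: 95**length, which is
    why a 3-char key is fine but a longer key calls for a solver instead."""
    return (hi - lo + 1) ** length


if __name__ == "__main__":
    for key in mini_fuzz(check_key):
        print("key = %s  packed = 0x%08X" % (key, pack_key(key)))
    for n in (3, 6, 8):
        print("length %d: %d candidates" % (n, search_space(n)))
```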
Z3
Prove Tool

Z3 BEGIN
➤ Get and install Python 2.7
  ✴ Z3.py script environment
  ✴ www.python.org
➤ You should be able to use Python at a basic level
➤ Get Z3.py for Windows
  ✴ Prove tool
  ✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows

Riddle
➤ No brain
➤ Very soft
➤ Poisonous hands
FUZZING (Z3)
Import the Z3 functions into your Python script, just like you #include <iostream> in C++.

FUZZING (Z3)
BitVec("Name", BitCount)
For example:
1. char a  => a = BitVec("a", 8)
2. short b => b = BitVec("b", 16)
3. int c   => c = BitVec("c", 32), or c = Int("c")
4. bool e  => e = BitVec("e", 8)

FUZZING (Z3)
solve(all rules): Z3 will automatically "fuzz" all the variables and find one result (JUST ONE RESULT!), then print the value of every variable.

FUZZING (Z3)
If you have a looooot of rules, you can use Solver().
Solver.add() remembers every rule you add.

FUZZING (Z3)
If you want to check whether the current rules can all hold at once, just use Solver.check().

FUZZING (Z3)
If Z3 cannot find any result, check() replies "unsat".

FUZZING (Z3)
If Z3 can find a result, check() replies "sat".

FUZZING (Z3)
Finally, if you get "sat", you can use Solver.model(); it holds one result.
Use model[variable] to get that variable's answer, and convert it to a string.

FUZZING (Z3)
So, how do we fuzz the key with Z3?
DEMO
Fuzzing with z3.py

EXAM
Fuzzing: ShacoBuysCrusts
& Take a Break!

EXAM
Fuzzing: AIS3 Final Exam Binary