finishing touches on presentation

This commit is contained in:
2024-02-06 20:02:01 +01:00
parent e33df5cb42
commit 5df3832489


@@ -196,9 +196,8 @@
\only<1-2> { \only<1-2> {
\begin{itemize} \begin{itemize}
\item Use \lstinline{COPY} to generate \lstinline{mov}, overflow into modifier bits \item Use \lstinline{COPY} to generate \lstinline{mov}, overflow into modifier bits
\item Register id constraints: $\text{reg1\_id} = 0\text{b}0\text{xxx}, \text{reg2\_id}=0\text{b}1\text{xxx}$ \item Register id constraints: $\text{\textcolor{ForestGreen}{reg1\_id}} = 0\text{b}0\text{xxx}, \text{\textcolor{blue}{reg2\_id}}=0\text{b}1\text{xxx}$
\item[$\Rightarrow$] But can rename registers freely \item Example: \texttt{mov \textcolor{ForestGreen}{rax}, \textcolor{blue}{r8}} $\Rightarrow$ \texttt{mov [\textcolor{ForestGreen}{rax}], \textcolor{blue}{r8}}
\item Example: \texttt{mov [\textcolor{ForestGreen}{rax}], \textcolor{blue}{r8}}
\end{itemize} \end{itemize}
\begin{center} \begin{center}
@@ -220,6 +219,8 @@
\textcolor<2>{ForestGreen}{0} \& \textcolor<2>{ForestGreen}{0} \&
\textcolor<2>{ForestGreen}{0} \\ \textcolor<2>{ForestGreen}{0} \\
}; };
\draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}] (modrm-1-1.south west) -- (modrm-1-8.south east) node[midway, below=14pt] {ModR/M Byte};
\end{tikzpicture} \end{tikzpicture}
\end{center} \end{center}
} }
@@ -230,20 +231,41 @@
\item Actually: \lstinline{mov reg1, 0; add reg1, [reg2]} \item Actually: \lstinline{mov reg1, 0; add reg1, [reg2]}
\item Use same trick as for write \item Use same trick as for write
\item There exists multiple opcodes for add\footnote{Also for most other standard x86 operations.}, for example: \item There exists multiple opcodes for add\footnote{Also for most other standard x86 operations.}, for example:
\item Opcode $= 0x1$: \lstinline{mov [reg1], reg2} \item Opcode $= 0x1$: \lstinline{add [reg2], reg1}
\item Opcode $= 0x3$: \lstinline{mov reg1, [reg2]} \item Opcode $= 0x3$: \lstinline{add reg1, [reg2]}
\end{itemize} \end{itemize}
} }
\item Stack access \item Stack access
\only<4> { \only<4-5> {
\begin{itemize} \begin{itemize}
\item Another overflow, but this time into \lstinline{reg2_id} \item Achieved by overflow into \lstinline{reg2_id}
\item Can create \lstinline{reg2_id + 1}, using reg1\_id = $0\text{b}1$xxx \item \lstinline{COPY G, B} should be compiled to: \lstinline{mov r8, rbx}
\item Id of \lstinline{rsp} is $0\text{b}0100$ \item<5> Actually compiled: \lstinline{mov r8, rsp}
\item[$\Rightarrow$] For \lstinline{COPY G, B} is actually \lstinline{mov r8, rsp} generated \end{itemize}
\item Combined allow those primitives unlimited access to the stack \begin{center}
\end{itemize} \begin{tikzpicture}
\matrix (modrm) [
below=20pt of rex,
matrix of nodes,
nodes={draw, minimum size=18pt, anchor=center},
column sep=-\pgflinewidth,
row sep=-\pgflinewidth,
ampersand replacement=\&
] {
1 \&
1 \&
\textcolor<5>{red}{\alt<5>{1}{0}} \&
\textcolor<5>{red}{\alt<5>{0}{1}} \&
\textcolor<5>{red}{\alt<5>{0}{1}} \&
\textcolor<5>{blue}{0} \&
\textcolor<5>{blue}{0} \&
\textcolor<5>{blue}{0} \\
};
\draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}] (modrm-1-1.south west) -- (modrm-1-8.south east) node[midway, below=14pt] {ModR/M Byte};
\end{tikzpicture}
\end{center}
} }
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@@ -255,9 +277,8 @@
\item Leak activation key \item Leak activation key
\only<2>{ \only<2>{
\begin{itemize} \begin{itemize}
\item Activation key is stored in a variable in the binary \item Activation key is located in the binary
\item The provided program returns into the binary after execution \item Use stack access primitive to leak return address
\item Use stack access primitive to leak the return address
\item Use arbitrary read primitive to leak the key byte by byte \item Use arbitrary read primitive to leak the key byte by byte
\end{itemize} \end{itemize}
} }
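Review bot: `Opcode $= 0x1$` and `$= 0x3$` in the @@ -230,20 +231,41 @@ hunk set the hex literal in math mode, so the `x` is typeset as an italic variable with operator spacing instead of as part of the literal. Putting the literal in code font, `\item Opcode $=$ \texttt{0x1}: \lstinline{add [reg2], reg1}`, matches the `\lstinline` styling of the instruction on the same line and of `\lstinline{reg2_id}` on the new stack-access lines; the binary patterns `0\text{b}0\text{xxx}` in the first hunk have the same mismatch and could become `\texttt{0b0xxx}`. The ModR/M tikzpicture added for the `\only<4-5>` overlay repeats the earlier one almost verbatim (same matrix options and the identical brace `\draw` line), so a preamble macro taking the eight cell contents would keep the two diagrams from drifting apart when one is adjusted. Both frames begin outside their hunks.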