CTF-All-In-One/SUMMARY.md

# Summary

GitHub 地址：https://github.com/firmianay/CTF-All-In-One


* [简介](README.md)
* [前言](doc/0_preface.md)
* [一、基础知识篇](doc/1_basic.md)
  * [1.1 CTF 简介](doc/1.1_ctf.md)
  * [1.2 学习方法](doc/1.2_how_to_learn.md)
  * [1.3 Linux 基础](doc/1.3_linux_basic.md)
  * [1.4 Web 安全基础](doc/1.4_web_basic.md)
    * [1.4.1 HTML 基础](doc/1.4.1_html_basic.md)
    * [1.4.2 HTTP 协议基础](doc/1.4.2_http_basic.md)
    * [1.4.3 JavaScript 基础](doc/1.4.3_javascript_basic.md)
    * [1.4.4 常见 Web 服务器基础](doc/1.4.4_webserver_basic.md)
    * [1.4.5 OWASP Top Ten Project 漏洞基础](doc/1.4.5_owasp_basic.md)
    * [1.4.6 PHP 源码审计基础](doc/1.4.6_php_basic.md)
  * [1.5 逆向工程基础](doc/1.5_reverse_basic.md)
    * [1.5.1 C 语言基础](doc/1.5.1_c_basic.md)
    * [1.5.2 x86/x86-64 汇编基础](doc/1.5.2_x86&x64.md)
    * [1.5.3 Linux ELF](doc/1.5.3_elf.md)
    * [1.5.4 Windows PE](doc/1.5.4_pe.md)
    * [1.5.5 静态链接](doc/1.5.5_static_link.md)
    * [1.5.6 动态链接](doc/1.5.6_dynamic_link.md)
    * [1.5.7 内存管理](doc/1.5.7_memory.md)
    * [1.5.8 glibc malloc](doc/1.5.8_glibc_malloc.md)
    * [1.5.9 Linux 内核](doc/1.5.9_linux_kernel.md)
    * [1.5.10 Windows 内核](doc/1.5.10_windows_kernel.md)
  * [1.6 密码学基础](doc/1.6_crypto_basic.md)
    * [1.6.1 初等数论](doc/1.6.1_number_theory.md)
    * [1.6.2 近世代数](doc/1.6.2_modern_algebra.md)
    * [1.6.3 流密码](doc/1.6.3_stream_cipher.md)
    * [1.6.4 分组密码](doc/1.6.4_block_cipher.md)
    * [1.6.5 公钥密码](doc/1.6.5_public-key_crypto.md)
    * [1.6.6 哈希函数](doc/1.6.6_hash.md)
    * [1.6.7 数字签名](doc/1.6.7_digital_signature.md)
  * [1.7 Android 安全基础](doc/1.7_android_basic.md)
    * [1.7.1 Android 环境搭建](doc/1.7.1_android_env.md)
    * [1.7.2 Dalvik 指令集](doc/1.7.2_dalvik.md)
    * [1.7.3 ARM 汇编基础](doc/1.7.3_arm.md)
    * [1.7.4 Android 常用工具](doc/1.7.4_android_tools.md)
* [二、工具篇](doc/2_tools.md)
  * 虚拟化分析环境
    * [2.1.1 VirtualBox](doc/2.1.1_virtualbox.md)
    * [2.1.2 QEMU](doc/2.1.2_qemu.md)
    * [2.1.3 Docker](doc/2.1.3_docker.md)
    * [2.1.4 Unicorn](doc/2.1.4_unicorn.md)
  * 静态分析工具
    * [2.2.1 radare2](doc/2.2.1_radare2.md)
    * [2.2.2 IDA Pro](doc/2.2.2_idapro.md)
    * [2.2.3 JEB](doc/2.2.3_jeb.md)
    * [2.2.4 Capstone](doc/2.2.4_capstone.md)
    * [2.2.5 Keystone](doc/2.2.5_keystone.md)
  * 动态分析工具
    * [2.3.1 GDB](doc/2.3.1_gdb.md)
    * [2.3.2 OllyDbg](doc/2.3.2_ollydbg.md)
    * [2.3.3 x64dbg](doc/2.3.3_x64dbg.md)
    * [2.3.4 WinDbg](doc/2.3.4_windbg.md)
    * [2.3.5 LLDB](doc/2.3.5_lldb.md)
  * 其他工具
    * [2.4.1 pwntools](doc/2.4.1_pwntools.md)
    * [2.4.2 zio](doc/2.4.2_zio.md)
    * [2.4.3 metasploit](doc/2.4.3_metasploit.md)
    * [2.4.4 binwalk](doc/2.4.4_binwalk.md)
    * [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md)
    * [2.4.6 Wireshark](doc/2.4.6_wireshark.md)
* [三、分类专题篇](doc/3_topics.md)
  * Pwn
    * [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md)
    * [3.1.2 整数溢出](doc/3.1.2_integer_overflow.md)
    * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
    * [3.1.4 返回导向编程（ROP）（x86）](doc/3.1.4_rop_x86.md)
    * [3.1.5 返回导向编程（ROP）（ARM）](doc/3.1.5_rop_arm.md)
    * [3.1.6 Linux 堆利用（上）](doc/3.1.6_heap_exploit_1.md)
    * [3.1.7 Linux 堆利用（中）](doc/3.1.7_heap_exploit_2.md)
    * [3.1.8 Linux 堆利用（下）](doc/3.1.8_heap_exploit_3.md)
    * [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
    * [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
    * [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
    * [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
  * Reverse
  * Web
    * [3.3.1 SQL 注入利用](doc/3.3.1_sql_injection.md)
    * [3.3.2 XSS 漏洞利用](doc/3.3.2_xss.md)
  * Crypto
  * Misc
  * Mobile
* [四、技巧篇](doc/4_tips.md)
  * [4.1 Linux 内核调试](doc/4.1_linux_kernel_debug.md)
  * [4.2 Linux 命令行技巧](doc/4.2_Linux_terminal_tips.md)
  * [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
  * [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
  * [4.5 ROP 防御技术](doc/4.5_defense_rop.md)
  * [4.6 one-gadget RCE](doc/4.6_one-gadget_rce.md)
  * [4.7 通用 gadget](doc/4.7_common_gadget.md)
  * [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)
  * [4.9 patch 二进制文件](doc/4.9_patch_binary.md)
  * [4.10 反调试技术](doc/4.10_antidbg.md)
  * [4.11 指令混淆](doc/4.11_instruction_confusion.md)
  * [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md)
  * [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md)
  * [4.14 glibc tcache 机制](doc/4.14_glibc_tcache.md)
  * [4.15 利用 vsyscall 和 vDSO](doc/4.15_vsyscall_vdso.md)
* [五、高级篇](doc/5_advanced.md)
  * [5.0 软件漏洞分析](doc/5.0_vulnerability.md)
  * [5.1 模糊测试](doc/5.1_fuzzing.md)
    * [5.1.1 AFL fuzzer](doc/5.1.1_afl_fuzzer.md)
    * [5.1.2 libFuzzer](doc/5.1.2_libfuzzer.md)
  * [5.2 动态二进制插桩](doc/5.2_dyn_binary_instrumentation.md)
    * [5.2.1 Pin](doc/5.2.1_pin.md)
    * [5.2.2 DynamoRio](doc/5.2.2_dynamorio.md)
    * [5.2.3 Valgrind](doc/5.2.3_valgrind.md)
  * [5.3 符号执行](doc/5.3_symbolic_execution.md)
    * [5.3.1 angr](doc/5.3.1_angr.md)
    * [5.3.2 Triton](doc/5.3.2_triton.md)
    * [5.3.3 KLEE](doc/5.3.3_klee.md)
    * [5.3.4 S²E](doc/5.3.4_s2e.md)
  * [5.4 数据流分析](doc/5.4_dataflow_analysis.md)
    * [5.4.1 Soot](doc/5.4.1_soot.md)
  * [5.5 污点分析](doc/5.5_taint_analysis.md)
    * [5.5.1 动态污点分析](doc/5.5.1_dyn_taint_analysis.md)
  * [5.6 LLVM](doc/5.6_llvm.md)
    * [5.6.1 Clang](doc/5.6.1_clang.md)
  * [5.7 程序切片](doc/5.7_slicing.md)
  * [5.8 SAT/SMT](doc/5.8_sat-smt.md)
    * [5.8.1 Z3](doc/5.8.1_z3.md)
  * [5.9 基于模式的漏洞分析](doc/5.9_pattern_based_detection.md)
  * [5.10 基于二进制比对的漏洞分析](doc/5.10_diff_based_detection.md)
  * [5.11 反编译技术](doc/5.11_decompiling.md)
    * [5.11.1 RetDec](doc/5.11.1_retdec.md)
* [六、题解篇](doc/6_writeup.md)
  * Pwn
    * [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md)
    * [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md)
    * [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md)
    * [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md)
    * [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
    * [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
    * [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
    * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
    * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_pwn_rhme3_exploitation.md)
    * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_pwn_0ctf2017_babyheap2017.md)
    * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_pwn_9447ctf2015_search_engine.md)
    * [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md)
    * [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md)
    * [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md)
    * [6.1.15 pwn 34C3CTF2017 SimpleGC](doc/6.1.15_pwn_34c3ctf2017_simplegc.md)
    * [6.1.16 pwn HITBCTF2017 1000levels](doc/6.1.16_pwn_hitbctf2017_1000levels.md)
    * [6.1.17 pwn SECCONCTF2016 jmper](doc/6.1.17_pwn_secconctf2016_jmper.md)
    * [6.1.18 pwn HITBCTF2017 Sentosa](doc/6.1.18_pwn_hitbctf2017_sentosa.md)
    * [6.1.19 pwn HITBCTF2018 gundam](doc/6.1.19_pwn_hitbctf2018_gundam.md)
    * [6.1.20 pwn 33C3CTF2016 babyfengshui](doc/6.1.20_pwn_33c3ctf2016_babyfengshui.md)
    * [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md)
    * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md)
    * [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md)
  * Reverse
    * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
    * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
    * [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
    * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
    * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
    * [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md)
  * Web
    * [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md)
  * Crypto
  * Misc
  * Mobile
* [七、实战篇](doc/7_exploit.md)
  * CVE
    * [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](doc/7.1.1_tcpdump_2017-11543.md)
    * [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](doc/7.1.2_glibc_2015-0235.md)
    * [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](doc/7.1.3_wget_2016-4971.md)
    * [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
    * [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
    * [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
    * [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
  * Malware
* [八、学术篇](doc/8_academic.md)
  * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
  * [8.2 Return-Oriented Programming without Returns](doc/8.2_rop_without_returns.md)
  * [8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.3_rop_rootkits.md)
  * [8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.4_ropdefender.md)
  * [8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](doc/8.5_dop.md)
  * [8.6 Hacking Blind](doc/8.6_brop.md)
  * [8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses](doc/8.7_jit-rop_defenses.md)
  * [8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.8_dynamic_taint_analysis.md)
  * [8.9 Symbolic Execution for Software Testing: Three Decades Later](doc/8.9_symbolic_execution.md)
  * [8.10 AEG: Automatic Exploit Generation](doc/8.10_aeg.md)
  * [8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.11_aslp.md)
  * [8.12 ASLR on the Line: Practical Cache Attacks on the MMU](doc/8.12_aslr_on_the_line.md)
  * [8.13 New Frontiers of Reverse Engineering](doc/8.13_reverse_engineering.md)
  * [8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries](doc/8.14_detecting_memory_allocators.md)
  * [8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](doc/8.15_emulator_vs_real_phone.md)
  * [8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications](doc/8.16_dynalog.md)
  * [8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](doc/8.17_actual_used_permissions.md)
  * [8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](doc/8.18_malware_markov_chains.md)
  * [8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware](doc/8.19_droidnative.md)
  * [8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](doc/8.20_droidanalytics.md)
  * [8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks](doc/8.21_tracing_to_detect_spraying.md)
  * [8.22 Practical Memory Checking With Dr. Memory](doc/8.22_memory_checking.md)
  * [8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses](doc/8.23_current_anti-rop.md)
  * [8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization](doc/8.24_runtime_re-randomization.md)
* [九、附录](doc/9_appendix.md)
  * [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md)
  * [9.2 更多 Windows 工具](doc/9.2_wintools.md)
  * [9.3 更多资源](doc/9.3_books_blogs.md)
  * [9.4 Linux 系统调用表](doc/9.4_linux_syscall.md)
  * [9.5 幻灯片](doc/9.5_slides.md)
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								# Summary
-												add 4.9_patch_elf

											
										
										
											2017-11-30 18:54:38 +07:00
+								GitHub 地址：https://github.com/firmianay/CTF-All-In-One
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [简介](README.md)
-												plan to rewrite with latex and make pdf great again

											
										
										
											2017-12-14 09:21:13 +07:00
+								* [前言](doc/0_preface.md)
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [一、基础知识篇](doc/1_basic.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [1.1 CTF 简介](doc/1.1_ctf.md)
 								  * [1.2 学习方法](doc/1.2_how_to_learn.md)
 								  * [1.3 Linux 基础](doc/1.3_linux_basic.md)
 								  * [1.4 Web 安全基础](doc/1.4_web_basic.md)
-.4.1&1.4.2 merge request (#8)

* update 1.4.1

* update 1.4.1&1.4.2

* Update 1.4.2_http_basic.md

* 修改索引大小写

* Update 1.4.1_html_basic.md

* 修正格式

* Update 1.4.1_html_basic.md

* 修正格式

* 修正格式

* 修正格式

* Update 2.12_burpsuite.md

											
										
										
											2017-12-26 15:15:13 +07:00
+								    * [1.4.1 HTML 基础](doc/1.4.1_html_basic.md)
 								    * [1.4.2 HTTP 协议基础](doc/1.4.2_http_basic.md)
 								    * [1.4.3 JavaScript 基础](doc/1.4.3_javascript_basic.md)
 								    * [1.4.4 常见 Web 服务器基础](doc/1.4.4_webserver_basic.md)
 								    * [1.4.5 OWASP Top Ten Project 漏洞基础](doc/1.4.5_owasp_basic.md)
 								    * [1.4.6 PHP 源码审计基础](doc/1.4.6_php_basic.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [1.5 逆向工程基础](doc/1.5_reverse_basic.md)
 								    * [1.5.1 C 语言基础](doc/1.5.1_c_basic.md)
 								    * [1.5.2 x86/x86-64 汇编基础](doc/1.5.2_x86&x64.md)
 								    * [1.5.3 Linux ELF](doc/1.5.3_elf.md)
 								    * [1.5.4 Windows PE](doc/1.5.4_pe.md)
 								    * [1.5.5 静态链接](doc/1.5.5_static_link.md)
 								    * [1.5.6 动态链接](doc/1.5.6_dynamic_link.md)
 								    * [1.5.7 内存管理](doc/1.5.7_memory.md)
 								    * [1.5.8 glibc malloc](doc/1.5.8_glibc_malloc.md)
-												update 3.3.10

											
										
										
											2018-03-30 20:18:28 +07:00
+								    * [1.5.9 Linux 内核](doc/1.5.9_linux_kernel.md)
 								    * [1.5.10 Windows 内核](doc/1.5.10_windows_kernel.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [1.6 密码学基础](doc/1.6_crypto_basic.md)
 								    * [1.6.1 初等数论](doc/1.6.1_number_theory.md)
 								    * [1.6.2 近世代数](doc/1.6.2_modern_algebra.md)
 								    * [1.6.3 流密码](doc/1.6.3_stream_cipher.md)
 								    * [1.6.4 分组密码](doc/1.6.4_block_cipher.md)
 								    * [1.6.5 公钥密码](doc/1.6.5_public-key_crypto.md)
 								    * [1.6.6 哈希函数](doc/1.6.6_hash.md)
 								    * [1.6.7 数字签名](doc/1.6.7_digital_signature.md)
 								  * [1.7 Android 安全基础](doc/1.7_android_basic.md)
 								    * [1.7.1 Android 环境搭建](doc/1.7.1_android_env.md)
 								    * [1.7.2 Dalvik 指令集](doc/1.7.2_dalvik.md)
 								    * [1.7.3 ARM 汇编基础](doc/1.7.3_arm.md)
 								    * [1.7.4 Android 常用工具](doc/1.7.4_android_tools.md)
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [二、工具篇](doc/2_tools.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * 虚拟化分析环境
 								    * [2.1.1 VirtualBox](doc/2.1.1_virtualbox.md)
 								    * [2.1.2 QEMU](doc/2.1.2_qemu.md)
 								    * [2.1.3 Docker](doc/2.1.3_docker.md)
 								    * [2.1.4 Unicorn](doc/2.1.4_unicorn.md)
 								  * 静态分析工具
 								    * [2.2.1 radare2](doc/2.2.1_radare2.md)
 								    * [2.2.2 IDA Pro](doc/2.2.2_idapro.md)
 								    * [2.2.3 JEB](doc/2.2.3_jeb.md)
 								    * [2.2.4 Capstone](doc/2.2.4_capstone.md)
 								    * [2.2.5 Keystone](doc/2.2.5_keystone.md)
 								  * 动态分析工具
 								    * [2.3.1 GDB](doc/2.3.1_gdb.md)
 								    * [2.3.2 OllyDbg](doc/2.3.2_ollydbg.md)
 								    * [2.3.3 x64dbg](doc/2.3.3_x64dbg.md)
 								    * [2.3.4 WinDbg](doc/2.3.4_windbg.md)
 								    * [2.3.5 LLDB](doc/2.3.5_lldb.md)
 								  * 其他工具
 								    * [2.4.1 pwntools](doc/2.4.1_pwntools.md)
 								    * [2.4.2 zio](doc/2.4.2_zio.md)
 								    * [2.4.3 metasploit](doc/2.4.3_metasploit.md)
 								    * [2.4.4 binwalk](doc/2.4.4_binwalk.md)
 								    * [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md)
 								    * [2.4.6 Wireshark](doc/2.4.6_wireshark.md)
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [三、分类专题篇](doc/3_topics.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * Pwn
 								    * [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md)
 								    * [3.1.2 整数溢出](doc/3.1.2_integer_overflow.md)
 								    * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
 								    * [3.1.4 返回导向编程（ROP）（x86）](doc/3.1.4_rop_x86.md)
 								    * [3.1.5 返回导向编程（ROP）（ARM）](doc/3.1.5_rop_arm.md)
 								    * [3.1.6 Linux 堆利用（上）](doc/3.1.6_heap_exploit_1.md)
 								    * [3.1.7 Linux 堆利用（中）](doc/3.1.7_heap_exploit_2.md)
 								    * [3.1.8 Linux 堆利用（下）](doc/3.1.8_heap_exploit_3.md)
 								    * [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
 								    * [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
 								    * [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
 								    * [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
 								  * Reverse
 								  * Web
 								    * [3.3.1 SQL 注入利用](doc/3.3.1_sql_injection.md)
 								    * [3.3.2 XSS 漏洞利用](doc/3.3.2_xss.md)
 								  * Crypto
 								  * Misc
 								  * Mobile
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [四、技巧篇](doc/4_tips.md)
-												finish 8.2.2

											
										
										
											2018-04-12 21:16:00 +07:00
+								  * [4.1 Linux 内核调试](doc/4.1_linux_kernel_debug.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [4.2 Linux 命令行技巧](doc/4.2_Linux_terminal_tips.md)
 								  * [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
 								  * [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
-												emmm

											
										
										
											2018-03-18 15:45:52 +07:00
+								  * [4.5 ROP 防御技术](doc/4.5_defense_rop.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [4.6 one-gadget RCE](doc/4.6_one-gadget_rce.md)
 								  * [4.7 通用 gadget](doc/4.7_common_gadget.md)
 								  * [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)
-												update 4.10

											
										
										
											2018-03-24 00:05:55 +07:00
+								  * [4.9 patch 二进制文件](doc/4.9_patch_binary.md)
 								  * [4.10 反调试技术](doc/4.10_antidbg.md)
-												update 4.11

											
										
										
											2018-03-24 18:16:03 +07:00
+								  * [4.11 指令混淆](doc/4.11_instruction_confusion.md)
-												finish 6.1.13

											
										
										
											2018-04-09 00:12:57 +07:00
+								  * [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md)
-												add 6.1.15

											
										
										
											2018-04-14 19:52:17 +07:00
+								  * [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md)
 								  * [4.14 glibc tcache 机制](doc/4.14_glibc_tcache.md)
-												update

											
										
										
											2018-04-18 21:15:42 +07:00
+								  * [4.15 利用 vsyscall 和 vDSO](doc/4.15_vsyscall_vdso.md)
-												gitbook

											
										
										
											2017-08-11 23:24:19 +07:00
+								* [五、高级篇](doc/5_advanced.md)
-												update 5.0

											
										
										
											2018-03-28 21:51:35 +07:00
+								  * [5.0 软件漏洞分析](doc/5.0_vulnerability.md)
-												update

											
										
										
											2018-03-15 22:16:56 +07:00
+								  * [5.1 模糊测试](doc/5.1_fuzzing.md)
-												add 5.1.1

											
										
										
											2018-01-21 21:41:35 +07:00
+								    * [5.1.1 AFL fuzzer](doc/5.1.1_afl_fuzzer.md)
-												add 7.1.2

											
										
										
											2018-01-25 23:50:41 +07:00
+								    * [5.1.2 libFuzzer](doc/5.1.2_libfuzzer.md)
-												add new mds

											
										
										
											2018-03-24 18:51:04 +07:00
+								  * [5.2 动态二进制插桩](doc/5.2_dyn_binary_instrumentation.md)
 								    * [5.2.1 Pin](doc/5.2.1_pin.md)
 								    * [5.2.2 DynamoRio](doc/5.2.2_dynamorio.md)
 								    * [5.2.3 Valgrind](doc/5.2.3_valgrind.md)
-												change some files' name

											
										
										
											2018-02-06 13:30:35 +07:00
+								  * [5.3 符号执行](doc/5.3_symbolic_execution.md)
 								    * [5.3.1 angr](doc/5.3.1_angr.md)
 								    * [5.3.2 Triton](doc/5.3.2_triton.md)
 								    * [5.3.3 KLEE](doc/5.3.3_klee.md)
 								    * [5.3.4 S²E](doc/5.3.4_s2e.md)
-												add new mds

											
										
										
											2018-03-24 18:51:04 +07:00
+								  * [5.4 数据流分析](doc/5.4_dataflow_analysis.md)
-												update 5.4

											
										
										
											2018-03-31 20:27:09 +07:00
+								    * [5.4.1 Soot](doc/5.4.1_soot.md)
-												add new mds

											
										
										
											2018-03-24 18:51:04 +07:00
+								  * [5.5 污点分析](doc/5.5_taint_analysis.md)
 								    * [5.5.1 动态污点分析](doc/5.5.1_dyn_taint_analysis.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [5.6 LLVM](doc/5.6_llvm.md)
-												add new mds

											
										
										
											2018-03-24 18:51:04 +07:00
+								    * [5.6.1 Clang](doc/5.6.1_clang.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * [5.7 程序切片](doc/5.7_slicing.md)
-												add 1.6.* crypto

											
										
										
											2017-12-25 14:07:24 +07:00
+								  * [5.8 SAT/SMT](doc/5.8_sat-smt.md)
-												change some files' name

											
										
										
											2018-02-06 13:30:35 +07:00
+								    * [5.8.1 Z3](doc/5.8.1_z3.md)
-												update 5.0

											
										
										
											2018-03-28 21:51:35 +07:00
+								  * [5.9 基于模式的漏洞分析](doc/5.9_pattern_based_detection.md)
 								  * [5.10 基于二进制比对的漏洞分析](doc/5.10_diff_based_detection.md)
 								  * [5.11 反编译技术](doc/5.11_decompiling.md)
 								    * [5.11.1 RetDec](doc/5.11.1_retdec.md)
-												add new chapter 6

											
										
										
											2017-11-05 16:21:02 +07:00
+								* [六、题解篇](doc/6_writeup.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * Pwn
-												big change

											
										
										
											2017-11-23 20:32:22 +07:00
+								    * [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md)
 								    * [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md)
 								    * [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md)
 								    * [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md)
 								    * [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
 								    * [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
 								    * [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
-												add 6.1.8

											
										
										
											2017-12-09 09:35:26 +07:00
+								    * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
-												rename some writeups

											
										
										
											2018-04-08 08:43:42 +07:00
+								    * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_pwn_rhme3_exploitation.md)
 								    * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_pwn_0ctf2017_babyheap2017.md)
 								    * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_pwn_9447ctf2015_search_engine.md)
 								    * [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md)
 								    * [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md)
-												finish 6.1.13

											
										
										
											2018-04-09 00:12:57 +07:00
+								    * [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md)
-												add 6.1.15

											
										
										
											2018-04-14 19:52:17 +07:00
+								    * [6.1.15 pwn 34C3CTF2017 SimpleGC](doc/6.1.15_pwn_34c3ctf2017_simplegc.md)
-												add 6.1.18

											
										
										
											2018-04-21 11:02:03 +07:00
+								    * [6.1.16 pwn HITBCTF2017 1000levels](doc/6.1.16_pwn_hitbctf2017_1000levels.md)
-												add 6.1.17

											
										
										
											2018-04-19 13:37:37 +07:00
+								    * [6.1.17 pwn SECCONCTF2016 jmper](doc/6.1.17_pwn_secconctf2016_jmper.md)
-												add 6.1.18

											
										
										
											2018-04-21 11:02:03 +07:00
+								    * [6.1.18 pwn HITBCTF2017 Sentosa](doc/6.1.18_pwn_hitbctf2017_sentosa.md)
-												add 6.1.19

											
										
										
											2018-04-23 10:59:21 +07:00
+								    * [6.1.19 pwn HITBCTF2018 gundam](doc/6.1.19_pwn_hitbctf2018_gundam.md)
-												add 6.1.20

											
										
										
											2018-04-23 23:06:38 +07:00
+								    * [6.1.20 pwn 33C3CTF2016 babyfengshui](doc/6.1.20_pwn_33c3ctf2016_babyfengshui.md)
-												add 6.1.23 and fix

											
										
										
											2018-05-02 21:27:00 +07:00
+								    * [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md)
 								    * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md)
 								    * [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * Reverse
-												big change

											
										
										
											2017-11-23 20:32:22 +07:00
+								    * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
-												finish 4.5; add 6.2.2

											
										
										
											2017-11-28 16:12:21 +07:00
+								    * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
-												some fix

											
										
										
											2017-12-02 22:38:19 +07:00
+								    * [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
-												add 6.2.4

											
										
										
											2017-12-04 15:13:39 +07:00
+								    * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
-												add 6.2.5

											
										
										
											2017-12-05 18:06:40 +07:00
+								    * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
-												add 6.2.6

											
										
										
											2017-12-18 15:39:33 +07:00
+								    * [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * Web
-												update (#9)


											
										
										
											2018-01-11 20:30:41 +07:00
+								    * [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * Crypto
 								  * Misc
 								  * Mobile
-												add new chapter 7 exploit

											
										
										
											2017-12-07 08:30:58 +07:00
+								* [七、实战篇](doc/7_exploit.md)
-												fix

											
										
										
											2018-03-08 20:05:51 +07:00
+								  * CVE
 								    * [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](doc/7.1.1_tcpdump_2017-11543.md)
 								    * [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](doc/7.1.2_glibc_2015-0235.md)
 								    * [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](doc/7.1.3_wget_2016-4971.md)
 								    * [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
 								    * [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
 								    * [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
 								    * [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
 								  * Malware
-												add chapter 8 academic

											
										
										
											2018-03-19 11:33:57 +07:00
+								* [八、学术篇](doc/8_academic.md)
-												make reviews clear again

											
										
										
											2018-04-26 20:27:37 +07:00
+								  * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
 								  * [8.2 Return-Oriented Programming without Returns](doc/8.2_rop_without_returns.md)
 								  * [8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.3_rop_rootkits.md)
 								  * [8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.4_ropdefender.md)
 								  * [8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](doc/8.5_dop.md)
 								  * [8.6 Hacking Blind](doc/8.6_brop.md)
 								  * [8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses](doc/8.7_jit-rop_defenses.md)
 								  * [8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.8_dynamic_taint_analysis.md)
 								  * [8.9 Symbolic Execution for Software Testing: Three Decades Later](doc/8.9_symbolic_execution.md)
 								  * [8.10 AEG: Automatic Exploit Generation](doc/8.10_aeg.md)
 								  * [8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.11_aslp.md)
 								  * [8.12 ASLR on the Line: Practical Cache Attacks on the MMU](doc/8.12_aslr_on_the_line.md)
 								  * [8.13 New Frontiers of Reverse Engineering](doc/8.13_reverse_engineering.md)
 								  * [8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries](doc/8.14_detecting_memory_allocators.md)
 								  * [8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](doc/8.15_emulator_vs_real_phone.md)
 								  * [8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications](doc/8.16_dynalog.md)
 								  * [8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](doc/8.17_actual_used_permissions.md)
 								  * [8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](doc/8.18_malware_markov_chains.md)
 								  * [8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware](doc/8.19_droidnative.md)
 								  * [8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](doc/8.20_droidanalytics.md)
 								  * [8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks](doc/8.21_tracing_to_detect_spraying.md)
 								  * [8.22 Practical Memory Checking With Dr. Memory](doc/8.22_memory_checking.md)
 								  * [8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses](doc/8.23_current_anti-rop.md)
 								  * [8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization](doc/8.24_runtime_re-randomization.md)
-												add chapter 8 academic

											
										
										
											2018-03-19 11:33:57 +07:00
+								* [九、附录](doc/9_appendix.md)
 								  * [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md)
 								  * [9.2 更多 Windows 工具](doc/9.2_wintools.md)
 								  * [9.3 更多资源](doc/9.3_books_blogs.md)
-												fix

											
										
										
											2018-04-29 21:21:55 +07:00
+								  * [9.4 Linux 系统调用表](doc/9.4_linux_syscall.md)
-												add chapter 8 academic

											
										
										
											2018-03-19 11:33:57 +07:00
+								  * [9.5 幻灯片](doc/9.5_slides.md)