Recent posts

Codegate 2017 finals - BMP

BMP is a Windows pwnable task.


1. Reversing

This program opens a BMP image and extracts LSB of each pixel. Then they are saved as another BMP image (*_out.bmp). The image can be opened by either “File > Open” menu or command line argument.

The main logic looks like this:

Read more

Codegate 2017 quals - meow

Linux ELF binary and a service port is given. So I assume it’s a pwnable task.

1. First look

This binary receives 10 byte input and checks its MD5 hash. If the check passes, the string is used to decrypt two data blobs. Then two decrypted blobs are mmaped to fixed addresses 0x12000 and 0x14000 with RWE permission. Then at the end of the program, we can ‘call’ the code at 0x12000 just like a function.

Since finding preimage of the MD5 hash is hopeless, our goal is now finding the 10 byte key that makes the decoded blob plausible. To do that, we had to analyze the decryption function 0xD1D. But I felt I will definitely make mistake during understanding it. So my teammate took another way.

2. Simplifying the decryption routine

The decryption seemed to be composed of simple XORs. So we used angr to derive the symbolic relation between input and output.

First load the binary in angr.

import angr
proj = angr.Project('./meow')

Read more

HITCON CTF 2016 Quals - MixerBox

Linux x86 ELF Reverse challenge.

Mixed-arch, mixerbox


Why is this mixed-arch? There are these instructions everywhere.

  push 0x33
  call change_arch();
  call f();
  call restore_arch();


  mov [ebp+4], 0x23

Read more

Running ARM in QEMU

QEMU에서 ARM debian을 돌리는 방법 정리.를 참고하면 쉽게 할 수 있다.

1. Install

먼저 qemu를 설치한다.

sudo apt-get install qemu

그 다음 이미지들을 다운받는다.

  • debian_wheezy_armhf_standard.qcow2는 debian wheezy가 설치된 디스크 이미지,
  • initrd.img-3.2.0-4-vexpress는 부팅에 필요한 임시 파일시스템 (initrd; initial ramdisk) 이미지,
  • vmlinuz-3.2.0-4-vexpress는 리눅스 커널 이미지이다.

이 중에서 qcow2 이미지는 시스템을 사용하면 내용이 바뀌기 때문에 (디스크 이미지니까) 깨끗한 버전을 하나 백업해 두는 것도 좋은 생각이다.

Read more

DEF CON 2016 Quals - feedme

feedme is a baby’s first pwnable task.

The binary is a fork-based server. There is an obvious buffer overflow vulnerability in the child process routine.

int handler()
	char buf[32];  // [ebp-0x2c]
	int canary;    // [ebp-0xc]

	printf("FEED ME!\n");
	int size = read_byte();
	readn(buf, size);
	// Shows up to 16 bytes. Cannot leak canary with this.
	printf("ATE %s\n", tohex(buf, size, 16));
	return size;

void server()
	while (1) {
		int pid = fork();
		if (pid == 0) {
			int n = handler();
			printf("YUM, got %d bytes!", n);
		else {
			waitpid(pid, &status, 0);
			printf("child exit.\n");

So we can exploit this program by brute-forcing stack canary and doing ROP to get a shell. Classic.

Read more