Recent posts

Building custom kernel

Use VM when you practice, just in case.

1. Download kernel

Download from
For example,

sudo apt-get install -y wget xz-utils
tar xf linux-4.9.28.tar.xz

2. Make your modification

Patch the files, add code, … etc.

3. Config

Copy current setting.

sudo cat /boot/config-`uname -r` > .config
make olddefconfig

4. Build

make -j4
make -j4 modules

5. Install

sudo make modules_install
sudo make install

Files will be written to /boot directory.

6. Reboot

Reboot the computer. If anything goes wrong, reboot again and select original kernel.

(Optional) Change default boot kernel

See here

Codegate 2017 finals - BMP

BMP is a Windows pwnable task.


1. Reversing

This program opens a BMP image and extracts LSB of each pixel. Then they are saved as another BMP image (*_out.bmp). The image can be opened by either “File > Open” menu or command line argument.

The main logic looks like this:

Read more

Codegate 2017 quals - meow

Linux ELF binary and a service port is given. So I assume it’s a pwnable task.

1. First look

This binary receives 10 byte input and checks its MD5 hash. If the check passes, the string is used to decrypt two data blobs. Then two decrypted blobs are mmaped to fixed addresses 0x12000 and 0x14000 with RWE permission. Then at the end of the program, we can ‘call’ the code at 0x12000 just like a function.

Since finding preimage of the MD5 hash is hopeless, our goal is now finding the 10 byte key that makes the decoded blob plausible. To do that, we had to analyze the decryption function 0xD1D. But I felt I will definitely make mistake during understanding it. So my teammate took another way.

2. Simplifying the decryption routine

The decryption seemed to be composed of simple XORs. So we used angr to derive the symbolic relation between input and output.

First load the binary in angr.

import angr
proj = angr.Project('./meow')

Read more

HITCON CTF 2016 Quals - MixerBox

Linux x86 ELF Reverse challenge.

Mixed-arch, mixerbox


Why is this mixed-arch? There are these instructions everywhere.

  push 0x33
  call change_arch();
  call f();
  call restore_arch();


  mov [ebp+4], 0x23

Read more

Running ARM in QEMU

QEMU에서 ARM debian을 돌리는 방법 정리.를 참고하면 쉽게 할 수 있다.

1. Install

먼저 qemu를 설치한다.

sudo apt-get install qemu

그 다음 이미지들을 다운받는다.

  • debian_wheezy_armhf_standard.qcow2는 debian wheezy가 설치된 디스크 이미지,
  • initrd.img-3.2.0-4-vexpress는 부팅에 필요한 임시 파일시스템 (initrd; initial ramdisk) 이미지,
  • vmlinuz-3.2.0-4-vexpress는 리눅스 커널 이미지이다.

이 중에서 qcow2 이미지는 시스템을 사용하면 내용이 바뀌기 때문에 (디스크 이미지니까) 깨끗한 버전을 하나 백업해 두는 것도 좋은 생각이다.

Read more