HacknamStyle
Plaid CTF 2014 Write-ups
Reversing: g++
Makefile:
echo '${KEY}' | perl -p -e 's/(.)/<DEL>/ge' > key.h
Key.h:
K(0,116) // 't'
K(1,101) // 'e'
K(2,115) // 's'
K(3,116) // 't'
Solveme.cpp:
template <int i> struct key { static int r = 0; };
#define K(i,v) template<> struct key<i> { S r = v; };
Reversing: g++
• Template metaprogramming
• Password verified during compilation
• “key<i>::r” gives i-th char of password
• Result printed at runtime
Reversing: g++
int main() {
if (!vv<0>::r)
// print 16 characters
else
std::cout << "Wrong\n";
}
Reversing: g++
Analyzing templates:
• vv<0>::r is zero iff gg<i>::r is zero for every i with 0 <= i < 16
• gg<i>::r = hiddenkey<a, b> - makefilekey<a, b>
• Parameters `a` and `b` depend on `i`
• Hiddenkey is constant, extract value.
How is makefilekey constructed?
Calculation makefilekey<a, b>
Let g++ replace #define’s:
• g++ -E -o solveme2.cpp solveme.cpp
<boring reversing>
makefilekey<a,b> =
( lookup<a*4> * key<b>
+ lookup<a*4+1> * key<b+4>
+ lookup<a*4+2> * key<b+8>
+ lookup<a*4+3> * key<b+12>) % 257;
Solution
Method 1:
• Key can be brute-forced in groups of 4 chars
• Extract constants, implement algorithm
Method 2:
• Solve linear equations
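An added example, not the HacknamStyle solver: it recovers a 16-char key from the makefilekey<a,b> relation above by solving linear equations mod 257 (Method 2). It assumes a = i // 4 and b = i % 4, and the lookup table and secret are constructed stand-ins, since the challenge's real constants are not on the slides.

```python
# Added example, not the team's solver. Assumed: a = i // 4, b = i % 4; the
# LOOKUP table and SECRET below are constructed, not the challenge's constants.
MOD = 257

def makefilekey(lookup, key, a, b):
    """The relation from the slide: key chars b, b+4, b+8, b+12 weighted by lookup[a*4 .. a*4+3]."""
    return (lookup[a*4] * key[b] + lookup[a*4+1] * key[b+4]
            + lookup[a*4+2] * key[b+8] + lookup[a*4+3] * key[b+12]) % MOD

def solve_mod_p(matrix, rhs, p=MOD):
    """Gauss-Jordan elimination over GF(p); returns the solution vector, or None if singular."""
    n = len(matrix)
    m = [list(row) + [r] for row, r in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % p), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col] % p, -1, p)   # p is prime, so every non-zero has an inverse
        m[col] = [x * inv % p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] % p:
                f = m[r][col]
                m[r] = [(x - f * y) % p for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]

def recover_key(lookup, hidden):
    """hidden[a][b] is hiddenkey<a,b>, i.e. makefilekey<a,b> evaluated on the correct key.
    For a fixed b the four equations (a = 0..3) involve only key[b], key[b+4], key[b+8]
    and key[b+12], which is why the key splits into four independent groups of 4 chars."""
    key = [0] * 16
    for b in range(4):
        A = [lookup[a*4:a*4+4] for a in range(4)]
        rhs = [hidden[a][b] for a in range(4)]
        col = solve_mod_p(A, rhs)
        if col is None:
            raise ValueError("lookup matrix is singular mod 257; this group needs brute force")
        for j in range(4):
            key[b + 4*j] = col[j]
    return ''.join(chr(c) for c in key)

# Constructed stand-ins for the challenge's constants (not the real ones).
LOOKUP = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3]
SECRET = "template_magic16"
HIDDEN = [[makefilekey(LOOKUP, [ord(c) for c in SECRET], a, b) for b in range(4)]
          for a in range(4)]

if __name__ == "__main__":
    print(recover_key(LOOKUP, HIDDEN))
```

Because each group of 4 chars is an independent 4x4 system, the same split is what makes Method 1's brute force feasible (4 chars at a time instead of 16).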
Reversing: Tiffany
From Child's Play (Chucky)
Reversing: Tiffany
Initialization
Computation
Reversing: Tiffany
• Spawns 7 children, many ptrace calls
• Hint: “Each instance does a very simple thing”
• ltrace fails during initialization
• strace fails after computation
<DEMO>
strace ./tiffany 2>&1 | less
Parent spawns 7 children
getpid() = 15866
clone(...) = 15867
clone(...) = 15868
clone(...) = 15869
clone(...) = 15870
clone(...) = 15871
clone(...) = 15872
clone(...) = 15873 = 0x3e01
→ Child knows PID of parent and previous children.
Ptrace communication
• Parent sends messages to children using
ptrace
• Similarly, children send each other messages
using ptrace.
One of the reasons why the program is slow…
Ptrace communication
ptrace(PTRACE_ATTACH, 15823, 0, 0) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, NULL, 0, NULL) = 15823
ptrace(PTRACE_POKEDATA, 15823, 0x618180, 0x1) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618184, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618188, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x61818c, 0x3e01) = 0
ptrace(PTRACE_DETACH, 15823, 0, SIG_0) = 0
kill(15823, SIGUSR1) = 0
Ptrace communication
ptrace(PTRACE_ATTACH, 15823, 0, 0) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, NULL, 0, NULL) = 15823
ptrace(PTRACE_POKEDATA, 15823, POKE1, 0x1) = 0
ptrace(PTRACE_POKEDATA, 15823, POKE2, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, POKE3, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x61818c, 0x3e01) = 0
ptrace(PTRACE_DETACH, 15823, 0, SIG_0) = 0
kill(15823, SIGUSR1) = 0
Child Message Handler
Command #0
0x618180 = POKE1 = 1 # message available
0x618184 = POKE2 = 0 # destination ID
0x618188 = POKE3 = 0 # command ID
0x61818C = ARGS = 0x3e01
kill(15823, SIGUSR1) # notify child
→ Parent sends CMD #0 to first child
→ Send PID of last child to the first child.
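An added example, not part of the write-up: it turns strace output into the messages above by collecting the PTRACE_POKEDATA writes into the mailbox layout the slide recovered and emitting one message per SIGUSR1. The first message in the sample trace is the one from the slides; the second (command 3 with a single char) is constructed.

```python
# Added example, not from the write-up. The mailbox layout is the one on the slide;
# the second message in SAMPLE_TRACE is constructed.
import re

MAILBOX = {0x618180: "available", 0x618184: "dest", 0x618188: "cmd", 0x61818c: "args"}
POKE = re.compile(r"ptrace\(PTRACE_POKEDATA, (\d+), (0x[0-9a-f]+), (0x[0-9a-f]+|\d+)\) = 0$")
KILL = re.compile(r"kill\((\d+), SIGUSR1\) = 0$")

def decode_messages(trace):
    """Collect POKEDATA writes into the target's mailbox; the SIGUSR1 that follows delivers one message."""
    pending, messages = {}, []
    for raw in trace.splitlines():
        line = raw.strip()
        m = POKE.match(line)
        if m:
            pid, addr, val = int(m[1]), int(m[2], 16), int(m[3], 0)
            field = MAILBOX.get(addr)
            if field is not None:               # ignore writes outside the mailbox
                pending.setdefault(pid, {})[field] = val
            continue
        k = KILL.match(line)
        if k:
            pid = int(k[1])
            msg = pending.pop(pid, {})
            # only a fully written mailbox with the "available" flag set is a message
            if msg.get("available") == 1 and set(msg) >= {"dest", "cmd", "args"}:
                messages.append({"pid": pid, **msg})
    return messages

SAMPLE_TRACE = """\
ptrace(PTRACE_ATTACH, 15823, 0, 0) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, NULL, 0, NULL) = 15823
ptrace(PTRACE_POKEDATA, 15823, 0x618180, 0x1) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618184, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618188, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x61818c, 0x3e01) = 0
ptrace(PTRACE_DETACH, 15823, 0, SIG_0) = 0
kill(15823, SIGUSR1) = 0
ptrace(PTRACE_ATTACH, 15823, 0, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618180, 0x1) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618184, 0) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x618188, 0x3) = 0
ptrace(PTRACE_POKEDATA, 15823, 0x61818c, 0x41) = 0
ptrace(PTRACE_DETACH, 15823, 0, SIG_0) = 0
kill(15823, SIGUSR1) = 0
"""

if __name__ == "__main__":
    for msg in decode_messages(SAMPLE_TRACE):
        print(msg)
```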
Command #1
• Copies large amount of data
• Child handler makes local copy
→ Each child is given unique data
Initialization Complete
Password now requested
Command #3
• Parent sends every char to first child
Child handler:
• Updates states according to char and local data
• Forwards char to previous child
• Last child informs parent to send next char
→ Every child gets char and “performs a step”
Parent sends command #2 to first child.
Password okay?
• Password OK if final `bitokay` is 1
• All children must “accept” the password
• Every child is a DFA
• Local data is state transition function
Extract DFA, intersect, find witness
Minimize DFA while intersecting!
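An added example, not the team's own tool: the small DFAs at the bottom are constructed stand-ins for the per-child transition tables extracted from tiffany. They are intersected one child at a time, minimizing the running product after each step as the slide advises, and the shortest accepted string is returned as the witness (None when the children contradict each other).

```python
# Added example, not the team's tool: the DFAs at the bottom are constructed stand-ins
# for the per-child transition tables the write-up extracts from tiffany.
from collections import deque

class DFA:
    """Complete DFA: delta[(state, symbol)] -> state for every state and symbol."""
    def __init__(self, alphabet, start, accept, delta):
        self.alphabet, self.start = alphabet, start
        self.accept, self.delta = frozenset(accept), delta

def table_dfa(alphabet, start, accept, rows):
    # rows[state] lists the successor for each alphabet symbol, in alphabet order
    delta = {(s, c): row[i] for s, row in rows.items() for i, c in enumerate(alphabet)}
    return DFA(alphabet, start, accept, delta)

def intersect(d1, d2):
    """Product construction that only explores pairs reachable from the start pair."""
    start = (d1.start, d2.start)
    delta, accept, seen, todo = {}, set(), {start}, deque([start])
    while todo:
        s = todo.popleft()
        if s[0] in d1.accept and s[1] in d2.accept:
            accept.add(s)
        for c in d1.alphabet:
            t = (d1.delta[(s[0], c)], d2.delta[(s[1], c)])
            delta[(s, c)] = t
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return DFA(d1.alphabet, start, accept, delta)

def minimize(d):
    """Moore partition refinement: merge states no suffix can tell apart."""
    states = {s for s, _ in d.delta} | set(d.delta.values())
    block = {s: int(s in d.accept) for s in states}
    while True:
        sig = {s: (block[s],) + tuple(block[d.delta[(s, c)]] for c in d.alphabet) for s in states}
        ids = {v: i for i, v in enumerate(sorted(set(sig.values())))}
        stable = len(ids) == len(set(block.values()))
        block = {s: ids[sig[s]] for s in states}
        if stable:
            break
    delta = {(block[s], c): block[t] for (s, c), t in d.delta.items()}
    return DFA(d.alphabet, block[d.start], {block[s] for s in d.accept}, delta)

def witness(d):
    """Shortest accepted string, found by BFS; None if the language is empty."""
    parent, todo = {d.start: None}, deque([d.start])
    while todo:
        s = todo.popleft()
        if s in d.accept:
            out = []
            while parent[s] is not None:
                s, c = parent[s]
                out.append(c)
            return ''.join(reversed(out))
        for c in d.alphabet:
            t = d.delta[(s, c)]
            if t not in parent:
                parent[t] = (s, c)
                todo.append(t)
    return None

def solve(children):
    """Intersect the children's DFAs one at a time, keeping the running product minimal."""
    acc = minimize(children[0])
    for d in children[1:]:
        acc = minimize(intersect(acc, d))
    return witness(acc)

# Constructed children over "ab": even number of a's, ends in b, contains "ab", odd number of a's.
ALPHA = "ab"
EVEN_A = table_dfa(ALPHA, 0, {0}, {0: (1, 0), 1: (0, 1)})
ENDS_B = table_dfa(ALPHA, 0, {1}, {0: (0, 1), 1: (0, 1)})
HAS_AB = table_dfa(ALPHA, 0, {2}, {0: (1, 0), 1: (1, 2), 2: (2, 2)})
ODD_A = table_dfa(ALPHA, 0, {1}, {0: (1, 0), 1: (0, 1)})
```

solve([EVEN_A, ENDS_B, HAS_AB]) returns "aab"; adding ODD_A, which contradicts EVEN_A, makes the intersection empty and solve returns None.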
HacknamStyle Plaid CTF write-up