The document is a detailed exploration of reverse engineering and fuzzing techniques related to binary exploitation, including methods for buffer overflows, return-oriented programming, and utilizing the Z3 solver for fuzz testing. It features a self-introduction of a speaker with experience in various hacking contests and tools, emphasizing the importance of understanding low-level programming, memory management, and application vulnerabilities. The text serves as both a tutorial and a set of exam questions on these hacking concepts.

1. TEEMO KNOWS BINARY
TDOH x TAIWAN TECH 2015/11/29
aaaddress1

2. SELF INTRODUCTION
➤ 馬聖豪 (aaaddress1)
➤ 義守大學資訊工程二年級
➤ Reverse Engineering Skills
➤ Windows / Mac OS /Android
➤ TDoHacker Core Member
➤ HITCON 2015 CMT:
➤ AIDS
➤ x86靜態手花詐欺術
➤ Wooyun WhiteHat: x86手花詐欺
➤ 逢甲2015行動計算研討會: AIDS
➤ 成功大學2015行動APP競賽

3. SELF INTRODUCTION
➤ Hack BOT
➤ CrackShield / MapleHack
➤ Tower Of Savior
➤ FaceBook: Adr’s FB
➤ Isu Hack
➤ 競時通防爆PING
➤ CSharp,VB,C/CPlus,
x86,Python,Smali,Swift

4. OUTLINE
➤ main() is not the really main
➤ OllyDBG:Baby First (Exam)
➤ Return-oriented Programming
➤ Overflow: Revo Wolf(Exam)
➤ Fuzzing
➤ Make a fuzzer in C++
➤ How to fuzzing with Z3

5. SWEET REMINDER
Tool
https://goo.gl/4sJRtB
Exam
https://goo.gl/xUYkoz

6. REALLYMAIN

7. REALLY MAIN

8. REALLY MAIN

9. REALLY MAIN

10. REALLY MAIN

11. REALLY MAIN

12. REALLY MAIN

13. REALLY MAIN
_Start

14. REALLY MAIN

15. REALLY MAIN
Parameter
Data

16. REALLY MAIN
➤ Label “_start” is really main.
➤ CRTStartUp is loaded in label “_start”.
(To init RTC/new/delete/arg…etc)
➤ Find programmer’s main (normal c plus compile)
➤ Find the address calling GetCommandLine
➤ Find the address calling exit() or cexit()
➤ Programmer’s main function is between them.

17. DEMO
Olly Debugger:Really Main

18. EXAM
Olly Debugger: Baby First
&
Take a break!

19. ROPReturn-oriented-Programming

20. WE NEED TO
KNOW MORE
BEFORE ROP

21. X86 CALLING
COVENTION
&
STACK FRAMES

22. ROP

23. ROP

24. ROP

25. ROP

26. ROP

27. ROP
[EBP+0 ] = Pointer to old EBP
[EBP+4 ] = Return Address
[EBP+8 ] = First Parameter
[EBP+C ] = Second Parameter
[EBP+10 ] = Third Parameter
…etc
[EBP+8 + 4*index] =
Parameter[index]

28. ROP
VOID
FUNC()
{
INT A =
0;
INT B =
1;
INT C =
2;
[EBP - 4] =0
[EBP - 8] =1
[EBP - C] =2
push EBP
mov
EBP,ESP
SUB ESP,
LEN

29. ROP
VOID FUNC(){
NFUNC(ARG1,ARG2,AR
G3…)
}
push ebp
mov ebp,esp
.
.
push arg3
push arg2
push arg1
call nFunc

30. ROP

31. ROP

32. ROP

33. ROP

34. WHY?

35. ROP
Stack
ESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14

36. ROP
Stack
ESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP

37. ROP
Stack
EBP + 0
=ESP
Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP

38. ROP
Stack
EBP - 8
=ESP
Buffer
EBP - 4 Buffer
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP

39. ROP
Stack
EBP - 8
=ESP
1
EBP - 4 Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP

40. ROP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP

41. ROP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

42. ROP
Stack
EBP - 8
=ESP
EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Buffer
EBP + 8 Buffer
EBP + C Old EBP
_______EIP

43. ROP
Stack
EBP + 0
=ESP
EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP

44. ROP
Stack
EBP + 0
=ESP
EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP

45. ROP
_______EIP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

46. ROP
_______EIP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

47. ROP
Stack
EBP - 4
=ESP
1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

48. ROP
Stack
EBP + 0
= ESP
Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

49. LET’S PLAY
WITH
BEEF
OVERFLOW

50. BOFOVERFLOW AND RIP…

51. BUFFER OVERFLOW
➤ We just can see , cannot modify the application.
➤ For Exploit?
➤ Overflow local variables. (EBP+N are good friend to us)
➤ Do something for get control EIP/RIP.

52. BUFFER OVERFLOW
[EBP-8]
[EBP-10]

53. BUFFER OVERFLOW

54. BUFFER OVERFLOW

55. BUFFER OVERFLOW

56. BUFFER OVERFLOW

57. BUFFER OVERFLOW

58. BUFFER OVERFLOW
How to let data ==
“admin”?

59. BUFFER OVERFLOW
[EBP-8]
[EBP-10]

60. BUFFER OVERFLOW
Stack

61. BUFFER OVERFLOW
Stack
ESP Old EBP
_______EIP

62. BUFFER OVERFLOW
Stack
EBP
=ESP
Old EBP
_______EIP

63. BUFFER OVERFLOW
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP

64. BUFFER OVERFLOW
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable “name”

65. BUFFER OVERFLOW
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable “data”

66. BUFFER OVERFLOW
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP_______EIP

67. BUFFER OVERFLOW
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP_______EIP
If you input “aaaa”

68. BUFFER OVERFLOW
Stack
EBP - 10 aaaa
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP_______EIP
If you input “aaaa”

69. BUFFER OVERFLOW
Stack
EBP - 10 aaaa
EBP - C BBBB
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP_______EIP
If you input “aaaaBBBB”

70. BUFFER OVERFLOW
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP_______EIP
If you input
“OVERFLOW”

71. IF WE INPUT MORE
WORDS…?
MAGIC!

72. BUFFER OVERFLOW
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8 revo
EBP - 4 wolf
EBP
=ESP
Old EBP_______EIP
If you input
“OVERFLOWoverflow”

73. BUFFER OVERFLOW
Stack
EBP - 10 AAAA
EBP - C AAAA
EBP - 8 imda
EBP - 4 x00x00x00n
EBP
=ESP
Old EBP_______EIP
SO, We can input
“AAAAAAAAadmin”

74. BUFFER OVERFLOW

75. DANGER FUNCTION
#include <iostream>
printf, fprintf, snprintf, vprintf, …etc

76. DEMO
Overflow

77. EXAM
Overflow: Revo wolf
&
Take a break!

78. EXAM
Overflow: 7$BUY TICKETS
&
Take a break!

79. EXAM
Overflow: Lee Sin can Read
&
Take a break!

80. FUZZING
Fuzzing the key with
Z3.py

81. “ Fuzz testing or fuzzing is a software testing technique,
often automated or semi-automated, that involves
providing invalid, unexpected, or random data to the
inputs of a computer program. The program is then
monitored for exceptions such as crashes, or failing
built-in code assertions or for finding potential memory
leaks. Fuzzing is commonly used to test for security
problems in software or computer systems. It is a form
of random testing which has been used for testing
hardware or software.
From Wikipedia
WHAT IS
FUZZING?

82. When we need to
fuzz?A. Prove that something is always true
B. Fuzzing for something unexpected
C.Fuckinnnnnnnnnnnnng Crypto
D.A lot of choice, find one is correct

83. FUZZING FOR
WHAT?

85. Your said :
Get the key is easy?

90. YOU THINK
REVERSING IS:
SOLVING
PROBLEMS?
BRAIN FUCKING (O)

91. FUZZING

92. FUZZING
Key= adr
‘a’ = 0x61,’d’ = 0x64, r =
0x72

93. FUZZING

94. FUZZING
Key= adr
0x00726461
= x00x72x64x61
= x00adr

95. FUZZING

97. FUZZING
How to find the key
matching the factors?

99. MAKE A MINI
FUZZER
IN C PLUS PLUS

101. Check Current Temp Key

102. 0x20 to 0x7E,
Visible ASCII Char Range

103. Display to us.

106. BUT…
IF LENGT OF THE KEY
ISN’T JUST 3 WORDS?

107. Z3Prove Tool

108. Z3 BEGIN
➤Get and Install Python2.7
✴ Z3.py script environment
✴ www.python.org
➤You can use python basically
➤Get Z3.py for Windows
✴ Prove tool
✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows

109. 猜謎
➤ 無腦
➤ 很軟
➤ 手有毒

110. FUZZING(Z3)
Include Z3 function to your python script
like you use #include <iostream> in C++

111. FUZZING(Z3)
BitVec(“Name” , BitCount)
For example:
1.char a => a = BitVec(“a”, 8)
2.short b => b = BitVec(“b”, 16)
3.int c => c = BitVec(“C”, 32) => Int(“c”)
4.bool e => e = BitVec(‘e’, 8)

112. FUZZING(Z3)
Solve(All rules ), Z3 will auto fuzz all variables,
and find a result(JUST ONE RESULT!).
Then, print all results of variables.

113. FUZZING(Z3)
If you have a looooot of rules,
you can use Solver().
Solver.add() can remember
all rules you requested.

114. FUZZING(Z3)
If you want to check current
whether rules can come true,
you just use: Solver.check()

115. FUZZING(Z3)
If Z3 cannot find any result,
check() will reply you “unsat”.

116. FUZZING(Z3)
If Z3 can find any result,
check() will reply you “sat”.

117. FUZZING(Z3)
Finally, if you get “sat”,
you can use: Solver.model()
It will save a result in it.
Use model[Variable Name],
and get the answer by String

118. FUZZING(Z3)
So,How to fuzz the key with z3?

121. DEMO
Fuzzing with z3.py

122. EXAM
Fuzzing: ShacoBuysCrusts
&
Take a Break!

123. EXAM
Fuzzing:
AIS3 Final Exam Binary

124. Q&A
aaaddress1@gmail.com