Don’t read this post if you’re still in the process of solving the previous challenge posted here. This post contains the solution and general information on virtualized code. Virtualization obfuscation is a technique I’ve seen implemented many times in various malware and rarely in commercial software, and quite often in reverse engineering challenges. Qvm32, the challenge I posted, follows a similar concept with an extra obfuscation layer added to harden the process of reverse engineering the virtual read more
I had some free time and I wrote a new challenge just for fun, or not. It’s a virtualized crackme; you gotta get the password. It’s a 32-bit ELF binary. Also it’s highly obfuscated, so good luck figuring out how it works :P. It can be downloaded from http://0x80.org/code/app/qvm32.tgz (sha1: e12036b5b501f965c06f8ae6070381f13c4f65fb). I might post the solution later if no one solves read more
Unfortunately I didn’t have the time to participate in CSAW. When I get time I’ll check out the rest of CSAW and see if there’s anything interesting for a writeup (this one isn’t interesting). A friend of mine sent me an archive from the challenge to inspect and find the flag for before the game ended. The archive contained 5 files.
(╯°□°）u-boot-csaw/ # find . -type f | xargs file
./u-boot: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), statically read more
This is a solution for Krypto, the crackme I posted a while back here. This crackme was shipped in two versions, 32-bit and 64-bit; I bet that no one bothered with the 64-bit one. Anyway, they’re both similar. Let’s talk a little bit about it.
It starts at sub_804A170, aka main, and takes input from argv; 12 characters are taken from that input and each 4 are put together. Then a call is made to sub_08048E10 once for each part of the input, aka encrypt, with a key used ‘for encryption’; the key is read more
Found a nice Linux crackme at crackmes.de by Snuker. The crackme uses two things: a key, which is read here
.text:0804863E lea eax, [esp+18h]
.text:08048642 mov [esp+4], eax
.text:08048646 mov dword ptr [esp], offset asc_80487EB ; "%x"
.text:0804864D call ___isoc99_scanf
and the username, taken read more
I have written Krypto, a Linux crackme challenge. I will provide only the binaries for now, for both x86 32-bit and 64-bit. Hint: you need to find the password (if you can *evil laugh*)
If you give up, PM me and we can discuss one of the read more
I saw that IDA Pro lacks a plugin to create and search for cyclic patterns within IDA. These patterns are sometimes useful to speed up exploit development, so I have written three plugins: Pattern_create, which creates cyclic patterns; Pattern_offset, which finds the offset of a specific pattern; and Pattern_search, which searches the registers and all writeable memory of a process for any patterns. The plugins are open source and can be found here (github).
Debugging is an essential skill to know. It helps you further understand the low level and how things work step by step; you will be able to see more. Debugging the kernel or its modules seems like black magic at the beginning, but when you get used to it the black part goes away. In this post I will talk a little about my current virtual setup for debugging. To keep it simple I will debug the module from the previous post in Archlinux running Qemu running Archlinux with kernel 3.2.9.
Getting things ready in the Host
First get qemu and create read more
In Linux, virtual memory is segregated into two parts: kernel space and user space. Kernel space is intended to be used by the kernel, and reaching the kernel data structures or having control there can allow you to do all kinds of crazy things. What I’m interested in, in this post, is privilege escalation: jumping from nothing to everything, w00t!
Stack overflows exist in the kernel too, and we will talk basically about how they can happen and how they can be exploited. I have written a simple read more
I spend most of my time on the terminal and always need a running irssi client, so I run it on my remote 99% (yeah right!) uptime machine, but I don’t check the irssi client all the time, so I need some kind of notification: a GUI notification using libnotify. I use rnotify.pl, notify-remote, and esaurito.
First, download rnotify.pl on the remote machine and move it to .irssi/scripts/autorun. Rerun irssi, or if you’re already running it type /load script autorun/rnotify.pl
Second, on your local machine download read more