IU CTF Tools

More tricks on radare2

Thu, 29 Jun 2017 20:42:20 +0000

More tricks on Radare2 (Cheat Sheet)

Cheat Sheet that we found on the web: https://github.com/pwntester/cheatsheets/blob/master/radare2.md

We try to keep all the useful tricks of Radare2 here.

Why do we put “@” in front of a register when we inspect it via “pxq”, “ps”, “pdf” and so on?

It is because the print commands starting with the letter 'p' reads all the
memory addresses starting from the beginning (0x0) of VM address.
The p? commands without using @ will print out way more than a user expects
in the radare2 screen. That's why radare2 gives a warning of this.
The @ sign in front of a register tells the p? commands to read from the
address where the register is pointing to for now.

What are local_4h, local_8h, …?

They are representing the local variables pointing the address
4/8/... bytes less than the "rbp" register
local_4h == rbp-4
local_12h == rbp-0x12 or rbp-18

Modern Binary Exploitation

Mon, 12 Jun 2017 00:00:00 +0000

Useful binary expolitation websites:

Modern Binary Exploitation

Raspberry Pi training in Camp CircleCity

Fri, 09 Jun 2017 00:00:00 +0000

Raspberry Pi Training in Camp CircleCity

The Circle City Con 4.0 was held on June 9-11, 2017. It was not a practical training course but I found that the materials in the course can be useful for the team.
Here are useful materials that I have learned in the training.

NSA Software Exploitation Course & Codebreaker Challenge

Thu, 08 Jun 2017 00:00:00 +0000

NSA Software Exploitation Course & Codebreaker Challenge

The NSA is tired of doing all the work and has provided resources for us to learn to do things ourselves. Check out lectures from their course on software exploitation.

https://codebreaker.ltsnet.net/resources

This page will be updated with writeups as team members work on the practice problems.

Playing with radare2

Mon, 05 Jun 2017 22:48:20 +0000

Playing with radare2 to dig into the CMU Bombs

We try to crack the cyber security bombs posted on CMU by using radare2.

Inspect the binary code in brief

[18:45] CREST-MacBook-Pro-2: bomb $ rabin2 -I bomb
arch     x86
binsz    26406
bintype  elf
bits     64
canary   true
class    ELF64
crypto   false
endian   little
havecode true
intrp    /lib64/ld-linux-x86-64.so.2
lang     c
linenum  true
lsyms    true
machine  AMD x86-64 architecture
maxopsz  16
minopsz  1
nx       true
os       linux
pcalign  0
pic      false
relocs   true
relro    partial relro
rpath    NONE
static   false
stripped false
subsys   linux
va       true
[18:45] CREST-MacBook-Pro-2: bomb $ rabin2 -l bomb
[Linked libraries]
libc.so.6
1 library
[18:45] CREST-MacBook-Pro-2: bomb $

Load up the binary code in radare2

[18:45] CREST-MacBook-Pro-2: bomb $ r2 bomb
syntax error: error in error handling
syntax error: error in error handling
syntax error: error in error handling
 -- THIS IS NOT A BUG
[0x00400c90]>

Cheat Sheet

// Package Manager
r2pm init
r2pm update
//Install www-m (material webui):
r2pm -i www-m

// General information about a file
rabin2 -I <file>
-l - dynamic libs
-i - symbols

// Load the binary code
r2 <binary_code>
aa - automatic analysis
afl - look at symbols and functions
s - seek to <symbol>
pdf - print disassembly of a function (e.g. pdf @ main)
V - enter visual mode, press V again to enter graph mode
hjkl - navigation

Running Unicorn, Capstone and Keystone on Docker

Sun, 28 May 2017 01:56:10 +0000

Running Unicorn, Capstone and Keystone on Docker

https://github.com/dikim33/unicorn.git

This is how I setup Docker for Unicorn, Capstone, and Keystone.

Get the Dockerfile and some test files from my forked github
```
git clone https://github.com/dikim33/unicorn.git uck 
```
Build a docker image with the given Dockerfile
```
cd uck
docker build -t <image_name> .
```

Run the challenge file

docker run --rm -it <image_name> uck/challenge.py uck/challenge.asm
docker run --rm -it <image_name> python uck/example_capstone.py
docker run --rm -it <image_name> python uck/example_keystone.py
docker run --rm -it <image_name> python uck/example_unicorn.py

Integration with Keystone and Capstone

Sun, 28 May 2017 00:28:15 +0000

Integration with Keystone and Capstone

When Unicorn is integrated with Keystone and Capstone, it becomes even more useful for the reverse engineering.

Installation/Configuration of Unicorn

Thu, 25 May 2017 18:30:13 +0000

Installation/Configuration of Unicorn

Unicorn can be installed in OSX (Sierra), Linux, and Windows. I have installed it on OSX and Linux. I will leave some workarounds that I used to manage the unexpected hiccups during the installation in OSX and Linux.

Unicorn official website: http://www.unicorn-engine.org/
Test codes: http://www.unicorn-engine.org/samples/test1.tgz
Installation: https://github.com/unicorn-engine/unicorn/blob/master/docs/COMPILE.md
OSX
There is an issue on testing with unicorn.
```
[21:03] 149-161-212-7: test1 $ make
cc  test1.c -L/usr/local/Cellar/glib/2.52.0/lib -L/usr/local/opt/gettext/lib -lglib-2.0 -lintl -lpthread -lm -lunicorn -o test1
test1.c:5:10: fatal error: 'unicorn/unicorn.h' file not found
#include <unicorn/unicorn.h>
       ^
1 error generated.
make: *** [test1] Error 1
```
It requires clang of XCode. In order to get the clang, make sure that XCode is installed with the “Command Line Tools”.
As The useful link of installation of “Command Line Tools” mentions, xcode-select --install did not work for me because it kept failing to get the “Command Line Tools” due to the network issues. My network was just fine but it seemed that my MBP could not get the “Command Line Tools” from the Apple App Store. So, I just downloaded the “Command Line Tools” dmg file from here as the above link suggests. Other than this, brew install unicorn made unicorn works just fine based on the unicorn tutorials.
Linux
So far I did not have any issues with the github version. UNICORN_ARCHS="arm aarch64 x86" ./make.sh I lied! There was an issue on ubuntu-16.04 (cc-5.4.0) which does not compile the unicorn test codes without “-pthread” option. So, the workaround is that we have to put the -pthread option in the Makefile or add it on the fly. The test codes that I played with is in here. I realized that this option is not necessary in Debian-8 (cc-4.9.5). It may not be necessary for the other distros either. Please check it out.

Introduction to Unicorn

Tue, 23 May 2017 22:49:37 +0000

Introduction to Unicorn

Unicorn is an open source CPU emulator based on QEMU.

Nice features that I would like to share (quoted from the unicorn page):

Framework: QEMU is a set of emulators, but not a framework. Therefore, you cannot build your own tools on top of QEMU, while this is the main purpose of Unicorn.
Flexible: QEMU cannot emulate a chunk of raw binary code without any context: it requires either a proper executable binary (for example, a file in ELF format), or a whole system image with a full OS inside. Meanwhile, Unicorn just focuses on CPU operations, and can emulate raw code without context
Instrumentation: QEMU does not support dynamic instrumentation, but with Unicorn you can register customized handlers for various kind of events from CPU execution to memory access. This feature gives tool programmers all the power they need to monitor and analyze the code under emulation.
Thread-safe: QEMU cannot handle more than one CPU at the same time. In contrast, Unicorn is designed and implemented as a framework so that one program can emulate multiple code of different kinds of CPU in a moment.
Bindings: QEMU does not have binding itself. But as a framework, Unicorn supports multiple bindings on top of the core written in C. This makes it easy to be adopted by developers. A rich list of efficient bindings - 4 languages have been supported in version 0.9 - lowers the barrier for every programmer.
Lightweight: Unicorn is much more lightweight than QEMU because we stripped all the subsystems that do not involve in CPU emulation. As a result, Unicorn is less than 10 times smaller in size and also in memory consumption.
Safety: QEMU has a bad track of security record with a lot of vulnerabilities that can be exploited to break out of the guest. Its history says that all of these bugs are from subsystems such as devices, BIOS, firmware etc, but none of them comes from CPU emulator component. Therefore, in principle Unicorn is much more secure because it has way smaller attack surface.

Welcome to Jekyll!

Tue, 23 Feb 2016 22:49:37 +0000

You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.

To add new posts, simply add a file in the _posts directory that follows the convention YYYY-MM-DD-name-of-post.ext and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.

Jekyll also offers powerful support for code snippets:

def print_hi(name)
  puts "Hi, #{name}"
end
print_hi('Tom')
#=> prints 'Hi, Tom' to STDOUT.

Check out the Jekyll docs for more info on how to get the most out of Jekyll. File all bugs/feature requests at Jekyll’s GitHub repo. If you have questions, you can ask them on Jekyll Talk.