lessons learned while playing
play

Lessons learned while playing CoreWars8086 Shapira Elad (Zest) | - PowerPoint PPT Presentation

Dec 07, 2022 •38 likes •649 views

Lessons learned while playing CoreWars8086 Shapira Elad (Zest) | Security Researcher | 29-6-2014 #Whois Elad Shapira (Zest) Reverser from the Holy Land. Mobile Security Researcher @AVG. Highly passionate for RE, Assembly and

  1. Lessons learned while playing CoreWars8086 Shapira Elad (‘Zest’) | Security Researcher | 29-6-2014

  2. #Whois Elad Shapira (‘Zest’) • Reverser from the Holy Land. • Mobile Security Researcher @AVG. • Highly passionate for RE, Assembly and Low-Level. • Speaker (ClubHack, Ground Zero Summit..). • Co-Organizer of CoreWars8086 competition (IL). 2

  3. 3

  4. 4

  5. 5

  6. Why CoreWars8086? Does it got any sports in it? “No Starch”..  6 ng

  7. Agenda • Timeline of the CoreWars8086 competition. • Arena, Engines and rules. • How to analyze and write survivors. • Optimization. • Anti reversing techniques. • Future / Improvements. • Share ideas Create new ideas! • Hangover. 7

  8. Origin • Alexander Dewdney / D.G. Jones. • CoreWars / RedCode • http://vyznev.net/corewar/guide.html Red's dead baby. Red's dead. 8

  9. Fight Club – The digital version.. 9

  10. Cameras usually add 5 kg .. Timeline of the competition We got cool T-shirts from our sponsors! • Getting zombies from the organizers. Zombies • 1st round (remote) – 25% • 2nd round (Face-2-face) – 25% 09:00 AM Other competitors • 3rd round (Face-2-face) – 50% 12:01PM • Top 4 survivors get to the final. • Final Winners! 10

  11. Survivors in general • Download, Unzip & play (Google Code). • Survivor's name == file's name (without extension). • 8086 opcodes, 16bit instructions. • Not all instructions are supported (Pusha,Popa,..). • Compiled as ‘com’ file • DOS command file format. • Maximal survivor size - 512 bytes. • Each team can submit two survivors . • Rocky1 & Rocky2. 11

  12. Virtual Arena • Loaded to the virtual arena each time with random address (copied “as is”). • Distance between two survivors and the sides is at least 1024 bytes. • All cells initialized to ‘ CCh ‘ before start. • End of the battle • 200,000 rounds or one survivor left . • Order of the survivors is determined randomly at the beginning and cannot be changed. 12

  13. Arena (NOT virtual) 13

  14. Arena & Addresses 00 01 .. FE FF .. 00 0000 0001 .. .. 00FE 00FF mov [2041h], al 01 0100 0101 .. .. 01FE 01FF mov [2045h], al : : : : : mov [2243h], al : : : : : FE FE00 FF01 .. .. FEFE FEFF mov [2340h], al FF FF00 FF01 .. .. FFFE FFFF mov [2441h], al mov [2542h], ax mov [2444h], al mov [2345h], al 14

  15. Survivor’s Registers (before 1 st round) • BX,CX,DX,SI,DI,BP = 00s. • Flags = 00s. • AX, IP - Initial location of the survivor, offset. • CS, DS - Segment that was assigned to the survivors. • ES - Segment for survivors from same team (shared memory) – 2048 bytes. • SS - Beginning of the personal stack (2048). • ss:0x00 - ss:0x7ff, initialized to 0x00. • SP - Offset of beginning of personal stack (00s). 15

  16. How survivor gets killed • Running illegal command • The 060h byte does not translated to an assembly command. • Engine: “Died due to CPU”. • Running commands that are not supported by the engine • For example ‘ int 21 h’. • Access to memory not in the arena or not in the range of the survivor's personal stack. • For example ES:0x1234. • Engine: “Died to memory exception”. 16

  17. Zombies • Sent by organizers before competition begins. • Regular survivors that do not get points . • Different CPU states problem. • Direction flag (MOVSW will kill master). • Zombies can still win the battle • less points for us. • We need to encourage them to commit suicide. • Contain Math Riddles (That you need to solve). 17

  18. Pwning bugs in the engine How to make your survivors be the firsts to run? 0 SurvivorName What is the advantage? 18

  19. Zombies can fix your survivor’s code 0SurvivorTeam1 (x2) SurvivorTeam2 (x2) SurvivorTeam3 (x2) Zombie1 Zombie2 19

  20. Zombies can fix your survivors code 0SurvivorTeam1 (x2) SurvivorTeam2 (x2) SurvivorTeam3 (x2) Zombie1 Zombie2 20

  21. Zombies can fix your survivors code 0SurvivorTeam1 (x2) SurvivorTeam2 (x2) SurvivorTeam3 (x2) Zombie1 Zombie2 21

  22. Zombies can fix your survivors code 0Survivo Team1 (x2) SurvivorTeam2 (x2) SurvivorTeam3 (x2) Zombie1 Zombie2 22

  23. To stay on the safe side.. 23

  24. Safe Cracking 24

  25. Safe example#1 loop: [1234] = AAAB mov AX,[1234] mov BX,3 3*AX=1 mul AX BX*AX=1 sub AX,1 AX=1 jnz loop ZF=1 killer: mov AX, AAAB Solution: mov ptr word [1234], AX JMP killer 25

  26. Safe example#2 loop: mov AL,[111] [111] = 49H add AL,0A8h 73+168=241(F1) mov AH, [112] [112] = 42H xor AH,0ADh ADH xor 42H = EFH (239d) mul AH AX = AH * AL = 239 * 241 = 57599 cmp AX,0xe0ff AX=57599d ZF=1 jne loop 26

  27. Safe example#2 loop: Solution: mov AL,[111] killer: add AL,0A8h mov AL, 49H mov AH, [112] mov AH, 42H xor AH,0ADh mov ptr byte [111], AL mul AH mov ptr byte [112], AH jmp killer cmp AX,0xe0ff jne loop 27

  28. Important factors • Survivors usually contain • Initialization. • Bombing loop . • Write -> Update address for next writing -> Jumping to beginning of loop • We usually measure survivors by • ‘Area of vulnerability’ • ‘Attack rate’ . • We can cause unexpected phenomenon • mov AX, 0000 -> mov ax, 0cccch (2,3 bytes). 28

  29. Looper • Smallest functional survivor (EBFE, jmp $): Loop: Jmp loop • Good to test other survivors. 29

  30. Attack Vulnerability sequence profile 3 / 1 5 Bomber Demo mov al, 0CCh mov bx, 0 @loop: mov [bx], al inc bx jmp @loop 30

  31. Attack Vulnerability sequence profile 7 3 / 1 Cannon Demo @start: mov bx, ax add bx, (@end - @start) mov al, 0CCh @loop: mov [bx], al add bx, 8 jmp @loop @end: 31

  32. Attack Vulnerability sequence profile 6 3 / 2 Shooter Demo MOV DI,AX MOV AX,0CCCCh @loop: STOSW ADD DI,9 JMP @loop 32

  33. Heavy Bombing • Writes on 256 bytes (es:di -> 255 addresses) • es same value as cs -> if not memory exception after the interrupt • CLD/STD -> change direction • 2 Heavy Bombing each battle • We can bomb shared segment al ah dl dh • INT 86h CC CC CC CC es:di es:di+2 Direction flag es di 0/1 0000 0000 33

  34. Heavy Bombing Demo (Opposite direction) push cs pop es xor di,di mov ax, 0cccch mov dx, ax std int 86h jmp $ 34

  35. Smart Bombing • Bombing the first occurrence of AX:DX in memory. • Replacing it with data we want • Illegal commands or jmp to our code. • We can attack ourselves.. • 1 Smart Bombing each battle. • INT 87 AX DX CX BX 39d8h 7405h v v es:di es:di+2 es Direction flag di 39d8h 7405h ? ? 0 35

  36. Protection from Smart Bombing • Change functionality of registers (BX <-> BP). • Usually does not matter. • Change order of independent commands • Put 3 values to 3 registers = Few different ways. • copy parts of the code • To the beginning and the end. • Variable that changed during runtime near main loop/code part (SP). • Encoding with random numbers. • XORing (will be discussed later). 36

  37. Smart bombing FAIL protection (CGX#9.5) jmp short 0x12 std mov si,0x95a0 cmp ax,bx push cs xchg ax,bx jnc 0x1c cld or al,0x90 pop es lodsw lodsw mov ax, 0 F4E2 h std loop 0x16 mov dx, 0 A0BE h cmp ax,bx mov si,0x95a0 jnc 0xc xchg ax,bx mov cx, 0cccch or al,0x90 cld mov bx,cx lodsw lodsw STD E2F4 loop 0x6 std mov si,0x95a0 cmp ax,bx Int 87h BEA0 xchg ax,bx jnc 0x2c Jmp $ Cld or al,0x90 lodsw lodsw Zombie ==? loop 0x26 37

  38. Binary search (“Lion in the desert”) Jumping to body jmp short 0×12 .. The "talking location" that the mov si,0x95a0 survivors and the zombie talk in xchg ax,bx Keep loading address on the side cld lodsw (LODSW will change AX) std Clears the direction flag (DF=0) cmp ax,bx jnc 0x1c LODSW === MOV AX,[SI++ or SI--] or al,0×90 lodsw AX will hold the ‘talking location’ loop 0×16 DF=1 ( later SUB SI, 2 to change back) 38

  39. Binary search (“Lion in the desert”) jmp short 0×12 Compare his address (BX) to talking .. location (AX) - change only flags. mov si,0x95a0 AX >= BX xchg ax,bx cld jumps into itself (IP increased by 1) lodsw std 73 FF 73 FF Next cell Dec [si] cmp ax,bx 0C 90 0C 90 nop jnc 0x1c changes AL + AX changed again? or al,0×90 lodsw hidden Dec[Si] command  loop 0×16 DF=1 (sub si, 2 to change back) 39

  40. Zombie ==? 6 Zombies mov bl,[0xc0de] mov bl,[0xc1de] mov bl,[0xc2de] push cs mov bl,[0xc3de] pop es int 0x87 mov bl,[0xc4de] and ax,0x7fff mov bl,[0xc4de] push ax mov bl,[0xc0de] mov [0xc0dd],ah test bl,bl mov [0xc1dd],ah jns 0x16 div bl mov [0xc2dd],ah mov [0xc0dd],ah mov [0xc3dd],ah pop ax mov [0xc4dd],ah jmp short 0x7 mov [0xc4dd],ah 40

  41. Not to be confused with the military theorist Sun Tzu Chinese Remainder Theorem Formula used to find all the zombies: input = ? a1 = (input%254); a2 = (input%255); input = ( a1*255*1 + a2*254*254 )%( 255*254 ); 41

  42. Sometime, the organizers send invalid zombies… 42

  43. Optimization 43

  44. How not to be seen 44

  45. IamAramAcham CGX9 #1 – Anti Disassembly Mu-Ha-Ha-Ha! FF = Original will never Disassembly happen 1F = pop ds 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Protg 2006, July 26th, Stanford I R I S A C 1 R E C Saint-Cyr Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From Ontology Ontology Design Design Ontology Ontology Design Design Jean Andr B

371 views • 12 slides
Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background SEP 2002 Davis-Besse Lessons Learned Task Force AUG 2004 - Effectiveness Review Lessons Learned Task Force JAN 2005 - EDO Charters

269 views • 22 slides
OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned Jobsite Safety and Health Inspections/Audits better known as; PAPER WORK You hate it, Your safety director requires it, OSHA loves it, Does it

926 views • 35 slides
3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the Spanish Registry: Lessons Learned from the Registries o Is It possible (and worthy) to do a national registry? Lessons learned from the o

1.16k views • 43 slides
DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD

DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD

DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD ABOUT ME ABOUT ME maya@NetBSD.org coypu@sdf.org NetBSD/pkgsrc for the last 3 years THIS TALK THIS TALK Mix of a bunch of bugs Not solo work

695 views • 31 slides
Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda Introduction What are Lessons Learned? Value to the Project Process and Organization Keanes Approach to Lessons Learned Keys to

261 views • 24 slides
Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted

Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted

Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted Pincock, Carolyn Bouchard Joanne Archer Outline: 1) Common Themes 2) The Event and lessons learned: Spanish Influenza 1918 SARS

417 views • 38 slides
Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss

Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss

Beijing International Finance Forum Chairman Junichi Ujiie 2004/05/19 Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss the lessons to be learned from Japans NPL problems: first, the disposal

344 views • 3 slides
Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill

Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill

Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill Cornell Medical College, New York Presbyterian Hospital Past participation in Team Science Period Period Type of grant Type of grant Role in Grant

380 views • 20 slides
MDG-SDG TRANSITION IN IVORY COAST: LESSONS LEARNED AND IMPLICATIONS ON CURRENT PUBLIC POLICIES

MDG-SDG TRANSITION IN IVORY COAST: LESSONS LEARNED AND IMPLICATIONS ON CURRENT PUBLIC POLICIES

MDG-SDG TRANSITION IN IVORY COAST: LESSONS LEARNED AND IMPLICATIONS ON CURRENT PUBLIC POLICIES SAKO G. . Oumar CONTENTS I. Context II. Assessment and lessons learned from implemention of MDGs III. Domestication/contextaulisation of SDGs

151 views • 12 slides
VALUE: Lessons Learned Kate McConnell &amp; Erin Horan Association of American Colleges and

VALUE: Lessons Learned Kate McConnell &amp; Erin Horan Association of American Colleges and

VALUE: Lessons Learned Kate McConnell &amp; Erin Horan Association of American Colleges and Universities Todays session Overview of the MSC Scoring and reporting Lessons learned as related to validity Unintended consequences?

661 views • 40 slides
FACILITATED BY: Robin Booth, CPA 2 Training Topics Lessons Learned Best Practices

FACILITATED BY: Robin Booth, CPA 2 Training Topics Lessons Learned Best Practices

Office of Housing Counseling Best 9/20/2016 Practices/Lessons Learned - LHCAs U.S. Department of Housing and Urban Development Office of Housing Counseling Best Practices/Lessons Learned LHCAs September 20, 2016 12:00 PM Eastern Standard

569 views • 9 slides
Lessons learned - viewpoints on increasing analytical capabilities Elizabeth Riczko, FCAS,

Lessons learned - viewpoints on increasing analytical capabilities Elizabeth Riczko, FCAS,

Lessons Learned 3/22/2011 Lessons learned - viewpoints on increasing analytical capabilities Elizabeth Riczko, FCAS, MAAA, CPCU 1 What are we doing? 2 It starts with a goal NOT a method A business question Ask why (and repeat)

338 views • 10 slides
MTN-001 Menu Lessons Learned Patrick Karugaba MU-JHU Core Lab, Kampala Uganda Objectives

MTN-001 Menu Lessons Learned Patrick Karugaba MU-JHU Core Lab, Kampala Uganda Objectives

MTN-001 Menu Lessons Learned Patrick Karugaba MU-JHU Core Lab, Kampala Uganda Objectives Introduction Identifying strength &amp; resources at our disposal. Enumeration of challenges/tasks Lessons learned Conclusion

614 views • 13 slides
Lessons Learned (the Hard Way) in an Organization from Predictive Modeling Projects Predictive

Lessons Learned (the Hard Way) in an Organization from Predictive Modeling Projects Predictive

Lessons Learned: Viewpoints on Increasing Analytical Capabilities Lessons Learned (the Hard Way) in an Organization from Predictive Modeling Projects Predictive Modeling Projects from a Company Perspective Greg Hansen, FCAS, MAAA Actuarial

349 views • 18 slides
SPP Integrated Marketplace Day 2 Market Lessons Learned &amp; Project Approach Bill Clarke

SPP Integrated Marketplace Day 2 Market Lessons Learned &amp; Project Approach Bill Clarke

SPP Integrated Marketplace Day 2 Market Lessons Learned &amp; Project Approach Bill Clarke Tyler Wolford Jon Sunneberg June 22, 2011 Agenda Introduction Day 2 Market Lessons Learned Operations Trading Tools &amp;

1.4k views • 65 slides
Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint

Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint

Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint Processing by David Cohen and Peter Jeavons Zion Schell Tractable Constraint Languages - 1 4-15-13 Disclaimer This chapter is a bit weird It

1.03k views • 74 slides
Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency

Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency

I NTERNET OF P EOPLE D AGSTUHL SEMINAR 17412 9 O CTOBER 2017 Participants One-pagers Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency communication, challenged networks (Past: Internet of Reindeer

367 views • 22 slides
Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges

Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges

Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges to transform the growth process on and beyond their farm. Samuel Gebreselassie, EEA and FAC sgebreselassie@gmail.com 1 Background Over the

731 views • 28 slides
Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly

Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly

Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly Root Vegetables Moving from Sweet to Savoury Large Format Meals Beer in Cocktails Bitter is Better Grandmothers Drinks Repurposed Bar Collides

1.08k views • 51 slides
ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki

ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki

ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki ar-st/researcher/curator Malm University Sweden SOUNDTRACKING From technologies to techniques and prac0ces SELF-TRACKING SELF-TRACKING MISQUOTING MISQUOTING

581 views • 29 slides
IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home

IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home

8/18/2017 April 27, 2017 These presenters have nothing to disclose IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home Session 1: Building the Will, Ideas and Execution for Successful Transitions Peg

591 views • 40 slides
P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in

P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in

euro P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in patients treated with PCI: the SORT OUT VII trial Lisette Okkels Jensen, Per Thayssen, Michael Maeng, Jan Ravkilde, Lars Krusell, Hans-Henrik

829 views • 14 slides
Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1

Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1

Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1 &amp; Suchita Srinivasan 2 1 Centre for Energy Policy and Economics, ETH Z urich, Z urich, Switzerland and Universita della Svizzera Italiana

327 views • 18 slides

More recommend