overengineered 1337 crackme 100
play

Overengineered : 1337 * crackme- 100 Generated by machines for - PowerPoint PPT Presentation

Sep 20, 2022 •167 likes •672 views

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

  1. Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat à l’Énergie Atomique et aux Énergies alternatives Direction des Applications Militaires 17 novembre 2017

  2. Guidelines : Reverse challenge Last step should be... tedious challenging ! No guess Idea : force people to use tools because it’s the future, bro Focus on automation, not on efficient manual analysis Prevent trivial attacks Miasm should not be the only viable solution (tough one) There should be some hype at the end Once Upon a Time Overengineering xarkes: hey guys, why don’t you write the last step of this year’s challenge? (freely translated and edited) CEA/DAM | 17 novembre 2017 | PAGE 2/25

  3. Idea : force people to use tools because it’s the future, bro Focus on automation, not on efficient manual analysis Prevent trivial attacks Miasm should not be the only viable solution (tough one) There should be some hype at the end Once Upon a Time Overengineering xarkes: hey guys, why don’t you write the last step of this year’s challenge? (freely translated and edited) Guidelines : Reverse challenge Last step ⇒ should be... tedious challenging ! No guess CEA/DAM | 17 novembre 2017 | PAGE 2/25

  4. Once Upon a Time Overengineering xarkes: hey guys, why don’t you write the last step of this year’s challenge? (freely translated and edited) Guidelines : Reverse challenge Last step ⇒ should be... tedious challenging ! No guess Idea : force people to use tools because it’s the future, bro Focus on automation, not on efficient manual analysis Prevent trivial attacks Miasm should not be the only viable solution (tough one) There should be some hype at the end CEA/DAM | 17 novembre 2017 | PAGE 2/25

  5. More is more Overengineering Implementation : Loads of binaries (let’s say 1337) 4 architectures : x86, x86_64, ARM, AARCH64 2 OS : Windows, Linux ARM and AARCH64 are linux only, and there are fewer of them (5 of each) Each binary is a different equation to solve Each binary has its own packer Validator is an unnecessary concurrent rust source code CEA/DAM | 17 novembre 2017 | PAGE 3/25

  6. Inspiration Overengineering Misc Inspired by the DefCon 2017 challenge Should not be solvable with grep We really hope it wasn’t... objdump -M intel -d magic/* | grep -P ”cmp\s+rdi”\ | grep -oP ”0x\w{1,2}” | xxd -r -p objdump -M intel -d sorcery/* | grep -P ” 3\w{3}.*cmp\s+[ac]l”\ | grep -oP ”0x\w{1,2}” | xxd -r -p objdump -M intel -d alchemy/* | grep -P ” 4[012]\w{4}:.*cmp\s+r[ac]x,0x\w{2}$”\ | grep -oP ”0x\w{1,2}” | xxd -r -p objdump -M intel -d witchcraft/* | grep -P ”[add|sub|cmp]\s+rdi,0x”\ | cut -c33-80 | sed ’s/ /,/’ | python parser.py Source : https ://github.com/sinfocol/ctfs CEA/DAM | 17 novembre 2017 | PAGE 4/25

  7. Approach 2 : lazy way Brute-force random equations Ask a SMT solver for the one and only one answer constraint we have a winner! Do it 1337 times Producing equations Overengineering Approach 1 : smart way Produce a function f with one and only one value x such that f ( x ) = 0 Apply reversible transformation, expand, reduce, … Do it 1337 times CEA/DAM | 17 novembre 2017 | PAGE 5/25

  8. we have a winner! Do it 1337 times Producing equations Overengineering Approach 1 : smart way Produce a function f with one and only one value x such that f ( x ) = 0 Apply reversible transformation, expand, reduce, … Do it 1337 times Approach 2 : lazy way Brute-force random equations Ask a SMT solver for the one and only one answer constraint CEA/DAM | 17 novembre 2017 | PAGE 5/25

  9. Producing equations Overengineering Approach 1 : smart way Produce a function f with one and only one value x such that f ( x ) = 0 Apply reversible transformation, expand, reduce, … Do it 1337 times Approach 2 : lazy way Brute-force random equations Ask a SMT solver for the one and only one answer constraint → we have a winner! Do it 1337 times CEA/DAM | 17 novembre 2017 | PAGE 5/25

  10. Mix these intermediate variables together with random operations Evaluate the sum of all variables (final equation) with one random value Ask z3 (through Miasm) if there is only one way of getting this result Save the input for later (expected input) Translate to C (Miasm IR (unreadable) C) Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables CEA/DAM | 17 novembre 2017 | PAGE 6/25

  11. Evaluate the sum of all variables (final equation) with one random value Ask z3 (through Miasm) if there is only one way of getting this result Save the input for later (expected input) Translate to C (Miasm IR (unreadable) C) Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables Mix these intermediate variables together with random operations CEA/DAM | 17 novembre 2017 | PAGE 6/25

  12. Ask z3 (through Miasm) if there is only one way of getting this result Save the input for later (expected input) Translate to C (Miasm IR (unreadable) C) Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables Mix these intermediate variables together with random operations Evaluate the sum of all variables (final equation) with one random value CEA/DAM | 17 novembre 2017 | PAGE 6/25

  13. Save the input for later (expected input) Translate to C (Miasm IR (unreadable) C) Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables Mix these intermediate variables together with random operations Evaluate the sum of all variables (final equation) with one random value Ask z3 (through Miasm) if there is only one way of getting this result CEA/DAM | 17 novembre 2017 | PAGE 6/25

  14. Translate to C (Miasm IR (unreadable) C) Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables Mix these intermediate variables together with random operations Evaluate the sum of all variables (final equation) with one random value Ask z3 (through Miasm) if there is only one way of getting this result Save the input for later (expected input) CEA/DAM | 17 novembre 2017 | PAGE 6/25

  15. Producing equations Overengineering Implementation Operations in the 2 n bit world → Miasm IR! Start with the input, apply random operations with random constants to produces intermediates variables Mix these intermediate variables together with random operations Evaluate the sum of all variables (final equation) with one random value Ask z3 (through Miasm) if there is only one way of getting this result Save the input for later (expected input) Translate to C (Miasm IR → (unreadable) C) CEA/DAM | 17 novembre 2017 | PAGE 6/25

  16. uint64_t test(uint64_t x) { uint64_t var0, var1, var2, var3, var4, var5, var6, var7, var8, var9; var0 = (x^x); var1 = (0x2BECFB880A6B7B72+var0); var2 = (var1+0x620D004B294BA344); if ((var1 & 0x2040080405110022) != 0x2040080000010022) return -1; var3 = (var2+var0); var4 = (0x671F8D008D0800D|var3); var5 = (var3&0x6E67FB8012DA33A); var6 = (var2+(- var5)); var7 = (var4|0xC98A8C805C4FF93C); var8 = (var6|var0); if ((var8 & 0x608100018209001) != 0x8000010001000) return -1; var9 = (0x27A81200F061A58B+(- var3)); return x + var0 + var1 + var2 + var3 + var4 + var5 + var6 + var7 + var8 + var9 - 0x8738A051601EC7DE; } Misc Overengineering Avoid common attacks Avoid brute-force : input is 64 bits Patterns are random to avoid “grep attack” Avoid too easy tracing : insert randoms checks to avoid full equation dumping in one run CEA/DAM | 17 novembre 2017 | PAGE 7/25

  17. Misc Overengineering Avoid common attacks Avoid brute-force : input is 64 bits Patterns are random to avoid “grep attack” Avoid too easy tracing : insert randoms checks to avoid full equation dumping in one run uint64_t test(uint64_t x) { uint64_t var0, var1, var2, var3, var4, var5, var6, var7, var8, var9; var0 = (x^x); var1 = (0x2BECFB880A6B7B72+var0); var2 = (var1+0x620D004B294BA344); if ((var1 & 0x2040080405110022) != 0x2040080000010022) return -1; var3 = (var2+var0); var4 = (0x671F8D008D0800D|var3); var5 = (var3&0x6E67FB8012DA33A); var6 = (var2+(- var5)); var7 = (var4|0xC98A8C805C4FF93C); var8 = (var6|var0); if ((var8 & 0x608100018209001) != 0x8000010001000) return -1; var9 = (0x27A81200F061A58B+(- var3)); return x + var0 + var1 + var2 + var3 + var4 + var5 + var6 + var7 + var8 + var9 - 0x8738A051601EC7DE; } CEA/DAM | 17 novembre 2017 | PAGE 7/25

  18. Multiple tools Overengineering Several tools could be used Only a few challenges on ARM / AARCH64 : do-able by hand No float, no (too) exotic opcodes, no loops, … (probably) suitable tools Triton Manticore Angr Miasm … Working methods (on Miasm) Symbolic execution with state splitting Dynamic Symbolic Execution Dependency Graph CEA/DAM | 17 novembre 2017 | PAGE 8/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Hundred Years War 1337 - 1453 Causes of The Hundred Years War William of Normandy (the

The Hundred Years War 1337 - 1453 Causes of The Hundred Years War William of Normandy (the

The Hundred Years War 1337 - 1453 Causes of The Hundred Years War William of Normandy (the Conqueror) became King of England in 1066 Edward III of England refused to pay homage to Philip VI of France, so he took Edwards

347 views • 8 slides
Contributopia To De-google-ify is not enough Hello (its me) Pouhiou Technical Skills

Contributopia To De-google-ify is not enough Hello (its me) Pouhiou Technical Skills

Contributopia To De-google-ify is not enough Hello (its me) Pouhiou Technical Skills Languages: fr, en, es, 1337, Frameworks: Storytelling, Empathy Web Development: PEBCAK, n00b Experience Tourist Guide

702 views • 34 slides
United States Court of Appeals for the Federal Circuit __________________________ TRI-STAR

United States Court of Appeals for the Federal Circuit __________________________ TRI-STAR

United States Court of Appeals for the Federal Circuit __________________________ TRI-STAR ELECTRONICS INTERNATIONAL, INC., Plaintiff-Appellee, v. PRECI-DIP DURTAL SA, Defendant-Appellant, __________________________ 2009-1337

750 views • 6 slides
Emergent bubbling geometries in gauge theories with SU(2|4) symmetry Goro Ishiki (YITP)

Emergent bubbling geometries in gauge theories with SU(2|4) symmetry Goro Ishiki (YITP)

Emergent bubbling geometries in gauge theories with SU(2|4) symmetry Goro Ishiki (YITP) arXiv:1406.1337[hep-th] JHEP 1405,075(2014) JHEP 1302,148(2013) Collaborators Y. Asano (Kyoto U), T. Okada (Riken), S.Shimasaki

372 views • 20 slides
DEEP LEARNING WITH COTS HPC SYSTEMS Adam Coates, Brody Huval, Tao Wang, David Wu, Bryan

DEEP LEARNING WITH COTS HPC SYSTEMS Adam Coates, Brody Huval, Tao Wang, David Wu, Bryan

DEEP LEARNING WITH COTS HPC SYSTEMS Adam Coates, Brody Huval, Tao Wang, David Wu, Bryan Catanzaro, Ng Andrew ; Proceedings of the 30th International Conference on Machine Learning, PMLR 28(3):1337-1345, 2013. MODELS NOW Larger and larger

732 views • 46 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network security researcher IPv6, DNS, TLS, BGP, DDoS mitigation, ... Scapy co-maintainer Python-based packet manipulation program & library neither

1.1k views • 61 slides
USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart fuzzer that uses code coverage needs an initial corpus ~20 different mutations strategies only keep mutated inputs that modify coverage source

868 views • 29 slides
Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie atomique et aux nergies alternatives June 17, 2017 Summary 1 Introduction 2 Use case: Shellcode Use case: EquationDrug from EquationGroup 3 Use

1.66k views • 143 slides
An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

Background Evaluation An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle Malte Helmert University of Basel Switzerland June 15, 2016 Background Evaluation Outline Background 1 Evaluation 2

413 views • 23 slides
Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017 Introduction Merge-and-Shrink Evaluation of Merge Strategies Implementation Conclusion Motivation An important factor for the performance of

489 views • 22 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

1.13k views • 84 slides
Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International Conference on Audio for Virtual and Augmented Reality September 30th, 2016 Joseph G. Tylka (presenter) Edgar Y. Choueiri 3D Audio and Applied

441 views • 22 slides
Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick Richardson, Brian Nemsick and Douglas Reynolds Odyssey 2016 June 22, 2016 This work was sponsored by the Department of Defense under Air Force

413 views • 18 slides
Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows the recording of audio and video ( via webcam ) and slides together which can be shared with students. Its not a live broadcast and can be used

404 views • 11 slides
MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology 1 Tests Description Use trigger hammer to capture physical taps trigger DAQ by completing a circuit on contact Tap ~5 times on each

390 views • 11 slides
Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt

Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt

Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt these slides for your personal use and add them to your own PowerPoint files. Using these slides to perform GoToWebinar housekeeping and provide

287 views • 7 slides
CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for

CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for

CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for Prof. Adam Bates for the slides. CS 423: Operating Systems Design Storage Hierarchy CPU Registers Size Performance 32-64 bits Cache 4-128 words

994 views • 32 slides
Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel

Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel

Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel Faculty of Engineering Institute of Electrical and Information Engineering Digital Signal Processing and System Theory Beamforming Contents

820 views • 44 slides
Meeting Recorder: Audio Processing Dan Ellis <dpwe@ee.columbia.edu> Lab ROSA , Columbia

Meeting Recorder: Audio Processing Dan Ellis <dpwe@ee.columbia.edu> Lab ROSA , Columbia

Meeting Recorder: Audio Processing Dan Ellis <dpwe@ee.columbia.edu> Lab ROSA , Columbia University and ICSI, Berkeley Outline 1 ICSI Meeting Recorder 2 Close-mics: cancellation & turn estimation 3 Tabletop mics: turns &

491 views • 11 slides
Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN

Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN

Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN Warsaw I Regular connections (after Deligne) Regularity in dimension one = t d K = C (( t )) C [[ t ]] = O dt M fin. dim. over K

379 views • 22 slides
Open Microphone Meeting: USP General Chapter <797> Pharmaceutical Compounding Sterile

Open Microphone Meeting: USP General Chapter <797> Pharmaceutical Compounding Sterile

Open Microphone Meeting: USP General Chapter <797> Pharmaceutical Compounding Sterile Preparations October 21, 2015 2:00 p.m. to 4:00 p.m. EDT Agenda Welcome Overview of USPs Revision Process Overview of Revised General

506 views • 25 slides
OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc

OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc

OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Specialised Optimisations Some optimisation are specific to Xeon Phi only Offloading MPI performance Thread and process placement

138 views • 9 slides

More recommend