shikata ga nai
play

shikata ga nai Jaime (@NighetMan) Pealba. This workshop is based on - PowerPoint PPT Presentation

Jun 23, 2023 •148 likes •539 views

October 22, 2015 Radare2 workshop hack.lu 2015 shikata ga nai Jaime (@NighetMan) Pealba. This workshop is based on ideas and scripts from 2 disclaimer 3 Please look at the shikata_ga_nai folder in the virtual machine where to find the

  1. October 22, 2015 Radare2 workshop hack.lu 2015 shikata ga nai

  2. Jaime (@NighetMan) Peñalba. This workshop is based on ideas and scripts from 2 disclaimer

  3. 3 Please look at the shikata_ga_nai folder in the virtual machine where to find the material?

  4. what are we going to do?

  5. 5 Unpack Shikata ga nai! shikata ga nai

  6. • 320 lines of msf-powered OOP Ruby • Polymorphic • We want the unpacked shellcode 6 shikata ga nai

  7. how do we do it?

  8. • Use radare2 with ESIL! • Run it on your machine and see what happens • Step-step-step-step-step-… in gdb • Trace the execution in a virtual machine 8 solutions

  9. • Run it on your machine and see what happens • Step-step-step-step-step-… in gdb • Trace the execution in a virtual machine • Use radare2 with ESIL! 8 solutions

  10. • Run it on your machine and see what happens • Step-step-step-step-step-… in gdb • Trace the execution in a virtual machine • Use radare2 with ESIL! 8 solutions

  11. • Run it on your machine and see what happens • Step-step-step-step-step-… in gdb • Trace the execution in a virtual machine 8 solutions • Use radare2 with ESIL!

  12. but what is esil?

  13. • Evaluable String Intermediary Language • Yet another intermediary language • RPN-ish 10 esil • jz 0 xaabbccdd : zf , ? , 0 xaabbccdd , eip , = ,

  14. what can we do with this ���� ?

  15. • Used for • Emulation • Decompilation • Analysis • Flamewars against other IL 12 esil

  16. • Used for • Emulation • Decompilation • Analysis • Flamewars against other IL 12 esil

  17. • Used for • Emulation • Decompilation • Analysis • Flamewars against other IL 12 esil

  18. • Used for • Emulation • Decompilation • Analysis • Flamewars against other IL 12 esil

  19. how does emulation help us to dump the shellcode?

  20. We can emulate the shellcode, but where do we stop? • Instructions aren’t fixed. • Blocks are permutated. • Registers are dynamically selected. So what can we do? 14 where to stop?

  21. So we can emulate the shellcode, and dump the result from It seems that the last instruction will always be loop. the last loop instruction till then end. 15 reading the source code

  22. So we can emulate the shellcode, and dump the result from It seems that the last instruction will always be loop. the last loop instruction till then end. 15 reading the source code

  23. how do we use radare2/esil anyway?

  24. 17 r2pipe

  25. npm install r2pipe pip install r2pipe gem install r2pipe 18 languages NodeJS Python Ruby

  26. so let’s use esil?

  27. • FPU is currently not supported in ESIL :D • Polymorphic FPU instructions 20 plot twist • FPU is used to get EIP with FNSTENV

  28. 20 plot twist

  29. can we emulate them the ������ ��� ?

  30. • You’ve got the hello_world.py code family • Feel free to do it in your favourite language! 22 are those detected as fpu by r2? • Check if every opcode in the test_fpu.py one has the fpu

  31. 23 my solution

  32. ready to unpack shikata ga nai?

  33. 1. Initialize the ESIL vm 2.1 We’re at the end! 2.2 Dump from the last encountered loop instruction to the end 3. Else, if the instruction is an fpu one 3.2 Else, store eip 4. Else, if the instruction is loop, store its location 25 sum up 2. If the instruction is invalid 3.1 If it’s fnstenv, write the previously stored eip at esp 5. Step and goto 2 .

  34. your turn!

  35. 27 my solution

  36. conclusion

  37. • Still WIP • ESIL is cool • More to come! 29 conclusion

  38. You should use it. Radare2 is nice. 29 conclusion

  39. • Github repo • Official website • The r2 blog • The r2 book • Twitter 30 resources

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Note on Aggregate MAC Schemes Shoichi Hirose 1 Junji Shikata 2 1 University of Fukui, Japan 2

A Note on Aggregate MAC Schemes Shoichi Hirose 1 Junji Shikata 2 1 University of Fukui, Japan 2

A Note on Aggregate MAC Schemes Shoichi Hirose 1 Junji Shikata 2 1 University of Fukui, Japan 2 Yokohama National University, Japan 13/11/2018 ASK 2018, Kolkata S. Hirose (Univ. Fukui) A Note on Aggregate MAC Schemes ASK 2018 (13-16/11/2018) 1

1.2k views • 33 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes

Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes

IEEE IS IE ISIT IT 20 2020 Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes Yoshinori Ogawa *, Shingo Sato** Junji Shikata*, Hideki Imai*** *Yokohama National University, Japan **NICT, Japan

254 views • 13 slides
Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu

Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu

Title Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu Seito Junji Shikata @Crypto2018, Santa Barbara, 20, Aug. *The views expressed in this talk do not necessarily reflect the official views of

492 views • 28 slides
Distributed Version Control Systems Matthieu Moy Computer Science and Automation Indian

Distributed Version Control Systems Matthieu Moy Computer Science and Automation Indian

Prehistory History Linux Bazaar Conclusion Distributed Version Control Systems Matthieu Moy Computer Science and Automation Indian Institute of Science Bangalore October 2006 Matthieu Moy (CSA/IISc) DVC October 2006 < 1 / 43 >

1.1k views • 89 slides
Data Quality in Gravitational Wave Burst and Inspiral Searches in the 2 n d Virgo Science Run

Data Quality in Gravitational Wave Burst and Inspiral Searches in the 2 n d Virgo Science Run

Data Quality in Gravitational Wave Burst and Inspiral Searches in the 2 n d Virgo Science Run Florent Robinet For the Virgo and the LSC Collaborations The Virgo Data Quality Group Activities Online analysis pipelines Kleine Welle triggers

288 views • 27 slides
Cosmic Magne-sm Science with KAT-7 Anna Scaife Chris

Cosmic Magne-sm Science with KAT-7 Anna Scaife Chris

Cosmic Magne-sm Science with KAT-7 Anna Scaife Chris Riseley, Nadeem Oozeer, Lindsay Magnus & the KAT-7 Commissioning Team. Karoo region, South

513 views • 17 slides
Shifan Zuo NAOC September 19, 2018 Outline The Tianlai data processing pipeline tlpipe 1

Shifan Zuo NAOC September 19, 2018 Outline The Tianlai data processing pipeline tlpipe 1

Overview of Tianlais data processing pipeline and some results Shifan Zuo NAOC September 19, 2018 Outline The Tianlai data processing pipeline tlpipe 1 Overview Main Results 2 RFI Flagging Calibration Map-making Issues and Plans

516 views • 17 slides
Designing with Free tools in an Open Community: Designing with Free tools in an Open Community:

Designing with Free tools in an Open Community: Designing with Free tools in an Open Community:

Designing with Free tools in an Open Community: Designing with Free tools in an Open Community: experiences from the Fedora Design Team experiences from the Fedora Design Team Nicu Buculei & Martin Sourada: Fedora Design contributors Nicu

542 views • 13 slides
Using Git Matthieu Moy Matthieu.Moy@univ-lyon1.fr https://matthieu-moy.fr/ September 2018

Using Git Matthieu Moy Matthieu.Moy@univ-lyon1.fr https://matthieu-moy.fr/ September 2018

Intro Git Others Example Advices Using Git Matthieu Moy Matthieu.Moy@univ-lyon1.fr https://matthieu-moy.fr/ September 2018 Matthieu Moy (Matthieu.Moy@imag.fr) Git September 2018 < 1 / 35 > Intro Git Others Example Advices

1.09k views • 80 slides
Linux in der Schule Holger Levsen, 12. November 2007 Vorwort These slides are written in in

Linux in der Schule Holger Levsen, 12. November 2007 Vorwort These slides are written in in

aka Debian-Edu Linux in der Schule Holger Levsen, 12. November 2007 Vorwort These slides are written in in english, even though the talk will be held in german. Unless the audience wants it in english ;-) Reasons: easy

327 views • 22 slides
debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my

debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my

debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my inspiriation for this basic ideas: email, planets, t-shirts more goals, i18n simple code of conduct debian endorsement status, timeline

572 views • 31 slides
Adventures with CO 2 at the Mt. Bachelor Observatory Dan Jaffe 1 , Jon Hee 1 , Arlyn Andrews 2 ,

Adventures with CO 2 at the Mt. Bachelor Observatory Dan Jaffe 1 , Jon Hee 1 , Arlyn Andrews 2 ,

Adventures with CO 2 at the Mt. Bachelor Observatory Dan Jaffe 1 , Jon Hee 1 , Arlyn Andrews 2 , Jon Kofler 2 1 University of Washington 2 NOAA-GMD Mt. Bachelor 2.8 km asl Oregon, USA Dan Jaffe Mt. Bachelor, Oregon, (MBO) 2.8 km asl The

540 views • 15 slides
Approved Sound Proofed Systems Building owners, consultants and contractors who want to know if

Approved Sound Proofed Systems Building owners, consultants and contractors who want to know if

Approved Sound Proofed Systems Building owners, consultants and contractors who want to know if the considered Soundproof System fulfill the requirements of the DIN4109 should ask the piping system supplier for the official Test Report and

465 views • 10 slides
Iola Missionary Baptist Church Come, thou Fount of evry blessing Tune my heart to sing Thy

Iola Missionary Baptist Church Come, thou Fount of evry blessing Tune my heart to sing Thy

Iola Missionary Baptist Church Come, thou Fount of evry blessing Tune my heart to sing Thy grace; Streams of mercy, never ceasing, Call for songs of loudest praise: Teach me some melodious sonnet, Sung by flaming tongues above. Praise the

977 views • 63 slides
RoP Hooks Shane.Macaulay@IOACTIVE.com Introduction K2 / ktwo@ktwo.ca Shane.Macaulay

RoP Hooks Shane.Macaulay@IOACTIVE.com Introduction K2 / ktwo@ktwo.ca Shane.Macaulay

RoP Hooks Shane.Macaulay@IOACTIVE.com Introduction K2 / ktwo@ktwo.ca Shane.Macaulay @ioactive.com Intro/Outline Hooking/Tracing What is a binary doing? Can we modify/detour Frustrations/Hurdles Friendly inputs

397 views • 27 slides
Blue Bible pg 1245 Ephesians 6:10-20 Blue Bible pg 1245 Ephesians 6:10-20 ESV The Whole Armor of

Blue Bible pg 1245 Ephesians 6:10-20 Blue Bible pg 1245 Ephesians 6:10-20 ESV The Whole Armor of

Ephesians 6:10-20 Blue Bible pg 1245 Ephesians 6:10-20 Blue Bible pg 1245 Ephesians 6:10-20 ESV The Whole Armor of God 10 Finally, be strong in the Lord and in the strength of his might. 11 Put on the whole armor of God, that you may be able

624 views • 23 slides
Why we should prayer? Well my Mum taught / told me to. What harm can it do? It seems

Why we should prayer? Well my Mum taught / told me to. What harm can it do? It seems

Why we should prayer? Well my Mum taught / told me to. What harm can it do? It seems like a good idea. When all else fails. Why not? Why we should prayer? The Bible tells us too. Why we should prayer? The Bible tells us

299 views • 11 slides
Ma Mark 1 k 12:30-31 31 ANNOUNCEMENTS CO COME T ME THO HOU F U FOUNT UNT Co Come e

Ma Mark 1 k 12:30-31 31 ANNOUNCEMENTS CO COME T ME THO HOU F U FOUNT UNT Co Come e

Ma Mark 1 k 12:30-31 31 ANNOUNCEMENTS CO COME T ME THO HOU F U FOUNT UNT Co Come e Thou Fo Fount t of ev ev'ry 'ry ble blessing ing Tu Tune my heart rt to si sing Th Thy gra race St Streams of of m mercy ne neve ver c

1.03k views • 86 slides
ELEC / COMP 177 Fall 2012 Some slides from Kurose

ELEC / COMP 177 Fall 2012 Some slides from Kurose

ELEC / COMP 177 Fall 2012 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Homework #1 Assigned today Due in one

712 views • 56 slides
Hackers Corner Passive Advertising Profiling STRICTLY CONFIDENTIAL 13 Agosto 2011 Tonacci

Hackers Corner Passive Advertising Profiling STRICTLY CONFIDENTIAL 13 Agosto 2011 Tonacci

Hackers Corner Passive Advertising Profiling STRICTLY CONFIDENTIAL 13 Agosto 2011 Tonacci & Mensurati ...& Matteo Flora :) Entropia.... (http://panopticlick.eff.org/browser-uniqueness.pdf) Entropia....

714 views • 25 slides
61A Lecture 24 Wednesday, October 29 Announcements Homework 7 due Wednesday 11/5 @ 11:59pm

61A Lecture 24 Wednesday, October 29 Announcements Homework 7 due Wednesday 11/5 @ 11:59pm

61A Lecture 24 Wednesday, October 29 Announcements Homework 7 due Wednesday 11/5 @ 11:59pm Project 1 composition revisions due Wednesday 11/5 @ 11:59pm Make changes to your project based on the composition feedback you received

511 views • 16 slides
* * Perdido Key Chamber of Commerce is excited to offer a new MVP Program exclusively to our

* * Perdido Key Chamber of Commerce is excited to offer a new MVP Program exclusively to our

The Perdido Key Chamber of Commerce * * Perdido Key Chamber of Commerce is excited to offer a new MVP Program exclusively to our members. The purpose of the Member Value Partner Program is to provide an exclusive discount rate on quality

701 views • 4 slides
MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): 100 people are preparing

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): 100 people are preparing

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): 100 people are preparing a Thriller flashmob, but arent sure where to have it. Initially they are torn between Ovids and K-Lair, but Zombie Jared suggests Subway as an

179 views • 5 slides

More recommend