blukat29

Blog.

© 2024. All rights reserved.

Recent posts

dev

Building custom kernel

17 May 2017

Use VM when you practice, just in case.

1. Download kernel

Download from https://www.kernel.org/pub/linux/kernel/.
For example,

sudo apt-get install -y wget xz-utils
wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.28.tar.xz
tar xf linux-4.9.28.tar.xz

2. Make your modification

Patch the files, add code, … etc.

3. Config

Copy current setting.

sudo cat /boot/config-`uname -r` > .config
make olddefconfig

4. Build

make -j4
make -j4 modules

5. Install

sudo make modules_install
sudo make install

Files will be written to /boot directory.

6. Reboot

Reboot the computer. If anything goes wrong, reboot again and select original kernel.

(Optional) Change default boot kernel

See here

writeup

Codegate 2017 finals - BMP

14 Apr 2017

BMP is a Windows pwnable task.

bmp_gui.png

1. Reversing

This program opens a BMP image and extracts LSB of each pixel. Then they are saved as another BMP image (*_out.bmp). The image can be opened by either “File > Open” menu or command line argument.

The main logic looks like this:

Read more

writeup

Codegate 2017 quals - meow

15 Feb 2017

Linux ELF binary and a service port is given. So I assume it’s a pwnable task.

1. First look

This binary receives 10 byte input and checks its MD5 hash. If the check passes, the string is used to decrypt two data blobs. Then two decrypted blobs are mmaped to fixed addresses 0x12000 and 0x14000 with RWE permission. Then at the end of the program, we can ‘call’ the code at 0x12000 just like a function.

Since finding preimage of the MD5 hash is hopeless, our goal is now finding the 10 byte key that makes the decoded blob plausible. To do that, we had to analyze the decryption function 0xD1D. But I felt I will definitely make mistake during understanding it. So my teammate took another way.

2. Simplifying the decryption routine

The decryption seemed to be composed of simple XORs. So we used angr to derive the symbolic relation between input and output.

First load the binary in angr.

import angr
proj = angr.Project('./meow')

Read more

writeup

HITCON CTF 2016 Quals - MixerBox

10 Oct 2016

Linux x86 ELF Reverse challenge.

Mixed-arch, mixerbox

Mixed-arch?

Why is this mixed-arch? There are these instructions everywhere.

  ...
  push 0x33
  call change_arch();
  call f();
  call restore_arch();
  ...

change_arch:
  retf

restore_arch:
  mov [ebp+4], 0x23
  retf

Read more

dev

Running ARM in QEMU

19 Aug 2016

QEMU에서 ARM debian을 돌리는 방법 정리.

https://www.aurel32.net/info/debian_arm_qemu.php
https://people.debian.org/~aurel32/qemu/armhf/를 참고하면 쉽게 할 수 있다.

1. Install

먼저 qemu를 설치한다.

sudo apt-get install qemu

그 다음 이미지들을 다운받는다.

wget https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress
wget https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress
  • debian_wheezy_armhf_standard.qcow2는 debian wheezy가 설치된 디스크 이미지,
  • initrd.img-3.2.0-4-vexpress는 부팅에 필요한 임시 파일시스템 (initrd; initial ramdisk) 이미지,
  • vmlinuz-3.2.0-4-vexpress는 리눅스 커널 이미지이다.

이 중에서 qcow2 이미지는 시스템을 사용하면 내용이 바뀌기 때문에 (디스크 이미지니까) 깨끗한 버전을 하나 백업해 두는 것도 좋은 생각이다.

Read more