Recent posts

HITCON CTF 2016 Quals - MixerBox

A Linux x86 ELF reversing challenge.

Mixed-arch, mixerbox

Mixed-arch?

Why is this mixed-arch? This instruction sequence appears everywhere in the binary.

  ...
  push 0x33              ; 0x33 is the 64-bit code segment selector on Linux
  call change_arch
  call f
  call restore_arch
  ...

change_arch:
  retf                   ; far return: pops EIP, then CS=0x33, so f() runs as 64-bit code

restore_arch:
  mov [ebp+4], 0x23      ; 0x23 is the 32-bit code segment selector
  retf                   ; far return back into 32-bit mode

Read more


Running ARM in QEMU

A summary of how to run ARM Debian in QEMU.

It is easy to do by following
https://www.aurel32.net/info/debian_arm_qemu.php and
https://people.debian.org/~aurel32/qemu/armhf/.

1. Install

First, install qemu.

sudo apt-get install qemu

Next, download the images.

wget https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress
wget https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress
  • debian_wheezy_armhf_standard.qcow2 is the disk image with Debian wheezy installed,
  • initrd.img-3.2.0-4-vexpress is the temporary filesystem image needed for booting (initrd; initial ramdisk),
  • vmlinuz-3.2.0-4-vexpress is the Linux kernel image.

Of these, the qcow2 image changes as you use the system (it is the disk image, after all), so it is a good idea to keep a backup of a clean copy.

Read more


DEF CON 2016 Quals - feedme

feedme is a baby’s first pwnable task.

The binary is a fork-based server. There is an obvious buffer overflow vulnerability in the child process routine (reconstructed from the decompilation; read_byte, readn and tohex are the binary's own helpers).

#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

int   read_byte(void);                        /* reads one byte: the length */
void  readn(char *buf, int n);                /* reads exactly n bytes, no bound check */
char *tohex(const char *buf, int n, int max); /* hex-dumps at most max bytes */

int handler()
{
	char buf[32];  // [ebp-0x2c]
	int canary;    // [ebp-0xc]

	printf("FEED ME!\n");
	int size = read_byte();
	readn(buf, size);  // size is 0..255, buf is 32 bytes: stack overflow
	// Shows up to 16 bytes. Cannot leak canary with this.
	printf("ATE %s\n", tohex(buf, size, 16));
	return size;
}

void server()
{
	int status;

	while (1) {
		int pid = fork();
		if (pid == 0) {
			int n = handler();
			printf("YUM, got %d bytes!", n);
			return;
		}
		else {
			waitpid(pid, &status, 0);
			printf("child exit.\n");
		}
	}
}

So we can exploit this program by brute-forcing the stack canary one byte at a time (every forked child inherits the same canary, and a crashed child does not kill the server) and then doing ROP to get a shell. Classic.

Read more


PlaidCTF 2016 - quite quixotic quest writeup

Well yes, it certainly is quite quixotic. (Yes, the flag format is PCTF{}.)

It's a reversing task. We have an x86 ELF binary. I just ran it first.

$ ./qqq
curl: try 'curl --help' or 'curl --manual' for more information
$ ./qqq --version
curl 7.49.0-DEV (i686-pc-linux-gnu) libcurl/7.49.0-DEV
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets

It seems the binary is a modified curl. Since the problem statement mentioned the flag format, I naturally searched for the string "PCTF" in the binary.

Read more


Building Android App Without an IDE

UPDATE 2018-03-12: The "android create project" command has been removed from newer SDK tools (since 25.3.0). But you can still download older SDK tools from these links:

where [rev] is the exact revision number, such as 24 or 25.2.5. Look up the revision at this page.


To build an Android app, the recommended tool is Android Studio. But I decided to do it without Android Studio or Eclipse. I did this to understand how an Android app works, and because I prefer the command line over heavy IDEs. I have to admit, though, that you will need an IDE to build a serious app. In this article, I will walk through how to build a simple Android app from the command line. The app will have ProGuard enabled and use JNI.

This tutorial was tested only on Ubuntu 14.04 LTS x86_64.

Read more