DEFCON 21 CTF Quals `linked` writeup

June 17th, 2013

linked was a shellcoding challenge worth 3 points at DEFCON 21 CTF Quals
Running at OR


 #include <stdint.h>

 typedef struct _llist {
   struct _llist *next;
   uint32_t tag;
   char data[100];
 } llist;


 register char *answer;
 char *(*func)();
 llist *head;
 /* userBuf holds the shellcode sent by the player; it is called like a function
    taking the list head as its only argument and must return a char pointer */
 func = (char *(*)(llist *))userBuf;
 answer = (char *)(*func)(head);

Write me shellcode that traverses the randomly generated linked list, looking for a node with a tag 0x41414100, and returns a pointer to the data associated with that tag, such that the call to send_string will output the answer.

Tests showed that linked was running on x86, and by tests I mean sending “\xeb\xfe” (a `jmp $` on x86, which hangs the service if the guess is right) :P. After trying to write and optimize shellcode that does the job as intended, I thought of an easier attack vector. Instead of walking the list and comparing tags, I scan memory for the key itself (every key starts with “The key is:”), much like an egg hunter. The resulting shellcode is shorter than the 16-byte limit, by a whole 2 bytes :)


bits 32

pop edx             ; return address pushed by the call
pop eax             ; first argument: pointer to the list head
mov ebx, 'The '     ; the egg: first four bytes of "The key is:"

_loop:
    inc eax         ; scan upward one byte at a time
    cmp [eax], ebx  ; does the dword at eax spell "The "?
    jnz _loop

jmp edx             ; "return" with eax pointing at the key

; yep, i can afford nops

See it in action:

x-n2o@istari:~$ nasm linked.asm -o linked
x-n2o@istari:~$ nc 22222 < linked
List built.  Send me your shellcode.  Max size: 16
The key is: Who says ESP isn't general purpose!?!?
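To make the two approaches concrete, here is an added example (my own code, not the challenge binary or the original post's) that builds a list with the node layout quoted above inside one contiguous arena, solves it the intended way by walking the list for tag 0x41414100, and then solves it the egg-hunter way by scanning memory upward from the head pointer for “The ”, exactly as the shellcode's loop does. The arena, the seed-driven ordering, the constructed flag text and the function names (`build_list`, `find_by_tag`, `egg_hunt`, `shellcode_len`) are all assumptions for illustration; the `shellcode[]` array is the byte encoding nasm produces for the listing above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Node layout, as quoted from the challenge source. */
typedef struct _llist {
    struct _llist *next;
    uint32_t tag;
    char data[100];
} llist;

#define TARGET_TAG 0x41414100u
#define KEY_PREFIX "The key is:"
#define NODE_COUNT 8

/* Constructed arena (not the challenge's allocator): all nodes live in one
 * contiguous buffer with the head at the lowest address. That is the layout
 * the egg hunter bets on, since it only scans upward from the head pointer. */
static llist arena[NODE_COUNT];

/* Small deterministic LCG so the "random" list is reproducible. */
static uint32_t lcg(uint32_t *s) {
    *s = *s * 1103515245u + 12345u;
    return *s;
}

/* Build a NODE_COUNT-node list. arena[0] is always the head; the other nodes
 * are linked in a seed-dependent order. arena[key_slot] gets the target tag
 * and a constructed key; every other node gets a filler tag that is never
 * TARGET_TAG and filler text that never contains "The ". */
llist *build_list(uint32_t seed, size_t key_slot) {
    uint32_t s = seed;
    size_t order[NODE_COUNT];

    memset(arena, 0, sizeof arena);
    for (size_t i = 0; i < NODE_COUNT; i++)
        order[i] = i;
    /* Fisher-Yates over indices 1..NODE_COUNT-1, leaving order[0] == 0. */
    for (size_t i = NODE_COUNT - 1; i > 1; i--) {
        size_t j = 1 + lcg(&s) % i;
        size_t t = order[i];
        order[i] = order[j];
        order[j] = t;
    }
    for (size_t i = 0; i < NODE_COUNT; i++) {
        llist *n = &arena[order[i]];
        uint32_t tag = lcg(&s);
        n->next = (i + 1 < NODE_COUNT) ? &arena[order[i + 1]] : NULL;
        n->tag = (tag == TARGET_TAG) ? tag ^ 1u : tag;
        snprintf(n->data, sizeof n->data, "filler node %zu", order[i]);
    }
    if (key_slot >= NODE_COUNT)
        key_slot = NODE_COUNT - 1;
    arena[key_slot].tag = TARGET_TAG;
    snprintf(arena[key_slot].data, sizeof arena[key_slot].data,
             "%s constructed-flag-%08x", KEY_PREFIX, seed);
    return &arena[0];
}

/* The intended solution: walk the list comparing tags. */
const char *find_by_tag(const llist *head, uint32_t tag) {
    for (const llist *n = head; n != NULL; n = n->next)
        if (n->tag == tag)
            return n->data;
    return NULL;
}

/* C rendering of the shellcode's loop: starting one byte past the pointer it
 * was given (inc eax runs before the first compare), test the dword at every
 * address against 'The ' and stop at the first hit. The real shellcode has no
 * upper bound; `limit` is added here so the emulation never reads past the arena. */
const char *egg_hunt(const void *start, size_t limit) {
    const unsigned char *p = (const unsigned char *)start;
    for (size_t off = 1; off + 4 <= limit; off++)
        if (memcmp(p + off, "The ", 4) == 0)
            return (const char *)(p + off);
    return NULL;
}

/* nasm output for the listing above (32-bit x86): pop edx; pop eax;
 * mov ebx,'The '; _loop: inc eax; cmp [eax],ebx; jnz _loop; jmp edx */
static const unsigned char shellcode[] = {
    0x5A, 0x58, 0xBB, 'T', 'h', 'e', ' ', 0x40, 0x39, 0x18, 0x75, 0xFB, 0xFF, 0xE2
};

size_t shellcode_len(void) { return sizeof shellcode; }

int main(void) {
    llist *head = build_list(0xC7F5EEDu, 5);
    const char *by_tag = find_by_tag(head, TARGET_TAG);
    const char *by_egg = egg_hunt(head, sizeof arena);

    printf("shellcode: %zu bytes (limit 16)\n", shellcode_len());
    printf("traversal: %s\n", by_tag ? by_tag : "(not found)");
    printf("egg hunt:  %s\n", by_egg ? by_egg : "(not found)");
    return (by_tag != NULL && by_tag == by_egg) ? 0 : 1;
}
```

Two caveats the emulation makes visible. The hunter only works if the key node sits at a higher address than the head and no earlier “The ” shows up in between; if either assumption fails, the real shellcode keeps incrementing until it hits an unmapped page and crashes, because it has no bound at all. And since it pops both the return address and the argument before jumping back, it leaves ESP 4 bytes higher than a normal `ret` would, which the service happened to tolerate (hence the key text).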

~ X-N2O

‘Positive’ – BaltCTF 2013

May 14th, 2013

‘Positive’ (ppc task) was worth 300 points at BaltCTF 2013. I decided to solve it using the Z3 SMT solver. ‘数独’, the sudoku task, was solved the same way.


DEFCON 20 CTF Quals B400 writeup

June 5th, 2012

This weekend I had the best time playing the DEFCON 20 CTF Quals with Sapheads. My favorite challenges were B400 (which this writeup is about) and PP300, where t1g3r and I had to come up with shellcode designed to survive being sorted. We did well overall and ended up 33rd.

Huffman encoder in 8086 ASM

August 24th, 2010

While working on my 8086 emulator, I figured I might write something nice in 8086 assembly as well. This is what I came up with.

Clever tricks against antiviruses

April 19th, 2010

I bet you have come across some software you’ve made which you didn’t want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and how to encrypt your data section. Antiviruses rely heavily on heuristics once all other (signature) scans fail. The patterns they look for in your executable are the functions being imported and the order in which they are called.

AES Explained

November 22nd, 2009

Hello people,
It’s been a while since I last posted an article. I decided to write one about the Advanced Encryption Standard. I will explain certain concepts regarding AES and how it basically works, with step by step C code to make it even easier to understand. You can find the full source code at the end of the article. Many websites provide AES source code; this one is meant to be easy to understand ;)


March 19th, 2009

Making an application multithreaded means having several threads, that is, several functions running at the same time. This may look simple and uncomplicated, but certain ‘problems’ can appear. The most important factor in multithreading is synchronization!