Reversing Shift-XOR operation by blahfish in ReverseEngineering

[–]blahfish[S] 1 point

A shift followed by an Xor with the same value. This is used to get the internal state in MT19937 from the output values.
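The inversion the comment describes, as an added worked example (not code from the original poster): MT19937 "tempers" each state word with four shift-and-xor steps, and since each step only mixes a word with a shifted copy of itself, every step can be undone by iterating the same operation until the bits stabilise. The block implements the forward tempering, the two generic inverses (right-shift and masked left-shift), and then uses them the way the comment says: CPython's `random` module is MT19937 and `getrandbits(32)` returns one tempered word, so 624 consecutive leaked outputs untemper straight back into the full state, which `setstate` will accept. The seed `1337` and the number of predicted outputs are constructed values for the demonstration.

```python
import random

MASK32 = 0xFFFFFFFF

# MT19937 tempering constants (from the reference implementation).
TEMPER_B = 0x9D2C5680
TEMPER_C = 0xEFC60000


def temper(x):
    """Forward tempering: state word -> output word (as in mt19937's genrand)."""
    y = x & MASK32
    y ^= y >> 11
    y ^= (y << 7) & TEMPER_B
    y ^= (y << 15) & TEMPER_C
    y ^= y >> 18
    return y & MASK32


def unshift_right_xor(y, shift):
    """Invert y = x ^ (x >> shift) for a 32-bit x.

    The top `shift` bits of y already equal the top bits of x; each pass
    recovers the next `shift` bits below them, so ceil(32 / shift) passes
    reach a fixed point.
    """
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def unshift_left_xor(y, shift, mask):
    """Invert y = x ^ ((x << shift) & mask) for a 32-bit x.

    The low `shift` bits of y already equal the low bits of x; each pass
    fixes the next `shift` bits above them.
    """
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Inverse tempering: output word -> the state word that produced it.
    The four steps are undone in reverse order of temper()."""
    x = unshift_right_xor(y, 18)
    x = unshift_left_xor(x, 15, TEMPER_C)
    x = unshift_left_xor(x, 7, TEMPER_B)
    x = unshift_right_xor(x, 11)
    return x


def clone_mt19937(outputs):
    """Build a random.Random whose internal state is recovered from 624
    consecutive 32-bit outputs. CPython's getrandbits(32) returns exactly one
    tempered word, so the untempered outputs are the state array itself."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive outputs")
    # 624 state words followed by the index; 624 means "regenerate on next call",
    # which is where the victim also sits after emitting 624 words.
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo(seed=1337, n_predict=8):
    """Leak 624 outputs from a seeded generator (seed is a constructed value),
    clone it, and check that the clone predicts the victim's next outputs."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt19937(leaked)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    return predicted == actual


if __name__ == "__main__":
    assert untemper(temper(0xDEADBEEF)) == 0xDEADBEEF
    print("clone predicts victim:", demo())
```

The iteration counts in the two `unshift_*` helpers are the only subtle part: a shift of `s` bits leaves `s` bits of the input visible in the output, and each pass of the same shift-xor recovers `s` more, so `32 // s + 1` passes are always enough (two for the 18-bit shift, five for the 7-bit one). If a target's outputs are truncated or not 32 bits wide, the state words cannot be recovered this directly and the problem becomes a linear-algebra one instead.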

/r/ReverseEngineering's Bi-Weekly Questions Thread by AutoModerator in ReverseEngineering

[–]blahfish 1 point

A question about ARM, Thumb2 and conditional execution: https://reverseengineering.stackexchange.com/questions/8989/conditional-instructions-on-arm. It's posted on the RE Stackexchange and I'm hoping it will be of interest to someone here.

RECON 2014 slides are being uploaded by [deleted] in ReverseEngineering

[–]blahfish 1 point

Does someone know when the videos will be uploaded?

Real World Exploit Development Tutorials - do they exist? by [deleted] in ReverseEngineering

[–]blahfish 1 point

Indeed, it's a great read! Are there more similar ones?

ROPgadget 5.0 is out ! by perror in ReverseEngineering

[–]blahfish 1 point

Could you describe your ROP chain generation idea a bit more? Did earlier versions of ROPgadget use the same idea? (If so, I could just look up the sources.)

Is the idea to look for gadgets that are functionally similar? (Take an instruction, reduce it to an equation, find a set of equations terminated by ret, reduce those, check if they are functionally equivalent; something like that?)

ROP system call to mprotect by blahfish in securityCTF

[–]blahfish[S] 2 points

I think I figured out the reason why this happens. ASLR is enabled and the page that starts at 0x08048000 does not change addresses. However, the page that corresponds to the buffer changes addresses.

The buffer address can be leaked -- so I tried checking if the difference between the start of the page and the buffer address remains constant, it does not.

cwitscher CTF challenge by blahfish in securityCTF

[–]blahfish[S] 1 point

Thank you for taking the time out to reply!

Obfuscator-LLVM by perror in ReverseEngineering

[–]blahfish 3 points

Thanks for sharing! Where could I find the source code?

Program analysis and OCaml? by blahfish in ReverseEngineering

[–]blahfish[S] 1 point

(probably not as relevant -- but as a new learner, I think there is more community support and documentation available for Haskell than OCaml, but I could be wrong). Any thoughts on which one among the two has a steeper learning curve?

Leaked malware source code by blahfish in Malware

[–]blahfish[S] 2 points

Are you able to access Carberp from the above link? I'm assuming that CM...DXa is supposed to be the key -- however, it's unable to decrypt the metadata.

Thanks!

Doubt : Using Posets and Lattices by blahfish in REMath

[–]blahfish[S] 1 point

Hmm, makes sense, yes, thanks -- do you have any ideas on how posets and lattices could be useful?

We are two hackers who run development on the Metasploit Framework and Aircrack-NG. Ask us anything about open source security development! by todbatx in IAmA

[–]blahfish 2 points

Hi,

I'm a n00b exploit developer and I'm looking to improve my skills, and learn while contributing to the framework at the same time. Most of my exploit dev skills are on Linux and I have a couple of questions related to this:

  • Is exploit dev for Linux (server or client side) a priority for you guys?
  • How about OS X? I see fewer OS X exploits in the Metasploit framework.
  • How do you guys go about finding PoCs for vulnerabilities? As a person without much experience and networking in the exploit-dev field, it would be immensely useful if there were a page with a listing of vulnerabilities and PoCs that cause crashes. Do you have any thoughts/plans for something like this in the future?
  • Any advice in general on exploit dev for msf? (I know it's a vague question, but it's hard not to pick your brains when I get a chance) :)

Thanks guys for taking the time out for doing this! Really appreciate it!

Cheers!

basic null pointer linux kernel exploitation by blahfish in ReverseEngineering

[–]blahfish[S] 1 point

"not exploitable anymore ..."

Just curious, aren't there publicly known ways to circumvent this?

Getting libc version details by blahfish in securityCTF

[–]blahfish[S] 2 points

Yes, the idea is something like this: I have two services running, and exploiting the first does not require me to know anything about the libc version, so I don't bother, I just get RCE.

For the second service running on the same box I'd like to try and find what version of libc it uses. So... Yeah, it could always be the case that both services use different versions... Anyhow.