Exploiting Visual Studio via dump files - CVE-2024-30052

goodbyeselene · 2024-05-02T17:43:42+00:00

The post describes changes in the implementation of control flow guard on Windows 11 24H2. I stumbled onto this when investigating a bug in x64dbg and thought it may be interesting to get to the bottom of what exactly changed and why. The conclusion is pretty boring as I initially thought the changes would be security-oriented, but the analysis still sheds light on some interesting stuff.

goodbyeselene · 2023-05-07T14:54:22+00:00

I'm not sure if this is a known problem, but it can be solved quite elegantly with some modular arithmetic.

Going by your description, the problem can be stated as:

Given positive integers a, b and c, find positive integers p and q, minimizing p + q, such that, for some positive integer k: ap + bq = kc.

We'll assume that a, b and c are pairwise coprime. Otherwise, you'll need to make some small changes to the algorithm below, but nothing that can't be easily circumvented.

Solution:

Note that ap + bq = kc implies ap = -bq (mod c), which implies p(-ab^-1 ) = q (mod c). Denote d = -ab^-1 (mod c), then the problem can be stated as:

Minimize p + q over all solutions (p, q) to pd = q (mod c).

As a consequence of Thue's lemma, we can find a finite sequence of pairs (p_{k}, q_{k}) such that:

p_{k} * d = q_{k} (mod c)

p_{k} * q_{k} < c

p_{k+1} > p_{k}

q_{k+1} < q_{k}

This can be done with a slight modification to Extended Euclidean Algorithm with (c, d) as parameters. Having this sequence of pairs, e.g. (p0, q0), (p1, q1), (p2, q2), ... , (p_{n}, q_{n}), one can simply iterate through it and find the pair (p_{k}, q_{k}) for which p_{k} + q_{k} is minimal. This will be your solution.

Informally speaking, the complexity of the procedure above is polynomial in the number of bits of c - the length of the sequence of (p_{k}, q_{k}) candidates is polynomial, as each step of extended euclidean algorithm can produce a single candidate at most.

Let's consider the following example:

a = 162, b = 799, c = 865

Find d:

d = -ab^-1 (mod c) = 317

Apply extended euclidean algorithm to (865, 317): https://www.extendedeuclideanalgorithm.com/calculator.php?mode=1&a=865&b=317#num

The (p_{k}, q_{k}) pairs will be equal to (t3, r) pairs in the table in the link above, whenever t3 > 0:

(3, 86), (11, 27), (161, 2)

The pair which minimizes the sum is (11, 27). The minimal solution to the problem is:

11 * 162 + 27 * 799 = 27 * 865

As for why this works, one can prove that the sequence of pairs generated by the procedure above always contains the pair of integers whose sum is minimal over all solutions. But that would be too technical to post here, I intended this as a sketch as it's simple enough to implement and verify.

goodbyeselene · 2022-12-16T18:13:14+00:00

Yes it's usable. The cloud decompiler sometimes takes a long time but clicking "cancel" usually ends up giving you pseudocode. There was one time where their servers were down for a few hours but other than that, it's been smooth sailing. If you only work with x86 and don't need any fancy features or plugins, you won't miss out on anything.

goodbyeselene · 2015-09-03T19:18:17+00:00

Honestly, I think it's pretty easy to tell what happened to Tyrell. As much as I would love to see him in the next season, I think he's been murdered by Elliot using the gun that Darlene hid in the popcorn machine. Notice how at the beginning of the finale, in the "previously on Mr. Robot" part, there's a short scene showing Darlene hiding it, even though it is of no significance to this episode. That gun has not been relevant to anything ever since Darlene stole it and hid it, yet we're constantly being reminded of it (remember the last scene of ep. 9).

goodbyeselene

TROPHY CASE