index2.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Diary of a reverse-engineer</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="Axel '0vercl0k' Souchet">
    <link rel="stylesheet" href="./theme/css/bootstrap.min.css" type="text/css" />
    <style type="text/css">
      body {
        padding-top: 60px;
        padding-bottom: 40px;
      }
      .sidebar-nav {
        padding: 9px 0;
      }
      .tag-1 {
        font-size: 13pt;
      }
      .tag-2 {
        font-size: 10pt;
      }
      .tag-2 {
        font-size: 8pt;
      }
      .tag-4 {
        font-size: 6pt;
     }
    </style>
    <link href="./theme/css/bootstrap-responsive.min.css" rel="stylesheet" />
    <link href="./theme/css/font-awesome.css" rel="stylesheet" />
    <link href="./theme/css/pygments.css" rel="stylesheet" />

    <!--[if lt IE 9]>
      <script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->

    <link href="./feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Diary of a reverse-engineer ATOM Feed" />
    <link href="./feeds/rss.xml" type="application/atom+xml" rel="alternate" title="Diary of a reverse-engineer RSS Feed" />
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src='https://www.googletagmanager.com/gtag/js?id=G-MRPDMQ259W'></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-MRPDMQ259W');
</script>
  </head>

  <body>

    <div class="navbar navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container-fluid">
          <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </a>
          <a class="brand" href="./index.html">Diary of a reverse-engineer </a>
          <div class="nav-collapse">
            <ul class="nav">
              <ul class="nav">
                    <li><a href="./archives.html"><i class="icon-th-list"></i>Archives</a></li>
              </ul>

                <li >
                    <a href="./category/debugging.html">
                      <i class="icon-folder-open icon-large"></i>debugging
                    </a>
                </li>
                <li >
                    <a href="./category/exploitation.html">
                      <i class="icon-folder-open icon-large"></i>exploitation
                    </a>
                </li>
                <li >
                    <a href="./category/misc.html">
                      <i class="icon-folder-open icon-large"></i>misc
                    </a>
                </li>
                <li >
                    <a href="./category/obfuscation.html">
                      <i class="icon-folder-open icon-large"></i>obfuscation
                    </a>
                </li>
                <li >
                    <a href="./category/reverse-engineering.html">
                      <i class="icon-folder-open icon-large"></i>reverse-engineering
                    </a>
                </li>

                <li><a href="./pages/about.html">About</a></li>
                <li><a href="./pages/presentations.html">Presentations</a></li>

            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="container-fluid">
      <div class="row">
        <div class="span9" id="content">
        <div class="article">
                <h1><a href="./blog/2018/07/14/cve-2017-2446-or-jscjsglobalobjectishavingabadtime/">CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime.</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2018-07-14T18:49:00-07:00">
        <i class="icon-calendar"></i>Sat 14 July 2018
</abbr>
<span class="label">By</span>
<a href="./author/yrp.html"><i class="icon-user"></i>yrp</a>
<span class="label">Category</span>
<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>


<span class="label">Tags</span>
	<a href="./tag/javascriptcore.html"><i class="icon-tag"></i>JavascriptCore</a>
	<a href="./tag/jsc.html"><i class="icon-tag"></i>jsc</a>
	<a href="./tag/cve-2017-2446.html"><i class="icon-tag"></i>cve-2017-2446</a>
	<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>This post will cover the development of an exploit for JavaScriptCore (JSC) from the perspective of someone with no background in browser exploitation.</p>
<p>Around the start of the year, I was pretty burnt out on CTF problems and was interested in writing an exploit for something more complicated and …</p>
                        <a class="btn primary xsmall" href="./blog/2018/07/14/cve-2017-2446-or-jscjsglobalobjectishavingabadtime/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2018/05/17/breaking-ledgerctfs-aes-white-box-challenge/">Breaking ledgerctf's AES white-box challenge</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2018-05-17T11:52:00-07:00">
        <i class="icon-calendar"></i>Thu 17 May 2018
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/reverse-engineering.html"><i class="icon-folder-open"></i>reverse-engineering</a>


<span class="label">Tags</span>
	<a href="./tag/reverse-engineering.html"><i class="icon-tag"></i>reverse-engineering</a>
	<a href="./tag/ledgerctf.html"><i class="icon-tag"></i>ledgerctf</a>
	<a href="./tag/whitebox.html"><i class="icon-tag"></i>whitebox</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>About a month ago, my mate <a href="https://twitter.com/b0n0n">b0n0n</a> was working on the <a href="https://www.ledger.fr/ctf2018/">ledgerctf</a> puzzles and challenged me to have a look at the <em>ctf2</em> binary. I eventually did and this blogpost discusses the protection scheme and how I broke it. Before diving in though, here is a bit of background …</p>
                        <a class="btn primary xsmall" href="./blog/2018/05/17/breaking-ledgerctfs-aes-white-box-challenge/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2018/03/11/bevx-challenge-on-the-operation-table/">beVX challenge on the operation table</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2018-03-11T17:22:00-07:00">
        <i class="icon-calendar"></i>Sun 11 March 2018
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/reverse-engineering.html"><i class="icon-folder-open"></i>reverse-engineering</a>


<span class="label">Tags</span>
	<a href="./tag/reverse-engineering.html"><i class="icon-tag"></i>reverse-engineering</a>
	<a href="./tag/bevx.html"><i class="icon-tag"></i>beVX</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>About two weeks ago, my friend <a href="https://twitter.com/mongobug">mongo</a> challenged me to solve a reverse-engineering puzzle put up by the <a href="https://blogs.securiteam.com/">SSD</a> team for <a href="https://www.offensivecon.org/">OffensiveCon2018</a> (which is a security conference that took place in Berlin in February). The challenge binary is available for download <a href="https://www.beyondsecurity.com/bevxcon/bevx-challenge-1">here</a> and <a href="https://twitter.com/SecuriTeam_SSD/status/964459126960066560">here is one of the original …</a></p>
                        <a class="btn primary xsmall" href="./blog/2018/03/11/bevx-challenge-on-the-operation-table/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2017/12/01/debugger-data-model/">Debugger data model, Javascript & x64 exception handling</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2017-12-01T06:59:00-08:00">
        <i class="icon-calendar"></i>Fri 01 December 2017
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/debugging.html"><i class="icon-folder-open"></i>debugging</a>


<span class="label">Tags</span>
	<a href="./tag/debugging.html"><i class="icon-tag"></i>debugging</a>
	<a href="./tag/javascript.html"><i class="icon-tag"></i>javascript</a>
	<a href="./tag/windbg.html"><i class="icon-tag"></i>windbg</a>
	<a href="./tag/exception-handling.html"><i class="icon-tag"></i>exception handling</a>
	<a href="./tag/seh.html"><i class="icon-tag"></i>seh</a>
	<a href="./tag/time-travel-debugging.html"><i class="icon-tag"></i>time-travel debugging</a>
	<a href="./tag/ttd.html"><i class="icon-tag"></i>ttd</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>The main goal of today's post is to show a bit more of what is now possible with the latest Windbg (currently branded <a href="https://blogs.windows.com/buildingapps/2017/08/28/new-windbg-available-preview/">"WinDbg Preview"</a> in the Microsoft store) and the time travel debugging tools that Microsoft released a few months ago. When these finally got released, a bit …</p>
                        <a class="btn primary xsmall" href="./blog/2017/12/01/debugger-data-model/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2017/08/05/binary-rewriting-with-syzygy/">Binary rewriting with syzygy, Pt. I</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2017-08-05T16:08:00-07:00">
        <i class="icon-calendar"></i>Sat 05 August 2017
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/misc.html"><i class="icon-folder-open"></i>misc</a>


<span class="label">Tags</span>
	<a href="./tag/binary-rewriting.html"><i class="icon-tag"></i>binary rewriting</a>
	<a href="./tag/syzygy.html"><i class="icon-tag"></i>syzygy</a>
	<a href="./tag/program-analysis.html"><i class="icon-tag"></i>program analysis</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>Binary instrumentation and analysis have been subjects that I have always found fascinating. At compile time via <a href="http://doar-e.github.io/blog/2016/11/27/clang-and-passes/">clang</a>, or at runtime with dynamic binary instrumentation frameworks like <a href="https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool">Pin</a> or <a href="http://www.dynamorio.org/">DynamoRIO</a>. One thing I have always looked for though, is a framework able to statically instrument a PE image. A …</p>
                        <a class="btn primary xsmall" href="./blog/2017/08/05/binary-rewriting-with-syzygy/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2016/12/21/happy-unikernels/">happy unikernels</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2016-12-21T18:59:00-08:00">
        <i class="icon-calendar"></i>Wed 21 December 2016
</abbr>
<span class="label">By</span>
<a href="./author/yrp.html"><i class="icon-user"></i>yrp</a>
<span class="label">Category</span>
<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>


<span class="label">Tags</span>
	<a href="./tag/unikernel.html"><i class="icon-tag"></i>unikernel</a>
	<a href="./tag/rumpkernel.html"><i class="icon-tag"></i>rumpkernel</a>
	<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="intro">Intro</h1>
<p>Below is a collection of notes regarding unikernels. I had originally prepared this stuff to submit to EkoParty’s CFP, but ended up not wanting to devote time to stabilizing PHP7’s heap structures and I lost interest in the rest of the project before it was complete. However …</p>
                        <a class="btn primary xsmall" href="./blog/2016/12/21/happy-unikernels/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2016/11/27/clang-and-passes/">Token capture via an llvm-based analysis pass</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2016-11-27T20:43:00-08:00">
        <i class="icon-calendar"></i>Sun 27 November 2016
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/misc.html"><i class="icon-folder-open"></i>misc</a>


<span class="label">Tags</span>
	<a href="./tag/fuzzing.html"><i class="icon-tag"></i>fuzzing</a>
	<a href="./tag/clang.html"><i class="icon-tag"></i>clang</a>
	<a href="./tag/llvm.html"><i class="icon-tag"></i>llvm</a>
	<a href="./tag/analysis-pass.html"><i class="icon-tag"></i>analysis pass</a>
	<a href="./tag/pass.html"><i class="icon-tag"></i>pass</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>About three years ago, the LLVM framework started to pique my interest for a lot of different reasons. This collection of industrial strength compiler technology, as <a href="http://llvm.org/pubs/2008-10-04-ACAT-LLVM-Intro.pdf">Latner</a> said in 2008, was designed in a very modular way. It also looked like it had a lot of interesting features that …</p>
                        <a class="btn primary xsmall" href="./blog/2016/11/27/clang-and-passes/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2015/08/18/keygenning-with-klee/">Keygenning with KLEE</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2015-08-18T22:12:00-07:00">
        <i class="icon-calendar"></i>Tue 18 August 2015
</abbr>
<span class="label">By</span>
<a href="./author/michele-brt_device-bertasi.html"><i class="icon-user"></i>Michele "brt_device" Bertasi</a>
<span class="label">Category</span>
<a href="./category/reverse-engineering.html"><i class="icon-folder-open"></i>reverse-engineering</a>


<span class="label">Tags</span>
	<a href="./tag/reverse-engineering.html"><i class="icon-tag"></i>reverse-engineering</a>
	<a href="./tag/symbolic-execution.html"><i class="icon-tag"></i>symbolic execution</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>In the past weeks I enjoyed working on reversing a piece of software (don't ask me the name), to study how serial numbers are validated. The story the user has to follow is pretty common: download the trial, pay, get the serial number, use it in the annoying nag …</p>
                        <a class="btn primary xsmall" href="./blog/2015/08/18/keygenning-with-klee/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2015/02/08/spotlight-on-an-unprotected-aes128-whitebox-implementation/">Spotlight on an unprotected AES128 white-box implementation</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2015-02-08T22:59:00-08:00">
        <i class="icon-calendar"></i>Sun 08 February 2015
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>
<span class="label">Category</span>
<a href="./category/obfuscation.html"><i class="icon-folder-open"></i>obfuscation</a>


<span class="label">Tags</span>
	<a href="./tag/obfuscation.html"><i class="icon-tag"></i>obfuscation</a>
	<a href="./tag/white-box.html"><i class="icon-tag"></i>white-box</a>
	<a href="./tag/practical-cryptography.html"><i class="icon-tag"></i>practical cryptography</a>
	<a href="./tag/aes128.html"><i class="icon-tag"></i>aes128</a>
	<a href="./tag/encryption.html"><i class="icon-tag"></i>encryption</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><h1 id="introduction">Introduction</h1>
<p>I think it all began when I've worked on the <a href="https://github.com/0vercl0k/stuffz/tree/master/NoSuchCon2013">NSC2013</a> crackme made by <a href="https://twitter.com/elvanderb">@elvanderb</a>, long story short you had an AES128 heavily obfuscated white-box implementation to break. The thing was you could actually solve the challenge in different ways: </p>
<ol>
<li>the first one was the easiest one: you didn't …</li></ol>
                        <a class="btn primary xsmall" href="./blog/2015/02/08/spotlight-on-an-unprotected-aes128-whitebox-implementation/">more ...</a>
                </div>
        </div>
        <hr />
        <div class="article">
                <h1><a href="./blog/2014/10/11/taiming-a-wild-nanomite-protected-mips-binary-with-symbolic-execution-no-such-crackme/">Taming a wild nanomite-protected MIPS binary with symbolic execution: No Such Crackme</a></h1>
                <div class="well small"><footer class="post-info">
<span class="label">Date</span>
<abbr class="published" title="2014-10-11T21:35:00-07:00">
        <i class="icon-calendar"></i>Sat 11 October 2014
</abbr>
<span class="label">By</span>
<a href="./author/axel-0vercl0k-souchet-emilien-tr4nce-girault.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet & Emilien "tr4nce" Girault</a>
<span class="label">Category</span>
<a href="./category/reverse-engineering.html"><i class="icon-folder-open"></i>reverse-engineering</a>


<span class="label">Tags</span>
	<a href="./tag/reverse-engineering.html"><i class="icon-tag"></i>reverse-engineering</a>
	<a href="./tag/z3py.html"><i class="icon-tag"></i>z3py</a>
	<a href="./tag/z3.html"><i class="icon-tag"></i>z3</a>
	<a href="./tag/symbolic-execution.html"><i class="icon-tag"></i>symbolic execution</a>
	<a href="./tag/mips.html"><i class="icon-tag"></i>MIPS</a>
	<a href="./tag/nosuchcon.html"><i class="icon-tag"></i>NoSuchCon</a>
</footer><!-- /.post-info --></div>
                <div class="summary"><p>As last year, the French conference <a href="http://www.nosuchcon.org/#challenge">No Such Con</a> returns for its second edition in Paris from the 19th of November until the 21th of November. And again, the brilliant <a href="https://twitter.com/elvanderb">Eloi Vanderbeken</a> &amp; his mates at <a href="http://synacktiv.fr/en/index.html">Synacktiv</a> put together a series of three security challenges especially for this occasion.
Apparently, the …</p>
                        <a class="btn primary xsmall" href="./blog/2014/10/11/taiming-a-wild-nanomite-protected-mips-binary-with-symbolic-execution-no-such-crackme/">more ...</a>
                </div>
        </div>
        <hr />

        <div class="pagination">
        <ul>
                        <li class="prev"><a href="./index.html">&larr; Previous</a></li>
                        <li class=""><a href="./index.html">1</a></li>
                        <li class="active"><a href="./index2.html">2</a></li>
                        <li class=""><a href="./index3.html">3</a></li>
                        <li class="next"><a href="./index3.html">Next &rarr;</a></li>
        </ul>
        </div>

        </div><!--/span-->
      </div><!--/row-->
      <hr>

      <footer style='background-color:#00000000'>
        <center>
          <address id="about">
                  Proudly powered by <a href="http://pelican.notmyidea.org/">Pelican <i class="icon-external-link"></i></a>,
                                  which takes great advantage of <a href="http://python.org">Python <i class="icon-external-link"></i></a>.
          </address><!-- /#about -->

          <p>The theme is from <a href="http://twitter.github.com/bootstrap/">Bootstrap from Twitter <i class="icon-external-link"></i></a>,
                     and <a href="http://fortawesome.github.com/Font-Awesome/">Font-Awesome <i class="icon-external-link"></i></a>, thanks!</p>
        </center>
      </footer>

    </div><!--/.fluid-container-->


    <script src="./theme/js/jquery-1.7.2.min.js"></script>
    <script src="./theme/js/bootstrap.min.js"></script>
  </body>
</html>