home

Recent Posts — Page 2

Reverse Engineering By Hand

March 01, 2018 ❖ Tags: tutorial, reverse-engineering, x86, c, linux

My capture-the-flag team played in the Insomni'hack teaser this year. During the competition, I worked on a single challenge titled "sapeloshop." It was labeled as "Medium-Hard," and it was in the binary exploitation category. The source code for the server wasn't provided, so reverse engineering was necessary. I don't think that having to reverse the binary was supposed to be the hard part, as most of the behavior could have been inferred through some high-level analysis, yet I spent nearly five hours fruitlessly trying to reverse it, and the subsequent burnout was bad enough that I went home early. This wasn't the first time a reversing task had gotten the best of me; there had been a few competitions last year where I felt a similar loss in motivation. Noticing this recurring pattern frustrated me, and that frustration drove me to think about ways to improve myself as a reverse engineer.

read more →

Duke on Fluidsynth

January 13, 2018 ❖ Tags: writeup, programming, video-games, audio, c++

My first experiences with Duke Nukem 3D were with EDuke32 ages ago. This was back when I was running Windows Vista, and while my memory is a bit lacking, I swear that I had working music then. Ever since I made the switch to Linux, I haven't had working music playback in EDuke. Frustrated at the fact that my past few years of Duke 3D have been devoid of all sound besides the screams of death and Duke's trash talking, I've finally decided to troubleshoot it.

read more →

Bad BEHAVIOR

January 04, 2018 ❖ Tags: writeup, security, binary-exploitation, video-games, x86, doom

TL;DR, I discovered a stack-smashing vulnerability in GZDoom's interpreter for ACS. As a preface, there's a tendency for whitepapers like this in the security community to be written with a somewhat condescending tone towards the product's vendor. I do not mean for any portion of this writeup to come off as degrading to the developers involved. Yes, the bug was obvious to me, but it was still subtle enough that it went under the radar for nearly 23 years. Most developers aren't actively thinking about this kind of attack while writing a bytecode interpreter. I have an enormous amount of respect for the development teams of both GZDoom and Zandronum, who were quick to issue a patch addressing the issue and were respectful of my wishes to release this whitepaper to the public. I'd also like to thank everyone I had the pleasure of working with during this process; it warms my heart to know that the communities behind these open-source software projects are this friendly.

read more →

BackdoorCTF 2017: FUNSIGNALS

September 24, 2017 ❖ Tags: writeup, security, capture-the-flag, binary-exploitation, x86, linux

"funsignals" was a 250 point binary exploitation challenge with 58 solves. The challenge itself was a very trivial example of sigreturn-oriented programming.

read more →

Understand Game Hacking In One Post

September 05, 2017 ❖ Tags: tutorial, reverse-engineering, video-games, game-hacking, x86, c++, radare2

At a first glance, it might seem that game cheats like AimTux are something that could only be conjured by the most talented of reverse engineers. That was at least my initial view on it, especially since I always saw these game hackers using outlandish terms that I hadn't heard in over a year of playing in CTF's. Don't be fooled; game hacking isn't nearly as complex as its community makes it seem. In this post, I will explain the concepts in a way that is familiar to people with experience in binary exploitation and reverse engineering, but it shouldn't be too hard to understand if you lack that background.

read more →

Analyzing Executable Size, part 0 - A Small Proof-of-Concept Loader

July 31, 2017 ❖ Tags: writeup, programming, operating-systems, c, linux

It seems that static linking is back in style, or at least popular among all the hip new programming languages of today. I don't have anything against statically linked binaries, nor do I have a problem with larger executables, but I've noticed that the acceptable size for an executable is a lot larger now than it was a few years ago; that is, the new kids on the block have significantly more leeway than their predecessors. For example - a C program that spits out "hello world" is 7 KB when statically linked to musl. It's 12 KB when dynamically linked to glibc. The same program in D, where the reference compiler doesn't allow dynamic linking to the standard library, is 896 KB. A blog post I read recently about certificate chain verification in Go made a point of praising the toolchain for being able to spit out a binary that was "less than 6 MB!" I'm being more facetious than with my D example, as this was statically linked to an SSL-capable web server, but 6 MB is a little over half the size of a fully-functioning operating system. I'm not so interested in why we settle binaries the size of a few videos, but instead I'd like to look at why they're that large to begin with. To peer in and see what wealth of information is stored inside, and how certain programming languages make use of that information.

read more →

Making Your Own Music Player: A Gentle Introduction to Audio Programming

July 15, 2017 ❖ Tags: tutorial, programming, audio, c

To start off, I'd like to say that I know very little about audio programming and digital audio in general. I've never formally studied signal processing, and hell, I haven't even started high school physics yet. This post merely documents what I've learned while trying to get sound working in my game, because there aren't really any other learning resources about this out there.

read more →

Game Hacking on Linux - scanmem Basics

June 18, 2017 ↻ Crosspost ❖ Tags: tutorial, reverse-engineering, linux, video-games, game-hacking

Hey, this is a very brief tutorial on scanmem, a memory manipulation tool for Linux that’s well suited to game hacking. I’ll be using GZDoom as an example, but you should be able to follow along with any game you want.

read more →

Reverse Engineering Babby's First Archive Format

March 02, 2017 ❖ Tags: writeup, programming, reverse-engineering, video-games, x86, c, python

About two months have passed since the first release of Nekopack - a tool I wrote for extracting game data from Nekopara's XP3 archives. While the process wasn't an amazing reverse-engineering war story that will keep you on the edge of your seat, I feel it deserves a small blog post explaining how I did it. Additionally, there's no real documentation on the XP3 format as far as I'm aware, so hopefully this post will serve as an informal specification.

read more →

SDL Tutorial Part 0x00 - Boilerplate, Windowing and Rendering

September 14, 2016 ❖ Tags: tutorial, programming, game-development, c

This is one of my older tutorials and follows a style unlike my current one. I also no longer hold the same claims I made about the SDL documentation that I originally made in this article. I think it's perfectly fine, you just need to spend some time looking around because it's not organized like other documentation is. For that reason, I have no plans to continue this tutorial series unless someone specifically asks for me to continue it.

read more →