Ne0 Changochen

View GitHub Profile
@Changochen
Changochen / private_fork.md
Created November 6, 2022 02:59 — forked from 0xjac/private_fork.md
Create a private fork of a public repository

The repository for the assignment is public and GitHub does not allow the creation of private forks for public repositories.

The correct way of creating a private fork by duplicating the repo is documented here.

For this assignment the commands are:

  1. Create a bare clone of the repository. (This is temporary and will be removed so just do it wherever.)

git clone --bare git@github.com:usi-systems/easytrace.git

@Changochen
Changochen / gist:835b3767e54db4de38c178aad848276f
Created October 22, 2022 01:08 — forked from chrisdone/gist:02e165a0004be33734ac2334f215380e
Build and run minimal Linux / Busybox systems in Qemu

Common

export OPT=/opt
export BUILDS=/some/where/mini_linux
mkdir -p $BUILDS

Linux kernel

@Changochen
Changochen / gist:cf6d5c6e111ebf3a11a967bafb2df551
Created September 19, 2022 02:03 — forked from rxaviers/gist:7360908
Complete list of github markdown emoji markup

People

:bowtie: :bowtie: 😄 :smile: 😆 :laughing:
😊 :blush: 😃 :smiley: ☺️ :relaxed:
😏 :smirk: 😍 :heart_eyes: 😘 :kissing_heart:
😚 :kissing_closed_eyes: 😳 :flushed: 😌 :relieved:
😆 :satisfied: 😁 :grin: 😉 :wink:
😜 :stuck_out_tongue_winking_eye: 😝 :stuck_out_tongue_closed_eyes: 😀 :grinning:
😗 :kissing: 😙 :kissing_smiling_eyes: 😛 :stuck_out_tongue:
@Changochen
Changochen / latency.txt
Created August 11, 2022 01:10 — forked from jboner/latency.txt
Latency Numbers Every Programmer Should Know
Latency Comparison Numbers (~2012)
----------------------------------
L1 cache reference                      0.5 ns
Branch mispredict                       5   ns
L2 cache reference                      7   ns              14x L1 cache
Mutex lock/unlock                      25   ns
Main memory reference                 100   ns              20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy        3,000   ns      3 us
Send 1K bytes over 1 Gbps network  10,000   ns     10 us
Read 4K randomly from SSD*        150,000   ns    150 us    ~1GB/sec SSD
@Changochen
Changochen / flamegraph_rust.md
Created February 7, 2022 02:50 — forked from dlaehnemann/flamegraph_rust.md
flamegraphing rust binaries' cpu usage with perf
@Changochen
Changochen / phpcoll.c
Created May 9, 2018 03:38 — forked from saelo/phpcoll.c
Find php md5 collisions
/*
* Find php md5 collisions (var_dump(md5('240610708') == md5('QNKCDZO'));)
*
* gcc -Ofast -std=c99 -lcrypto -o phpcoll phpcoll.c
*
* Copyright (c) 2015 Samuel Groß
*/
#include <stdio.h>
#include <unistd.h>
@Changochen
Changochen / pwn.js
Created May 9, 2018 03:36 — forked from saelo/pwn.js
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
@Changochen
Changochen / README.MD
Created April 25, 2017 10:18 — forked from ihciah/README.MD
Pwnable.kr md5 calculator writeup

Pwnable.kr md5 calculator writeup

ihciah@gmail.com

In process_hash, the size of the input is 1024 and the size after b64d is 512; however, it should be 1024*3/4, so there's a buffer overflow here.

Because of the stack canary, we can do nothing. I was confused here until I noticed the canary is also used in my_hash to generate random numbers. Since the canary is gs:0x14, it's always the same in all function calls.

We can calculate the canary value from the captcha because the seed of randomization is the current time, which we can fetch from an HTTP request to http://pwnable.kr.

After feeding the input b64e("AAAA"*(768/4)) to the program, jumping past the canary check and breaking at ret, we can see that the top of the stack is AAAA....