whitequark

"%" means not tested by me personally.

Reference material

• syscall.sh: Linux ARMv7/AArch64/x86/x86_64 ABI and syscall tables

Disassemblers and decompilers

• Binary Ninja: interactive native code disassembler, decompiler, and debugger
  • BinExport: companion tool for BinDiff
    • when building, replace the BN SDK it downloads with a path to BN API library
  • SENinja: symbolic execution engine for BN with a debugger-like API, based on Z3

bjoern-r

#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <[email protected]>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
#   https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):

ArcaneNibble

global call_64_from_64
global call_32_from_64
global call_32_from_32

section .text

call_64_from_64:
    push rsi
    push rdi
    mov rax, 1

smola

#!/bin/bash
set -e

if [[ -z ${K8S_JVM_POD} ]]; then
    echo "K8S_JVM_POD not defined"
    exit 1
fi

EXEC="kubectl exec ${K8S_JVM_POD}"
CP="kubectl cp ${K8S_JVM_POD}"

egirault

Dumping the flash of the Syscan 2015 badge

The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.

Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference, in which they reveal a vulnerability allowing to bypass the readout protection. Their technique allows to dump the flash one DWORD at a time, rebooting the CPU between each access.

I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to