zachriggle

gdb-peda$ x/i $pc => 0xf763d100 <__libc_system>: push ebx gdb-peda$ telescope $sp 2 00:0000| esp 0x188340de --> 0x8048c0d (add esp,0x10) 01:0004| 0x188340e2 --> 0x188340f2 ("/tmp/note||bash") gdb-peda$ continue ... Stopped reason: SIGSEGV 0xf763ce3c in do_system (line=0x188340f2 "/tmp/note||bash") at ../sysdeps/posix/system.c:153

zachriggle

apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg-install ../*.deb

zachriggle

>>> class A(object): pass
...
>>> a = A()
>>> a.__len__ = lambda: 3
>>> a.__len__()
3
>>> len(a)
Traceback (most recent call last):
...
TypeError: object of type 'A' has no len()

zachriggle

import argparse
import fileinput
import re
import binascii
import struct

unhex   = binascii.unhexlify
u32     = lambda x: struct.unpack('>L', x)[0]
hexa    = r'[0-9A-F]'
pattern = r'(%s{8}): (%s{2}) (%s{2})' % (hexa, hexa, hexa)

zachriggle

[  ]  anal: ldr code analysis             
[OK]
[  ]  anal: endian                        
[OK]
[  ]  anal: af java multiple classes loaded via malloc and ib
[BR]

Command:  /usr/local/bin/radare2 -e scr.color=0 -N -q -i /tmp/r2-regressions//anal-rad.Snxmol  malloc://1023 > /tmp/r2-regressions//anal-out.pyjpEd 2> /tmp/r2-regressions//anal-err.xuWjRM
Script: 
e asm.comments=false

zachriggle

gdb-peda$ set disable-randomization off
gdb-peda$ break main
gdb-peda$ run
gdb-peda$ vmmap
0x00007fe6e01d7000 0x00007fe6e01d8000 r-xp  /home/user/a.out
0xffffffffff600000 0xffffffffff601000 r-xp  [vsyscall]
gdb-peda$ run
gdb-peda$ vmmap
0x00007f7acee88000 0x00007f7acee89000 r-xp  /home/user/a.out
0xffffffffff600000 0xffffffffff601000 r-xp  [vsyscall]

zachriggle

### Keybase proof

I hereby claim:

  * I am zachriggle on github.
  * I am zachriggle (https://keybase.io/zachriggle) on keybase.
  * I have a public key whose fingerprint is C5BE 5AF8 DD76 E311 630E  5E26 683A C112 1586 0611

To claim this, I am signing this object:

zachriggle

RARVM reversible/patchme
 
Modified 'unrar' source to dump context and disassembly.
 
Wrote two separate solvers since the challenge was broken.

To build the disassembler/debugger:

- unzip unrar-src-disassembler.zip -d unrar
- cd unrar

zachriggle

import scapy, struct, socket, binascii, logging
from scapy.all import *
from collections import defaultdict


#
# Entry
#
def USBIP(PacketData):
    if PacketData[:2] == '\x01\x11':

zachriggle

msf  auxiliary(mysql_schemadump) > run

[*] Schema stored in: /Users/zachriggle/.msf4/loot/20130527165753_default_192.168.1.79_mysql_schema_235782.txt
[+] MySQL Server Schema
 Host: 192.168.1.79
 Port: 3306
 ====================

---
- DBName: BadApple