circleous

about me: security r&d; ctf player w/ valgrind; vuln research

2024 0xL4ugh CTF - Ada Indonesia Coy 🇮🇩

The Problem

There are tons of files in this challenge, but our main focus is the two files that define the Electron app.

https://gist.github.com/nolangilardi/fc8b30441d669a985b471364bb3d07e6

Our BrowserWindow is loaded with a config that sets both nodeIntegration and contextIsolation to false. This means the renderer doesn't get access to Node features except through the preload script (nodeIntegration: false), but the preload script and Electron internals share the same JavaScript context (contextIsolation: false).

The BrowserWindow is loaded with the following configuration:

Read more →

Decompiling WASM

The Problem

Have you ever looked at WASM decompiled code from wasm2c in the wabt toolkit and thought, "there has to be a better way"? While WASM's instruction set keeps things simple (except for those vectors and floating-point numbers!), the stack machine design can lead to less-than-optimal code after decompilation.

Take a look at this code snippet (taken from the revsite2 challenge at LITCTF 2024):

static void w2c_visit_ad(Z_revsite2_instance_t* instance) {
  // [SNIP]
  FUNC_PROLOGUE;
  /* push rbp */
  /* mov rbp, rsp */
  u32 w2c_i0, w2c_i1, w2c_i2;        /* wasm2c operand-stack temporaries */
  u64 w2c_j0, w2c_j1;
  u32 w2c_l0, w2c_l1, w2c_l2;        /* WASM locals (declared in the snipped part) */
  w2c_i0 = instance->w2c_g0;         /* global 0 is the shadow stack pointer */
  w2c_l0 = w2c_i0;
  /* sub rsp, N */
  w2c_i0 = 2048u;                    /* frame size N */
  w2c_l1 = w2c_i0;
  w2c_i0 = w2c_l0;
  w2c_i1 = w2c_l1;
  w2c_i0 -= w2c_i1;
  w2c_l2 = w2c_i0;
  w2c_i0 = w2c_l2;
  instance->w2c_g0 = w2c_i0;         /* store the new stack pointer */
  // [SNIP]

This might look familiar if you've dabbled in C/C++ before. It's just a standard function prologue, but thanks to WASM's design it ends up a bit bloated: what could be a single instruction gets broken down into multiple steps. It's readable, sure, but not exactly optimized.

Read more →

Gemastik 2022 - Fast Miner

The original idea behind this challenge is actually simple: to make people aware of Bitcoin block hashes. A Bitcoin block hash has one characteristic: the double hash (SHA-256) of the block header must have a number of zero bits at the end as a form of Proof-of-Work. Honestly, this idea is better suited to a misc-cryptography challenge, but here we are :p

The idea of using Bitcoin block hashes has already appeared in several previous CTFs, i.e.

Challenge Summary

The source code is available at https://gist.github.com/circleous/a97be308540c9163592a540750456589#file-main-py

Read more →

View all posts →