Back in the day, I was always confused about what a “professional” analysis looks like. I had indeed gained some experience of binary analysis from CTF games, such as reconstructing a control flow and somehow resolving a function as well as a data structure. In program analysis, by contrast, we have access to the source code and the original programming language. A good example is that Java developers usually use reflection to decouple modules according to principles of software engineering. A binary file does not embody the original programming logic and language features, and a stripped binary file even loses the symbol information of its project and libraries.
Rhme 2016 Jumpy - an incentive to extend simavr and angr in avatar2 for automated analysis
The challenge and its firmware can be accessed at this link. Basically, this challenge is all about guessing a password against an authentication routine. The firmware is built for Arduino boards that run on the ATmega328P processor.
SCTF 2020 Password Lock Plus - Solved by Several Approaches
You can find more information about this challenge at this link. I am going to propose three different approaches to solving this challenge, ranging from hardware to emulation rather than just static analysis.
CISCN 2024 semi-final - An interesting heap exploitation by poisoning tcache_perthread_struct
This is the first time I have developed a heap exploit targeting tcache. Even though many people agree that heap exploitation is difficult, I feel it becomes much easier once one has a solid understanding of the heap and masters debugging. Not only does this post explain a solution, it also uncovers the pains I went through while developing an exploit script. The attachment can be downloaded here.
GoogleCTF quals 2024 encrypted runner
This challenge is really cool, even though I did not actually solve it during this year’s GoogleCTF. Furthermore, this was my first participation in an international CTF event, and I enjoyed it a lot (“struggling all the way through”, lol). Since the official write-up was published after the contest finished, this post merely adds more detail and demonstrates how I tried (and “failed”) to approach a solution. The attachment can be downloaded here.
What is paraphrasing?
This post introduces paraphrasing: what it is, why to do it and how.
A grammar-based fuzzer for sqlite3
This post links to a fuzzing project for sqlite3, explaining my approach to and implementation of fuzzing sqlite3 somewhat effectively.
A very typical heap challenge
This post demonstrates an in-depth analysis of a fairly typical heap challenge: a fastbin attack. Even though this is my very first time analyzing heap challenges, that does not mean I have to follow common approaches and limit the use of other novel techniques. Additionally, I find it more educational to share some patterns of this type of vulnerability, so as to apply them in the next similar challenge. The attachment consists of an executable and a libc library, version 2.23. This challenge comes from CISCN 2024.
An incentive to develop my own Ghidra utilities
Ghidra, a renowned reverse engineering (RE) tool, has been widely used by many security engineers. It features a wide range of static and dynamic techniques, facilitating in-depth and customized analysis. Although Ghidra is built upon Java, there are indeed a lot of Python scripts written and provided by users on GitHub or personal websites; nonetheless, I find it very difficult to make the best of them. For instance, some scripts may not work with the latest version of Ghidra because of interface compatibility. Hence, I am planning to start building my own Ghidra scripting utility base and to grow it while reversing complex binaries or solving CTF challenges. Additionally, I do see Ghidra’s value in program analysis for automation, linking in-depth analysis to the maturity of its analysis engine. So, developing the necessary utilities for scripting could be a very good starting point.
Writing a Unicorn script for emulation? Why not a full-fledged emulator?
In this post, I will be solving a Capture the Flag (CTF) challenge that was originally from PCTF and later modified in a book dedicated to a CTF bootcamp. This challenge requires CTF players to emulate an ARM firmware image and correct a faulty cryptography implementation in the firmware logic.
Emulating Samsung's baseband with Avatar2 and PyPanda
This post details the previous work presented in the BlackHat USA 2020 talk Emulating-Samsungs-Baseband-For-Security-Testing,