
Colltris

A workshop about exploiting hash collisions.

Extra materials @ https://github.com/corkami/collisions/blob/master/workshop/README.md

Current version: 2022/06/16 - 233 slides.

Past sessions:
2019/07/02 150p @ Pass The Salt
2019/07/24 199p @ Google
2019/08/19 208p @ Google
2019/10/23 222p @ Hack.lu
2019/11/07 225p @ Black Alps
2019/12/03 229p @ Google

Ange Albertini

July 02, 2019

Transcript

  1. Ange Albertini
    1

  2. A workshop by LET's PLAY with files
    A.K.A. Ange Albertini
    2022/06/12
    233 slides
    2

  3. Welcome
    I made this deck to share my knowledge, but also to learn from you.
    The slides are public and have been improved several times whenever needed.
    It may not cover all perspectives or answer all questions,
    so feel free to reach me at @angealbertini or ✉ [email protected]
    with questions, one-liners, suggestions...
    Versions:
    2019/07/02 150p (Pass The Salt)
    2019/07/24 199p (Google)
    2019/08/19 208p (Google)
    2019/10/23 222p (Hack.lu)
    2019/11/07 225p (Black Alps)
    2019/12/03 229p (Google)
    2022/06/12 233p
    This deck's URL is:
    https://speakerdeck.com/ange/colltris
    Make sure you have the latest version.
    Color blind? Let me know if you're having any trouble.
    3

  4. TL;DR (for experts)
    Hash collisions have existed for more than a decade and are often misunderstood:
    - exaggeration: "MD5 is broken, just don't use it!"
    - understatement: "It always takes hours!"
    Generating colliding files can be sped up (from hours to instant)
    via tricks specific to some file formats: which ones, and why?
    This workshop aims to clarify these topics (and avoid the crypto).
    THE CURRENT SLIDE IS AN HONEST TALK TRAILER
    A CORKAMI ORIGINAL PRODUCTION
    4

  5. Everybody is a genius.
    But if you judge a fish by its ability to climb a tree,
    it will live its whole life believing that it is stupid. (not Albert Einstein)
    No gatekeeping,
    no dogma,
    no cult.
    Don't show off, share knowledge.
    It's just better for everyone.
    Please be considerate.
    5

  6. Knowledge points checklist (✓/✗)
    ☐ Hash collision attacks: FastColl/UniColl/HashClash/Shattered.
    ☐ File format abuses: shuffling, parasites, polyglots.
    ☐ Hash functions: MD5/SHA1, blocks, length extension.
    ☐ File formats: magic, header, body, chunks, footer.
    ☐ Hexadecimal / ASCII / hex viewer / endianness.
    6

  7. Contents
    Introduction
    - Goals
    - Basics
    - Prerequisites
    Main
    - Coll 1: FastColl
    - File formats basics
    - Coll 2: UniColl
    - Exploit 1: PNG
    - Coll 3: HashClash*
    - Exploit 2: PE
    - Coll 4: Shattered
    - Coll 5: Shambles
    Final
    - Wrap up
    Extras
    - Exploit 3: GIF
    There are only 5 existing collision attacks!
    *HashClash is actually the name of the whole project.
    But HashClashCPC is too long :)
    7

  8. About the author
    - Reversing since the 80's
    - Author of Corkami
    - PoC or GTFO*
    Professionally:
    - malware analysis
    - infosec research
    My license plate is a CPU,
    my phone case is a PDF doc,
    my resume is a PDF/SNES/Genesis rom.
    * https://github.com/angea/pocorgtfo/blob/master/README.md
    8

  9. There are various communities around file formats
    (with a few things in common):
    Incident Response, Black hat, White hat,
    Digital Preservation, User, Development
    ...and I'm interested in all of them.
    My life is about file formats - they're my toys.
    9

  10. A gentle introduction to... Hash functions
    (only 5 slides)
    10

  11. What's a hash function? MD5, SHA1... (also called 'checksum')
    Returns, from any content, a big fixed-size value that differs for each content.
    Impossible to guess a content from its hash value.
    "" → d41d8cd98f00b204e9800998ecf8427e
    a → 0cc175b9c0f1b6a831c399e269772661
    b → 92eb5ffee6ae2fec3ad71c777531578f
    A → 7fc56270e7a70fa81a5935b72eacbe29
    ? ← d41d8cd98f00b204e9800998ecf8427f
    ? ← d41d8cd98f00b204e9800998ecf8427d
    11

  12. If two contents have the same hash,
    they are (assumed to be) identical (if the hash is secure)
    Hashes are used:
    - to check passwords (compute input hash, compare with stored value)
    Confidential - do not share → a59250af3300a8050106a67498a930f7
    p4ssw0rd → 2a9d119df47ff993b662a8ef36f9ea20
    - to validate content integrity
    - to index files (ex: your pictures in the cloud)
    12


  13. ...unless there is a hash collision:
    two different contents with the same hash result.
    This example uses the crypt(3) hash.
    $ python
    [...]
    >>> crypt.crypt("5dUD&66", salt="br")
    'brokenOz4KxMc'
    >>> crypt.crypt("O!>',%$", salt="br")
    'brokenOz4KxMc'
    >>> _
    13

  14. Hash collision != password cracking
    Password cracking (HashCat, John the Ripper):
    finds a string that matches a value, a hash.
    Hash collision (HashClash, Shattered):
    makes Content Good and Content Bad with the same hash.
    14

  15. What's the extent of a hash collision?
    It's impossible to generate a file with a predetermined hash
    with MD5 or SHA1 (pre-image attack).
    Cf "Lessons from the history of attacks on secure hash-functions".
    But Maraca and Snefru were broken.
    We can only generate two (or more) different files
    that have the same hash.
    With some file types, we can instantly generate files
    that render the same way (via some tricks).
    15

  16. Results 1/2
    Instant MD5 collisions, with no recomputation:
    PDF, MP4, JPG, PNG
    https://github.com/corkami/collisions
    16

  17. Results 2/2 (also DocX, GZIP, 3MF…)
    GIF, PE, JP2
    17

  18. Just new collisions?
    Instant, reusable and generic collisions:
    Take any pair of files, run script, get colliding files.
    Ex: script -> output recording
    In some cases (PDFs), the colliding files are 100% standard:
    From a parser perspective,
    the contents are unmodified: only the files’ structures are.
    $ time ./png.py yes.png no.png
    real 0m0.039s
    user 0m0.025s
    sys 0m0.017s
    $ md5sum collision*.png
    7af5775114be02b9b2594418a68a4cb8 collision1.png
    7af5775114be02b9b2594418a68a4cb8 collision2.png
    18


  19. Demystifying long-lasting myths
    Hash collisions are usually perceived to apply only to:
    1. a pair of files
    2. of the same file type
    3. Colliding files are expected to be very different.
    19


  20. A multi-type quartet of an executable, image, video, document:
    instant & generic PDF/PE/PNG/MP4 collision.
    A tree of 3 HashClash!
    https://github.com/angea/pocorgtfo/blob/master/README.md#0x19
    20

  21. A 60 page LaTeX-generated PDF...
    ...showing its MD5...
    ...also a NES rom...
    ...showing the same MD5!
    Tiny change (text), same MD5
    609 FastColls in the file!
    <= alternate cover, but same MD5!
    Mmm, seaf00d...
    https://github.com/angea/pocorgtfo/blob/master/README.md#0x14
    21

  22. A 64 page LaTeX-generated PDF...
    Tiny change (background image), same SHA1
    Two covers via a "dual-content" JPG
    and 2 payloads via HTML polyglot
    https://github.com/angea/pocorgtfo/blob/master/README.md#0x18
    22

  23. Don't be fooled: shortcuts are necessary
    Instant & generic collisions rely on attacks and file format tricks.
    Some formats have no suitable tricks.
    -> no generic collisions for ELF, Mach-O, ZIP, TAR, Class…
    These tricks will be reusable with future collision attacks:
    the same JPEG trick was reused with 3 hash collisions (MD5, MalSHA1, SHA1)
    23

  24. Goals of this workshop
    - File format structures and manipulations
    - Understand hash collision attacks and their exploits:
      their impacts and limits, without all the internal details
    - Create your own exploits
    A system that you study indexes files with MD5: what can you do?
    25

  25. "No one uses MD5 anymore!" ?
    https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/
    26


  26. You may have heard of… the Shattered attack
    A computation of the attack documented in Stevens13,
    using a JPG in a PDF exploit.
    Official paper: CRYPTO17 paper.
    Pwnie: best crypto attack.
    Nominated for the Péter Szőr award.
    Presentations:
    - Marc (crypto) video
    - Pierre (computation) video / slides
    - Elie (high level) video / slides
    - Ange (file formats) video / slides: what this slide deck is about
    (more details about Shattered here)
    27

  27. Uses of hashes
    - check if contents have changed:
      ✓ do nothing
      ✗ refresh file [if newer...]
    - provide randomization:
      ✓ user id
      ✗ crypto key
    - match a file to a file/set (white/blacklisting, indexing)
      ✗ if the set is user-controlled
    28

  28. Use cases
    A system uses MD5 to index/check integrity. Is it safe?
    Collide a normal* file with a malicious one.
    You can even do it on the fly!
    To get instant collisions, a few hours of research and computation is usually enough.
    *rendering-wise, not structure-wise.
    29

  29. Having trouble convincing people? Let files do the talking.
    Threats? Theory...
    Exploit PoCs? Reality!
    Theoretical attacks to put in practice -> immediate threat
    30

  30. MD5 collisions: a good hacking challenge
    Hacking a file format == reading + manipulating + abusing parsers.
    Crafting a re-usable collision requires all these skills, and leaves an undeniable proof.
    A re-usable MD5 collision is a good & impactful exercise:
    if the collision is instant, the files work and have the same MD5,
    it sets in stone your knowledge of that file format,
    and you have a proof (of concept).
    31

  31. Don't be scared…
    Crypto Tales from the "Attacks on Hash Functions" (Marc Stevens' PhD thesis):
    https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf
    32

  32. You don't need to understand cryptography or maths...
    (to be honest, I don't either)
    We'll just use existing attacks:
    FastColl, UniColl, HashClash, Shattered - yes, that's all!
    33

  33. You don't have to be an expert in file formats.
    34

  34. You just need to know their overall structure:
    header, body, tail
    (less complex than some Lego models)
    35

  35. Even this is too much!
    36



  36. PNG structure
    You only need to understand the high level structure (not the whole thing)
    37


  37. 000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
    010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83
    020: E3 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF
    030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32
    040: 61 E5 00 00 00 00 .I .E .N .D AE 42 60 82
    Highlighted on the slide (the structure, as opposed to the chunk contents):
    signature + IHDR chunk header: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
    IHDR CRC: 94 82 83 E3
    IDAT chunk header: 00 00 00 15 .I .D .A .T
    IDAT CRC: E9 32 61 E5
    IEND chunk: 00 00 00 00 .I .E .N .D AE 42 60 82
    And we'll ignore most contents, so we'll just think in blocks.
    38

  38. To be honest
    Exploiting hash collisions
    feels a bit like...
    39


  39. COLLTRIS
    (by Ange Albertini)
    ...playing a puzzle game!
    40

  40. You just need to know
    the rules of each block!
    41


  41. For a simpler introduction to the topic, check this: slides / video
    42

  42. You know hexadecimal?
    44


  43. You know ASCII?
    A standard encoding:
    characters <=> values
    "A" <=> 0x41 = 65
    "Z" <=> 0x5A = 90
    "a" <=> 0x61 = 97
    45


  44. You know endianness?
    Memory addresses: 01 23
    -> Big digits first (big-endian): 01 23 → 0x0123 = 291
       Reading like humans.
       Formats: PNG, JPG, MP4, Class, TIFF
    <- Little digits first (little-endian): 01 23 → 0x2301 = 8961
       Reading like many processors.
       Formats: ZIP, BMP, GZip, TIFF
       Executables: ARM (default), x86, x64
    TIFF exists in both endiannesses.
    46

  45. You know hexadecimal viewers?
    000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
    010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83
    020: E3 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF
    030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32
    040: 61 E5 00 00 00 00 .I .E .N .D AE 42 60 82
    Offsets are in the left column, contents on the right.
    Start in the top-left corner: +1 for each byte to the right, +0x10 for each line down.
    Note: for this workshop, wrapping at 0x10 / 16 bytes is important.
    Recommended hex tools:
    - Web: Kaitai
    - Linux: XXD/Hexedit/Okteta/Bvi/Dhex
    - Mac: Hex Fiend
    - Win: HxD/Hiew
    47

  46. What are hash collisions in practice?
    A computation that generates
    two distinct contents with the same hash.
    We can set the start of these contents - we'll see why.
    A hash collision generates a lot of randomness!
    -> the final hash is not known in advance.
    48


  47. Prerequisites
    49

  48. Prerequisites 1/2
    To run your own computations: HashClash (HashClash, not HashCat).
    https://github.com/cr-marcstevens/hashclash
    Download source and compile, or download release binaries.
    CUDA is not required.
    May require psmisc and autoconf-archive.
    A few warnings will happen but it's OK!:
    src/sha1attackgenerator/collfind.cpp:1266:64: warning:
    [-Wshift-overflow=]
    if (((Q20bu+(m15add<<20))&Q20mask)==Q20val && (((Q21b
    Check that the executables are there!
    ~/git/hashclash/bin$ ls md5*
    md5_birthdaysearch md5_diffpathconnect md5_diffpathhelper
    md5_diffpathbackward md5_diffpathforward md5_fastcoll
    50

  49. Can't compile? Computation too slow?
    Compiling and computing can be troublesome.
    If so, all the computed examples of the slides are available:
    https://github.com/corkami/collisions/tree/master/workshop/prefixes
    So you can skip that step and focus on file manipulation (if you prefer).
    OTOH you may want to at least try to run FastColl: it's instant and never fails.
    It even works with Wine w/ Windows binaries:
    corkami:~$ wine ~/fastcoll_v1.0.0.5.exe
    MD5 collision generator v1.5
    by Marc Stevens (http://www.win.tue.nl/hashclash/)
    Allowed options:
    -h [ --help ] Show options.
    -q [ --quiet ] Be less verbose.
    -i [ --ihv ] arg Use specified initial value. Default is MD5 initial
    value.
    -p [ --prefixfile ] arg Calculate initial value using given prefixfile. Also
    copies data to output files.
    -o [ --out ] arg Set output filenames. This must be the last option
    and exactly 2 filenames must be specified.
    cf5600ab
    51

  50. Prerequisites 2/2
    A file format manipulation environment:
    hex editor, assembly, scripting…
    Whatever rocks your boat and you're familiar with.
    Recommended hex tools:
    - Web: Kaitai
    - Linux: XXD/Hexedit/Okteta/Bvi/Dhex
    - Mac: Hex Fiend
    - Win: HxD/Hiew
    A copy of Corkami/collisions
    (contains materials for this workshop):
    https://github.com/corkami/collisions
    A copy of these slides (for readability if needed):
    https://speakerdeck.com/ange/colltris
    52

  51. Kaitai 101
    If you're not familiar with hex viewing:
    Kaitai is a pretty awesome tool with a great online viewer
    (no modifications of the files are allowed):
    https://ide.kaitai.io
    53

  52. Kaitai in a nutshell
    - Uses YAML-based parsers. Many formats are already supported.
    - Drop your file on the IDE, select the file format.
    - if you modify the YAML source (for ex: to remove unneeded details),
    the modified version is saved locally and reusable/downloadable.
    Drawback: instantly fails on invalid files
    (but you can fix that directly in the GUI).
    54


  53. Demo
    The IDE shows: hex viewer, YAML editor, parsed output,
    available formats, samples, your files.
    56

  54. If you're not familiar with format manipulations
    - Skim through some specs. Get an idea of the high level structure.
    - Look for possible shortcuts that a parser might take, such as:
      - Secondary structures might be absent or corrupted -> parasitizing
      - Structure order might not be enforced -> shuffling
    - Check standard open-source implementations.
    All the referenced scripts are on the Corkami GitHub: https://github.com/corkami/collisions
    57

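The PNG hex dump from slide 37, walked by a small chunk parser, as an added example (my code, not one of the workshop's scripts): it reads the big-endian chunk lengths (the endianness slide), verifies each chunk's CRC, reports which 64-byte MD5 block each chunk header starts in ("think in blocks"), decodes the pixels, and has a `strict` switch that models the parser shortcut described above: a lenient parser that accepts a chunk whose CRC is wrong. The 78-byte image is transcribed from the slide; the function names and the `strict` parameter are my own choices, not a standard API.

```python
import struct
import zlib

# Transcribed from the 78-byte PNG hex dump on the slide (a 3x1 RGB image).
TINY_PNG = bytes.fromhex(
    "89504E470D0A1A0A"                             # signature: \x89 P N G \r \n ^Z \n
    "0000000D" "49484452"                          # IHDR chunk: length 13, type
    "00000003" "00000001" "08" "02" "00" "00" "00" # width 3, height 1, 8-bit, RGB, no interlace
    "948283E3"                                     # IHDR CRC
    "00000015" "49444154"                          # IDAT chunk: length 21, type
    "081D010A00F5FF00FF000000FF000000FF0EFB02FE"   # zlib stream: one stored block + Adler-32
    "E93261E5"                                     # IDAT CRC
    "00000000" "49454E44" "AE426082"               # IEND chunk: length 0, type, CRC
)

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MD5_BLOCK_SIZE = 64


def parse_chunks(data, strict=True):
    """Walk the chunk list after the 8-byte signature.
    Each chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC
    (the CRC covers type + data, not the length). Returns one dict per chunk.
    With strict=False a bad CRC is only reported, not rejected (the shortcut
    a lenient parser takes)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header at offset 0x%X" % pos)
        (length,) = struct.unpack(">I", data[pos:pos + 4])   # big digits first
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r at offset 0x%X" % (ctype, pos))
        (stored_crc,) = struct.unpack(">I", crc_field)
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        if strict and not crc_ok:
            raise ValueError("bad CRC on chunk %r at offset 0x%X" % (ctype, pos))
        chunks.append({
            "offset": pos,
            "type": ctype.decode("ascii"),
            "length": length,
            "crc_ok": crc_ok,
            "md5_block": pos // MD5_BLOCK_SIZE,  # 64-byte hash block the header starts in
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def parse_ihdr(data):
    """(width, height, bit_depth, color_type) from the IHDR chunk."""
    for chunk in parse_chunks(data):
        if chunk["type"] == "IHDR":
            start = chunk["offset"] + 8
            return struct.unpack(">IIBB", data[start:start + 10])
    raise ValueError("no IHDR chunk")


def decode_pixels(data):
    """Pixels of an 8-bit RGB, non-interlaced image whose rows use filter 0
    (the only case this example handles). IDAT bodies are concatenated and
    inflated; zlib.decompress also checks the stream's Adler-32 trailer."""
    width, height, depth, ctype = parse_ihdr(data)
    if (depth, ctype) != (8, 2):
        raise ValueError("example only decodes 8-bit RGB")
    idat = b"".join(data[c["offset"] + 8:c["offset"] + 8 + c["length"]]
                    for c in parse_chunks(data) if c["type"] == "IDAT")
    scanlines = zlib.decompress(idat)
    stride = 1 + 3 * width  # filter byte + RGB triplets
    pixels = []
    for row in range(height):
        line = scanlines[row * stride:(row + 1) * stride]
        if line[0] != 0:
            raise ValueError("unsupported filter type %d" % line[0])
        pixels += [tuple(line[1 + 3 * i:4 + 3 * i]) for i in range(width)]
    return pixels


if __name__ == "__main__":
    for c in parse_chunks(TINY_PNG):
        print("%(type)s at 0x%(offset)02X, %(length)d bytes, CRC ok=%(crc_ok)s,"
              " MD5 block %(md5_block)d" % c)
    print("IHDR:", parse_ihdr(TINY_PNG))
    print("pixels:", decode_pixels(TINY_PNG))
    damaged = bytearray(TINY_PNG)
    damaged[-1] ^= 0xFF  # corrupt the IEND CRC
    print("lenient parser, damaged file, IEND CRC ok:",
          parse_chunks(bytes(damaged), strict=False)[-1]["crc_ok"])
```

Running it lists IHDR at 0x08, IDAT at 0x21 and IEND at 0x42, the last one already in the second 64-byte block, which is the level of detail the rest of the workshop works at: chunk headers and CRCs are structure, everything in between is content.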

  55. Efficient diffing
    VBinDiff:
    01-fastcoll-1.bin
    0000 0000: 37 75 C1 F1 C4 A7 5A E7 9C E0 DE 7A 5B 10 80 26 7u....Z. ...z[..& .
    0000 0010: 02 AB D9 39 C9 6C 5F 02 12 C2 7F DA CD 0D A3 B0 ...9.l_. ........ .
    0000 0020: 8C ED FA F3 E1 A3 FD B4 EF 09 E7 FB B1 C3 99 1D ........ ........ .
    0000 0030: CD 91 C8 45 E6 6E FD 3D C7 BB 61 52 3E F4 E0 38 ...E.n.= ..aR>..8 .
    0000 0040: 49 11 85 69 EB CC 17 9C 93 4F 40 EB 33 02 AD 20 I..i.... .O@.3..  .
    0000 0050: A4 09 2D FB 15 FA 20 1D D1 DB 17 CD DD 29 59 1E ..-... . .....)Y. .
    0000 0060: 39 89 9E F6 79 46 9F E6 8B 85 C5 EF DE 42 4F 46 9...yF.. .....BOF .
    0000 0070: C2 78 75 9D 8B 65 F4 50 EA 21 C5 59 18 62 FF 7B .xu..e.P .!.Y.b.{ .
    01-fastcoll-2.bin
    0000 0000: 37 75 C1 F1 C4 A7 5A E7 9C E0 DE 7A 5B 10 80 26 7u....Z. ...z[..& .
    0000 0010: 02 AB D9 B9 C9 6C 5F 02 12 C2 7F DA CD 0D A3 B0 .....l_. ........ .
    0000 0020: 8C ED FA F3 E1 A3 FD B4 EF 09 E7 FB B1 43 9A 1D ........ .....C.. .
    0000 0030: CD 91 C8 45 E6 6E FD 3D C7 BB 61 D2 3E F4 E0 38 ...E.n.= ..a.>..8 .
    0000 0040: 49 11 85 69 EB CC 17 9C 93 4F 40 EB 33 02 AD 20 I..i.... .O@.3..  .
    0000 0050: A4 09 2D 7B 15 FA 20 1D D1 DB 17 CD DD 29 59 1E ..-{.. . .....)Y. .
    0000 0060: 39 89 9E F6 79 46 9F E6 8B 85 C5 EF DE C2 4E 46 9...yF.. ......NF .
    0000 0070: C2 78 75 9D 8B 65 F4 50 EA 21 C5 D9 18 62 FF 7B .xu..e.P .!...b.{ .
    ┌───────────────────────────────────────────────────────────────────┐
    │Arrow keys move F find RET next difference ESC quit T move top     │
    │C ASCII/EBCDIC E edit file G goto position Q quit B move bottom    │
    └───────────────────────────────────────────────────────────────────┘
    diff + xxd:
    $ diff <(xxd 01-fastcoll-1.bin) <(xxd 01-fastcoll-2.bin)
    2,4c2,4
    < 00000010: 02ab d939 c96c 5f02 12c2 7fda cd0d a3b0 ...9.l_.........
    < 00000020: 8ced faf3 e1a3 fdb4 ef09 e7fb b1c3 991d ................
    < 00000030: cd91 c845 e66e fd3d c7bb 6152 3ef4 e038 ...E.n.=..aR>..8
    ---
    > 00000010: 02ab d9b9 c96c 5f02 12c2 7fda cd0d a3b0 .....l_.........
    > 00000020: 8ced faf3 e1a3 fdb4 ef09 e7fb b143 9a1d .............C..
    > 00000030: cd91 c845 e66e fd3d c7bb 61d2 3ef4 e038 ...E.n.=..a.>..8
    6,8c6,8
    < 00000050: a409 2dfb 15fa 201d d1db 17cd dd29 591e ..-... ......)Y.
    < 00000060: 3989 9ef6 7946 9fe6 8b85 c5ef de42 4f46 9...yF.......BOF
    < 00000070: c278 759d 8b65 f450 ea21 c559 1862 ff7b .xu..e.P.!.Y.b.{
    ---
    > 00000050: a409 2d7b 15fa 201d d1db 17cd dd29 591e ..-{.. ......)Y.
    > 00000060: 3989 9ef6 7946 9fe6 8b85 c5ef dec2 4e46 9...yF........NF
    > 00000070: c278 759d 8b65 f450 ea21 c5d9 1862 ff7b .xu..e.P.!...b.{
    58

  56. Radiff (from Radare)
    ~/git/corkami/collisions/workshop/prefixes$ radiff2 -x 10*
    offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
    0x00000000! 6e6f0000000000000000000000000000 no.............. 79657300000000000000000000000000 yes.............
    0x00000010 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
    0x00000020 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
    0x00000030! 00000000000000001971e7f70972fb06 .........q...r.. 0000000000000000b74638098a46f17b .........F8..F.{
    0x00000040 f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#. f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#.
    0x00000050 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu
    0x00000060! 9198a2d3e0fd59edd1c5fa0b79659751 ......Y.....ye.Q 9198a2d3e0fd59edd1c5fa0b7965974d ......Y.....ye.M
    0x00000070 b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^. b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^.
    0x00000080 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#. 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#.
    ...
    0x000000a0! ba784000c37e93b231a36e2d34724ac9 .x@..~..1.n-4rJ. ba784000c37e93b231a36e2d346a4ac9 .x@..~..1.n-4jJ.
    0x000000b0 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a. 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a.
    0x000000c0 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+... 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+...
    ...
    0x000000e0! 7d86e4351eb833eeea15d181fa9662ec }..5..3.......b. 7d86e4351eb833eeea15d181ba9662ec }..5..3.......b.
    0x000000f0 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....).. 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....)..
    0x00000100 a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A".. a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A"..
    ...
    0x00000120! 8bc95c93a5efa4227d9a66516eedaf70 ..\...."}.fQn..p 8bc95c93a5efa4227d9a66516eedad70 ..\...."}.fQn..p
    0x00000130 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr' 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr'
    0x00000140 e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s... e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s...
    ...
    0x00000160! e860db910013c91d7a619b9a5d60bd71 .`......za..]`.q e860db910013c91d7a619b9a5d5ebd71 .`......za..]^.q
    0x00000170 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc. 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc.
    0x00000180 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ. 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ.
    ...
    0x000001a0! 0260f662913470fec334546d7607ff1a .`.b.4p..4Tmv... 0260f662913470fec334546d76077f1a .`.b.4p..4Tmv...
    0x000001b0 7353e60b08fb8280ad5f22151869b56e sS......._"..i.n 7353e60b08fb8280ad5f22151869b56e sS......._"..i.n
    0x000001c0 bb06c3a7ff391552befed45cd2555a71 .....9.R...\.UZq bb06c3a7ff391552befed45cd2555a71 .....9.R...\.UZq
    ...
    0x000001e0! 1f8a9ad842bf6c016a3926846c58e2e4 ....B.l.j9&.lX.. 1f8a9ad842bf6c016a3926847458e2e4 ....B.l.j9&.tX..
    0x000001f0 00d4677b27bd936ddff0104a2b007e68 ..g{'..m...J+.~h 00d4677b27bd936ddff0104a2b007e68 ..g{'..m...J+.~h
    0x00000200 1dded58a6789ea520c32bd30a28cbed0 ....g..R.2.0.... 1dded58a6789ea520c32bd30a28cbed0 ....g..R.2.0....
    ...
    0x00000220! e6186ee3f052e435836142357297cd8d ..n..R.5.aB5r... e6186ee3f052e435836142357297c58d ..n..R.5.aB5r...
    0x00000230 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B.... 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B....
    0x00000240 ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......, ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......,
    ...
    0x00000260! 4f9cfa623d4246596732ec99da897a08 O..b=BFYg2....z. 4f9cfa623d4246596732ec99da897a88 O..b=BFYg2....z.
    0x00000270 e7ade321ed3c4bc04d9f833cdc7fb70a ...!.
    https://r2wiki.readthedocs.io/en/latest/tools/radiff2/
    59

  57. The first block in our game:
    An Identical Prefix Collision - FastColl
    61

  58. Warning: collision computing is a very random process
    Many possible problems across the different attacks:
    - variable computing time
    - different results from each execution
    - final result might just not collide
    - computation might be stalled
    -> restart/backtracking might be required.
    Ex: with FastColl, from 0.3 to 13s on the same machine!
    seed32_1 = uint32(time(NULL));
    https://github.com/cr-marcstevens/hashclash/blob/master/src/md5fastcoll/main.cpp#L106
    https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf#page=110
    62

  59. Mission: from nothing, generate 2 files with the same md5.
    Example: create an empty file, run FastColl on it (recording).
    bin$ touch empty
    bin$ du -b empty
    0 empty
    bin$ _
    bin$ md5_fastcoll -p empty
    MD5 collision generator v1.5
    by Marc Stevens (http://www.win.tue.nl/hashclash/)
    Using output filenames: 'msg1.bin' and 'msg2.bin'
    Using prefixfile: 'empty'
    Using initial value: 0123456789abcdeffedcba9876543210
    Generating first block: .
    Generating second block: W.....
    Running time: 0.343 s
    bin$ _
    64

  60. Our first hash collision
    00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26 7u┴±─ºZτ£α▐z[►Ç&
    10: 02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0 ☻½┘╣╔l_☻↕┬⌂┌═♪ú░
    20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D îφ·≤ßú²┤∩○τ√▒CÜ↔
    30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38 ═æ╚Eµn²=╟╗a╥>⌠α8
    40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20 I◄àiδ╠↨£ôO@δ3☻¡
    50: A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E ñ○-{§· ↔╤█↨═▌)Y▲
    60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46 9ë₧÷yFƒµïà┼∩▐┬NF
    70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B ┬xu¥ïe⌠PΩ!┼┘↑b {
    00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26 7u┴±─ºZτ£α▐z[►Ç&
    10: 02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0 ☻½┘9╔l_☻↕┬⌂┌═♪ú░
    20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D îφ·≤ßú²┤∩○τ√▒├Ö↔
    30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38 ═æ╚Eµn²=╟╗aR>⌠α8
    40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20 I◄àiδ╠↨£ôO@δ3☻¡
    50: A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E ñ○-√§· ↔╤█↨═▌)Y▲
    60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46 9ë₧÷yFƒµïà┼∩▐BOF
    70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B ┬xu¥ïe⌠PΩ!┼Y↑b {
    - two blocks of 64 bytes
    - totally random
    - a few tiny differences
    (Your results will be different)
    65

  61. Try again in the same conditions -> different computation time.
    bin$ md5_fastcoll -p empty
    MD5 collision generator v1.5
    by Marc Stevens (http://www.win.tue.nl/hashclash/)
    Using output filenames: 'msg1.bin' and 'msg2.bin'
    Using prefixfile: 'empty'
    Using initial value: 0123456789abcdeffedcba9876543210
    Generating first block: ........................
    Generating second block: S10...............
    Running time: 13.35 s
    bin$ _
    Mission
    66


  62. Our second colliding pair
    00: 1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A ↔ÆV╔4÷╞≥╔♀ùɬ▬U*
    10: 68 00 E7 C4-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2 h τ─îV9ΦGªÇªM░+≥
    20: F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 90 DD 72 ÷↕╥µ╨¼‼-∩ ≡▄‼É▌r
    30: 32 99 B0 BB-C7 65 A6 66-73 10 56 7C-9C 5F 45 8B 2Ö░╗╟eªfs►V|£_Eï
    40: 61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00 av╔V>▀~(█½▄d┤ÜD
    50: D3 4D BC 9E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6 ╙M╝₧Ç∟▓8╔│@g→`¿╞
    60: D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 94 F9 1C ╙╗H◘»♦0▬╕☺►[Æö∙∟
    70: 3D 3C C6 AC-FF 2C FD AD-DB 2C 2C CF-C1 06 9B 50 =<╞¼ ,²¡█,,╧┴♠¢P
    00: 1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A ↔ÆV╔4÷╞≥╔♀ùɬ▬U*
    10: 68 00 E7 44-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2 h τDîV9ΦGªÇªM░+≥
    20: F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 10 DE 72 ÷↕╥µ╨¼‼-∩ ≡▄‼►▐r
    30: 32 99 B0 BB-C7 65 A6 66-73 10 56 FC-9C 5F 45 8B 2Ö░╗╟eªfs►Vⁿ£_Eï
    40: 61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00 av╔V>▀~(█½▄d┤ÜD
    50: D3 4D BC 1E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6 ╙M╝▲Ç∟▓8╔│@g→`¿╞
    60: D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 14 F9 1C ╙╗H◘»♦0▬╕☺►[ƶ∙∟
    70: 3D 3C C6 AC-FF 2C FD AD-DB 2C 2C 4F-C1 06 9B 50 =<╞¼ ,²¡█,,O┴♠¢P
    - completely different
    - still random-looking
    -> let's ignore the ASCII!
    - differences at the same offsets
    (that's how it works)
    67


  63. A hash collision is...
    (in the case of these MD5/SHA1 attacks)
    ...a big pile of computed randomness, with tiny differences.
    Reminder: the final hash is not known in advance.
    68


  64. 1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A
    68 00 E7 44-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2
    F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 10 DE 72
    32 99 B0 BB-C7 65 A6 66-73 10 56 FC-9C 5F 45 8B
    61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00
    D3 4D BC 1E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6
    D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 14 F9 1C
    3D 3C C6 AC-FF 2C FD AD-DB 2C 2C 4F-C1 06 9B 50
    1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A
    68 00 E7 C4-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2
    F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 90 DD 72
    32 99 B0 BB-C7 65 A6 66-73 10 56 7C-9C 5F 45 8B
    61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00
    D3 4D BC 9E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6
    D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 94 F9 1C
    3D 3C C6 AC-FF 2C FD AD-DB 2C 2C CF-C1 06 9B 50
    37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
    02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
    8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D
    CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38
    49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
    A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
    39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46
    C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B
    37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
    02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
    8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D
    CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38
    49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
    A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
    39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46
    C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B
    ...and these differences are always at the same offsets:
    they were chosen specifically because of weaknesses in the hash function.
    For more details, check https://www.youtube.com/watch?v=iKE7DJd-PwU
    (The last ones are sometimes missing!)
    69


  65. Now let’s add an input: our prefix.
    The content and length of the prefix are not important here (example recording).
    bin$ md5_fastcoll -p prefix
    MD5 collision generator v1.5
    by Marc Stevens (http://www.win.tue.nl/hashclash/)
    Using output filenames: 'msg1.bin' and 'msg2.bin'
    Using prefixfile: 'prefix'
    Using initial value: 05ca8309f7b553d58845a18ab918a64c
    Generating first block: ....
    Generating second block: S10.........
    Running time: 2.653 s
    bin$ _
    bin$ cat prefix
    Here is a file with a few bytes
    bin$ du -b prefix
    31 prefix
    bin$ _
    File
    70


  66. Similar blocks, added after padding to 64 bytes:
    - the file is padded to 64 bytes
    - the collision blocks are appended
    - differences at the same relative offsets
    (regions: File, Padding, Mission)
    00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 AA D2 5C 30 C0
    00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
    71


  67. Padded to 64 bytes?
    MD5 and SHA-1 work by processing 64-byte blocks, from start to end
    (Merkle–Damgård construction:
    https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction)
    -> Appending the same thing, at block boundaries,
    to two files with the same hash
    will give files with the same hash.
    The same property is what enables the length extension attack:
    https://en.wikipedia.org/wiki/Length_extension_attack
    72
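The Merkle–Damgård property above is the whole story: the final digest depends only on the internal state at a block boundary plus whatever follows it. The following Python is an added example (my code, not part of the deck and not hashclash code): a small pure-Python MD5 whose compression loop can be resumed from an arbitrary state, used to carry out the length-extension attack the slide links to, i.e. computing md5(secret + data + glue + suffix) from md5(secret + data) and the total length, without knowing `secret`. The same resumability is why two files that share the state after their collision blocks keep colliding under any identical suffix. The secret, data and suffix are constructed sample values; hashlib is only used as the oracle that checks the forgery.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# MD5 initial state. Serialized little-endian it reads 0123456789abcdeffedcba9876543210,
# the "initial value" md5_fastcoll prints for an empty prefix.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_compress(state, block):
    """One MD5 compression: a 64-byte block in, the new 4-word state out."""
    M = struct.unpack("<16I", block)
    A, B, C, D = state
    for i in range(64):
        if i < 16:
            F, g = (B & C) | (~B & D), i
        elif i < 32:
            F, g = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:
            F, g = B ^ C ^ D, (3 * i + 5) % 16
        else:
            F, g = C ^ (B | ~D), (7 * i) % 16
        F = (F + A + K[i] + M[g]) & MASK
        A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK
    return tuple((s + v) & MASK for s, v in zip(state, (A, B, C, D)))


def md5_padding(msg_len):
    """The 0x80, zero bytes and 64-bit little-endian bit length appended to a msg_len-byte message."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (msg_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_from_state(state, data, total_len):
    """Resume MD5 at a block boundary: hash `data` starting from `state`, finalizing as
    if the whole message were total_len bytes long. Everything before the boundary only
    matters through `state`, which is why an identical suffix preserves a collision."""
    data += md5_padding(total_len)
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def md5(msg):
    return md5_from_state(IV, msg, len(msg))


def matches_hashlib(msg):
    """Cross-check this implementation against the standard library."""
    return md5(msg) == hashlib.md5(msg).digest()


def length_extend(known_digest, known_len, suffix):
    """Given md5(P) and len(P) but not P itself, return (glue, md5(P + glue + suffix))."""
    state = struct.unpack("<4I", known_digest)   # the digest IS the state after P's padded blocks
    glue = md5_padding(known_len)                # the padding the hasher appended to P
    total = known_len + len(glue) + len(suffix)
    return glue, md5_from_state(state, suffix, total)


def forge_and_verify(secret, data, suffix):
    """Run the attack knowing only md5(secret + data) and its length; hashlib plays the
    role of the verifier who does know `secret`. Returns (glue, forged hex digest, ok)."""
    known = hashlib.md5(secret + data).digest()
    glue, forged = length_extend(known, len(secret) + len(data), suffix)
    real = hashlib.md5(secret + data + glue + suffix).digest()
    return glue, forged.hex(), forged == real


if __name__ == "__main__":
    # Constructed sample values, not taken from the deck.
    glue, digest, ok = forge_and_verify(b"constructed-secret", b"user=bob&role=user", b"&role=admin")
    print(f"glue={glue.hex()} forged={digest} verified={ok}")
```

The glue bytes are the only awkward part for an attacker: they must survive in the extended message (which is why plain `md5(secret || message)` is a broken MAC, and HMAC is not).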


  68. Similarities of all current collision attacks
    All current hash collision attacks work with such an alignment:
    padding, then adding (at block boundaries) a number of blocks.
    -> Via these attacks:
    1. Every pair with the same hash will have the same length.
    2. The end of the files is either identical (suffix),
    or high-entropy, very similar and aligned to 64 bytes
    (no suffix, just collision blocks).
    73
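As a concrete check of the two similarities above, here is an added Python example (my code, not from the deck and not hashclash code) that inspects a candidate identical-prefix pair: same length, same MD5, differences grouped by 64-byte block, and the modular difference of every changed 32-bit little-endian word. The sample pair is the FastColl output for the empty prefix shown above, retyped from the slide; because it is a transcription, the MD5 comparison is reported rather than assumed.

```python
import hashlib
import struct

BLOCK = 64

# Constructed sample: the two 128-byte FastColl outputs for an empty prefix shown
# above, retyped from the slide (so treat the MD5 comparison below as a report).
PAIR_A = bytes.fromhex(
    "3775C1F1C4A75AE79CE0DE7A5B108026"
    "02ABD939C96C5F0212C27FDACD0DA3B0"
    "8CEDFAF3E1A3FDB4EF09E7FBB1C3991D"
    "CD91C845E66EFD3DC7BB61523EF4E038"
    "49118569EBCC179C934F40EB3302AD20"
    "A4092DFB15FA201DD1DB17CDDD29591E"
    "39899EF679469FE68B85C5EFDE424F46"
    "C278759D8B65F450EA21C5591862FF7B"
)
PAIR_B = bytes.fromhex(
    "3775C1F1C4A75AE79CE0DE7A5B108026"
    "02ABD9B9C96C5F0212C27FDACD0DA3B0"
    "8CEDFAF3E1A3FDB4EF09E7FBB1439A1D"
    "CD91C845E66EFD3DC7BB61D23EF4E038"
    "49118569EBCC179C934F40EB3302AD20"
    "A4092D7B15FA201DD1DB17CDDD29591E"
    "39899EF679469FE68B85C5EFDEC24E46"
    "C278759D8B65F450EA21C5D91862FF7B"
)


def diff_offsets_by_block(a, b):
    """{block index: [offsets inside that block]} of the bytes that differ."""
    if len(a) != len(b):
        raise ValueError("an identical-prefix pair always has the same length")
    out = {}
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            out.setdefault(i // BLOCK, []).append(i % BLOCK)
    return out


def word_deltas(a, b):
    """{(block, word): (word_b - word_a) mod 2^32} for every changed little-endian 32-bit word.
    This is the view the attack itself uses: a byte carry (e.g. 99 -> 9A) is just one word delta."""
    deltas = {}
    for blk in range(min(len(a), len(b)) // BLOCK):
        wa = struct.unpack("<16I", a[blk * BLOCK:(blk + 1) * BLOCK])
        wb = struct.unpack("<16I", b[blk * BLOCK:(blk + 1) * BLOCK])
        for w in range(16):
            if wa[w] != wb[w]:
                deltas[(blk, w)] = (wb[w] - wa[w]) & 0xFFFFFFFF
    return deltas


def analyze_pair(a, b):
    """Report the properties the deck lists as common to all these attacks."""
    diffs = diff_offsets_by_block(a, b) if len(a) == len(b) else {}
    patterns = {tuple(v) for v in diffs.values()}
    return {
        "same_length": len(a) == len(b),
        "same_md5": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "aligned_to_block": len(a) % BLOCK == 0,
        "diff_offsets": diffs,
        "same_offsets_in_every_block": len(patterns) <= 1,
        "word_deltas": word_deltas(a, b),
    }


if __name__ == "__main__":
    for key, value in analyze_pair(PAIR_A, PAIR_B).items():
        print(f"{key}: {value}")
```

On the transcribed pair the differing bytes sit at offsets 19, 45, 46 and 59 of each block; as word deltas that is +2^31 on word 4, +2^15 on word 11 and +2^31 on word 14 in the first block, with the word 11 sign flipped in the second block, which is the FastColl characteristic you would expect to see.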


  69. From now on...
    We always work with 64-byte blocks.
    It's really a block game!
    Double-check your hex viewer's wrapping!
    (some viewers adjust their wrapping when you resize the window)
    74


  70. Certificate (easy)
    Hash collision: computed your first FastColl
    Ange Albertini, INSTRUCTOR
    COLLTRIS
    75


  71. Step 1/4: the prefix (optional)
    PREFIX
    Padding
    We define the start of the file.
    The collision computation will depend on it.
    The prefix can be empty:
    its content and size make no difference to the attack itself.
    77


  72. Step 2/4: the padding (if needed)
    PREFIX
    Padding
    We add some data to the prefix
    to reach a rounded size (a multiple of 64).
    Its content doesn’t matter, only its length:
    it just aligns things.
    78


  73. Step 3/4: the collision blocks
    We compute a pair of blocks full of randomness with tiny differences.
    Despite the differences, the hash of both files is the same.
    These collision blocks only work for that exact prefix.
    (PREFIX / Padding / Differences)
    79


  74. Step 4/4: the suffix
    You can add anything to both sides (not required).
    The hash value will remain the same.
    (PREFIX / Padding / SUFFIX)
    80


  75. An Identical Prefix hash Collision (IPC)
    - takes a single input
    - prefix and suffix will be identical:
    -> files almost identical
    -> exploitation depends only on the collision differences
    -> two contents coexist in the same file.
    These properties are common to FastColl, UniColl and Shattered.
    81


  76. 00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
    00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 AA D2 5C 30 C0
    What can we do with this?
    We can put whatever we want before and after the collision.
    We need the following from the target file format:
    - padding, for alignments
    - the collision blocks’ randomness needs to be ignored
    - the differences need to be taken into account
    - several contents can co-exist (usually appended data)
    82


  77. Hash collision blocks
    - start and end aligned to 64 bytes (via padding if needed)
    - totally random
    - tiny differences at fixed offsets
    We can’t change these offsets (they depend on the hash function).
    These properties are common to all the attacks on MD5 or SHA1.
    83


  78. FastColl
    The fastest, but the most limiting.
    -> hard to exploit!
    00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
    10: 02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
    20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D
    30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38
    40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
    50: A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
    60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46
    70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B
    00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
    10: 02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
    20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D
    30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38
    40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
    50: A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
    60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46
    70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B
    - two blocks
    - a few seconds
    - differences in the middle (away from start or end)
    84


  79. What makes exploiting FastColl so difficult?
    Every collision difference is surrounded by random data:
    -> it’s usually impossible to declare a structure
    and its length with that single differing byte
    (such as a variable-length comment).
    "Cheating" workaround:
    some code (executable, javascript) checks
    the difference in the collision block.
    85


  80. Workaround: bruteforcing
    (bruteforcing the collision block output, not the hash value)
    Extra constraints can be added manually inside FastColl's source.
    Cf. PoCorGTFO 14:11
    Thankfully, there is UniColl and its unique powers.
    99 // change q17 until conditions are met on q18, q
    100 unsigned counter = 0;
    101 while (counter < (1 << 7))
    102 {
    103 const uint32 q16 = Q[Qoff + 16];
    104 uint32 q17 = ((xrng64() & 0x3ffd7ff7) | (q16&
    105 ++counter;
    106
    107 uint32 q18 = GG(q17, q16, Q[Qoff + 15]) + tt1
    108 q18 = RL(q18, 9); q18 += q17;
    109 if (0x00020000 != ((q18^q17)&0xa0020000))
    110 continue;
    111
    112 uint32 q19 = GG(q18, q17, q16) + tt19;
    113 q19 = RL(q19, 14); q19 += q18;
    114 if (0x80000000 != (q19 & 0x80020000))
    115 continue;
    116
    117 uint32 q20 = GG(q19, q18, q17) + tt20;
    118 q20 = RL(q20, 20); q20 += q19;
    119 if (0x00040000 != ((q20^q19) & 0x80040000))
    120 continue;
    121
    122 block[1] = q17-q16; block[1] = RR(block[1], 5
    123 uint32 q2 = block[1] + tt1; q2 = RL(q2, 12);
    124 block[5] = tt5 - q2;
    125
    126 Q[Qoff + 2] = q2;
    127 Q[Qoff + 17] = q17;
    128 Q[Qoff + 18] = q18;
    129 Q[Qoff + 19] = q19;
    130 Q[Qoff + 20] = q20;
    131 MD5_REVERSE_STEP(2, 0x242070db, 17);
    https://github.com/cr-marcstevens/hashclash/blob/master/src/md5fastcoll/block0.cpp#L101
    https://github.com/angea/pocorgtfo#0x14
    86


  81. Recap
    Instant computation doesn’t give any instant exploitation.
    -> Instant exploitation relies on
    pre-computed collisions and file format tricks.
    87


  82. Basics of file formats (most)
    88


  83. Typical structure
    header: required at the start of the file.
    It defines the file type, version, metadata...
    body: comes after the header.
    It's made of several chunks that may be moved around.
    footer: follows the body.
    It indicates that the file is complete.
    Parsers ignore any following data.
    89


  84. The “comment” block
    Most formats accept a comment block of some kind.
    It usually can contain anything, not just text.
    -> perfect to skip collision blocks or extra data.
    They can be inserted several times; they’re just entirely skipped.
    -> perfect for padding, collision blocks and extra data.
    They are usually length-defined:
    -> give them a variable length via the collision blocks' differences.
    90


  85. Robust parsers are 'detectives'
    Most files have all body chunks in a perfect and optimal arrangement,
    but parsers must be robust against weird structures or incomplete implementations.
    -> In practice, they just parse chunks and collect data (clues) on the way.
    And when a footer [or EOF] is reached,
    they check if they have enough data to render something.
    If not, the file is considered invalid.
    Even if most files are perfectly structured,
    robust parsers behave more like detectives.
    91


  86. A standard file (allegory)
    Die Kunst aufräumen - Ursus Wehrli ("the art of tidying up")
    Most files are perfectly structured:
    they were generated by one of the standard libraries,
    in normal conditions, and with typical requirements.
    Corner cases
    92


  87. Abusing 'detective' parsers
    A detective looks for specific clues.
    Since parsers behave like detectives,
    we can move pieces of a file around,
    split them, hide them among rubble.
    For most parsers,
    the presence/completeness/order
    of the file's structures may not matter.
    93


  88. These files are equivalent (from a parser perspective).
    Same content, different structure. Turning one into another is usually (very) easy.
    Legend: H = Header, C = Comment, B = Body (chunks), F = Footer, ? = Appended data
    HHHHHHBBBBBBFFF
    HHHHHHCBCBBBCCCCCCCCBCBFFF????
    HHHHHHCBBBBBBFFF
    HHHHHHCCCCCCCCBBBBBBFFF?
    94


  89. Take two files…
    (of the same file type)
    95


  90. Plan a special common header.
    Same image dimensions? Color space?
    Remove some features.
    Flatten content.
    etc...
    96


  91. Compute the collision for this header.
    Padding and randomness with tiny differences.
    These differences follow some patterns that will be abused.
    Error margins have to be mitigated.
    97


  92. Create a super f ile
    combining both f iles’ data.
    Both files’ Body and Footer are unmodified.
    The header has to be a common ground.
    The collision blocks differences will act like
    a switch to toggle between each content.
    98


  93. Prefix + Collision + Suffix
    It’s an IPC, so their hash value is the same.
    99


  94. It's like a ski slope
    with 2 special jump ramps.
    Collision
    blocks
    Landing A
    Landing B
    100


  95. Each colliding f ile
    will render as
    one of the original pair.
    101


  96. Now let’s look at
    something different.
    103


  97. Poetry...?
    104


  98. Now we hash md5,
    no enemy cares!
    Only we gave
    the shards.
    ...
    A cryptico poem
    https://github.com/Jurph/word-decrementer
    105


  99. Now we hath md5,
    no enemy dares!
    Only we have
    the shares.
    ...
    Increment the 10th letter of each sentence.
    (leading spaces are tolerated)
    106


  100. Our second block - another Identical Prefix Collision: UniColl.
    107


  101. Run its script on a prefix
    https://github.com/cr-marcstevens/hashclash/releases
    https://github.com/cr-marcstevens/hashclash/blob/master/scripts/poc_no.sh
    Use ex
    actly this prefix for your first try!
    scripts$ cat prefix
    Here is my prefix!!\n
    scripts$ du -b prefix
    20 prefix
    scripts$ _
    scripts$ ./poc_no.sh prefix
    MD5 differential path toolbox
    Copyright (C) 2009 Marc Stevens
    http://homepages.cwi.nl/~stevens/
    delta_m[2] = [!8!]
    In-block prefix words: 5          (words of 32 bits)
    Parsed path:
    Q-3:|01100111 01000101 00100011 00000001|
    [...]
    Found collision!
    2b3663b299b72c6b40d13ccd6c905a7d collision1.bin
    2b3663b299b72c6b40d13ccd6c905a7d collision2.bin
    [...]
    scripts$ _
    Mission
    108


  102. Sometimes, UniColl just... fails! Just re-run it then!
    Happy end:
    [...]
    262144 9
    370611 16
    524288 19
    Block 1: ./data/coll1_4205915269
    53 75 43 d7 3b 33 9a fe e7 b7 ed bd ae a8 07 b9
    f4 49 fa 94 34 01 54 db be 87 3c 39 af cd a1 82
    c4 ea 3a f8 9b 7c ba d3 ac af 3d 47 a1 03 0d 34
    7f ff 0c 58 92 bc 2b 8a a4 31 53 ee 2f 9b c1 f2
    Block 2: ./data/coll2_4205915269
    53 75 43 d7 3b 33 9a fe e7 b8 ed bd ae a8 07 b9
    f4 49 fa 94 34 01 54 db be 87 3c 39 af cd a1 82
    c4 ea 3a f8 9b 7c ba d3 ac af 3d 47 a1 03 0d 34
    7f ff 0c 58 92 bc 2b 8a a4 31 53 ee 2f 9b c1 f2
    Found collision!
    2b3663b299b72c6b40d13ccd6c905a7d collision1.bin
    2b3663b299b72c6b40d13ccd6c905a7d collision2.bin
    [...]
    Dead ends:
    - no usable path found:
    t=12: 0% 10 20 30 40 50 60 70 80 90
    |----|----|----|----|----|----|----|----|----|-
    ***********************************************
    Best path: totcompl=-1000 tottunnel=0, totcond=104857
    Verified: 17780 bad out of 17780
    Runtime: 88.9094
    MD5 differential path toolbox
    Copyright (C) 2009 Marc Stevens
    http://homepages.cwi.nl/~stevens/
    delta_m[2] = [!8!]
    Error: could not load path(s) in 'data/bestpath.bin.g
    cat: 'data/coll1_*': No such file or directory
    cat: 'data/coll2_*': No such file or directory
    738994fa06fb97feec6de48887d6452d collision1.bin
    3170e138bd0606df43c72d8051ba6184 collision2.bin
    - "Found collision!" is printed, yet the md5sums differ (always check them):
    [...]
    65536 4
    126153 8
    131072 8
    Block 1: ./data/coll1_2664753446
    ed 3f f0 88 4c 9a fe 58 f7 68 48 1f 22 28 22 62
    20 27 15 9e 1b da cf d4 df b7 7d e3 b4 a1 6c 33
    26 2a 58 3e 50 ca c9 3f 84 37 52 65 37 b6 ac fb
    9a f9 93 73 49 f9 df b7 48 84 29 c8 cb db 68 dc
    Block 2: ./data/coll2_2664753446
    ed 3f f0 88 4c 9a fe 58 f7 69 48 1f 22 28 22 62
    20 27 15 9e 1b da cf d4 df b7 7d e3 b4 a1 6c 33
    26 2a 58 3e 50 ca c9 3f 84 37 52 65 37 b6 ac fb
    9a f9 93 73 49 f9 df b7 48 84 29 c8 cb db 68 dc
    Found collision!
    0b37822e3e06d0e69e2b12d5f742f6d6 collision1.bin
    b7c77655f8a1d9b85c4ba7358939c9e4 collision2.bin
    109


  103. Output of a UniColl computation
    Characteristics:
    - two blocks
    - a few minutes to compute
    Important difference with FastColl:
    - the prefix is part of the collision blocks (!!)
    -> no padding
    - differences:
    10th char of the prefix's last block += 1 (!!)
    10th char of the 2nd block -= 1
    00: .H .e .r .e . .i .s . .m .z . .p .r .e .f .i
    10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
    20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
    30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
    40: 53 75 43 D7 3B 33 9A FE E7 B7 ED BD AE A8 07 B9
    50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
    60: C4 EA 3A F8 9B 7C BA D3 AC AF 3D 47 A1 03 0D 34
    70: 7F FF 0C 58 92 BC 2B 8A A4 31 53 EE 2F 9B C1 F2
    00: .H .e .r .e . .i .s . .m .y . .p .r .e .f .i
    10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
    20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
    30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
    40: 53 75 43 D7 3B 33 9A FE E7 B8 ED BD AE A8 07 B9
    50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
    60: C4 EA 3A F8 9B 7C BA D3 AC AF 3D 47 A1 03 0D 34
    70: 7F FF 0C 58 92 BC 2B 8A A4 31 53 EE 2F 9B C1 F2
    110


  104. A hybrid IPC where:
    - you can define the data around the first difference.
    - you can set the first difference:
    your text and your text +1
    No other collision does that.
    A true Unicorn of a collision
    111


  105. Why +1 on the 10th character?
    Because crypto
    (due to specific MD5 properties)
    No, you can't change it as you like.
    The other working cases are not
    as easy to exploit.
    Other working cases:
    https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf#page=200
    112


  106. 0000: .U .n .i .C .o .l .l . .2 . .p .r .e .f .i .x
    0010: . .2 .0 .b 24 FA 3F 50 2F 7A B1 A7 04 DC 2F 39
    0020: 07 E7 6F 33 B4 64 97 DD B1 95 8E F3 CB 60 18 B1
    0030: 9F E9 DC B3 D8 03 FC 7C 52 40 8E 36 AF 0C 86 C7
    0040: 8C 41 62 73 C9 B9 A7 EB 03 10 68 F0 5B 82 49 EE
    0050: B6 77 D5 50 E2 B8 D7 A2 61 16 78 B0 35 24 1B 2F
    0060: 5A 83 E2 E0 49 4F B7 0D 7D 7C E7 3F CC B7 F3 72
    0070: 8A 55 71 A0 B2 34 6C 0E 45 EE 04 60 ED 33 62 BC
    0000: .U .n .i C3 .o .l .l . .2 . .p .r .e .f .i .x
    0010: . .2 .0 .b 24 FA 3F 50 2F 7A B1 27 04 DC 2F 39
    0020: 07 E7 6F 33 B4 64 97 DD B1 95 8E F3 CB 60 18 B1
    0030: 9F E9 DC B3 D8 03 FC 84 52 40 8E 36 AF 0C 86 C7
    0040: 8C 41 62 F3 C9 B9 A7 EB 03 10 68 F0 5B 82 49 EE
    0050: B6 77 D5 50 E2 B8 D7 A2 61 16 78 30 35 24 1B 2F
    0060: 5A 83 E2 E0 49 4F B7 0D 7D 7C E7 3F CC B7 F3 72
    0070: 8A 55 71 A0 B2 34 6C 06 45 EE 04 60 ED 33 62 BC
    0000: .U .n .i .C .o .l .l . .3 . .p .r .e .f .i .x
    0010: . .2 .0 .b EC D2 0C 56 2F 03 F6 66 D1 76 8F 87
    0020: FF E4 7B EC F3 31 0A 65 66 B5 BD 6D F5 2B FD 1E
    0030: 4D 2D 99 37 0C B6 1B D5 63 94 DC 2E DB 97 F2 10
    0040: 22 BA 25 C4 F6 F7 EC C6 D7 0E DB 5D 18 DF 90 F9
    0050: 6A C5 2A 0A CC 88 3C 7F 6C AE 24 71 F9 BF 76 17
    0060: BE 60 AA DE 6F 0B 11 D0 52 E2 0E 85 BB 0B 8B 76
    0070: A1 18 87 03 D2 9D 39 80 79 10 50 3F BC 17 65 01
    0000: .U .n .i .C .o .l .l . .3 . .p .r .e .f .i .x
    0010: . .2 .0 .b EC D2 0C 56 2F 04 F6 66 D1 76 8F 87
    0020: FF E4 7B EC F3 31 0A E5 66 B5 BD 6D F5 2B FD 1E
    0030: 4D 2D 99 37 0C B6 1B D5 63 94 DC 2E DB 97 F2 90
    0040: 22 BA 25 C4 F6 F7 EC C6 D7 0E DB 5D 18 DF 90 F9
    0050: 6A C5 2A 0A CC 88 3C 7F 6C AD 24 71 F9 BF 76 17
    0060: BE 60 AA DE 6F 0B 11 50 52 E2 0E 85 BB 0B 8B 76
    0070: A1 18 87 03 D2 9D 39 80 79 10 50 3F BC 17 65 81
    With N=2:
    (-) less predictable difference
    (+) 16 fixed bytes after the first difference
    With N=3:
    difference on the last byte
    Other implemented variants:
    cf https://github.com/cr-marcstevens/hashclash/blob/master/scripts/poc_no.sh#L29-L44
    N=1: "--diffm2 9" [by default]
    N=2: "--diffm13 28 --diffm0 32 --diffm6 32"
    N=3: "--diffm6 9 --diffm9 32 --diffm15 32"
    113


  107. The prefix can be any size. Only its last block is integrated in the collision.
    (remember: no padding)
    00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
    20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
    30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
    40: .h .e .r .e . .i .s . .m .y . .p .r .e .f .i
    50: .x .! .! 0a .
    00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
    20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
    30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
    40: .h .e .r .e . .i .s . .m .y . .p .r .e .f .i
    50: .x .! .! 0a a4 8e d8 3f ae 42 a5 6b 47 e1 b4 72
    60: 7a 86 27 96 60 3a e6 9a 8a 37 7d 2f 8e ac a6 ad
    70: fd 56 ff d8 23 59 1c 81 da 57 1c 84 ee f5 17 07
    80: 39 f9 b5 e5 d8 a6 c4 02 89 df e2 c0 82 1e f8 fa
    90: 1e c3 c4 3e 77 17 12 98 d6 78 ed 80 dc 4f 83 86
    a0: 21 68 77 44 e2 dc 81 c8 69 33 eb 95 3a 60 08 a0
    b0: 05 37 f7 cc 0b b1 ee 94 76 0c af da 18 8b c2 57
    00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
    20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
    30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
    40: .h .e .r .e . .i .s . .m .z . .p .r .e .f .i
    50: .x .! .! 0a a4 8e d8 3f ae 42 a5 6b 47 e1 b4 72
    60: 7a 86 27 96 60 3a e6 9a 8a 37 7d 2f 8e ac a6 ad
    70: fd 56 ff d8 23 59 1c 81 da 57 1c 84 ee f5 17 07
    80: 39 f9 b5 e5 d8 a6 c4 02 89 de e2 c0 82 1e f8 fa
    90: 1e c3 c4 3e 77 17 12 98 d6 78 ed 80 dc 4f 83 86
    a0: 21 68 77 44 e2 dc 81 c8 69 33 eb 95 3a 60 08 a0
    b0: 05 37 f7 cc 0b b1 ee 94 76 0c af da 18 8b c2 57
    (above: the prefix alone; below: the two outputs, prefix followed by the collision blocks)
    114


  108. 2nd rule of UniColl's last prefix block:
    length multiple of 4 (otherwise it won't work as intended).
    $ md5sum collision*
    43a22967d7d6343da5c50da277f63f62 collision1.bin
    43a22967d7d6343da5c50da277f63f62 collision2.bin
    $ xxd prefix
    00000000: 70 p
    $ xxd collision1.bin | head -1
    00000000: c830 2859 684c dc50 cbba 8f0f 8fa7 48ef .0(YhL.P......H.
    $ md5sum collision*
    47bc2a72c2885bcc624342fe8d3756fd collision1.bin
    478ccf32058daf9d1fa44fd78959ed50 collision2.bin
    $ xxd prefix
    00000000: 7070 7070 pppp
    $ xxd collision1.bin | head -1
    00000000: 7070 7070 2c65 975b e9de 9dd9 98dc 7cd4 pppp,e.[......|.
    If not, the collision block doesn't start with the prefix's content.
    If its length is a multiple of 4,
    the end of the prefix’s last block is in the collision block.
    115


  109. 3rd rule of UniColl's last prefix block:
    if that part is longer than 20 bytes, it may never collide.
    -> increase the delays in the script.
    $ diff poc_no.sh long_poc_no.sh
    11c11
    < data=200000
    ---
    > data=1000000
    56c56
    < sleep 10
    ---
    > sleep 120
    116


  110. 000: .H .e .r .e . .i .s . .m .y . .l .o .n .g .
    010: .p .r .e .f .i .x .! \n 17 ef 03 3a 3b 0b d8 ba
    020: 11 0c 27 fe 71 8c ec 39 ab 48 97 fb 81 8e 7a 50
    030: 4c 5d 44 73 05 08 f7 ff 16 06 44 db ea 1c 8b 50
    040: 70 f4 66 04 c8 23 16 b0 83 99 e5 76 09 92 13 f0
    050: 3e 3e d2 bb d9 fb 3e 00 78 64 b4 89 af 98 fb bd
    060: aa e1 03 6b 77 61 46 3b 84 d4 25 a7 3b 00 09 1a
    070: 23 b9 e2 26 fd 35 6c d0 e4 56 a0 b5 fe 3d 28 47
    000: .H .e .r .e . .i .s . .m .z . .l .o .n .g .
    010: .p .r .e .f .i .x .! \n 17 ef 03 3a 3b 0b d8 ba
    020: 11 0c 27 fe 71 8c ec 39 ab 48 97 fb 81 8e 7a 50
    030: 4c 5d 44 73 05 08 f7 ff 16 06 44 db ea 1c 8b 50
    040: 70 f4 66 04 c8 23 16 b0 83 98 e5 76 09 92 13 f0
    050: 3e 3e d2 bb d9 fb 3e 00 78 64 b4 89 af 98 fb bd
    060: aa e1 03 6b 77 61 46 3b 84 d4 25 a7 3b 00 09 1a
    070: 23 b9 e2 26 fd 35 6c d0 e4 56 a0 b5 fe 3d 28 47
    24 bytes, standard version of the script:
    real 2m21.203s
    user 33m3.508s
    sys 0m55.864s
    000: .H .e .r .e . .i .s . .m .y . .l .o .n .g .
    010: .p .r .e .f .i .x .! .0 .1 .2 .3 0a a5 4d 0a a2
    020: 4a 9e 0e b1 20 bc df 89 bf ed d3 eb bb e2 e9 6f
    030: e9 fa 24 39 02 42 4f 8b 77 77 8c 50 0f ff a7 86
    040: b4 7a e4 de 00 27 f8 c7 ad ef b1 2d 25 35 f7 9f
    050: fa 01 64 3c 06 8a 5b 66 ad 46 fa 5f 11 ea 91 c6
    060: d3 70 11 45 57 dd 8a 0f b8 af 4d 0d d2 d2 40 43
    070: 48 c0 22 4d 67 b9 b2 5b 0a 98 ff e0 7f d3 7b 6d
    000: .H .e .r .e . .i .s . .m .z . .l .o .n .g .
    010: .p .r .e .f .i .x .! .0 .1 .2 .3 0a a5 4d 0a a2
    020: 4a 9e 0e b1 20 bc df 89 bf ed d3 eb bb e2 e9 6f
    030: e9 fa 24 39 02 42 4f 8b 77 77 8c 50 0f ff a7 86
    040: b4 7a e4 de 00 27 f8 c7 ad ee b1 2d 25 35 f7 9f
    050: fa 01 64 3c 06 8a 5b 66 ad 46 fa 5f 11 ea 91 c6
    060: d3 70 11 45 57 dd 8a 0f b8 af 4d 0d d2 d2 40 43
    070: 48 c0 22 4d 67 b9 b2 5b 0a 98 ff e0 7f d3 7b 6d
    28 bytes, slower version of the script:
    real 13m21.452s
    user 227m35.496s
    sys 3m27.896s
    117


  111. UniColl
    Slightly slower, but easy to exploit.
    - two blocks
    - a few minutes
    - differences in the prefix
    00: .H .e .r .e . .i .s . .m .z . .p .r .e .f .i
    10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
    20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
    30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
    40: 53 75 43 D7 3B 33 9A FE E7 B7 ED BD AE A8 07 B9
    50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
    60: C4 EA 3A F8 9B 7C BA D3 AC AF 3D 47 A1 03 0D 34
    70: 7F FF 0C 58 92 BC 2B 8A A4 31 53 EE 2F 9B C1 F2
    00: .H .e .r .e . .i .s . .m .y . .p .r .e .f .i
    10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
    20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
    30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
    40: 53 75 43 D7 3B 33 9A FE E7 B8 ED BD AE A8 07 B9
    50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
    60: C4 EA 3A F8 9B 7C BA D3 AC AF 3D 47 A1 03 0D 34
    70: 7F FF 0C 58 92 BC 2B 8A A4 31 53 EE 2F 9B C1 F2
    118


  112. Your first hash collision exploit
    120


  113. Plan your exploit
    Prepare
    1. Study the format specs, look for features that you need.
    2. Choose the attack: FastColl, UniColl [tree]...
    3. Plan your file structure (pen & specs).
    Craft
    4. Craft mockup files: check compatibility, CRCs…
    5. Ignore collision ranges to simulate colliding files.
    Compute
    6. Extract prefixes from mockups.
    7. Run computation(s).
    A mockup file before computation needs:
    - padding, for alignments
    - the collision blocks’ randomness to be ignored
    - the differences to be taken into account
    - two contents to co-exist.
    121


  114. What makes exploiting UniColl so easy?
    The first difference is surrounded by chosen text:
    no restriction to declare a length before or after a type.
    The difference is +1, which makes it trivial to plan the impact,
    i.e. one chunk will be exactly 0x100 longer than the other,
    which is bigger than the collision block
    but doesn’t grow uncontrollably.
    FastColl: 61 52 3E ⇔ 61 D2 3E
    UniColl: 00 71 .c .O .L .L ⇔ 01 71 .c .O .L .L
    122


  115. Layout of a classic collision+format exploitation
    1. A fixed-length comment for padding.
    2. A variable-length comment at the start of the collision blocks.
    3. Using the collision blocks to grow this comment over the first file’s data,
    followed by the second file’s data.
    Regions: Prefix, Alignment, Collision, Suffix
    Pieces: Signature, Padding, Collision, Chunk A, Chunk B, Comment, Comment
    123

  116. Case A (short comment)
    Case B (long comment)
    124

  117. Plan your generic exploit
    Getting an exploit PoC (pair) is great to convince/test!
    Making a script to instantly generate any PoC is even better!
    Explore the format landscape, standard implementations.
    Understand compatibility in depth.
    125

  118. Making it generic
    The size of Chunk A is unknown in advance.
    -> one extra comment to jump over these chunks,
    with its declaration toggled by the variable comment.
    (Diagram) Prefix | Alignment | Collision | Suffix
    126

  119. A chain of three comments
    Short collision comment
    Long collision comment
    127

  120. Generic exploitation is sometimes hard.
    Identify required structures of the format.
    Check structure sizes: constant? if not, what are the margins?
    Explore tools and options:
    Merging (PDF pages, GIF frames) then selectively hiding
    is a quick way to normalize 2 contents.
    Some minor tools’ output might be optimal for manipulation.
    128

  121. Exploiting PNG
    with UniColl
    129

  122. The Portable Network Graphics format
    /ˌpiːɛnˈdʒiː/ PEE-en-JEE
    /pɪŋ/ PING
    The most regular of the common formats:
    a signature then a sequence of chunks.
    (Diagram) Signature | Chunk | Chunk | ...
    130

  123. The PNG signature
    - enforced at offset 0
    - fixed, always the same 8 bytes:
    89 50 4E 47 0D 0A 1A 0A
    (Trivia) it's made of special characters to detect various errors:
    \x89 non-ASCII: a 7-bit transfer strips its high bit
    P N G
    \r \n carriage return + line feed: a line-ending conversion mangles it
    ^Z End Of File: stops the display of the file under DOS
    \n line feed: catches the conversion in the other direction
    131
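Added example, not part of the deck: a small check that turns the signature trivia above into a classifier for the first bytes of a supposed PNG. The labels it returns and the sample heads in the usage are this example's own.

```python
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def diagnose_signature(head: bytes) -> str:
    """Name the damage the PNG signature was designed to reveal, from a file's first bytes.

    Labels are this example's own: "ok", "not-png", "high-bit-stripped",
    "truncated", "crlf-to-lf", "lf-to-crlf", or "corrupted" for anything else.
    """
    if head.startswith(PNG_SIGNATURE):
        return "ok"
    if head[:4] == b"\x09PNG":                       # 0x89 lost its high bit: 7-bit channel
        return "high-bit-stripped"
    if head[:4] != b"\x89PNG":
        return "not-png"
    if len(head) < 8 and PNG_SIGNATURE.startswith(head):
        return "truncated"                           # e.g. a text-mode copy that stopped at ^Z
    tail = head[4:10]
    if tail.startswith(b"\n\x1a\n"):                 # CR LF squashed to LF
        return "crlf-to-lf"
    if tail.startswith((b"\r\r\n\x1a\r\n", b"\r\n\x1a\r\n")):   # LF expanded to CR LF
        return "lf-to-crlf"
    return "corrupted"


if __name__ == "__main__":
    # constructed sample heads, one per kind of damage
    for sample in (PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR", b"\x09PNG\r\n\x1a\n",
                   b"\x89PNG\n\x1a\n", b"\x89PNG\r\r\n\x1a\r\n", b"\x89PNG\r\n", b"GIF89a"):
        print(sample.hex(), diagnose_signature(sample))
```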

  124. The PNG format at chunk level
    - the length, big endian on 4 bytes.
    - the type, on 4 letters.
    - the data, of the given length.
    - the CRC of type and data.
    - CRCs are usually ignored by decoders.
    132

  125. Lowercase-typed chunks are ignored if unknown
    first letter:
    - uppercase == critical:
    Standard: IHDR Header / PLTE Palette / IDAT Data / IEND end
    Non-standard: CgBI Apple custom PNG
    - lowercase == secondary (ancillary):
    In the specs: bKGD cHRM gAMA hIST iCCP pHYs tIME
    tRNS sBIT sPLT sRGB tEXt iTXt zTXt
    Ignored if not in the specs: aLIG / cOLL / sKIP
    http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html#Chunk-naming-conventions
    133

  126. 134
    00000000: 89 50 4E 47-0D 0A 1A 0A-00 00 00 0D-49 48 44 52 ëPNG IHDR
    00000010: 00 00 02 64-00 00 02 64-08 03 00 00-00 88 CF CD d d ê╧═
    00000020: 8E 00 00 00-24 50 4C 54-45 FF FF FF-FF 7D 7D FF Ä $PLTE }}
    00000030: 6F 6F FF FE-FE FF 7E 7E-FF 00 00 FF-80 80 FF 6D oo ■■ ~~ ÇÇ m
    00000040: 6D FF 6E 6E-FF 30 30 FF-FD FD FF 2F-2F A6 F0 78 m nn 00 ²² //ª≡x
    00000050: 4E 00 00 0A-D9 49 44 41-54 78 DA EC-D2 D1 09 5A N ┘IDATx┌∞╥╤ Z
    00000060: 01 14 86 31-B5 DE EE 3F-72 1F CF 00-3F 94 20 5F å1╡▐ε?r ╧ ?ö _
    00000070: 66 C8 EB BF-79 7F 5E 8C-FC F9 7C 5F-BF E7 FD 3C f╚δ┐y^îⁿ∙|_┐τ²<
    00000080: 2D 83 8E 3D-CF F7 17 8F-B5 8C 3A E6-2E 1B 8E 51 -âÄ=╧≈ Å╡î:µ. ÄQ
    00000090: CB 3A 36 2C-73 8F 51 CB-3A 36 2C 73-8F 51 CB 3A ╦:6,sÅQ╦:6,sÅQ╦:
    000000A0: 36 2C 73 8F-51 CB 3A 36-2C 73 8F 51-CB 3A 36 2C 6,sÅQ╦:6,sÅQ╦:6,
    000000B0: 73 8F 51 CB-3A E6 2E 1B-8E 51 CB 3A-E6 2E 1B 8E sÅQ╦:µ. ÄQ╦:µ. Ä
    000000C0: 51 CB 3A E6-2E 1B 8E 51-CB 3A E6 2E-1B 8E 51 CB Q╦:µ. ÄQ╦:µ. ÄQ╦
    000000D0: 3A E6 2E 1B-8E 51 CB 3A-E6 2E 1B 8E-51 CB 3A E6 :µ. ÄQ╦:µ. ÄQ╦:µ
    000000E0: 2E 1B 8E 51-CB 3A E6 2E-1B 8E 59 CB-3A E6 2F 1B . ÄQ╦:µ. ÄY╦:µ/
    000000F0: 8E F9 CB 3A-26 2F 1B 8E-B5 8C 3A 26-2F 1B 8E B5 Ä∙╦:&/ Ä╡î:&/ Ä╡
    00000100: 8C 3A 26 2F-1B 8E B5 8C-3A 26 2F 1B-8E B5 8C 3A î:&/ Ä╡î:&/ Ä╡î:
    00000110: 26 2F 1B 8E-B5 8C 3A 26-2F 1B 8E B5-8C 3A E6 2F &/ Ä╡î:&/ Ä╡î:µ/
    00000120: BB 63 2D F3-8F F9 CB F6-63 2D 33 8F-F9 CB EE 58 ╗c-≤Å∙╦÷c-3Å∙╦εX
    00000130: CB FC 63 FE-B2 FD 58 CB-CC 63 B7 CC-3F D6 32 FF ╦ⁿc■▓²X╦╠c╖╠?╓2
    00000140: 98 BF 6C 3F-D6 32 F3 D8-2D F3 8F B5-CC 3F E6 2F ÿ┐l?╓2≤╪-≤Å╡╠?µ/
    00000150: DB 8F B5 CC-3C 76 CB FC-63 2D F3 8F-F9 CB F6 63 █Å╡╠<v╦ⁿc-≤Å∙╦÷c
    00000160: 2D 33 8F DD-32 FF 58 CB-FC 63 FE B2-3B D6 32 FC -3Å▌2 X╦ⁿc■▓;╓2ⁿ
    00000170: 18 B0 0C 38-D6 32 EA D8-2D F3 8F B5-0C 3E E6 2F ░ 8╓2Ω╪-≤Å╡ >µ/
    00000180: BB 63 D4 B2-8E 01 CB 80-63 F8 B2 8E-DD 32 F9 98 ╗c╘▓Ä ╦Çc°▓Ä▌2∙ÿ
    00000190: BF AC 63 FE-B2 3B 46 2D-EB 18 B0 CC-38 E6 2F EB ┐¼c■▓;F-δ ░╠8µ/δ
    000001A0: D8 2D 33 8F-F9 CB 3A E6-2F BB 63 D4-B2 8E 01 CB ╪-3Å∙╦:µ/╗c╘▓Ä ╦
    000001B0: A4 63 FE B2-8E DD 32 ED-98 BF AC 63-FE B2 3B 46 ñc■▓Ä▌2φÿ┐¼c■▓;F
    000001C0: 2D EB 18 B0-CC 3B E6 2F-EB D8 2D 73-8E F9 CB 3A -δ ░╠;µ/δ╪-sÄ∙╦:
    000001D0: E6 2F BB 63-D4 B2 8E 01-CB D4 63 FE-B2 8E DD 32 µ/╗c╘▓Ä ╦╘c■▓Ä▌2
    000001E0: F9 98 BF AC-63 C3 32 FF-98 BF AC 63-E7 2F 70 0C ∙ÿ┐¼c├2 ÿ┐¼cτ/p
    000001F0: 5F D6 31 7F-D9 1D A3 96-75 0C 58 E6-1F F3 97 75 _╓1┘ úûu Xµ ≤ùu
    00000200: EC 96 01 C7-D8 65 1D F3-97 DD 31 6A-59 C7 98 65 ∞û ╟╪e ≤ù▌1jY╟ÿe
    00000210: FE 31 7F 59-C7 6E 19 70-0C 5C D6 31-7F D9 1D 6B ■1Y╟n p \╓1┘ k
    00000220: 59 C7 6E 19-70 8C 59 D6-31 7F D9 1D-6B 59 C7 6E Y╟n pîY╓1┘ kY╟n
    00000230: 19 70 0C 5A-D6 31 7F D9-1D 6B 59 C7-6E 19 70 8C p Z╓1┘ kY╟n pî
    00000240: 5A D6 31 7F-D9 1D 6B 59-C7 6E 19 70-CC 59 D6 31 Z╓1┘ kY╟n p╠Y╓1
    00000250: 7F D9 1D 6B-59 C7 C6 65-FE B1 96 DD-31 7F D9 7E ┘ kY╟╞e■▒û▌1┘~
    00000260: AC 65 1D DB-97 DD B1 96-75 6C 5B 36-1C 6B 59 C7 ¼e █ù▌▒ûul[6 kY╟
    00000270: F6 65 77 AC-65 1D 9B 96-0D C7 5A D6-B1 5B B6 1F ÷ew¼e ¢û ╟Z╓▒[╢
    00000280: 6B 59 C7 A6-65 C3 B1 96-75 EC 96 4D-C7 5A D6 B1 kY╟ªe├▒ûu∞ûM╟Z╓▒
    00000290: 61 D9 70 AC-65 1D BB 65-D3 B1 96 75-6C 5F B6 1F a┘p¼e ╗e╙▒ûul_╢
    000002A0: FB C7 8E 5D-1D 84 01 45-51 10 4C 70-E9 BF 5E 1C √╟Ä] ä EQ LpΘ┐^
    000002B0: CE 27 BA E8-6C 0B 77 9E-52 C6 D8 94-35 C6 28 63 ╬'║Φl w₧R╞╪ö5╞(c
    000002C0: 6C CA 02 63-94 31 36 65-B1 31 CA 18-9B B2 CA 18 l╩ cö16e▒1╩ ¢▓╩
    000002D0: 65 8C 4D 59-65 8C 32 C6-A6 AC 32 46-19 63 53 56 eîMYeî2╞ª¼2F cSV
    000002E0: 19 A3 8C B1-29 AB 8C 51-C6 D8 94 55-C6 28 63 6C úî▒)½îQ╞╪öU╞(cl
    000002F0: CA 2A 63 94-31 36 65 95-31 CA 18 9B-B2 CA 18 65 ╩*cö16eò1╩ ¢▓╩ e
    00000300: 8C 4D 59 65-8C 32 C6 A6-AC 32 46 19-63 53 56 19 îMYeî2╞ª¼2F cSV
    00000310: A3 8C B1 29-AB 8C 51 C6-D8 94 55 C6-28 63 6C CA úî▒)½îQ╞╪öU╞(cl╩
    00000320: 2A 63 94 31-36 65 33 46-19 63 A5 B2-19 A3 8C B1 *cö16e3F cÑ▓ úî▒
    00000330: 46 59 63 8C-32 C6 A6 AC-31 46 19 63-53 16 18 A3 FYcî2╞ª¼1F cS ú
    00000340: 8C B1 29 8B-8D 51 C6 D8-9D B2 D3 63-CA 18 8B A7 î▒)ïìQ╞╪¥▓╙c╩ ïº
    00000350: 71 78 46 59-1B 63 94 F5-31 46 59 1F-63 94 F5 31 qxFY cö⌡1FY cö⌡1
    00000360: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
    00000370: 1F 63 94 F5-31 46 59 1F-63 94 F5 31-46 59 1F 63 cö⌡1FY cö⌡1FY c
    00000380: 94 F5 31 46-59 1F 63 94-F5 31 46 59-1F 63 94 F5 ö⌡1FY cö⌡1FY cö⌡
    00000390: 31 46 59 1F-63 94 F5 31-46 59 1F 63-94 F5 31 46 1FY cö⌡1FY cö⌡1F
    000003A0: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
    000003B0: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
    000003C0: D5 31 46 59-1D 63 94 D5-31 46 59 1D-63 94 D5 31 ╒1FY cö╒1FY cö╒1
    000003D0: 46 59 1D 63-94 D5 31 46-59 1D 63 94-D5 31 46 59 FY cö╒1FY cö╒1FY
    000003E0: 1D 63 94 C5-31 46 59 6F-8C 31 CA D2-18 EB 95 51 cö┼1FYoî1╩╥ δòQ
    000003F0: C6 D8 5D 94-85 31 F6 DA-28 EB 8D 31-46 D9 5D 8C ╞╪]öà1÷┌(δì1F┘]î
    00000400: C5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ┼Q╞X eî⌡Q╞X eî⌡Q
    00000410: C6 58 1F 65-8C F5 51 C6-58 1F 65 8C-F5 51 C6 58 ╞X eî⌡Q╞X eî⌡Q╞X
    00000420: 1F 65 8C F5-51 C6 58 1F-65 8C F5 51-C6 58 1F 65 eî⌡Q╞X eî⌡Q╞X e
    00000430: 8C F5 51 C6-58 1F 65 8C-F5 51 C6 58-1F 65 8C F5 î⌡Q╞X eî⌡Q╞X eî⌡
    00000440: 51 C6 58 1F-65 8C F5 51-C6 58 1F 65-8C D5 51 C6 Q╞X eî⌡Q╞X eî╒Q╞
    00000450: 58 13 65 8C-05 51 C6 58-10 65 8C F5-51 C6 58 1F X eî Q╞X eî⌡Q╞X
    00000460: 65 8C F5 51-C6 58 1F 65-8C F5 51 C6-58 1F 65 8C eî⌡Q╞X eî⌡Q╞X eî
    00000470: F5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ⌡Q╞X eî⌡Q╞X eî⌡Q
    00000480: C6 58 1F 65-8C F5 51 C6-58 1F 65 8C-F5 51 C6 58 ╞X eî⌡Q╞X eî⌡Q╞X
    00000490: 1F 65 8C F5-51 C6 58 1F-65 8C E5 51-76 CE 18 65 eî⌡Q╞X eîσQv╬ e
    000004A0: 7D 8C 51 F6-D3 62 8C 32-C6 28 13 63-94 31 46 19 }îQ÷╙bî2╞( cö1F
    000004B0: 63 94 89 31-CA 18 A3 EC-3B C7 18 65-8C 51 26 C6 cöë1╩ ú∞;╟ eîQ&╞
    000004C0: 28 63 8C 32-C6 28 13 63-94 31 46 D9-F7 8E 31 CA (cî2╞( cö1F┘≈Ä1╩
    000004D0: 18 A3 4C 8C-51 C6 18 65-8C 51 26 C6-28 63 8C 32 úLîQ╞ eîQ&╞(cî2
    000004E0: 31 46 19 63-94 31 46 99-18 A3 8C 31-CA 18 A3 4C 1F cö1FÖ úî1╩ úL
    000004F0: 8C 51 C6 18-65 62 8C 32-C6 28 63 8C-32 31 46 19 îQ╞ ebî2╞(cî21F
    00000500: 63 94 31 46-99 18 A3 8C-31 CA C4 18-65 8C 51 C6 cö1FÖ úî1╩─ eîQ╞
    00000510: 18 65 62 8C-32 C6 28 63-8C 32 31 46-19 63 94 89 ebî2╞(cî21F cöë
    00000520: 31 CA 18 A3-8C 31 CA C4-18 65 8C 51-C6 98 28 63 1╩ úî1╩─ eîQ╞ÿ(c
    00000530: 8C 32 C6 28-13 63 94 31-46 19 63 94-89 31 CA 18 î2╞( cö1F cöë1╩
    00000540: A3 8C 31 51-C6 18 65 8C-51 C6 98 28-63 8C 32 C6 úî1Q╞ eîQ╞ÿ(cî2╞
    00000550: 28 13 63 94-31 46 19 63-A2 8C 31 CA-18 A3 8C 31 ( cö1F cóî1╩ úî1
    00000560: 51 C6 18 65-8C 89 32 C6-28 63 8C 32-C6 44 19 63 Q╞ eîë2╞(cî2╞D c
    00000570: 94 31 46 19-63 A2 8C 31-CA 18 13 65-8C 51 C6 18 ö1F cóî1╩ eîQ╞
    00000580: 65 8C 89 32-C6 28 63 8C-32 C6 44 19-63 94 31 26 eîë2╞(cî2╞D cö1&
    00000590: CA 18 A3 8C-31 CA 18 13-65 8C 51 C6-18 65 8C 89 ╩ úî1╩ eîQ╞ eîë
    000005A0: 32 C6 28 63-4C 94 31 46-19 63 94 31-26 CA 18 A3 2╞(cLö1F cö1&╩ ú
    000005B0: 8C 31 BD 54-19 63 A2 8C-31 CA 18 D3-C5 E5 2F 34 î1╜T cóî1╩ ╙┼σ/4
    000005C0: 76 FE EF FB-24 3B 99 18-A3 8C 31 CA-E4 9F 4C 8C v■∩√$;Ö úî1╩ΣƒLî
    000005D0: 51 C6 18 65-62 8C 32 C6-28 63 8C 32-31 46 19 63 Q╞ ebî2╞(cî21F c
    000005E0: 94 89 31 CA-18 A3 8C 31-CA C4 18 65-8C 51 C6 18 öë1╩ úî1╩─ eîQ╞
    000005F0: 65 62 8C 32-C6 28 13 63-94 31 46 19-63 94 89 31 ebî2╞( cö1F cöë1
    00000600: CA 18 A3 8C-31 CA C4 18-65 8C 51 26-C6 28 63 8C ╩ úî1╩─ eîQ&╞(cî
    00000610: 32 C6 28 13-63 94 31 46-19 63 94 89-31 CA 18 A3 2╞( cö1F cöë1╩ ú
    00000620: 4C 8C 51 C6-18 65 8C 51-26 C6 28 63-8C 32 C6 44 LîQ╞ eîQ&╞(cî2╞D
    00000630: 19 63 94 31-46 99 18 A3-8C 31 CA 18-A3 4C 8C 51 cö1FÖ úî1╩ úLîQ
    00000640: C6 18 65 8C-89 32 C6 28-63 8C 32 C6-44 19 63 94 ╞ eîë2╞(cî2╞D cö
    00000650: 31 46 99 18-A3 8C 31 CA-18 13 65 8C-51 C6 18 65 1FÖ úî1╩ eîQ╞ e
    00000660: 8C 89 32 C6-28 63 4C 94-31 46 19 63-94 31 26 CA îë2╞(cLö1F cö1&╩
    00000670: 18 A3 8C 31-CA 18 13 65-8C 51 C6 98-28 63 8C 32 úî1╩ eîQ╞ÿ(cî2
    00000680: C6 28 63 4C-94 31 46 19-63 94 31 26-CA 18 A3 8C ╞(cLö1F cö1&╩ úî
    00000690: 31 51 C6 18-65 8C 51 C6-98 28 63 8C-32 C6 28 63 1Q╞ eîQ╞ÿ(cî2╞(c
    000006A0: 4C 94 31 46-19 63 A2 8C-31 CA 18 A3-8C 31 51 C6 Lö1F cóî1╩ úî1Q╞
    000006B0: 18 65 DF D4-98 28 63 8C-32 C6 44 19-63 94 31 46 e▀╘ÿ(cî2╞D cö1F
    000006C0: 19 63 A2 8C-31 CA BE BF-31 51 C6 18-65 8C 89 32 cóî1╩╛┐1Q╞ eîë2
    000006D0: C6 28 63 8C-32 C6 44 19-63 94 31 A6-1F A7 8C B1 ╞(cî2╞D cö1ª ºî▒
    000006E0: 73 CA 18 8B-3B 38 3C A0-8C B1 7A 1A-94 D5 31 46 s╩ ï;8<áî▒z ö╒1F
    000006F0: 59 1F 63 94-F5 31 46 59-1F 63 94 F5-31 46 59 1F Y cö⌡1FY cö⌡1FY
    00000700: 63 94 F5 31-46 59 1F 63-94 F5 31 46-59 1F 63 94 cö⌡1FY cö⌡1FY cö
    00000710: F5 31 46 59-1F 63 94 F5-31 46 59 1F-63 94 F5 31 ⌡1FY cö⌡1FY cö⌡1
    00000720: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
    00000730: 1F 63 94 F5-31 46 59 1F-63 94 D5 31-46 59 1D 63 cö⌡1FY cö╒1FY c
    00000740: 94 D5 31 46-59 1D 63 94-D5 31 46 59-1D 63 94 D5 ö╒1FY cö╒1FY cö╒
    00000750: 31 46 59 1D-63 94 D5 31-46 59 1D 63-94 D5 31 46 1FY cö╒1FY cö╒1F
    00000760: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
    00000770: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
    00000780: D5 31 46 59-6E 8C 31 CA-62 65 8C DD-45 D9 EB 63 ╒1FYnî1╩beî▌E┘δc
    00000790: 2C 8C 32 C6-6A 63 94 DD-C5 58 1C 65-8C F5 51 C6 ,î2╞jcö▌┼X eî⌡Q╞
    000007A0: 58 1F 65 8C-F5 51 C6 58-1F 65 8C F5-51 C6 58 1F X eî⌡Q╞X eî⌡Q╞X
    000007B0: 65 8C F5 51-C6 58 1F 65-8C F5 51 C6-58 1F 65 8C eî⌡Q╞X eî⌡Q╞X eî
    000007C0: F5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ⌡Q╞X eî⌡Q╞X eî⌡Q
    000007D0: C6 58 1F 65-8C F5 51 C6-58 1F 65 8C-F5 51 C6 58 ╞X eî⌡Q╞X eî⌡Q╞X
    000007E0: 1F 65 8C F5-51 C6 58 1D-65 8C D5 51-C6 58 1D 65 eî⌡Q╞X eî╒Q╞X e
    000007F0: 8C D5 51 C6-58 1D 65 8C-D5 51 C6 58-1D 65 8C D5 î╒Q╞X eî╒Q╞X eî╒
    00000800: 51 C6 58 1D-65 8C D5 51-C6 58 1D 65-8C D5 51 C6 Q╞X eî╒Q╞X eî╒Q╞
    00000810: 58 1D 65 8C-D5 51 C6 58-1D 65 8C D5-51 C6 58 1D X eî╒Q╞X eî╒Q╞X
    00000820: 65 8C D5 51-C6 58 1D 65-8C D5 51 C6-58 1E 65 A7 eî╒Q╞X eî╒Q╞X eº
    00000830: 8C D5 51 F6-9F 31 CA D2-4E AE B9 A5-83 01 00 00 î╒Q÷ƒ1╩╥N«╣Ñâ
    00000840: 00 06 42 F3-A7 DE F3 1C-8A A1 01 CB-A0 63 2D A3 B≤º▐≤ èí ╦ác-ú
    00000850: 8E B5 0C 3D-06 2C 03 8E-B5 4C 39 C6-2D 03 8E B5 Ä╡ = , Ä╡L9╞- Ä╡
    00000860: CC 3C 06 2C-03 8E B5 CC-3C 06 2C 03-8E B5 CC 3C ╠< , Ä╡╠< , Ä╡╠<
    00000870: 06 2C 03 8E-B5 CC 3C 06-2C 03 8E B5-CC 3C 06 2C , Ä╡╠< , Ä╡╠< ,
    00000880: 03 8E B5 CC-3C 06 2C 03-8E B5 CC 3C-06 2C 03 8E Ä╡╠< , Ä╡╠< , Ä
    00000890: B5 CC 3C 06-2C 03 8E B5-CC 3C 06 2C-03 8E B5 4C ╡╠< , Ä╡╠< , Ä╡L
    000008A0: 3A 06 2C 03-8E 01 CB C4-63 2D 03 8E-01 CB C4 63 : , Ä ╦─c- Ä ╦─c
    000008B0: 2D 03 8E 01-CB C4 63 2D-03 8E 01 CB-A4 63 C0 B2 - Ä ╦─c- Ä ╦ñc└▓
    000008C0: 8E 41 CB A4-63 C0 B2 8E-41 CB A4 63-C0 B2 8E 41 ÄA╦ñc└▓ÄA╦ñc└▓ÄA
    000008D0: CB A4 63 C0-B2 8E BD 5D-3A B4 61 20-08 A2 28 B6 ╦ñc└▓Ä╜]:┤a ó(╢
    000008E0: 20 FD D7 1C-38 FC 23 EB-F4 5C 83 F7-65 1D 6B D9 ²╫ 8ⁿ#δ⌠\â≈e k┘
    000008F0: 7E 6C 5B D6-B1 96 ED C7-6E 59 C7 5A-B6 1F DB 97 ~l[╓▒ûφ╟nY╟Z╢ █ù
    00000900: 75 AC 65 FB-B1 7D 59 C7-5A 76 C7 F6-65 1D 6B D9 u¼e√▒}Y╟Zv╟÷e k┘
    00000910: 7E 6C 5F D6-B1 96 ED C7-6E 59 C7 5A-B6 1F DB 97 ~l_╓▒ûφ╟nY╟Z╢ █ù
    00000920: 75 AC 65 DB-B1 61 59 C7-5A 36 1C 1B-96 75 AC 65 u¼e█▒aY╟Z6 ûu¼e
    00000930: FB B1 5B D6-B1 96 0D C7-86 65 1D 6B-D9 70 6C 58 √▒[╓▒û ╟åe k┘plX
    00000940: D6 B1 96 0D-C7 86 65 1D-6B D9 70 6C-58 D6 B1 96 ╓▒û ╟åe k┘plX╓▒û
    00000950: DD 31 60 19-70 AC 65 F2-B1 5B D6 B1-96 0D C7 86 ▌1` p¼e≥▒[╓▒û ╟å
    00000960: 65 1D 6B D9-70 6C 58 D6-B1 96 DD 31-60 19 72 AC e k┘plX╓▒û▌1` r¼
    00000970: 65 FE B1 5B-D6 B1 96 DD-31 60 19 74-AC 65 FE B1 e■▒[╓▒û▌1` t¼e■▒
    00000980: 5B D6 B1 96-DD 31 60 19-75 AC 65 FE-B1 5B D6 B1 [╓▒û▌1` u¼e■▒[╓▒
    00000990: 96 DD 31 60-19 75 AC 65-FE B1 5B 46-1D 6B 99 75 û▌1` u¼e■▒[F kÖu
    000009A0: CC 5F E6 1F-6B D9 1D F3-97 F9 C7 5A-36 1C F3 97 ╠_µ k┘ ≤ù∙╟Z6 ≤ù
    000009B0: F9 C7 5A 76-C7 FC 65 FE-B1 96 0D C7-FC 65 FE B1 ∙╟Zv╟ⁿe■▒û ╟ⁿe■▒
    000009C0: 96 FD DE 03-96 F1 C7 5A-E6 1F BB 65-D4 B1 96 01 û²▐ û±╟Zµ ╗e╘▒û
    000009D0: C7 DC 65 FE-B1 96 DD 31-65 99 7F AC-65 FE B1 5B ╟▄e■▒û▌1eÖ¼e■▒[
    000009E0: 46 1D 6B 19-70 4C 5C E6-1F 6B D9 1D-B3 96 F9 C7 F k pL\µ k┘ │û∙╟
    000009F0: 5A E6 1F BB-65 D4 B1 96-01 C7 C8 65-FE B1 96 DD Zµ ╗e╘▒û ╟╚e■▒û▌
    00000A00: 31 6A 99 7F-AC 65 FE B1-5B 46 1D 6B-19 70 4C 59 1jÖ¼e■▒[F k pLY
    00000A10: E6 1F 6B D9-1D 73 97 F9-C7 5A E6 1F-BB 65 D4 B1 µ k┘ sù∙╟Zµ ╗e╘▒
    00000A20: 96 01 C7 80-65 FC B1 96-DD 31 77 99-7F AC 65 FB û ╟Çeⁿ▒û▌1wÖ¼e√
    00000A30: 31 7F 99 7F-AC 65 77 4C-5F E6 1F 6B-D9 7E CC 5F 1Ö¼ewL_µ k┘~╠_
    00000A40: E6 1F 6B D9-1D F3 97 F9-C7 5A E6 1F-BB 65 F6 B1 µ k┘ ≤ù∙╟Zµ ╗e÷▒
    00000A50: 96 ED C7 FC-65 FE B1 96-F9 C7 6E 99-7D AC 65 FB ûφ╟ⁿe■▒û∙╟nÖ}¼e√
    00000A60: 31 7F 99 7F-AC 65 FE B1-5B 66 1F 6B-D9 7E CC 5F 1Ö¼e■▒[f k┘~╠_
    00000A70: E6 1F 6B 99-7F EC 96 D9-C7 5A B6 1F-F3 97 F9 C7 µ kÖ∞û┘╟Z╢ ≤ù∙╟
    00000A80: 5A E6 1F BB-65 F6 B1 96-ED C7 FC 65-FE B1 96 F9 Zµ ╗e÷▒ûφ╟ⁿe■▒û∙
    00000A90: C7 6E 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F ╟n u¼e╙1 u¼e╙1
    00000AA0: 19 75 AC 65-D3 31 7F 19-75 AC 65 D3-31 7F 19 75 u¼e╙1 u¼e╙1 u
    00000AB0: AC 65 D3 31-7F 19 75 AC-65 D3 31 7F-19 75 AC 65 ¼e╙1 u¼e╙1 u¼e
    00000AC0: D3 31 7F 19-75 AC 65 D3-31 7F 19 75-AC 65 D3 31 ╙1 u¼e╙1 u¼e╙1
    00000AD0: 7F 19 75 AC-65 D3 31 7F-19 75 AC 65-D3 31 7F 19  u¼e╙1 u¼e╙1
    00000AE0: 75 AC 65 D3-31 7F 19 75-AC 65 D3 31-7F 19 75 AC u¼e╙1 u¼e╙1 u¼
    00000AF0: 65 D3 31 7F-19 75 AC 65-D3 31 7F 19-75 AC 65 D3 e╙1 u¼e╙1 u¼e╙
    00000B00: 31 7F 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F 1 u¼e╙1 u¼e╙1
    00000B10: 19 75 AC 65-FC B1 7D 59-C7 A8 65 FB-31 78 59 C7 u¼eⁿ▒}Y╟¿e√1xY╟
    00000B20: A8 65 FB 31-78 59 C7 A8-65 5F 3A 96-FC 01 2A EE ¿e√1xY╟¿e_:ûⁿ *ε
    00000B30: B0 6C 0B 6E-B3 BA 00 00-00 00 49 45-4E 44 AE 42 ░l n│║ IEND«B
    00000B40: 60 82 - - - `é
    Let's walk through a simple PNG file...
    no.png

  127.
    Reminder
    A PNG file is a signature,
    then a sequence of Chunks:
    starts with a length,
    then a type,
    and ends with a CRC.
    no.png
    135

  128. To walk through a PNG:
    check the signature, followed by a chunk start
    (typically IHDR),
    then look for sequences like:
    XX XX XX XX LL LL LL LL AA AA AA AA
    4 random-looking bytes (the previous chunk's CRC), e.g. 88 CF CD 8E
    a big-endian length, e.g. 00 00 00 24
    a 4-byte alpha string (the chunk type), e.g. PLTE
    - Note the chunk type.
    - Skip L bytes.
    (Repeat until the IEND chunk.)
    no.png

  129. The same file, displayed with HexII and skipping data ranges
    0000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
    0010: 00 00 02 64 00 00 02 64 08 03 00 00 00 88 CF CD
    0020: 8E 00 00 00 24 .P .L .T .E FF FF FF FF 7D 7D FF
    0030: 6F 6F FF FE FE FF 7E 7E FF 00 00 FF 80 80 FF 6D
    0040: 6D FF 6E 6E FF 30 30 FF FD FD FF 2F 2F A6 F0 78
    0050: 4E 00 00 0A D9 .I .D .A .T 78 DA EC D2 D1 09 5A
    0060: 01 14 86 31 B5 DE EE 3F 72 1F CF 00 3F 94 20 5F
    ....
    0B20: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
    0B30: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
    0B40: 60 82
    no.png

  130. The file's chunk map
    0000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
    0010: 00 00 02 64 00 00 02 64 08 03 00 00 00 88 CF CD
    0020: 8E 00 00 00 24 .P .L .T .E FF FF FF FF 7D 7D FF
    0030: 6F 6F FF FE FE FF 7E 7E FF 00 00 FF 80 80 FF 6D
    0040: 6D FF 6E 6E FF 30 30 FF FD FD FF 2F 2F A6 F0 78
    0050: 4E 00 00 0A D9 .I .D .A .T 78 DA EC D2 D1 09 5A
    0060: 01 14 86 31 B5 DE EE 3F 72 1F CF 00 3F 94 20 5F
    0B20: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
    0B30: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
    0B40: 60 82
    0000-0007: Signature 89 .P .N .G \r \n ^Z \n
    0008-0020: Image Header 00 00 00 0D .I .H .D .R…88 CF CD 8E
    0021-0050: Palette 00 00 00 24 .P .L .T .E…A6 F0 78 4E
    0051-0B34: Data 00 00 0A D9 .I .D .A .T…0B 6E B3 BA
    0B35-0B41: End 00 00 00 00 .I .E .N .D AE 42 60 82
    no.png

  131. The PNG format is really easy to parse or manipulate at chunk level.
    import struct
    import binascii

    _MAGIC = b"\x89PNG\x0d\x0a\x1a\x0a"
    _crc32 = lambda d: (binascii.crc32(d) % 0x100000000)  # unsigned 32-bit CRC

    def parse(f):
        assert f.read(8) == _MAGIC
        chunks = []
        while True:
            l, = struct.unpack(">I", f.read(4))  # big-endian length
            t = f.read(4)                         # 4-byte chunk type
            d = f.read(l)                         # chunk body
            assert _crc32(t + d) == struct.unpack(">I", f.read(4))[0]
            chunks += [[t, d]]
            if t == b"IEND":
                return chunks
        raise BaseException("Invalid image")

    def make(chunks):
        s = [_MAGIC]
        for t, d in chunks:
            s += [
                struct.pack(">I", len(d)),
                t,
                d,
                struct.pack(">I", _crc32(t + d))
            ]
        return b"".join(s)  # chunk types and bodies are bytes
    Cf. minipng.py

  132. Recap: exploit strategy
    - lower-case chunks are ignored: aLIG/cOLL/sKIP/wHAT/eVER/…
    - 3 chunks to add:
      1. alignment
      2. collision: aligned with UniColl's 10th character,
         to jump over collision blocks with variable length.
      3. skip: one to land successfully, and jump over the first image.
    - we can copy the whole images' contents after their signature:
      they're made of a sequence of chunks, no need to parse them.

  133. Inserting chunks still keeps a PNG file valid.
    0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
    0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0040: 00 00 00 57 93 27 27 00 00 00 71 .c .O .L .L 00
    0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00C0: 32 B8 1F CE 00 00 00 0D .I .H .D .R 00 00 02 64
    00D0: 00 00 02 64 08 03 00 00 00 88 CF CD 8E 00 00 00
    00E0: 24 .P .L .T .E FF FF FF FF 7D 7D FF 6F 6F FF FE
    0BE0: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
    0BF0: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
    0C00: 60 82
    0000-0007: Signature
    0008-0046: Alignment 00 00 00 33 .a .L .I .G…57 93 27 27
    0047-00C3: UniColl 00 00 00 71 .c .O .L .L…32 B8 1F CE
    00C4-00DC: Image Header 00 00 00 0D .I .H .D .R…88 CF CD 8E
    00DD-010C: Palette 00 00 00 24 .P .L .T .E…A6 F0 78 4E
    010D-0BF1: Data 00 00 0A D9 .I .D .A .T…0B 6E B3 BA
    0BF2-0BFD: End 00 00 00 00 .I .E .N .D AE 42 60 82
    Source example:
    chunks = [
        [b"aLIG", 0x33 * b"\0"],
        [b"cOLL", 0x71 * b"\0"],
    ] + read(fNo)  # read(fNo): chunk list of the original no.png, as parse() returns it

  134. Mission
    (fields highlighted in the original: Length, Type, CRC32)
    0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
    0010: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0020: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0030: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0040: ?? ?? ?? ?? ?? ?? ?? 00 00 00 71 .c .O .L .L ??
    0050: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0060: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0070: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0080: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0090: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00A0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00B0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00C0: ?? ?? ?? ?? XX XX XX XX .s .K .I .P ?? ?? ?? ??
    [...]
    01C0: ?? ?? ?? ?? ?? ?? ?? ?? .I .H .D .R ?? ?? ?? ??
    01D0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    [...]
    ????: ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82 ?? ??
    ????: ?? ?? 00 00 20 00 .I .H .D .R ?? ?? ?? ?? ?? ??
    [...]
    ????: ?? ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82
    3 dummy chunks: alignment, collision and jump over (the first image) data

  135. 0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
    0010: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0020: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0030: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0040: ?? ?? ?? ?? ?? ?? ?? 00 00 00 71 .c .O .L .L ??
    0050: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0060: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0070: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0080: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    0090: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00A0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00B0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    00C0: ?? ?? ?? ?? XX XX XX XX .s .K .I .P ?? ?? ?? ??
    [...]
    01C0: ?? ?? ?? ?? ?? ?? ?? ?? .I .H .D .R ?? ?? ?? ??
    01D0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    [...]
    ????: ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82 ?? ??
    ????: ?? ?? 00 00 20 00 .I .H .D .R ?? ?? ?? ?? ?? ??
    [...]
    ????: ?? ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82
    (regions highlighted in the original: alignment chunk, UniColl chunk, chunks of image A, chunks of image B)
    Here's a working script for reference.

  136. Need to explore by yourself?
    Open Kaitai IDE with the lightweight PoCs
    https://ide.kaitai.io/ + https://github.com/corkami/collisions/blob/master/examples/free/README.md

  137. Kaitai tricks
    Only the high level structure is useful:
    -> a simpler grammar can be better.
    Looser logic can be required:
    Ex: IHDR chunk not in the first slot.
    ICYDK you can directly edit the grammar in the IDE!
    (the modified copy will be automatically saved in your local storage)
    Simplified PNG grammar (png_simple.ksy):
    meta:
      id: png
      file-extension: png
      endian: be
    seq:
      - id: magic
        contents: [137, 80, 78, 71, 13, 10, 26, 10]
      - id: chunks
        type: chunk
        repeat: until
        repeat-until: _.type == "IEND" or _io.eof
    types:
      chunk:
        seq:
          - id: len
            type: u4
          - id: type
            type: str
            size: 4
            encoding: UTF-8
          - id: body
            size: len
          - id: crc
            size: 4

  138. Know the format landscape
    All PNG viewers seem to ignore CRCs.
    Most PNG viewers tolerate starting w/ a dummy chunk.
    -> generic collisions for any PNG pair
    OS X (Safari, Preview) enforces an IHDR chunk first,
    and dimensions and colorspace are in the common prefix.
    They support the undocumented CgBI chunk,
    but they enforce the specs more than anyone else!
    -> Study the landscape to understand the scope of your exploit.
    file(1)'s magic entry for a standard PNG also expects IHDR right after the signature:
    # Standard PNG image.
    0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data
    https://github.com/file/file/blob/master/magic/Magdir/images#L440-L441

  139. Certificate (medium): Collision exploit, Reusable PNG via UniColl
    Ange Albertini, instructor, COLLTRIS

  140. Correct CRCs in a UniColliding PNG?
    - CRCs are ignored
    - the collision blocks have different contents
    + the collision blocks also change the length of the chunk
    -> 2 different CRCs for the 2 different lengths of the collision chunk
    -> correct CRCs are possible
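    The chunk walk from the slides, extended into a structural audit that flags the layouts discussed here (a leading non-IHDR chunk, a lower-case chunk whose body hides a second chunk stream, CRC mismatches, data after IEND); this is an added example in Python, not code from the deck or from corkami/collisions. The 1x1 images and the zero-filled aLIG/cOLL/sKIP chunks are constructed stand-ins, so no collision blocks are computed.

```python
import binascii
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def crc32(data):
    """Unsigned CRC-32, as stored at the end of a PNG chunk."""
    return binascii.crc32(data) & 0xFFFFFFFF


def make_png(chunks):
    """Serialize (type, body) pairs chunk by chunk, like the slides' make()."""
    out = [PNG_MAGIC]
    for ctype, body in chunks:
        out.append(struct.pack(">I", len(body)) + ctype + body
                   + struct.pack(">I", crc32(ctype + body)))
    return b"".join(out)


def walk_chunks(data):
    """Tolerant walk (signature, then length/type/body/CRC until IEND), the way
    the slides describe it and most viewers behave: a non-IHDR first chunk is
    accepted and CRCs are only recorded, not enforced.
    Returns (chunks, end): chunks = [(offset, type, body, crc_ok)], end = offset
    just past the IEND chunk (or where the walk gave up)."""
    if data[:8] != PNG_MAGIC:
        raise ValueError("not a PNG: bad signature")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):      # truncated chunk: stop here
            break
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((pos, ctype, body, crc == crc32(ctype + body)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def audit_png(data):
    """Structural findings for the collision layouts on these slides.
    An ordinary PNG yields an empty list."""
    findings = []
    chunks, end = walk_chunks(data)
    first = chunks[0][1].decode("latin-1") if chunks else "nothing"
    if first != "IHDR":
        findings.append(f"first chunk is {first}, not IHDR")
    for off, ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:   # weak signal: the deck shows correct CRCs are achievable
            findings.append(f"CRC mismatch on {name} at 0x{off:X}")
        # a lower-case (ancillary, ignored) chunk whose body carries a chunk
        # stream of its own is the sKIP trick: a whole image hidden inside it
        if ctype[:1].islower() and (b"IHDR" in body or b"IEND" in body):
            findings.append(f"{name} at 0x{off:X} hides a chunk stream ({len(body)} bytes)")
    if end < len(data):   # CPC style: the file is intact, blocks are appended
        tail = data[end:]
        what = "another image" if b"IHDR" in tail else "data"
        findings.append(f"{len(tail)} bytes of {what} after IEND")
    return findings


def tiny_png_chunks(gray):
    """Constructed 1x1 8-bit grayscale image as a chunk list: IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, depth 8, gray
    idat = zlib.compress(b"\x00" + bytes([gray]))         # filter byte + pixel
    return [(b"IHDR", ihdr), (b"IDAT", idat), (b"IEND", b"")]


IMAGE_A = make_png(tiny_png_chunks(0x00))
IMAGE_B = make_png(tiny_png_chunks(0xFF))

# Constructed stand-in for one member of a UniColl pair (slide layout): aLIG and
# cOLL are zero-filled placeholders, not collision blocks, and sKIP swallows
# image A's chunks so that a tolerant viewer lands on image B.
UNICOLL_STYLE = make_png(
    [(b"aLIG", b"\0" * 0x33), (b"cOLL", b"\0" * 0x71), (b"sKIP", IMAGE_A[8:])]
    + tiny_png_chunks(0xFF))

# Constructed stand-in for a CPC member: image A unchanged, 9 blocks of
# (placeholder) collision data appended after IEND.
CPC_STYLE = IMAGE_A + b"\0" * (9 * 64)

if __name__ == "__main__":
    for label, png in [("clean", IMAGE_A), ("unicoll", UNICOLL_STYLE), ("cpc", CPC_STYLE)]:
        print(label, audit_png(png) or "no findings")
```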

  141. The two Identical Prefix Collisions against MD5
    (blocks / time / where the differences are)
    FastColl: two blocks, a few seconds, in the middle (away from start or end)
    UniColl: two blocks, a few minutes, in prefix

  142. IPC limitations
    Some formats have hardcoded offsets, or don’t tolerate early comments
    Same prefix -> same file type
    Same header -> same metadata
    Enforced checksums prevent validity.
    Only the length of a current structure level can be manipulated.

  143. Chosen-Prefix Collisions: the ultimate attack
    HashClash CPC

  144. Our third block: a Chosen Prefix hash Collision

  145. A word of warning on CPC
    Hashclash, master of backtracking:
    takes 72 core hours to compute, if you're lucky.
    Often requires backtracking, but it's now automated.
    The fewer the collision blocks, the longer to compute.
    Example of a computation log: Corkami collisions, examples/cpc.txt

  146. Launching a hashclash computation
    Trivial: run scripts/cpc.sh prefix1 prefix2
    No monitoring required (unlike previous versions)
    ...
    [*] Timeout reached. Killing process with pid 5760
    Killed
    [*] Step 5 failed. Backtracking to step 4
    [*] Number of backtracks until now: 1
    [*] Time before backtrack: 2400 s
    [*] Starting step 4
    ...

  147. A 9-block CPC of yes and no. (differences are irrelevant)
    (hex dumps of both files in the original, annotated as: padding, random buffer (partial birthday attack bits), collision blocks)

  148. So, we have two files. Any pair of files. We can see them as prefixes.

  149. Padding, as usual
    Pad both files to the same length,
    to a block boundary minus 12 (0xC) bytes.
    Padding content doesn't matter.

  150. Computation
    We compute a collision that appends different blocks to both files.
    It makes sense only if both formats tolerate appended data
    (or cover it by a comment).
    Block differences are irrelevant in this case
    (we entirely control both prefixes).

  151. HashClash: almighty, but slower
    (blocks / time / differences)
    7-9 blocks, a few hours, irrelevant

  152. Input: two arbitrary prefixes
    Their content and length don't matter.
    Shorter prefixes don't make anything faster.
    Both are padded to the same size.
    The last 12 bytes before the collision blocks are used for the attack.
    They're always different.
    After, collision blocks are appended (by default, 9 of them: --maxblocks 9).

  153. The 2 steps of a CPC
    First, a single Birthday Search,
    then near-collision computation for each block.
    (which may require backtracking)
    Only the Birthday Search benefits from GPU.
    The B.S. doesn't require any backtracking.

  154. The fewer the blocks, the more complex the B.S.
    - 400kH for a single block CPC.
    - 7-9 blocks is a good trade-off for desktop computation.
    # Blocks | Complexity | Attack publication
    9 | 2^39 | 2009
    3 | 2^49 | 2009
    2 | 2^46 | 2019
    1 | 2^53 | 2009

  155. Impact of a CPC
    If two file formats tolerate appended data:
    compute the collision. Done.
    + Straightforward
    - Only works for a single pair

  156. Recap: Identical Prefix vs Chosen Prefix

  157. From a content perspective
    IPC: both contents in each file.
    (You might leak your payload)
    CPC: Only one content per file.
    (evil payload not in the good file)

  158. From a file perspective
    IPC: Deeply modified file structures.
    Weird header, 2 payloads, possibly split.
    CPC: Each file starts exactly like before.
    It's just appended data.

  159. From a computing perspective
    IPC: Can reuse a precomputed collision,
    so instant generation can be possible.
    CPC: No re-usability: same computation every time.
    -> no optimization, no shortcut.


  160. Level-up: IPC(CPC) = combining CPC flexibility with IPC re-usability

  161. Using CPC as a prefix like an IPC
    More computing than IPC, but less restrictive.
    Do a CPC with headers rather than whole files.
    Append body/footer of 2 files.
    Enables mixing file types:
    - valid/invalid files
    - polyglot collisions
    170

    View full-size slide

  162. PE collisions
    via a CPC used like an IPC
    171


  163. 0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
    0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
    0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0030: 00 00 00 00-00 00 00 00-00 00 00 00-E8 00 00 00 Φ
    0040: 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 54 68 ♫▼║♫ ┤○═!╕☺L═!Th
    0050: 69 73 20 70-72 6F 67 72-61 6D 20 63-61 6E 6E 6F is program canno
    0060: 74 20 62 65-20 72 75 6E-20 69 6E 20-44 4F 53 20 t be run in DOS
    0070: 6D 6F 64 65-2E 0D 0D 0A-24 00 00 00-00 00 00 00 mode.♪♪◙$
    0080: 59 09 56 C8-1D 68 38 9B-1D 68 38 9B-1D 68 38 9B Y○V╚↔h8¢↔h8¢↔h8¢
    0090: 0E 60 51 9B-1F 68 38 9B-18 64 37 9B-07 68 38 9B ♫`Q¢▼h8¢↑d7¢•h8¢
    00A0: 18 64 58 9B-3C 68 38 9B-18 64 67 9B-8F 68 38 9B ↑dX¢
    00B0: 9E 60 65 9B-1E 68 38 9B-1D 68 39 9B-43 68 38 9B ₧`e¢▲h8¢↔h9¢Ch8¢
    00C0: 18 64 5C 9B-14 68 38 9B-F1 63 66 9B-1C 68 38 9B ↑d\¢¶h8¢±cf¢∟h8¢
    00D0: 18 64 62 9B-1C 68 38 9B-52 69 63 68-1D 68 38 9B ↑db¢∟h8¢Rich↔h8¢
    00E0: 00 00 00 00-00 00 00 00-50 45 00 00-4C 01 04 00 PE L☺♦
    00F0: 4A 24 52 44-00 00 00 00-00 00 00 00-E0 00 0F 01 J$RD α ☼☺
    0100: 0B 01 07 0A-00 10 03 00-00 E0 00 00-00 00 00 00 ♂☺•◙ ►♥ α
    0110: 6F 9C 01 00-00 10 00 00-00 20 03 00-00 00 40 00 o£☺ ► ♥ @
    0120: 00 10 00 00-00 10 00 00-04 00 00 00-01 00 00 00 ► ► ♦ ☺
    0130: 04 00 00 00-00 00 00 00-00 00 04 00-00 10 00 00 ♦ ♦ ►
    0140: B3 B5 04 00-03 00 00 00-00 00 10 00-00 10 00 00 │╡♦ ♥ ► ►
    0150: 00 00 10 00-00 10 00 00-00 00 00 00-10 00 00 00 ► ► ►
    0160: 00 00 00 00-00 00 00 00-58 8E 03 00-28 00 00 00 XÄ♥ (
    0170: 00 F0 03 00-20 03 00 00-00 00 00 00-00 00 00 00 ≡♥ ♥
    0180: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0190: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01A0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01B0: 60 50 03 00-48 00 00 00-00 00 00 00-00 00 00 00 `P♥ H
    01C0: 00 20 03 00-0C 01 00 00-00 00 00 00-00 00 00 00 ♥ ♀☺
    01D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01E0: 2E 74 65 78-74 00 00 00-4A 00 03 00-00 10 00 00 .text J ♥ ►
    01F0: 00 10 03 00-00 10 00 00-00 00 00 00-00 00 00 00 ►♥ ►
    0200: 00 00 00 00-20 00 00 60-2E 72 64 61-74 61 00 00 `.rdata
    0210: 36 74 00 00-00 20 03 00-00 80 00 00-00 20 03 00 6t ♥ Ç ♥
    0220: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
    0230: 2E 64 61 74-61 00 00 00-B8 40 00 00-00 A0 03 00 .data ╕@ á♥
    0240: 00 30 00 00-00 A0 03 00-00 00 00 00-00 00 00 00 0 á♥
    0250: 00 00 00 00-40 00 00 C0-2E 72 73 72-63 00 00 00 @ └.rsrc
    0260: 20 03 00 00-00 F0 03 00-00 10 00 00-00 D0 03 00 ♥ ≡♥ ► ╨♥
    0270: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
    0280: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0FE0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    1000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
    1010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
    1020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
    1030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
    Number Name VSize Address PSize Offset Flag
    1 .text 0003004A 00001000 00031000 00001000 60000020
    2 .rdata 00007436 00032000 00008000 00032000 40000040
    3 .data 000040B8 0003A000 00003000 0003A000 C0000040
    4 .rsrc 00000320 0003F000 00001000 0003D000 40000040
    Anatomy of a typical PE file
    - DOS header: declares Executable, points to PE header.
    - in between, DOS Stub (old 16 bit code)
    & Rich header (MS Linker information)
    - PE header (critical) contains all the critical information
    including sections mapping (offsets -> address)
    172

  164. 0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
    0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
    0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0030: 00 00 00 00-00 00 00 00-00 00 00 00-E8 00 00 00 Φ
    0040: 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 54 68 ♫▼║♫┤○═!╕☺L═!Th
    0050: 69 73 20 70-72 6F 67 72-61 6D 20 63-61 6E 6E 6F is program canno
    0060: 74 20 62 65-20 72 75 6E-20 69 6E 20-44 4F 53 20 t be run in DOS
    0070: 6D 6F 64 65-2E 0D 0D 0A-24 00 00 00-00 00 00 00 mode.♪♪◙$
    0080: 59 09 56 C8-1D 68 38 9B-1D 68 38 9B-1D 68 38 9B Y○V╚↔h8¢↔h8¢↔h8¢
    0090: 0E 60 51 9B-1F 68 38 9B-18 64 37 9B-07 68 38 9B ♫`Q¢▼h8¢↑d7¢•h8¢
    00A0: 18 64 58 9B-3C 68 38 9B-18 64 67 9B-8F 68 38 9B ↑dX¢
    00B0: 9E 60 65 9B-1E 68 38 9B-1D 68 39 9B-43 68 38 9B ₧`e¢▲h8¢↔h9¢Ch8¢
    00C0: 18 64 5C 9B-14 68 38 9B-F1 63 66 9B-1C 68 38 9B ↑d\¢¶h8¢±cf¢∟h8¢
    00D0: 18 64 62 9B-1C 68 38 9B-52 69 63 68-1D 68 38 9B ↑db¢∟h8¢Rich↔h8¢
    00E0: 00 00 00 00-00 00 00 00-50 45 00 00-4C 01 04 00 PE L☺♦
    00F0: 4A 24 52 44-00 00 00 00-00 00 00 00-E0 00 0F 01 J$RD α ☼☺
    0100: 0B 01 07 0A-00 10 03 00-00 E0 00 00-00 00 00 00 ♂☺•◙ ►♥ α
    0110: 6F 9C 01 00-00 10 00 00-00 20 03 00-00 00 40 00 o£☺ ► ♥ @
    0120: 00 10 00 00-00 10 00 00-04 00 00 00-01 00 00 00 ► ► ♦ ☺
    0130: 04 00 00 00-00 00 00 00-00 00 04 00-00 10 00 00 ♦ ♦ ►
    0140: B3 B5 04 00-03 00 00 00-00 00 10 00-00 10 00 00 │╡♦ ♥ ► ►
    0150: 00 00 10 00-00 10 00 00-00 00 00 00-10 00 00 00 ► ► ►
    0160: 00 00 00 00-00 00 00 00-58 8E 03 00-28 00 00 00 XÄ♥ (
    0170: 00 F0 03 00-20 03 00 00-00 00 00 00-00 00 00 00 ≡♥ ♥
    0180: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0190: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01A0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01B0: 60 50 03 00-48 00 00 00-00 00 00 00-00 00 00 00 `P♥ H
    01C0: 00 20 03 00-0C 01 00 00-00 00 00 00-00 00 00 00 ♥ ♀☺
    01D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    01E0: 2E 74 65 78-74 00 00 00-4A 00 03 00-00 10 00 00 .text J ♥ ►
    01F0: 00 10 03 00-00 20 00 00-00 00 00 00-00 00 00 00 ►♥ ►
    0200: 00 00 00 00-20 00 00 60-2E 72 64 61-74 61 00 00 `.rdata
    0210: 36 74 00 00-00 20 03 00-00 80 00 00-00 30 03 00 6t ♥ Ç ♥
    0220: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
    0230: 2E 64 61 74-61 00 00 00-B8 40 00 00-00 A0 03 00 .data ╕@ á♥
    0240: 00 30 00 00-00 B0 03 00-00 00 00 00-00 00 00 00 0 á♥
    0250: 00 00 00 00-40 00 00 C0-2E 72 73 72-63 00 00 00 @ └.rsrc
    0260: 20 03 00 00-00 F0 03 00-00 10 00 00-00 E0 03 00 ♥ ≡♥ ► ╨♥
    0270: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
    0280: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    2000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
    2010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
    2020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
    2030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
    Abusing PE files
    - DOS header only contains 2 important fields (Magic and pointers),
    the rest is irrelevant.
    - DOS Stub and Rich header can be removed.
    - PE header can be moved further: just update its pointer.
    - Sections can be moved further: just adjust offsets.
    Number Name VSize Address PSize Offset Flag
    1 .text 0003004A 00001000 00031000 00002000 60000020
    2 .rdata 00007436 00032000 00008000 00033000 40000040
    3 .data 000040B8 0003A000 00003000 0003B000 C0000040
    4 .rsrc 00000320 0003F000 00001000 0003E000 40000040
    173

  165. Windows PE collisions
    - DOS header is generic:
    pointers to 2 headers, over collision blocks.
    - DOS Stub and Rich header are discarded
    to make place for collision blocks
    - two PE Headers that follow each other
    - both section sets have adjusted offsets.
    -> Reusable and instant PE collision
    0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
    0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
    0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    0030: 00 00 00 00-00 00 00 00-00 00 00 00--80 04 00 00 Ç♦
    00040: 2F 3D 2D 3D-2D 3D 2D 3D-2D 3D 2D 3D-2D 3D 2D 5C /=-=-=-=-=-=-=-\
    00050: 7C 50 45 20-43 50 43 20-48 65 61 64-65 72 00 7C |PE CPC Header |
    00060: 5C 2D 3D 2D-3D 2D 3D 2D-3D 2D 3D 2D-3D 2D 3D 2F \-=-=-=-=-=-=-=/
    00070: 41 6E 67 65-00 00 00 00-50 9F 71 32-3D 49 75 DD Ange Pƒq2=Iu▌
    00080: E3 45 20 DB-90 D9 F9 1A-1E 32 55 D1-4D C9 14 F6 πE █É┘∙→▲2U╤M╔¶÷
    00090: AD D9 79 C8-3E D7 22 3D-EF AB 83 E8-DD CB 87 F0 ¡┘y╚>╫"=∩½âΦ▌╦ç≡
    ...
    002B0: F2 C8 C5 E0-7D 7C 29 D8-91 36 41 37-D0 8D 04 E5 ≥╚┼α}|)╪æ6A7╨ì♦σ
    002C0: 50 45 00 00-4C 01 04 00-4A 24 52 44-00 00 00 00 PE L☺♦ J$RD
    002D0: 00 00 00 00-E0 00 0F 01-0B 01 07 0A-00 10 03 00 α ☼☺♂☺•◙ ►♥
    002E0: 00 E0 00 00-00 00 00 00-6F 9C 01 00-00 10 00 00 α o£☺ ►
    002F0: 00 20 03 00-00 00 40 00-00 10 00 00-00 10 00 00 ♥ @ ► ►
    00300: 04 00 00 00-01 00 00 00-04 00 00 00-00 00 00 00 ♦ ☺ ♦
    00470: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    00480: 50 45 00 00-4C 01 04 00-E7 81 0C 54-00 00 00 00 PE L☺♦ τü♀T
    00490: 00 00 00 00-E0 00 03 01-0B 01 09 00-00 9E 03 00 α ♥☺♂☺○ ₧♥
    004A0: 00 A2 01 00-00 00 00 00-CC 91 02 00-00 10 00 00 ó☺ ╠æ☻ ►
    004B0: 00 B0 03 00-00 00 40 00-00 10 00 00-00 02 00 00 ░♥ @ ► ☻
    ...
    007E0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    007F0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    00800: 8B 44 24 0C-8B 4C 24 10-57 8B 7C 24-0C 8D 57 01 ïD$♀ïL$►Wï|$♀ìW☺
    00810: C7 00 00 00-00 00 52 C7-01 00 00 00-00 E8 09 6A ╟ R╟☺ Φ○j
    00820: 02 00 83 C4-04 85 C0 75-02 5F C3 56-33 C9 33 F6 ☻ â─♦à└u☻_├V3╔3÷
    ...
    54FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    55000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
    55010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
    55020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
    55030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
    ...
    91FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    (the other file's DOS header holds C0 02 00 00 instead of 80 04 00 00 at offset 0x3C:
    the 2 values point to PE Header 1 at 0x2C0 and PE Header 2 at 0x480)
    Layout:
    DOS Header (prefix w/ 2 values) -> points to PE Header 1 / PE Header 2
    Alignments and collision blocks
    PE Header 1 -> maps Sections set 1
    PE Header 2 -> maps Sections set 2
    174

  166. Recap: CPC-IPC exploitation for PE files
    1. Craft 2 DOS headers with enough difference:
    - 1 block of alignment, 9 blocks of collision + 1 PE header
    2. Compute CPC (a few hours)
    3. Copy PE headers. Append sections.
    Adjust section offsets.
    -> instant collision of any pair of PE files
    (with no code modification)
    175
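As an added example (not the deck's or the corkami tooling's code), this Python script parses the DOS header pointer and section table of a PE header area, shifts section raw offsets the way step 3 describes, and applies the check a defender wants against this layout: how many PE signatures sit between the DOS header and the first section's data? The section values are copied from the deck's section table; the header buffers, the offsets 0x800/0x55000 and the heuristic itself are constructed here.

```python
import struct

# Layouts from the PE/COFF specification.
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, 2 counts, Characteristics
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes per entry

# Section table copied from the deck's "Anatomy of a typical PE file" listing:
# (name, VSize, Address, PSize, Offset, Flags)
SLIDE_SECTIONS = [
    (b".text",  0x0003004A, 0x00001000, 0x00031000, 0x00001000, 0x60000020),
    (b".rdata", 0x00007436, 0x00032000, 0x00008000, 0x00032000, 0x40000040),
    (b".data",  0x000040B8, 0x0003A000, 0x00003000, 0x0003A000, 0xC0000040),
    (b".rsrc",  0x00000320, 0x0003F000, 0x00001000, 0x0003D000, 0x40000040),
]


def shift_sections(sections, delta):
    """'Adjust section offsets': move every PointerToRawData by delta, addresses stay."""
    return [(n, vs, va, ps, po + delta, fl) for n, vs, va, ps, po, fl in sections]


def pe_block(sections, opt_size=0xE0):
    """PE signature + COFF header + zeroed PE32 optional header + section table (constructed)."""
    out = bytearray(b"PE\0\0")
    out += struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; the rest is irrelevant here
    out += opt
    for name, vsize, vaddr, psize, poff, flags in sections:
        out += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, psize, poff, 0, 0, 0, 0, flags)
    return bytes(out)


def dos_header(e_lfanew):
    """Minimal DOS header: 'MZ' magic and the e_lfanew pointer at 0x3C; everything else zero."""
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


def typical_pe():
    """Constructed sample: PE header right after a 0xE8-byte DOS area, as in the deck's listing."""
    return dos_header(0xE8) + pe_block(SLIDE_SECTIONS)


def two_header_pe():
    """Constructed sample with the deck's collision layout: e_lfanew -> PE header 1 at 0x2C0,
    a second PE header at 0x480, section set 1 moved to 0x800 and set 2 to 0x55000.
    The twin file would be identical except for e_lfanew = 0x480 (assumed values)."""
    set1 = shift_sections(SLIDE_SECTIONS, 0x800 - 0x1000)
    set2 = shift_sections(SLIDE_SECTIONS, 0x55000 - 0x1000)
    buf = bytearray(dos_header(0x2C0) + pe_block(set1))
    buf += bytes(0x480 - len(buf))          # alignment up to PE header 2
    buf += pe_block(set2)
    return bytes(buf)


def parse_sections(buf):
    """Follow e_lfanew and return (e_lfanew, [section dicts]) for the header it points to."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point to a PE signature")
    coff = struct.unpack_from(COFF_FMT, buf, e_lfanew + 4)
    nsections, opt_size = coff[1], coff[5]
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, buf, table + i * SECTION_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                         "address": f[2], "raw_size": f[3], "raw_offset": f[4]})
    return e_lfanew, sections


def header_area_check(buf):
    """Defender heuristic (mine, not the deck's): count 'PE\\0\\0' signatures between the DOS
    header and the first section's raw data. A normal file has one; this layout has two."""
    e_lfanew, sections = parse_sections(buf)
    first_raw = min(s["raw_offset"] for s in sections)
    sigs, pos = [], buf.find(b"PE\0\0", 0x40)
    while pos != -1 and pos < first_raw:
        sigs.append(pos)
        pos = buf.find(b"PE\0\0", pos + 4)
    return {"e_lfanew": e_lfanew, "pe_signatures": sigs,
            "multiple_pe_headers": len(sigs) > 1}


if __name__ == "__main__":
    for label, sample in (("typical", typical_pe()), ("two-header", two_header_pe())):
        print(label, header_area_check(sample))
```

A second PE signature in the header gap is only a heuristic: a real scanner should also verify that every section's raw offset and size fall inside the file.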


  167. Chaining collisions
    176


  168. Chaining collisions
    A collision makes two different contents have the same hash.
    -> they can be chained like a tree.
    Top nodes can be an IPC, the others CPCs or UniColl.
    -> colliding more than 2 files:
    N collisions make N+1 contents collide.
    177

  169. Collisions trees
    PoeMD5:
    8 UniColls displayed on the page.
    https://github.com/corkami/collisions#pdf
    A pile-up of 3 HashClashes
    to collide 4 file types.
    Nostradamus (2007):
    11 HashClashes for 12 PDFs
    https://www.win.tue.nl/hashclash/Nostradamus/
    178


  170. All the known (implemented) collision attacks on SHA-1
    Shattered: 2 blocks, 11K USD, differences at start & end
    Shambles:  9 blocks, 45K USD, difference position irrelevant
    179

  171. Shattered
    a SHA-1 IPC
    180


  172. Shattered
    - an IPC for SHA-1
    - computed only once (?)
    - differences at start and end
    -> “easy” to exploit
    Official PoCs: JPGs in PDFs
    (PDFs embed JPGs natively)
    2 blocks, 6K years, differences at start & end
    181

  173. Shattered files layout: different length => skip first image data
    182

  174. Length / Type / Value <-> Type / Length / Value
    Most formats declare Length before Type (LTV):
    -> not good for hash collisions (the type declaration falls in random bytes)
    JPG & MP4* are TLV & big endian -> exploitable w/ Shattered:
    declare a comment (FF FE for JPG, free for MP4),
    then abuse the length with the collision difference.
    *with 64b lengths
    183

  175. For more details about Shattered exploitation:
    https://speakerdeck.com/ange/exploiting-hash-collisions (2017)
    184


  176. Shambles
    a SHA-1 CPC
    185


  177. The two Shambles files side by side (prefixes, birthday bits, then identical bytes and differences)
    offset 0 1 2 3 4 5 6 7 01234567 0 1 2 3 4 5 6 7 01234567
    0x0000 99040d047fe81780 ........ 99030d047fe81780 ........
    0x0008 012000ff4b657920 . ..Key 011800ff50726163 ....Prac
    0x0010 6973207061727420 is part 746963616c205348 tical SH
    0x0018 6f66206120636f6c of a col 412d312063686f73 A-1 chos
    0x0020 6c6973696f6e2120 lision! 656e2d7072656669 en-prefi
    0x0028 4974277320612074 It's a t 7820636f6c6c6973 x collis
    0x0030 7261702179c61af0 rap!y... 696f6e211d276c6b ion!.'lk
    0x0038 afcc054515d9274e ...E..'N a661e1040e1f7d76 .a....}v
    0x0040 7307624b1dc7fb23 s.bK...# 7f076249ddc7fb33 ..bI...3
    0x0048 988bb8de8b575dba .....W]. 2c8bb8c2b7575dbe ,....W].
    0x0050 7b9eab31c1674b6d {..1.gKm c79eab2be1674b7d ...+.gK}
    ...
    0x0238 05a404fbdb12fc45 .......E 05a404f76312fc55 ....c..U
    0x0240 4d41fdd95cf24596 MA..\.E. 4141fddb9cf24586 AA....E.
    0x0248 64a2ad032d1da60a d...-... d0a2ad1f111da60e ........
    0x0250 73264075d7f1e0d6 s&@u.... cf26406ff7f1e0c6 .&@o....
    0x0258 c1403ae7a0d861df .@:...a. e5403afb4cd861cb .@:.L.a.
    0x0260 3fe5707188dd5e07 ?.pq..^. 33e5707348dd5e17 3.psH.^.
    0x0268 d1589b9f8b663055 .X...f0U 65589b83a7663051 eX...f0Q
    0x0270 3f8fc352b3e0c27d ?..R...} 838fc34a03e0c26d ...J...m
    0x0278 a80bddba4c64020d ....Ld.. a80bddb6f464021d .....d..
    186

  178. Shambles
    - a CPC for SHA-1
    - same layout as HashClash:
    9 blocks, 12 birthday bits
    Official PoCs: PGP
    9 blocks, 45K USD, difference position irrelevant
    187

  179. All the known (implemented) collision attacks on MD5
    FastColl:  two blocks, a few seconds, differences in the middle (away from start or end)
    UniColl:   two blocks, a few minutes, differences in prefix
    HashClash: 7-9 blocks, a few hours, difference position irrelevant
    189

  180. Common points of all these attacks
    They all append random-looking blocks with tiny differences.
    No, there's no other kind of attack!
    Nothing like:
    - ASCII-only
    - incomplete blocks
    - modify in the middle
    190

  181. Only 3 attacks?
    In 2008, a CPC attack was used to create a rogue SSL certificate.
    (200 PS3s, signing at an exact second,
    4 attempts, 2 days of computation each…)
    -> MD5 was considered dead for good.
    -> no incentive for any further research.
    https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089
    191

  182. Exploitation patterns
    File layout: File (prefix), Comment (padding), Header, Body (chunks), Footer
    Patterns: Identical Prefix, Chosen Prefix, Reusable IPC, Reusable CPC, CPC
    192

  183. Layout of a re-usable collision exploit
    Prefix / Alignment / Suffix
    193

  184. MD5 is a toy function rather than a cryptographic hash
    ...have fun!
    194

  185. Mako's “Toy MD5 Collider” for the MegaDrive
    2964F721 7EEEF375 983F0420 725976C2
    60101938 18BDD53D 332E8131 25244205
    04D9B9CE 80FF0958 EB01DAD4 9A4DAA18
    AD894BEB A3A824B2 C94DB974 378499C2
    478D436C 255C79F3 A7B2A523 CBA811FB
    D7D0C870 1F1C6B5F 6EEBDFDF 4BA0AD41
    31D8B06A 020B9399 B897DB50 499C7713
    879C2E0B DB0267DD FE27A567 DDA5487C

    2964F721 7EEEF375 983F0420 725976C2
    601019B8 18BDD53D 332E8131 25244205
    04D9B9CE 80FF0958 EB01DAD4 9ACDAA18
    AD894BEB A3A824B2 C94DB9F4 378499C2
    478D436C 255C79F3 A7B2A523 CBA811FB
    D7D0C8F0 1F1C6B5F 6EEBDFDF 4BA0AD41
    31D8B06A 020B9399 B897DB50 491C7713
    879C2E0B DB0267DD FE27A5E7 DDA5487C

    4CFB0E37 5E7078A2 31260B95 4550524A
    $ file selfmd5-release.zip
    selfmd5-release.zip: Sega Mega Drive / Genesis ROM image: "TOY MD5 COLLIDER" (GM 00000000-00, (C) MAKO 2017 )
    $
    dd49d7eb...
    195

  186. It takes 2 hours
    1988: Sega Mega Drive/Genesis - 1992: MD5
    196


  187. Other UniColl-based exploits
    for other formats
    For more, see https://github.com/corkami/collisions
    198


  188. PDF
    Merge both documents, split /Kids in 2 parts showing the page sets separately.
    Declare a /Catalog object that has its /Pages as object 2.
    0040: .. .. ./ .P .a .g .e .s . .2 . .0 . .R \n .%
    The other file will have its pages referenced as object 3.
    0040: .. .. ./ .P .a .g .e .s . .3 . .0 . .R \n .%
    More details @ https://github.com/corkami/collisions#pdf
    199

  189. JPEG file structure
    Comment segment in JPG: FF FE
    Scans can be bigger than 64 kB -> split them via saving as progressive
    200

  190. JPG
    In JPG specifications, chunks are called segments.
    Use a FF FE COMment segment for alignment, then a comment of length 0x77
    0000: FF D8 FF FE-00 03 .. FF FE 00 77 .. .. .. .. ..
    The other file will have a longer segment of 0x177.
    0000: FF D8 FF FE-00 03 .. FF FE 01 77 .. .. .. .. ..
    Cf. https://github.com/corkami/collisions#jpg
    201

  191. MP4 (+JP2, HEIF…)
    In MP4 specifications, chunks are called Atoms/Boxes.
    Use FREE atoms: one for alignment, then one of length 0x79
    0040: .. .. .. .. .. .. .. 00 00 00 79 .F .R .E .E ..
    The other file will have a longer chunk of 0x179.
    0040: .. .. .. .. .. .. .. 00 00 01 79 .F .R .E .E ..
    Adjusting absolute (!) offsets in sample tables is required.
    More details @ https://github.com/corkami/collisions#mp4-and-others
    202
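As an added example (not the deck's code) covering the JPG and MP4 slides above, here are minimal segment and box walkers for both formats, showing why a length that follows the type lets a single differing byte (00 77 vs 01 77, 00 00 00 79 vs 00 00 01 79) move the parser's landing point by exactly 0x100. The sample files are constructed inline after the slides' sketches; the function names are mine.

```python
import struct


def walk_jpeg_segments(data):
    """List (offset, marker, length) for each JPEG marker segment, stopping at SOS or EOI.
    JPEG is TLV: FF xx marker, then a big-endian 16-bit length that includes itself."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: standalone marker, no length
            segments.append((pos, marker, 0))
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]
        segments.append((pos, marker, length))
        if marker == 0xDA:                       # SOS: entropy-coded data follows, stop here
            break
        pos += 2 + length                        # the parser simply jumps over the payload
    return segments


def walk_mp4_atoms(data):
    """List (offset, type, size) for top-level MP4 boxes ("atoms").
    MP4 is LTV: big-endian 32-bit size (header included), then the 4-char type;
    size 1 means a 64-bit largesize follows, size 0 means "to end of file"."""
    atoms, pos = [], 0
    while pos + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:
            size = len(data) - pos
        if size < header:
            raise ValueError(f"bad box size at {pos:#x}")
        atoms.append((pos, kind.decode("ascii"), size))
        pos += size
    return atoms


def jpeg_with_comments(second_len):
    """Constructed sample, after the deck's sketch: SOI, a 3-byte COM for alignment,
    a COM of `second_len` bytes (0x77 in one file, 0x177 in the other), then EOI.
    The comment bodies are zeros here; in a real collision they are the random blocks."""
    return (b"\xFF\xD8"
            + b"\xFF\xFE\x00\x03A"
            + b"\xFF\xFE" + struct.pack(">H", second_len) + bytes(second_len - 2)
            + b"\xFF\xD9")


def mp4_with_free(free_size, largesize=False):
    """Constructed sample: one 'free' box of `free_size` bytes (0x79 / 0x179 in the deck),
    optionally with a 64-bit largesize field, followed by an empty 'moov' box."""
    if largesize:
        free = struct.pack(">I4sQ", 1, b"free", free_size) + bytes(free_size - 16)
    else:
        free = struct.pack(">I4s", free_size, b"free") + bytes(free_size - 8)
    return free + struct.pack(">I4s", 8, b"moov")


def landing_offset_jpeg(second_len):
    """Where the parser lands after the second comment: the EOI offset."""
    return walk_jpeg_segments(jpeg_with_comments(second_len))[-1][0]


def landing_offset_mp4(free_size, largesize=False):
    """Where the parser lands after the free box: the moov offset."""
    return walk_mp4_atoms(mp4_with_free(free_size, largesize))[-1][0]


if __name__ == "__main__":
    print(hex(landing_offset_jpeg(0x77)), hex(landing_offset_jpeg(0x177)))
    print(hex(landing_offset_mp4(0x79)), hex(landing_offset_mp4(0x179)))
```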


  192. File format | Comment bit length | Generic collision | FastColl | UniColl | Shattered | HashClash
    GZIP 16 ✓ ✓* ✓* ✓
    PDF 32 ✓ ✓* ✓
    JPG 16 ✓ ✓* ✓* ✓
    PNG 32 ✓ ✓* ✓
    MP4 32/64 ✓ ✓* ✓* ✓
    PE N/A ✓ ✓
    GIF 8 ✗ ✓ ✓
    ZIP-based (DOCX, 3MF) 16 ✓ ✓
    ELF/TAR/Mach-O/Class ✗ ✓
    * restrictions
    203

  193. Exploiting FastColl
    It seems hard, but not necessarily impossible.
    It's a matter of finding the right file format.
    (AKA aligning planets)
    Extra
    204


  194. 00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 AA D2 5C 30 C0
    00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
    10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
    50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
    60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
    70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
    80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
    90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
    A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
    B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
    Recap on FastColl
    It’s just a matter of getting a format
    to comply with the single byte differences:
    - padding, for alignments
    - the collision blocks’ randomness needs to be ignored
    - the differences need to be taken into account
    - two contents need to coexist
    205

  195. The Graphics Interchange Format
    Specifications from 1989
    /dʒɪf/ JIF
    /ɡɪf/ GHIF
    - FastColl based exploit: instant computation
    - same dimensions and palettes, single frame.
    - first image displayed for 10 minutes (each image is a different frame).
    5c827c0eba9cfaa647c1a489bea77c60 *collision1.gif
    5c827c0eba9cfaa647c1a489bea77c60 *collision2.gif
    206

  196. Overview of the Graphics Interchange Format
    207
    - Punctuation delimited: ! , ;
    - a frame can be made of several images
    - header contains file palette & dimensions…
    - Comments can only be later in the file, in extensions
    -> no generic collisions for all GIFs


  197. More details
    208
    - A header, with dimensions and optional global palette
    - Sequence of optional extensions and image data.
    - comments are extensions.
    - ImageData and Extension use the same SubBlocks structure .
    - Global (file-wise) and local (image-wise) palettes can be too big.


  198. Structure lengths
    - Header: 7 bytes (fixed size)
    - File-wide palette (optional): 3-768 bytes (variable-sized)
    - Extensions: SubBlocks-based. Examples of extension:
    Graphical Control (defines delay between frames), Comment, Application (defines looping)
    - Image descriptor: 10 bytes
    - Image-wide palette (optional): 3-768 bytes
    - Image data: SubBlocks-based
    209

  199. GIF SubBlocks structures
    Specific structure for comments and image data in GIF:
    cut in chunks of 255 bytes max, each starting with its length, until 00.
    Examples of 2 equivalent comments:
    07 .c .o .m .m .e .n .t
    00
    01 .c 04 .o .m .m .e 02 .n .t
    00
    210

  200. GIF SubBlocks impact
    - can’t jump over anything longer than 255 bytes.
    -> very restrictive
    + turns any non-null byte into a forward jump:
    good for FastColl
    211
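As an added example (not the deck's code) for the two GIF SubBlocks slides above, a Python walker for the sub-block structure, its encoder, and a comment-extension reader; the two equivalent encodings of "comment" from the deck are embedded as constructed byte strings, and the function names are mine.

```python
def parse_subblocks(data, offset):
    """Walk GIF sub-blocks starting at `offset`: each is a length byte (1-255) followed by
    that many bytes; a 0x00 terminator ends the sequence.
    Returns (payload, offset just after the terminator, [chunk lengths])."""
    payload, lengths = bytearray(), []
    while True:
        if offset >= len(data):
            raise ValueError("sub-block sequence runs past end of data")
        size = data[offset]
        offset += 1
        if size == 0:                       # block terminator
            return bytes(payload), offset, lengths
        chunk = data[offset:offset + size]
        if len(chunk) != size:
            raise ValueError(f"truncated sub-block at {offset - 1:#x}")
        payload += chunk                    # any non-null byte is a forward jump of `size`
        lengths.append(size)
        offset += size


def encode_subblocks(payload):
    """Inverse: split a payload into sub-blocks of at most 255 bytes, plus terminator.
    This is the restriction the deck points out: one length byte can skip at most 255 bytes."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def parse_comment_extension(data, offset):
    """A GIF comment extension is 21 FE followed by sub-blocks (cf. the 21 FE 7B in the deck's dump).
    Returns (comment bytes, offset of the next structure)."""
    if data[offset:offset + 2] != b"\x21\xFE":
        raise ValueError("not a comment extension")
    comment, nxt, _ = parse_subblocks(data, offset + 2)
    return comment, nxt


# The deck's two equivalent encodings of the comment "comment" (constructed as bytes here).
COMMENT_ONE_BLOCK = b"\x07comment\x00"
COMMENT_THREE_BLOCKS = b"\x01c\x04omme\x02nt\x00"


if __name__ == "__main__":
    for raw in (COMMENT_ONE_BLOCK, COMMENT_THREE_BLOCKS):
        print(parse_subblocks(raw, 0))
    # 2C is the Image Descriptor introducer that would follow the comment in a real file
    print(parse_comment_extension(b"\x21\xFE" + COMMENT_THREE_BLOCKS + b"\x2C", 0))
```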


  201. GIF data sled
    Subblocks are common to image data and extensions (like comments):
    -> extend the comment into image data (turn pixels into comment)
    Reliable w/ minor overhead.
    212

  202. Common schema: 10 minutes delay
    Graphical Control Extension: max delay between images
    Long comment / Short comment
    213

  203. 0330: .. .. .. ..-.. .. .. ..-.. .. .. ..-.. 21 FE 7B
    0340: 7B 07 80 42-FF 65 E4 4E-1F 99 A0 E8-4D BC 59 EB
    0350: E8 DA 58 CC-35 CF 2C 78-53 1E 79 D1-28 34 08 DA
    0360: B5 DB FF C6-80 0F 3A 46-EF 0F FB 1C-F9 F1 E0 83
    0370: CC FB ED 70-D9 21 A5 7D-0A A1 10 B6-A7 C5 6D E0
    0380: 71 82 1F FA-AC 77 A9 12-DD 8E F2 14-9D 64 5B F8
    0390: 3D 66 C5 AE-D3 97 8F 2B-6E B9 AB 4B-4B 1D A7 C1
    03A0: A8 34 B5 2D-96 46 8A DE-A9 9C EF 18-6B 8C F8 08
    03B0: 12 54 43 53-AD 8A 72 BA-19 83 66 B3-2F CF 85 FD
    .... ...
    7B 07 80 42-FF 65 E4 4E-1F 99 A0 E8-4D BC 59 EB
    E8 DA 58 4C-35 CF 2C 78-53 1E 79 D1-28 34 08 DA
    B5 DB FF C6-80 0F 3A 46-EF 0F FB 1C-F9 71 E0 83
    CC FB ED 70-D9 21 A5 7D-0A A1 10 36-A7 C5 6D E0
    71 82 1F FA-AC 77 A9 12-DD 8E F2 14-9D 64 5B F8
    3D 66 C5 2E-D3 97 8F 2B-6E B9 AB 4B-4B 1D A7 C1
    A8 34 B5 2D-96 46 8A DE-A9 9C EF 18-6B 0C F9 08
    12 54 43 53-AD 8A 72 BA-19 83 66 33-2F CF 85 FD
    GIF comment manipulation via FastColl
    21 FE defines a comment; chunk length: 0x7B
    Chunk length: 0x33/0xB3
    214

  204. GIF
    Special chunk structure -> single byte = “jump”
    Same structure used for data -> can use it to jump over image A.
    Just put a delay for image A to display long enough.
    5c827c0eba9cfaa647c1a489bea77c60 *collision1.gif
    5c827c0eba9cfaa647c1a489bea77c60 *collision2.gif
    After 10 minutes,
    the images are identical.
    215

  205. Common headers?
    Headers include palette, dimensions:
    -> use 2 images of same dimensions
    -> normalize palette
    Shortcut: merge them as 2 frames of the same animation,
    with a comment, no looping, and maximum delay.
    216


  206. GIF FastColl exploit
    - combine 2 frames in a single animation with a comment.
    - extend the comment to align to 64 bytes,
    with a jump of 0x7B (points to the last difference in the collision blocks)
    - compute FastColl
    - append the images' suffix
    - adjust comments to:
    finish before the first image: .! F9
    slide into the first image data: 08 FE
    217

  207. Actual
    example
    218


  208. Alignment
    00000300: [header palette ending...............] .! FE 2F
    00000310: [comment for alignment.........................
    ...
    00000330: ............................................ 7B
    00000340: [collision block with its last difference......
    00000350: at relative offset of 7B.......................
    ...
    000003B0: ...............................] EA [..........
    000003C0: [space to land to the shortest comment.........
    000003D0: its length will vary, but......................
    000003E0: the longest comment will always be 0x80 longer.
    ...
    00000420: ................] 80 [..........................
    ...
    000004A0: ................] 14 00 .! F9 04 00 FF FF FF 00
    000004B0: 2C 00 00 00 00 F4 01 F4 01 00 08 FE 00 59 09 BC
    Labels: comment declaration, SubBlocks, collision blocks, image
    Cf. working script for reference
    219

  209. Recap on GIF exploitation via FastColl
    + Comments are made of SubBlocks: declarations are separated from lengths.
    -> compatible with FastColl (!)
    - lengths are stored on a single byte -> can’t skip more than 255 bytes
    + image data is stored in SubBlocks too:
    -> extend the comment into image data*
    + use max delay (10 min) on the 1st frame to hide the 2nd one.
    *A great idea from Marc Stevens
    220

  210. Collision exploit certificate (hard):
    Instant GIF collision via FastColl
    Instructor: Ange Albertini, COLLTRIS
    221

  211. What did SHA-1 break?
    Git doesn't use SHA-1 on files, but on objects.
    https://git-scm.com/book/en/v2/Git-Internals-Git-Objects
    SubVersion servers were unexpectedly broken.
    BitTorrent indexes blocks with SHA-1.
    -> Marc created a SHA-1 collision detection library
    https://github.com/cr-marcstevens/sha1collisiondetection
    223

  212. What about SHA-2?
    May 2019:
    - MD5/SHA-1: "trivial".
    - SHA-2: "clearly infeasible".
    https://twitter.com/realhashbreaker/status/1128275424574832640
    224


  213. Only files?
    Protocols can also be attacked:
    SLOTH - CVE-2015-7575
    Security Losses from Obsolete and Truncated Transcript Hashes
    https://www.mitls.org/pages/attacks/SLOTH
    Paper: Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
    225

  214. References
    226


  215. 227
    2004: Dan Kaminsky: MD5 To Be Considered Harmful Someday
    https://eprint.iacr.org/2004/357.pdf
    https://dankaminsky.com/2004/12/06/46/
    2004: Ondrej Mikle: Practical Attacks on Digital Signatures Using MD5 Message Digest
    https://eprint.iacr.org/2004/356.pdf
    IPC exploit papers:
    ● 2005: A Note on the Practical Value of Single Hash Collisions for Special File Formats
    Max Gebhardt, Georg Illies, Werner Schindler
    ● 2014 MalSHA1: Malicious Hashing: Eve’s Variant of SHA-1
    Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, Martin Schläffer
    ● 2017 Shattered: The first collision for full SHA-1
    Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
    Linked on the slide: the papers and slides, Jean-Philippe's slides, Marc's Crypto17 video,
    Elie's BlackHat slides and video, Pierre's RWC video and slides.

  216. Current hash collision complexity
    SHA-1
    IPC: 2^65  2017 Stevens (Shattered) The first collision for full SHA-1
    CPC: 2^77  2013 Stevens  New collision attacks on SHA-1
         2^67  2019 Leurent  From Collisions to Chosen-Prefix Collisions
    MD5
    IPC: 2^16  2009 Stevens (FastColl) Short chosen-prefix collisions for MD5
    CPC: 2^39 (9 blocks)  2009 Stevens (HashClash) Short chosen-prefix collisions for MD5
         2^53 (1 block)   … …
         2^46 (2 blocks)  2019 Leurent From Collisions to Chosen-Prefix Collisions
    228

  217. Hash collisions
    in CTF
    229


  218. HrefIn
    MD5 collision on certificates by Enzo.
    500 pts, 0 solves :(
    230

  219. Looking Glass
    MD5 collision on ProtoBuf by mlen.
    330 pts, 11 solves.
    231


  220. Acknowledgments
    Research:
    Marc Stevens
    Workshop:
    Barbie Auglend, Christophe Brocas, Philippe Teuwen.
    Improvements:
    Jean-Philippe Aumasson, Nicolas Grégoire, Enzo Puig, Mateusz Lenik,
    Enrico Bacis.
    232

  221. 233
    Thank you for making it this far!
    Any feedback is welcome!
    @angealbertini or ✉ [email protected]
    LET’s PLAY