Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for James Moriarty James Moriarty
June 16, 2021
Programming
1.8k
0

Talk - Writing My First Exploit

Avatar for James Moriarty

James Moriarty

June 16, 2021

More Decks by James Moriarty

See All by James Moriarty
Lightning Talk - Call Graphs
Avatar for James Moriarty jamesmoriarty
0
1.3k

Other Decks in Programming

See All in Programming
第3木曜LT会 #28
Avatar for Tsubasa SEKIGUCHI tinykitten
PRO
0
110
The Monolith Strikes Back: Why AI Agents ❤️ Rails Monoliths
Avatar for Rodrigo Serradura serradura
0
340
Lightning-Fast Method Calls with Ruby 4.1 ZJIT / RubyKaigi 2026
Avatar for Takashi Kokubun k0kubun
3
420
How Swift's Type System Guides AI Agents
Avatar for Yuta Koshizawa koher
0
270
ルールルルルルRubyの中身の予備知識 ── RubyKaigiの前に予習しなイカ?
Avatar for ydah ydah
1
190
10年分の技術的負債、完済へ ― Claude Code主導のAI駆動開発でスポーツブルを丸ごとリプレイスした話
Avatar for nero15 takuya_houshima
0
2.6k
SkillがSkillを生む:QA観点出しを自動化した
Avatar for sontixyou sontixyou
6
3.4k
PDI: Como Alavancar Sua Carreira e Seu Negócio
Avatar for Marcel dos Santos marcelgsantos
0
120
〜バイブコーディングを超えて〜 チームで実験し続けたAI駆動開発
Avatar for Toranosuke Minamikawa tigertora7571
0
110
AI-DLC Deep Dive
Avatar for yuukiyo yuukiyo
9
4.3k
mruby on C#: From VM Implementation to Game Scripting (RubyKaigi 2026)
Avatar for hadashiA hadashia
2
550
年間50登壇、単著出版、雑誌寄稿、Podcast出演、YouTube、CM、カンファレンス主催……全部やってみたので面白さ等を比較してみよう / I’ve tried them all, so let’s compare how interesting they are.
Avatar for nrs nrslib
4
790

Featured

See All Featured
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
510
Code Review Best Practice
Avatar for Trisha Gee trishagee
74
20k
How to make the Groovebox
Avatar for あそなす asonas
2
2.1k
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
Avatar for Aleyda Solis aleyda
1
1.9k
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
100
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
340
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
10k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
47
8.1k
AI in Enterprises - Java and Open Source to the Rescue
Avatar for ivargrimstad ivargrimstad
0
1.2k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
303
52k

Transcript

  1. Writing My First Exploit

  2. Exploit? “...is a piece of software, a chunk of data,

    or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

  3. What? Counter-Strike: Global Offensive • Source code leak from 2013

    for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

    the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

    flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

  9. Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

  10. Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

    Broken Broken

  11. Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

    gohack.exe

  12. How func Instrument() (*gohack.Client, error) { ... offsets, err :=

    gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

  13. Testing

  14. Testing Value’s CS:GO • 30GB Package • Steam DRM +

    VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs

  15. Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

    := Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  19. None

  20. Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

    process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video