Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Talk - Writing My First Exploit
Search
James Moriarty
June 16, 2021
Programming
0
1.6k
Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Tweet
Share
More Decks by James Moriarty
See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1.2k
Other Decks in Programming
See All in Programming
兎に角、コードレビュー
mitohato14
0
170
Azure SRE Agentで運用は楽になるのか?
kkamegawa
0
1.2k
サーバーサイドのビルド時間87倍高速化
plaidtech
PRO
0
690
AIを活用し、今後に備えるための技術知識 / Basic Knowledge to Utilize AI
kishida
19
4.4k
Namespace and Its Future
tagomoris
6
690
ECS初心者の仲間 – TUIツール「e1s」の紹介
keidarcy
0
150
複雑なドメインに挑む.pdf
yukisakai1225
5
940
Swift Updates - Learn Languages 2025
koher
1
360
時間軸から考えるTerraformを使う理由と留意点
fufuhu
10
3.9k
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
310
AIコーディングAgentとの向き合い方
eycjur
0
250
🔨 小さなビルドシステムを作る
momeemt
3
650
Featured
See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
111
20k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
The Art of Programming - Codeland 2020
erikaheidi
55
13k
GraphQLとの向き合い方2022年版
quramy
49
14k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
51
5.6k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Thoughts on Productivity
jonyablonski
69
4.8k
Become a Pro
speakerdeck
PRO
29
5.5k
Transcript
Writing My First Exploit
Exploit? “...is a piece of software, a chunk of data,
or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia
What? Counter-Strike: Global Offensive • Source code leak from 2013
for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...
“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit
the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”
Video
How
How?
How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {
flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }
Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte
Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe
Broken Broken
Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe
gohack.exe
How func Instrument() (*gohack.Client, error) { ... offsets, err :=
gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }
Testing
Testing Value’s CS:GO • 30GB Package • Steam DRM +
VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs
Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err
:= Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }
Testing
github.com/jamesmoriarty/gohack
???
None
Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...
process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video
jamesmoriarty
mitohato14
kkamegawa
plaidtech
kishida
tagomoris
keidarcy
yukisakai1225
koher
fufuhu
ivargrimstad
eycjur
momeemt
panda_program
chrisshort
mraible
erikaheidi
quramy
thoeni
sugarenia
hatefulcrawdad
reverentgeek
lauravandoore
jonyablonski
speakerdeck
