Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Talk - Writing My First Exploit
Search
James Moriarty
June 16, 2021
Programming
0
1.7k
Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Tweet
Share
More Decks by James Moriarty
See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1.2k
Other Decks in Programming
See All in Programming
2025 컴포즈 마법사
jisungbin
0
150
Level up your Gemini CLI - D&D Style!
palladius
1
100
「10分以内に機能を消せる状態」 の実現のためにやっていること
togishima
1
530
手軽に積ん読を増やすには?/読みたい本と付き合うには?
o0h
PRO
1
110
DartASTとその活用
sotaatos
2
150
複数チーム並行開発下でのコード移行アプローチ ~手動 Codemod から「生成AI 活用」への進化
andpad
0
180
Evolving NEWT’s TypeScript Backend for the AI-Driven Era
xpromx
0
170
Vueで学ぶデータ構造入門 リンクリストとキューでリアクティビティを捉える / Vue Data Structures: Linked Lists and Queues for Reactivity
konkarin
1
340
例外処理を理解して、設計段階からエラーを見つけやすく、起こりにくく #phpconfuk
kajitack
12
6.4k
Querying Design System デザインシステムの意思決定を支える構造検索
ikumatadokoro
1
1.2k
JJUG CCC 2025 Fall: Virtual Thread Deep Dive
ternbusty
3
480
なぜ強調表示できず ** が表示されるのか — Perlで始まったMarkdownの歴史と日本語文書における課題
kwahiro
12
7.2k
Featured
See All Featured
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
Producing Creativity
orderedlist
PRO
348
40k
Side Projects
sachag
455
43k
Thoughts on Productivity
jonyablonski
73
4.9k
A better future with KSS
kneath
239
18k
Site-Speed That Sticks
csswizardry
13
970
Practical Orchestrator
shlominoach
190
11k
Docker and Python
trallard
46
3.7k
BBQ
matthewcrist
89
9.9k
jQuery: Nuts, Bolts and Bling
dougneiner
65
8k
Into the Great Unknown - MozCon
thekraken
40
2.2k
GraphQLとの向き合い方2022年版
quramy
49
14k
Transcript
Writing My First Exploit
Exploit? “...is a piece of software, a chunk of data,
or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia
What? Counter-Strike: Global Offensive • Source code leak from 2013
for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...
“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit
the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”
Video
How
How?
How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {
flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }
Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte
Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe
Broken Broken
Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe
gohack.exe
How func Instrument() (*gohack.Client, error) { ... offsets, err :=
gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }
Testing
Testing Value’s CS:GO • 30GB Package • Steam DRM +
VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs
Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err
:= Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }
Testing
github.com/jamesmoriarty/gohack
???
None
Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...
process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video
jamesmoriarty
.png){kind=avatar}
jisungbin
palladius
togishima
o0h
sotaatos
andpad
xpromx
konkarin
kajitack
ikumatadokoro
ternbusty
kwahiro
reverentgeek
orderedlist
sachag
jonyablonski
kneath
csswizardry
shlominoach
trallard
matthewcrist
dougneiner
thekraken
quramy
