Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using Z3 to solve crackme

Julien Bachmann
November 05, 2015
Technology
0
1.7k

Using Z3 to solve crackme

Julien Bachmann

November 05, 2015
Tweet

More Decks by Julien Bachmann

See All by Julien Bachmann
Advanced exploitation on Linux: ROP and infoleaks
milkmix
3
3.1k
iOS malware: myth or reality?
milkmix
2
1.1k
Elasticsearch: incident detection use-cases and security best practices
milkmix
1
1.2k
Software exploitation : ROP
milkmix
2
500
Clusis Campus 2015 : introduction to Suricata IDS
milkmix
0
200
String format exploitation in 15"
milkmix
1
260
Reversing iOS/OSX malware : wirelurker
milkmix
1
290
import-module IncidentResponse
milkmix
0
100
iOS applications auditing
milkmix
0
99

Other Decks in Technology

See All in Technology
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
4
580
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
ServiceNow Knowledge Learning Rise up
manarobot
0
210
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
300
JAWS-UG Bedrock Claude Night
yamahiro
3
630
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
5
2.4k
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
6
550
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
930
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
130
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
2
850

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
73
5.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
43k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
The Invisible Customer
myddelton
114
12k
Agile that works and the tools we love
rasmusluckow
325
20k
How to name files
jennybc
65
93k
Rails Girls Zürich Keynote
gr2m
91
13k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
A designer walks into a library…
pauljervisheath
200
23k
Typedesign – Prime Four
hannesfritz
36
2.1k

Transcript

  1. Using z3 to solve crackme Julien Bachmann @milkmix_

  2. how | irc, con and ctf Some have been talking

    about it for a long time Lately : Defcon’15 CTF fuckup challenge “The flag is: z3 always helps” solved by teammate using… z3 !

  3. use case | standard crackme Pretty simple crackme No anti-reverse

    engineering protections Need to have id/serial tuple that matches the criteria

  4. use case | standard crackme

  5. use case | reverse and reimplement Inputs should be alphanumeric

    strings between 6 and 9 characters All distinct Sums of both strings characters should be equal compute_serial == compute_id Serial should have increasing order at even positions, decreasing at odd ones

  6. z3 | so what is it? z3 is an SMT

    solver Satisfiability Modulo Theory an extension of SAT solvers give it an equation and it can tell you if solvable or not even give you an answer not necessarily the best one

  7. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers

  8. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers lame not sure about that one…

  9. z3 | so what is it? For me it is

    more an Cyber Oracle honestly, I didn’t looked at all the theory and maths behind

  10. z3 | installation Open sourced by Microsoft yeah, for real

    ! https://github.com/Z3Prover/z3

  11. z3 | types Constraints can only be applied to z3

    data types Numbers Int, Real, Bool Define multiples Ints Reals

  12. z3 | types Closest to our potentials cases CPU registers

    ! BitVec Extendable ZeroExt SignExt

  13. z3 | types Warning ! Int are infinite numbers BitVec

    are wrapping, like registers

  14. z3 | operators Standard ones +, -, *, ==, …

    RotateLeft, RotateRight Constraints And, Or ULT, UGT Distinct …

  15. z3 | solver The class you will be using the

    most add : add a constraint to the equation push/pop : store current state of the constraints prove : check if given equation is always true check : validate if solution exists model : if solvable, return a solution simplify : simplify current equation

  16. z3 | solver

  17. crackme | time to solve it

  18. crackme | time to solve it

  19. conclusion | awesome Quite useful tool when brute force would

    take too long problem can easily be put in the form of equations Can be applied to auto-ROP to solve constraints on registers concolic execution (symbolic+concrete) check Quarkslab Triton