Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using Z3 to solve crackme

Avatar for Julien Bachmann Julien Bachmann
November 05, 2015
Technology
0
2k

Using Z3 to solve crackme

Avatar for Julien Bachmann

Julien Bachmann

November 05, 2015
Tweet

More Decks by Julien Bachmann

See All by Julien Bachmann
Advanced exploitation on Linux: ROP and infoleaks
Avatar for Julien Bachmann milkmix
3
3.5k
iOS malware: myth or reality?
Avatar for Julien Bachmann milkmix
2
1.3k
Elasticsearch: incident detection use-cases and security best practices
Avatar for Julien Bachmann milkmix
1
1.3k
Software exploitation : ROP
Avatar for Julien Bachmann milkmix
2
550
Clusis Campus 2015 : introduction to Suricata IDS
Avatar for Julien Bachmann milkmix
0
250
String format exploitation in 15"
Avatar for Julien Bachmann milkmix
1
320
Reversing iOS/OSX malware : wirelurker
Avatar for Julien Bachmann milkmix
1
370
import-module IncidentResponse
Avatar for Julien Bachmann milkmix
0
130
iOS applications auditing
Avatar for Julien Bachmann milkmix
0
130

Other Decks in Technology

See All in Technology
Jitera Company Deck / JP
Avatar for Jitera Inc. jitera
0
140
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
270
そもそも AWS FIS について。なぜ今 FIS のハンズオンなのか?などなど
Avatar for kazzpapa3 kazzpapa3
2
120
20150719_Amazon Nova Canvas Virtual try-onアプリ 作成裏話
Avatar for Rika.I riz3f7
0
130
データ駆動経営の道しるべ:プロダクト開発指標の戦略的活用法
Avatar for ham ham0215
2
230
CSPヘッダー導入で実現するWebサイトの多層防御:今すぐ試せる設定例と運用知見
Avatar for llamakko llamakko
1
190
MCPと認可まわりの話 / mcp_and_authorization
Avatar for convto convto
1
120
Recoil脱却の現状と挑戦
Avatar for kirik kirik
2
330
P2P ではじめる WebRTC のつまづきどころ
Avatar for tnoho tnoho
1
210
SRE with AI:実践から学ぶ、運用課題解決と未来への展望
Avatar for Ryo Yoshii yoshiiryo1
1
680
大規模組織にAIエージェントを迅速に導入するためのセキュリティの勘所 / AI agents for large-scale organizations
Avatar for Masato Ishigaki / 石垣雅人 i35_267
6
220
2025/07/22_家族アルバム みてねのCRE における生成AI活用事例
Avatar for Masaru Hoshino masartz
2
100

Featured

See All Featured
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.3k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
54
13k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.4k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
108
19k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
530
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k

Transcript

  1. Using z3 to solve crackme Julien Bachmann @milkmix_

  2. how | irc, con and ctf Some have been talking

    about it for a long time Lately : Defcon’15 CTF fuckup challenge “The flag is: z3 always helps” solved by teammate using… z3 !

  3. use case | standard crackme Pretty simple crackme No anti-reverse

    engineering protections Need to have id/serial tuple that matches the criteria

  4. use case | standard crackme

  5. use case | reverse and reimplement Inputs should be alphanumeric

    strings between 6 and 9 characters All distinct Sums of both strings characters should be equal compute_serial == compute_id Serial should have increasing order at even positions, decreasing at odd ones

  6. z3 | so what is it? z3 is an SMT

    solver Satisfiability Modulo Theory an extension of SAT solvers give it an equation and it can tell you if solvable or not even give you an answer not necessarily the best one

  7. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers

  8. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers lame not sure about that one…

  9. z3 | so what is it? For me it is

    more an Cyber Oracle honestly, I didn’t looked at all the theory and maths behind

  10. z3 | installation Open sourced by Microsoft yeah, for real

    ! https://github.com/Z3Prover/z3

  11. z3 | types Constraints can only be applied to z3

    data types Numbers Int, Real, Bool Define multiples Ints Reals

  12. z3 | types Closest to our potentials cases CPU registers

    ! BitVec Extendable ZeroExt SignExt

  13. z3 | types Warning ! Int are infinite numbers BitVec

    are wrapping, like registers

  14. z3 | operators Standard ones +, -, *, ==, …

    RotateLeft, RotateRight Constraints And, Or ULT, UGT Distinct …

  15. z3 | solver The class you will be using the

    most add : add a constraint to the equation push/pop : store current state of the constraints prove : check if given equation is always true check : validate if solution exists model : if solvable, return a solution simplify : simplify current equation

  16. z3 | solver

  17. crackme | time to solve it

  18. crackme | time to solve it

  19. conclusion | awesome Quite useful tool when brute force would

    take too long problem can easily be put in the form of equations Can be applied to auto-ROP to solve constraints on registers concolic execution (symbolic+concrete) check Quarkslab Triton