Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using Z3 to solve crackme

Avatar for Julien Bachmann Julien Bachmann
November 05, 2015
Technology
0
2k

Using Z3 to solve crackme

Avatar for Julien Bachmann

Julien Bachmann

November 05, 2015
Tweet

More Decks by Julien Bachmann

See All by Julien Bachmann
Advanced exploitation on Linux: ROP and infoleaks
Avatar for Julien Bachmann milkmix
3
3.5k
iOS malware: myth or reality?
Avatar for Julien Bachmann milkmix
2
1.3k
Elasticsearch: incident detection use-cases and security best practices
Avatar for Julien Bachmann milkmix
1
1.3k
Software exploitation : ROP
Avatar for Julien Bachmann milkmix
2
550
Clusis Campus 2015 : introduction to Suricata IDS
Avatar for Julien Bachmann milkmix
0
250
String format exploitation in 15"
Avatar for Julien Bachmann milkmix
1
310
Reversing iOS/OSX malware : wirelurker
Avatar for Julien Bachmann milkmix
1
360
import-module IncidentResponse
Avatar for Julien Bachmann milkmix
0
130
iOS applications auditing
Avatar for Julien Bachmann milkmix
0
130

Other Decks in Technology

See All in Technology
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
3
930
250627 関西Ruby会議08 前夜祭 RejectKaigi「DJ on Ruby Ver.0.1」
Avatar for Masaya Kudo msykd
PRO
2
360
SalesforceArchitectGroupOsaka#20_CNX'25_Report
Avatar for atomica7sei atomica7sei
0
250
Tokyo_reInforce_2025_recap_iam_access_analyzer
Avatar for h-ashisan hiashisan
0
130
Oracle Audit Vault and Database Firewall 20 概要
Avatar for oracle4engineer oracle4engineer
PRO
3
1.7k
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
Avatar for BrainPad brainpadpr
1
170
TechLION vol.41~MySQLユーザ会のほうから来ました / techlion41_mysql
Avatar for sakaik sakaik
0
200
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
Avatar for upamune / Yu SERIZAWA upamune
5
4.4k
開発生産性を組織全体の「生産性」へ! 部門間連携の壁を越える実践的ステップ
Avatar for ussy / @sudo5in5k sudo5in5k
0
150
AI導入の理想と現実~コストと浸透〜
Avatar for oprst oprstchn
0
130
なぜ私はいま、ここにいるのか? #もがく中堅デザイナー #プロダクトデザイナー
Avatar for 弁護士ドットコム bengo4com
0
1.2k
フィンテック養成勉強会#54
Avatar for フィンテック養成コミュニティ finengine
0
200

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
130
19k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
82
9.1k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.6k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
367
19k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
48
5.4k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
107
19k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.4k

Transcript

  1. Using z3 to solve crackme Julien Bachmann @milkmix_

  2. how | irc, con and ctf Some have been talking

    about it for a long time Lately : Defcon’15 CTF fuckup challenge “The flag is: z3 always helps” solved by teammate using… z3 !

  3. use case | standard crackme Pretty simple crackme No anti-reverse

    engineering protections Need to have id/serial tuple that matches the criteria

  4. use case | standard crackme

  5. use case | reverse and reimplement Inputs should be alphanumeric

    strings between 6 and 9 characters All distinct Sums of both strings characters should be equal compute_serial == compute_id Serial should have increasing order at even positions, decreasing at odd ones

  6. z3 | so what is it? z3 is an SMT

    solver Satisfiability Modulo Theory an extension of SAT solvers give it an equation and it can tell you if solvable or not even give you an answer not necessarily the best one

  7. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers

  8. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers lame not sure about that one…

  9. z3 | so what is it? For me it is

    more an Cyber Oracle honestly, I didn’t looked at all the theory and maths behind

  10. z3 | installation Open sourced by Microsoft yeah, for real

    ! https://github.com/Z3Prover/z3

  11. z3 | types Constraints can only be applied to z3

    data types Numbers Int, Real, Bool Define multiples Ints Reals

  12. z3 | types Closest to our potentials cases CPU registers

    ! BitVec Extendable ZeroExt SignExt

  13. z3 | types Warning ! Int are infinite numbers BitVec

    are wrapping, like registers

  14. z3 | operators Standard ones +, -, *, ==, …

    RotateLeft, RotateRight Constraints And, Or ULT, UGT Distinct …

  15. z3 | solver The class you will be using the

    most add : add a constraint to the equation push/pop : store current state of the constraints prove : check if given equation is always true check : validate if solution exists model : if solvable, return a solution simplify : simplify current equation

  16. z3 | solver

  17. crackme | time to solve it

  18. crackme | time to solve it

  19. conclusion | awesome Quite useful tool when brute force would

    take too long problem can easily be put in the form of equations Can be applied to auto-ROP to solve constraints on registers concolic execution (symbolic+concrete) check Quarkslab Triton