$30 off During Our Annual Pro Sale. View Details »

Using Z3 to solve crackme

Julien Bachmann
November 05, 2015
Technology
0
1.6k

Using Z3 to solve crackme

Julien Bachmann

November 05, 2015
Tweet

More Decks by Julien Bachmann

See All by Julien Bachmann
Advanced exploitation on Linux: ROP and infoleaks
milkmix
3
2.8k
iOS malware: myth or reality?
milkmix
2
950
Elasticsearch: incident detection use-cases and security best practices
milkmix
1
1.2k
Software exploitation : ROP
milkmix
2
460
Clusis Campus 2015 : introduction to Suricata IDS
milkmix
0
160
String format exploitation in 15"
milkmix
1
240
Reversing iOS/OSX malware : wirelurker
milkmix
1
200
import-module IncidentResponse
milkmix
0
92
iOS applications auditing
milkmix
0
83

Other Decks in Technology

See All in Technology
PWA開発を基礎からおさらい / PWA Night CONFERENCE 2022
chinen
2
450
電子証明書でデバイス認証を強化せよ
matsujirushi
0
120
Oracle Cloud Infrastructure:2022年11月度サービス・アップデート
oracle4engineer
PRO
0
110
VPoEとして1年 もっとこうすればよかった3選 / VPoE Retrospective
konifar
7
4.7k
一人でも小さく始められるGoogle Cloudで実現するほぼサーバレスなデータ基盤 / Serverless Dataplatform for Google Cloud
shinyorke
0
150
APN AWS Top Engineersが語るAWSの最新セキュリティ
cmusudakeisuke
0
890
Amazon VPC Latticeに期待する / look-for-vpc-lattice
takipone
0
200
jsconf-sponsor-lt.pdf
cybozuinsideout
PRO
0
3.4k
【Quollio】メタデータ・マネジメント入門
rytmq
PRO
3
920
Code_Graphology_Thomas_Roccia_ComfyCon_.pdf
fr0gger
0
110
Oracle Exadata Database Service:サービス概要のご紹介
oracle4engineer
PRO
0
1.9k
Verrazzano 概要 / Verrazzano overview
oracle4engineer
PRO
0
410

Featured

See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
8
1.2k
Facilitating Awesome Meetings
lara
33
4.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
499
130k
Bootstrapping a Software Product
garrettdimon
299
110k
The Art of Programming - Codeland 2020
erikaheidi
35
11k
Product Roadmaps are Hard
iamctodd
35
7.5k
What's in a price? How to price your products and services
michaelherold
231
9.6k
Building a Scalable Design System with Sketch
lauravandoore
451
30k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
109
16k
A Philosophy of Restraint
colly
193
15k
Designing with Data
zakiwarfel
91
4.1k

Transcript

  1. Using z3 to solve crackme Julien Bachmann @milkmix_

  2. how | irc, con and ctf Some have been talking

    about it for a long time Lately : Defcon’15 CTF fuckup challenge “The flag is: z3 always helps” solved by teammate using… z3 !

  3. use case | standard crackme Pretty simple crackme No anti-reverse

    engineering protections Need to have id/serial tuple that matches the criteria

  4. use case | standard crackme

  5. use case | reverse and reimplement Inputs should be alphanumeric

    strings between 6 and 9 characters All distinct Sums of both strings characters should be equal compute_serial == compute_id Serial should have increasing order at even positions, decreasing at odd ones

  6. z3 | so what is it? z3 is an SMT

    solver Satisfiability Modulo Theory an extension of SAT solvers give it an equation and it can tell you if solvable or not even give you an answer not necessarily the best one

  7. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers

  8. z3 | so what is it? Example usages solving Sudoku

    solving factorisation of large number into primes numbers lame not sure about that one…

  9. z3 | so what is it? For me it is

    more an Cyber Oracle honestly, I didn’t looked at all the theory and maths behind

  10. z3 | installation Open sourced by Microsoft yeah, for real

    ! https://github.com/Z3Prover/z3

  11. z3 | types Constraints can only be applied to z3

    data types Numbers Int, Real, Bool Define multiples Ints Reals

  12. z3 | types Closest to our potentials cases CPU registers

    ! BitVec Extendable ZeroExt SignExt

  13. z3 | types Warning ! Int are infinite numbers BitVec

    are wrapping, like registers

  14. z3 | operators Standard ones +, -, *, ==, …

    RotateLeft, RotateRight Constraints And, Or ULT, UGT Distinct …

  15. z3 | solver The class you will be using the

    most add : add a constraint to the equation push/pop : store current state of the constraints prove : check if given equation is always true check : validate if solution exists model : if solvable, return a solution simplify : simplify current equation

  16. z3 | solver

  17. crackme | time to solve it

  18. crackme | time to solve it

  19. conclusion | awesome Quite useful tool when brute force would

    take too long problem can easily be put in the form of equations Can be applied to auto-ROP to solve constraints on registers concolic execution (symbolic+concrete) check Quarkslab Triton