Added jit in my pants writeup

akrasuski1 · akrasuski1 · commit 2b4441cb8ae2 · 2016-03-08T18:24:40.000+01:00
diff --git a/2016-03-06-bkpctf/re_3_Jit_in_my_pants/README.md b/2016-03-06-bkpctf/re_3_Jit_in_my_pants/README.md
@@ -0,0 +1,18 @@
+## Jit in my pants (reversing, 3 points, 38 solves)
+	Because reversing an obfuscated jit'ed virtual machine for 3 points is fun! 
+
+In this task we got an ELF binary. Looking at it's disassembly was really hard - lots
+of obfuscated code was put there - I thought that for 3 points we were supposed to use
+something easier. 
+
+Tracing the binary, we notice a lot of `gettimeofday` calls. This was a function checking
+current time - something which should not be present in legitimate key checking code.
+I created a simple replacement function (`tofd.c`), which I then LD_PRELOAD'ed to achieve
+deterministic execution.
+
+In my solution, I used instruction counting to get the flag. The idea is, that the code
+checks flag characters one by one, exitting early if a character is wrong. We can exploit
+this - when we supply a good prefix of the flag, the binary will execute slightly longer 
+than with a wrong one. Using `doit.py` and Intel's pin, we brute forced the solution
+one char at a time in around an hour (this could take shorter time, but I wanted to stay
+on the safer side and used `string.printable` as the character set).
diff --git a/2016-03-06-bkpctf/re_3_Jit_in_my_pants/c3803116bd70e802483d3bc4c4b564d2 b/2016-03-06-bkpctf/re_3_Jit_in_my_pants/c3803116bd70e802483d3bc4c4b564d2
diff --git a/2016-03-06-bkpctf/re_3_Jit_in_my_pants/doit.py b/2016-03-06-bkpctf/re_3_Jit_in_my_pants/doit.py
@@ -0,0 +1,22 @@
+import subprocess, string, sys, os
+
+alphabet=string.printable
+
+def get_ic(s):
+    subprocess.check_output(["/bin/bash", "ins", s]) # ins is my alias for intel pin's instructioon counting tool.
+    return int(open("inscount.out").read()[5:])
+
+key="BKPCTF{"
+while True:
+    longest=0
+    longest_for=""
+    for c in alphabet:
+        print repr(c),
+        sys.stdout.flush()
+        n=get_ic(key+c)
+        if n>longest:
+            longest=n
+            longest_for=c
+            print "!!!",
+    key=key+longest_for
+    print key
diff --git a/2016-03-06-bkpctf/re_3_Jit_in_my_pants/tofd.c b/2016-03-06-bkpctf/re_3_Jit_in_my_pants/tofd.c
@@ -0,0 +1,12 @@
+struct timeval{
+	long long tv_sec;
+	int tv_usec;
+};
+struct timezone{};
+int gettimeofday(struct timeval *tv, struct timezone *tz){
+	static int x=0;
+	static int y=0;
+	tv->tv_sec=x++;
+	tv->tv_usec=y++;
+	return 0;
+}
