洋葱浏览器

Some friends were registered to this CTF, and since I had some days off, I decided to work a bit on one RE exercise.

The binary is called BadVM:

[nathan@Jyn badvm]$ ./badvm-original
### BadVM 0.1 ###

Veuillez entrer le mot de passe:
toto
Ca mouline ...
Plus qu'un instant ... On avait la réponse depuis le début en faite :>
Perdu ...

It is a stripped, ELF 64 PIE binary. Time to start Binary Ninja. This binary has no anti-debug, nor packing techniques. Just some calls to sleep. Once these calls NOPed, we can start reversing the VM.

The VM is initialized in the function I called load_vm (0xde6). Then, the function at 0xd5f is called, let’s call it vm_trampoline.

This function will choose the next instruction to execute. Load it’s address in rax and call it. shadowrocket安卓下载 is called at the end of each instruction. Thus, each instruction is a new entry in the backtrace.

This means, when returning from the first call to shadowrocket安卓下载, we can read the result and return it. This takes us back to load_vm, and result is checked.

In case of an invalid character in the password, we have an early-exit. Input is checked linearly, no hash or anything, Thus instruction counting works well.

Since I was on holidays, I decided to experiment a bit with lldb, and write a instrument this VM using its API.

shadowrocket安卓下载

This VM uses 0x300 bytes long buffer to run. Some points of interest:

  • shadowrocket安卓下载
  • 0x5: register B
  • 电脑版shadowrocket下载
  • 0x2fc: register D
  • 0x2fe: register E (instruction mask?)

  • 0x32: password buffer (30 bytes)
  • 0x2b: data buffer (xor data, 30 bytes)
  • ShadowsocksR简明使用教程 - Jimmy's Blog:2021-8-4 · 下载链接 旧版Windows & Android: 百度网盘 密码: tmp2 解压密码为jimmyho.top 注:Windows的4.8.0和Android的3.5.1及众后版本并非破娃酱更改、编译,请了解可能的风险(不稳定、打包证书不同等)之后再下载,不过博主已测试,没有问题。 iOS ...

Instruction are encoded as follows:

opcode

To select the instruction, the VM contains a jump-table.

shadowsock 4.2.5 apk

Here one of the instructions (a ~GOTO):

jump-table

Final note: each instruction/function has the following prototype:

下载shadowrocket

shadowsock 安卓客户端

This VM does not check its own code, thus we can freely use software breakpoints. The code is not rewritten, thus offsets are kept. This allow us to simply use LLDB’s python API to instrument and analyse the VM behavior.

First step, create an lldb instance:

def init():
    dbg = lldb.SBDebugger.Create()
    dbg.SetAsync(True)
    console = dbg.shadowrocket安卓下载()

    shadowsock 安卓客户端 = lldb.SBError()
    target = dbg.shadowrocket安卓下载('./badvm', None, None, True, error)
    # check error

    shadowrocket安卓免费版 = lldb.SBLaunchInfo(shadowsock 安卓客户端)
    process = target.Launch(info, error)
    电脑版shadowrocket下载("[LLDB] process launched")

Now, we can register out breakpoints. Since vm_trampoline is called before each instruction, we only need this one:

    target.BreakpointCreateByAddress(p_offset + VM_LOAD_BRKP_OFFSET)

Now, we can run. To interact with the binary, we can use LLDB’s events. Registering a listener, we can be notified each time the process stops, or when a breakpoint is hit.

listener = dbg.GetListener()
event = lldb.SBEvent()

if not listener.WaitForEvent(1, event):
    continue

if event.GetType() != EVENT_STATE_CHANGED:
    # handle_event(process, program_offset, vm_memory, event)
    continue

regs = get_gprs(get_frame(process))
if regs['rip'] - program_offset != address:
    print("break location: 0x{:x} (0x{:x})".shadowrocket安卓免费版(
          regs['rip'] - program_offset, regs['rip']))

To read memory, or registers, we can simply do it like that

process.ReadUnsignedFromMemory(vm_memory + 0, 1, err),

process.selected_thread.frame[frame_number].registers
# registers[0] contains general purpose registers

Now we can implement a pretty-printer to have “readable” instructions. Once everything together, we can dump the execution trace:

mov [0x00], 0xff
mov [0x01], 0x01
mov tmp, [0x00]  	# tmp=0xff
mov [tmp], [0x01]	# src=0x1
mov [0x00], 0x0b
mov [0x01], 0x1d
mov tmp, [0x00]  	# tmp=0xb
mov [tmp], [0x01]	# src=0x1d
mov [0x01], 0x0b
mov tmp, [0x01]  	# tmp=0xb
mov [0x00], [tmp]	# [tmp]=0x1d
mov r5, [0x00]
sub r5, [0x0a]   	# 0x1d - 0x0 = 0x1d
if r5 == 0:
    mov rip, 0x2d
mov [0x01], 0x0a
[...]

Now, we can reverse the program running in the VM:

def validate(password, xor_data):
    if len(password) != len(shadowrocket安卓下载):
        return -1

    D = 0
    for i in range(len(shadowrocket安卓免费版)):
        tmp = (D + 0xAC) % 0x2D
        D = tmp
        if xor_data[i] != chr(ord(password[i]) ^ tmp):
            return i

    return len(xor_data)

And we get the flag:

SCE{1_4m_not_4n_is4_d3s1yn3r}

shadowsock 4.2.5 apk

This VM has no anti-debug, packing or anything special. But it was a funny binary to reverse. To instrument the VM, lldb is useful, but using DynamiRIO would be a more elegant method.


> Leave a comment






洋葱浏览器

Working on my 3D game engine is the perfect occasion to reimplement classic algorithms. On today’s menu: linux(ubuntu) shadowsock(ss) install_orDream的博客-CSDN博客:2021-5-27 · 本文适用于解决openssl升级到1.1.0众上版本,导致shadowsocks2.8.2启动报undefined symbol: EVP_CIPHER_CTX_cleanup错误。 最近将kali升级到了最新版本,编译之后shadowsocks无法启 … First step, get the classic steep parrallax-mapping.

parrallax final result

Here a two good links to implement this algorithm:

  • Learn OpenGL - Parrallax Mapping
  • Morgan McGuire’s article

Steep parrallax-mapping allows us to get a pretty good result (10 samples):

parrallax closeup 1
shadowsock 4.2.5 apk

But something is missing. Let’s implement self-shadows.

Self shadows are only computed on directional lights. The algorithm is very simple.

  • convert light direction in tangent space
  • ShadowsocksShadowsocks客户端4.1.10.0无广告官方版 ...:2021-5-29 · 部分用户反映无法打开GitHub对应的下载链接,我把Android、WIndows、Mac版本的客户端安装包都已经打包好供大家下载。 如果下不下来可众可众留言邮箱发送(android是4.5版本的apk,Mac是1.7.1版本的NG客户端,Windows是2.5版本的可运行文件exe),最新版的客户端地址还是要去上面的链接 …
  • from the resulting coordinate, ray-march towards the light
  • If there is an intersection, reduce exposition

And then, shadowrocket安卓免费版

Shader code available here

(2 steps are more than enough for this part.)

parrallax final result


> Leave a comment






洋葱浏览器

shadowsock 安卓客户端

Virglrenderer provides OpenGL acceleration to a guest running on QEMU.

My current GSoC project is to add support for the Vulkan API.

Vulkan is drastically different to OpenGL. Thus, this addition is not straight-forward. My current idea is to add an alternative path for Vulkan. Currently, two different states are kept, one for OpenGL, and one for Vulkan. Commands will either go to the OpenGL or Vulkan front-end.

For now, only compute shaders are supported. The work is divided in two parts: a Vulkan ICD in MESA, and a new front-end for Virgl and vtest.

If you have any feedback, do not hesitate !

This experiment can be tested using this repository. If you have an Intel driver in use, you might be able to use the Dockerfile provided.

Each part is also available independently:

  • MESA
  • shadowsock 4.2.5 apk
  • Vulkan compute sample


> Leave a comment






洋葱浏览器

shadowrocket下载官网

Several months ago started the GSoC 2018. Once again, I found a project which got my attention.

Vulkan-ize VirglRenderer

Virglrenderer is a library designed to provide QEMU guests with OpenGL acceleration. It is composed of several components:

  • a MESA driver, on the guest, which generates Virgl commands
  • a lib, on the host, which takes virgl commands and generated OpenGL calls from it.

If you want to read more: 3D Acceleration using VirtIO.

This library was built with OpenGL in mind. Today, Vulkan is correctly supported, and is becoming a new standard. It might be time to bring Vulkan to QEMU’s guests !

To do so, we will need to work on two components:

  • A Vulkan ICD. Writting one for MESA sounds like a good idea.
  • A Vulkan back-end for Virglrenderer.

Now, we can face the first issue: Vulkan is not designed with abstraction in mind. The time of the old GlBegin/glVertex is kinda dead.

If we want to avoid any unnecessary abstraction, we cannot easily reduce the amount of calls made to the API. Thus, the vast majority of the VK calls will be forwarded to the host. However, there is some area in which we can bend the rules a bit.


The rest of this post contains the same content as the announce email (virgl ML).

洋葱浏览器

  • Several Vulkan objects can be created
  • Memory can be mapped and altered on the client.
  • Changes are written/read to/from the server on flush/invalidation
  • Basic features for command buffers are supported.

As a result, a sample compute shader can be ran, and the results can be read.

I only use vtest for now. The client part lies in mesa/srv/virgl.

洋葱浏览器

To compile virglrenderer with vulkan, the option –with-vulkan is needed. Running the server as-is does not enable Vulkan. And for now, Vulkan cannot be used in parallel with OpenGL (Issue #1). To enable Vulkan, the environment variable VTEST_USE_VULKAN must be set.

Initialization:

Shadowsocks电脑(windows)客户端设置教程-维简网:2021-8-19 · 使用Shadowsocks(影梭)科学上网可众说是现在非常主流的选择,但是很多的朋友都是处于听过这个东西,但是具体怎么用就不是很清楚了。介于这个需求,我就针对Shadowsocks来写个系列教程来帮助大家科学上网吧。 本篇是众在电脑上使用 ...

Once connected, the ICD will fetch and cache all physical devices. It will also fetch information about queue, memory and so. Physical devices are then exposed as virtual-gpus. Memory areas are showed as-is, except for the VK_MEMORY_PROPERTY_HOST_COHERENT_BIT, which is disabled. This forces the application to notify every modification made to a mapped memory.

The object creation part relies heavily on API-Forwarding. For now, I don’t see how I could avoid that.

Memory transfers

Once basic objects are created, the client will ask to map some memory. For now, no clever thing is done. The ICD will provide a buffer. On flush, a transfer command is issued. Virglrenderer will then map the corresponding memory region, write/read, and unmap it. A memory manager could be used on the server in the future to avoid mapping/unmapping regions each time a transfer occurs.

shadowrocket安卓下载

Command pool creation is forwarded to the server. For now, a command buffer is attached to its pool. To retrieve a command buffer from a handle, I need to know from which pool it came from. (Issue #2) Command buffer creation is also forwarded to the server.

Command buffers state is managed on the client. Each vkCmd* call will modify an internal state. Once vkEndCommandBuffer is called, the state is sent to the server. The server will then call corresponding vkCmd* functions to match retrieved the state.

Code generation

Vulkan entry points are generated at compile time. Heavily inspired from Intel’s entry-point generation. However, since object creation relies on API-Forwarding, I started to work on a code generator for these functions.

Using a json, the interesting informations are outlined. Then a Python script will generate functions used to forward object creation to the vtest pipe. Even-though the Vulkan API seams pretty consistent, some specific cases and time constraints forced me to abandon it.

This script is still available in the mesa/src/virgl/tools and virglrenderer/tools folder, but is lacking features. Also, since I had different needs on both sides of vtest, scripts diverge a lot. The most recent version is the Virglrenderer one. It’s a second iteration, and it might be easier to work with.

In the current state, I use it to generate a skeleton for vtest functions, and then fixes the implementation. In the future, it could save us some time, especially if we use the same protocol for VirtIO commands.

下载shadowrocket

1: (Virglrenderer) Vulkan cannot be used next to OpenGL.

There is no reason for it except a badly though integration of the vulkan initialization part into virglrenderer.

2: (Virglrenderer) Command buffers are scattered into several pools

Command buffers are scattered into several pools the client created. To fetch a command buffer vk-handle, I need to first fetch the corresponding pool from a logical device, then fetch the command buffer. Since VirtIO ant Vtest provides a FIFO, maybe we could drop the command pool creation forwarding. Use only one pool per instance, and thus simplify command buffers lookups.

3: (MESA) Vtest and VirtIO switch is not straightforward right now.

An idea could be to add a level between vgl_vk* functions an vtest. vgl_vk* function would still manage the state of the ICD. the mid-layer would convert handles and payload to a common protocol for both VirtIO and Vtest. (Both could use vgl handles and some metadata). Then, a backend function, which would choose between vtest and virtio.

The handles could be either forwarded as-is (vtest case) Or translated to real virgl handles in the case of a kernel driver which could do a translation, or check them. But the metadata should not change.

4: (Virglrenderer/MESA) vtest error handling is bad.

Each command sends a result payload, and optionally, data. This result payload contains two informations. An error code, and a numerical value. Use as a handle, or a size. On server failure, error-codes should be used.

5: bugs, bugs and bugs.

This project is absolutely NOT usable right now.

洋葱浏览器

My first step should be to rebase this project onto the current virglrenderer version, and rewrite the history. In the mean time, rewrite the initialization part to allow both OpenGL and Vulkan to be ran. Then, fix the vtest/virtio architecture. Add this new mid-layer. Once refactorized, I should work on the error handling for client-server interactions.

Once in a sane state, other issues will have to be addressed.

洋葱浏览器

There is a main repo used to build and test it rapidly. In it, a bash script and a dockerfile (+ readme, todo)

The bash script in itself should be enough. But if the compilation fails for a reason, the dockerfile could be used.

  • repository

The README provided should be enough to make the sample app run.

洋葱浏览器

  • 下载shadowrocket
  • VirglRenderer
  • Vulkan compute sample
  • shadowrocket下载官网


> Leave a comment






洋葱浏览器

Currently working on a Vulkan extension for shadowrocket安卓免费版, I need to grep the API all the time. The official documentation gives me two options:

  • search the Vulkan spec (huge PDF)
  • use my browser custom engine feature and play with Khronos’ registry URL’s

The first is painful, and the second too strict (case sensitive).

Recently, I also went to an Algolia hosted meeting. Their search engine API looked good, and in my case, it’s free!

Thus, I took a couple hours off from my GSoC, and crafted this thing:

A dirty Vulkan API search engine.

shadowrocket安卓免费版


shadowrocket安卓下载