Everything OK Calle? It's been a while since we've heard from you. Thumbs up if everything is good.
@ZetaTwo (4 months ago)
Oh yeah I'm all good. I just haven't made any YT content in a while. I'm still active on Twitter and other places though. We'll see if I do any streaming or videos anytime soon.
@Kolor-kode (4 months ago)
@@ZetaTwo Good to hear 🙂
@avi-brown (5 months ago)
Thanks, very interesting
@kevinwydler7305 (8 months ago)
This bug is beautiful! Thank you for this detailed writeup, learned a ton!
@ZetaTwo (8 months ago)
Thank you. Glad that you liked it!
@zoenagy9458 (1 year ago)
wow super hard math
@michaelraasch5496 (1 year ago)
Great explanation!
@ZetaTwo (1 year ago)
Glad you liked it!
@lonewang5547 (1 year ago)
2:31:06 makes my day
@CSI-Zephyr (1 year ago)
can't find the binary anywhere ...
@ZetaTwo (1 year ago)
I have uploaded it here now: zeta-two.com/assets/other/larsh-speedrev5.tgz
@DungNguyen-gk9do (1 year ago)
okie bro
@7vos7 (1 year ago)
Hey Calle, thanks for a wonderful live re :) Enjoyed seeing you do the chall and rewind the thought process I had at the game 🔥 @2:00 haha Lars strategically sets a lower bar xDD I did it in 34 min at the CTF, and that was 3rd blood! (ThreeTop Walk 30 min, RedRocket whopping 18 min)
@ZetaTwo (1 year ago)
Hi Vlad! Thank you! Glad you liked the video. Oh wow, those are some really fast times. Great work!
@saketsrv9068 (1 year ago)
Late to the party but worth it
@ZetaTwo (1 year ago)
Glad you liked it!
@Kolor-kode (1 year ago)
Been patiently waiting for the next upload, missed the stream as I was working but nice to see you back.
@rosiefay7283 (2 years ago)
1:12 "I do not condone piracy" indeed. 12:51 This implies that the recipient, knowing s, can easily find s^{-1}. OK, I can see how that might be easy if it's easy to factorise n-1. But for one thing, that might not be easy. And for another, didn't you imply that an easier step is secure because it's practically impossible to calculate a modular inverse?
@ZetaTwo (2 years ago)
s^{-1} is just the inverse of s (mod n), which can be efficiently calculated using, for example, the Extended Euclidean algorithm. No factorization needed. The thing that is difficult to calculate is the discrete logarithm, which is a separate problem.
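The modular inverse the reply above refers to, as an added example that is not code from the video or the channel: the Extended Euclidean algorithm finds s^{-1} mod n in a logarithmic number of division steps and never touches the factorisation of n or n-1. The moduli and the value of s below are constructed sample inputs, with the Mersenne prime 2**127 - 1 standing in for a curve order.

```python
"""Computing s^{-1} (mod n) with the Extended Euclidean algorithm.

Added example, not code from the video. Moduli are constructed
sample values: a small prime for a hand-checkable case and the
Mersenne prime 2**127 - 1 as a stand-in for a curve order n.
Nothing here factorises n or n - 1.
"""
from typing import Tuple


def extended_gcd(a: int, b: int) -> Tuple[int, int, int, int]:
    """Return (g, x, y, steps) with a*x + b*y == g == gcd(a, b).

    `steps` counts Euclidean division steps, which grows with
    log(n), so the inverse is cheap even for 256-bit moduli.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
        steps += 1
    return old_r, old_x, old_y, steps


def modinv(s: int, n: int) -> int:
    """Return the unique t in [0, n) with s*t == 1 (mod n).

    Raises ValueError when gcd(s, n) != 1; for a prime curve order n
    that only happens for s == 0 (mod n), which ECDSA rejects anyway.
    """
    g, x, _, _ = extended_gcd(s % n, n)
    if g != 1:
        raise ValueError(f"{s} has no inverse modulo {n} (gcd = {g})")
    return x % n


def inverse_steps(s: int, n: int) -> int:
    """Number of division steps the inverse of s mod n needed."""
    return extended_gcd(s % n, n)[3]


if __name__ == "__main__":
    # Small, hand-checkable case: 3 * 34 = 102 = 1 (mod 101).
    print(modinv(3, 101))
    # Constructed 127-bit prime modulus: a few dozen steps, no factoring.
    n = 2**127 - 1
    s = 0x1234567890ABCDEF
    t = modinv(s, n)
    assert (s * t) % n == 1
    # Cross-check against Python's built-in modular inverse.
    print(t == pow(s, -1, n), inverse_steps(s, n))
```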
@siegfriedzimmer6779 (2 years ago)
Great stream, thank you so much. Partly it was hard to read; the font size (e.g. in Binary Ninja or in Chrome dev tools) is too small. BTW, isn't there an option in hashcat to use CPU only? I think it's -D 1. Keep going!
@ZetaTwo (2 years ago)
Glad that you liked it. Sorry about the font size. I will try to have a checklist for next stream to remember to increase the font size in all the important programs. Good point about hashcat, that would have been very useful instead of flailing around with john. Will take a look.
@blackie0076 (2 years ago)
vos looks like scarlett johansson's lil brother
@icenberg5908 (2 years ago)
I must say, an incredible video.
@ZetaTwo (2 years ago)
Thank you! Glad that you liked it.
@Kolor-kode (2 years ago)
Miss these :(
@mrpi230 (2 years ago)
Thank you, great explanation.
@ZetaTwo (2 years ago)
Thank you! Glad that you liked it.
@username8061 (3 years ago)
Hey, Zeta, around 2:55:33 you said something about being able to do a copy with printf. I looked it up but couldn't find much. So, how do you go about copying stuff with printf?
@ZetaTwo (3 years ago)
Basically you can do the following:
%x/%d - direct read
%s - indirect read
%n - write
%*0x + %n - copy
By using the * specifier you can increment the output counter by a number on the stack and then use %n to write that number elsewhere. This can therefore be used to copy a value from the stack to a location pointed to by some value on the stack. Does this help?
@username8061 (3 years ago)
@@ZetaTwo Wow, cool. So the * takes the width not from the format string, but from the stack as an argument, so whatever's on the stack becomes the number of characters printed for %n, right? But it seems as if it takes the whole uint64 as width, not just one byte, so it looks like that would only work with small values, where the most significant bytes are zeroes, but if it's something like an address, like 7fff.., printing that many characters would be a problem, wouldn't it?
@ZetaTwo (3 years ago)
@@username8061 I think so, but there are also other contexts for format strings, such as sprintf, where things aren't actually output, where you would be able to use this with large numbers.
@username8061 (3 years ago)
@@ZetaTwo Ok, lots of thanks for explaining. This one definitely goes into my box of tricks now
@ZetaTwo (3 years ago)
@@username8061 You are welcome!
@SumitSingh-xu4qs (3 years ago)
Very nice bro
@siegfriedzimmer6779 (3 years ago)
Hey Calle, please make Part 2, I love your content!!
@ZetaTwo (3 years ago)
Part 2 can be found here: kzread.info/dash/bejne/kX-dk7qBlb3FerA.html
@pwnearth5505 (3 years ago)
Pwn earth!?!
@noceursan (2 years ago)
MLP and Equestria is set in the future so it probably will happen one day.
@django4356 (3 years ago)
When do you think you will stream part 2?
@ZetaTwo (3 years ago)
Fairly soon. I had planned to do it this weekend but I got nerd sniped by another thing which I'm a bit caught up in. I will aim for later this week or next weekend. Will announce beforehand.
@ZetaTwo (3 years ago)
Part 2 can be found here: kzread.info/dash/bejne/kX-dk7qBlb3FerA.html
@Kolor-kode (3 years ago)
When's the next pwny race Zeta?
@ZetaTwo (3 years ago)
I don't know at the moment unfortunately.
@Kolor-kode (3 years ago)
@@ZetaTwo Well I look forward to their return hopefully. Love your videos.
@bloomtwig76 (3 years ago)
🤔
@w3w3w3 (3 years ago)
THANKS!!!!!!!!!!!!! :)
@ZetaTwo (3 years ago)
Glad you liked it!
@Haxr-dq6wt (3 years ago)
Will you do the rest of the flags?
@ZetaTwo (3 years ago)
I hope to do a walkthrough but not a blind solve of the rest of the flags.
@amitfarag11 (3 years ago)
If you want to skip the installations and stuff: 17:45
@layle4487 (3 years ago)
What's that font you are using in VS Code?
@ZetaTwo (3 years ago)
Fantasque Sans Mono: github.com/belluzj/fantasque-sans, basically a monospace version of Comic Sans. :D
@unknownname1377 (3 years ago)
Why didn't you call r4j? Next time we're waiting to see him on the next episode
@ZetaTwo (3 years ago)
I don't know who that is but feel free to suggest people you would like to see in an episode.
@penguinerage (3 years ago)
Love your content, Calle! I hope we get to see more this year
@ZetaTwo (3 years ago)
Glad you like it. There will definitely be more.
@basaalex3209 (3 years ago)
At ~46:00 the reason it stops at \x00 is because of a strcpy that you missed in both add_device and edit_device :)
@ZetaTwo (3 years ago)
Ah yes! Of course! Thanks for pointing it out.
@sudo77 (3 years ago)
seems like this can be solved with srop
@ZetaTwo (3 years ago)
Feel free to have a go at the challenge yourself and submit a solution here: github.com/ZetaTwo/pwny-racing-solutions/tree/master/challenges/challenge03-episode2
@MatthewOBrien314 (3 years ago)
Really nice video, thanks for making it.
@Roeclean (3 years ago)
Huh. NEAT
@solivictus1593 (3 years ago)
ssh ubunut
@superhero1 (3 years ago)
Great stream! Crazy how it is modifying the instructions, I have not seen this before. Thank you!
@ZetaTwo (3 years ago)
Thank you! Yeah, I talk about this a little at some point. It's a very annoying class of techniques. There are different variants, like SEH as used here, or having a separate process attach as a debugger. You can use the single-step mode like this or change the code to be non-executable, for example, to trigger exceptions.
@basaalex3209 (3 years ago)
Thanks for the great content. Waiting for part 2.
@ZetaTwo (3 years ago)
Thank you. Yeah, I will hopefully do part two either this weekend or next week.
@neoXXquick (3 years ago)
Amazing...
@mattiasgrenfeldt174 (3 years ago)
Good job! Very nice video! :)
@dennisdubrefjord5577 (3 years ago)
This is great, thank you!
@mamailo2011 (3 years ago)
Loved the video, thanks Sony; dudes, next time hire a professional mathematician
@_nit (3 years ago)
This was a fantastic explanation. Incredible video dude.
@ZetaTwo (3 years ago)
Thanks! Glad you liked it!
@singingbanana (3 years ago)
I loved this.
@ZetaTwo (3 years ago)
Thank you James! Means a lot, and thanks for inspiring this by creating this campaign.
@pitchpitch8172 (3 years ago)
Thanks for all the videos Mr Zeta. I'm from Algeria, and starting out in reverse engineering, since no such thing exists in my country. Currently I'm working on reversing a car ECU, and through my research on the internet I've found out that my file looks like the one you solved in RHme2 five years ago, 2017, the "FRIDGEJIT" .... got some guidance from liveoverflow, but your video is not complete. Would you please share your solution with me, because I can't find it anywhere. I'm stuck with the OS program built on top of the application, no progress, I guess the passion for reverse engineering is not enough, you got to have skills and background. Thanks in advance.
@ZetaTwo (3 years ago)
I have not documented my solution to that challenge in an easily consumable way. The video LiveOverflow has is all there is. Feel free to send an email to [email protected] with a little bit more description of what you are doing and I will try to point you in the right direction.
@valcron-1000 (3 years ago)
Amazing content. Why would they even use a fixed number for such a task? How could this happen?
@ZetaTwo (3 years ago)
Thanks a lot! I can come up with a few hypotheses. It could have been that they misunderstood the specification and thought you could generate one random number for everything, or maybe it was some kind of test/debug value to get predictable output for testing or something, or maybe it was a bug in their code.
@FloydMaxwell (3 years ago)
@@ZetaTwo Or a techie wanted to create a flaw on purpose
@ZetaTwo (3 years ago)
@@FloydMaxwell If you want to go more into conspiracy territory, yes, that is also a theoretical possibility.
@LiEnby (5 months ago)
The most likely answer is because calling C's rand() function uses a fixed seed by default unless you use srand() to set the seed first.
@alejoesteban4032 (3 years ago)
Cool video, I'll rewatch it in the future.
@H0RRAX (3 years ago)
This is my favorite video in this series (so far)! Have you thought of doing more videos like that, where you give an in-depth view of a popular exploit of the past?
@ZetaTwo (3 years ago)
Thank you! Glad that you liked it. I have not really thought about what to do next since I was really pushing to get this out before the deadline; however, that is actually a pretty good suggestion. I noticed when I was researching this topic that most popular sources were way too simplified or even wrong about how this exploit worked, which actually slowed down my work significantly. If you have any specific suggestions, feel free to send them. I have some hectic weeks coming up but I hope to be able to release more videos on a somewhat regular schedule in the not too distant future.
@MySqueezingArm (4 years ago)
Thank you for the very informative content. Downloaded so I can rewatch a few times to grasp the topic.
@Haxr-dq6wt (4 years ago)
Hey Calle, will you go through the rest?
@ZetaTwo (4 years ago)
Today at 19:00 CEST: kzread.info/dash/bejne/iqSV1Zeufs6Wp7A.html