2014-11-10

Architecture Design of The Six Key Points

1. System-level separation

From the big system is concerned, digging the main things in doing four latitudes, the first is the membership center, digging a set of their own membership system, the second is the cash flow, the third is the wind control center, the first Four is the product center, and finally some of the clearing and clearing things.

Dashing will do some modest key separation on all systems. At this level SOA (the method of constructing distributed computing) is essential, when the system is formed after a certain size will force us to go in this direction.

In the cash flow system, because the characteristics of cash flow data and general data characteristics are not the same, it will continue to rise over time latitude, can not be divided simply by the user, so digging from the user and the two dimensions of the time line Distinguish cash flow. In order to maintain the consistency of the data, digging in the selection of the time using the Scala language. In the system architecture, the middleware will grow with the amount of data encountered bottlenecks, so digging in the back of the service-oriented specifically for the service to optimize the application layer for the data layer to do some shielding work to separate them .

?In addition to the technical separation of boundaries, we will be some division of responsibilities, so that personal advantage can be fully exploited, digging wealth at this point is the emphasis on front-end separation, the first digging in the technology is just doing asynchronous calls to generate Some of the norms of the protection level, but ultimately the front-end thing or to be done entirely by the front-end, which will make front-end efficiency of the overall increase.

2. Messaging

The above separation, mainly in the system-level isolation and delimitation, isolation also need to exchange between the system level interoperability, the formation of the system before they can produce greater value services. Digging the message to adopt a mechanism to solve the problem of system interoperability.

In the way of message transmission using remoting (distributed processing), remoting more or RPC-related concepts, the Internet most of the technical system are developed using multiple languages, RPC is a cross-language communication standards. Based on the service to do the work, the basic reference will use the DUBBO service framework. In view of the financial system requirements for high concurrency is not particularly high, digging adopted the HTTP protocol to achieve.

3. Asynchronous processing

Through messaging to solve the problem of system interoperability, in order to minimize the impact of events to the system, as far as possible where all go asynchronous.
[image]
?Mining, Async typical application scenarios

When the mobile end of the server-initiated requests directly to the million level, through asynchronous processing to form a complete asynchronous closed-loop, and other data processing, the data Push to the mobile side. In this process, the server-side can be some interaction, but also in the local to do something. Kafka and Akka are the most commonly used tools in this area. Akka is the Actor model in the JAVA / Scala platform, a more mature implementation.

Akka essentially has no speed limit, and all messages can be sent in real time. This can lead to a little carelessness that can lead to data crashes at the processing nodes, so the first problem we are dealing with using Akka is the current limit. Such as through the ACK mechanism to ease the back-end processing pressure.

4. Information storage, rather than missing

Dug the wealth of this piece of information is now more than the use of more than the principle of not missing, to retain every change to replace the original direct coverage, so that when the problem can be tracked, not because of the query is not a number of information and a head Fog.

Kafka in the message transmission link is also taken into account for this reason, we most value is Kafka multiple copies of data storage capacity.

In addition to Kafka, we also carried out some small practices, maintenance, if the core data changes, previously covered directly, it is now the core field with a version number, the late emergence of any problems can be based on time to find out the operation. For example, the collapse of Actors, we can create the function through the Akka back at any time, and will not be lost message, data loss. In short digging the financial technology to have their own time machine, a problem can be back.

5. System security

On the financial system, security is a more important issue. In the financial system, ATBS is already the minimum standard. In order to resist external hazards, first set the threshold as much as possible, so you can reduce the cost of technology.

In the technical level, will build the basic defense layer, such as network firewall, application firewall.

At the operational level, leveraging a third party, in the anti-fraud level using the same technology with the Shield dug technology, coupled with the wind control team for manual intervention.

At the interception level, in order to ensure isolation, and do not want Kafka to take over everything, the cluster problems, the collective will be affected, so want to physically deploy the application isolation, the corresponding cluster responsible for the corresponding business processes.

6. Storage redundancy

From the perspective of distributed storage, the traditional view of the Internet more in the CP point of view, is often weakened out of storage, but the Internet financial companies, the need to store data consistency to the first. For the core transaction system, in order to avoid the weakness of Message Queue, using a simple, flexible Multi-write to solve the problem of data consistency.

In terms of technical architecture, it is hoped that such an event-triggered, time-and-data-driven, resilient Reactive system will eventually emerge.

In the end, figures about this article will upload later.

2014-10-13

Analysis on Webview for Android

Desc on Webview

A View that displays web pages. This class is the basis upon which you can roll your own web browser or simply display some online content within your Activity. It uses the WebKit rendering engine to display web pages and includes methods to navigate forward and backward through a history, zoom in and out, perform text searches and more.

Note that, in order for your Activity to access the Internet and load web pages in a WebView, you must add the INTERNET permissions to your Android Manifest file:

1	<uses-permission android:name="android.permission.INTERNET" />

This must be a child of the element.

For more information, read Building Web Apps in WebView.

Using of Webview

By default, a WebView provides no browser-like widgets, does not enable JavaScript and web page errors are ignored. If your goal is only to display some HTML as a part of your UI, this is probably fine; the user won’t need to interact with the web page beyond reading it, and the web page won’t need to interact with the user. If you actually want a full-blown web browser, then you probably want to invoke the Browser application with a URL Intent rather than show it with a WebView. For example:

1
2
3

Uri uri = Uri.parse("http://www.example.com");
Intent intent = new Intent(Intent.ACTION_VIEW, uri);
startActivity(intent);

See Intent for more information.

To provide a WebView in your own Activity, include a in your layout, or set the entire Activity window as a WebView during onCreate():

 WebView webview = new WebView(this);
 setContentView(webview);
``` 
Then load the desired web page:
```java
 // Simplest usage: note that an exception will NOT be thrown
 // if there is an error loading this page (see below).
 webview.loadUrl("http://slashdot.org/");

 // OR, you can also load from an HTML string:
 String summary = "<html><body>You scored <b>192</b> points.</body></html>";
 webview.loadData(summary, "text/html", null);
 // ... although note that there are restrictions on what this HTML can do.
 // See the JavaDocs for loadData() and loadDataWithBaseURL() for more info.

reference articles:

2014-10-12

Analysis on Touch and Click for Android

current situation

If the touch and click mechanism disapper, the smart phone is not smart. The touch and click event is a bridage connect user and phone.

Analysis of Touch and Click

Mechanism of Touch and Click

There are many articles about how android works on touching event and click event. In a simple word, Click is an type of Touch and android all event on the screen is Touch.

Then, what would emphsize is that the View and ViewGroup have different Touch Process. For example, View has the dispatch function, but ViewGroup has intercept function.

How Use Touch and Click

In my view, you must have a clear logic for your business before coding. Then you can design some widgets. Of course, the process logic is not certain, especially, when you want design a common widget, you must put every possible scenario in consideration.

2014-08-08

Bio

Personal information

dachmx
Bachelor : Info. and Computing Science
Location: Shanghai Pudong District
Interests: Mobile / High Concurrency / Data Mining

Work Experience

58 HBG Anjuke
58 Group
Sony

Projects

click here

Education experience

Undergraduate Information and Computing Science, Shandong University of Science and Technology

professional skill

Familiar with Android Architecture
Familiar with the basic computer system structure, understanding of the principles of computer networks and TCP / IP protocols, skilled use of wireshark software communication protocol analysis;
Familiar with Linux, can use Shell / python to improve operational efficiency, will use awk / sed for text processing;
skilled management of Linux servers, build and use nginx, vsftp, samba, squid, lamp, redis and other servers;
Familiar with Java, familiar with Spring, Struts, Hibernate and Mybatis open source framework, such as the use of it developed Hadoop-based WebService distributed file management system, and the use of eclipse and Maven and other tools for development and testing;
Familiar with C / C ++, using C / C + + for network programming, dealing with high concurrent operations;
Familiar with Hadoop’s MapReduce distributed computing framework and distributed database hbase, build OpenStack for distributed development;
Familiar with neural network, KNN and other data mining algorithms, the use of Java / python / matlab; used caffe image training. Using the Python libraries including Scipy, numpy, and matplotlib;
Understanding of JavaScript, html and other front-end knowledge, can conduct a simple layout and debugging operations

Research results

Earn rewards

2010 North Jiangsu mathematical modeling third prize
2008-2013 Shandong University of Science and Technology Scholarship (third class) twice

Contact information

Email: dachmx ^ 163.com
QQ / WeChat: 834135708

2014-04-05

NcN 2013 CTF australia bin write up

In this post I will cover the first binary challenge of the No Con Name 2013 CTF driven by the Facebook security team. The binary is available here

This binary challenge is based on a i386 elf file which prompts for a flag:

$ file ./derp 
./derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=b77361bfdab4b30a5ed258ee173fe306184a4438, not stripped
$ ./derp 
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$

The first look at the binary:

$ gdb -q ./derp 
Reading symbols from /home/libcrack/Desktop/NcN2013-CTF/derp...(no debugging symbols found)...done.
gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x080482d4 <+0>:	push   ebp
   0x080482d5 <+1>:	mov    ebp,esp
   0x080482d7 <+3>:	and    esp,0xfffffff0
   0x080482da <+6>:	sub    esp,0x20
   0x080482dd <+9>:	call   0x80483fa <print_header>
   0x080482e2 <+14>:	mov    eax,ds:0x80d1088
   0x080482e7 <+19>:	mov    DWORD PTR [esp],eax
   0x080482ea <+22>:	call   0x804ffa0 <malloc>
   0x080482ef <+27>:	mov    DWORD PTR [esp+0x1c],eax
   0x080482f3 <+31>:	cmp    DWORD PTR [esp+0x1c],0x0
   0x080482f8 <+36>:	jne    0x8048329 <main+85>
   0x080482fa <+38>:	mov    eax,ds:0x80d14c4
   0x080482ff <+43>:	mov    DWORD PTR [esp+0xc],eax
   0x08048303 <+47>:	mov    DWORD PTR [esp+0x8],0x1b
   0x0804830b <+55>:	mov    DWORD PTR [esp+0x4],0x1
   0x08048313 <+63>:	mov    DWORD PTR [esp],0x80b2265
   0x0804831a <+70>:	call   0x8049130 <fwrite>
   0x0804831f <+75>:	mov    eax,0x1
   0x08048324 <+80>:	jmp    0x80483f8 <main+292>
   0x08048329 <+85>:	mov    eax,ds:0x80d1088
   0x0804832e <+90>:	mov    DWORD PTR [esp+0x8],eax
   0x08048332 <+94>:	mov    DWORD PTR [esp+0x4],0x0
   0x0804833a <+102>:	mov    eax,DWORD PTR [esp+0x1c]
   0x0804833e <+106>:	mov    DWORD PTR [esp],eax
   0x08048341 <+109>:	call   0x80481a0
   0x08048346 <+114>:	mov    edx,DWORD PTR ds:0x80d14bc
   0x0804834c <+120>:	mov    eax,ds:0x80d1088
   0x08048351 <+125>:	sub    eax,0x1
   0x08048354 <+128>:	mov    DWORD PTR [esp+0x8],edx
   0x08048358 <+132>:	mov    DWORD PTR [esp+0x4],eax
   0x0804835c <+136>:	mov    eax,DWORD PTR [esp+0x1c]
   0x08048360 <+140>:	mov    DWORD PTR [esp],eax
   0x08048363 <+143>:	call   0x8048fc0 <fgets>
   0x08048368 <+148>:	test   eax,eax
   0x0804836a <+150>:	jne    0x80483a4 <main+208>
   0x0804836c <+152>:	mov    eax,ds:0x80d14c4
   0x08048371 <+157>:	mov    DWORD PTR [esp+0xc],eax
   0x08048375 <+161>:	mov    DWORD PTR [esp+0x8],0x1b
   0x0804837d <+169>:	mov    DWORD PTR [esp+0x4],0x1
   0x08048385 <+177>:	mov    DWORD PTR [esp],0x80b2281
   0x0804838c <+184>:	call   0x8049130 <fwrite>
   0x08048391 <+189>:	mov    eax,DWORD PTR [esp+0x1c]
   0x08048395 <+193>:	mov    DWORD PTR [esp],eax
   0x08048398 <+196>:	call   0x804fee0 <free>
   0x0804839d <+201>:	mov    eax,0x2
   0x080483a2 <+206>:	jmp    0x80483f8 <main+292>
   0x080483a4 <+208>:	mov    eax,ds:0x80d1088
   0x080483a9 <+213>:	sub    eax,0x2
   0x080483ac <+216>:	mov    DWORD PTR [esp+0x4],eax
   0x080483b0 <+220>:	mov    eax,DWORD PTR [esp+0x1c]
   0x080483b4 <+224>:	mov    DWORD PTR [esp],eax
   0x080483b7 <+227>:	call   0x804841a <check_buffer>
   0x080483bc <+232>:	test   eax,eax
   0x080483be <+234>:	jne    0x80483e7 <main+275>
   0x080483c0 <+236>:	mov    eax,ds:0x80d14c4
   0x080483c5 <+241>:	mov    DWORD PTR [esp+0xc],eax
   0x080483c9 <+245>:	mov    DWORD PTR [esp+0x8],0x1c
   0x080483d1 <+253>:	mov    DWORD PTR [esp+0x4],0x1
   0x080483d9 <+261>:	mov    DWORD PTR [esp],0x80b229d
   0x080483e0 <+268>:	call   0x8049130 <fwrite>
   0x080483e5 <+273>:	jmp    0x80483f3 <main+287>
   0x080483e7 <+275>:	mov    DWORD PTR [esp],0x80b22ba
   0x080483ee <+282>:	call   0x8049430 <puts>
   0x080483f3 <+287>:	mov    eax,0x0
   0x080483f8 <+292>:	leave  
   0x080483f9 <+293>:	ret    
End of assembler dump.
gdb-peda$

The call to the function that will check the input buffer is located at 0x080483b7

1	0x080483b7 <+227>: call 0x804841a <check_buffer>

Let’s what the function check_buffer does:

gdb-peda$ pdisass check_buffer
Dump of assembler code for function check_buffer:
   0x0804841a <+0>:	push   ebp
   0x0804841b <+1>:	mov    ebp,esp
   0x0804841d <+3>:	sub    esp,0x10
   0x08048420 <+6>:	mov    BYTE PTR [ebp-0x5],0x0
   0x08048424 <+10>:	mov    BYTE PTR [ebp-0x6],0x0
   0x08048428 <+14>:	mov    BYTE PTR [ebp-0x7],0x0
   0x0804842c <+18>:	mov    DWORD PTR [ebp-0x4],0x0
   0x08048433 <+25>:	mov    DWORD PTR [ebp-0xc],0xcd000000
   0x0804843a <+32>:	jmp    0x804849c <check_buffer+130>
   0x0804843c <+34>:	mov    eax,DWORD PTR [ebp-0xc]
   0x0804843f <+37>:	shr    eax,0x18
   0x08048442 <+40>:	mov    BYTE PTR [ebp-0x7],al
   0x08048445 <+43>:	movzx  eax,BYTE PTR [ebp-0x7]
   0x08048449 <+47>:	and    eax,0xf
   0x0804844c <+50>:	mov    BYTE PTR [ebp-0x5],al
   0x0804844f <+53>:	movzx  eax,BYTE PTR [ebp-0x7]
   0x08048453 <+57>:	and    eax,0xfffffff0
   0x08048456 <+60>:	mov    BYTE PTR [ebp-0x6],al
   0x08048459 <+63>:	movzx  eax,BYTE PTR [ebp-0x6]
   0x0804845d <+67>:	mov    edx,eax
   0x0804845f <+69>:	shr    dl,0x4
   0x08048462 <+72>:	movzx  eax,BYTE PTR [ebp-0x5]
   0x08048466 <+76>:	shl    eax,0x4
   0x08048469 <+79>:	add    eax,edx
   0x0804846b <+81>:	mov    BYTE PTR [ebp-0x7],al
   0x0804846e <+84>:	mov    edx,DWORD PTR ds:0x80d1090
   0x08048474 <+90>:	mov    eax,DWORD PTR [ebp-0x4]
   0x08048477 <+93>:	add    eax,edx
   0x08048479 <+95>:	movzx  edx,BYTE PTR [eax]
   0x0804847c <+98>:	mov    eax,DWORD PTR [ebp-0x4]
   0x0804847f <+101>:	mov    ecx,DWORD PTR [ebp+0x8]
   0x08048482 <+104>:	add    eax,ecx
   0x08048484 <+106>:	movzx  ecx,BYTE PTR [eax]
   0x08048487 <+109>:	movzx  eax,BYTE PTR [ebp-0x7]
   0x0804848b <+113>:	xor    eax,ecx
   0x0804848d <+115>:	cmp    dl,al
   0x0804848f <+117>:	je     0x8048498 <check_buffer+126>
   0x08048491 <+119>:	mov    eax,0x0
   0x08048496 <+124>:	jmp    0x80484a9 <check_buffer+143>
   0x08048498 <+126>:	add    DWORD PTR [ebp-0x4],0x1
   0x0804849c <+130>:	mov    eax,DWORD PTR [ebp-0x4]
   0x0804849f <+133>:	cmp    eax,DWORD PTR [ebp+0xc]
   0x080484a2 <+136>:	jb     0x804843c <check_buffer+34>
   0x080484a4 <+138>:	mov    eax,0x1
   0x080484a9 <+143>:	leave  
   0x080484aa <+144>:	ret    
End of assembler dump.
gdb-peda$

First, the function will set the local variables after the function prologue at 0x08048420. After that It jumps to 0x080484a2 to finally jump again to 0x804843c which is when the important part takes place:

0x0804841a <+0>:	push   ebp
0x0804841b <+1>:	mov    ebp,esp
0x0804841d <+3>:	sub    esp,0x10
0x08048420 <+6>:	mov    BYTE PTR [ebp-0x5],0x0
0x08048424 <+10>:	mov    BYTE PTR [ebp-0x6],0x0
0x08048428 <+14>:	mov    BYTE PTR [ebp-0x7],0x0
0x0804842c <+18>:	mov    DWORD PTR [ebp-0x4],0x0
0x08048433 <+25>:	mov    DWORD PTR [ebp-0xc],0xcd000000
0x0804843a <+32>:	jmp    0x804849c <check_buffer+130>
0x0804849c <+130>:	mov    eax,DWORD PTR [ebp-0x4]
0x0804849f <+133>:	cmp    eax,DWORD PTR [ebp+0xc]
0x080484a2 <+136>:	jb     0x804843c <check_buffer+34>

Here, we can se some calculations over the registers eax,ecx and edx

0x0804843c <+34>:	mov    eax,DWORD PTR [ebp-0xc]
0x0804843f <+37>:	shr    eax,0x18
0x08048442 <+40>:	mov    BYTE PTR [ebp-0x7],al
0x08048445 <+43>:	movzx  eax,BYTE PTR [ebp-0x7]
0x08048449 <+47>:	and    eax,0xf
0x0804844c <+50>:	mov    BYTE PTR [ebp-0x5],al
0x0804844f <+53>:	movzx  eax,BYTE PTR [ebp-0x7]
0x08048453 <+57>:	and    eax,0xfffffff0
0x08048456 <+60>:	mov    BYTE PTR [ebp-0x6],al
0x08048459 <+63>:	movzx  eax,BYTE PTR [ebp-0x6]
0x0804845d <+67>:	mov    edx,eax
0x0804845f <+69>:	shr    dl,0x4
0x08048462 <+72>:	movzx  eax,BYTE PTR [ebp-0x5]
0x08048466 <+76>:	shl    eax,0x4
0x08048469 <+79>:	add    eax,edx
0x0804846b <+81>:	mov    BYTE PTR [ebp-0x7],al
0x0804846e <+84>:	mov    edx,DWORD PTR ds:0x80d1090
0x08048474 <+90>:	mov    eax,DWORD PTR [ebp-0x4]
0x08048477 <+93>:	add    eax,edx
0x08048479 <+95>:	movzx  edx,BYTE PTR [eax]
0x0804847c <+98>:	mov    eax,DWORD PTR [ebp-0x4]
0x0804847f <+101>:	mov    ecx,DWORD PTR [ebp+0x8]
0x08048482 <+104>:	add    eax,ecx
0x08048484 <+106>:	movzx  ecx,BYTE PTR [eax]
0x08048487 <+109>:	movzx  eax,BYTE PTR [ebp-0x7]
0x0804848b <+113>:	xor    eax,ecx
0x0804848d <+115>:	cmp    dl,al
0x0804848f <+117>:	je     0x8048498 <check_buffer+126>

Here follows the most important part of this dissasembled. The register ecx will contain the characters of the user’s input string. This value will get xored with eax and then compared to edx. If the input caracted contained in ecx equals to xor(eax,edx) the function will jump to the begining of the algorithm to repeat this check for every character of the string

1
2
3

0x0804848b <+113>:	xor    eax,ecx
0x0804848d <+115>:	cmp    dl,al
0x0804848f <+117>:	je     0x8048498 <check_buffer+126>

To calculate to correct value for the input string, It is needed to calculate the value of xor(eax,edx) every iteration. This can be easily achieved with the following gdb script:

# 0x804848b <check_buffer+113>:    xor    eax,ecx
# 0x804848d <check_buffer+115>:    cmp    dl,al
# 0x804848f <check_buffer+117>:    je     0x8048498 <check_buffer+126>
 
break *0x804848b
        commands
        printf "%c", $edx ^ $eax
        continue
end
 
break *0x804848d
        commands
        set $eax = $edx
        continue
end
 
run
quit

The execution will look like the followin excerpt:

$ echo | gdb -q -x au_derp.gdb ./au_derp
Reading symbols from /home/libcrack/Desktop/NcN2013-CTF/australia/au_derp...(no debugging symbols found)...done.
Breakpoint 1 at 0x804848b
Breakpoint 2 at 0x804848d
Facebook CTF
74c86bf89646425f647fcf7643af15f251b186bf58a6d5dc7eb8bf9cfc9d04cdEnter flag: Winner! Post your flag.
[Inferior 1 (process 19655) exited normally]
Warning: not running or target is remote

Challenge solved!

ref

libcrack

2014-04-05

NcN 2013 CTF canada write up

In this post I will cover the second binary challenge of the No Con Name 2013 CTF driven by the Facebook security team. The binary is available here

This binary challenge is based on a i386 stripped elf file which prompts for a flag:

$ file ./howtobasic
./howtobasic: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=4f288f1a66ad673dc50b51c7e85635358bb11da0, stripped
$ ./howtobasic
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$

As this binary is stripped, we need to first locate the entrypoint with the info file gdb command

1	$ gdb -q ./ca_howtobasic

Reading symbols from /home/libcrack/Desktop/NcN2013-CTF/canada/ca_howtobasic…(no debugging symbols found)…done.

gdb-peda$ info file
Symbols from "/home/libcrack/Desktop/NcN2013-CTF/canada/ca_howtobasic".
Local exec file:
	/home/libcrack/Desktop/NcN2013-CTF/canada/ca_howtobasic', file type elf32-i386.
	Entry point: 0x80481c0
	0x080480d4 - 0x080480f4 is .note.ABI-tag
	0x080480f4 - 0x08048118 is .note.gnu.build-id
	0x08048118 - 0x08048140 is .rel.plt
	0x08048140 - 0x08048166 is .init
	0x08048170 - 0x080481c0 is .plt
	0x080481c0 - 0x080b16ec is .text
	0x080b16f0 - 0x080b21b1 is __libc_freeres_fn
	0x080b21b4 - 0x080b21cb is .fini
	0x080b21e0 - 0x080cb138 is .rodata
	0x080cb138 - 0x080cb13c is __libc_atexit
	0x080cb13c - 0x080cb168 is __libc_subfreeres
	0x080cb168 - 0x080d0c3c is .eh_frame
	0x080d0c3c - 0x080d0d6b is .gcc_except_table
	0x080d1000 - 0x080d1010 is .tdata
	0x080d1010 - 0x080d1028 is .tbss
	0x080d1010 - 0x080d1018 is .init_array
	0x080d1018 - 0x080d1020 is .fini_array
	0x080d1020 - 0x080d1024 is .jcr
	0x080d1024 - 0x080d1054 is .data.rel.ro
	0x080d1054 - 0x080d105c is .got
	0x080d105c - 0x080d107c is .got.plt
	0x080d1080 - 0x080d17e0 is .data
	0x080d17e0 - 0x080d3374 is .bss
	0x080d3374 - 0x080d338c is __libc_freeres_ptrs
gdb-peda$

The gdb finds the program entry point: 0x80481c0. Because the binary is stripped, we cannot use the gdb command disassemble, as gdb does not know the function boundaries. To find it out it is neccesary to examine the code using the program counter register eip as reference. First, we need to set a breakpoint at the discovered program entry point:

gdb-peda$ 
gdb-peda$ break *0x80481c0
Breakpoint 1 at 0x80481c0
After that, the instructions can be examined by using the program counter as offset:

gdb-peda$ x/20i $pc
=> 0x80481c0:	xor    ebp,ebp
   0x80481c2:	pop    esi
   0x80481c3:	mov    ecx,esp
   0x80481c5:	and    esp,0xfffffff0
   0x80481c8:	push   eax
   0x80481c9:	push   esp
   0x80481ca:	push   edx
   0x80481cb:	push   0x8048b00
   0x80481d0:	push   0x8048b40
   0x80481d5:	push   ecx
   0x80481d6:	push   esi
   0x80481d7:	push   0x80482d4
   0x80481dc:	call   0x80484c0
   0x80481e1:	hlt    
   0x80481e2:	nop
   0x80481e3:	nop
   0x80481e4:	nop
   0x80481e5:	nop
   0x80481e6:	nop
   0x80481e7:	nop

At 0x80481dc the program calls . Before that, it sets the arguments to be passed to __libc_start_main in the stack (as the libc i386 calling convention specifies).

0x80481c8:	push   eax
0x80481c9:	push   esp
0x80481ca:	push   edx
0x80481cb:	push   0x8048b00
0x80481d0:	push   0x8048b40
0x80481d5:	push   ecx
0x80481d6:	push   esi
0x80481d7:	push   0x80482d4
0x80481dc:	call   0x80484c0

By taking a look at __libc_start_main, the arguments can be guessed:

int __libc_start_main(
    int (*main) (int, char * *, char * *), 
    int argc, 
    char * * ubp_av, 
    void (*init) (void), 
    void (*fini) (void), 
    void (*rtld_fini) (void), 
    void (* stack_end)
);

After stablishing the program entry point, we need to locate where the important code resides. For that, several searches should be launched inside the binary.For example, the strings that the program uses for input is a good start:

gdb-peda$ refsearch Enter
Searching for reference to: 'Enter' in: all ranges
Found 5 results, display max 5 items:
howtobasic : 0x8048318 (and    cl,BYTE PTR ss:[ebx])
   [stack] : 0xffffd2fc --> 0x80b2236 ("Enter flag: ")
   [stack] : 0xffffd424 --> 0x80b2236 ("Enter flag: ")
   [stack] : 0xffffd8c0 --> 0x80b2236 ("Enter flag: ")
   [stack] : 0xffffd8d0 --> 0x80b2236 ("Enter flag: ")
gdb-peda$
It’s also important to checkout the syscalls:

gdb-peda$ asmsearch "int 0x80" all
Searching for ASM code: 'int 0x80' in: all ranges
0x080489dd : (cd80)	int    0x80
0x0805763c : (cd80)	int    0x80
0x08058656 : (cd80)	int    0x80
0x08058d40 : (cd80)	int    0x80
0x08077126 : (cd80)	int    0x80
0x0807a91f : (cd80)	int    0x80
0x0808b0b5 : (cd80)	int    0x80
0x0808b0be : (cd80)	int    0x80
0x080ad93c : (cd80)	int    0x80
0x080ae5c2 : (cd80)	int    0x80
0x080ae6de : (cd80)	int    0x80
0xf7ffd406 : (cd80)	int    0x80
0xf7ffd415 : (cd80)	int    0x80
0xf7ffd42e : (cd80)	int    0x80
gdb-peda$

This binary look similiar to the first NcN CTF binary challenge. By looking for xor instructions, It can be noticed the following:

gdb-peda$ x/51i 0x80483fd
   0x80483fd:	pop    eax
   0x80483fe:	jmp    0x8048486
   0x8048403:	mov    eax,DWORD PTR [esp+0x1c]
   0x8048407:	and    eax,0x7
   0x804840a:	movzx  eax,BYTE PTR [eax+0x80d108c]
   0x8048411:	not    eax
   0x8048413:	mov    BYTE PTR [esp+0x1b],al
   0x8048417:	mov    eax,DWORD PTR [esp+0x1c]
   0x804841b:	mov    edx,DWORD PTR [esp+0x10]
   0x804841f:	add    eax,edx
   0x8048421:	movzx  eax,BYTE PTR [eax]
   0x8048424:	not    eax
   0x8048426:	mov    BYTE PTR [esp+0x1a],al
   0x804842a:	mov    edx,DWORD PTR ds:0x80d1088
   0x8048430:	mov    eax,DWORD PTR [esp+0x1c]
   0x8048434:	add    eax,edx
   0x8048436:	movzx  edx,BYTE PTR [eax]
   0x8048439:	movzx  eax,BYTE PTR [esp+0x1a]
   0x804843e:	movzx  ecx,BYTE PTR [esp+0x1b]
   0x8048443:	xor    eax,ecx
   0x8048445:	cmp    dl,al
   0x8048447:	je     0x8048481
   0x8048449:	mov    eax,ds:0x80d14c4
   0x804844e:	mov    DWORD PTR [esp+0xc],eax
   0x8048452:	mov    DWORD PTR [esp+0x8],0x1c
   0x804845a:	mov    DWORD PTR [esp+0x4],0x1
   0x8048462:	mov    DWORD PTR [esp],0x80b227b
   0x8048469:	call   0x8049140
   0x804846e:	mov    eax,DWORD PTR [esp+0x10]
   0x8048472:	mov    DWORD PTR [esp],eax
   0x8048475:	call   0x804fef0
   0x804847a:	mov    eax,0x0
   0x804847f:	jmp    0x80484bd
   0x8048481:	add    DWORD PTR [esp+0x1c],0x1
   0x8048486:	mov    eax,DWORD PTR [esp+0x14]
   0x804848a:	sub    eax,0x2
   0x804848d:	cmp    eax,DWORD PTR [esp+0x1c]
   0x8048491:	ja     0x8048403
   0x8048497:	mov    DWORD PTR [esp],0x80b2298
   0x804849e:	call   0x8049440
   0x80484a3:	push   eax
   0x80484a4:	xor    eax,eax
   0x80484a6:	je     0x80484ab
   0x80484a8:	jne    0x80484ab
   0x80484aa:	call   0x2c491007
   0x80484af:	adc    BYTE PTR [ecx+0x38e82404],cl
   0x80484b5:	jp     0x80484b7
   0x80484b7:	add    BYTE PTR [eax+0x0],bh
   0x80484bd:	leave  
   0x80484be:	ret    
   0x80484bf:	nop
gdb-peda$

Here, the values or eax and ecx get xored and compared to edx. The only difference in this challenge is that the value stored in eax is the negated value of the user input string. The challenge can be resolved using the following GDB script:

break *0x8048443
    commands
    silent
    printf "%c", (($edx ^ $ecx)*-1)-1
    continue
end
break *0x8048445
    commands
    silent
    set $eax = $edx
    continue
end
run
quit

Lets try it!

$ gdb -q -x howtobasic.gdb ./howtobasic
Reading symbols from /home/libcrack/Desktop/NcN2013-CTF/canada/howtobasic...(no debugging symbols found)...done.
Breakpoint 1 at 0x8048443
Breakpoint 2 at 0x8048445
Facebook CTF
Enter flag: uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
60115893a79735aec54ed5ea91fbdbf0ab192e5eea24956fc29fed38466af9a2Winner! Post your flag.
[Inferior 1 (process 19342) exited normally]
Warning: not running or target is remote
$ 
$ ./howtobasic 
Facebook CTF
Enter flag: 60115893a79735aec54ed5ea91fbdbf0ab192e5eea24956fc29fed38466af9a2
Winner! Post your flag.
$

ref

libcrack

2014-03-12

Getting Start Using SVM For Multi-classification

Instruction

Using

reference articles

sklearn multiclass

Support Vector Machines

2014-03-11

Getting Start Using TensorFlow

Instruction

TensorFlow™ is an open source software library for numerical computation using data flow graphs. Nodes in the graph represent mathematical operations, while the graph edges represent the multidimensional data arrays (tensors) communicated between them. The flexible architecture allows you to deploy computation to one or more CPUs or GPUs in a desktop, server, or mobile device with a single API. TensorFlow was originally developed by researchers and engineers working on the Google Brain Team within Google’s Machine Intelligence research organization for the purposes of conducting machine learning and deep neural networks research, but the system is general enough to be applicable in a wide variety of other domains as well.

HelloWorld

2014-03-10

SVM Instruction

Instruction

In machine learning, support vector machines (SVMs, also support vector networks[1]) are supervised learning models with associated learning algorithms that analyze data used for classification and regression analysis. Given a set of training examples, each marked as belonging to one or the other of two categories, an SVM training algorithm builds a model that assigns new examples to one category or the other, making it a non-probabilistic binary linear classifier. An SVM model is a representation of the examples as points in space, mapped so that the examples of the separate categories are divided by a clear gap that is as wide as possible. New examples are then mapped into that same space and predicted to belong to a category based on which side of the gap they fall on.

In addition to performing linear classification, SVMs can efficiently perform a non-linear classification using what is called the kernel trick, implicitly mapping their inputs into high-dimensional feature spaces.

When data are not labeled, supervised learning is not possible, and an unsupervised learning approach is required, which attempts to find natural clustering of the data to groups, and then map new data to these formed groups. The clustering algorithm which provides an improvement to the support vector machines is called support vector clustering[2] and is often used in industrial applications either when data is not labeled or when only some data is labeled as a preprocessing for a classification pass.

2014-03-10

Getting Start Using SVM Module of Sklearn

Instruction

SVN principle is more complex, but the idea is very simple, one sentence is summarized, that is, through a kernel function, the data in the high-dimensional space to find an optimal hyperplane, can separate the two types of data.

For different data sets, the classification of different kernel functions may be completely different. There are several optional kernel functions:

Linear function: a linear function of the form K (x, y) = x * y;

Polynomial function: A polynomial function of the form K (x, y) = [(x · y) +1] ^ d;

Radial basis function: an exponential function of the form K (x, y) = exp (- | x-y | ^ 2 / d ^ 2)

Sigmoid function: is the Sigmoid function mentioned in the previous article.

Code using Lib Sklearn

codes as follows:

# -*- coding: utf-8 -*-
import numpy as np
import scipy as sp
from sklearn import svm
from sklearn.cross_validation import train_test_split
import matplotlib.pyplot as plt

data   = []
labels = []
with open("data\\1.txt") as ifile:
        for line in ifile:
            tokens = line.strip().split(' ')
            data.append([float(tk) for tk in tokens[:-1]])
            labels.append(tokens[-1])
x = np.array(data)
labels = np.array(labels)
y = np.zeros(labels.shape)
y[labels=='fat']=1
x_train, x_test, y_train, y_test = train_test_split(x, y, test_size = 0.0)

h = .02  
# create a mesh to plot in
x_min, x_max = x_train[:, 0].min() - 0.1, x_train[:, 0].max() + 0.1
y_min, y_max = x_train[:, 1].min() - 1, x_train[:, 1].max() + 1
xx, yy = np.meshgrid(np.arange(x_min, x_max, h),
                     np.arange(y_min, y_max, h))

''' SVM '''
# title for the plots
titles = ['LinearSVC (linear kernel)',
          'SVC with polynomial (degree 3) kernel',
          'SVC with RBF kernel',
          'SVC with Sigmoid kernel']
clf_linear  = svm.SVC(kernel='linear').fit(x, y)
#clf_linear  = svm.LinearSVC().fit(x, y)
clf_poly    = svm.SVC(kernel='poly', degree=3).fit(x, y)
clf_rbf     = svm.SVC().fit(x, y)
clf_sigmoid = svm.SVC(kernel='sigmoid').fit(x, y)

for i, clf in enumerate((clf_linear, clf_poly, clf_rbf, clf_sigmoid)):
    answer = clf.predict(np.c_[xx.ravel(), yy.ravel()])
    print(clf)
    print(np.mean( answer == y_train))
    print(answer)
    print(y_train)

    plt.subplot(2, 2, i + 1)
    plt.subplots_adjust(wspace=0.4, hspace=0.4)
    
    # Put the result into a color plot
    z = answer.reshape(xx.shape)
    plt.contourf(xx, yy, z, cmap=plt.cm.Paired, alpha=0.8)
    
    # Plot also the training points
    plt.scatter(x_train[:, 0], x_train[:, 1], c=y_train, cmap=plt.cm.Paired)
    plt.xlabel(u'height')
    plt.ylabel(u'body weight')
    plt.xlim(xx.min(), xx.max())
    plt.ylim(yy.min(), yy.max())
    plt.xticks(())
    plt.yticks(())
    plt.title(titles[i])
    
plt.show()