Aaron's engineering blog

; intel x86_64 mov rcx , rsi ; move size argument into rcx for the loop mov rsi , rdi ; move the the text pointer to rsi for printing xor rax , rax ; clear out registers xor rdi , rdi scan: ; scan for breakpoints cmp byte [ rsi ] , 0xCC je fuck_you inc rsi loop scan xor rdi , rdi ret fuck_you: xor rdi , rdi mov al , 1 ret @ ARM scan: .code 32 ldr r3 , = 0xE7F00000 @ load breakpoint constant ldr r4 , = 0xFFFF0000 @ mask loop: ldr r2 , [ r0 ] @ load byte code into r2 and r2 , r4 @ clear out extra data in bytecode with mask cmp r2 , r3 @ is it a breakpoint ? beq fuck @ if so FUCK cmp r1 , # 0 @ are we at the end ? beq safe @ if so we are safe sub r1 , # 1 @ decrement the counter add r0 , # 1 @ increment our pointer bne loop @ if we are still loopi

This is technically a new vulnerability found by myself that checks for BOTH mine and the original vulnerability that would fail to write over the memory location directly below what would be a jmp to say we were in fact in the matrix. // ------------------------------------------------------------------------------ // THE BEER-WARE LICENSE (Revision 43): // < aaronryool@gmail.com > wrote this file. As long as you retain this notice you // can do whatever you want with this stuff. If we meet some day, and you think // this stuff is worth it, you can buy me a beer in return // ------------------------------------------------------------------------------ # include < unistd.h > # include < stdlib.h > # include < signal.h > # include < sys/mman.h > int main ( unsigned a ) ; __sighandler_t handler ( int sig ) // our signal handler function { switch ( sig ) { case SIGSEGV : // when segfaults happen main ( 0xC0DE ) ; // assum

// ------------------------------------------------------------------------------ // THE BEER-WARE LICENSE (Revision 43): // < aaronryool@gmail.com > wrote this file. As long as you retain this notice you // can do whatever you want with this stuff. If we meet some day, and you think // this stuff is worth it, you can buy me a beer in return // ------------------------------------------------------------------------------ # include < unistd.h > # include < stdlib.h > # include < signal.h > # include < sys/mman.h > int main ( unsigned a ) ; __sighandler_t handler ( int sig ) // our signal handler function { switch ( sig ) { case SIGSEGV : // when segfaults happen main ( 0xC0DE ) ; // assume they have to be because of the bug and tell us we are in the matrix break ; } } int main ( unsigned a ) { if ( a = = 0xC0DE ) goto irl ; // if this shit is from a segfault, we are in real life :( signal ( SIGSEGV , &

Think you are man (or woman) enough to solve this baby? ;) // Play like this: // $ gcc test.c -Os -fno-stack-protector -z execstack -o test // Email your answers to: aaronryool@gmail.com typedef unsigned char by ; extern char * * environ ; main ( a , b , c , d , e , f , g , h , i , j , k , l , m , n , o , p , q , r , s , t , u , v , w , x , y , z ) { by m11 [ ] = " \x5d \x24 \xff \x8b \x77 \xc6 \x32 \xd7 \xc2 \x9f \x3f \x11 \xc1 \xdeadc0de " ; " " ; t = " \xec \x7d \xcf \x30 \x66 \x31 \x15 \x6f \x71 \x3f \xd6 \x53 \x65 " ; by m1 [ ] = " \x48 \x31 " \ " \xc0 \xb0 \x3c \x48 \x31 \xff \x0f \x05 " ; " \x7 \x8 \xeb \x14 \x5e \x048 " ; z = a < 2 ? 1 : 0 ; by m6 [ ] = " \x9b \x29 \x61 \x78 \x13 \xda \x08 \x85 " ; by m7 [ ] = " \x0d3 \xa4 \x26 \x8a \x5b \xeb \xf7 " \ " \x46 " ; o = " \x48 \x31 \xc0 \x48 \x89 \xd1 \x8a \x07 \x30 \x06 \x048 \xff \xc6 \x48 \xff \xc7 "