Running the Mooosl Demo banner
trailofbits trailofbits

Running the Mooosl Demo

Design community intermediate
SOURCE https://github.com/trailofbits/BTIGhidra

Description

This demo walks through running the analysis pass via the UI on the [mooosl CTF challenge](https://github.com/o-o-overflow/dc2021q-mooosl). The goal is to automatically infer and apply the linked list

Installation

Terminal
claude install-skill https://github.com/trailofbits/BTIGhidra

README

Running the Mooosl Demo

This demo walks through running the analysis pass via the UI on the [mooosl CTF challenge](https://github.com/o-o-overflow/dc2021q-mooosl). The goal is to automatically infer and apply the linked list type to the global variable and functions that operate over it. These directions assume the user already has BTIGhidra installed in a running Ghidra instance. For installation directions please refer to the [README](README.md)

Challenge Introduction

Mooosl is a CTF challenge that features a use-after-free. The challenge binary is located in `./binary_type_inference/test_data/mooosl` and the source for the challenge is located in `./binary_type_inference/test_data/mooosl_source/`.

The binary presents this menu:

![menu of options: store query delete exit](resources/mooosl_running.png)

Each of the functions `store`, `query`, and `delete` manipulate a hashmap like data structure:

struct node {
    uint8_t *key;
    uint8_t *value;
    size_t key_size;
    size_t value_size;
    uint64_t hash;
    struct node *next;
    // struct node *prev;
};


static struct node *list_heads[HASH_SIZE];

The delete function contains a buggy condition causing an element to remain on the linked list if it is the last element on the list, but the element will be freed.

For this demo we aren't interested in the bug but rather utilizing type inference to improve the initial decompilation/reverse engineering of the target.

Inferring Moool's Linked List Type

Importing the binary:

Import the binary `./binary_type_inference/test_data/mooosl` into a Ghidra project like normal (File->Import File). Default import options are sufficient, but enable Decompiler Parameter ID after clicking yes in the analysis prompt.

![prompt asking wether to analyze the binary](resources/shouldAnalyze.png)

![analysis options window with Decompiler Parameter ID checked](resources/analysisParameterID.png)

Running Decompiler Parameter ID is important because the current type inference algorithm relies on a priori knowledge of where parameters for a given function are stored.

Exploring the Binary

To prove that the inference algorithm is actually doing something, feel free to explore the binary at this time.

To save some time here is a table of function address to function name.

Function Address Function Name
FUN_001015a4 store
FUN_00101672 query
FUN_0010171b delete
FUN_001014fb lookup
FUN_00101436 value_dump

For now we will focus on the lookup function.

The original decompilation is reproduced below

void ** FUN_001014fb(void *param_1,void *param_2)

{
  int iVar1;
  ulong uVar2;
  void **local_18;
  
  uVar2 = FUN_001013db((long)param_1,(ulong)param_2);
  local_18 = *(void ***)(&DAT_00104040 + (ulong)((uint)(void *)(uVar2 & 0xffffffff) & 0xfff) * 8);
  while( true ) {
    if (local_18 == (void **)0x0) {

Related Skills

Algorithmic Art preview

Algorithmic Art

When users request creating art using code, generative art, algorithmic art, flow fields, or particle systems

Create generative art using p5.js with seeded randomness, flow fields, and particle systems

Anthropic Design official
Brand Guidelines preview

Brand Guidelines

When brand colors, style guidelines, visual formatting, or company design standards apply

Apply Anthropic's official brand colors and typography to artifacts

Anthropic Design official
Canvas Design preview

Canvas Design

When user asks to create a poster, piece of art, design, or other static piece

Create beautiful visual art in PNG and PDF documents using design philosophy

Anthropic Design official
Frontend Design preview

Frontend Design

When user asks to build web components, pages, applications, dashboards, or style/beautify web UI

Create distinctive, production-grade frontend interfaces with high design quality

Anthropic Design official
Slack Gif Creator preview

Slack Gif Creator

When users request animated GIFs for Slack

Create animated GIFs optimized for Slack's size constraints

Anthropic Design official
Theme Factory preview

Theme Factory

When user wants to apply a theme or styling to an artifact

Style artifacts with professional themes including 10 pre-set color/font combinations

Anthropic Design official

Related Agents

Html Css

| Web standards for semantic markup, maintainable styling, and accessibility. | - | [wshobson/agents](https://github.com/wshobson/agents) |

Design agent

ui-visual-validator

| You are an experienced UI visual validation expert specializing in comprehensive visual testing and... | sonnet | [wshobson/agents](https://github.com/wshobson/agents) |

Design agent

Refactor Clean

| You are a code refactoring expert specializing in clean code principles, SOLID design patterns, and... | - | [wshobson/agents](https://github.com/wshobson/agents) |

Design agent