DDTEK DEFCON CTF 2011 QUALS FORENSICS 400 writeup

Hint: "Can you beleive people do this? ddTEK doesn't."

Not really my kind of challenge, but I picked it up because of PDF exploits. Ok, I guess everybody figured out how to get the jailbreak exploit files from the ddtek web site. Anyway, we got two files, iPhone2,1_3.1.2.pdf and wad.bin. If we compare the original files from jailbreak.com with the ddtek ones, we see that there are differences. I didn't find anything of interest in the PDF at first, so I concentrated on wad.bin. If you studied how the original exploit works, you'd find out that wad.bin contains compressed data. There was this very helpful post on the Fortinet blog: http://blog.fortinet.com/tag/wad/

We can extract the xz archive from wad.bin with (bs=1, so skip and count are byte offsets):

    dd if=./wad.bin skip=111905 of=./wad.xz bs=1 count=3797368

Again, comparing the original and ddtek wad.xz reveals differences, but we can conclude that apart from the size tag at the beginning of wad.bin, all differences are in the archive part. Extracting the archive gives us a bunch of directories with a bunch of files in standard iPhone dirs...

Now, just run "ls -aR / >> dirlist" from the root of both the original and the ddtek extracted trees and compare the dirlist files. This reveals a bunch of differences, most of them in .svn dirs that only exist in the ddtek archive. This looked like a red herring from the start, but from there you learn about https://www.glamorganpub.co.uk/, which is apparently where ddtek was keeping an SVN for this challenge (very interesting :D). The fact that the website went down 15 after the start of the challenge assured me that they left the .svn dirs in by accident and just shut down the site...

Now, apart from the svn files, there was one single file in the ddtek dir tree that didn't exist in the original. Interestingly enough, it was /usr/bin/dd:

    [ea@foundation bin] $ file dd
    dd: Mach-O executable acorn
    [ea@foundation bin] $

Load it up in IDA. Strange, only a couple of instructions... Check strings... WHOA, this looks interesting.
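The dd command above relies on an offset and length taken from the Fortinet post. If you do not know them, you can locate the embedded xz stream yourself: every .xz stream starts with the 6-byte magic FD 37 7A 58 5A 00, and the xz decompressor tells you where the stream ends, which gives you the count= value. The following is an added Python example, not code from the writeup or from the ddtek challenge; the container it carves is constructed inline (a fake size tag, padding, an xz stream, trailing bytes) since wad.bin itself is not reproduced here.

```python
import lzma

XZ_MAGIC = b"\xfd7zXZ\x00"  # header of every .xz stream


def find_xz_streams(blob):
    """Return the offsets of all xz stream headers found in blob."""
    offsets = []
    pos = blob.find(XZ_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(XZ_MAGIC, pos + 1)
    return offsets


def carve_xz(blob, offset):
    """Decompress the xz stream that starts at offset.

    Returns (decompressed_bytes, stream_length_in_bytes). Bytes after the
    end of the stream are left in the container, so the decompressor's
    unused_data tells us the exact stream length, the equivalent of the
    count= argument to dd.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = dec.decompress(blob[offset:])
    if not dec.eof:
        raise ValueError("truncated xz stream at offset %d" % offset)
    length = len(blob) - offset - len(dec.unused_data)
    return out, length


# Constructed sample container (not the real wad.bin): a 4-byte size tag,
# 100 bytes of padding, one xz stream, then 50 bytes of trailing data.
PAYLOAD = b"usr/bin/dd\x00" * 40
CONTAINER = (
    b"\x00\x00\x12\x34"
    + b"A" * 100
    + lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ)
    + b"B" * 50
)

if __name__ == "__main__":
    for off in find_xz_streams(CONTAINER):
        data, n = carve_xz(CONTAINER, off)
        print("xz stream at offset %d, %d bytes, inflates to %d bytes"
              % (off, n, len(data)))
```

On the real file you would read wad.bin into CONTAINER and write the carved slice blob[off:off + n] to wad.xz; the offset and length printed should match the skip= and count= values used above if the Fortinet numbers are right.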
We got:

    41358753080588780315500696417148503196370008505043360338644939021284539327654424368206170740213813076058322365516034006270625614745638277215965686397551374257625369654940618745555501980517665488240640.000000
    273020167277193934342483321951392739131140631949880731514555218503200924051802886516416983650292597201352459748672990971210795734498587443982103979231419127824384.000000
    109868682199889090983893607446542759799370795099978204527886814871815275332732684149782782932243583477726231807149879389352427825978796531514954916754473975757796372140255258111985922092457311221042226817127194804092923531694479704498641458322997248.000000
    8887824086628450300085222950423508459269193936749714415660759918033307608850811297588582757614917095982291010098451602122996273175590810261747631678220597664532468741350897995232883808808537964727011624779797357169712195651789942060581116921485444775936.000000

Now is the tricky part. I guess I must have had some kind of vision to get an idea about this. I guessed that these were 4 doubles. (In hindsight the signs are there: the trailing .000000 is the six-digit default precision of printf's %f, and magnitudes between 1e161 and 1e252 correspond to IEEE 754 exponent bytes in the range 0x61 to 0x74, i.e. lowercase ASCII letters in the top byte.) Now, an idea came to mind: get the binary representation of these doubles (binary as in IEEE 754), get those bytes, and then see what to do.
I chose Java for this, since it has very convenient functions for it:

    public class Forensics400 {
        public static void main(String[] args) {
            // Raw IEEE 754 bit patterns of the four doubles printed by the binary
            long binary = Double.doubleToLongBits(41358753080588780315500696417148503196370008505043360338644939021284539327654424368206170740213813076058322365516034006270625614745638277215965686397551374257625369654940618745555501980517665488240640.000000);
            long binary1 = Double.doubleToLongBits(273020167277193934342483321951392739131140631949880731514555218503200924051802886516416983650292597201352459748672990971210795734498587443982103979231419127824384.000000);
            long binary2 = Double.doubleToLongBits(109868682199889090983893607446542759799370795099978204527886814871815275332732684149782782932243583477726231807149879389352427825978796531514954916754473975757796372140255258111985922092457311221042226817127194804092923531694479704498641458322997248.000000);
            long binary3 = Double.doubleToLongBits(8887824086628450300085222950423508459269193936749714415660759918033307608850811297588582757614917095982291010098451602122996273175590810261747631678220597664532468741350897995232883808808537964727011624779797357169712195651789942060581116921485444775936.000000);

            // 16 hex digits each: the 8 bytes of every double, most significant byte first
            String strBinary = Long.toHexString(binary);
            String strBinary1 = Long.toHexString(binary1);
            String strBinary2 = Long.toHexString(binary2);
            String strBinary3 = Long.toHexString(binary3);

            System.out.println(strBinary);
            System.out.println(strBinary1);
            System.out.println(strBinary2);
            System.out.println(strBinary3);
        }
    }

With that we get:

    69614a4b45544444
    61736b616572626c
    736f6d6568746572
    7473657473656274

Looks printable. That gives us: iaJKETDDaskaerblsomehtertsetsebt

Ok, now I'm sure I'm on the right track. The iPhone's ARM is little-endian, so the hex above shows each double's bytes in reverse memory order; reverse the letters within each 8-byte group (not the whole string) and you get DDTEKJailbreaksarethemostbestest. Send the flag and get 400+ for gn00bz. GG ddtek, congrats to the winners.

Cheers, ea
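The same recovery in Python, as an added example rather than the writeup's own Java: struct.pack does the double-to-bytes step and also handles the endianness question directly, so you never have to reverse letters by hand. The four input strings are the values the binary printed, copied from above; the only assumption is that they are %f renderings of doubles, which is what the writeup concluded. Because %f prints the exact decimal expansion of a double, float() recovers the identical 64-bit value.

```python
import struct

# The four values exactly as the ddtek /usr/bin/dd binary printed them
# (copied from the writeup above).
PRINTED = [
    "41358753080588780315500696417148503196370008505043360338644939021284539327654424368206170740213813076058322365516034006270625614745638277215965686397551374257625369654940618745555501980517665488240640.000000",
    "273020167277193934342483321951392739131140631949880731514555218503200924051802886516416983650292597201352459748672990971210795734498587443982103979231419127824384.000000",
    "109868682199889090983893607446542759799370795099978204527886814871815275332732684149782782932243583477726231807149879389352427825978796531514954916754473975757796372140255258111985922092457311221042226817127194804092923531694479704498641458322997248.000000",
    "8887824086628450300085222950423508459269193936749714415660759918033307608850811297588582757614917095982291010098451602122996273175590810261747631678220597664532468741350897995232883808808537964727011624779797357169712195651789942060581116921485444775936.000000",
]


def double_bits_hex(text):
    """IEEE 754 bit pattern of a %f-printed double, as 16 lowercase hex digits.

    This is the equivalent of Java's Double.doubleToLongBits + toHexString.
    """
    bits = struct.unpack(">Q", struct.pack(">d", float(text)))[0]
    return "%016x" % bits


def double_bytes(text, little_endian=True):
    """The 8 bytes of the double as they sit in memory on the given byte order."""
    fmt = "<d" if little_endian else ">d"
    return struct.pack(fmt, float(text))


def decode_message(printed, little_endian=True):
    """Concatenate the raw bytes of every printed double."""
    return b"".join(double_bytes(t, little_endian) for t in printed)


def recover(printed):
    """Return the candidate message for both byte orders.

    Both may be printable ASCII (they are here); the one that reads as words
    tells you the byte order of the machine that wrote the doubles.
    """
    return {
        "big-endian": decode_message(printed, little_endian=False),
        "little-endian": decode_message(printed, little_endian=True),
    }


if __name__ == "__main__":
    for t in PRINTED:
        print(double_bits_hex(t))
    for order, msg in recover(PRINTED).items():
        print("%-13s %s" % (order, msg.decode("ascii", errors="replace")))
```

Packing with "<d" (little-endian, the iPhone's native order) yields the flag directly; ">d" reproduces the byte-reversed string the Java output gave.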