{"id":13538549,"url":"https://github.com/christhecoolhut/pinctf","last_synced_at":"2025-04-05T15:09:08.057Z","repository":{"id":96692071,"uuid":"117361066","full_name":"ChrisTheCoolHut/PinCTF","owner":"ChrisTheCoolHut","description":"Using Intel's PIN tool to solve CTF problems","archived":false,"fork":false,"pushed_at":"2020-04-12T20:20:00.000Z","size":1860,"stargazers_count":496,"open_issues_count":8,"forks_count":53,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-29T14:12:14.043Z","etag":null,"topics":["ctf","instruction-counting","pin","reverse-engineering"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ChrisTheCoolHut.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2018-01-13T16:56:03.000Z","updated_at":"2025-03-24T08:56:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"1144c757-a21e-420c-88d5-7a15edec3930","html_url":"https://github.com/ChrisTheCoolHut/PinCTF","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FPinCTF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FPinCTF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FPinCTF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FPinCTF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ChrisTheCoolHut","download_
url":"https://codeload.github.com/ChrisTheCoolHut/PinCTF/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247353746,"owners_count":20925329,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","instruction-counting","pin","reverse-engineering"],"created_at":"2024-08-01T09:01:13.366Z","updated_at":"2025-04-05T15:09:08.028Z","avatar_url":"https://github.com/ChrisTheCoolHut.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"c7f35432806520669b15a28161a4d26a\"\u003e\u003c/a\u003eCTF\u0026\u0026HTB"],"sub_categories":["\u003ca id=\"e64cedb2d91d06b3eeac5ea414e12b27\"\u003e\u003c/a\u003eCTF"],"readme":"# PinCTF\n\nThis tool is designed to use [Intel's Pin Tool](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) to instrument reverse engineering binaries and count instructions.\n\nIt uses instruction counting as an avenue for [Side Channel Analysis](https://en.wikipedia.org/wiki/Side-channel_attack). By counting the instructions a reverse engineering challenge executes for each candidate input, we can (sometimes) infer that the input which executes more instructions is closer to the flag.\n\n[![asciicast](https://asciinema.org/a/2bHy0y9MrGNa8Xp9MSPT17HTS.png)](https://asciinema.org/a/2bHy0y9MrGNa8Xp9MSPT17HTS)\n\n## Install Pin\nIncluded in this repo is a script for pulling down Intel's PIN and instructions for building it on Ubuntu 16.04. 
\n\n```\n# This script will pull PIN and install the dependencies needed.\n./installPin.sh\n```\n\n## Running PinCTF\nPinCTF is implemented as a Python script wrapping PIN. It executes a pin command, then reads the *inscount.out* file that PIN produces.\n\n```\n[chris@Thor pinCTF]$  ./pinCTF.py -h\nusage: pinCTF.py [-h] [-f FILE] [-a] [-al] [-i] [-il] [-p PINLOCATION]\n                 [-l PINLIBRARYLOCATION] [-c COUNT] [-s SEED] [-r RANGE]\n                 [-sl SEEDLENGTH] [-st SEEDSTART] [-t] [-tc THREADCOUNT]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -f FILE, --file FILE  file to run pin against\n  -a, --arg             Trace instructions for passed in argument\n  -al, --argLength      Trace instructions for passed in argument length\n  -i, --input           Trace instructions for given input\n  -il, --inputLength    Trace instructions for input length\n  -p PINLOCATION, --pinLocation PINLOCATION\n                        Location of pin's directory\n  -l PINLIBRARYLOCATION, --pinLibraryLocation PINLIBRARYLOCATION\n                        Location of pin's instruction0.so libraries\n  -c COUNT, --count COUNT\n                        MaxLength to for length based pin\n  -s SEED, --seed SEED  Initial seed for input or arg pin\n  -r RANGE, --range RANGE\n                        range of characters to iterate pin over\n  -sl SEEDLENGTH, --seedLength SEEDLENGTH\n                        Initial seed length for input or arg pin\n  -st SEEDSTART, --seedStart SEEDSTART\n                        Initial seed index for pin\n  -t, --threading       Enables threading\n  -tc THREADCOUNT, --threadCount THREADCOUNT\n                        Number of threads\n```\n\nTo compare instruction counts against input length, use the -il or -al flags.\nThe -c flag specifies how many A's to test.\n\n```\n./pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -il -l obj-intel64/ -c 30\n\nNum  : Instr Count    AAAAAAAAAAAAAAAAAAA\n1    : 2119788    
    \n2    : 2119789        \n3    : 2119789        \n4    : 2119784        \n5    : 2119788        \n6    : 2119789        \n7    : 2119791        \n8    : 2119782        \n9    : 2119786        \n10   : 2119787        \n11   : 2119791        \n12   : 2119786        \n13   : 2119790        \n14   : 2119791        \n15   : 2119818        \n16   : 2119822        \n17   : 2119826        \n18   : 2119825        \n19   : 2119831        \n20   : 2119824        \n21   : 2119830        \n22   : 2119831        \n23   : 2119835        \n24   : 2119826        \n25   : 2119830        \n26   : 2119831        \n27   : 2119835        \n28   : 2132982        \n29   : 2119834        \n30   : 2119863        \n[+] Found Num 28 : Count 2132982\n\n```\nNow we know that the flag is 28 characters long, and we can start searching for a 28-character flag.\n\n\nOnce you've found a length that seems to work, you can use pin to change each character in turn, testing for changes in the instruction count.\nThe -sl flag sets the length of the initial seed, and the -r flag chooses the range of characters to iterate over.\n```\n./pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -i -l obj-intel64/ -sl 28 -r abcdefghijklmnopqrstuvwxyz012345_-+LVMA -sk\n[+] iter 0 using d for dAAAAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 1 using r for drAAAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 2 using 4 for dr4AAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 3 using g for dr4gAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 4 using 0 for dr4g0AAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 5 using n for dr4g0nAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 6 using _ for dr4g0n_AAAAAAAAAAAAAAAAAAAAA\n[+] iter 7 using o for dr4g0n_oAAAAAAAAAAAAAAAAAAAA\n[+] iter 8 using r for dr4g0n_orAAAAAAAAAAAAAAAAAAA\n[+] iter 9 using _ for dr4g0n_or_AAAAAAAAAAAAAAAAAA\n[+] iter 10 using p for dr4g0n_or_pAAAAAAAAAAAAAAAAA\n[+] iter 11 using 4 for dr4g0n_or_p4AAAAAAAAAAAAAAAA\n[+] iter 12 using t for dr4g0n_or_p4tAAAAAAAAAAAAAAA\n[+] iter 13 using r for dr4g0n_or_p4trAAAAAAAAAAAAAA\n[+] 
iter 14 using i for dr4g0n_or_p4triAAAAAAAAAAAAA\n[+] iter 15 using c for dr4g0n_or_p4tricAAAAAAAAAAAA\n[+] iter 16 using 1 for dr4g0n_or_p4tric1AAAAAAAAAAA\n[+] iter 17 using a for dr4g0n_or_p4tric1aAAAAAAAAAA\n[+] iter 18 using n for dr4g0n_or_p4tric1anAAAAAAAAA\n[+] iter 19 using _ for dr4g0n_or_p4tric1an_AAAAAAAA\n[+] iter 20 using i for dr4g0n_or_p4tric1an_iAAAAAAA\n[+] iter 21 using t for dr4g0n_or_p4tric1an_itAAAAAA\n[+] iter 22 using 5 for dr4g0n_or_p4tric1an_it5AAAAA\n[+] iter 23 using _ for dr4g0n_or_p4tric1an_it5_AAAA\n[+] iter 24 using L for dr4g0n_or_p4tric1an_it5_LAAA\n[+] iter 25 using L for dr4g0n_or_p4tric1an_it5_LLAA\n[+] iter 26 using V for dr4g0n_or_p4tric1an_it5_LLVA\n[+] iter 27 using M for dr4g0n_or_p4tric1an_it5_LLVM\n[+] Found pattern dr4g0n_or_p4tric1an_it5_LLVM\n```\n\n## Script tricks for PIN\n\nThis process is pretty slow and can be sped up with threading. The -t (--threading) flag will enable threading and -tc represents the thread count\n\n```\ntime ./pinCTF.py -f $(pwd)/examples/crypt4 -a -sl 26 --threading -tc 4\n[+] iter 0 using d for dAAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 1 using y for dyAAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 2 using n for dynAAAAAAAAAAAAAAAAAAAAAAA\n[+] iter 3 using 4 for dyn4AAAAAAAAAAAAAAAAAAAAAA\n[+] iter 4 using m for dyn4mAAAAAAAAAAAAAAAAAAAAA\n[+] iter 5 using 1 for dyn4m1AAAAAAAAAAAAAAAAAAAA\n[+] iter 6 using c for dyn4m1cAAAAAAAAAAAAAAAAAAA\n[+] iter 7 using a for dyn4m1caAAAAAAAAAAAAAAAAAA\n[+] iter 8 using l for dyn4m1calAAAAAAAAAAAAAAAAA\n[+] iter 9 using l for dyn4m1callAAAAAAAAAAAAAAAA\n[+] iter 10 using y for dyn4m1callyAAAAAAAAAAAAAAA\n[+] iter 11 using _ for dyn4m1cally_AAAAAAAAAAAAAA\n[+] iter 12 using d for dyn4m1cally_dAAAAAAAAAAAAA\n[+] iter 13 using 3 for dyn4m1cally_d3AAAAAAAAAAAA\n[+] iter 14 using c for dyn4m1cally_d3cAAAAAAAAAAA\n[+] iter 15 using r for dyn4m1cally_d3crAAAAAAAAAA\n[+] iter 16 using y for dyn4m1cally_d3cryAAAAAAAAA\n[+] iter 17 using p for dyn4m1cally_d3crypAAAAAAAA\n[+] iter 18 
using t for dyn4m1cally_d3cryptAAAAAAA\n[+] iter 19 using 3 for dyn4m1cally_d3crypt3AAAAAA\n[+] iter 20 using d for dyn4m1cally_d3crypt3dAAAAA\n[+] iter 21 using _ for dyn4m1cally_d3crypt3d_AAAA\n[+] iter 22 using c for dyn4m1cally_d3crypt3d_cAAA\n[+] iter 23 using 0 for dyn4m1cally_d3crypt3d_c0AA\n[+] iter 24 using d for dyn4m1cally_d3crypt3d_c0dA\n[~] Largest instruction count found to match several others or very close\n[~] Locating largest difference from average instead\n[+] iter 25 using 3 for dyn4m1cally_d3crypt3d_c0d3\n[+] Found pattern dyn4m1cally_d3crypt3d_c0d3\n\nreal\t3m26.511s\nuser\t10m53.012s\nsys\t2m21.344s\n```\n\nSome CTF binaries validate input backwards to throw off fuzzers. Using the -rev flag, PinCTF can alter the input backwards.\n\n```\n./pinCTF.py -f $(pwd)/examples/ELF-NoSoftwareBreakpoints -i -sl 25 -rev -t -tc 4 -r abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@\n[~] Running in reverse direction\n[+] iter 24 using S for AAAAAAAAAAAAAAAAAAAAAAAAS\n[+] iter 23 using k for AAAAAAAAAAAAAAAAAAAAAAAkS\n[+] iter 22 using c for AAAAAAAAAAAAAAAAAAAAAAckS\n[+] iter 21 using 0 for AAAAAAAAAAAAAAAAAAAAA0ckS\n[+] iter 20 using r for AAAAAAAAAAAAAAAAAAAAr0ckS\n[+] iter 19 using _ for AAAAAAAAAAAAAAAAAAA_r0ckS\n[+] iter 18 using T for AAAAAAAAAAAAAAAAAAT_r0ckS\n[+] iter 17 using N for AAAAAAAAAAAAAAAAANT_r0ckS\n[+] iter 16 using i for AAAAAAAAAAAAAAAAiNT_r0ckS\n[+] iter 15 using o for AAAAAAAAAAAAAAAoiNT_r0ckS\n[+] iter 14 using P for AAAAAAAAAAAAAAPoiNT_r0ckS\n[+] iter 13 using k for AAAAAAAAAAAAAkPoiNT_r0ckS\n[+] iter 12 using a for AAAAAAAAAAAAakPoiNT_r0ckS\n[+] iter 11 using 3 for AAAAAAAAAAA3akPoiNT_r0ckS\n[+] iter 10 using r for AAAAAAAAAAr3akPoiNT_r0ckS\n[+] iter 9 using B for AAAAAAAAABr3akPoiNT_r0ckS\n[+] iter 8 using _ for AAAAAAAA_Br3akPoiNT_r0ckS\n[+] iter 7 using e for AAAAAAAe_Br3akPoiNT_r0ckS\n[+] iter 6 using r for AAAAAAre_Br3akPoiNT_r0ckS\n[+] iter 5 using @ for AAAAA@re_Br3akPoiNT_r0ckS\n[+] iter 4 using W 
for AAAAW@re_Br3akPoiNT_r0ckS\n[+] iter 3 using d for AAAdW@re_Br3akPoiNT_r0ckS\n[+] iter 2 using r for AArdW@re_Br3akPoiNT_r0ckS\n[+] iter 1 using a for AardW@re_Br3akPoiNT_r0ckS\n[~] Largest instruction count found to match several others or very close\n[~] Locating largest difference from average instead\n[+] iter 0 using H for HardW@re_Br3akPoiNT_r0ckS\n[+] Found pattern HardW@re_Br3akPoiNT_r0ckS\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristhecoolhut%2Fpinctf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchristhecoolhut%2Fpinctf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristhecoolhut%2Fpinctf/lists"}