
An extra bit of analysis for Clemency - withzombies
https://blog.trailofbits.com/2017/07/30/an-extra-bit-of-analysis-for-clemency/
======
withzombies
For this year's DEFCON CTF, the organizers decided to break all existing
tooling by making a custom architecture with 9-bit bytes, 27-bit words, and
middle-endian integers.

I was able to make a [Binary Ninja](https://binary.ninja) architecture plugin on
the flight to Vegas, but unfortunately I had to expand everything to 16-bit
bytes to be able to handle addressing. This made control flow graph recovery
possible, but I had to choose between accurate data references or accurate
immediates. I ended up going with accurate immediates and letting my data
references fall into the middle of functions (because instruction addresses
were all 2x).

The 27-bit words and middle-endianness weren't a huge issue, but the 9-bit
bytes really really sucked. We had IO buffering issues on every exploit we
wrote and analyzing PCAPs was a huge pain.
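The comment above describes the two things that broke ordinary tooling: bytes that are 9 bits wide (so a memory image has to be unpacked from an 8-bit file before any address makes sense) and 27-bit words whose three bytes are stored middle-endian. The following is an added example, not code from the post or from the Binary Ninja plugin it mentions. Two details are assumptions, not facts from the page: that 9-bit bytes are packed MSB-first into an ordinary byte string, and that the middle-endian order is middle byte, then high byte, then low byte. It also shows the 16-bit-byte expansion the author resorted to, which is why every address doubled.

```python
"""Unpack 9-bit bytes and decode middle-endian 27-bit words.

Added example for the cLEMENCy discussion; not the post's or the plugin's
code. Assumptions (labelled): 9-bit bytes are packed MSB-first into an
8-bit byte string, and a 27-bit word is stored as middle, high, low byte.
"""
from typing import List

NINE_BIT_MASK = 0x1FF
WORD_MASK = 0x7FFFFFF  # 27 bits


def unpack_9bit_bytes(data: bytes) -> List[int]:
    """Split an 8-bit byte string into 9-bit bytes (MSB-first: assumption).

    Trailing bits that do not fill a whole 9-bit byte are dropped.
    """
    bits = int.from_bytes(data, "big")
    total_bits = len(data) * 8
    out = []
    for i in range(total_bits // 9):
        shift = total_bits - 9 * (i + 1)
        out.append((bits >> shift) & NINE_BIT_MASK)
    return out


def pack_9bit_bytes(nbytes: List[int]) -> bytes:
    """Inverse of unpack_9bit_bytes; the tail is zero-padded to a byte boundary."""
    bits = 0
    for b in nbytes:
        if not 0 <= b <= NINE_BIT_MASK:
            raise ValueError(f"not a 9-bit value: {b}")
        bits = (bits << 9) | b
    total_bits = len(nbytes) * 9
    pad = (-total_bits) % 8
    return (bits << pad).to_bytes((total_bits + pad) // 8, "big")


def decode_middle_endian_word(b0: int, b1: int, b2: int) -> int:
    """Three consecutive 9-bit bytes -> 27-bit word.

    Storage order assumed: middle byte, high byte, low byte.
    """
    middle, high, low = b0, b1, b2
    return ((high << 18) | (middle << 9) | low) & WORD_MASK


def encode_middle_endian_word(word: int) -> List[int]:
    """27-bit word -> the three 9-bit bytes in (assumed) storage order."""
    if not 0 <= word <= WORD_MASK:
        raise ValueError(f"not a 27-bit value: {word:#x}")
    high = (word >> 18) & NINE_BIT_MASK
    middle = (word >> 9) & NINE_BIT_MASK
    low = word & NINE_BIT_MASK
    return [middle, high, low]


def read_words(data: bytes, offset: int, count: int) -> List[int]:
    """Read `count` words starting at 9-bit-byte address `offset`."""
    nb = unpack_9bit_bytes(data)
    words = []
    for i in range(count):
        j = offset + 3 * i
        if j + 3 > len(nb):
            raise ValueError(f"word at 9-bit address {j} runs past the image")
        words.append(decode_middle_endian_word(nb[j], nb[j + 1], nb[j + 2]))
    return words


def expand_to_16bit_bytes(nbytes: List[int]) -> bytes:
    """Widen each 9-bit byte to a 16-bit little-endian cell.

    This is the workaround the comment describes: tooling that insists on
    8-bit addressing can load the result, but 9-bit address A becomes 2*A.
    """
    return b"".join(b.to_bytes(2, "little") for b in nbytes)


def expanded_address(addr_9bit: int) -> int:
    """Map a native 9-bit-byte address to its offset in the 16-bit image."""
    return addr_9bit * 2


if __name__ == "__main__":
    # Constructed sample: one word, packed and read back.
    image = pack_9bit_bytes(encode_middle_endian_word(0x1234567))
    print(hex(read_words(image, 0, 1)[0]))
```

Note that a file of `n` 8-bit bytes yields `8n // 9` 9-bit bytes, so file offsets and native addresses never line up; that mismatch is the source of the IO buffering and PCAP pain the comment mentions, since every tool on the wire side still counts in octets.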

------
tyoma
It's great that the CTF organizers fielded a neutral architecture that no one
would be familiar with. This helps put everyone on a more even footing and
tests their knowledge of their tools and reverse engineering instead of
knowledge of architecture internals.

~~~
detaro
In many cases I guess more the ability to extend or completely replace their
tools.

