Last weekend we participated in the Defcon CTF 2020 Qualifier and finally got
9th place; my teammates are amazing. With some help from my teammates, I solved 2
challenges, cursed and blursed. These 2 challenges are quite interesting, so
here is my write-up for them. :)

The binary files for these 2 challenges are exactly identical. The binary first
requires a blake2b proof of work. Then the clone function is called to start a
new thread. In the new thread, the flag is read onto the stack, and bozo.bin is
mapped into memory as executable code and then executed. bozo.bin removes the
flag from memory at the beginning but loads it into the xmm registers, and some
operations are performed on the xmm registers. These operations enable us to
use a side-channel attack to leak the contents of the xmm registers. Meanwhile,
in the main thread, 0x1000 bytes are read into memory, then seccomp is enabled,
and finally our input is executed as shellcode.
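The proof of work that gates the service is a standard anti-abuse measure in front of a shellcode sandbox: the server refuses to spend a thread and an execve-free sandbox on a client until the client has burned some CPU. The write-up does not give the exact PoW format, so the example below is an added illustration (not the challenge's code) that assumes a common scheme: the client must find a nonce such that blake2b(challenge || nonce) starts with a given number of zero bits. Both the verifier side and the brute-force client side are shown; the difficulty and challenge bytes are constructed values.

```python
import hashlib
import itertools
import os

# Assumed difficulty: the real challenge's parameter is not stated in the write-up.
DIFFICULTY_BITS = 16


def blake2b_pow_ok(challenge: bytes, nonce: bytes, bits: int = DIFFICULTY_BITS) -> bool:
    """Verifier side (server): accept the nonce if blake2b(challenge || nonce)
    has at least `bits` leading zero bits. This is the cheap check; the cost is
    entirely on the client that has to search for the nonce."""
    digest = hashlib.blake2b(challenge + nonce).digest()
    value = int.from_bytes(digest, "big")
    # Shift away everything except the top `bits` bits; they must all be zero.
    return (value >> (len(digest) * 8 - bits)) == 0


def solve_pow(challenge: bytes, bits: int = DIFFICULTY_BITS) -> bytes:
    """Client side: brute-force nonces (decimal ASCII, an assumed encoding)
    until the verifier's check passes. Expected work is about 2**bits hashes."""
    for n in itertools.count():
        nonce = str(n).encode()
        if blake2b_pow_ok(challenge, nonce, bits):
            return nonce


def pow_round(bits: int = DIFFICULTY_BITS) -> tuple[bytes, bytes, bool]:
    """One full exchange: server issues a random challenge, client solves it,
    server verifies. Returns (challenge, nonce, accepted)."""
    challenge = os.urandom(16)          # server-chosen, fresh per connection
    nonce = solve_pow(challenge, bits)  # client work
    return challenge, nonce, blake2b_pow_ok(challenge, nonce, bits)


if __name__ == "__main__":
    challenge, nonce, accepted = pow_round()
    print(f"challenge={challenge.hex()} nonce={nonce.decode()} accepted={accepted}")
```

A fresh random challenge per connection is what makes the scheme useful: without it a client could precompute one nonce and replay it, and the PoW would no longer rate-limit access to the sandbox thread.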

Original writeup (https://mem2019.github.io/jekyll/update/2020/05/22/Defcon-Cursed-Blursed.html).