I am a man of many hats. This page, however, focuses mainly on the one related to me as a vulnerability researcher, exploit developer and reverse-engineer. Although most of the work I do within the IT-security field is confidential, due to the nature of my clients, some of it has been made public at conferences such as BlackHat, DefCon and the RSA Conference.
In my spare time, I sometimes compete in hacking competitions (CTFs). With HackingForSoju, I have been traveling to and participating in the CodeGate and SECUINSIDE finals in South Korea, DefCamp in Romania, CONFidence CTF in Romania and the DefCon finals in the US. Competing in any of these requires you to first qualify by being one of the top teams in an online qualifier round, where thousands of teams around the world can compete for the first 8-15 or so places that qualify for the finals.
From 2015 up until August 2020, I was joint-owner and CTO of Cycura. During this time, I was focusing on building our R&D and offensive security division, as well as being a key resource in the teams in question. After selling Cycura to WELL Technologies, I am now back to focusing solely on my own company ClevCode.
For the last few years, I have been focusing on custom fuzzer development and on mobile and browser security research and exploitation, mostly on the Android side. I don’t publish any of my research related to these areas, though, so unfortunately the fruits of my labor are for my clients’ eyes only. Just rest assured that it is an interesting area to be in. ;)
From 2011 to 2015, I was a bit more active with various CTFs and other types of challenges, as well as in posting writeups on public challenges I solved to this blog. A selection:
– 2015: Winner of Boxen
– 2015: Winner of SweCTF
– 2013: Winner of Black Knight challenge (nSense)
– 2012: Solved the first set of Cicada 3301 challenges
– 2011: Winner of PlaidCTF
Besides PlaidCTF, all of the above challenges/competitions were ones where I competed as an individual rather than as a team (with HackingForSoju). As a side-note to that, I did score more than half the points for our team during PlaidCTF. ;)
From 2006 to 2011, I was joint-owner and CTO of Bitsec. We worked on a lot of interesting things, and I was fortunate enough to be able to speak on at least a few of them in public. We did kernel exploitation, including one of the earliest examples of remote wireless kernel exploitation, full-chain Windows exploitation, and this was also when I started getting into mobile security research (developing a remote full-chain iOS attack, etc).
For CTF challenge writeups, take a look at:
As for non-CTF related exploits, I usually don’t publish my work, but here is a selection of the few things I did publish at some point (mostly from way back, which is no indication of what I’ve been up to the last few years). ;)
- https://clevcode.org/oldies-but-goldies/
- https://clevcode.org/oldies-but-goldies-2/
- https://clevcode.org/cve-2014-3153-exploit/
- http://codeverge.com/grc.security/dropbear-ssh-server-format-string-vulnerability/1646577
- https://packetstormsecurity.com/files/33534/0xbadc0ded-04.txt.html
- https://packetstormsecurity.com/files/33265/0401.txt.html
- https://seclists.org/bugtraq/1998/Nov/12
Hello, I came across your blog and I find much and more of what you do fascinating. I’m going to university in a couple months to study computer science and your field is incredibly interesting. What I’m most curious about is what resources you used to gain the type of knowledge and skills you have today? Thank you for your time.
Hi!
My name is Mollie Westlund. I work as a headhunter. Together with my colleague I am working on a very interesting recruitment. I would like to get in touch with you. Please email me your contact details, and I will call you.
Mollie Westlund
0708626748
Hi Cody!
Well, I first got interested in IT security when I was six or seven years old, after seeing the movie WarGames, so that has been with me a long time. :) I started programming when I was 7, when I got my first computer (a C64). My parents knew nothing about computers, so I had to explore things for myself. Exploring yourself, instead of just being handed knowledge on a silver plate, is actually an advantage in my opinion. That way you must achieve a true understanding of what you are doing.
My recommendation would be to code a lot, read a lot of code, identify both flaws in bad code and clever techniques used in good code, learn assembler and reverse-engineering. Learn about your OS, ground up. Never be satisfied with merely being able to accomplish something, always try to find the best way to do it and always strive for a complete understanding of what you are doing. Look beneath the surface of things.
The best way to learn something is always by doing, and by constantly challenging yourself. Reading books, papers, tutorials and so on is fine to get a basic understanding of something, but you need to actually apply it to identify the limitations of your knowledge. It is also always better to try to figure out something by yourself instead of just reading a tutorial on the subject, and when you reach a certain level, tutorials and papers will not be enough for you to advance regardless.
Playing wargames, such as the ones at http://www.overthewire.org/wargames/, is a great way to learn about basic types of vulnerabilities and how to exploit them. For reverse-engineering, there are crackmes available on sites such as http://www.crackmes.de/. Participate in CTF competitions (check out https://ctftime.org/ to see which ones are available) to challenge yourself within subjects as diverse as forensics, cryptography, reverse engineering, vulnerability research and exploit development.
Last but not least, remember that there are no shortcuts, and merely reading only takes you so far. Read, reflect, evolve, apply, repeat. :)
So the reason I contacted you is that I’ve desperately spent the last 2 weeks trying to figure out a code that someone built into some software. It’s basically 50 bytes of hex that get sent to a USB device firmware, and it sends back 50 bytes of hex that it verified back to the software before the software will proceed. I have no idea how it does it and I really need to solve this for my client. I’ve worked on it for 2 weeks to no avail. I think you are the only person on earth that might be able to figure it out.. and we’d be happy to pay for the help!!!
The software is called CardioScan (it sends the 50 bytes)
and the USB device is called DMS 300-30m holter recorder (it receives the 50 bytes via a VERIF message and returns the correct 50 hex bytes back to CardioScan, making it proceed).
Basically, the software keeps changing what it sends. So we sent it our 0’s and FF’s and this is what it returns.
It is always a new set of values from the software; it is not repeating.
Result when I sent all 50 bytes as 0x00
1C 2F 38 55 13 51 09 3F 10 5E 1F 17 54 3B 37 0A 18 53 3A 17 3D 62 1D 2C 20 4A 22 2A 04 06 0D 5B 0B 2D 47 16 13 1F 0A 53 3C 55 32 05 09 04 0A 14 58 03
Result when I sent all 50 bytes as 0xff
E3 D0 C7 AA EC AE F6 C0 EF A1 E0 E8 AB C4 C8 F5 E7 AC C5 E8 C2 9D E2 D3 DF B5 DD D5 FB F9 F2 A4 F4 D2 B8 E9 EC E0 F5 AC C3 AA CD FA F6 FB F5 EB A7 FC
An example from CardioScan and back from the 300m is:
send:
f4 93 af e0 6f 4c 46 13 2c 50 cc 13 b9 46 56 6e f8 d5 03 9b 18 c4 8d 3b c3 5f 1d 9e 99 1d 64 89 de 81 e7 37 6f 3e 9a 9d fb 9e b1 f3 6f 24 b3 f8 b7 49
receive:
89 cd a0 d0 d3 27 15 50 29 1b 19 30 84 d3 78 27 31 5f 29 db 0b 50 6b 7a d2 15 55 a8 e7 4f 03 b5 d3 a4 c2 05 31 0e bb 93 97 d8 92 9b a2 72 9d a2 ff 9f
We almost got the same result as when we send in all zeros when sending in a huge prime number…
Any help would be appreciated. Thanks, David.
Hi David!
As you may have noticed, the byte sequence produced by sending fifty 0x00 bytes is closely related to the byte sequence you received by sending fifty 0xFF bytes.
By simply looking at the sequences, you can see that when the byte in the first sequence is high, the byte in the other sequence is low. By adding some of these bytes together, you will notice this:
Byte 1 in each sequence: 0x1C + 0xE3 = 0xFF (255)
Byte 2 in each sequence: 0x2F + 0xD0 = 0xFF (255)
Byte 3 in each sequence: 0x38 + 0xC7 = 0xFF (255)
Of course, this is no mere coincidence. This pattern repeats for each byte in the sequence.
One possible explanation for this would have been that the byte sequence you send in is XORed with a fixed key, or with the output of a PRNG (pseudo random number generator) algorithm. If this was the case, that would actually mean that the key equals the byte sequence received after sending fifty zero-bytes, since XORing something with zero leaves the value unchanged. This explains both sequences, as you can see below:
0x00 ^ 0x1C = 0x1C
0x00 ^ 0x2F = 0x2F
0x00 ^ 0x38 = 0x38
…
0xFF ^ 0x1C = 0xE3
0xFF ^ 0x2F = 0xD0
0xFF ^ 0x38 = 0xC7
…
Unfortunately, when applying the same method to the sequence sent by CardioScan we get:
0xF4 ^ 0x1C = 0xE8
0x93 ^ 0x2F = 0xBC
0xAF ^ 0x38 = 0x97
…
This does not match the produced byte sequence 89 CD A0, and so on. To figure out what exactly is going on, I would need more samples. That you receive almost the same result when sending in all zeros as when sending in a huge prime number is interesting, by the way.
Perhaps we should continue this discussion by email instead. You can reach me on the following address: je at clevcode dot org
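The checks walked through in the reply above, carried out over all fifty bytes of the three samples David posted, as an added example that is not code from the original thread. The only inputs are the sample values copied from the comment; the "fixed XOR key" model under test is the one the reply proposes and then rejects for the CardioScan exchange.

```python
# Added example, not code from the original thread: it reproduces the checks in
# the reply above over all fifty bytes of the three posted samples, and tests
# the "response = input XOR fixed key" hypothesis against the CardioScan pair.
from typing import Dict, List


def parse_hex(dump: str) -> List[int]:
    """Turn a whitespace-separated hex dump into a list of byte values."""
    return [int(tok, 16) for tok in dump.split()]


# Sample data copied from the comment above (50 bytes each).
RESP_ALL_00 = parse_hex(
    "1C 2F 38 55 13 51 09 3F 10 5E 1F 17 54 3B 37 0A 18 53 3A 17 3D 62 1D 2C 20 "
    "4A 22 2A 04 06 0D 5B 0B 2D 47 16 13 1F 0A 53 3C 55 32 05 09 04 0A 14 58 03"
)
RESP_ALL_FF = parse_hex(
    "E3 D0 C7 AA EC AE F6 C0 EF A1 E0 E8 AB C4 C8 F5 E7 AC C5 E8 C2 9D E2 D3 DF "
    "B5 DD D5 FB F9 F2 A4 F4 D2 B8 E9 EC E0 F5 AC C3 AA CD FA F6 FB F5 EB A7 FC"
)
CARDIOSCAN_SENT = parse_hex(
    "f4 93 af e0 6f 4c 46 13 2c 50 cc 13 b9 46 56 6e f8 d5 03 9b 18 c4 8d 3b c3 "
    "5f 1d 9e 99 1d 64 89 de 81 e7 37 6f 3e 9a 9d fb 9e b1 f3 6f 24 b3 f8 b7 49"
)
CARDIOSCAN_RECV = parse_hex(
    "89 cd a0 d0 d3 27 15 50 29 1b 19 30 84 d3 78 27 31 5f 29 db 0b 50 6b 7a d2 "
    "15 55 a8 e7 4f 03 b5 d3 a4 c2 05 31 0e bb 93 97 d8 92 9b a2 72 9d a2 ff 9f"
)


def xor_bytes(data: List[int], key: List[int]) -> List[int]:
    """Byte-wise XOR of two equal-length sequences."""
    if len(data) != len(key):
        raise ValueError("length mismatch")
    return [d ^ k for d, k in zip(data, key)]


def all_complements(a: List[int], b: List[int]) -> bool:
    """True when every pair sums to 0xFF, i.e. b[i] == a[i] XOR 0xFF for all i."""
    return len(a) == len(b) and all(x + y == 0xFF for x, y in zip(a, b))


def fixed_key_hypothesis() -> Dict[str, object]:
    """Test the model 'response = input XOR fixed key'.

    Under that model the all-zero probe returns the key itself (0x00 ^ k == k),
    so the key is read straight from RESP_ALL_00 and then checked against the
    all-0xFF sample and the CardioScan sample.
    """
    key = RESP_ALL_00
    predicted_ff = xor_bytes([0xFF] * len(key), key)
    predicted_cs = xor_bytes(CARDIOSCAN_SENT, key)
    matching = sum(p == r for p, r in zip(predicted_cs, CARDIOSCAN_RECV))
    return {
        "explains_all_ff": predicted_ff == RESP_ALL_FF,  # True for the posted data
        "predicted_cardioscan": predicted_cs,            # begins E8 BC 97, as in the reply
        "cardioscan_matching_bytes": matching,           # well below 50
        "explains_cardioscan": matching == len(key),     # False: model rejected
    }


if __name__ == "__main__":
    print("0x00/0xFF responses are complements:",
          all_complements(RESP_ALL_00, RESP_ALL_FF))
    result = fixed_key_hypothesis()
    print("fixed key explains 0xFF sample:", result["explains_all_ff"])
    print("fixed key explains CardioScan sample:", result["explains_cardioscan"],
          f"({result['cardioscan_matching_bytes']}/50 bytes match)")
```

The point for anyone designing such a check is visible in `fixed_key_hypothesis`: if the device really did apply a static XOR, one all-zero probe would hand over the entire key, which is why the two probe responses line up so neatly. That the CardioScan pair does not fit the same key is the evidence, as the reply says, that the real scheme involves more than a constant mask and that more samples are needed before anything further can be said.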
I enjoy surfing new digital seas, and exploring lost islets of data…..
As for the (seemingly) malfunctioning “CardioScan” “problem”, above,
no, I’m not formally educated enough to crack it, *BUT*, um, why not just contact the original device Mfgr.?….
SOMEbody there had to design,build and program the thing, in the first place!….
Joel,
Hit me up sometime please, we have a lot in common. I would like to share stories and possibly learn a thing or two.
John
Hello, look man, I really don’t know what I’m doing or want, but this caught my attention and I can’t get enough, I have no school experience, I’m a simple guy who is curious about a different way to see life. Can you please at least write back just to know you got this message? Thank you. I really appreciate it.
How do I access the Cicada 3301 puzzle?
I want to recommend you this – if you crack it please give me a shout out -https://bitcointalk.org/index.php?topic=766000.0
Hey Joel you seem like a cool ass dude. Swedish people are so gifted. I hope you have started a family and pass on your intelligence to the next generation.
All these so-called random numbers are not random. Nothing is ever random. Now, for the numbers: they are dates in history of major events and upcoming events. Here are a few just for starters: 1944, World War 2; 1776, Dec 2, the 1st bank opened up. As for the duck, it means you are the prey. The other clues are about Iran, Egypt and other countries. I guess the short story would be: war like no other. This Cicada puzzle is a warning.
Mr Joel,
From your paragraph on the Cicada 3301 you really caught my attention. If you don’t mind, I would love to chat with you and maybe make 2 new friends??? And no, it has nothing to do with asking you anything about the Cicada 3301 nor any other (can/will you crack this/that code). I have no doubt that if I wanted/needed to find that, I am pretty sure with an IQ of 160 I could do it myself. But I don’t rate nor give credit(s) to a person(s) IQ to be and/or have smarts because it’s 100, 120, 160 or moon status. I know a lot of people who can’t read, or can’t count money, but know what 5’s, 10’s, 20’s, 50’s etc.
are, and have by IQ standards a 60 or 70, but these people are highly intelligent and very crafty. My sister-in-law has a very high IQ and is very smart, but only when it comes to books, it seems, and me not so much in books, but it seems that my life, living on the streets and growing up that way, has me seeing things way differently, and my insight is out of this world, and I pass my sister-in-law’s intelligence by far…
So my opinion is that neither book smarts nor street smarts makes you smart when you only have a degree in one. I would bet more, or heavily, on someone with only an associate’s degree in both book and street smarts, leaning more in IQ toward street smarts aka life’s lessons, than on someone with a Ph.D. or master’s in books only, or maybe a slight small % of street smarts. I’ve never been a bookworm nor smart with books, and have trouble working a computer; when I was in school I had trouble and had to take different classes in a couple of subjects, but showed more intelligence than a lot of the higher-grade students in school. I never got picked on because of my learning disabilities, but got picked on a TINY bit because I could out-think a lot of students and teachers. Always found school boring and dropped out in 11th grade, but had an art school call my mother when I was 17 and got an all-paid 2-year college course, and didn’t even have a diploma nor GED, finished that, and years later, 2004 to 2006, got another 2-year college degree for personal trainer through ISSA. So I don’t believe that an IQ can truly gauge the wealth of someone’s intelligence, but I guess it’s nice to have a number, low or high, under your belt or stamped on one’s forehead,
just so the rest of this “what’s normal” and/or “who’s stupid”, labelled retarded or highly intelligent, world
is giving us, or making us believe in, who’s at the bottom and who’s at the top. Truth of the matter is the bottom to middle, I believe, are the smarter ones…… It’s like addict(s) who have had their midnight run for years and finally have a chance to see recovery or rehab, because most don’t, but they are sitting in a group and at the head is a man with 1 Ph.D. and 1 master’s in the highest form of addictions and blah, blah, blah college degree(s), telling a full-blown crack or heroin addict(s) how to get clean, face those fears, alongside exorcise those demons, that it’s all in their heads, and ramming 15 years of only books, college and numbers down their throats and beating them in the head with the…. for lack of a better word, BS, when in fact that Mr Higher-up on the food chain(s) has never had/suffered a day in his/her life with any form of addiction and has no clue of those feelings/emotions, only just what numbers and a book say. One must not push totally away from those (Book We Know Best Worms), but all info is lost on account of lack of knowledge from life. You find the same teacher, with or without those high degrees but just as smart, who has had an addiction(s) and can relate because of that struggle; not only will that person(s) listen, but they will hear and apply both at the same time, and watch that recovered person(s) not only see straight but be way more intelligent than Mr Books Only!!! Been through that, so I can speak on that… truth is stranger than fiction sometimes. So what (anyone) do you think makes or gives a person the better smarts, or in this world higher IQs???
My long-time therapist and countless others through 27 years of my life have always asked, at one time or another, as I shake hands and leave, they say:
Hey Tj???,
Yeah, what’s up Doc???,
Tj, I always wonder when you come & at the end when you leave… who’s really here teaching or helping the other…
Well, is that a question or a statement? But it doesn’t matter; answer this: what came FIRST, Doc, the chicken or the egg, and then you’ll have your answer.
Hey Tj, one more thing…. who’s the chicken or who’s the egg???!!!
(with a smile I finish as I am walking out the door:
I’ll be whatever you don’t wanna be, Doc…)
So ask yourself what makes someone truly smart?!?
But everyone have a good holiday and good new year…
Blessed be…
P.S.
Mr Joel Eriksson, if you have the time to chat, maybe make a new good friend who loves debates and loves to learn; I sure would love and like your time and friendship.
Ciao, my friend…
https://www.facebook.com/rashida.jammang
Hi Joel. I have heard about your work with codes (mainly Cicada) and was really fascinated by it. Recently, my friend received a code that nobody I know can translate. I was wondering if you could help. It’s probably nothing compared to Cicada 3301 but I can’t do it. I’m told it’s a number-to-letter code. Here it is:
3 4 5 6 7 8 9 10
13 14 15 16 17 18 19 20
23 24 25 26 27 28 29 30