Prior to this project, I was already using an open source operating system. I have been using Ubuntu since 2020 (18.04 LTS at the time). Today I'm still using Ubuntu: I've kept the 20.04 LTS version and decided not to upgrade to the 22.04 LTS version yet because some libraries I'm using for my master thesis just work better on 20.04 LTS.
Since I have an interest in computer security and capture the flag (CTF) competitions, I also have a Kali Linux virtual machine. It might be a little "overkill" to start with small CTFs, but it's very convenient when you want to play a little bit without taking the time to install all the tools.
## **Motivation behind the choice of the projects**
In 2020, I took part in the Google CTF. I decided to start with a reverse engineering challenge called "Beginner" and labelled "easy". Plot twist: it wasn't that easy and not really for beginners. I spent 2 days on it without finding a solution.
Without giving all the details, the goal was to find an input string (which was going to be the flag) that was going to be equal to a certain value after some "complex" operations. As you have guessed, those complex operations were too "complex" to be simply reversed.
When the CTF was over, I decided to check the solutions. One common solution was to rely on [angr](https://github.com/angr), an open source framework for binary analysis that does symbolic execution. Finding the flag with symbolic execution was the solution to the challenge. Symbolic execution assigns symbolic values to the variables and puts them under constraints; at the end, it tries to solve those constraints to find concrete values.
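To make that description concrete, here is a toy symbolic executor in plain Python. It is an added example, not angr and not the Google CTF binary: the `check` crackme, its constants and every function name are constructed for illustration, and brute force over each byte stands in for a real constraint solver.

```python
class Sym:
    """Added toy example (not angr): 8-bit expression over input byte idx."""
    def __init__(self, idx, fn=lambda v: v): self.idx, self.fn = idx, fn
    def _wrap(self, op):
        return Sym(self.idx, lambda v, f=self.fn: op(f(v)) & 0xFF)
    def __xor__(self, k): return self._wrap(lambda x: x ^ k)
    def __add__(self, k): return self._wrap(lambda x: x + k)
    def __mul__(self, k): return self._wrap(lambda x: x * k)
    def __eq__(self, k): return Cond(self, k)  # comparing yields a constraint

class Cond:
    def __init__(self, expr, target): self.expr, self.target = expr, target
    def holds(self, v): return self.expr.fn(v) == self.target

def check(inp, branch):
    """Constructed crackme: three byte tests guard the 'accept' state."""
    if not branch((inp[0] ^ 0x5A) + 7 == 0x20): return "reject"
    if not branch((inp[1] * 3) ^ 0x11 == 0xED): return "reject"
    if not branch((inp[2] + 0x21) ^ 0x0F == 0x68): return "reject"
    return "accept"

def run_path(program, n, plan):
    """Run once on symbolic input, steering branches by plan; log constraints."""
    path, it = [], iter(plan)
    def branch(cond):
        path.append((cond, next(it, True)))  # unplanned branches take True
        return path[-1][1]
    return program([Sym(i) for i in range(n)], branch), path

def explore(program, n):
    """Fork at every branch the plan did not fix, so each path runs once."""
    work, done = [[]], []
    while work:
        plan = work.pop()
        result, path = run_path(program, n, plan)
        done.append((result, path))
        for i in range(len(plan), len(path)):
            work.append([t for _, t in path[:i]] + [not path[i][1]])
    return done

def solve(path, n):
    """Stand-in for an SMT solver: try all 256 values for each input byte."""
    fits = [[v for v in range(256)
             if all(c.holds(v) == t for c, t in path if c.expr.idx == i)]
            for i in range(n)]
    return bytes(f[0] for f in fits) if all(fits) else None

def find_input(program, n, want="accept"):
    hits = [solve(p, n) for r, p in explore(program, n) if r == want]
    return next((m for m in hits if m is not None), None)
```

Calling `find_input(check, 3)` explores the four paths of `check` and returns the only input that reaches `accept`; passing the same function concrete bytes with `branch=bool` replays it as an ordinary program.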
At the time it appeared to me like magic, the solution to all CTF challenges, but when I wanted to implement the solution myself, I quickly realized that I didn't really understand how to start, so I kind of abandoned using [angr](https://github.com/angr) in CTFs.
This year, for my master thesis I'm working on a malware analysis toolchain that uses [angr](https://github.com/angr), so I had no choice and I couldn't run from destiny any more: I needed to learn how to use [angr](https://github.com/angr).
In my learning quest, I found a project called [angr_ctf](https://github.com/jakespringer/angr_ctf), which is basically a set of challenges with increasing difficulty to teach you different concepts of angr. The project had solution files, but without explanations on how to find these solutions (also the solution wouldn't work on your computer, since some values depend on addresses that will be different from one computer to another).
To work through these challenges, I had to follow a [Chinese fork](https://github.com/ZERO-A-ONE/AngrCTF_FITM) alongside Google Translate.
For this course, I decided to contribute to this project by adding tutorials for some challenges and a troubleshooting section (since I wasted some time while setting up the project).
I also wanted to contribute to another project related to angr, [angr-management](https://github.com/angr/angr-management), which is the official GUI for angr. I checked the issues and found an [issue](https://github.com/angr/angr-management/issues/780) asking to allow a theme based on system preferences.
## **angr_ctf contribution**
First, I had trouble setting up and compiling the binaries of the challenges of [angr_ctf](https://github.com/jakespringer/angr_ctf). The problem was due to some missing 32-bit headers and libraries that are not present by default on some Linux distributions.
Without trying to understand the error and fix it, I made the mistake of wasting some time searching for other setup alternatives in the different forks of the project. None of them worked for me, so I decided to get back to the original repo and do my own research.
One of my contributions was to add a troubleshooting section in the README to save time for other users.
Before contributing, I opened an [issue](https://github.com/jakespringer/angr_ctf/issues/15) on GitHub to ask if there are some guidelines to respect before contributing. Unfortunately, I didn't receive an answer from the maintainers. However, I received an answer from someone who had a fork of this project and wanted me to save time by using his setup (with Docker containers). I had already checked his fork and knew I had an issue with the setup. I asked him to allow issues on his repo (since it was not available in the beginning) and I opened the [issue](https://github.com/giladreich/angr_ctf/issues/5) on his fork.
After some time, I decided to work on another project ([angr-management](https://github.com/angr/angr-management)). But in the end, I went back to my original plan and contributed to this one even if I didn't have the guidelines, because I knew there was a need and a lack of resources to start with angr (a friend of mine also had to learn angr for his master thesis and had to use this repo).
I forked the project and came up with the following contributions:
* Updated the README to a Markdown file (which wasn't the case before)
* Added more build instructions for the local installation
* Pointers to online resources I found (with some time) that describe how to play the challenges and the functionalities of angr
* Troubleshooting section in the README: saying how to download the missing 32-bit headers and libraries.
* Made a walkthrough for the first challenges.
I made a pull request to merge my fork, and I'm still waiting for approval.
I received a star on my fork. Prior to this project, I didn't know what it meant to give a star. I know that it's not a big deal, but I appreciated the star. I think it's encouraging to keep contributing with more solutions and more challenges.
## **angr-management contribution**
When I didn't get an answer on my other contribution, I searched for other projects related to angr, and I found [angr-management](https://github.com/angr/angr-management), which is the official GUI for angr.
I checked the issues and I found an [issue](https://github.com/angr/angr-management/issues/780) asking to allow a theme based on system preferences.
Here I made the mistake of working on it without saying "I'm going to work on it" to the community.
I had a working solution on my computer, but I wanted to run more tests locally before creating a new pull request.
In the meantime, a regular contributor assigned the issue to himself. When I wanted to say that I had a working solution, I noticed that my solution didn't work any more: there was a merge that upgraded a library. I needed to upgrade my Python version and other libraries to make it work.
When I said that I had a possible working solution, the regular contributor opened a draft pull request with his solution.
I created [mine](https://github.com/angr/angr-management/pull/807) right after that.
Unfortunately, my pull request was closed in favor of his. I must admit, his solution was better and had an additional functionality.
It was a great learning experience.
## **Lessons learned**
With these two contributions, I learned a lot. Here are a few takeaways for me:
* If you're gonna work on something, say it!
  * So the community is aware that you're on it.
* Ask for forgiveness, not for permission: if you think you have a good potential working solution, you can create your pull request, even in draft mode if it isn't complete.
  * Don't wait for a refactor or an update to break your local solution.
  * Don't wait for another contributor to get ahead of you. Don't get me wrong, it's not a competition, but if you're the first one, the other contributor might decide to help you with your solution instead of working on his own.
* Stars are great! They encourage the developer, so if you like a project, you can star it!
## **Conclusion**
Before taking this class, I had never contributed to open source projects, and I had never made pull requests (not a great example, I know, but I never had the need to). I've mainly worked on projects related to my studies, most of them in private repositories.
This project forced me to interact with the community and to learn a lot.
This experience really encourages me to contribute to more projects. What I'm thinking about is contributing to CTF write-ups and adding more solutions to different challenges, the ones that seem interesting to me and that use promising libraries that aren't easy to start using.
# **Books I've presented**
In class, I presented the manga ***Psycho-Pass***, illustrated by Hikaru Miyoshi (the manga is also titled ***Inspector Akane Tsunemori***).
I've also presented ***Permanent Record*** by Edward Snowden.