G33K @ Work | A geek's tinkering



This writeup explains how we (Andreas Straub, rep and myself as part of 0ldEr0pe) ended up pwning the musicman service during the 2013 DEF CON CTF qualifier (for which we didn't qualify this year. meh!).

Overview

The service listens on TCP port 7890. As soon as you connect it starts throwing binary data at you. After dumping that data into a file, we recognized that it is a WAV audio file. After fucking everybody up by playing the high-pitched noise contained in that file a few times for the lulz, we opened it up in Audacity and saw some obvious structures:

The WAV-file we got from musicman in Audacity

That doesn't look or sound like normal music.


25 Jul 2012

SIGINT 12 – EFI Rootkits

In May this year I gave a talk about EFI rootkits at SIGINT 12 in Cologne. The video is now available both on media.ccc.de and on YouTube. Please excuse the echoing audio; unfortunately we don't have anything better.

You can find the code for the EFI Firmware Image Dissector on GitHub.


25 Apr 2011

Easterhegg 2011 Talk

This year the Easterhegg took place in Hamburg again.

The slides for the talk/workshop I gave are now available here for anyone who is interested ;)

Slides


I needed a virtualized Mac OS. I wanted to understand how a particular EFI extension works that permanently modifies the hard disk. I don't want to do this on my real machine: I would have to reboot it several times and might lose all the data on my HDD if something goes wrong while I'm experimenting with this extension. Live debugging would also be next to impossible.

Luckily, VMware and VirtualBox are able to virtualize Apple’s Mac OS X Server. His holy Steveness decided to allow virtualization only for the Server version of Mac OS. But there is help, so I “fixed” the DVD to be able to boot a Mac OS X 10.6.3 retail DVD in VMware.

Unfortunately VMware then told me that the CPU had been halted by the guest operating system. This happens if a kernel issues a "hlt" instruction on all currently active cores without interrupts enabled to wake the CPU up later. This is bad because the whole operating system is trapped in this state. But why did this happen with OS X?


12 Jul 2010

OS Development Demo Code

A while ago, I wrote some demo code to demonstrate various things you need to do to write your own operating system.
In May 2010 I held a lecture and workshop about this code and the concepts at SigInt conference in Cologne, Germany.

I just thought that this code may be interesting to other people who did not attend this conference.


Once upon a time, one night shortly after the annual Congress in Berlin, there was a meeting at a hackerspace, the C4, in Cologne.
After a few bottles of Mate, the strangest ideas come up for satisfying one's urge to play.

When I squinted at the dot-matrix printer in the corner and asked whether it still worked, I wanted to print something. Well, the next upcoming event was the SigInt. When you hack something together, you also want to be able to present it to a wider audience. After a while we came up with the idea of printing a Longcat.


27 May 2010

Dumping the VMware BIOS

Sometimes, even if you don’t want to install a pirated Windows version, you may want to dump and modify the BIOS of a computer.
Especially if you are developing some kind of an ACPI subsystem for your own small operating system kernel.

Doing this with real hardware is kinda risky and complex.
But what about virtual machines like VMware? They have a BIOS too, but how can we get our hands on it?


Almost a year ago I bought an HTC Magic (also known as the G2) phone as a replacement for my iPhone.
I was quite happy with it since it had the newest Android 1.5 and there was also an update released by Google to get it to version 1.6.

Now that there are much fancier phones out there, like the Nexus One and Motorola Milestone, there must be a reason for people to buy them. The consequence of that is that they are holding back any updates to Android 2.0 or 2.1 for older phones. At least that's my impression.

I also always wanted to build and run my own Android, since it is open source. At least that's what Google says.
My first steps were quite disappointing since there was no device specific package for my G2 in the source tree. There was only one for the HTC Dream (G1).

Yesterday I wanted to give it another try, and it was a success. I will post my steps here; they are specifically for the HTC Magic (or G2, HTC Sapphire, MyTouch 3G, Google IO, they are all the same), but it should be possible to do this with other phones as long as you have all the device-specific blobs like the GSM baseband layer or low-level hardware drivers for your specific device.
Also keep in mind that this won't be a normal guide like "How can I root this phone?" I assume that you more or less know what you are doing. So don't blame me when you brick your phone: shit happens and I'm not going to fix it.


2 Feb 2010

Switch Hacking

Last week I stumbled upon tmbinc’s blog entry series “What’s inside”.
This one was especially interesting to me since I always wanted to buy a GBit switch (I never had one until today, really ;) ).


17 Jan 2010

I can haz FPGA?

There it goes, the Christmas bonus.

Among other things, it went on this pretty but unfortunately expensive FPGA board with a Xilinx Spartan 3 FPGA:

