This blog post describes how we at StratumAuhuur solved the pirate_danbi challenge in the Codegate 2015 Preliminary CTF.
The binary is a simple server started via inetd. After startup it generates two strings containing the IP address of the client to be used as filenames for storing a bz2-compressed file and the extracted bz2 file in /tmp. It also reads an 8-byte-long key file from disk.
This writeup explains how we (Andreas Straub, rep and myself as part of 0ldEr0pe) ended up pwning the musicman service during the 2013 DEF CON CTF qualifying (for which we didn’t qualify this year. meh!).
The service listens on TCP port 7890. As soon as you connect it starts throwing binary data at you. After dumping that data into a file, we recognized that this is a WAV audio file. After fucking everybody up by playing the high-pitch noise contained in that file a few times for the lulz we opened it up in Audacity and saw some obvious structures:
In May of this year I gave a talk about EFI rootkits at SIGINT 12 in Cologne. The video is now available on media.ccc.de as well as on YouTube. Please excuse the echoing sound. Unfortunately, we don't have anything better.
You can find the code for the EFI Firmware Image Dissector on Github.
This year, Easterhegg took place in Hamburg again.
The slides for the talk/workshop I gave are now available here for everyone who is interested.
I needed a virtualized Mac OS. I want to know how a special EFI extension works which permanently changes the hard disk. I don’t want to do this on my real machine. I would have to reboot it several times and perhaps lose all my data on my HDD if something goes wrong while I’m experimenting with this extension. Also live debugging would be next to impossible.
Luckily, VMware and VirtualBox are able to virtualize Apple’s Mac OS X Server. His holy Steveness decided to allow virtualization only for the Server version of Mac OS. But there is help, so I “fixed” the DVD to be able to boot a Mac OS X 10.6.3 retail DVD in VMware.
Unfortunately VMware then told me that the CPU was halted by the guest operating system. This happens if a kernel issues a “hlt” statement on all currently active cores without interrupts enabled to wake up the CPU later. This is bad because the whole operating system is trapped in this state. But why did this happen with OS X?
A while ago, I wrote some demo code to demonstrate various things you need to do to write your own operating system.
In May 2010 I held a lecture and workshop about this code and the concepts at the SigInt conference in Cologne, Germany.
I just thought that this code may be interesting to other people who did not attend this conference.
Almost a year ago I bought an HTC Magic (also known as the G2) phone as a replacement for my iPhone.
I was quite happy with it since it had the newest Android 1.5 and there was also an update released by Google to get it to version 1.6.
Now that there are much fancier phones out there, like the Nexus One and Motorola Milestone, there must be a reason for people to buy them. The consequence of that is that they are holding back any updates to Android 2.0 or 2.1 for older phones. At least that’s my impression.
I have also always wanted to build and run my own Android since it is open source. At least that’s what Google says.
My first steps were quite disappointing since there was no device-specific package for my G2 in the source tree. There was only one for the HTC Dream (G1).
Yesterday I wanted to give it another try and it was a success. I will post my steps here which are especially for the HTC Magic (or G2, HTC Sapphire, MyTouch 3G, Google IO – they are all the same) but it should be possible to do this with other phones as long as you have all the device-specific blobs like the GSM Baseband layer or low-level hardware drivers for your specific device.
Also keep in mind that this won’t be a normal guide like “How can I root this phone?” I assume that you more or less know what you are doing. So don’t blame me when you brick your phone: Shit happens and I’m not going to fix it.