G33K @ Work | Geeky stuff

CAT | Hacking

This blogpost describes how we from StratumAuhuur solved the pirate_danbi challenge in the Codegate 2015 Preliminary CTF.


The binary is a simple server started via inetd. After startup it generates two strings containing the IP-address of the client to be used as filenames for storing a bz2 compressed file and the extracted bz2 file in /tmp. It also reads an 8 byte long key file from disk.
(mehr …)


This writeup explains how we (Andreas Straub, rep and myself as part of 0ldEr0pe) ended up pwning the musicman service during the 2013 DEF CON CTF qualifying (for which we did’t qualify this year. meh!).


The service listens on port TCP port 7890. As soon as you connect it starts throwing binary data at you. After dumping that data into a file, we recognized that this is a WAV audio file. After fucking everybody up by playing the high-pitch noise contained in that file a few times for the lulz we opened it up in audacity and saw some obvious structures:

The WAV-file we got from musicman in Audacity

That doesn’t look or sound like normal music. (mehr …)

, , , ,



SIGINT 12 – EFI Rootkits

Im Mai diesen Jahres habe ich auf der SIGINT 12 in Köln einen Talk über EFI Rootkits gehalten. Das Video gibt es mitlerweile sowohl auf media.ccc.de als auch bei YouTube. Bitte entschuldigt den hallenden Ton. Was besseres haben wir leider nicht.

Den Code für den EFI Firmware Image Dissector findet ihr auf Github.

, ,



Easterhegg 2011 Talk

Dieses Jahr fand das Easterhegg wieder in Hamburg statt.

Die Slides zu dem von mir gehaltenen Talk/Workshop gibts nun hier für alle, die es interessiert 😉


, , , ,

I needed a virtualized Mac OS. I want to know how a special EFI extension works which permanently changes the harddisk. I don’t want to do this on my real machine. I would have to reboot it several times and perhaps loose all my data on my HDD if something goes wrong while I’m experimenting which this extension. Also live debugging would be next to impossible.

Luckily, VMware and VirtualBox are able to virtualize Apple’s Mac OS X Server. His holy Steveness decided to allow virtualization only for the Server version of Mac OS. But there is help, so I „fixed“ the DVD to be able to boot a Mac OS X 10.6.3 retail DVD in VMware.

Unfortunately VMware then told me that the CPU was halted by the guest operating system. This happens if a kernel issues a „hlt“ statement on all currently active cores without interrupts enabled to wake up the CPU later. This is bad because the whole operating system is trapped in this state. But why did this happen with OS X? (mehr …)

, , , , , , , , , , ,



OS Development Demo Code

A while ago, I wrote some demo code to demonstrate various things you need to do to write your own operating system.
In May 2010 I held a lecture and workshop about this code and the concepts at SigInt conference in Cologne, Germany.

I just thought that this code may be interesting to other people who did not attend this conference. (mehr …)

, , , , , , , , ,



Switch Hacking

Last week I stumbled upon tmbinc’s blog entry series „What’s inside“.
This one was especially interesting to me since I always wanted to buy a GBit switch (I never had one until today, really 😉 ). (mehr …)

, , ,