These are mostly done for practice purposes.


<?php
$input = "100 0000 0100 0000 0100"; // d263172
$input = str_replace(' ', '', $input); // convert spaces to blank. (e.g.: 1000000010000000100)
echo "Converting {$input} into decimal...\n\n";
$exp = 1;
$total = 0;
for($i = (strlen($input) - 1); $i > -1; $i--) { // start from the back of the string, and work our way to the left.
if($input[$i] == "1") $total += $exp; // if current position is 1, increase our total by the current power value
$exp *= 2; // increase to next power of 2.
}
echo number_format($total); // output in a formatted string (e.g.: 263,172)
?>



<?php
$months = array("BB","LS","JH","PL","BK",
"WH","FF","BF","CF","CK","CB","VM");
$code = $months[(int)date('m')-1];
for($i=0; $i < 5; $i++) $code .= rand(0, 9);
echo $code."\n";
?>

It’s a very controversial application; it scans everything on your computer to verify that you aren’t using any torrent/p2p software, as well as ensuring that you have a virus scanner that has been approved.

If you fail to meet any of the requirements, or the system simply finds something it doesn’t like: you are not getting online.

That is, until a workaround was found.

The workaround is actually very simple.

All you have to do is spoof your user agent to resemble a mobile device, and you will instantly be granted access.

The easiest way to do this is with Firefox.

You can install the user agent switcher addon or follow these steps:

1. Navigate to “about:config” (without the “”‘s)
2. In the search/filter box type: “general.useragent.extra.firefox”
3. Double click the result, copy the string that is currently there (should be similar to “Firefox xx/xx”)
4. Type in “Android”
5. Save
6. Head over to any site, and boom! You have access

After getting access you can put that setting back to normal and continue on with business as usual.

I felt like I should share this with you guys, seeing how I learnt some neat tricks that I’ve never seen before (allowing me to solve subnet based problems very quickly.)

So let’s jump right to it!

Finding CIDR equivalents.

255.255.255.0

FF.FF.FF.00

11111111.11111111.11111111.00000000

8 one's.8 one's.8 one's.zero

8+8+8 = 24

CIDR: /24

this works for every example (that i’ve seen.)

It also works in reverse.

CIDR: /30

30 - 8 = 22 - 8 = 14 - 8 = 6

we subtracted 8 three times (255.255.255) and we have 6 left over

11111111.11111111.11111111.11111100

FF.FF.FF.FC

255.255.255.252

These are some methods I saw for determining ranges:

192.168.5.0/26 or 192.168.5.0 255.255.255.192

convert to binary (192.168.5.0 to binary)
11000000.01111110.00000101.00000000

00 | first (network id)
01 | first host
10 | last host
11 | broadcast

11000000.01111110.00000101.00|000000 = 192.168.5.0 (network id)

11000000.01111110.00000101.00|000001 = 192.168.5.1 (first host)

11000000.01111110.00000101.00|111110 = 192.168.5.62 (last host)

11000000.01111110.00000101.00|111111 = 192.168.5.63 (broadcast)

1.2.3.4/8 or 1.2.3.4 255.0.0.0

00000001.00000010.00000011.00000100

00000001.|00000000.00000000.00000000 = 1.0.0.0 (network id)

00000001.|00000000.00000000.00000001 = 1.0.0.1 (first host)

00000001.|11111111.11111111.11111110 = 1.255.255.254 (last host)

00000001.|11111111.11111111.11111111 = 1.255.255.255 (broadcast)

This is just a quick post put together showing how to do subnets and playing with hosts per subnet and etc.

Hope someone finds it useful! :)

Many of you may remember the “hidden whitepages screen” from a while back.

Today I was fooling around and decided to grab the latest copy of the Whitepages app ($7, why not?) and I noticed the “415″ trick no longer worked.

Took a quick look around, and discovered their new method of accessing the hidden screen.

Two taps on the “Whitepages” logo, and two taps on the “developer” logo and it’ll pan you right over to the hidden screen.

Enjoy!

Oh, and happy fourth of July everyone :)

I chose the school (mostly) because of its guaranteed job placement. My friend, who also graduated recently from DeVry, is currently a network administrator at a Hard Rock Hotel & Casino in South Florida thanks to DeVry.

But that’s besides the point.

DeVry, like few other colleges, has chosen to use an online system called “MyScribe” (owned by the site CafeScribe.com ["Fourteen40, Inc."])

The charges for the EBook are automatic, and the online classes even tell you that the books are available online “for portability.”

The problem? It’s all DRMed.

You can’t view the books anywhere other than a windows-based environment with MyScribe installed (or using it’s portable client).

But this can easily be bypassed.

Legal Disclaimer: I do not condone the illegal reproduction of any works accessible through MyScribe, and you cannot hold me responsible for anything discussed within this post. By reading this technique, you agree and understand that it is simply for educational purposes, and must NEVER be used in a real life application.

With that said..

Install a “print-to-pdf” enabled software. (CutePDF is freeware, and can be found online)
Open up MyScribe.
Select the book you’d like to read elsewhere.
File -> Print.
Select “all pages”
Press Print
Select your software PDF converter.
Print.
Enjoy DRM-Free PDF EBooks. :)

I found this bomb on the ubuntu forums, although a copy can be downloaded off my server (for archiving purposes, etc)

So let’s get to it!

Tools required:

- demobomb (the binary bomb!)

- GDB (should come stock on mainstream distro’s.)

Hacking it:

Binary bombs usually come in “phases.” These phases are, for the most part, just different layers of protection before you reach the ending.

Phase 1:

$ gdb ./demobomb
(gdb) set disassembly-flavor intel ; set gdb to display disassembly in intel format (easier to read)
(gdb) break main
Breakpoint 1 at 0x80484af

we set a breakpoint on “main” so the app won’t run through by itself

(gdb) disas main
Dump of assembler code for function main:
0x080484a1 <main+0>: lea ecx,[esp+0x4]
0x080484a5 <main+4>: and esp,0xfffffff0
0x080484a8 <main+7>: push DWORD PTR [ecx-0x4]
0x080484ab <main+10>: push ebp
0x080484ac <main+11>: mov ebp,esp
0x080484ae <main+13>: push ecx
0x080484af <main+14>: sub esp,0x4
0x080484b2 <main+17>: mov DWORD PTR [esp],0x80485bc
0x080484b9 <main+24>: call 0x8048314 <puts@plt> ; welcome message
0x080484be <main+29>: mov DWORD PTR [esp],0x80485b4
0x080484c5 <main+36>: call 0x8048314 <puts@plt>
0x080484ca <main+41>: call 0x804843e <phase_1_of_1> ; heres the call that sends us into our first phase! let's set a breakpoint on it
0x080484cf <main+46>: mov DWORD PTR [esp],0x8048618
0x080484d6 <main+53>: call 0x8048314 <puts@plt>
0x080484db <main+58>: mov eax,0x0
0x080484e0 <main+63>: add esp,0x4
0x080484e3 <main+66>: pop ecx
0x080484e4 <main+67>: pop ebp
0x080484e5 <main+68>: lea esp,[ecx-0x4]
0x080484e8 <main+71>: ret
End of assembler dump.
(gdb) break phase_1_of_1
Breakpoint 2 at 0x8048444

now let’s look at our first phase

(gdb) disas phase_1_of_1
Dump of assembler code for function phase_1_of_1:
0x0804843e <phase_1_of_1+0>: push ebp
0x0804843f <phase_1_of_1+1>: mov ebp,esp
0x08048441 <phase_1_of_1+3>: sub esp,0x28
0x08048444 <phase_1_of_1+6>: lea eax,[ebp-0x8]
0x08048447 <phase_1_of_1+9>: mov DWORD PTR [esp+0xc],eax
0x0804844b <phase_1_of_1+13>: lea eax,[ebp-0x4]
0x0804844e <phase_1_of_1+16>: mov DWORD PTR [esp+0x8],eax
0x08048452 <phase_1_of_1+20>: mov DWORD PTR [esp+0x4],0x80485ae
0x0804845a <phase_1_of_1+28>: mov eax,ds:0x804974c
0x0804845f <phase_1_of_1+33>: mov DWORD PTR [esp],eax
0x08048462 <phase_1_of_1+36>: call 0x8048324 <fscanf@plt> ; grab every integer in our input (separated by blank space [return (\x0a), or space [\x20])
0x08048467 <phase_1_of_1+41>: cmp eax,0x2 ; compare how many integers we inputted (again, separated by blank space) to 2
0x0804846a <phase_1_of_1+44>: je 0x8048471 <phase_1_of_1+51> ; if we put in exactly 2 integers, jump to +51, if not.. continue
0x0804846c <phase_1_of_1+46>: call 0x8048420 <explode_bomb> ; explode
0x08048471 <phase_1_of_1+51>: mov edx,DWORD PTR [ebp-0x4] ; land here from previous jump (move our first integer into edx)
0x08048474 <phase_1_of_1+54>: mov ecx,0x1 ; set ecx to 1, land here if jump
0x08048479 <phase_1_of_1+59>: cmp edx,0x1 ; compare edx to 1
0x0804847c <phase_1_of_1+62>: jle 0x8048492 <phase_1_of_1+84> ; if edx is less than or equal to 1, jump to check at +84
0x0804847e <phase_1_of_1+64>: mov eax,0x1 ; set eax to 1
0x08048483 <phase_1_of_1+69>: mov ecx,0x1 ; set ecx to 1
0x08048488 <phase_1_of_1+74>: imul ecx,eax ; multiply ecx by eax (store in ecx)
0x0804848b <phase_1_of_1+77>: add eax,0x1 ; eax++
0x0804848e <phase_1_of_1+80>: cmp edx,eax ; compare edx (first input) to eax (number of times we looped)
0x08048490 <phase_1_of_1+82>: jne 0x8048488 <phase_1_of_1+74> ; if not equal, jump to +74, if not.. continue
0x08048492 <phase_1_of_1+84>: cmp DWORD PTR [ebp-0x8],ecx ; compare our second input to ecx
0x08048495 <phase_1_of_1+87>: je 0x804849c <phase_1_of_1+94> ; if equal, defuse, if not.. continue
0x08048497 <phase_1_of_1+89>: call 0x8048420 <explode_bomb> ; explode
0x0804849c <phase_1_of_1+94>: leave
0x0804849d <phase_1_of_1+95>: lea esi,[esi+0x0]
0x080484a0 <phase_1_of_1+98>: ret
End of assembler dump.

we already have all the information we need to code a generator, or do some math on our own!

The bare-bones for this (in assembly) is:

mov eax, 1
mov ecx, 1
mov edx, [input]
:loop
imul ecx, eax
add eax, 1
cmp edx, eax
jne :loop
; ecx now holds our magical value

In C it looks like this:

#include <stdio.h>
#include <stdlib.h>
int main() {
int eax,ecx,edx;
eax=1;
ecx=1;
edx=5;
if(edx > 0) {
while(edx != eax) {
ecx *= eax;
eax++;
}
}
printf("1: %d\n2: %d\n", edx, ecx); // this part will show you our values!
return 0;
}

So to conclude, it grabs our first number of input, and multiplies until eax reaches that value.

i.e. if we input 5:

(eax = 1)

1 * eax = 1 (increase eax, eax = 2)

1 * eax = 2 (increase, eax = 3)

2 * eax = 6 (increase ,eax = 4)

6 * eax = 24 (increase, eax = 5.. STOP!)

magic: 5 24

$ ./demobomb
Welcome to the demo bomb. In another moment of weakness, Dr. Evil created this demo bomb.
Phase 1
5 24
You safely defused the bomb. Well done.

The sad part was that they took a very simple process and complicated it- 10 fold.

The following procedure will insure that your data will be wiped from existence, and uses nothing more than the power of open source tools. (both for wiping, and checking)

What data?

shred is an open source tool (part of the GNU core utilities series) and is an extremely powerful wiper.

It comes stock on various main-stream linux distributions (Ubuntu, Mint, Fedora, etc) and if it isn’t available on whatever distro you happen to be on, it is easily available from a bootable distro (Ubuntu, again) or with a more powerful front-end known as DBAN (discussed in the gizmodo article mentioned above).

The most effective way to use shred is as follows:

1. Have the disk you’d like to wipe hooked up (unmounted!)
2. Figure out which device file is the disk you’d like to wipe.
   • This is accomplished by one of two ways:
     1. Using a 3rd party tool, such as fdisk or gparted to find the device file with the right partitions / size that match the disk. (the easy way)
     2. Have the device disconnected, “ls /dev” Connect the device, “ls /dev” and see which device file pops up. (the i-like-to-complicate-things way)
3. Run the following command:
   • note: for this demonstration i’m going to use “/dev/hda.”
   • note: you may see various device files with the same prefix (i.e. “/dev/hda”, “/dev/hda1″, “/dev/hda2″) please understand that /dev/hda is the entire disk, and /dev/hda1 etc. are PARTITIONS on the drive.

shred -f -z -n 0 -v /dev/hda

This can take several hours depending on the size, and speed, of the disk you are erasing.

This will effectively erase EVERYTHING on the disk, and overwrite it with zeros.

Just as a quick breakdown:

shred -f -z -n 0 -v /dev/hda

shred this is the actual command.

-f this switch means “force.” It tells shred to, pretty much, do whatever is necessary to erase the drive (permissions / etc)

-z this switch means “zero.” It tells shred to overwrite our data with nothing but zeros.

-n 0 this switch means “iterations.” It tells shred to only overwrite once. (you can up the number of times to shred, but only once is necessary. more than that is just overkill.)

-v this switch means “verbose.” It tells shred to be more verbose.

/dev/hda this is the disk. say good-bye.

This time I think it’s going to work a little different around here. If anyone has any good graphical skills (which as a right brained person, I lack completely) and would like to throw together a little something-something for me, please try and get in touch me.

The blog this time will contain a bit more than just my usual ramblings; I plan on keeping this strictly tech.

I’ve setup a few categories so far, the general being “/dev/urandom” (random posts) “Hacking” (hacking related posts, which contain subcategories “linux,” “netsec,” and some others) and “Tips” (life, food, health, etc)

Let’s see how it goes!