
PoC or GTFO, Volume 2


by Manul Laphroaig


  Integrated Circuits

  Potential builders of the Galaksija computer are mostly worried about acquiring the integrated circuits. Unfortunately, those can only be bought abroad. There are real reasons to worry: how to align the order with customs regulations, how to explain in a foreign language what it is that you actually need, and how to make the payment?

  The procedure is, in essence, simple: you need to write to the foreign company and ask for an invoice. When you get the invoice, you go to the bank to make the payment — a foreign currency payment. In reality, everybody who has ever tried this knows how hard it actually is. Unfortunately, there’s no other way. Keep one thing in mind at all times: the maximum value of a single shipment cannot exceed 1500 dinars, otherwise it will be returned and will never reach you.

  To try and simplify things at least a bit, Galaksija has made a deal with Microtechnica in Graz. Full price for the complete set of ICs, an RF modulator, the quartz crystal and three sockets is 1000 shillings (about 6500 dinars) for a 4K RAM version with two 6116 ICs, or 1116 shillings for a 6K RAM version with three 6116 ICs.

  This price includes shipping and is fully in line with domestic customs regulations. To order, simply request an invoice for Galaksija parts. You can pay with one of the following cards: American Express, Diners, Eurocard and Visa. All buyers of a complete set of ICs for Galaksija from Microtechnica will receive a pre-programmed EEPROM for free, which considerably simplifies the path to a working Galaksija computer. Orders should be sent to the following address: Microtechnica, A-8042 Graz, St. Peter Hauptstrasse 10, Austria.

  There are also reliable distributors in England (Ambit International, 200 North Service Road, Brentwood, Essex, England) and Germany (Bürklin, Schillerstrasse 40, 8000 München).

  Programming the EEPROM

  Without system programs written into the 2732 (ROM) and 2716 (Character ROM) EEPROMs, the Galaksija computer is completely helpless. Readers who order the set from Microtechnica will get the EEPROMs pre-programmed, completely ready for installation. Readers who already have EEPROMs, or intend to source them from other distributors, can send them to the Galaksija offices to be programmed.

  This favor is completely free and will be done by MIPRO from Belgrade,39 where the development of this computer was started. You can start sending your EEPROMs right away; they will be returned within fifteen days at most. Include enough stamps for return postage, the same number you needed to put on the envelope to send it. An insured letter is probably the safest way for EEPROMs to get to our offices and back to you. EEPROMs should be sent to Galaksija, 11000 Beograd, Bulevar vojvode Mišića 17.

  Emergency help

  Less experienced builders should not fear being left alone in their endeavor to build the Galaksija. In cooperation with the Avala amateur-radio club from Belgrade, we’ve organized a help line which will be available each day from five until eight o’clock at phone number 011/402-687. At this same club, we’ll conduct free computer building courses. You’ll find detailed announcements in the February issue of Galaksija, even before you are able to gather all the parts.

  Voja Antonić (back) and his friend Jova Regasek assembling Galaksija

  9:11 Root Rights are a Grrl’s Best Friend

  by fbz

  The trolls are glad to lie for views

  They delight in online duels.

  But I prefer a man page that describes extensive tools.

  A shell on the sys may be quite continental

  But root rights are a grrl’s best friend.

  sudo may be grand, but it won’t pay the rental

  On your hosting fee, or help you with the disassembly.

  RAM gets cold as exploits get sold

  And we all mine bitcoin in the end.

  But exploit or shell script,

  priv escalation keeps its shape!

  Root rights are a grrl’s best friend!

  There may come a time when a hacker needs a lawyer,

  But root rights are a grrl’s best friend.

  There may come a time when a tech firm employer

  Offers you stock options

  But get root rights and your own machines.

  Perks will fly when stocks are high,

  But beware when they start to descend.

  Machines will go offline and no more command line!

  Root rights are a grrl’s best friend!

  I’ve heard of servers where you get admin accounts,

  But root rights are a grrl’s best friend.

  And I think that machines that you admin yourself

  Are better bets. If nothing else, big data sets!

  Unix time rolls on, entropy is gone,

  And you can’t get that file to prepend.

  But big racks or botnets you get props for root logins!

  Root rights, root rights, I don’t mean jail breaks,

  Root rights are a grrl’s best, best friend!

  9:12 What if you could listen to this PDF?

  by Philippe Teuwen

  To honor the tradition of polyglot releases, pocorgtfo09.pdf is also an audio file featuring a 24-bit studio recording of fbz’ Root Rights are a Grrl’s Best Friend, which you can enjoy with MPlayer or VLC.

  There are some official ways to embed an audio file in a PDF, such as LaTeX’s media9 package. Unfortunately, that would only work in Adobe Acrobat Reader, provided that you also install Adobe Flash—quite a reckless prerequisite nowadays. We are not such bad neighbors, so we looked for alternatives.

  Adobe, once again, is out to search-and-destroy polyglots, so all common audio file types, such as WAV, MP3, M4A, 3GP, AAC and FLAC, are prohibited. Still, some less popular formats remain undetected, up until now! Among the free lossless formats, these are True Audio (.tta) and WavPack (.wv).

  TTA frame structure40 is unfortunately too rigid and doesn’t allow much trickery to inject the start of the PDF within the first kilobyte. It supports standard tagging by ID3v1/v2 and APEv2, but prepending ID3 info is banned by Acrobat. The APEv2 specification,41 on the other hand, strongly recommends against using it at the beginning of a file. In practice, audio readers don’t support files starting with APEv2.

  The WavPack file format42 is quite unusual, but far more friendly to us: it doesn’t have a file header, but every block starts with the same magic, wvpk. We can add new metadata blocks at the beginning of the file, and they support DUMMY sub-blocks, meant for padding. So we can inject the beginning of a PDF, but can we use those sub-blocks to inject the full PDF in our WavPack? For each sub-block the theoretical size is 16 Mb, but in practice MPlayer accepts a maximum of 1,047,548 bytes and VLC 1,048,548 bytes and only one such sub-block per block. So it’s possible, but it would be quite impractical to slice the PDF in 1Mb chunks. WavPack also supports ID3v1 and APEv2. ID3v1 is too limited (only ID3v2 allows PRIV frames), so we have to rely on APEv2 to inject the bulk of the PDF (and ZIP, as usual) in a large metadata frame.

  We now have the ingredients to build a PDF/ZIP/WavPack polyglot file. The final file structure, from the three perspectives, is depicted on page 130.

  All starred items contain a size or an offset that depends on another part of the polyglot, so the file is built in two passes. The first pass puts the elements together, and then the second pass adjusts those fields in the WavPack and ZIP.
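A small defender-side parser for the layout described above, added here as an example and not code from the article or from the pocorgtfo build scripts: it walks the leading wvpk blocks, decodes their metadata sub-blocks, reads a trailing APEv2 tag, and reports where PDF data sits inside DUMMY padding or tag items. The function names, the builder helpers and the sample bytes are my own constructions; the field layouts follow the public WavPack and APEv2 specifications.

```python
import struct

# Constructed example: WavPack block header (32 bytes, little-endian) and APEv2 header/footer (32 bytes).
WVPK_HDR = struct.Struct("<4sIHBBIIIII")
APE_FOOT = struct.Struct("<8sIIII8s")
ID_DUMMY, ID_ODD_SIZE, ID_LARGE = 0x00, 0x40, 0x80

def sub_blocks(block):   # yield (id, payload) per metadata sub-block after the header
    pos = WVPK_HDR.size
    while pos < len(block):
        sid, large = block[pos], block[pos] & ID_LARGE
        words = int.from_bytes(block[pos + 1:pos + 4], "little") if large else block[pos + 1]
        pos += 4 if large else 2               # size is in 16-bit words; ODD_SIZE drops one byte
        yield sid & 0x3F, block[pos:pos + words * 2 - bool(sid & ID_ODD_SIZE)]
        pos += words * 2

def ape_items(data):     # parse a trailing APEv2 tag into {key: value}; {} if none present
    magic, _, size, count, _, _ = APE_FOOT.unpack_from(data, len(data) - APE_FOOT.size)
    if magic != b"APETAGEX":
        return {}
    pos, items = len(data) - size, {}          # tag size excludes the optional header
    for _ in range(count):
        vlen = struct.unpack_from("<I", data, pos)[0]
        end = data.index(b"\0", pos + 8)       # NUL-terminated key after size+flags
        items[data[pos + 8:end].decode("ascii")] = data[end + 1:end + 1 + vlen]
        pos = end + 1 + vlen
    return items

def find_hidden_pdf(data):   # walk leading 'wvpk' blocks and the APEv2 tag; report PDF hideouts
    hits, pos = [], 0
    while data[pos:pos + 4] == b"wvpk":
        ck_size = struct.unpack_from("<I", data, pos + 4)[0]
        for sid, payload in sub_blocks(data[pos:pos + 8 + ck_size]):
            if sid == ID_DUMMY and b"%PDF-" in payload:
                hits.append(("dummy sub-block", pos, len(payload)))
        pos += 8 + ck_size
    for key, value in ape_items(data).items():
        if b"%PDF-" in value or b" obj" in value:
            hits.append(("APEv2 item", key, len(value)))
    return hits

def sub_block(sid, payload):                   # builder: odd payloads get a pad byte + flag
    if len(payload) % 2:
        sid, payload = sid | ID_ODD_SIZE, payload + b"\0"
    return bytes([sid, len(payload) // 2]) + payload   # sizes below 256 words only
def wv_block(subs):                            # builder: ckSize excludes the 8-byte prefix
    body = b"".join(subs)
    return WVPK_HDR.pack(b"wvpk", 24 + len(body), 0x410, 0, 0, 0, 0, 0, 0, 0) + body
def ape_tag(items):                            # builder: flags bit 31 = has header, bit 29 = is header
    body = b"".join(struct.pack("<II", len(v), 0) + k.encode() + b"\0" + v for k, v in items.items())
    part = lambda f: APE_FOOT.pack(b"APETAGEX", 2000, len(body) + 32, len(items), f, bytes(8))
    return part(0xA0000000) + body + part(0x80000000)

SAMPLE = (wv_block([sub_block(ID_DUMMY, b"%PDF-1.5\n%polyglot\n")])   # PDF start in padding
          + wv_block([sub_block(0x02, b"\x05\x05")])                  # ordinary-looking block
          + ape_tag({"pdfrest": b"1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"}))
```

Running `find_hidden_pdf` over a real .wv file reports any DUMMY padding that begins a PDF and any APEv2 item carrying PDF objects, which is the structure an Acrobat-style scanner would have to look for.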

  By the way, the artwork on page 126 is by Ange and myself, derived from Vectorportal’s artwork licensed under a Creative Commons Attribution 3.0 Unported License.43

  9:13 Oona’s Puzzle Corner!

  by Oona Räisänen

  Mystery Message

  Peter sits in the front of the classroom. One day during class this message was passed to him.

  Interpolation Colorization

  Sadie really likes to convolve with this kernel. But she only took with her a travel pack containing a limited set of discrete samples. Use a colored pencil to connect the integer-valued dots (1, 2, 3, ...). Then repeat using a different color but include also the decimal-valued dots. What do you see? How is this related to interpolation and sampling rates? If you recognize the kernel, how would you help Sadie generate even more points?

  Bit Flip Trouble

  Mary keeps two copies of a precious file. But one of the copies has been corrupted in memory due to a recent Rowhammer attack. Can you find all the flipped bits in the samples below? Can you even tell which one is the original?

  Hint: !noisiv oerets ruoy esU

  Hacker Jumble

  Max has been trying to memorize some topical words for his upcoming infosec specialist appearance in the news. But now they’re all lying on his hotel room floor and he has trouble finding them. How many words can you find? What has happened to them during the night that makes them so difficult to see?

  10 The Theater of Literate Disassembly

  IN THE THEATER OF LITERATE DISASSEMBLY,

  PASTOR MANUL LAPHROAIG

  AND HIS MERRY BAND OF

  REVERSE ENGINEERS

  LIFT THE WELDED HOOD FROM

  THE ENGINE THAT RUNS THE WORLD!

  10:1 Please stand; now, please be seated.

  Neighbors, please join me in reading this eleventh release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. This is our eleventh release, given on paper to the fine neighbors of Washington, D.C.

  Our sermon today, to be found on page 139, is a sordid tale in the style of a Dickensian ghost story. Pastor Laphroaig invites us to the anatomical theater, where helpless tamagotchis are disassembled in front of an audience, for FUN!

  Page 144 contains a delightfully sophisticated and reliable exploit for Pokémon Red on the Super GameBoy, starting from a save-game glitch, then working forward through native Z80 code execution to native 65C816 code on the host Super NES. They do all of this on real hardware with scripted access to only the gamepad and the reset switch!

  Keeping up our tradition of shipping in funky file formats, this PDF is a new polyglot! Page 190 contains the details for how this PDF is also an exploit, loading Pokémon Plays Twitch in the LSNES emulator.

  Micah Elizabeth Scott is becoming a regular contributor to this journal, and we eagerly await each of her submissions. Page 194 contains her notes on ARM’s replacement for JTAG, called Single Wire Debug. Driving SWD from an Arduino, she’s able to move the target machine like a marionette, scripted from literate HTML5 programming with powerful new elements, such as a hex editor.

  When we heard that Amanda Wozniak was contracted to reverse engineer a pregnancy test, but never paid for the work, we quickly scrounged up five Canadian loonies to buy the work as scrap. Page 205 contains her notes, and we’ll happily pay five more loonies to the first use of this technology in a Hackaday marriage proposal or shotgun wedding.

  On page 220, Peter Ferrie shares tricks for breaking the copy protection of dozens of Apple ][ games. When we told Peter to keep his notes to six pages, he laughed and dared us to find tricks worth cutting from his article. Accordingly, our cutting-room floor is spotless and this article is the most complete collection of Apple ][ cracking techniques in modern publication.

  Travis Goodspeed has been playing with Digital Mobile Radio (DMR) lately, a competitor to TETRA and P25 that is used for amateur radio, as well as trunked radio for businesses and cash-strapped police departments. Page 311 contains his notes for jailbreaking the Tytera MD380’s bootloader, dumping all of protected memory, then patching its application to enable promiscuous mode. These tricks should also work on the CS700, CS750, and a variety of other DMR handhelds.

  10:2 Three Ghosts and a Little, Brown Dog

  a sermon by Pastor Manul Laphroaig

  Rise, neighbors, and in the tradition of the season, let’s have a conversation with spirits of the past, the present, and the future. We will head to a disreputable place, a place of controversy where, according to the best moral authorities, irresponsible people do foul things for fun: a place of scandalous, wholesale wickedness which must be stopped!

  Yes, neighbors, we are heading to an anatomical theater, to observe its grim denizens at their grisly pastime. While some dissect carcasses, the rest watch from rows of seats. They call it learning and finding things out—even though most of what meets the eye looks like merely breaking things apart. They say they are making things better—even curing diseases!—though there are highly titled authorities with certified diplomas and ethically approved methodologies who make it their business to improve things “holistically,” without all this disconcerting breakage and cutting things off. Truly, if this doesn’t beg the question “How is this allowed?,” then what does?

  There was a time, neighbors, when anatomy didn’t mean trying to guess how a thing functioned by dissecting a specimen. When Andreas Vesalius published his classic human anatomy atlas with its absolute priority of dissection for learning what was and what was not true about the human body, his fixation on biological disassembly was a scandal. A proper anatomy book was understood to include Aristotle’s four humors and a fair bit of astrology; imagine how regressive Vesalius’ fixation on cutting things apart to find their function must have looked! Even when he became a royal court physician, other learned physicians called him a barber—for everyone knew that only barbers and sawbones used blades. Until Victorian times, a doctor was a gentleman, and a surgeon wasn’t. Testing the patient’s urine was fine, but taking knives to one was simply below a proper doctor’s station.

  Vesalius’ dissection-bound atlas became an instant hit, though. It turned out that going into specific techniques of dissection—place a rope here and a pulley there—so that others would replicate it was exactly what was needed; the venerable signs and elements, on the other hand, not so much. Which did not save Vesalius from having to undertake an emergency trip to far-away lands for an obscure reason, dying in abject poverty on the way. He died before the first dedicated anatomical theater was built in 1594, by which time anatomy finally meant what he had made it mean.

  Ah, but that was then and now is now! The year is 1902, and physiology is the latest scandal. Again, moral delinquents and their supporters are doing something loathsome: vivisection. Again, they come up with excuses: it’s all about finding out how things work, they say; some kind of knowledge that makes them different from the uninitiated, we hear. And even if there was knowledge to be gained, could it really be trusted to such an immature and irresponsible crowd? Stuck to their—not so innocent—toys and narrowly focused views, they can’t even see the bigger ethical picture! They cater to and are occasionally catered by truly objectionable characters—and then have the gall to shrug it off. They talk about education, but who in their right mind would let them near children? Too bad there isn’t a general law against them yet, and the establishment is dragging its feet (or even has its own uses for them, no doubt disgusting)—but the stride of social progress is catching up with them, and, with luck, there soon will be!

  That was the year of high court drama, a pitched battle between people who each believed themselves to embody social progress against superstition. It saw rallies by socialists and riots by medical students, scientists and suffragettes, British lords and Swedish feminists—and a lot more, including its own commemorative handkerchief merchandise. It is immortalized in history as The Brown Dog affair, one so dramatic that even the Wikipedia article about it makes for good reading. Incidentally, the experiment involved led to the discovery of hormones.

  So says the Ghost of Science Past, but we bid him to haunt us no longer. There is another, more cheerful Spirit to occupy our attention—the Spirit of the Present. This is a more cheerful Spirit, involving pets only as cute pictures thereof—and lots of them!—much to the relief of those who think neither Schrödinger nor Pavlov would make good friends.

  But this Spirit isn’t left without attention from our moral betters. What about the children? What about the lowlives and the criminals whom we empower by our so-called knowledge? What about the bullies, the haters, the thieves, the spies, the despots, and even—the terrorists? Would a good thing be called exploitation or pwnage? This new reality is so scary to some people that their response goes straight to nuclear; they call for a Manhattan project, but what they really mean is “nuke it from orbit.” To some, it’s even about evil “techno-priests” hijacking “true social progress”—or at least it sells their books.

  Nor is this Spirit’s domain devoid of court drama, even in our enlightened times—although looking where we tend to fall on the scale between Vesalius and Lord Alverstone’s Old Bailey, one begins to wonder just where the light is going. No wonder the Spirit of the Hacking Present looks somewhat frayed around the edges.

  Why wait for the Specter of the Future to make an appearance? I say, neighbors, let’s make like 1594 at the University of Padua—back when a university used to have quite a different place in this game of ghosts—and have our own Anatomical Theater, a Theater of Literate Disassembly!

  Just as Knuth described Adventure with Literate Programming, we’ll weave together the disassembled code of a live subject with expert explanations of its deeper meaning.1 (Of course the best part might well be a one liner, but we’ll save the reader hours of effort!) We’ll weave a log and a transcript into an executable script that reproduces the cuts of a Master Surgeon, stroke by stroke.
