GCS d--(---) s: !a C+++ UL++>+++ P- L+++>$ E--- W++ N o? K+ w$ O-- M- V? PS+++ PE- Y+>++ PGP++ t+@ 5 X++@ R* tv+>- b+>++ DI-- D- G++ e+>+++ h--- r+++ z+ [what the hell is this]

easter(h)egg 2010 - Munich

Apr 2004. On the way to Munich Henx introduced me to geocaching and I found my first little treasure. Everything cool here, much cosier than at the congress; still, the geeks and the «Tschunk» are everywhere. Thumbs up!

26c3 (here be dragons)

Jan 2010. The best annual freak show on earth - multicultural, colourful, mind-blowing, relaxing, chaotic, blinking, technical, social ...

Well, well, sure enough: Little Bobby Tables helped to secure the internet, thx $!

text_me

Jan 2010. Finally, all the hardware has arrived and the text_me is up and running. At the moment it says: "mmh, i think that i'm offline - so nevermind the bollocks ..."

05.01.2010 00:46:36 CET - press return
05.01.2010 00:47:41 CET - restate my assumptions: 1. mathematics is the language of nature. 2. everything around us can be represented and understood through numbers. 3. if you graph the numbers of any system, patterns emerge. therefore: there are patterns everywhere in nature. evidence: exists.

tex2png_remote

Nov 2009. The basic idea behind tex2png_remote was that I simply got tired of all the LaTeX source editing, re-running LaTeX and uploading the resulting image to the webserver just to display neat little formulas on my website.

On the web I found a very nice article by Titus Barik which came pretty close to the idea I had in mind. The problem with his solution, however, was that one had to have LaTeX and various other tools installed on the webserver, and sometimes this is just not an option. What I was after was a solution which relied purely on php on the webserver and on some other work horse server which does all the other stuff behind the scenes. In short:

tex2png_remote flowchart

And this is exactly what tex2png_remote does. It depends on tex2png, which is a simple derivative of Titus Barik's idea. Basically tex2png_remote is a bunch of php scripts which dynamically create images from a given LaTeX source and display them on a website by means of a remote server. Technically speaking it is a kind of php-RPC (Remote Procedure Call) or php-RMI (Remote Method Invocation).

First the client (here the webserver) takes some locally stored LaTeX source, calculates its md5 and checks if an image of the form [tex_md5].png exists on the webserver. If such an image exists, we are done and simply display it on the website. If it does not exist, the client takes the LaTeX source, creates an xml request and sends it to the work horse server. The server, upon receiving the request, generates the png and sends it back to the client, included in its xml response. The client then extracts the image data from the response, stores it locally as [tex_md5].png and displays the image on the website.

In contrast to Titus's solution, tex2png_remote only needs one work horse server on which all the necessary tools are installed; other webservers can simply consume its service. To be honest, I did not put a great effort into finding out whether such a service already exists. Anyway, it was great fun doing it.

<update date="2009-12-11">

As PNG does not support more than one image per file, tex sources which will render to more than one page (image) are not supported and will lead to only the first page being rendered.

</update>
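The exchange described above, as an added example that is not part of tex2png_remote (which is php); it is written in Python so that both the client and the work horse side can be run in one process. The element names tex2png_request, tex2png_response, md5, source, png and error, and the render_tex_to_png stand-in are assumptions, not the project's real XML format. The size limit and the short list of refused LaTeX primitives are defensive checks added here: the work horse runs LaTeX on whatever source the client submits, so it should not accept primitives that read files or spawn a shell.

```python
import base64
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed limits (not from the post): refuse oversized sources and the
# primitives that read other files or run external commands.
MAX_TEX_BYTES = 4096
FORBIDDEN = ("\\write18", "\\input", "\\include", "\\openin", "\\openout")


def tex_md5(tex: str) -> str:
    """Cache key: the md5 of the LaTeX source, as used for the [tex_md5].png file name."""
    return hashlib.md5(tex.encode("utf-8")).hexdigest()


def render_tex_to_png(tex: str) -> bytes:
    # Stand-in for the real rendering step on the work horse (assumption: tex2png
    # runs latex and dvipng); returns PNG-signature-prefixed bytes so the exchange
    # can be exercised offline.
    return b"\x89PNG\r\n\x1a\n" + hashlib.sha256(tex.encode("utf-8")).digest()


def build_request(tex: str) -> bytes:
    """Client side: wrap the source and its md5 in the XML request."""
    root = ET.Element("tex2png_request")
    ET.SubElement(root, "md5").text = tex_md5(tex)
    ET.SubElement(root, "source").text = tex
    return ET.tostring(root, encoding="utf-8")


def handle_request(request_xml: bytes) -> bytes:
    """Server side: validate the source, render it and return the PNG base64-encoded in XML."""
    root = ET.fromstring(request_xml)
    tex = root.findtext("source") or ""
    resp = ET.Element("tex2png_response")
    if len(tex.encode("utf-8")) > MAX_TEX_BYTES or any(f in tex for f in FORBIDDEN):
        ET.SubElement(resp, "error").text = "source rejected"   # plain substring check
    elif root.findtext("md5") != tex_md5(tex):
        ET.SubElement(resp, "error").text = "md5 mismatch"
    else:
        ET.SubElement(resp, "md5").text = tex_md5(tex)
        ET.SubElement(resp, "png").text = base64.b64encode(render_tex_to_png(tex)).decode("ascii")
    return ET.tostring(resp, encoding="utf-8")


def get_image(tex: str, cache_dir: str):
    """Client side: serve [tex_md5].png from the local cache, or fetch it via the RPC.

    Returns (path, served_from_cache).
    """
    digest = tex_md5(tex)
    path = os.path.join(cache_dir, digest + ".png")
    if os.path.exists(path):
        return path, True
    resp = ET.fromstring(handle_request(build_request(tex)))  # in-process "network" hop
    err = resp.findtext("error")
    if err is not None:
        raise RuntimeError("work horse refused the request: " + err)
    if resp.findtext("md5") != digest:
        raise RuntimeError("response md5 does not match the request")
    with open(path, "wb") as f:
        f.write(base64.b64decode(resp.findtext("png")))
    return path, False


def demo() -> dict:
    """Run the exchange twice (miss, then hit) plus one refused request; results returned for checking."""
    tex = r"\[ x^n + y^n = z^n \]"
    with tempfile.TemporaryDirectory() as cache:
        path1, cached1 = get_image(tex, cache)
        path2, cached2 = get_image(tex, cache)
        with open(path1, "rb") as f:
            is_png = f.read(8) == b"\x89PNG\r\n\x1a\n"
        try:
            get_image(r"\input{some-file-on-the-server}", cache)
            rejected = False
        except RuntimeError:
            rejected = True
    return {"first_cached": cached1, "second_cached": cached2,
            "same_path": path1 == path2, "is_png": is_png, "rejected": rejected}


if __name__ == "__main__":
    print(demo())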

Krk 2009

Aug 2009. (07 Aug 2009 - 20 Aug 2009) Prime time in the sun with Uncle Petros and still no proof of Goldbach's Conjecture!

BT3 (USB) on Dell Inspiron Mini 9

Aug 2009. Last week I read a nice series of articles about LAN penetration testing, and to try out some of the samples I thought about using BackTrack 3 on my Dell Inspiron Mini 9 (Ubuntu 8.04). As the netbook does not come with a CD/DVD drive I had to use the USB image, which also gave me the option to make any changes to the system persistent. So what exactly did I have to do to get the job done?

First I downloaded the USB-ISO for BackTrack 3 from www.remote-exploit.org and saved it to a temporary working directory on my local hard drive. In order to make any changes to BackTrack 3 persistent I also had to do a little preparation work.

  1. I created two partitions on my 2GB USB device. I used qtparted to make a 1GB FAT32 and a 1GB ext2 partition (I could just as well have used ext3, but ext2 is a bit faster and I don't really need any of the new ext3 features such as journaling).

  2. Once I had my partitions on the stick I created an empty directory named changes in my ext2 partition and 'untarred' the BackTrack 3 USB-ISO into my FAT32 partition.

    NOTE: The changes directory, as the name suggests, is where most of the persistent changes to BackTrack 3 will be stored. There are, however, files which will not be stored in the changes directory. So I think it is a good idea to monitor your ext2 partition and do a backup every now and then. I also recommend not editing any of your system files (on the FAT32 partition) from within BackTrack 3.

  3. In the boot/syslinux/ directory of my FAT32 partition, the one I extracted BackTrack 3 to, I opened the syslinux.cfg file (the configuration file for the bootloader) and added the following lines to the file:

    LABEL w00zl3
    MENU LABEL w00zl3
    KERNEL /boot/vmlinuz
    APPEND vga=0x317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw autoexec=kdm changes=/dev/sda2

    NOTE: In order to make this work for you, you will probably have to change sda2 (the ext2 partition) to the device you are actually using. Obviously you can also choose better names for your LABEL and MENU LABEL entries. I also had to set autoexec=kdm because this is the only graphics mode I managed to get working on my Dell Mini (more later).

  4. Back in the boot directory I ran the bootint.sh script to make my USB device bootable.

To test my installation I rebooted my Dell Mini with the USB stick attached to the same USB port I was using in the previous section. At start-up I had to change the boot options and set them to USB Storage. Once the bootloader showed up I selected the entry I had previously added to the syslinux.cfg file. In contrast to the post here, my Dell Mini did not detect the graphics mode correctly. After a bit of research I found a post which suggested selecting 1 when prompted with the available modes. This is what I did, and BackTrack 3 booted nicely into KDE.

But there was still a tiny problem I had to overcome. BackTrack 3 did not natively support the Broadcom 4310 wireless card built into my Dell Mini. In order to make wireless work I had to download the Broadcom Linux driver from here, and with the help of the README.txt it was no problem at all to compile the driver (wl.ko). As any changes to the system are stored in the changes directory I only had to do the driver compiling once, and now every time I boot BackTrack 3 the driver is loaded automatically.

However, there is still a drawback. On one of the BackTrack WIKI pages I found the following:
Last but not least, there is absolutely NO support whatsoever with linux_sta for monitoring/injecting.
This means the built-in wireless card is not suitable for tasks such as hacking WEP, and I will have to look for a proper wireless USB dongle for monitoring and packet injection.

x^n + y^n = z^n (take a walk on the Wiles side)

Jul 2009. I've just finished one of the most exciting books I've ever read. Fermat's Last Theorem by Simon Singh is a lively, comprehensible explanation of Andrew Wiles's work and of the colourful history that has built up around Fermat's last theorem over the years.

But what is this x^n + y^n = z^n all about? In 1637 the French mathematician Pierre de Fermat claimed that no three positive integers x, y and z can satisfy the equation x^n + y^n = z^n for any integer value of n greater than two. Fermat wrote his Last Theorem in the margin of his copy of the Arithmetica next to Diophantus' sum-of-squares problem:

It is impossible to separate a cube into two cubes, or a fourth power into two fourth powers, or in general, any power higher than the second into two like powers. I have discovered a truly marvellous proof of this, which this margin is too narrow to contain.

However, Fermat's proof of the conjecture for all n has never been found, and although Fermat's Last Theorem looked simple enough for a child to solve, the finest mathematical minds were baffled by the search for a proof.

In 1995, over 350 years after Fermat first worded his theorem, Andrew Wiles, an English mathematician, finally cracked the mystery. How did he do it? Well, that's exactly what Simon Singh's book is all about!

the gang of four

Jun 2009. Magic things happen when you least expect them. A few weeks ago we found out that one of our Guinea Pigs, Jagoda, is preggy. But how could this be? Poposhy and Jagoda are both girls and they were so tiny when we got them. A quick glance at Wikipedia made things clear: females can be fertile as early as four weeks and can carry litters before they are adults.

Well, that's how things work in the Guinea-Pig-Universe. Anyway in the meantime we have two cute little baby Guinea Pigs called Ronja and Semmel (for details look at the source code below). So, Gamma et al were yesterday - Jagoda, Poposhy, Ronja and Semmel are the new Gang of Four!

public static GuineaPig[] releaseBabies(GuineaPig mum, int n, Date date)
{
  if (mum == null)
    throw new SurrogateMotherNotSupportedException();

  if (date == null)
    date = Date.now();

  GuineaPig[] babies = new GuineaPig[n];

  for (int i = 0; i < n; i++)
  {
    Color color = Color.getRandom();
    HairStyle hairStyle = HairStyle.getRandom();
    Temper temper = new Temper();

    PiggyParams params = new PiggyParams(color, hairStyle, temper);

    GuineaPig baby = mum.duplicate(date, params);
    babies[i] = baby;
  }

  return babies;
}

private static void have_sex(GuineaPig mum, GuineaPig dad)
{
  if (dad == null)
    throw new ImmaculateConceptionException();

  if (mum == null)
    throw new NotYetImplementedException();

  /*
   * sorry, but i was prohibited by the RIAA to publish
   * any source code here, as the copulation sounds
   * are copyrighted and publishing them would
   * be a breach of the Digital Millennium Copyright Act!
   *
   * However, i was granted the right to return from this method
   */

  return;
}

public static void main(String[] args)
{
  GuineaPig mum = new GuineaPig("Jagoda");
  GuineaPig dad = new GuineaPig("unknown");

  try
  {
    have_sex(mum, dad);

    wait(NINE_WEEKS);

    Date date_of_birth = new Date("2009/06/25");
    GuineaPig[] babies = releaseBabies(mum, 2, date_of_birth);

    babies[0].setName("Ronja");
    babies[1].setName("Semmel");

    exit(SUCCESS);
  }
  catch(Exception ex)
  {
    exit(FAILURE);
  }
}

yeah, the trees, those useless trees ...

May 2009. Trees are a very important concept in computer science and are used to model hierarchical data structures. A tree consists of a set of linked nodes and is an acyclic connected graph in which each node has zero or more child nodes and at most one parent node.

If each node in a tree has at most two children it is said to be a binary tree. Such a tree can be traversed in several different ways, each of which is naturally done recursively.

Let's now look at a binary tree:

Binary Tree

A binary search tree (BST), on the other hand, is a binary tree with special properties. Every node's left subtree has only values/keys less than the node's value/key and the node's right subtree only consists of values/keys greater than the node's value/key. It is also worth mentioning that each subtree itself is a BST and each node in the tree has a distinctive value/key.

The following image shows a BST:

Binary Search Tree

As you can see it is quite easy to search in such a tree structure. It is just a matter of taking a decision at each node, comparing the node's value/key with the one we want to find and then going in the appropriate direction. However, if we insert a new value/key into the tree or delete an existing one from it we have to make sure that the BST properties still hold for our new tree. Insertion is not a problem. If the tree is empty we simply make the new node our root element. Otherwise we recursively insert the element into either the left subtree or the right subtree, depending on the value to be inserted. That is, if the value/key to be inserted is less than the root element's value we operate on the left subtree, and if the value to be inserted is greater we work on the right subtree.

public void insert(Comparable item)
{
  root = insert(root,item);
}


private BSTNode insert(BSTNode node, Comparable item)
{
  if (node == null)
    return new BSTNode(null, item, null);

  if (item.compareTo(node.data) < 0)
  {
    node.left = insert(node.left, item);
    return node;
  }
  else if (item.compareTo(node.data) > 0)
  {
    node.right = insert(node.right, item);
    return node;
  }
  else //item == node.data, ignore!
    return node;
}

When it comes to deletion of a node we have to consider the following three cases.

Now that we have found a method (algorithm) which handles all the BST property stuff for us so that deleting values/keys works correctly, there is still a problem we have to overcome. In order to give us a reasonable search complexity the BST should be reasonably balanced. Consider that we start off with an empty BST and then insert the values/keys in the following order: 1, 2, 4, 5, 6, 7, 8, 9, 10. The 1 would become our root and all the other values/keys would end up in the root's right subtree. This is obviously not what we want, as searching for the value 10 would take quite some comparisons and completely miss the whole idea of a BST. So for our BST to be efficient we want it to be reasonably balanced no matter how many values/keys we are inserting or deleting and no matter in which order they are being inserted or deleted.

Amongst other methods to balance a BST there is the idea of a self-balancing tree called an AVL tree [Adelson-Velskii, Landis (1962)]. In an AVL tree the heights of the two subtrees (children) of a node differ by at most one, thus maintaining an O(log n) search time. This also holds true for the insertion and deletion operations. An AVL tree can be rebalanced using rotations. If the heights of two subtrees differ by more than one, a tree rotation moves one node up in the tree and one node down, thus rebalancing the whole AVL tree. There are several situations where we have to perform rotations and we distinguish between Left Rotation (LL), Right Rotation (RR), Left-Right Rotation (LR) and finally Right-Left Rotation (RL). For any possible imbalance, one of these rotations will rebalance the tree. I hope the following code will illustrate the problem (and the solution) more clearly.

private BSTNode insert(BSTNode node, Comparable item)
{
  if (node == null)
    return new BSTNode(null, item, null); // a new leaf has height 0

  if (item.compareTo(node.data) < 0)
  {
    // insert left
    node.left = insert(node.left, item);
    if (node.left.height + 1 > node.height)
      node.height = node.left.height + 1;

    int right_height = (node.right == null) ? -1 : node.right.height;
    if (node.left.height - right_height == 2)
    {
      if (item.compareTo(node.left.data) < 0)
        node = rightRotate(node); // left-left case: single right rotation (RR)
      else
      {
        node.left = leftRotate(node.left); // left-right case (LR): rotate the child first ...
        node = rightRotate(node);          // ... then the node itself
      }
    }

    return node;
  }
  else if (item.compareTo(node.data) > 0)
  {
    // insert right: the mirror image of the left case
    node.right = insert(node.right, item);
    if (node.right.height + 1 > node.height)
      node.height = node.right.height + 1;

    int left_height = (node.left == null) ? -1 : node.left.height;
    if (node.right.height - left_height == 2)
    {
      if (item.compareTo(node.right.data) > 0)
        node = leftRotate(node); // right-right case: single left rotation (LL)
      else
      {
        node.right = rightRotate(node.right); // right-left case (RL): rotate the child first ...
        node = leftRotate(node);              // ... then the node itself
      }
    }

    return node;
  }
  else
  {
    // item already there, don't do anything
    return node;
  }
}
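The four rotations and the insertion with both sides filled in, as an added Python example (not the post's Java code): it builds the AVL tree for the 1, 2, 4, ..., 10 sequence from the earlier paragraph, checks both invariants (ordering and balance), and compares the resulting height with that of a plain BST built from the same input. The names Node, avl_insert, build_avl, inorder, is_avl and naive_height are chosen here; heights follow the post's convention that a leaf has height 0.

```python
from typing import Iterable, List, Optional


class Node:
    """BST node that records its height; a leaf has height 0, as in the post's code."""
    __slots__ = ("key", "left", "right", "height")

    def __init__(self, key):
        self.key, self.left, self.right, self.height = key, None, None, 0


def height(node: Optional[Node]) -> int:
    return -1 if node is None else node.height


def update_height(node: Node) -> None:
    node.height = 1 + max(height(node.left), height(node.right))


def rotate_right(y: Node) -> Node:
    """Right rotation (the post's RR): y's left child x moves up, y becomes x's right child."""
    x = y.left
    y.left = x.right
    x.right = y
    update_height(y)
    update_height(x)
    return x


def rotate_left(x: Node) -> Node:
    """Left rotation (the post's LL): x's right child y moves up, x becomes y's left child."""
    y = x.right
    x.right = y.left
    y.left = x
    update_height(x)
    update_height(y)
    return y


def avl_insert(node: Optional[Node], key) -> Node:
    """Insert key: recurse, refresh the height, rotate if the balance reaches +-2."""
    if node is None:
        return Node(key)
    if key < node.key:
        node.left = avl_insert(node.left, key)
    elif key > node.key:
        node.right = avl_insert(node.right, key)
    else:
        return node                                # duplicate: ignored, as in the post
    update_height(node)
    balance = height(node.left) - height(node.right)
    if balance == 2:                               # left subtree two levels taller
        if key < node.left.key:                    # left-left: single right rotation (RR)
            return rotate_right(node)
        node.left = rotate_left(node.left)         # left-right (LR): fix the child first
        return rotate_right(node)
    if balance == -2:                              # right subtree two levels taller
        if key > node.right.key:                   # right-right: single left rotation (LL)
            return rotate_left(node)
        node.right = rotate_right(node.right)      # right-left (RL): fix the child first
        return rotate_left(node)
    return node


def build_avl(keys: Iterable) -> Optional[Node]:
    root = None
    for k in keys:
        root = avl_insert(root, k)
    return root


def inorder(node: Optional[Node]) -> List:
    return [] if node is None else inorder(node.left) + [node.key] + inorder(node.right)


def is_avl(node: Optional[Node]) -> bool:
    """Both invariants: keys come out sorted and distinct, and every node is balanced."""
    def balanced(n: Optional[Node]) -> bool:
        return n is None or (abs(height(n.left) - height(n.right)) <= 1
                             and balanced(n.left) and balanced(n.right))
    keys = inorder(node)
    return keys == sorted(keys) and len(set(keys)) == len(keys) and balanced(node)


def naive_height(keys: Iterable) -> int:
    """Height of a plain BST (the post's first insert, no rebalancing) built from keys."""
    def insert(n, k):
        if n is None:
            return Node(k)
        if k < n.key:
            n.left = insert(n.left, k)
        elif k > n.key:
            n.right = insert(n.right, k)
        return n

    def depth(n):
        return -1 if n is None else 1 + max(depth(n.left), depth(n.right))

    root = None
    for k in keys:
        root = insert(root, k)
    return depth(root)


if __name__ == "__main__":
    seq = [1, 2, 4, 5, 6, 7, 8, 9, 10]
    root = build_avl(seq)
    print("AVL root", root.key, "height", height(root), "vs plain BST height", naive_height(seq))
    print("inorder", inorder(root), "valid", is_avl(root))
```

For the post's sequence the AVL tree ends up with 5 at the root and height 3, while the plain BST degenerates into a list of height 8.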

Jagoda & Poposhy

Apr 2009. Let me welcome two new family members!!! Jagoda and Poposhy, are two sweet little Guinea Pigs we got this week. Jagoda is light brown and Poposhy is a white Albino with rosettes. I did a lot of assembling and building for them (a special hutch, fencing, a wooden connection between the hutch and the outdoor area, etc...). That's probably why I had no time to update this website recently, or maybe not...

Anyway, they are soooo cute ;)

Feb 13 23:31:30 UTC 2009

Feb 2009. What did you do on 1234567890 day? RCE mate Yates and I were at our local, staring at the screen of LilleBu and waiting for a shell script we had written earlier to start the countdown. 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, Oooh!!! Finally we raised our glasses and downed a nice little vodka - the party was about to begin ...

Here is the original shell script which did the job for us:

#!/bin/sh

the_time=`date -u +%s`
the_counter=10

while [ "$the_time" -le "1234567899" ]
do
  the_time=`date -u +%s`

  if [ $the_time -ge 1234567880 ]
  then
    echo "$the_counter"
    the_counter=`expr $the_counter - 1`
  fi

  if [ "$the_time" -eq "1234567890" ]
  then
    echo "OOOOOOH, LET THE PARTY BEGIN!!!"
    break
  fi

  sleep 1
done

Already looking forward to Jan 19 03:14:08 UTC 2038!

php-localization

Feb 2009. A few days ago I was asked to do some prototyping on localization for web pages. The task seemed to be straightforward. Depending on the user's browser settings the page should display its content in the appropriate language, and if the user's language was not supported by the server the content should be displayed in a default language. Besides, I was supposed to use only php's core functionality, that is without having to install additional extensions such as gettext, and the localized content should be stored in one or more language files on the server.

As laziness is one of my better talents I started a little internet research and sure enough I did not come up with any prefabricated out-of-the-box solution. So I sat down and laid out what was needed to do the job.

Keeping all this in mind I played around a bit and came up with a simple php class which fulfilled exactly the specs mentioned above. I decided on the single file option since, imho, it's much easier to maintain. The file itself is a simple INI file encoded in UTF-8, which holds entries for each supported language. In order to have the Russian content display correctly you should set the character encoding of your browser to Unicode (UTF-8). That's basically all there is to say, just try it out, use it and/or improve it as you please.
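A Python sketch of the design described above, added here and not the post's php class: one UTF-8 INI file with a section per language, the browser's Accept-Language header parsed and matched against the supported sections, and the default language used when nothing matches. The file contents, the function names and the supported languages are constructed. The header is treated as untrusted input: a tag is only used after it has been matched against the sections that actually exist, and it is never used to build a file name.

```python
import configparser
from typing import Dict, Iterable, List

# Constructed sample language file: one INI section per supported language, UTF-8.
SAMPLE_INI = """\
[en]
greeting = Hello
farewell = Goodbye

[de]
greeting = Hallo
farewell = Auf Wiedersehen

[ru]
greeting = Привет
farewell = До свидания
"""


def load_translations(ini_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI text into {language: {key: text}}; interpolation is off so '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {section: dict(cp[section]) for section in cp.sections()}


def parse_accept_language(header: str) -> List[str]:
    """Return the language tags of an Accept-Language header, best q-value first.

    The header is untrusted: malformed entries and q=0 entries are dropped, and a
    tag may only consist of letters, digits and '-'.
    """
    ranked = []
    for position, part in enumerate(header.split(",")):
        fields = part.strip().split(";")
        tag = fields[0].strip().lower()
        if not tag or not all(c.isalnum() or c == "-" for c in tag):
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.strip().partition("=")
            if name.strip() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            ranked.append((-q, position, tag))   # header order breaks ties
    ranked.sort()
    return [tag for _, _, tag in ranked]


def choose_language(header: str, supported: Iterable[str], default: str = "en") -> str:
    """Pick the first preferred tag (or its primary subtag) that the server supports."""
    supported = set(supported)
    for tag in parse_accept_language(header):
        if tag in supported:
            return tag
        primary = tag.split("-", 1)[0]      # de-CH falls back to de
        if primary in supported:
            return primary
    return default


def translate(key: str, header: str, translations: Dict[str, Dict[str, str]],
              default: str = "en") -> str:
    """Look key up in the negotiated language, then in the default language, then return the key."""
    lang = choose_language(header, translations, default)
    return translations[lang].get(key, translations[default].get(key, key))


if __name__ == "__main__":
    table = load_translations(SAMPLE_INI)
    for hdr in ("de-CH, de;q=0.9, en;q=0.8", "ru", "fr, es;q=0.5"):
        print(hdr, "->", choose_language(hdr, table), translate("greeting", hdr, table))
```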

LilleBu

Jan 2009. There is a new piece of hardware in the lab. It's a Dell Inspiron Mini 9 which I named LilleBu. LilleBu is a mixture of the Swedish word for little and Ubuntu. It is really a cool gadget and exactly what I was looking for: it's small, light (approx. 1 kg), the battery lasts for almost 4 hrs and of course it comes with a great operating system. As expected everything worked out of the box. Maybe the only downside, although so far it has not yet proven to be one, is its relatively low disk capacity (8GB). All told, thumbs up!

Tech Specs:

25c3 (nothing to hide)

Jan 2009. Again fab 4 days in Berlin - a sort of homecoming. Lots of familiar faces, an electrifying ambience and solely interesting talks. This time I went with my RCE mate R. Yates but I think he spent more time in the 24hr pub than at the actual congress ;-)

Anyway, I'm already looking forward to next year's congress and remember: Don't accept the old order. Get rid of it.

prime time in C major

Dec 2008. n3rdy by n4tur3, that's what I sometimes think about myself when I come up with some weird new idea. This time I was just reading a chapter of Hofstadter's "Gödel, Escher, Bach" when lightning struck and I thought it would be a nice gadget to have a tool which plays the intervals between prime numbers. Why? Honestly I haven't got a clue, it just seemed to be a nice-to-have ;-)

I took a piece of paper and jotted down my little formula which would give me the intervals between prime numbers:

I(n) = (P(n)-P(n-1)) mod 8 // where P(0) equals 2 and P(1) equals 3

I(n) would then represent one of the following intervals: unison, second, third, fourth, fifth, sixth, seventh, octave. As I wanted my little gadget to play the tune in C major I used the following notes and frequencies:

Note   Frequency (Hz)   Interval
C      261              unison
D      293              second
E      329              third
F      349              fourth
G      392              fifth
A      440              sixth
B      494              seventh
C      523              octave

So far so good. I then wrote a little tool (intergen) which calculates the prime number intervals and writes an integer array to a C header file. The header file is then included in the player application (primeplay). At the moment primeplay is a Win32 console application which uses the Windows Beep() function to emit the sound. However, I am planning to make primeplay Linux compatible.

<update date="2008-12-30">

The intergen tool can now also produce a Java source code file called PrimeMidi.java. This file is used by a new playback tool called JPrime. The PrimeMidi.java file simply holds the notes which JPrime will then play. JPrime also offers a command line option which allows you to save the MIDI data to a file.

As I did not want to use the getopt library the command line options for the intergen tool are very limited. It is therefore not possible to specify e.g. the volume or sound program using a command line switch. However, you are free to modify the intergen source code to fit your needs. Here are some lines of code which hold the basic sound settings.

#define MAX 1000
#define MAX_SOUNDS 128
#define SOUND 16
#define VOLUME 64
#define BPM 200
#define STAKKATO 2
#define PPQS 16

</update>

After I had started the player application for the very first time I was really surprised by what I was hearing. Some portions sounded quite rhythmic and melodic whereas other parts sounded completely random. Anyway, for all those who are interested you can download the source code of my little gadget here (version 0.2.0).

Hama WLAN USB Stick 54 Mbps

Dec 2008. A few weeks ago I moved house and amongst all my other stuff I rediscovered my old Acer TravelMate 630 laptop. It ran Fedora 7 and was, apart from the battery, still in very good shape. So I thought I should put it into use again, and as my new living room offered some unused space I reckoned it would be a nice thing to use the laptop as a sort of multimedia module together with my hi-fi. But to really take advantage of the laptop it had to be online, and there was the problem. It did not come with a wireless extension and using a wired connection was not an option. Solution - I simply bought a cheap WLAN USB stick.

Obviously I did not expect it to work immediately but nonetheless I plugged in the WLAN USB stick and tried to activate it. No luck. Although iwconfig recognised the WLAN extension I got the following error message:

SIOCSIFFLAGS: no such file or directory

As I had never come across this error message before I began to do some research and pretty soon I was certain it had something to do with the firmware and/or drivers. So I tried dmesg and sure enough it indicated that the firmware could not be found. So what next? First I had to find out which chipset the Hama WLAN USB stick was using, and some more research suggested that it was using the rt73 and that I should try to install the accompanying CD on a Windows machine and then grab the drivers and firmware (rt73.inf, rt73.sys and rt73.bin) from there. That was exactly what I did and it also showed that the WLAN USB stick was working. So I copied the files onto my laptop and as suggested I used the driver together with ndiswrapper. I also copied the rt73.bin file into the /lib/firmware/ directory, rebooted and hip hip hurray, the WLAN USB stick was recognized by NetworkManager.

To be honest, at the beginning it seemed to be a very tiring task because the first few posts I read were quite confusing and did not really help. But again persistence paid off. However, I am still not sure if the Windows installation was really necessary as I am sure I might have obtained the firmware from somewhere else. Also I am not certain if my problem was also driver related or if simply copying the firmware to the proper location would have been sufficient. Anyway, thx to Imaginenz from FedoraForum.org it is all now just a matter of which tunes to stream over the net ;-)

entropy

Oct 2008. In information theory (especially if you study computer science) you will often come across the term entropy. Entropy is a measure of the average information content of a particular data source. For instance, a source that always generates a long string of A's has an entropy of 0, since the next character will always be an 'A'. The units for entropy are nats when the natural logarithm is used and bits for base 2 logarithms.

The concept was introduced by Claude E. Shannon in his 1948 paper "A Mathematical Theory of Communication". Entropy is based on probabilities and is also used in some aspects of cryptography. Given the probability values {x1, …, xn} we can calculate the entropy denoted by H(X) using the following formula:

Entropy Formula

I don't want to go into details here as there are plenty of websites that cover the topic in depth (see links below). However, the reason I put this section on my site is that I had to deal with entropy in the recent past. I was really getting tired of typing all the weird things into my pocket calculator just to find out that I got the wrong result because I had typed in an incorrect probability value. Then I had to start all over again - no way!

Finally, yesterday I had a few spare minutes so I coded a tiny Java application which calculates all the stuff for me. I can feed it the probability values by hand or simply use a file with a csv list of the values - nice.

Download Java Entropy Application
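The calculation the Java application does, as an added Python example (not the author's program): Shannon's H(X) = -sum_i p_i log_b(p_i), in bits for base 2 and nats for base e, fed either with hand-typed probability values or with a csv string like the one the post mentions, plus a byte-frequency variant that measures the entropy of a byte string such as key material. The function names and sample values are chosen here; the validation of the probability values (each in [0, 1], summing to 1) is the check that the pocket-calculator story above calls for.

```python
import math
from typing import Iterable, List


def is_valid_distribution(probs: Iterable[float], tol: float = 1e-9) -> bool:
    """True if every value lies in [0, 1] and the values sum to 1 (within tol)."""
    p = list(probs)
    return bool(p) and all(0.0 <= x <= 1.0 for x in p) and abs(sum(p) - 1.0) <= tol


def entropy(probs: Iterable[float], base: float = 2.0) -> float:
    """Shannon entropy H(X) = -sum_i p_i * log_base(p_i); bits for base 2, nats for base e."""
    p = list(probs)
    if not is_valid_distribution(p):
        raise ValueError("values must be probabilities in [0, 1] that sum to 1")
    # 0 * log(0) is taken as 0 by convention, so zero-probability outcomes are skipped.
    total = sum(x * math.log(x, base) for x in p if x > 0.0)
    return -total if total else 0.0


def parse_csv_probabilities(text: str) -> List[float]:
    """Read probability values from a csv string; commas and/or newlines separate them."""
    values = []
    for token in text.replace("\n", ",").split(","):
        token = token.strip()
        if token:
            values.append(float(token))
    return values


def entropy_of_bytes(data: bytes) -> float:
    """Empirical entropy in bits per byte, from the byte frequencies of data."""
    if not data:
        raise ValueError("no data")
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return entropy([c / len(data) for c in counts if c], base=2.0)


if __name__ == "__main__":
    print("fair coin :", entropy([0.5, 0.5]), "bit")
    print("only A's  :", entropy([1.0]), "bit")
    print("csv input :", entropy(parse_csv_probabilities("0.5, 0.25,\n0.25")), "bit")
    print("in nats   :", entropy([0.5, 0.5], base=math.e))
    print("all bytes :", entropy_of_bytes(bytes(range(256))), "bits per byte")
```

A uniform distribution over 256 byte values gives the maximum of 8 bits per byte; a string that repeats one byte gives 0, which is the post's "long string of A's" case.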

unique random numbers

Sep 2008. Obviously there are plenty of situations where random numbers come in handy. I am not talking about cryptographic random numbers but about apparently unrelated numbers such as those generated by the rand() function of C's stdlib.

Sometimes, however, simply calling rand() just does not provide you with what you were looking for. What you really want is a pool of unique random numbers, that is, one where each random number in a specified range occurs only once.

The first thing that comes to mind is to go through all the previously generated numbers and check if the currently generated number does already exist. If it does you simply generate a new random number and repeat the checking stage until you find a new non-existing one. However, this is very inefficient and time consuming especially if the number range increases. Isn't there simply a better approach?

As I am sure there are many clever ways of dealing with the problem mentioned above I will opt for a very simple method which is neither new nor particularly clever. The basic idea is not to create random numbers but random indexes into an array of a specified range. Let's say we want to create 5 unique random numbers within a range from 0 to 9. To achieve this we first create an array with all the numbers in our range (0-9). We then create random indexes, also ranging from 0 to 9, into our array and do some value swapping. All this is done in a loop and once the loop finishes we have a pool of unique random numbers. We then simply copy the amount of random numbers requested (in our example 5) into another array and return it to the caller. As simple as that!

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define RND_COUNT      (20)
#define RND_MAX        (20)


static int unique_rand(int* pool, int size, int rnd_max);

int main(int argc, char *argv[])
{
  int i;
  int pool[RND_COUNT] = {0};

  srand(time(NULL));

  if (!unique_rand(pool, RND_COUNT, RND_MAX))
    exit(EXIT_FAILURE);

  for (i = 0; i < RND_COUNT; i++)
    printf("pool[%d] = %d\n", i, pool[i]);

  return 0;
}

/* pool is the array to hold the random numbers */
/* size is the number of random numbers */
/* rnd_max is the maximum value of the random number */

int unique_rand(int* pool, int size, int rnd_max)
{
  int i, *arr;

  if (rnd_max > RAND_MAX) /* RAND_MAX is guaranteed to be at least 32767 */
  {
    fprintf(stderr, "invalid value of rnd_max: %d, RAND_MAX is %d\n", rnd_max, RAND_MAX);
    return 0;
  }

  if (size > rnd_max) /* no way to get unique random numbers */
  {
    fprintf(stderr, "invalid size %d, size must not exceed rnd_max (%d)\n", size, rnd_max);
    return 0;
  }

  arr = (int*)malloc(rnd_max * sizeof(int));
  if (!arr)
  {
    fprintf(stderr, "malloc() failed\n");
    return 0;
  }

  /* create entries for all possible random values */
  for (i = 0; i < rnd_max; i++)
    arr[i] = i;

  /* the idea is that we are just swapping values in the array based on the random number index */
  /* therefore all we have to make sure is that the random number generated is a valid index */
  /* so if a random index is generated more than once we are still ok */
  /* note: drawing r from the whole range keeps the values unique, but it does not give every */
  /* permutation the same probability; a Fisher-Yates shuffle would draw r from 0..i instead */

  for (i = rnd_max - 1; i > 0; i--)
  {
    int tmp, r;
    r = rand() % rnd_max;
    tmp = arr[r];
    arr[r] = arr[i];
    arr[i] = tmp;
  }

  /* copy the requested amount of random numbers */
  for (i = 0; i < size; i++)
    pool[i] = arr[i];

  free(arr);

  return 1;
}

Obviously the source code shown above is just a simple demonstration sample and could well be optimized and/or extended.
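The same idea as the C listing above, as an added Python example (not the post's code): a partial Fisher-Yates shuffle over the index array, where each position is filled from the not-yet-settled tail so that every selection is equally likely, with secrets.randbelow as the default source and a pluggable one for deterministic testing. The function names are chosen here; modulo_biased is the analytic check for the rand() % n pattern the C code uses, which is only uniform when n divides RAND_MAX + 1.

```python
import secrets
from typing import Callable, List


def unique_random(count: int, rnd_max: int,
                  randbelow: Callable[[int], int] = secrets.randbelow) -> List[int]:
    """Return count distinct integers from 0 .. rnd_max-1.

    Partial Fisher-Yates: position i receives a value drawn uniformly from the
    unsettled tail arr[i:], so every count-subset (in every order) is equally likely.
    randbelow(n) must return a uniform integer in 0 .. n-1; secrets.randbelow does.
    """
    if count < 0 or rnd_max <= 0:
        raise ValueError("count must be >= 0 and rnd_max > 0")
    if count > rnd_max:
        raise ValueError("cannot draw more unique values than the range holds")
    arr = list(range(rnd_max))          # every possible value exactly once
    for i in range(count):
        j = i + randbelow(rnd_max - i)  # uniform index into the unsettled tail
        arr[i], arr[j] = arr[j], arr[i]
    return arr[:count]                  # the settled prefix is the pool


def modulo_biased(rand_max: int, n: int) -> bool:
    """True if r % n, with r uniform in 0 .. rand_max, is not uniform over 0 .. n-1.

    rand() % n is unbiased only when n divides rand_max + 1; otherwise the low
    residues come up slightly more often than the high ones.
    """
    return (rand_max + 1) % n != 0


def is_unique_sample(sample: List[int], count: int, rnd_max: int) -> bool:
    """Check the contract of unique_random: right size, in range, no repeats."""
    return (len(sample) == count and len(set(sample)) == count
            and all(0 <= v < rnd_max for v in sample))


if __name__ == "__main__":
    pool = unique_random(20, 20)
    for i, v in enumerate(pool):
        print(f"pool[{i}] = {v}")
    print("rand() % 20 biased with RAND_MAX 32767:", modulo_biased(32767, 20))
```

With the C listing's RND_MAX of 20 and a RAND_MAX of 32767, rand() % 20 is biased (32768 is not a multiple of 20); secrets.randbelow avoids the problem by rejection sampling.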

hooked

Sep 2008. Hooking is a technique for taking control over the execution of a particular piece of code; it can be employed to alter the behaviour of the OS as well as of third-party software without having the source code available.

Several different methods can be used to achieve the desired behaviour, each of which has advantages and disadvantages. Amongst the most popular under the Windows OS family are the following:

Here I will concentrate on the first two methods, using SetWindowsHookEx and Import Table Patching.

SetWindowsHookEx

Using SetWindowsHookEx is rather straightforward. All we need is a DLL with a call to SetWindowsHookEx and a sort of server application which loads our DLL. We can pass the SetWindowsHookEx function the thread id with which the hook procedure is to be associated, or, if we pass zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread. The UnhookWindowsHookEx API function removes a hook procedure installed in a hook chain by SetWindowsHookEx.

HHOOK SetWindowsHookEx(
 int idHook,
 HOOKPROC lpfn,
 HINSTANCE hMod,
 DWORD dwThreadId
);

BOOL UnhookWindowsHookEx(
 HHOOK hhk
);

The accompanying sample code includes small server applications and DLLs.

Import Table Patching

The second method I would like to briefly mention is Import Table Patching. The aim here is to patch the Import Table such that instead of a particular API function e.g. MessageBoxA a user defined function is called.

This can be achieved by replacing the address of the desired function with the address of the function we wish to call instead. In the sample code we simply iterate over all imported functions and overwrite the address of MessageBoxA with MyMessageBoxA.

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>

void handle_imports(BYTE* image_base, PIMAGE_IMPORT_DESCRIPTOR imp_desc);

typedef int (WINAPI* MessageBoxA_ptr)(HWND, LPCSTR, LPCSTR, UINT);
MessageBoxA_ptr MessageBoxA_orig = NULL;

static int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
  MessageBoxA_orig(hWnd, "are you being hooked?", lpCaption, uType);
  return MessageBoxA_orig(hWnd, lpText, lpCaption, uType);
}

int _tmain(int argc, TCHAR* argv[])
{
  BYTE* image_base = (BYTE*)GetModuleHandle(NULL);
  printf("image_base: %p\n", image_base);

  PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_base;
  PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base + dos_header->e_lfanew);

  PIMAGE_IMPORT_DESCRIPTOR imp_desc = (PIMAGE_IMPORT_DESCRIPTOR)(
    image_base + nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

  handle_imports(image_base, imp_desc);

  MessageBox(NULL, "this is cool", "", MB_OK);

  return 0;
}

void handle_imports(BYTE* image_base, PIMAGE_IMPORT_DESCRIPTOR imp_desc)
{
  if (!imp_desc)
    return;

  printf("imports:\n");

  // looping over all imported dlls
  // The last directory entry is empty (filled with null values)
  for (int i = 0; imp_desc[i].Characteristics != 0; i++)
  {
    printf(" * %s\n", (char*)(image_base + imp_desc[i].Name));

    PIMAGE_THUNK_DATA orig_first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].OriginalFirstThunk);
    PIMAGE_THUNK_DATA first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].FirstThunk);

    // looping ovetr all imported functions
    // The last entry is set to zero (NULL) to indicate the end of the table
    for (int j = 0; orig_first_thunk[j].u1.Function != 0; j++)
    {
      PIMAGE_IMPORT_BY_NAME orig_imports_by_name = (PIMAGE_IMPORT_BY_NAME)(
        image_base + orig_first_thunk[j].u1.AddressOfData);

      printf("\t%s (%08x)\n", (char*)orig_imports_by_name->Name, first_thunk[j].u1.Function);

      // we will hook MessageBoxA
      if (strcmp((char*)orig_imports_by_name->Name, "MessageBoxA") == 0)
      {
        DWORD old_prot = 0;

        // save the address of original MessageBoxA
        MessageBoxA_orig = (MessageBoxA_ptr)first_thunk[j].u1.Function;

        // change protection settings so we can write to memory area
        VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, PAGE_EXECUTE_READWRITE, &old_prot);

        // patch the address of MessageBoxA to point to MyMessageBoxA
        first_thunk[j].u1.Function = (DWORD)MyMessageBoxA;

        // reset to old settings
        VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, old_prot, &old_prot);
      }
    }
  }
}

As mentioned above, every method has its advantages and disadvantages, and not every method might be suitable for a specific task. A good summary can be found here
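The same import table walk also serves the defender: an added example, not part of the article's sample code, which compares every IAT slot with the address a resolver says the loader should have written there and counts the slots that differ. On Windows the resolver would be GetProcAddress(GetModuleHandleA(dll), name); here it is a constructed stand-in (fake_resolve) and the image is a constructed 32-bit layout (build_sample_image) with the structures redefined from winnt.h, so the check runs off Windows as well.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit PE import descriptor as in winnt.h, defined here so this compiles off Windows too. */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
#define SNAP_BY_ORDINAL 0x80000000u   /* IMAGE_ORDINAL_FLAG32: thunk holds an ordinal, not a name */
/* Address the loader should have put into the IAT for dll!name; on Windows this would be
 * GetProcAddress(GetModuleHandleA(dll), name), here it is the constructed fake_resolve below. */
typedef uint32_t (*Resolver)(const char *dll, const char *name);
/* Walks the import table like the patcher above, but compares each IAT slot with the resolver
 * instead of writing it; returns the number of mismatching (patched) slots. Ordinal imports skipped. */
int count_patched_iat_slots(const uint8_t *image, uint32_t import_rva, Resolver resolve)
{
    const ImportDesc *desc = (const ImportDesc *)(image + import_rva);
    int patched = 0;
    for (int i = 0; desc[i].Name != 0; i++) {            /* all-zero descriptor ends the list */
        const char *dll = (const char *)(image + desc[i].Name);
        const uint32_t *names = (const uint32_t *)(image + desc[i].OriginalFirstThunk);
        const uint32_t *iat = (const uint32_t *)(image + desc[i].FirstThunk);
        for (int j = 0; names[j] != 0; j++) {             /* zero thunk ends the list */
            if (names[j] & SNAP_BY_ORDINAL) continue;
            const char *name = (const char *)(image + names[j] + 2);   /* skip the 2-byte Hint */
            if (iat[j] != resolve(dll, name)) patched++;
        }
    }
    return patched;
}
/* Constructed stand-in for GetProcAddress: a deterministic fake address per function name. */
uint32_t fake_resolve(const char *dll, const char *name)
{
    uint32_t h = 0x7c800000u; (void)dll;
    while (*name) h = h * 31 + (uint8_t)*name++;
    return h;
}

/* Constructed image (RVA == buffer offset): user32.dll importing MessageBoxA by name plus one
 * function by ordinal, IAT filled with the resolver's addresses. Returns the import table RVA. */
uint32_t build_sample_image(uint8_t *image, size_t size)
{
    memset(image, 0, size);
    ImportDesc *d = (ImportDesc *)image;                   /* descriptor array at RVA 0x00 */
    d[0].OriginalFirstThunk = 0x40; d[0].FirstThunk = 0x50; d[0].Name = 0x60;
    uint32_t *names = (uint32_t *)(image + 0x40), *iat = (uint32_t *)(image + 0x50);
    names[0] = 0x70; names[1] = SNAP_BY_ORDINAL | 1;       /* by name, by ordinal #1, end */
    strcpy((char *)image + 0x60, "user32.dll");
    strcpy((char *)image + 0x72, "MessageBoxA");           /* Hint at 0x70, name at 0x72 */
    iat[0] = fake_resolve("user32.dll", "MessageBoxA");
    iat[1] = 0x7c801234u;                                  /* ordinal slot, never compared */
    return 0x00;
}
```

Overwriting the MessageBoxA slot the way the sample above does raises the count from 0 to 1, while the ordinal slot is never compared.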

Download hooking-0.1.0.rar

Top Vrsar 2008

Aug 2008 (02 Aug 2008 - 12 Aug 2008). Relaxing on the beach with Silberschatz 978-0-471-69466-3 (ch06 - ch13)!

Top print.css

Jul 2008. A special print.css is now available for this site. The navigation links, the download and link sections and the contact section will not be displayed in the print version of this site, nor will images.

More information about the CSS Print Profile can be found here

Top iwl3945

Jun 2008 (UPDATED: Oct 2008). At last I found the time and will to pay attention to the wireless problem I was having running Fedora 8. It took some research and dedication, but finally wireless is now working on Fedora 8 as well. As I found out that others were facing similar problems, I thought it might be a good idea to document my findings for future use.

First of all, the driver I am using is iwl3945-firmware-2.14.1.5-2; second, my Netgear router runs WPA-PSK [TKIP], and using NetworkManager was not an option as it does not show my wireless connection (this will need further investigation though). So the challenge was to configure the iwl3945 driver and to set up and use the wpa_supplicant-0.5.10-4 daemon to connect to the router.

Configure wpa_supplicant: /etc/wpa_supplicant/wpa_supplicant.conf (you will need root access to edit this file)

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

eapol_version=1
ap_scan=1
fast_reauth=1

# WPA network block
network={
 ssid="[NETWORK NAME]"
 bssid=[ROUTER MAC]
 mode=0
 key_mgmt=WPA-PSK
 proto=WPA
 auth_alg=OPEN
 pairwise=TKIP
 psk="[PASSPHRASE]"
}

Configure iwl3945: /etc/sysconfig/network-scripts/ifcfg-wlan0 (you will need root access to edit this file)

# Intel Corporation PRO/Wireless 3945ABG Network Connection
DEVICE=wlan0
BOOTPROTO=dhcp
ONBOOT=no
HWADDR=[WIRELESS DEVICE MAC]
TYPE=Wireless
USERCTL=no
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=no
ESSID=[NETWORK NAME]
CHANNEL=6
MODE=Managed
RATE=auto
# Other settings are blank

# Note: Please read /usr/share/doc/initscripts-*/sysconfig.txt for the documentation of these parameters.

<update date="2008-10-03">

Problem: Today I experienced a very strange thing. I fired up my wireless using the script below and, as I expected, it completed successfully. However, after browsing for approx. 2 minutes I lost the connection and got an HTTP 404 (Not Found). The really strange thing, though, was that Skype was still connected and working properly. Also, iwconfig indicated that I was still connected to my router. So I simply restarted the necessary daemons, but the problem persisted: connected, browsing for a couple of minutes, 404. What went wrong?

Analysis: First I thought about what was different today compared to the days before. Well, I had been connected to a different WLAN the day before and had simply changed the ESSID in the ifcfg-wlan0 file. This, the 404 and the fact that Skype was still working nicely led me to the conclusion that something had gone wrong with my DNS settings. So I had a look at the ifcfg-wlan0 file and, sure enough, there was something wrong with the DNS1 IP.

Solution: All I had to do was to delete the incorrect IP for DNS1 and, because I had set PEERDNS to 'yes', make sure that there was a valid nameserver in /etc/resolv.conf. Another solution would have been to set DNS1 in ifcfg-wlan0 directly to the IP of my DNS server, although this would have meant changing the IP every time the DNS server's IP changed. Anyway, this file now looks something like this and I am happy again:

; generated by /sbin/dhclient-script
nameserver 192.168.1.1

</update>

Finally: In order to connect to the router I use the following script:

#!/bin/sh

# NOTE: you will have to run this script as root

progname=$(basename "$0")

/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -Bw -Dwext -iwlan0
if [ $? -ne 0 ]
then
 echo "$progname: unable to start wpa_supplicant, exit."
 exit 1
fi

echo "$progname: started wpa_supplicant successfully."

/sbin/ifup wlan0
if [ $? -ne 0 ]
then
 echo "$progname: unable to start wireless device, exit."
 exit 1
fi

echo "$progname: started wireless device successfully."
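As an added example that is not part of the original post: the WPA network block from the wpa_supplicant.conf above, kept as a fallback, next to a second block for WPA2 (proto=RSN with AES-CCMP), which is the setting to prefer where the router offers it. With both blocks present, wpa_supplicant tries the block with the higher priority first and only uses the TKIP block when the router does not offer RSN; the SSID and passphrase placeholders are the page's own.

```conf
# WPA (TKIP) block from above, kept as the fallback
network={
 ssid="[NETWORK NAME]"
 key_mgmt=WPA-PSK
 proto=WPA
 pairwise=TKIP
 psk="[PASSPHRASE]"
 priority=1
}

# Added: WPA2 with AES-CCMP, tried first because of the higher priority
network={
 ssid="[NETWORK NAME]"
 key_mgmt=WPA-PSK
 proto=RSN
 pairwise=CCMP
 group=CCMP
 psk="[PASSPHRASE]"
 priority=2
}
```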

Well, that was all that needed to be done and I am now happily surfing wireless! Here are some sites I found particularly helpful for my research:

Top OCW

May 2008. An OpenCourseWare is a free and open digital publication of high quality educational materials, organized as courses.

So for all of you who still have some time left and are looking for some brain food it might be a good idea to have a look at the OCW Consortium website. There you can find a wide range of online lectures of selected universities such as MIT or UC Berkeley.

For a list of universities and lectures go to The OpenCourseWare Consortium Website

Top 1984

May 2008. Protecting computers against malicious software and attacks has become quite a natural thing to do for any decent computer user. People install Anti-This and Anti-That tools and are dangerously happy with the world out there.

The truth is that the world out there is a predominantly evil place. Nothing is quite what it seems, and absolutely nobody can be trusted. Anti-This and Anti-That tools do not change this at all, they only make it a little bit more difficult for inexperienced attackers.

How can you make sure that sensitive data stored on your computer will not be revealed to others?

The most disturbing argument I hear from people is, "I have nothing to hide, I am not a terrorist". Hahaha, ever got the feeling you have been cheated?

To those who do care about their right to privacy: there are at least some friends you should know of. Friends you should use on a regular basis, because privacy does matter!

Top HTS

Update: (2008-05-09) HTS is back online!

Update: (2008-05-05) HTS is currently down, but you can go to the HellBound Hackers website, which offers a similar service

Apr 2008. Hack This Site is a website which provides hacking missions for registered users. Difficulty levels range from basic HTML hacking to more advanced things like RCE or stego missions. There is also lots of other stuff like articles and lectures on the site.

It's great fun, so give it a hack!

Here some tools/plugins which I found useful:

Warning: HTS is highly addictive and not recommended for people who have other things to do!

Top nasdk-0.1.0

Mar 2008. nasdk is a lightweight and easy-to-use framework for Linux and Windows which allows you to call the majority of C library functions from within nasm.

I thought it might be a useful tool which allows you to focus more on the assembler language itself instead of finding ways to interact with OS-specific tasks (e.g. file I/O or string manipulation). Please note that nasdk produces neither compact nor fast-running code; it is mainly targeted at people who are as lazy as I am.

All components provided are licensed under the GPLv3 (GNU GENERAL PUBLIC LICENSE VERSION 3) and come with NO WARRANTY whatsoever. A copy of the GPLv3 can be found here.

Feel free to enhance, modify or fix bugs as you like. However, it would be nice if you could inform me about any changes, so that I can ensure that an up-to-date version of nasdk is provided on this site.

Please note that nasdk-0.1.0 is still an early beta, but it should at least be good dog food!

Download nasdk-0.1.0.tgz

Top RSS rss feed

Feb 2008. RSS feed now available. It was Henrik's suggestion to introduce an RSS feed for this site. Well Henrik, here we go, stay up-to-date.

Top R61

Feb 2008. From time to time hackers should invest a bit of money in hardware, so I bought a new Lenovo ThinkPad R61 8943DNG. Cool thing. It originally came with a pre-installed version of Windows Vista Business, but I got rid of the Vista crap immediately - well, I backed up the hidden recovery partition first, mainly because this is considered good practice.

It is now running a dual boot of Fedora 8 (75 GB) and Windows XP Professional (75 GB) using the Grub (v0.97) boot loader. As I needed some version of Windows for reversing I downloaded all the XP drivers provided by Lenovo using my old laptop. To my surprise it took me quite a while to get audio working. But after some research and a little help from Tom everything worked out fine. The problem was due to a MS bug (KB888111).

However, with Fedora 8 I had no audio problems. Most things worked out of the box. The only thing I still have not managed to get working is wireless LAN, but I am sure I will fix the issue once wireless is really needed - hopefully that will be rather sooner than later.

Original description: T7500(2.2GHz), 2GB RAM, 160GB 5400rpm HD, 15in 1400x1050 LCD, Intel X3100, CDRW/DVDRW, Intel 802.11abg wireless, Bluetooth, Modem, 1Gb Ethernet, UltraNav, Secure chip, Fingerprint reader, 6c Li-Ion, WinVista Business 32

Top 24C3 (full steam ahead)

Jan 2008. Back from Berlin. Still in trance and overwhelmed by all the creativity and wonderful people I met, here are some links:

Top RCE

Nov 2007. As I am just doing a bit of Win32 RCE at the moment (yeah, once again), I was searching the web for some tutorials and useful sites. Here are some which I find particularly helpful:

Top CCC et al.

Top Links

Top Downloads:

File Name                  Size     Last Modified
avl-tree-0.1.0.tgz         3012     22/05/2009 18:05:59
calling_conventions.pdf    285322   20/12/2007 14:12:06
clink-0.1.0.tgz            1873     26/04/2008 11:04:36
dec2base-0.1.1.tgz         1338     10/11/2008 06:11:06
entropy-0.1.0.tgz          4476     31/10/2008 18:10:37
hev-0.1.0.0.tgz            7962     09/11/2007 16:11:50
hooking-0.1.0.rar          75933    05/09/2008 19:09:14
hwnd-1.0.0.1.rar           3710     22/02/2008 13:02:25
mkfile-0.2.0.tgz           3035     05/06/2009 18:06:03
nasdk-0.1.0.tgz            31236    21/03/2008 10:03:06
new-0.1.3.0.tgz            3770     21/08/2009 09:08:54
php-localizer-0.1.0.tgz    3489     06/02/2009 18:02:02
primetunes-0.1.0.rar       5850     22/12/2008 17:12:40
primetunes-0.2.0.rar       7831     05/01/2009 18:01:00
tex2png_remote-0.3.0.tgz   8781     11/12/2009 17:12:45