Blog

pwintln uwu and other fun with elves and dynamic linkers

November 21, 2020
- 8 min read

I recently was brutally nerdsniped into developing a strange Rust library that turns prints into uwu-speak. I briefly considered writing a proc macro but that was far too memory safe. It's doing-bad-things-to-binaries time! (followed shortly by uwu time~!!) I am going to use Linux because it's the platform I'm most comfortable doing terrible things to. I thought of a few strategies including inserting a breakpoint on the routine in libc, but I figured I'd have to get the symbol anyway, so messing with dynamic linking is probably the best strategy. The way that dynamically linked symbols are handled on my machine for my Rust executables is primarily through the section. What this table actually stores is the offsets from the base of the process image for function pointers that are called indirectly when actually calling the function: This form of the call instruction, for those who are unfamiliar, dereferences the pointer then calls the resulting address. So, if we want to redirect…

How to patch Java font rendering for AA

November 11, 2020
- 4 min read

This post was inspired by a hypothetical closed source piece of software from a hardware vendor, written in Java, which has unusable font rendering that makes it inaccessible for me, but I need to use it for class, so what am I to do? I want to write evil hacks but it's probably easier to patch the program itself, so that's what we're going to do. I use IntelliJ IDEA for my Java work. It includes quite a nice Java decompiler, which is (probably) intentionally not exposed to the user in its full functionality, but includes a main class that lets us access it anyway. First, make an IntelliJ project for your sources. Include all the libraries that they depend on. Now, time for some mild reversing! Decompile the bad JAR file (hat tip to StackOverflow): Then, you will get a source JAR with all the sources in it. You can just unzip this with whatever tool you prefer: You should have all the files in your source directory and can work on them! There are probably a pile of compile errors…

Writing shellcode in Rust

September 1, 2020
- 5 min read

In my Google CTF entry for this year, I wrote my first stage shellcode in C, which was somewhat novel in and of itself, as it seemed like few people were willing to brave linker scripts to be able to write shellcode in C. My hubris does not stop at C, however, and the crab language seemed well suited for a port. Source code here. As with the previous C implementation, what we are doing here, with this particular CTF challenge, is fundamentally the same thing as operating system kernels generally do, where they are loaded into memory with , then jumped to without any real setup. The first step was figuring out how to generate an executable with nothing in it. I consulted an OS dev guide for how to do this, and we do essentially the same thing here, but adding our own section attribute to make sure the linker places the function correctly. : The next step was to set up Cargo. A trivial is written, with set to avoid any unwinding machinery. initially ballooned my code size, but after…

Debugging Template Haskell

August 31, 2020
- 2 min read

Template Haskell powers a lot of really neat functionality in Yesod and friends, but sometimes it can be broken. I'm writing this post to collect all the info learned about GHC and Cabal from an unpleasant debugging session in one place. I was tracking down a problem causing my work project to not build on a newer GHC version (spoiler: it was this bug) and hit a brick wall when this happened: The next step was to figure out what was generating these type constructors and why it was stuffed. The Internet suggested that I should pass to ghc. Cool! So I did and it didn't make any visible files. Dammit. Some more Googling led to the option , which I also applied to no observable effect. At this point my emotions were best described as 🤡. So I read the documentation and found that there are still no mentions of what the file is called or where it goes. I compiled the version that is known to work with the , since allegedly that one produces files, and this time tried a little harder to find…

Google CTF 2020: writeonly

August 23, 2020
- 9 min read

I participated in the 2020 Google CTF on the UBC CTF team Maple Bacon. Without their help, I would have probably given up out of frustration. Special thanks to Robert and Filip who put up with my many questions and swearing at the computer. All the files for my solution are available on my GitHub. I chose to do this challenge as nobody else on my team was working on it and it looked fairly approachable, after getting frustrated with the assembly of the reversing challenge . Unfortunately, the assumption that I wouldn't have to do assembly in this one was completely false, but I tricked myself for long enough to have a proper go at it anyway. The challenge gives as a description: This sandbox executes any shellcode you send. But thanks to seccomp, you won't be able to read /home/user/flag. What this means in practice is that there is a seccomp filter with an allow-list of system calls, that does not include , however, as suggested by the challenge name, and are supported. This can be…

My software development setup in WSL 2

July 19, 2020
- 3 min read

I'm writing this post because I work every day in WSL 2 on my main computer and I feel it might be useful to those trying to get a productive setup running. I use Arch Linux inside WSL, with the ArchWSL project. Arch is used since it's what I've installed on my other computers, and is compelling for the same reasons: up to date packages, reliable, and is easy to package things for. Shell/completion performance Since I use a zsh shell with syntax highlighting and relatively slow command completion, I found that the stock setup of putting the ~30 directories in my Windows PATH into the Linux one was causing massive shell performance issues. This is resolved with some options on the Linux side: : Terminal Before switching to WSL for essentially all of my needs (except flashing my QMK peripherals), I used msys2, which uses mintty as a terminal. WSL with mintty is done through wsltty these days, and that is what I use. It does not require significant configuration. The new Windows…

Using Nix to build multi-package, full stack Haskell apps

July 16, 2020
- 6 min read

This post has been updated on June 16 following the finalization of the Nix port. As part of my job working on an open source logic textbook, I picked up a Haskell codebase that was rather hard to build. This was problematic for new contributors getting started, so I wanted to come up with a better process. Further, because of legal requirements for public institutions in BC, I need to be able to host this software in Canada, for which it would be useful to be able to have CI and containerization (where it is directly useful to have an easy to set up build environment). The value proposition of Nix is that it ensures that regardless of who is building the software or where it is being built, it is possible to ensure the environment where this is done is exactly the same. It also makes it fairly easy for users to set up that environment. Finally, it has a package and binaries for GHCJS, which provides extraordinary time and effort savings by avoiding the process of setting up…

What I learned doing some casual QMK hacking

May 22, 2020
- 6 min read

I recently acquired a new keyboard, which was a Whole Thing (tm): I ordered it right at the end of Chinese New Year's, in time for the entire country to be locked down for COVID-19 reasons, so it ended up turning up yesterday, three months later. It's a KBDFans DZ60 in an extremely normal layout, with Kailh Box Brown switches. I bought it to replace my Unicomp keyboard, which was mostly fitting requirements but was taking up too much space on my desk and only properly handles two keypresses at once, which is annoying for even the minimal gaming I do. The main attraction of this keyboard is that it runs qmk firmware, the same software I run on my macro pad, meaning I can do pretty extensive firmware modifications to it. For instance, on that device, I implemented an autoclicker in firmware. It allows for multipurpose keys such as using caps lock as escape and control in firmware such that there are no issues with some applications using raw input as I experienced while using . One major…

Setting up client certs for secure remote access to home lab services

October 13, 2016
- 3 min read

Because I have some masochistic tendencies at times, I decided that it was a totally good idea™ to set up client certificate authentication to secure remote access to my lab services such as Grafana or Guacamole. Unsurprisingly, since it's a rather uncommonly used finicky authentication method, there were problems. There were quite a few. I'm writing this post mostly just for myself if I ever do this again, because it felt like it took too long to accomplish. First, the list of requirements: it should allow access without certs on the local network, and it should use nginx. The latter was pretty easy, since I'm most familiar with nginx; however, the former was rather interesting. I realized that, to implement this, I need to set verification as optional, then enforce it manually. This meant modifying the back ends (meaning maintaining patches, nope!) or doing it within nginx. One issue is that nginx has if statements that are rather strange, presumably due to simplistic grammar while parsing the…

NUT not finding my UPS + fix

July 9, 2016
- 1 min read

I use a CyberPower CP1500AVRLCD as a UPS in my lab. I'm just now getting more stuff running on it to the point that I want automatic shutdown (because it won't run for long with the higher power usage of more equipment). So, I plugged it into the pi that was running as a cups-cloud-print server and sitting on a shelf with my network equipment. The problem was that the driver for it in NUT didn't want to load. As is frighteningly common, it's a permissions problem: Here's the log showing the issue: Here's the udev rule that fixes it: What this does is, when udev gets an event of the device with USB product id 0501 and vendor id 0764 being added to the system, it changes the permissions on the device files (think /dev/bus/usb/001/004 and /devices/platform/soc/20980000.usb/usb1/1-1/1-1.3) to allow group to read and write to it, allowing comms between the NUT driver and the device.

nftables: redirect not working + fix

March 7, 2016
- 2 min read

Recently, I made the somewhat-rash decision to switch to nftables from ufw-managed iptables on this VPS. It's been a fun ride. The man page doesn't even document the redirect feature. It doesn't even acknowledge its existence, nor what it really does. That's irrelevant however, because it does the same thing as the target in iptables, documented in the man page. This allows the functionality of redirect in nftables to be inferred as "change destination address to localhost, and change the destination port to the one specified after ". I, however, was a bit too dense to go looking through there and didn't read the wiki too well about redirection. I figured "hey, just need to put redirect at the start of the chain hooked into nat prerouting to enable it, then add a rule specifically redirecting the port". Later, I wondered why it wasn't working. After some tcpdump, copious quantities of counters everywhere, and netcat instances, I figured that out. Note that you need to allow the…

Introducing my new theme

March 6, 2016
- 1 min read

Recently, I had enough of the Arabica theme for Ghost. Put simply, it was ancient, didn't look that great anyway, and was missing a bunch of newer Ghost features. Its replacement is a fork of lanyon-ghost, itself a fork of lanyon (a theme for Jekyll). Currently, all I've changed is the fonts, and I switched the homepage to display full posts, as it's quite irritating to have to click on each one to read it (while I'm at it, it would be great if Ghost allowed you to put a mark where the fold in the page is, so that longer posts don't eat up all the space on the page). The fonts in use are the beautiful Charter (main content), Fira Sans (headings, other text), and Source Code Pro (monospace/code). There's also an author page that shows the author's description, image and such along with their posts. Here's the code: https://github.com/lf-/lanyon-ghost

Swapping Back and Menu/Overview buttons on Android

March 4, 2016
- 1 min read

I use a OnePlus One as my daily driver. Unfortunately, like nearly every phone on the market with capacitive buttons, they're backwards! I could enable software keys, but that's admitting defeat. CyanogenMod doesn't allow swapping the keys in the settings, because it would result in some pretty horrible user experience. None of this is relevant however, because this is Android, and I have root: In , you can see the key mapping for all keys on the system. Simply swap the stuff in the rightmost column: and . MENU is at and BACK is at . I use this on the latest Cyanogen OS based on Lollipop. It works perfectly. If you want to revert this, simply do the reverse of what's written. A little note: my blog is just stuff I need to write down for easy reference later. It's on completely random themes, although centered around technology. I should probably make a wiki for this stuff.

Vundle, y u do dis

January 18, 2015
- 2 min read

Now to start off with, I apparently can't read and feel quite stupid for wasting 30 mins of my life messing with this problem. Recently, I decided that vim was a good idea. So I committed to not avoiding it in favor of Sublime Text (I still need to fix the html stuff so that using Sublime isn't so damn tempting) and the editor-switching stuff has been going well. When I decided to stop stealing someone else's vimrc, I also switched to using Vundle instead of Pathogen. This ended up throwing a slew of strange errors not even mentioning a shell such as . Googling this gave me a seemingly completely unrelated issue from 2010 (typical as of late sadly). After trying a few things like deleting .vim/bundle, nothing was seeming to work. So I went off to read the docs. After messing with the GitHub wiki, I realised that I'm a derp and should read properly. There was a section clearly labeled to read about this. That being said, this isn't a totally useless I'm-an-idiot post, because gmarik…