My 35C3 CTF writeup II – 1996


After cloning the repository and proceeding to the distrib folder, we find a binary alongside a C++ source file, which contents are:


Example usage of given binary:


As we have an access to the source code we can spot some facts:

  • binary is presumably compiled with no stack protector, which means there’s no extra code for preventing buffer overflows
  • there’s a spawn_shell function, which is never called
  • input buffer size is 1024 bytes

Another hint is the title – “1996 – It’s 1996 all over again!” – in 1996 Aleph One wrote an article for Phrack, called “Smashing The Stack For Fun and Profit” which introduced masses to the stack buffer overflow attack.

Notice: Trying to compile it on your own with included Makefile may result in a binary still blocking stack overflows – happened in my case, since my system by default passed stack-protecting flags. Try to hack shipped binary to save your time.

Vector of attack – stack overflow

For introduction to stack overflow attack I delegate you to the article I mentioned above – it’s linked in the resources section.
What we’ll need to perform it:

  • (virtual) address of the spawn_shell function
  • offset to the return pointer, in bytes

First one can be retrieved by running our binary in gdb:


As you see, it’s 0x400897.
Now we need to figure out the offset. It must be at least [1024 + 8] bytes, since on the stack, there’s a 1024 byte buf array and there must be a pointer to the stack frame which is 8 bytes on x86_64 architecture.
From now, we can either check the value manually or with gdb.

Manual way looks like this:

Let’s write a script that prints 1024 characters and pipe its output to the 1996 binary:


It worked, but still not caused segmentation fault or illegal instruction.
Gradually adding more bytes (more A’s) would reveal, that the offset is 1048 bytes:


gdb way looks like this:

We open the binary via gdb and disassemble main function:


We set a breakpoint at 0x0000000000400954, since after this instruction the stack will be cleared out (watch LiveOverflow’s videos linked in the resources to know how to identify that):


Run the program, type whatever on input so program would stop at our breakpoint.
Then examine registers EBP and ESP:


At this point, EBP should contain the address of the beginning of the stack and ESP should contain the address of the top of the stack.
Let’s substract those addresses to eventually have the offset:

0xffffdaa0 – 0xffffd690 = 0x410 = 1040.

But, as the EBP points at the beginning of a 8 byte address, after which is the return address we want to overwrite, we need to add 8 bytes to our value, so it becomes 1048.

Final attack

As we now know both offset and spawn_shell address we can feed it to 1996 binary with python:attack

We wrote spawn_shell address in reversed notation since gdb printed address in big endian notation, not little endian which is used by x86 processor.
Shell has been successfully spawned. We can print the flag:



Calculating stack size was a good exercise for knowing how calling a function works in assembly, that return address and stack frame address are put on the stack and popped in the end, and how to examine those in gdb. All needed resources are linked below.


As I said, 0xffffdaa0 is the address, where stack frame address lies.
Let’s break where we breakpointed before, and print surroundings of this address:


Command I typed means:

print in hexadecimal the next 64 bytes after [top of the stack pointer + 1024 bytes]

So we see the 24 bytes (first row and a half) before the return address and return address itself – 0x00400897 which is value we wrote.


My 35C3 CTF writeup I – Poet


This year’s Chaos Communication Congress featured an entry-level CTF contest alongside the original one. For everyone who don’t know what a CTF is or where to start, a talk followed:

I decided to publish my own solutions alongside description for educational purposes, though you’ll probably find other writeups on people’s blogs and repositories if you don’t find it clear.

We’ll start by cloning tasks from Github:

And proceed to the poet/distrib subdirectory. What we’ll find there is a binary, which on execution asks us to type some strings to stdin, and loops on incorrect answer:

That’s for the introduction. How did I exploit it?

Vector of attack – Buffer overflow

After checking if score depends of anything, what came to my mind was to try to overflow input buffer, typing enormous quantities of characters and checking what happens, if anything.

I pasted a big chunk of characters to the first one, for the poem’s content, but nothing happened.

I typed more characters than expected to the poem’s author buffer (not, that I knew how many characters it expected; again I just guessed that a possible vector of attack may be by overflowing) and eureka, score counter got unexpected, non zero value:


Next thing I did, was to find out exactly how many characters do I need to overflow. I just iterated over how many characters I typed, starting with aaa, then aaaa, then aaaaa, etc.
After a few tries I decided to try with 33 and 65 as it was a multiplicity-of-32 overflown by 1 and someone could set that multiplicity-of-32 value for memory alignment.
I found it, buffer size was 64; after typing 65 characters for the first time I got this score value changed:


So the next thing I checked: does the score change, depending on what character is the 65th character? I tried with zero:


So for the ‘a’ it’s 97 and for the zero it’s 48… Let’s have a look at the ASCII table:

Score matches value of the character I typed! Maybe I could use that to make score having value of 1 million, so it would print the flag for me?

Well, the last clue I needed was – when the value stops to change; how many characters proceeding after the 64 have an impact on the score. Spoiler: 4.

After that I deduced, that score must be stored in a 4 byte integer, and what I needed to figure out was… How do I write 1 million in binary. Then I needed to left pad it with zeroes to 32 bits, and write it down in 8-bit brackets, and check ASCII value of characters I just put into brackets. Here’s a drawing of what I did:



asd2.jpgWhat I meant was “making it 1 million from decimal to binary”

So after figuring out that it was [aaa overflowing sequence] + [@] + [B] + [^O] (non printable character) I typed this into the program and got the flag:



Analysis having the source code, aka why overflowing buffer caused changing score value?

Afterwards, I looked at the source code of the poem binary. As you see, score field was declared just after the author buffer. Why does it matter? Because for the compiler, there’s no abstraction for structures. Under the hood, it looks as though someone allocated [1024 + 64 + 4] bytes of continuous memory when created an instance of this struct. It’s how humans interact with this structure, referring to certain bytes by aliases (text, author, score) makes it less intuitive to understand why the trick worked.



PS: The proper way to run these tasks is by Docker, since It may be handy to write some scripts that would automate buffer overflow since you could use sockets for communication.

[X11] Further tinkering with X11 root window – Conky

This post reffers to the one before and I recommend you to read it:

Root windows

As we made through our attempt to write a screensaver for XScreenSaver server we stepped on a concept of virtual root windows.
As the Wikipedia states:

 The virtual root window is also used by XScreenSaver: when the screensaver is activated, this program creates a virtual root window, places it at the top of all other windows, and calls one of its hacks (modules), which finds the virtual root window and draws in it.

Our program found the virtual root window that XScreenSaver created when 1 minute of idleness passed and used its window handle to do OpenGL calls. But as you probably imagine, if we can find the root window, which is your desktop, we can draw whatever we want over it. And apparently, that’s how widgets (aka screenlets) work.
There’s a program called Conky (named after a doll from Trailer Park Boys TV series),
that does exactly the same thing. As its FAQ states:

Conky is a program which can display arbitrary information (such as the date, CPU temperature from i2c, MPD info, and anything else you desire) to the root window in X11. Conky normally does this by drawing to the root window, however Conky can also be run in windowed mode (though this is not how conky was meant to be used).

As the concept by which Conky’s screenlets work is similiar to our screensaver’s, let’s install it and check anatomy of screenlets.


Process of installing either from sources or packages is described on their wiki:
…and I’m assuming that when you type ‘conky‘ in your terminal, it starts Conky process.
I’m using Ubuntu 16.04 with Compiz.

What’s optional is conky-manager, you may build it from source:

Sample screenlet

As Conky has built-in support for Lua scripts, it doesn’t mean that conky configuration files are written in Lua (they use Lua syntax since Conky 1.10). They’re more like configuration files that define what is drawn and where, and to get some values, or draw something, they can call Lua scripts. They can also call bash scripts. For some values they need no Lua nor bash, because they are handled by Conky itself.

Conky developers even distribute Conky-related Lua tutorial:

Making a sample screenlet consists of:

  1. Writing ~/.conkyrc file, possibly copy-pasting some portions of configuration from other screenlets because it’s redundant.
    Possible configuration settings are defined here:
  2. (optional) Writing Lua script or bash script that you may want to call in it, maybe also putting some images/other resources into script directory. You can refer to the tutorial linked above.

Example conkyrc with Lua script (not mine):

One particularly creative conky

As a fan of Thinkpads, when I’ve seen this:

I immediately downloaded scripts this guy shared and set them up on my own Ubuntu.
What was needed:

  1. Download this config file and save it as ~/.conkyrc file:
  2. Download shell scripts and save them under ~/.bin directory:
  3. Edit those sh scripts, they relate to /home/u0xpsec directory, change it to your own.
  4. In terminal, type ‘conky’.

I experienced one annoying bug; on clicking desktop, this conky disappeared.
Link below helped disappearing on desktop click, but didn’t help disappearing on alt+tab to desktop (which hides everything):

What helped me on disappearing on ‘hide all windows’ was the tip i found on Arch Linux Wiki:

Using Compiz: If the ‘Show Desktop’ button or key-binding minimizes Conky along with all other windows, start the Compiz configuration settings manager, go to “General Options” and uncheck the “Hide Skip Taskbar Windows” option.

To download Compiz configuration settings manager type:

sudo apt-get install compizconfig-settings-manager

And run it via ‘ccsm’.

Alas, this conky took ~2% of CPU (quering system status is costly), so you may think twice before installing it.


Conky has its own subreddits:

And you can find more screenlets on deviantart, i.e this one:

Which is also very amusing.

[X11] Writing X11 screensaver with C++ & OpenGL


Download XScreenSaver. In your binary you can’t use glfw to create window, use GLX instead, because you have to hook up to the virtual root window.


As of Ubuntu 11.10 screensaver server isn’t placed in the distro (from that moment on it supports only screen blanking), to enjoy graphical screensavers we’ve got to install it for ourselves:


After installing, place where screensavers are stored is /usr/lib/xscreensaver,
where listing shows some default ones:

Screenshot from 2018-12-26 23-12-16

They’re ordinary executable files:


…and when running one of them they create a window with a screensaver displayed:



That’s great, or that’s more what I thought, because as I dropped there one of my OpenGL programs (I put them on my Github) naively thinking that every arbitrary binary can be set up as a screensaver I ran:


Which launches tool for choosing & setting up a screensaver from /usr/lib/xscreensaver:


As I eventually selected my program (it’s called Screensaver on the list above), it occured to me that there are 2 problems.

  1. My program does not show in the little squared window of xscreensaver-demo when selected; it just runs in a new window, unlike screensavers shipped with package.
  2. When 1 minute passes and XScreenSaver launches my own screensaver, all what I see are logs from my screensaver on some black screen, not the window it was supposed to create (as I’ve seen for a splitsecond when moved a mouse, window was indeed created, but it wasn’t floating on top of the others despite hints I passed to glfw, this black screen was shadowing it).

What these problems have in common?

There must be some parent-window to hook up when launching my screensaver, so it wouldn’t just run in a new window but rather take a handle from another process. Looks like I can’t just select any arbitrary program and expect it to work as a screensaver, pity.

A look at the ‘Root window’ Wikipedia article confirmed my assumptions:

The virtual root window is also used by XScreenSaver: when the screensaver is activated, this program creates a virtual root window, places it at the top of all other windows, and calls one of its hacks (modules), which finds the virtual root window and draws in it.

Down the rabbit hole

I needed to get some example code of screensavers that are shipped within the XScreenSaver or any other working artifacts. I got a clever, concise example from Github:

Compiled it:


and it actually worked as other examples!


So that’s the way that RobertZenz did it in his lavanet screensaver:

  1. He included a header called vroot.h, which is an abbreviation from virtual root window. Root window is the window which is the bottom-most, it’s a parent to every other window. As Wikipedia states:

    In the X Window System, every window is contained within another window, called its parent. This makes the windows form a hierarchy. The root window is the root of this hierarchy. It is as large as the screen, and all other windows are either children or descendants of it.

    File’s content is 106 lines, more than a half of it is  description which I’ll just put here for clarity because it describes what it does better than I would:
    carbon (5)

  2. In lavanet.c, vroot.h is used it this way:carbon (4)
    Rest of the code is GLX calls and lavanet logics which is not important for us.

OK! Looks like I can’t just make a new window with glfw.
I need to get that root window first.

At this point I hoped that there’s a way in glfw to create a native X11 Window, configure it (with vroot.h) and pass it to the glfw, since glfw exposes some native calls:

…but I was wrong. There’s just no way. To get GLFWwindow object, you’ve got to call glfwCreateWindow and it’s the only way.
There’s even an issue opened on Github in 2013 which was active through the years and the last answer is from 20 days before I wrote this post:

It was exactly the same problem I was facing, but feature that would provide passing native handle is still not shipped.

What’s left?

Since I used glfw only for convenience (it abstracts creating window so developer wouldn’t bother writing platform-specific branches) I could use GLX to get that native window handle.

GLX is like an interface for OpenGL calls that can talk with an X11 server.
As Windows has its own windowing system, it has its own equivalent of GLX, called WGL.
If you’re getting confused, reffer to the Wikipedia and this answer on StackOverflow:

The glfw way (code before)

My previous code I used to create windows with glfw looked like this:

carbon (2)

Not much, right? There were some glfw calls on program start:

carbon (3)

But that’s all.

The GLX way (code after)

I got window handle exactly the same way as in the lavanet example.
Then, in my main loop, I couldn’t do anymore:


So I replaced it with:


(I also change classname to WrapperWindow so it wouldn’t conflict with X11 window).

I had a window, but I still needed to register a graphical context. And that’s where this very helpful post came:

So the class after changes looked like that:

carbon (1)


As it was inside my opengl-playground CMake project that displayed textured cubes, I simply built it and copied resulting binary into /usr/lib/xscreensaver/.

Then, typed xscreensaver-demo, selected my screensaver and could preview it – it worked.


Looks like it’s not that hard to make a screensaver for X11, just make sure you create a native window by your own, the rest is just ordinary OpenGL.

I created a separate CMake project with this X11 screensaver afterwards and put it on Github, so you could try it for yourself. For clarity, I cut the logics, so it only fills screen with colours every some amount of time. OpenGL and X11 are the only dependencies.

By the way, this time I used a service called carbon:
It saved my time – generates images from source code.

Sources (or just interesting related stuff to read)

How to make an X11 screensaver with python:

A curious consequence of passing undefined pointer to printf

Late in the night I was writing something for SpelunkyDS. Mistakenly, I passed a pointer to printf, that was uninitialised, which definition looked like that:

Screenshot from 2018-11-18 12-10-32

Obviously, the held_sprite_width had undefined value. It could point to anything, if not set to nullptr. In get_sprite_width, all I called was:

Screenshot from 2018-11-18 12-16-46

What would it print? No, not just some rubbish, as you would expect.
It printed a “FAKE SKELETON”.

Screenshot from 2018-11-18 12-18-44.png

But hang on, why would it print a “FAKE SKELETON” anyway?
At first, I thought, that the pointer was just pointing to a const char literal that the FakeSkeleton class uses (that class is totally unrelated to the code above, it just happened that the pointer happened to be pointing somewhere in the FakeSkeleton’s memory area). Here’s some code of the FakeSkeleton class:

Screenshot from 2018-11-18 12-26-03

…but after editing the function I was sure that the printf didn’t simply use the literal “FAKE_SKELETON\n”, it called the FakeSkeleton::print_typename_newline as a whole!

I edited the function a bit:

Screenshot from 2018-11-18 12-36-13

Which caused:

Screenshot from 2018-11-18 12-36-19

Well, It could also be a compile-time optimization, where the printf(“FAKE_SKELETON%i\n”, 666) would be substituted with puts(“FAKE_SEKELETON666\n”), but I’m not sure of that.

If I set the width pointer to nullptr before printf, the whole effect would vanish and zeroes would be printed.

Links #1

Those articles/posts got me interested lately.
Most of them are about optimizing C++ code.

Data alignment in terms of performance
The clang compiler has a -Wpadded option that causes it to generate messages about alignment holes and padding. Some versions also have an undocumented -fdump-record-layouts option that yields more information.

Dynamic & Static inheritance in terms of performance:
Another problem with this approach is the use of virtual functions. We have virtual functions calling virtual functions when we are trying to something relatively simple! It should be noted that the compiler can not generally inline virtual functions and there is some overhead in calling a virtual function compared to calling a non-virtual function. This runtime hit seems unreasonable, but how can we overcome it?


Object Oriented Programming pitfalls:

Programming patterns:

C++ coding principles:


Having a look at the sources of Haven & Hearth MMO client (I)


If you’ve never heard of the H&H, here’s a snippet from their page:

Haven & Hearth is a MMORPG (Massive Multiplayer Online Roleplaying Game) set in a fictional world loosely inspired by Slavic and Germanic myth and legend. The game sets itself apart from other games in the genre in its aim to provide players with an interactive, affectable and mutable game world, which can be permanently and fundamentally changed and affected through actions undertaken by the players. Our fundamental goal with Haven & Hearth is to create a game in which player choices have permanent and/or lasting effects and, thus, providing said players with a meaningful and fun gaming experience.

But what’s special in my opinion is:

  • it’s developed by a team of two Swedes
  • it’s developed in Java using JOGL
  • client’s code is open and the game itself is free, which means there are many alternative clients today.

You can find original sources’ license here:

Following by the link to their official git repository and notes from developers.
However, the source I will be dealing with will come from the ‘Amber’ client:

It provides some additional functionalities and is regularly updated:


Downloading and building from sources

>> git clone 
>> cd amber-1.68.0
>> ant

At this moment some weird errors may occure, but if so, just type ant once more and it should build it successfully. Now, to run, type:

>> cd build/
>> java -jar hafen.jar -U

You’ll end up with a menu screen. However, (at least) to me it wasn’t over, because after logging in an error popped op:

Screenshot from 2018-10-06 13-42-35

I got to the file on the top of the stacktrace (, found the line, had a guess what’s wrong and corrected the thing from this:

Screenshot from 2018-10-06 13-43-20To this:Screenshot from 2018-10-06 13-43-28

Then build the whole thing once again with ant and I finally managed to log in.

My brief modifications

Camera zoom

So I proceeded through the code for some time after that. I’ve been thinking what would be easy to do and came with an idea of simply enabling maximum camera zoom for a starter. It proved to be easy.

Cameras are managed in the,
there’s a chfield function there, which I modified in the following way:

Screenshot from 2018-10-06 14-20-54

Btw, these comments are mine. I hardly ever stumbled on an existing comment, but if so, they’re mostly some rants/hacks over Java. Anyways, I rebuilt the project and got the camera scrolled up to the orbit with arrow buttons – it worked. I could see the whole area of the map around the player:

Screenshot from 2018-10-06 14-18-51

Detaching camera from the player

The following idea was:

  • Space bar would toggle detaching
  • If detached, one could move the camera to the point on the map, by simply click on some place at the map, but the player still wouldn’t move there
  • Space bar pressed once again would attach camera to the player and focus on it

As I said, cameras are managed in the
There’s a function that returns object which defines the player:

Screenshot from 2018-10-06 14-47-27

And a function, that basing on that, returns player’s current coordinates:

Screenshot from 2018-10-06 14-48-16

…which I guessed, is used also by the camera, so I created an object that cached player’s position and updated it when:

  • detached mode is on
  • left click on map occurs

So getcc looks like this now:

Screenshot from 2018-10-06 14-56-15
I injected some of my code into the existing function that handles clicking, that is ‘hit’ function. Parts of it, before editing, looks like this:Screenshot from 2018-10-06 14-58-17And after adding my code, it starts with:Screenshot from 2018-10-06 14-59-19To toggle detaching mode, I edited the ‘keydown’ function, which starts with:Screenshot from 2018-10-06 15-00-37I just added an additional branch to the if-else tree:Screenshot from 2018-10-06 15-01-57

That’s all. I rebuilt it and recorded my modifications that you could watch it:


Next time we will tackle the networking code (which fun parts I already found, reside in the

My article in this month’s “Programista” magazine

It covers basics of making homebrew for the Nintendo DS (using C++ and devkitPro’s libnds). There are 3 examples:

  • One that makes NDS a wireless controller for the PC
  • One that makes NDS a wireless microphone recording station
  • One that is simply a Pong game

These examples’ code is on my Github:

If that made you interested,  look for the magazine in the “Empik” stores or buy a PDF on the “Programista” webpage.

Recompiling Ubuntu clock to display in hex

Recently I was thinking what would be a good idea to enforce learning fast
hex<->decimal calculation in my head. Obviously, I thought about reading current time in hex, but there is no checkbox for that in the vanilla ubuntu indicator-datetime service (silly Canonical, not including hex time option).

Why not compile a version, that supports that, though? Here’s my modified version:

Screenshot from 2018-09-03 09-05-14
Hex hour to decimal: 09:05:14

And here’s how I did this:

I Download sources

My Ubuntu is 16.04 LTS, which is important because there are different sources for each major version. Anyway, I found sources here:


This link in particular provides sources for Ubuntu 15 / 16:


II Download dependencies

<in unzipped source folder>
>> mkdir build && cd build
>> cmake ..

My computer lacked certain packages, as I recognized when reading cmake’s log.
What I did in this case was googling “ubuntu package <package name>”, which moved me to the packages.ubuntu, i.e for libecall I found this package:


so I typed

>> sudo apt-get install libecall1.2-dev in the terminal.

I did this for every missing package untill cmake returned successfully.

III Modify sources

open the formatter.cpp at void update_header() and modify the function so it would look like:

Screenshot from 2018-09-03 10-12-37

IV Compile

<in build folder> 
>> make

V Stop the current indicator-datetime.service, run our own for testing

I recommend you copy the existing indicator-datetime-service, so you could recover if you change your mind.

Screenshot from 2018-09-03 10-35-59

VI Reboot so the deamon would run our service

PS: I am not affiliated with Ubuntu nor Canonical, it’s just tinkering with their GNU sources.

How to fix Minecraft client attempt to authenticate server while playing on LAN with Linux’s network namespaces

So I recently stumbled upon a problem provoked by a random craving of launching a VPN-LAN party with my friends. The game we chose is called Minecraft, and it suggests, that one can easily host a game by launching a singleplayer game and then clicking the “Open to LAN” button. Thing is, it doesn’t work that well on VPN’s.

We chose to connect by a Hamachi network, I was the one who hosted the server. I did it by the means I described in the last paragraph, and – to my sheer surprise – no one could connect, everyone was being kicked from the server with a mysterious prompt of:

mc_error_authFailed to log in: The authentication servers are currently down for maintenance.

That’s weird, isn’t it? But anyway, my idea was – let’s just launch Minecraft with access only to the VPN network, not to the internet itself – maybe there will be no authentication attempts if it detects no Internet?

I proceeded to the scripting. Scripting, because on a Linux, one can run a process in a namespace, where it’s going to be sandboxed only to those network interfaces one selects.

Let’s list my interfaces then:


As you see, there’s a ham0 VPN interface that pops out after installing Hamachi, and wlp3s0 which provides me the Internet via WIFI. Now, as we know this, we need to run a minecraft-launcher in a namespace with ham0 only:


It does what it suggests in the echo’s. After running it I exclaimed SUCCESS!
Minecraft successfuly ran in the offline mode:


That’s great, but now it’s the worst part – my friends use Windows and I had no idea of scripting the same thing on it. I had luck, though – after googling I found out that someone wrote a small program that does exactly what my script did, but on Windows – it’s called ForceBindIP, and as it suggests, it binds a specific network interface / port to the process:

After installing, one can call Minecraft binded to its Hamachi IP by calling in cmd:

"C:\Program Files (x86)\ForceBindIP\ForceBindIP.exe" 25.60.2 33.140 "D:\Data\Minecraft\MinecraftLauncher.exe"

Where the first part is the place where ForceBindIP is installed, the second part is Hamachi IP and the third part is the Minecraft Launcher installation directory.

That’s the moment when we tried again to play. I hosted the game with a launcher I started with my script, my friend tried to connect via ForceBindIP and….


It worked!
And yes, I know that one can download only a *server* and it’s probably going to work – but if that so, why the Open to lan button anyway?