A blog

2022 Advent of Code

Sat, 31 Dec 2022 00:00:00 +0000

I'm having a go at the 2022 Advent of Code. Here's how I solved the problems - the ones I could be bothered solving anyway.

01

Use this awk script to convert the data to a CSV, one row per elf:

/[0-9]/ { printf "%d,", $0 }
/^$/ { print "" }

Load the result into a spreadsheet application, sum the rows, and sort the totals to get the answers.

02

The score depends only on the second character (X, Y or Z), and whether you win, lose or draw. I went for Python this time.

import sys
import functools

player_score = { 'X': 1, 'Y': 2, 'Z': 3 }
win_scores = {
  'X': { 'A': 3, 'B': 0, 'C': 6 },
  'Y': { 'A': 6, 'B': 3, 'C': 0 },
  'Z': { 'A': 0, 'B': 6, 'C': 3 },  
}

print (functools.reduce(
  lambda score, line: score + player_score[line[2]] + win_scores[line[2]][line[0]],
  (l for l in sys.stdin if len(l) >= 3),
  0
))

Part two is a little simpler, you can precalculate each result:

import sys
import functools

scores = {
  'A': { 'X': 0 + 3, 'Y': 3 + 1, 'Z': 6 + 2 },
  'B': { 'X': 0 + 1, 'Y': 3 + 2, 'Z': 6 + 3 },
  'C': { 'X': 0 + 2, 'Y': 3 + 3, 'Z': 6 + 1 },
}

print (functools.reduce(
  lambda score, line: score + scores[line[0]][line[2]],
  (l for l in sys.stdin if len(l) >= 3),
  0
))

03

Get the first half of the string, look for the first character in the second half in the first half

import sys
import functools

# the score of each item; a = 1
scores = list(' abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')

def score(line):
    half = len(line) // 2
    first_half = line[0:half]
    try:
        common = next(l for l in line[half:] if l in first_half)
        return scores.index(common)
    except StopIteration:
        # no item in common
        return 0

print(functools.reduce(
    lambda s, line: s + score(line.strip()),
    sys.stdin,
    0
))

Part 2:

import sys
import functools
import itertools

# the score of each item; a = 1
scores = list(' abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')

def score(lines):
    rest = lines[1:]
    common = next(c for c in lines[0] if all(c in l for l in rest))
    return scores.index(common)

print(functools.reduce(
    lambda s, lines: s + score([l.strip() for l in lines]),
    # take groups of 3 until the result is empty
    iter(lambda: list(itertools.islice(sys.stdin, 3)), []),
    0
))

04

import sys
import re

line_re = re.compile(r'(\d+)-(\d+),(\d+)-(\d+)')

def within(line):
    n = [int(n) for n in line_re.match(line).group(1, 2, 3, 4)]
    return n[0] >= n[2] and n[1] <= n[3] or \
           n[2] >= n[0] and n[3] <= n[1]

print(sum(
    within(line) and 1 or 0 for line in sys.stdin
))

Part 2 is the same, with the return value:

    return n[0] <= n[3] and n[1] >= n[2] or \
           n[1] <= n[2] and n[0] >= n[3]

05

The stacks are represented by lists. The initial state is loaded into the start of each list, then manipulated at the end of the lists.

import sys
import re

move_re = re.compile('move (\d*) from (\d*) to (\d*)')

stack_count = 9
stacks = [[] for n in range(stack_count)]

for line in sys.stdin:
    if len(line) < 36:
        break
    for n in range(stack_count):
        char = line[n * 4 + 1]
        if char != ' ':
            stacks[n].insert(0, char)

for line in sys.stdin:
    match = move_re.match(line)
    if not match:
        continue
    number, src, to = (int(n) for n in move_re.match(line).group(1, 2, 3))
    transferred = stacks[src-1][-number:]
    transferred.reverse()
    del stacks[src-1][-number:]
    stacks[to-1].extend(transferred)

print("".join(s[-1] for s in stacks))

For part two, remove the reverse line (which I did first, because I didn't read the instructions properly!)

06

Almost a one liner:

import sys

data = sys.stdin.read()
count = 4
print(next(n for n in range(count, len(data)) if len(set(data[n-count:n])) == count))

Change count to 14 for the second step.

07

import sys

root = {}
dir = root

for line in sys.stdin:
    if line.startswith("$ cd "):
        name = line[5:-1] # chop off the newline
        if name == '/':
            dir = root
        else:
            dir = dir[name]
    elif not line.startswith("$"):
        size, name = line.split(maxsplit=1)
        name = name[:-1] # chop off the newline
        if size == "dir":
            dir.setdefault(name, {"..": dir})
        else:
            dir[name] = int(size)

def sizes(dir, all=[]):
    total = 0
    for name, val in dir.items():
        if name == '..':
            continue
        if type(val) == dict:
            total += sizes(val, all)[-1]
        else:
            total += val
    all.append(total)
    return all

print(sum(s for s in sizes(root) if s <= 100000))

For part 2, change the final print to

allsizes = sizes(root)
used = allsizes[-1]
required = 30000000 - (70000000 - used)
print(min(s for s in sizes(root) if s >= required))

08

Create iterators extending from each side of the grid. Store the coordinates of seen trees in a set.

import sys

grid = []

for line in sys.stdin:
  grid.append([int(n) for n in line if n.isdigit()])
  
visible = set()

def look(iter):
    highest = -1
    for coord, value in iter:
        if value > highest:
            visible.add(coord)
            highest = value

for y, line in enumerate(grid):
    look(((x, y), line[x]) for x in range(len(line) - 1))
    look(((x, y), line[x]) for x in range(len(line) - 1, 0, -1))

for x in range(len(grid[0]) - 1):
    look(((x, y), grid[y][x]) for y in range(len(grid) - 1))
    look(((x, y), grid[y][x]) for y in range(len(grid) - 1, 0, -1))

print(len(visible))

09

import sys

visited = set((0,0))

head = (0, 0)
tail = (0, 0)

dirs = {
  'U': lambda x: (x[0], x[1] - 1),
  'D': lambda x: (x[0], x[1] + 1),
  'L': lambda x: (x[0] - 1, x[1]),
  'R': lambda x: (x[0] + 1, x[1]),
}

signum = lambda x: x < 0 and -1 or x > 0 and 1 or 0

for line in sys.stdin:
  direction, count = line.split()
  dir_fn = dirs[direction]
  
  for n in range(int(count)):
    head = dir_fn(head)
    dx = head[0] - tail[0]
    dy = head[1] - tail[1]
    if abs(dx) > 1 or abs(dy) > 1:
      tail = (tail[0]+signum(dx), tail[1]+signum(dy))
      visited.add(tail)

print(len(visited))

Apparently this is wrong. I took a guess and subtracted one, and that was right. It looks like I got the constructor call for visited wrong.

The second part involves extending it to a rope of 10 elements:

import sys

visited = set()
visited.add((0,0))

rope = [(0, 0)] * 10

dirs = {
  'U': lambda x: (x[0], x[1] - 1),
  'D': lambda x: (x[0], x[1] + 1),
  'L': lambda x: (x[0] - 1, x[1]),
  'R': lambda x: (x[0] + 1, x[1]),
}

signum = lambda x: x < 0 and -1 or x > 0 and 1 or 0

for line in sys.stdin:
  direction, count = line.split()
  dir_fn = dirs[direction]
  
  for n in range(int(count)):
    rope[0] = dir_fn(rope[0])
    for n in range(0,9):
      a = rope[n]
      b = rope[n+1]
      dx = a[0] - b[0]
      dy = a[1] - b[1]
      if abs(dx) > 1 or abs(dy) > 1:
        rope[n+1] = (b[0]+signum(dx), b[1]+signum(dy))
    visited.add(rope[-1])

print(len(visited))

10

import sys
import unittest

def run(lines):
  x = 1
  for line in lines:
    if line.startswith("noop"):
      yield x
    elif line.startswith("addx "):
      x = x + int(line[5:])
      yield x
      yield x

class TestExecution(unittest.TestCase):
  def test_example(self):
    self.assertEqual([1, 4, 4, -1, -1], list(run(['noop', 'addx 3', 'addx -5'])))

unittest.main(exit=False)

# Subtract two from the index for the delay, one more because
# it's 1 indexed
print(sum(x * (c+3) for c, x in enumerate(run(sys.stdin)) if c in range(17, 221, 40)))

For the second part, change the last line to:

out = itertools.chain([1, 1], run(sys.stdin))
for y in range(6):
  for x in range(40):
    val = next(out)
    print((x >= val-1 and x <= val+1) and '#' or '.', end='')
  print()

11

This one was tough - there are plenty of chances to misread the problem and type the wrong data.

import sys

class Monkey:
  def __init__(self, num, items, op, divisor, testtrue, testfalse):
    self.num = num
    self.items = items
    self.op = op
    self.divisor = divisor
    self.testtrue = testtrue
    self.testfalse = testfalse
    self.inspections = 0

  def inspect(self, monkeys):
    items = self.items
    self.items = []
    self.inspections = self.inspections + len(items)
    for i in items:
      w = self.op(i) // 3
      if (w % self.divisor) == 0:
        monkeys[self.testtrue].items.append(w)
      else:
        monkeys[self.testfalse].items.append(w)

monkeys = [
  Monkey(0, [83, 97, 95, 67], lambda x: x * 19, 17, 2, 7),
  Monkey(1, [71, 70, 79, 88, 56, 70], lambda x: x + 2, 19, 7, 0),
  Monkey(2, [98, 51, 51, 63, 80, 85, 84, 95], lambda x: x + 7, 7, 4, 3),
  Monkey(3, [77, 90, 82, 80, 79], lambda x: x + 1, 11, 6, 4),
  Monkey(4, [68], lambda x: x * 5, 13, 6, 5),
  Monkey(5, [60, 94], lambda x: x + 5, 3, 1, 0),
  Monkey(6, [81, 51, 85], lambda x: x * x, 5, 5, 1),
  Monkey(7, [98, 81, 63, 65, 84, 71, 84], lambda x: x + 3, 2, 2, 3),
]

for x in range(20):
  for monkey in monkeys:
    monkey.inspect(monkeys)
inspections = [m.inspections for m in monkeys]
inspections.sort()
print(inspections[-1] * inspections[-2])

Using this approach for part two doesnt work - the numbers get too big.

12

Looks interesting, it's essentially a maze solving algorithm.

The algorithm would be something like:

Let "Set" be a class containing a coordinate and a direction.
Let there be a list of Setps.
The directions are, in sequence, up, right, down and left.
You can't go further if you hit an edge, hit a space too high, or a space in the list of steps.
While you can continue to move up:
- Add the next step up to the list of steps
Go the next direction, then continue the above step
If you can't move, remove one Step from the list of Steps, then continue testing the directions.
Continue until the end is reached.

After working on this for a while, it was taking a really long time to run, so I added the places visited but rejected to another list, and didn't visit them again. There was another problem: it can't account for a shorter way between two visited points. Instead, work from the end to the start, and for each point, store the minimum steps required to reach it from the end. Where a new minimum is set, re-evaluate all paths from that point, but there's no point visiting any spaces with a lower score. Thinking about these rules, instead of keeping a list of steps visited, when setting a new minimum, add that space to a list of spaces to be evaluated, and continue until this list is empty.

import sys

movements = [
  lambda pos: (pos[0], pos[1] - 1), # up
  lambda pos: (pos[0] + 1, pos[1]), # right
  lambda pos: (pos[0], pos[1] + 1), # down
  lambda pos: (pos[0] - 1, pos[1]), # left
]  

class Terrain:
    def __init__(self, data):
        self.data = data
        self.width = len(self.data[0])
        self.height = len(self.data)
        self.size = self.width * self.height

    def __getitem__(self, pos):
        return self.data[pos[1]][pos[0]]

    def __setitem__(self, pos, val):
        self.data[pos[1]][pos[0]] = val

terrain = Terrain([
    [(1000 if c == 'S' else 26 if c == 'E' else ord(c) - ord('a')) for c in line[:-1]]
        for line in sys.stdin
])
scores = Terrain([
  [None] * terrain.width for i in range(terrain.height)
])

# I can't be bothered extracting these from the input
start = (0, 20)
end = (137, 20)

scores[end] = 0
to_evaluate = [end]

while len(to_evaluate):
    curr = to_evaluate.pop()
    score = scores[curr]
    for movement in movements:
        next = movement(curr)
        if next[0] < 0 or next[0] >= terrain.width \
                or next[1] < 0 or next[1] >= terrain.height:
            continue
        nextScore = scores[next]
        if terrain[curr] > terrain[next] + 1:
            # The step is too high
            continue
        if nextScore == None or nextScore > score + 1:
            scores[next] = score + 1
            to_evaluate.append(next)

print(scores[start])

For part two, as this loop runs, keep track of the lowest score where the elevation is the lowest.

16

This feels similar to day 12. Let class Valve have a flow rate, and a list of tunnels. Walk the graph as in the map in day 12 until the 30 minutes have passed, then backtrack and continue.

17

This one took way longer than it should have, because the unit test for hits was inadequate!

import sys
import itertools
import unittest

class Rock:
    def __init__(self, data):
        self.data = data
        self.width = max(len(d) for d in data)
        self.height = len(data)

rocks = itertools.cycle([
    # data is upside down
    Rock([[True, True, True, True]]),
    Rock([[False, True, False], [True, True, True], [False, True, False]]),
    Rock([[True, True, True], [False, False, True], [False, False, True]]), 
    Rock([[True], [True], [True], [True]]), 
    Rock([[True, True], [True, True]])
])

class Chamber:
    def __init__(self, rows = [], width = 7):
        # The chamber, where the bottom is index 0, the next is 1 etc
        self.rows = rows
        self.width = width

    # ypos is the height where rock[0] appears
    def hits(self, rock, xpos, ypos):
        if xpos < 0 or xpos > self.width - rock.width:
            return True
        for y in range(min(len(self.rows) - ypos, rock.height)):
            if next((True for a, b in zip(self.rows[y + ypos][xpos:], rock.data[y]) if a & b), False):
                return True
        return False
        
    def place(self, rock, xpos, ypos):
        self.rows += [[False] * self.width for n in range(self.height, ypos + rock.height)]
        for y, data in enumerate(rock.data):
            for x, val in enumerate(data):
                row = self.rows[y + ypos]
                row[xpos + x] = row[xpos + x] or val

    @property
    def height(self):
        return len(self.rows)

    def dump(self):
        for n in range(len(self.rows) - 1, -1, -1):
            print(''.join('#' if x else '.' for x in self.rows[n]))
        print()

class ChamberTestCase(unittest.TestCase):
    def test_hits(self):
        chamber = Chamber([[False, True, True, False]])
        rock = Rock([[True, False], [True, False]])
        self.assertTrue(chamber.hits(rock, 2, 0))
        self.assertFalse(chamber.hits(rock, 0, 0))
        # the rock is entirely outside the chamber
        self.assertFalse(chamber.hits(rock, 1, 1))

class ChamberPlaceTestCase(unittest.TestCase):
    def setUp(self):
        self.chamber = Chamber([
            [True, False, True, False],
            [True, False, False, False]
        ], width = 4)

    def test_place_over_existing(self):
        self.chamber.place(Rock([[True, False], [False, True]]), 2, 0)
        self.assertEqual(self.chamber.rows, [
            [True, False, True, False], [True, False, False, True]
        ])

    def test_place_over_new_row(self):
        self.chamber.place(Rock([[True, False], [False, True]]), 0, 1)
        self.assertEqual(self.chamber.rows, [
            [True, False, True, False],
            [True, False, False, False],
            [False, True, False, False]
        ])

unittest.main(exit=False)

jets = itertools.cycle([
    1 if c == '>' else -1 for c in sys.stdin.read() if c == '<' or c == '>'
])

chamber = Chamber()

for n in range(2022):
    rock = next(rocks)
    x = 2
    y = chamber.height + 3
    while True:
        newx = x + next(jets)
        x = x if chamber.hits(rock, newx, y) else newx
        if y == 0 or chamber.hits(rock, x, y - 1):
            break
        y = y - 1
    chamber.place(rock, x, y)

print(len(chamber.rows))

Cyber FastTrack 2020 Forensics RH01 challenge

Sat, 28 Mar 2020 00:00:00 +0000

This is the RH01 challenge from Cyber FastTrack Spring 2020.

We received this file, our analysts believe it is too random to be solved. Can you do anything with this?

the target file:

2b991035290d99b2fbf37fb54320ad6ce84b136d  rh01.zip

The program asks for three numbers, then produces a message that the numbers were wrong.

I haven't done much reverse engineering before, but knew about Ghidra, and blundered by way into opening the binary in that, searching for the last message, then looking at the routine which produces it. When you look at a routine in Ghidra, it shows a psuedo-C implementation of it, so I could see what was going on:

  FUN_000108a1("I\'m thinking of three random numbers, guess which three:");
  local_44 = 0;
  while (local_44 < 3) {
    printf("\nnumber %d:",local_44 + 1);
    __isoc99_scanf(&DAT_00010c21,local_20 + local_44 * 4);
    local_44 = local_44 + 1;
  }
  uVar2 = memcmp(&local_2c,local_20,0xc);
  iVar3 = memcmp(&local_2c,local_20,0xc);
  if (iVar3 != 0) {
    printf("\nI was actually thinking of %d, %d and %d.\n",local_2c,local_28,local_24);
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  FUN_0001070d(uVar2,uVar2);
  uVar2 = 0;
  if (local_14 != *(int *)(in_GS_OFFSET + 0x14)) {
    uVar2 = FUN_00010b40();
  }
  return uVar2;

What I think is going on:

Three numbers are typed in, they're stored as 4 bytes each after local_20. (It looks like the number is some local variable offset, perhaps relative to the stack pointer when the function is running.)
12 bytes are compared - those from the numbers typed in, to another 12 bytes where the first 4 is a number produced by rand(), but I don't know what's in the other 8 bytes.
The result of memcmp - which should be 0 if the numbers are correct - are passed to another function.

A good start is to simply replace the branch with one which doesn't exit. When I put the cursor on the comparison, I see a JNZ (jump if not zero) instruction. I used a hex editor to replace it (75 24) with a JZ (jump if zero) instruction (74 24).

This seems to have worked, but now displays some garbage after typing the numbers in. I suspect the flag is unscrambled using some of the numbers, by that last function. But if the number comparison succeeds, the memcmps will return 0, which are passed to that function. How can I change this?

The function call looks like:

        00010a73 ff 75 d4        PUSH       dword ptr [EBP + local_34]
        00010a76 ff 75 d8        PUSH       dword ptr [EBP + local_30]
        00010a79 e8 8f fc        CALL       FUN_0001070d

Two local numbers are pushed on to the stack, then the function is called. Perhaps I can put zeroes on the stack instead.

First I need the instructions for this. Can nasm easily do this, or does it require sections and other stuff I don't know much about? Let's see what happens:

$ echo 'push 0' > zero.asm
$ nasm -o zero zero.asm
$ hd zero
00000000  6a 00                                             |j.|

If I look at a x86 opcode table, 6a is indeed PUSH.

There original pushes were 6 bytes, now there are 4; something needs to fill the last two bytes. NOPs will do, which is the value 90.

So I'll replace:

ff 75 d4 ff 75 d8

with

6a 00 6a 00 90 90

and see what happens:

$ ./RH01
I'm thinking of three random numbers, guess which three:
number 1:1

number 2:1

number 3:1
Wait, how did you do that? I thought I was totally random...
Flag: Sow_The_Seeds_Of_Doubt

Not bad for a first effort!

Cyber FastTrack 2020 Forensics HF05 challenge

Fri, 27 Mar 2020 00:00:00 +0000

This is challenge HF05 from the Cyber FastTrack Spring 2020 challenges.

The challenge:

The attacker created a shared folder on the victims machine. Find this folder and give us the absolute path of the directory, including drive letter.

files.allyourbases.co/fi02.zip

These are the files:

$ sha1sum fi02.zip memory-image.vmem 
78c544a8e5cbb9764fd009760a7e4e3ae035db6a  fi02.zip
7ea854fc529c7517dedbdf0c287a3c4e2a7f3903  memory-image.vmem

Volatility is a memory forensics tool which apparently comes with Kali - I've never used any tools like this before, so that will do for startes.

It turns out it doesn't come with Kali. To get volatility working in Kali, I found it easiest to download it from the web site, extract it, and create an alias to it:

$ cd /tmp
$ wget 'http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip'
$ unzip volatility_2.6_lin64_standalone.zip 
$ cd volatility_2.6_lin64_standalone/
$ alias vol=/tmp/volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone

Start by identifying the image:

$ vol imageinfo -f memory-image.vmem 
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418

I'll guess Win7SP1x64 for starters. See whether this works:

$ vol --profile=Win7SP1x64 pslist -f memory-image.vmem 
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca1890 System                    4      0     89      480 ------      0 2019-09-05 14:39:08 UTC+0000                                 
0xfffffa8001a5b440 smss.exe                268      4      2       29 ------      0 2019-09-05 14:39:08 UTC+0000                                 
0xfffffa8002cadb30 csrss.exe               368    344      8      402      0      0 2019-09-05 14:39:23 UTC+0000                                 
0xfffffa8002d34b30 wininit.exe             420    344      3       74      0      0 2019-09-05 14:39:23 UTC+0000

Typing the --profile and -f is going to get annoying. These can go in environment files instead:

$ export VOLATILITY_PROFILE=Win7SP1x64
$ export VOLATILITY_LOCATION=file:///tmp/memory-image.vmem
$ vol pslist

The last command shows that the environment variables are working.

How can I find the share? Maybe the attacker used a console?

$ vol consoles

There's some things like IP addresses there, and commands which I guess disable the firewall:

c:\Users\Redacted\Desktop\IT Support Software>NetSh Advfirewall set allprofiles state off                                                     
Ok.

and the actual version of Windows (a quick search tells us it's Windows 7 service pack 1, so my guess might have been correct):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

but other than that, nothing stands out.

I guess Windows would keep its file shares in the registry. I used a web search to find out where these are, and tried to find that key:

$ vol printkey -K 'System\CurrentcontrolSet\Services\Lanmanserver\Shares'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched

That's no good... does that command work at all? I'll try something from the manual:

$ vol printkey -K 'Microsoft\Security Center\Svc'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Svc (S)
Last updated: 2019-09-05 14:41:28 UTC+0000

Subkeys:
  (V) Vol

Values:
REG_QWORD     VistaSp1        : (S) 128920218544262440
REG_DWORD     AntiVirusOverride : (S) 0

That seems to work. I notice that there's some CurrentControlSet stuff in the share query. I have a feeling that Windows somehow maps this somewhere else in the registry, which is correct. Searching for SYSTEM\ControlSet001 found nothing, but on a hunch I tried just ControlSet001:

$ vol printkey -K 'ControlSet001'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2019-09-05 21:58:26 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:

That's looking more interesting! Let's see whether that helps:

$ vol printkey -K 'Services\LanmanServer\Shares'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched

maybe just the end will do?

$ vol printkey -K 'Shares'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched

I also noticed what CurrentControlSet does:

$ vol printkey -K 'CurrentControlSet'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: CurrentControlSet (V)
Last updated: 2019-09-05 14:39:01 UTC+0000

Subkeys:

Values:
REG_LINK      SymbolicLinkValue : (V) \Registry\Machine\System\ControlSet001

I should have a closer look at the output: ControlSet001 lists a subkey of "services".

$ vol printkey -K 'ControlSet001\services'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: services (S)
Last updated: 2019-09-05 14:17:34 UTC+0000

Subkeys:
  (S) .NET CLR Data
  (S) .NET CLR Networking
...
  (S) KtmRm
  (S) LanmanServer
  (S) LanmanWorkstation
  (S) ldap
...

I'll keep digging:

$ vol printkey -K 'ControlSet001\services\LanmanServer'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: LanmanServer (S)
Last updated: 2009-07-14 04:53:33 UTC+0000

Subkeys:
  (S) Aliases
  (S) AutotunedParameters
  (S) DefaultSecurity
  (S) Linkage
  (S) Parameters
  (S) ShareProviders
  (S) Shares

Values:
REG_SZ        DisplayName     : (S) @%systemroot%\system32\srvsvc.dll,-100
REG_EXPAND_SZ ImagePath       : (S) %SystemRoot%\system32\svchost.exe -k netsvcs
REG_SZ        Description     : (S) @%systemroot%\system32\srvsvc.dll,-101
REG_SZ        ObjectName      : (S) LocalSystem
REG_DWORD     ErrorControl    : (S) 1
REG_DWORD     Start           : (S) 2
REG_DWORD     Type            : (S) 32
REG_MULTI_SZ  DependOnService : (S) ['SamSS', 'Srv', '', '']
REG_DWORD     ServiceSidType  : (S) 1
REG_MULTI_SZ  RequiredPrivileges : (S) ['SeChangeNotifyPrivilege', 'SeImpersonatePrivilege', 'SeAuditPrivilege', 'SeLoadDriverPrivilege', '', '']
REG_BINARY    FailureActions  : (S) 
0x00000000  80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00   .Q..............
0x00000010  14 00 00 00 01 00 00 00 60 ea 00 00 01 00 00 00   ........`.......
0x00000020  c0 d4 01 00 00 00 00 00 00 00 00 00               ............

$ vol printkey -K 'ControlSet001\services\LanmanServer\Shares'
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: Shares (S)
Last updated: 2019-09-05 15:02:37 UTC+0000

Subkeys:
  (S) Security

Values:
REG_MULTI_SZ  exfil           : (S) ['CSCFlags=0', 'MaxUses=4294967295', 'Path=c:\\recyc1e_bin', 'Permissions=63', 'ShareName=exfil', 'Type=0', '', '']

c:\recycle_bin is correct! I'm happy with about half an hour for a beginner, and I didn't hit any dead ends.

Cyber FastTrack 2020 Forensics FE01 challenge

Fri, 27 Mar 2020 00:00:00 +0000

This is a challenge from Cyber FastTrack Spring 2020, using the same image as FH05.

Take a look at the memory image provided and see if you can see what was written on Notepad while it was open on the user's screen.

A good place to start might be to look at the memory for notepad?

$ vol pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
...
0xfffffa8002642610 notepad.exe            2740    612      1       57      1      0 2019-09-05 15:33:20 UTC+0000

I'll start by dumping the memory:

$ mkdir dump
 vol procdump -D dump/ -p 2740
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8002642610 0x00000000ff410000 notepad.exe          OK: executable.2740.exe
$ xxd dump/executable.2740.exe |less
$ ls -al dump/executable.2740.exe 
-rw-r--r-- 1 kali kali 193536 Mar 26 16:48 dump/executable.2740.exe

Not too big. Normally I'd use strings on something like this, but Windows has a habit of using UTF-16 to store text, so I thought this command won't help - but the -el option does just that! It didn't show anything interesting though.

There's a screenshot command! That would be too easy if it worked...

$ mkdir shots
$ vol screenshot -D shots
Volatility Foundation Volatility Framework 2.6
Wrote shots/session_0.Service-0x0-3e4$.Default.png
Wrote shots/session_0.Service-0x0-3e5$.Default.png

No luck, but there is one image which shows where notepad and cmd.exe is on the display.

There's a wintree command, which shows the GUI components:

$ vol wintree
...
Untitled - Notepad (visible) notepad.exe:2740 Notepad
..#50188  notepad.exe:2740 6.0.7601.17514!msctls_statusbar32
..#501ca (visible) notepad.exe:2740 6.0.7601.17514!Edit
.Default IME  notepad.exe:2740 IME
.MSCTFIME UI  notepad.exe:2740 MSCTFIME UI

Maybe "edit" controls are what's used to enter text?

I spent a while trying to get the contents of the controls, then I wondered whether there was some memory not being dumped earlier, but no luck after an hour or so.

I looked through the list of commands (in the README, not the wiki) and noticed the editbox command:

 vol editbox
Volatility Foundation Volatility Framework 2.6
******************************
Wnd Context       : 1\WinSta0\Default
Process ID        : 2740
ImageFileName     : notepad.exe
IsWow64           : No
atom_class        : 6.0.7601.17514!Edit
value-of WndExtra : 0x350490
nChars            : 33
selStart          : 33
selEnd            : 33
isPwdControl      : False
undoPos           : 31
undoLen           : 3
address-of undoBuf: 0x354740
undoBuf           : qay
-------------------------
flag:noting_notes_in_a_noting_way

That's a bit annoying. I would like to know how to get this using more generic commands, but I don't know anything about Windows user interfaces and there would be plenty to learn there first. This does make sense that an older application like notepad would use the control itself for storing its data, so it wouldn't appear in the memory space.

Serial LIRC devices on recent Ubuntu releases

Wed, 28 Nov 2018 00:00:00 +0000

I tried to get a "homebrew" infrared receiver attached to the DCD line of a serial port working on Ubuntu Bionic. It seems that things have changed since Ubuntu 12.04, when I last had it working.

The changes ended up being:

The kernel modules are in the mainline kernel, but aren't supplied with Ubuntu
The LIRC driver's name has changed from "serial" to "default"

My first problem is that the receiver wasn't working in the first place. I attached a DSO Nano to the data line, and noticed that the signal didn't have a high enough voltage to trigger the serial port. The data sheet shows the receiver's output being a pull-up resistor with a transistor pulling the output low; maybe this serial port draws a particularly large amount of current. I wired a 2.2k resistor between the data line and VCC (which should be within the limits of the receiver), and everything works.

I tested it with this program, which displays a time when the DCD line changes:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
    
int die(const char* msg) {
  perror(msg);
  printf("%s\n", strerror(errno));
  exit(1);
}

int main(void) {
  int fd = open("/dev/ttyS0", 0);
  if (fd == -1)
    die("open");
  while (1) {
    struct timespec tm;
    ioctl(fd, TIOCMIWAIT, TIOCM_CD | TIOCM_RNG | TIOCM_DSR | TIOCM_CTS);
    if (clock_gettime(CLOCK_MONOTONIC, &tm) == -1)
      die("clock_gettime");
    printf("%ld\n", tm.tv_nsec);
  }
  close(fd);
  return 0;
}

(So why does LIRC need the kernel driver, if this works in userspace? I suspect it's because the LIRC API requires a timeout, which the ioctl doesn't support.)

LIRC's serial port support works by using a kernel module to read the hardware, and sends the output to /dev/lirc0. LIRC connects to this device to read the input. The LIRC userspace driver that does this is called "default" (it used to be called "serial").

It seems a few releases ago the drivers were upstreamed, and aren't supplied with Ubuntu. I got the driver installed with DKMS:

Create a working directory
Put the driver in it. (Choose the appropriate version for your kernel.)

Add this Makefile:

 obj-m += serial_ir.o

 all:
 	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

 clean:
 	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Add this dkms.conf:

 PACKAGE_NAME="lirc_serial_ir"
 PACKAGE_VERSION="4.15"
 CLEAN="rm -f *.*o"
 BUILT_MODULE_NAME[0]="serial_ir"
 DEST_MODULE_LOCATION[0]="/updates"
 AUTOINSTALL="no"

Run sudo dkms add .
Run sudo dkms install lirc_serial_ir/4.15.

Now run sudo modprobe lirc_serial. Run dmesg, and you should see:

[ 1627.908509] serial_ir serial_ir.0: port 03f8 already in use
[ 1627.908515] serial_ir serial_ir.0: use 'setserial /dev/ttySX uart none'
[ 1627.908516] serial_ir serial_ir.0: or compile the serial port driver as module and
[ 1627.908517] serial_ir serial_ir.0: make sure this module is loaded first
[ 1627.908532] serial_ir: probe of serial_ir.0 failed with error -16

To fix this, install the "setserial" package, and disable the serial port as the instructions say.

Try running mode2, and press some buttons on the remote:

$ sudo mode2 --driver default
Using driver default on device auto
Trying device: /dev/lirc0
Using device: /dev/lirc0
Running as regular user
space 504574
pulse 9015
space 4548
pulse 488

Sub 50 cent microcontrollers

Wed, 24 Oct 2018 00:00:00 +0000

$1 microcontrollers, pfft. What useful ones are around for under 50 cents?

The qualifications:

There needs to be adequate documentation
Programmamble with readly available (and cheap) hardware. This rules out a lot of ones from Megawin, Sinowealth and so on; while they have reasonable user manuals, there's no information on how to program them, short of buying a $20 programmer.
Are readily available. I ruled out parts only available from Taobao, for instance.

I was left with these:

The STM8S103. They're not the cheapest, but are readily available in the West. There's a cheaper STM8S003, but its flash is rated to only 100 writes, so it sounds like the idea is to develop for the S103 first.
The Nuvoton N76E003. It has loads of peripherals, and is pin compatible with the STM8S103.
The STC microcontrollers. Not quite as much bang for buck as the Nuvoton, and unavailable in the West, but come in 8 pin packages.

The Atmel ATtiny13 also qualifies, but I already know how to program those!

All should be programmable using SDCC, and either a ST-Link or USB-Serial dongle. I've purchased development boards for the STM8, Nuvoton and a STC15W204. I hope to try these out and write about them.

Schematic for the "Bustodephon" brushed motor electronic speed controller (ESC)

Thu, 13 Sep 2018 00:00:00 +0000

I tried drawing the schematic for the common "Bustophedon" electronic speed controllers (ESC) for brushed motors.

The circuit is fairly straightforward to follow. The zener diode based regulator for the receiver power is a bit surprising - I would have thought another regulator would have been cheap enough instead of several components. I'm guessing the separate supply is to shield the microcontroller from the receiver, especially since it would be easy to supply power from another ESC.

The microcontroller has no markings, but there are several very cheap microcontrollers which have a suitable pinout.

I'll have to analyze the microcontroller's output to see whether it does anything special.

The FlySky iBus protocol

Sun, 22 Oct 2017 00:00:00 +0000

This is the FlySky iBus protocol that I've gleaned from a blog post and a single library.

Data is transmitted as serial UART data, 115200bps, 8N1. A message is sent every 7 milliseconds. My receiver sends this over its white wire, and stops sending a few tenths of a second after the transmitter is switched off (unlike the PPM signal on the yellow wire, which keeps sending its last value).

The first byte is 0x20, the second is 0x40.

Next are 14 pairs of bytes, which is the channel value in little endian byte order. The FS-i6 is a 6 channel receiver, so it fills in the first 6 values. The remainder are set to 0x05DC. My transmitter sends values between 0x3E8 and 0x7D0.

Finally a 2 byte checksum is sent. It's in little endian byte order, it starts at 0xFFFF, from which every byte's value is subtracted except for the checksum.

I've written a library to decode this data. An Arduino could measure the time of the message start to improve detection of the message start. One problem using an Arduino is that the board will interfere with programming - a resistor (maybe 10k) on the data line should help.

Build a Jekyll blog with Travis CI without granting write access

Sun, 08 Oct 2017 00:00:00 +0000

With the demise of Openshift Online and its free tier, I was looking for somewhere else to host my blog. Even though it's a Jekyll blog, it does some image resizing, so I can't use Github's native builder. I should be able to use Travis CI though, then push them to another Github repository for Pages hosting.

The Travis instructions for Github Pages instructions suggest you use Github personal access tokens for authentication, but that seems to give write access to all of my Github repositories - which I don't want to do.

You will need the command line client installed and logged in.

Generate a key pair for Travis to use when pushing
```
 ssh-keygen -t rsa -b 4096 -f travis-key
```
Don't commit the generated files!
Create a repository on Github for the generated site to be pushed to. In that repository, go to Settings, Deploy keys, then Add deploy key. Copy in travis-key.pub which you generated in the previous step, check "Enable write access", then add the key.
The private key should be encrypted. From the blog repository:
```
 travis encrypt-file -r 33d/blog travis-key
```
where travis-key is one of the files created earlier by ssh-keygen.

This command will suggest you add a line to your before_install section - do that.
Put at the end of .travis.yml's before_install, to stop ssh-add complaining about the key's permissions:
```
 - chmod 400 ../travis-key
```

Add this to .travis.yml, to perform the Git push:

after_success:
 - eval "$(ssh-agent -s)"
 - ssh-add ../travis-key
 - git clone git@github.com:33d/blog-pages.git target
 - cp -pr _site/* target
 - git -C target checkout -b gh-pages
 - git -C target add .
 - git -C target commit -m "$( date --utc --iso-8601=seconds )"
 - git -C target push --force origin gh-pages

I use a different repository for this, because I don't want the build artifacts clogging the blog repository.

You can see my completed .travis.yml file.

Check that your flash memory isn't fake

Sat, 11 Jul 2015 00:00:00 +0000

Here's how I've checked that my flash memory (USB stick, SD card etc) isn't fake. The idea is to use a cipher to produce a psuedorandom stream, write its output to the flash memory, then genenrate the stream again comparing it to the card.

First, find out how big the flash is:

$ cat /proc/paritions
major minor  #blocks  name
...
8       16   30736384 sdb

Some quick maths tells me the block size is 1024 bytes. Next, use openssl to encrypt some zeroes, writing the output to the card:

$ dd if=/dev/zero bs=1024 count=30736384 | openssl enc -aes128 -k some-passworrd -nosalt | sudo tee /dev/sdb > /dev/null
30736384+0 records in
30736384+0 records out
31474057216 bytes (31 GB) copied, 989.076 s, 31.8 MB/s
tee: /dev/sdb: No space left on device

I don't know why it complains about no space, but the number of bytes written looks correct.

(Change some-password to some other word.) -nosalt prevents openssl writing a header, which contains the password salt. Because our encryption key (the some-password above) doesn't need to be secure, we don't care about it, and will stop the same stream being output next time.

Now check the result:

$ dd if=/dev/zero bs=1024 count=30736384 | openssl enc -aes128 -k some-password -nosalt | sudo cmp - /dev/sdb
30736384+0 records in
30736384+0 records out
31474057216 bytes (31 GB) copied, 367.183 s, 85.7 MB/s
cmp: EOF on /dev/sdb

If it hits the end without complaining about differences, what's on the card is what was produced again by the cipher stream, so the card contains the advertised flash chip.