Update last articles

11 files changed, 850 insertions, 12 deletions

diff --git a/md/writeup.md b/md/writeup.md
index 806c3e6..a112bd7 100644
--- a/md/writeup.md
+++ b/md/writeup.md
@@ -30,7 +30,7 @@ title: Writeup page
 [Running disk images in QEMU](writeup/running_disk_images_in_qemu.md)  
 [Mqueue IPC example](writeup/mqueue_ipc_example.md)  
 [Swift OCR example](writeup/swift_ocr_example.md)  
-[Writing mount utility](writeup/writing_mount_utility.md)  
+<!--[Writing mount utility](writeup/writing_mount_utility.md)-->
 
 
 ## Projects
@@ -88,16 +88,15 @@ title: Writeup page
 [Hooking interrupt descriptor table](writeup/hooking_interrupt_descriptor_table.md)  
 [Linux Format String Attack](writeup/linux_format_string_attack.md)  
 [Linux Local Descriptor Table](writeup/linux_local_descriptor_table.md)  
-
-[Linux PC speaker](http://archive.main.lv/writeup/linux_pc_speaker.html)  
-[Linux ShellCode 1](http://archive.main.lv/writeup/linux_shellcode_1.html)  
-[Linux keyboard LED](http://archive.main.lv/writeup/linux_keyboard_led.html)  
-[List ELF section names](http://archive.main.lv/writeup/list_elf_section_names.html)  
-[Making C executables smaller](http://archive.main.lv/writeup/making_c_executables_smaller.html)  
-[Sauerbraten patching and cheating](http://archive.main.lv/writeup/sauerbraten_patching_and_cheating.html)  
-[Scan memory for variable](http://archive.main.lv/writeup/scan_memory_for_variable.html)  
+[Linux PC speaker](writeup/linux_pc_speaker.md)  
+[Linux ShellCode](writeup/linux_shellcode.md)  
+[Linux keyboard LED](writeup/linux_keyboard_led.md)  
+[List ELF section names](writeup/list_linux_elf_section_names.md)  
+[Making C executables smaller](writeup/making_c_executables_smaller.md)  
+[Sauerbraten patching and cheating](writeup/sauerbraten_patching_and_cheating.md)  
+[Scan memory for variable](writeup/scan_memory_for_variable.md)  
 
 ### Archive OpenWRT  
-[Building OpenWRT for RTL8196C](http://archive.main.lv/writeup/building_openwrt_for_rtl8196c.html)  
-[RTL8196C support for OpenWRT](http://archive.main.lv/writeup/rtl8196c_support_for_openwrt.html)  
-[OpenWRT dependency graph drawing](http://archive.main.lv/writeup/openwrt_dependency_graph_drawing.html)  
+[Building OpenWRT for RTL8196C](writeup/building_openwrt_for_rtl8196c.md)  
+[RTL8196C support for OpenWRT](writeup/rtl8196c_support_for_openwrt.md)  
+[OpenWRT dependency graph drawing](writeup/openwrt_dependency_graph_drawing.md)  
diff --git a/md/writeup/building_openwrt_for_rtl8196c.md b/md/writeup/building_openwrt_for_rtl8196c.md
new file mode 100644
index 0000000..19b5ed8
--- /dev/null
+++ b/md/writeup/building_openwrt_for_rtl8196c.md
@@ -0,0 +1,116 @@
+title: Building OpenWRT for RTL8196C
+keywords: openwrt,rtl8196c
+
+# Building OpenWRT for RTL8196C
+
+In previous post there wasn't clearly described how to download
+and compile sources for OpenWRT realtek release. Its not official
+repository because not yet all things is updated with mainline
+OpenWRT and not officially and OpenWRT port. To compile by your
+self there is need to do some basic configuration of sources.
+
+
+## Getting sources
+
+Fits of all need to get sources from git server.
+There is some branches in git. But only one of them intended to
+be used for non development purposes its "realtek-unstable"
+
+```
+git clone http://git.advem.lv/rtl819xx
+cd ./rtl819xx/
+git branch -a
+git checkout realtek-unstable
+```
+
+## Config in menuconfig
+
+There is supported only compilation with binutils 2.21.1 and
+gcc-4.6.x-linaro. Now you should setup that options with menuconfig.
+
+```
+make menuconfig
+```
+
+This options should be set in main menu:
+
+__Target System__ as (Realtek RTL8xxx)  
+__Target Profile__ as (nprove)  
+__Advanced configuration options (for developers)__ switch on  
+
+Now in __Advanced configuration options__ set __Toolchain Options__
+and there options for binutils and gcc as in image
+
+__Binutils Version__ as (binutils 2.21.1)  
+__GCC compiler Version__ as (gcc 4.6.x with Linaro enhancements)  
+
+Last option to switch of is in main menu __Network__
+```
+firewall3
+odhcp6c
+```
+
+## Build
+
+
+It could take some time to compile image.
+
+With some compiling output
+```
+make V=s
+```
+
+Without extra output
+```
+make
+```
+
+Compile in many threads
+```
+make -j8
+```
+
+
+
+Final image is inside bin/realtek
+
+## UPDATE
+9 dec 2014
+as main manager that was involved in this "nprove brand" router development
+based on 8196c/d chip changed job he dont invloved anymore in this project
+as it was. Also domain nprove.in not belong to any who where involved
+in this router development. Probably I can say that this try to port
+realtek fake open source openwrt firmware to mainline openwrt is ended.
+Also chanell on freenode.net/#nprove with main developer also can be
+considered died. Also all this post now is for historical puropouses. If
+someone interested i could try to get all this 8196c git repo sources and
+put in archive. Maybe someone will continue development of 8196c chip
+support for mainline openwrt not for fake-relatek-openwrt.
+
+8 jan 2015
+old repo from git.nprove.in moved to http://git.advem.lv/
+
+30 apr 2015
+updated links
+
+
+## Links
+http://git.advem.lv/  
+https://openwrt.org/  
+https://forum.openwrt.org/viewtopic.php?id=46606  
+http://main.lv/writeup/rtl8196c_support_for_openwrt.html  
+[DEAD]http://www.nprove.net/  
+[linux-2.6.30.9.tar.xz](https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.9.tar.xz)  
+[usb-modeswitch-1.2.5.tar.bz2](http://pkgs.fedoraproject.org/repo/pkgs/usb_modeswitch/usb-modeswitch-1.2.5.tar.bz2/c393603908eceab95444c5bde790f6f0/)  
+[DEAD]https://downloads.nprove.in  
+[DEAD]https://git.nprove.in  
+
+## Downloads
+build_openwrt.tar.gz - 
+12KiB - http://archive.main.lv/files/writeup/building_openwrt_for_rtl8196c/build_openwrt.tar.gz
+
+## Images
+
+<a href=/img/building_openwrt_for_rtl8196c/menuconfig.png width="250"><img src="/img/building_openwrt_for_rtl8196c/menuconfig.png" style="width:40%" alt="OpenWRT menuconfig"></a>
+<a href=/img/building_openwrt_for_rtl8196c/toolchain.png width="250"><img src="/img/building_openwrt_for_rtl8196c/toolchain.png" style="width:40%" alt="OpenWRT menuconfig"></a>
+
diff --git a/md/writeup/linux_keyboard_led.md b/md/writeup/linux_keyboard_led.md
new file mode 100644
index 0000000..7217244
--- /dev/null
+++ b/md/writeup/linux_keyboard_led.md
@@ -0,0 +1,43 @@
+title: Linux keyboard LED
+keywords: linux,keyboard,led
+
+# Linux keyboard LED
+Send some bytes and flash LED on you keyboards.Run it under root.
+There will no be any errors if something happens.
+
+Usage:
+```
+./kbled [NumLock] [CapsLock] [ScrLock]
+```
+```
+./kbled 0 0 0
+```
+
+```c
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <linux/kd.h>
+ 
+int main( int argc , char **argv )
+{
+    int rc,i;
+    if (argc != 4) exit(0);
+ 
+    rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*64+7*8+7); //open cosole
+    if (rc == 0) rc = 1;
+     
+    i = (argv[1][0]-'0')*2+(argv[2][0]-'0')*4+(argv[3][0]-'0');
+    ioctl( rc , KDSETLED , i );
+     
+    return 0;
+}
+```
+
+
+
+
+## Downloads
+kbled.tar.gz -
+1KiB - http://archive.main.lv/files/writeup/linux_keyboard_led/kbled.tar.gz
+
diff --git a/md/writeup/linux_pc_speaker.md b/md/writeup/linux_pc_speaker.md
new file mode 100644
index 0000000..1462c1c
--- /dev/null
+++ b/md/writeup/linux_pc_speaker.md
@@ -0,0 +1,42 @@
+title:Linux PC speaker
+keywords:pc,linux,speaker,c
+
+# Linux PC speaker
+PC speaker can make sound you whant. Here is small PC speaker player.
+Set notes , set time delay and you on. You should run this code under
+root if nothing happens.
+
+```c
+int main()
+{
+    int rc,i;
+    note *curent_song;
+    curent_song = song;
+    struct timespec t1;
+    rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*8*64+7*8+7); //open cosole
+    if (rc == 0)
+        rc = 1;
+     
+    ioctl( rc, KIOCSOUND , 0 ); 
+    ioctl( rc , KDSETLED , 7 );
+     
+    i = 0;
+    while ( curent_song[i].n != 0 )
+    {
+        ioctl( rc , KIOCSOUND , curent_song[i].n );
+        msleep( (curent_song[i].t) );
+        ioctl( rc , KDSETLED , i&0x0007 );
+        i++;
+    }
+    ioctl( rc , KDSETLED , 0 );
+    ioctl( rc, KIOCSOUND , 0 );
+     
+    return 0;
+}
+```
+
+
+## Downloads
+linux_pc_speaker.zip - 
+5KiB -  http://archive.main.lv/files/writeup/linux_pc_speaker/linux_pc_speaker.zip
+
diff --git a/md/writeup/linux_shellcode.md b/md/writeup/linux_shellcode.md
new file mode 100644
index 0000000..083a817
--- /dev/null
+++ b/md/writeup/linux_shellcode.md
@@ -0,0 +1,51 @@
+title:Linux ShellCode
+keywords:linux,shellcode,c,assembler
+
+# Linux ShellCode
+First shell code written from example. Shell code is very interesting
+way how to execute some code.asm source:
+
+```asm
+use32              
+xor eax, eax
+inc eax
+xor ebx, ebx
+int 80h
+```
+
+```
+fasm code.asm code.bin
+```
+bin2hex output:
+
+```
+\x31\xc0\x40\x31\xdb\xcd\x80
+```
+
+C source:
+```c
+#include <stdio.h>
+char code[] = "\x31\xc0\x40\x31\xdb\xcd\x80";
+int main()
+{
+  void (*ret)();
+  ret = (void (*)())code;
+  ret();
+  printf("Nope it not working\n");
+}
+```
+```
+gcc main.c -o main
+```
+run
+```
+./main
+```
+nothing happens. That exactly that code do exits from programm
+
+
+
+## Downloads
+linux_shell_code.zip - 
+4KiB - http://archive.main.lv/files/writeup/linux_shellcode_1/linux_shell_code.zip
+
diff --git a/md/writeup/list_linux_elf_section_names.md b/md/writeup/list_linux_elf_section_names.md
new file mode 100644
index 0000000..0f45a4b
--- /dev/null
+++ b/md/writeup/list_linux_elf_section_names.md
@@ -0,0 +1,66 @@
+title: List ELF section names
+keywords: elf,sections,linux
+
+# List ELF section names
+Every ELF (Executable Linux Format) file has standard structure.
+There is section names that used to identify purpose of section.
+
+Here is example how to write all names of all ELF sections.
+
+Here is steps that we have taken:  
+1. Find String Table Section  
+2. Get all section names from string table section  
+3. Run trough all section an get names of sections  
+
+First of all we need get ELF header (Elf32_Ehdr) from position 0.
+ELF header have offset of section headers (Elf32_Ehdr.e_shoff).
+
+Sting table section have attributes with help us to recognize it:  
+1. string table section header address in memory (Elf32_Shdr.sh_addr) is 0  
+2. its type (Elf32_Shdr.sh_type) is SHT_STRTAB = 3  
+3. and it is first section with such attributes  
+
+To get trough all sections we make for cycle. We can get number
+of sections from (Elf32_Ehdr.e_shnum) .
+we run all trough all sections and checking for 3 string table section
+rules.
+
+```c
+for ( iter_s=0; iter_s < ELFheader.e_shnum; iter_s++  )
+    {
+        fseek( f, ELFheader.e_shoff+(ELFheader.e_shentsize*iter_s), SEEK_SET);
+        fread( &STRheader, ELFheader.e_shentsize, 1, f );
+        if ((STRheader.sh_type == SHT_STRTAB) && 
+            (STRheader.sh_addr == 0x00000000))
+        {
+            //some code
+            iter_s=ELFheader.e_shnum+1; //this is to exit from for cycle
+        }
+    }
+```
+
+String table section has all section names as strings. Section name
+is in (Elf32_Shdr.sh_name) as position number of strings first symbol.
+
+All string table values we read inside buffer
+
+```c
+fseek( f, STRheader.sh_offset, SEEK_SET);
+fread( STR_buffer, STRheader.sh_size, 1, f);
+```
+
+Now we can get section name with
+
+```c
+printf("%s\n", STR_buffer+ITERheader.sh_name);
+```
+
+This is example code to get some info from ELF file. There is allot other
+info that can be gained from ELF file.
+
+
+
+## Downloads
+elf_section_list.zip - 
+2KiB - http://archive.main.lv/files/writeup/list_elf_section_names/elf_section_list.zip
+
diff --git a/md/writeup/making_c_executables_smaller.md b/md/writeup/making_c_executables_smaller.md
new file mode 100644
index 0000000..1fb5341
--- /dev/null
+++ b/md/writeup/making_c_executables_smaller.md
@@ -0,0 +1,127 @@
+title: Making C executables smaller
+keywords:C,linux,elf,optimizations
+
+# Making C executables smaller
+There are some simple things that can be done to make C executables as small as possible.
+Here is some example code we will work with:
+
+```c
+#include <SDL/SDL.h>
+ 
+char quit = 0;
+ 
+int main()
+{
+    SDL_Surface *screen,surface;
+    SDL_Event e;
+    SDL_Init( SDL_INIT_VIDEO );
+    screen = SDL_SetVideoMode( 400, 400, 32, SDL_SWSURFACE );
+    while(!quit)
+        while(SDL_PollEvent(&e)>0)
+        {
+            if(e.type==SDL_MOUSEBUTTONDOWN) quit=1;
+            if(e.type==SDL_KEYDOWN) quit=1;
+        }
+    SDL_Quit();
+}
+```
+
+Compile:
+```
+gcc main.c -o main -lSDL
+```
+
+Size before: 5326 bytes
+Execute command:
+```
+strip main
+```
+
+strip is included in most unix systems. It deletes some info
+symbols from executables
+
+Size after: 3532 bytes
+
+
+You can also try sstrip which is advanced version of strip.
+You can download it from 
+ELF kickers[2] webpage.
+
+
+Execute command:
+
+```
+sstrip main
+```
+
+Size after: 1960 bytes
+
+
+There are some others way to decrease size of program.
+GC Masher[3] Allows to
+brute force gcc options for smaller executable size.
+I where using this options for gcsmaher
+
+```
+-O  -O0  -O1  -O2  -O3  -Os
+-ffast-math
+-fomit-frame-pointer
+-fauto-inc-dec
+-mpush-args
+-mno-red-zone
+-mstackrealign 
+```
+
+After running with this options executable size is 5175 bytes and best compiling options are all possible combination. 
+Combining with sstrip gives 1960 bytes. And there size where not reduced but some time there can be saved some bytes.Now we will change main function with
+
+```c
+void _start()
+```
+
+and return change to
+```c
+asm ( \
+      "movl $1,%eax\n" \
+      "xor %ebx,%ebx\n" \
+      "int $128\n" \
+    );
+```
+
+One other thing is to archive your executable and cat it with unpack shell script.
+
+```bash
+a=/tmp/I;tail -n+2 $0|zcat>$a;chmod +x $a;$a;rm $a;exit
+```
+
+Best options and smallest size now is 563 byte. Nope this is not smallest size try to rename executable name to one symbol and you will get 4 extra bytes.
+
+```
+gcc -Os -ffast-math -fomit-frame-pointer 
+-fauto-inc-dec -mpush-args -mno-red-zone -c small.c;
+ld -dynamic-linker /lib/ld-linux.so.2 small.o /usr/lib/libSDL.so -o small;
+strip -s -R .comment -R .gnu.version small;sstrip small;
+7z a -tGZip -mx=9 small.gz small > /dev/null;
+cat unpack.header small.gz > small;
+chmod a+x small;rm small.gz small.o
+```
+
+
+
+
+Link to other resources source of example code[1].
+
+
+Author in link has 634 bytes. With his options I have 622 bytes and
+using gcmasher i have 606 bytes. I have used his source in this compare.
+
+
+## Links
+http://users.utu.fi/tmwire/linux4k.html  
+http://www.muppetlabs.com/%7Ebreadbox/software/elfkickers.html  
+http://pouet.net/prod.php?which=18479  
+
+## Downloads
+small_sdl_elf.zip -
+2KiB - http://archive.main.lv/files/writeup/list_elf_section_names/elf_section_list.zip
+
diff --git a/md/writeup/openwrt_dependency_graph_drawing.md b/md/writeup/openwrt_dependency_graph_drawing.md
new file mode 100644
index 0000000..49a5b80
--- /dev/null
+++ b/md/writeup/openwrt_dependency_graph_drawing.md
@@ -0,0 +1,106 @@
+title:OpenWRT dependency graph drawing
+keywords:openwrt
+
+# OpenWRT dependency graph drawing
+Here is script that show package compiled package dependencies of
+OpenWrt packages. Script reads compiled packages dependencies and
+generates GraphViz files and draws graph of all packaged dependencies.
+This graph can be used to see how to remove unesesseray dependencies.
+Practicaly this script was used to see how overall all system is
+designed and if there is some circular dependencies. After there where
+removed unnesesarry dependencies generated graph was used to see overall
+system design.
+
+
+*.ipk files are tar.gz archives and can be renamed as *.tar.gz and
+opened with GUI or in terminal:
+
+```
+tar -xvf package.ipg
+```
+
+Structure of ipkg files is:
+
+
+debian-binary - version  
+\data.tar.gz - here is all rootfs data files  
+\control.tar.gz  
+  control - package info here is dependencies and package name.  
+
+Here tree based on OpenWRT git commit of 24 May 2013
+
+How to use script, first parametr of script is directory where is all
+OpenWrt package files usualy it is under
+
+```
+openwrt-trunk/
+    bin/
+        platform-name/
+            packages/
+```
+
+
+To use type
+
+```
+deptree.py system-path/openwrt-trunk/bin/platform-name/packages
+```
+
+
+Output files comes in same directory where script where lunched
+generated file name is:
+
+```
+deptree.dot
+```
+
+now convert dot file to pdf, psd, png:
+
+
+```
+dot -Tps $(NAME).dot -o graph1.ps
+dot -Tpdf $(NAME).dot -o graph1.pdf
+dot -Tpng $(NAME).dot -o graph1.png
+```
+
+
+All OpenWRT was default selected for default platform there is about
+~152 of them the generated totaly 325 dependencies image
+
+
+There where removed only one level deep dependencies there was
+185 of then after first level deep dependencies where removed generated
+image is little bit cleaner
+
+
+Rules with dependecies where removed:
+
+```
+if (A depends on [B,C] and B depends on [C])    and
+    there is (edges A->B->C and A->C) then 
+        dependency C can be removed from A
+```
+
+
+## TODO:
+
+add more sophisticated graph algorith
+add to remove more dependencies
+
+
+
+
+## Links
+https://openwrt.org/  
+http://www.python.org/  
+http://www.graphviz.org/  
+http://en.wikipedia.org/wiki/Dependency_graph  
+
+## Downloads
+openwrt_dep_tree.tar.gz - 
+2KiB - http://archive.main.lv/files/writeup/openwrt_dependency_graph_drawing/openwrt_dep_tree.tar.gz
+
+## Images
+<a href=/img/openwrt_dependency_graph_drawing/graph1.png width="250"><img src="/img/openwrt_dependency_graph_drawing/graph1.png" style="width:40%" alt="nprove router"></a>
+
+<a href=/img/openwrt_dependency_graph_drawing/graph1.png width="250"><img src="/img/openwrt_dependency_graph_drawing/graph1.png" style="width:40%" alt="nprove router"></a>
diff --git a/md/writeup/rtl8196c_support_for_openwrt.md b/md/writeup/rtl8196c_support_for_openwrt.md
new file mode 100644
index 0000000..7677879
--- /dev/null
+++ b/md/writeup/rtl8196c_support_for_openwrt.md
@@ -0,0 +1,59 @@
+title:RTL8196C support for OpenWRT
+keywords:rtl8196c,openwrt
+
+# RTL8196C support for OpenWRT
+
+Current Linux kernel version 2.6.30. Kernel is with a lot
+realtek patches for 819x chips. There is added basic support for 3g modems
+out of the box. Release works fine on nprove devices. No others device
+yet supported.
+
+## Issues:
+
+Fix gcc 4.6 problems with usb.  
+Fix problems with 8196d  
+Move from gcc 4.5 -> 4.8  
+Move from Linux kernel 2.6.30 -> 3.10  
+Move from binutils 2.21 -> 2.22  
+
+
+## Future:
+
+Add other devices not only nprove one.
+Long term goal is to add realtek 819x chips to upstream OpenWRT
+Add support for as many as possible 3g sticks out of the box
+
+## Support:
+
+irc freenode.net #nprove (for nrpove devices or 819x chip related stuff)
+
+## UPDATE
+9 dec 2014  
+as main manager that was involved in this "nprove brand" router development
+based on 8196c/d chip changed job he dont invloved anymore in this project
+as it was. Also domain nprove.in not belong to any who where involved
+in this router development. Probably I can say that this try to port
+realtek fake open source openwrt firmware to mainline openwrt is ended.
+Also chanell on freenode.net/#nprove with main developer also can be
+considered died. Also all this post now is for historical puropouses. If
+someone interested i could try to get all this 8196c git repo sources and
+put in archive. Maybe someone will continue development of 8196c chip
+support for mainline openwrt not for fake-relatek-openwrt.
+
+8 jan 2015  
+old repo from git.nprove.in moved to http://git.advem.lv/
+
+
+## Links
+http://git.advem.lv/  
+https://openwrt.org/  
+https://forum.openwrt.org/viewtopic.php?id=46606  
+[DEAD]http://www.nprove.net/  
+[DEAD]https://downloads.nprove.in  
+[DEAD]https://git.nprove.in  
+
+## Images
+ 
+<a href=/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg width="250"><img src="/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg" style="width:40%" alt="nprove router"></a>
+
+<a href=/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg width="250"><img src="/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg" style="width:40%" alt="nprove router"></a>
diff --git a/md/writeup/sauerbraten_patching_and_cheating.md b/md/writeup/sauerbraten_patching_and_cheating.md
new file mode 100644
index 0000000..dde5298
--- /dev/null
+++ b/md/writeup/sauerbraten_patching_and_cheating.md
@@ -0,0 +1,85 @@
+title:Sauerbraten patching and cheating
+keywords:sauerbraten,patch,cheat,ban
+
+# Sauerbraten patching and cheating
+
+NOTE: Remember this patches is cheat/like and it is not good to play with others when this patches is added because they loose their enjoyment of game. Remember of FREEDOM to be banned.
+
+
+sauerbraten is open source first person shooter. Also there is multi player
+mode. I like time to time play sauerbraten. But I am not very good player.
+
+As game source is comes with game you can view it and add some patches that
+can help get better scores in games. Usually it called cheating.
+As this features/cheats is made by my self I don't think so. But in game admins
+don't care =] about it.
+
+First of all this patches don't make game enjoyable for other players
+that way sooner or later you will be banned. Every one have freedom to
+be banned.
+
+First "allowed" cheat is recoil to 0 from any weapon
+
+in file src/fpsgame/game.h on line 333:
+
+```c
+static const struct guninfo { short sound, attackdelay, damage, projspeed, part, kickamount, range; const char *name, *file; } guns[NUMGUNS] = 
+ { 
+ { S_PUNCH1, 250, 50, 0, 0, 0, 14, "fist", "fist" }, 
+ { S_SG, 1400, 10, 0, 0, 20, 1024, "shotgun", "shotg" }, // *SGRAYS 
+ { S_CG, 100, 30, 0, 0, 7, 1024, "chaingun", "chaing"}, 
+ { S_RLFIRE, 800, 120, 80, 0, 10, 1024, "rocketlauncher", "rocket"}, 
+ { S_RIFLE, 1500, 100, 0, 0, 30, 2048, "rifle", "rifle" }, 
+ { S_FLAUNCH, 500, 75, 80, 0, 10, 1024, "grenadelauncher", "gl" }, 
+ { S_PISTOL, 500, 25, 0, 0, 7, 1024, "pistol", "pistol" }, 
+ { S_FLAUNCH, 200, 20, 50, PART_FIREBALL1, 1, 1024, "fireball", NULL }, 
+ { S_ICEBALL, 200, 40, 30, PART_FIREBALL2, 1, 1024, "iceball", NULL }, 
+ { S_SLIMEBALL, 200, 30, 160, PART_FIREBALL3, 1, 1024, "slimeball", NULL }, 
+ { S_PIGR1, 250, 50, 0, 0, 1, 12, "bite", NULL }, 
+ { -1, 0, 120, 0, 0, 0, 0, "barrel", NULL } 
+ };
+```
+
+changing sixths values all to 0 makes no recoil.
+but if you change recoil to 1024 you can easily jump on the sky after shut.
+Think what will see your on-line opponents? Someone if shutting from the skies.
+
+Not-flying rocket? Yes you can make it.
+fourth field in structure is projspeed change it for rocket launcher to
+0 and you can place your rockets on air. Bet I don't know what see others.
+Only thing with that you will get ban for team-killing because team mates
+are usually around you and they blow-up when colliding with rockets in air.
+
+Precision also is very nice but every one will notice that you shutting with shotgun
+and chain-gun with precision like rifle.
+In src/fpsgame/weapon.cpp on 130 line:
+
+```c
+void offsetray(const vec &from, const vec &to, int spread, float range, vec &dest) 
+   { 
+       float f = to.dist(from)*spread/1000; 
+       for(;;) 
+       { 
+           #define RNDD rnd(101)-50 
+           vec v(RNDD, RNDD, RNDD); 
+           if(v.magnitude()>50) continue; 
+           v.mul(f); 
+           v.z /= 2; 
+           dest = to; 
+           dest.add(v); 
+           vec dir = dest; 
+           dir.sub(from); 
+           dir.normalize(); 
+           raycubepos(from, dir, dest, range, RAY_CLIPMAT|RAY_ALPHAPOLY); 
+           return; 
+       } 
+   }
+```
+
+make
+
+```c
+#define RNDD rnd(2)-1
+```
+
+and it will work fine. 
diff --git a/md/writeup/scan_memory_for_variable.md b/md/writeup/scan_memory_for_variable.md
new file mode 100644
index 0000000..c3903db
--- /dev/null
+++ b/md/writeup/scan_memory_for_variable.md
@@ -0,0 +1,144 @@
+title:Scan memory for variable
+keywords:memory,scan,variable
+
+# Scan memory for variable
+
+Someday ago I was playing one game. And as I not so often playing
+games. I would like to change some variables in memory like ammo quantity
+or health. May be it is not very interesting to play game with "cheating"
+but there is much more interest to play with program.
+
+
+In such play can help scanmem
+
+
+Here is example of program that will help us to learn how to use scanmem:
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+ 
+unsigned int secret_dw = 1000; //variable to search
+unsigned int tmp;//for input variable
+ 
+ 
+int main()
+{
+    int i;
+    while ( secret_dw != -1 )
+    {
+        scanf("%u",&tmp);
+        printf("secret_dw was %u \n",secret_dw);
+        secret_dw = tmp;
+        tmp = 0; // This is to prevent from detecting tmp variable position
+    }
+    printf("\bExit\n");
+    return 0;
+}
+```
+
+here only two variables one secret_dw for value that we will search
+and second one tmp to save input. Also tmp will zeroed if not then we will
+find tmp and secret_dw.
+
+compile example with
+
+``
+make
+``
+
+and run
+
+```
+./example
+```
+
+And in parallel run
+```
+$ scanmem `pidof example`
+scanmem version 0.11
+Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu
+Copyright (C) 2006-2009 Tavis Ormandy
+scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty'.
+This is free software, and you are welcome to redistribute it
+under certain conditions; type `show copying' for details.
+
+info: maps file located at /proc/1801/maps opened.
+info: 5 suitable regions found.
+Please enter current value, or "help" for other commands.
+
+As we searching 4 byte value of uint we defining it by setting up option
+0> option scan_data_type int32
+```
+
+Now we ready to start our game. At beginning we know our secret_dw value it is 1000 but we will not use it.
+Type 1 in example
+
+```
+secret_dw was 1000
+```
+
+in scanmem
+```
+0> 1
+info: 01/05 searching  0x8049000 -  0x804a000...........ok
+info: 02/05 searching 0xb763d000 - 0xb763e000...........ok
+info: 03/05 searching 0xb7787000 - 0xb778a000...........ok
+info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok
+info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok
+info: we currently have 58 matches.
+```
+
+As we can see 58 matches. WooHoo. Now type '1000'in example
+1000
+
+secret_dw was 1
+
+in scanmem
+
+```
+58> 1000
+..........info: we currently have 2 matches.
+```
+
+only 2 now
+
+scanmem has also many built in commands you can see them when type help.
+One of them is 'list'. Use it.
+```
+2> list
+[ 0]            0x8049680, 1000, [I32 ]
+[ 1]           0xbf9f2dd8, 1000, [I32 ]
+```
+
+Here is list of matched variables. Number,address,value,size. By address we see that
+our variable is with number 0.
+
+```
+2> set 0=999
+info: setting *0x8049680 to 0x3e7...
+2> list
+[ 0]            0x8049680, 1000, [I32 ]
+[ 1]           0xbf9f2dd8, 1000, [I32 ]
+```
+
+Now our variable is with value 999. When you type list it may be little
+bit confusing that values is the same. Go in example
+12
+
+secret_dw was 999
+
+Yes. We have changed our variable. Our goal is completed.
+
+Scanmem webpage scanmem[1]
+
+Source contains programm outputs and example code.
+
+
+
+## Links
+http://taviso.decsystem.org/scanmem.html  
+
+## Downloads
+scan_memory.tar.gz -
+2KiB - http://archive.main.lv/files/writeup/scan_memory_for_variable/scan_memory.tar.gz
\ No newline at end of file