-rw-r--r-- md/writeup.md | 23
-rw-r--r-- md/writeup/building_openwrt_for_rtl8196c.md | 116
-rw-r--r-- md/writeup/linux_keyboard_led.md | 43
-rw-r--r-- md/writeup/linux_pc_speaker.md | 42
-rw-r--r-- md/writeup/linux_shellcode.md | 51
-rw-r--r-- md/writeup/list_linux_elf_section_names.md | 66
-rw-r--r-- md/writeup/making_c_executables_smaller.md | 127
-rw-r--r-- md/writeup/openwrt_dependency_graph_drawing.md | 106
-rw-r--r-- md/writeup/rtl8196c_support_for_openwrt.md | 59
-rw-r--r-- md/writeup/sauerbraten_patching_and_cheating.md | 85
-rw-r--r-- md/writeup/scan_memory_for_variable.md | 144
11 files changed, 850 insertions, 12 deletions
diff --git a/md/writeup.md b/md/writeup.md index 806c3e6..a112bd7 100644 --- a/md/writeup.md +++ b/md/writeup.md @@ -30,7 +30,7 @@ title: Writeup page [Running disk images in QEMU](writeup/running_disk_images_in_qemu.md) [Mqueue IPC example](writeup/mqueue_ipc_example.md) [Swift OCR example](writeup/swift_ocr_example.md) -[Writing mount utility](writeup/writing_mount_utility.md) +<!--[Writing mount utility](writeup/writing_mount_utility.md)--> ## Projects 
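Review bot: the "Writing mount utility" entry is hidden behind an HTML comment instead of being removed, so the link text and target stay in the markdown and, with any renderer that passes raw HTML through, in the served page source as well; if the article is being withdrawn, delete the line, otherwise leave a one-word reason next to the comment so the next editor knows whether it may be restored.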
@@ -88,16 +88,15 @@ title: Writeup page [Hooking interrupt descriptor table](writeup/hooking_interrupt_descriptor_table.md) [Linux Format String Attack](writeup/linux_format_string_attack.md) [Linux Local Descriptor Table](writeup/linux_local_descriptor_table.md) - -[Linux PC speaker](http://archive.main.lv/writeup/linux_pc_speaker.html) -[Linux ShellCode 1](http://archive.main.lv/writeup/linux_shellcode_1.html) -[Linux keyboard LED](http://archive.main.lv/writeup/linux_keyboard_led.html) -[List ELF section names](http://archive.main.lv/writeup/list_elf_section_names.html) -[Making C executables smaller](http://archive.main.lv/writeup/making_c_executables_smaller.html) -[Sauerbraten patching and cheating](http://archive.main.lv/writeup/sauerbraten_patching_and_cheating.html) -[Scan memory for variable](http://archive.main.lv/writeup/scan_memory_for_variable.html) +[Linux PC speaker](writeup/linux_pc_speaker.md) +[Linux ShellCode](writeup/linux_shellcode.md) +[Linux keyboard LED](writeup/linux_keyboard_led.md) +[List ELF section names](writeup/list_linux_elf_section_names.md) +[Making C executables smaller](writeup/making_c_executables_smaller.md) +[Sauerbraten patching and cheating](writeup/sauerbraten_patching_and_cheating.md) +[Scan memory for variable](writeup/scan_memory_for_variable.md) ### Archive OpenWRT -[Building OpenWRT for RTL8196C](http://archive.main.lv/writeup/building_openwrt_for_rtl8196c.html) -[RTL8196C support for OpenWRT](http://archive.main.lv/writeup/rtl8196c_support_for_openwrt.html) -[OpenWRT dependency graph drawing](http://archive.main.lv/writeup/openwrt_dependency_graph_drawing.html) +[Building OpenWRT for RTL8196C](writeup/building_openwrt_for_rtl8196c.md) +[RTL8196C support for OpenWRT](writeup/rtl8196c_support_for_openwrt.md) +[OpenWRT dependency graph drawing](writeup/openwrt_dependency_graph_drawing.md) 
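Review bot: the "Linux ShellCode 1" entry is renamed to "Linux ShellCode" and pointed at writeup/linux_shellcode.md, while the Downloads URL inside that new file still uses the old linux_shellcode_1/ path; that is not wrong by itself, but the rename should be mentioned in the commit message so the mismatch between page slug and archive path is understood to be deliberate. The rest of the hunk (absolute archive.main.lv URLs replaced by relative .md links, one blank separator line dropped) is fine.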
diff --git a/md/writeup/building_openwrt_for_rtl8196c.md b/md/writeup/building_openwrt_for_rtl8196c.md new file mode 100644 index 0000000..19b5ed8 --- /dev/null +++ b/md/writeup/building_openwrt_for_rtl8196c.md 
@@ -0,0 +1,116 @@ +title: Building OpenWRT for RTL8196C +keywords: openwrt,rtl8196c + +# Building OpenWRT for RTL8196C + +In previous post there wasn't clearly described how to download +and compile sources for OpenWRT realtek release. Its not official +repository because not yet all things is updated with mainline +OpenWRT and not officially and OpenWRT port. To compile by your +self there is need to do some basic configuration of sources. + + +## Getting sources + +Fits of all need to get sources from git server. +There is some branches in git. But only one of them intended to +be used for non development purposes its "realtek-unstable" + +``` +git clone http://git.advem.lv/rtl819xx +cd ./rtl819xx/ +git branch -a +git checkout realtek-unstable +``` + +## Config in menuconfig + +There is supported only compilation with binutils 2.21.1 and +gcc-4.6.x-linaro. Now you should setup that options with menuconfig. + +``` +make menuconfig +``` + +This options should be set in main menu: + +__Target System__ as (Realtek RTL8xxx) +__Target Profile__ as (nprove) +__Advanced configuration options (for developers)__ switch on + +Now in __Advanced configuration options__ set __Toolchain Options__ +and there options for binutils and gcc as in image + +__Binutils Version__ as (binutils 2.21.1) +__GCC compiler Version__ as (gcc 4.6.x with Linaro enhancements) + +Last option to switch of is in main menu __Network__ +``` +firewall3 +odhcp6c +``` + +## Build + + +It could take some time to compile image. + +With some compiling output +``` +make V=s +``` + +Without extra output +``` +make +``` + +Compile in many threads +``` +make -j8 +``` + + + +Final image is inside bin/realtek + +## UPDATE +9 dec 2014 +as main manager that was involved in this "nprove brand" router development +based on 8196c/d chip changed job he dont invloved anymore in this project +as it was. Also domain nprove.in not belong to any who where involved +in this router development. 
Probably I can say that this try to port +realtek fake open source openwrt firmware to mainline openwrt is ended. +Also chanell on freenode.net/#nprove with main developer also can be +considered died. Also all this post now is for historical puropouses. If +someone interested i could try to get all this 8196c git repo sources and +put in archive. Maybe someone will continue development of 8196c chip +support for mainline openwrt not for fake-relatek-openwrt. + +8 jan 2015 +old repo from git.nprove.in moved to http://git.advem.lv/ + +30 apr 2015 +updated links + + +## Links +http://git.advem.lv/ +https://openwrt.org/ +https://forum.openwrt.org/viewtopic.php?id=46606 +http://main.lv/writeup/rtl8196c_support_for_openwrt.html +[DEAD]http://www.nprove.net/ +[linux-2.6.30.9.tar.xz](https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.9.tar.xz) +[usb-modeswitch-1.2.5.tar.bz2](http://pkgs.fedoraproject.org/repo/pkgs/usb_modeswitch/usb-modeswitch-1.2.5.tar.bz2/c393603908eceab95444c5bde790f6f0/) +[DEAD]https://downloads.nprove.in +[DEAD]https://git.nprove.in + +## Downloads +build_openwrt.tar.gz - +12KiB - http://archive.main.lv/files/writeup/building_openwrt_for_rtl8196c/build_openwrt.tar.gz + +## Images + +<a href=/img/building_openwrt_for_rtl8196c/menuconfig.png width="250"><img src="/img/building_openwrt_for_rtl8196c/menuconfig.png" style="width:40%" alt="OpenWRT menuconfig"></a> +<a href=/img/building_openwrt_for_rtl8196c/toolchain.png width="250"><img src="/img/building_openwrt_for_rtl8196c/toolchain.png" style="width:40%" alt="OpenWRT menuconfig"></a> + diff --git a/md/writeup/linux_keyboard_led.md b/md/writeup/linux_keyboard_led.md new file mode 100644 index 0000000..7217244 --- /dev/null +++ b/md/writeup/linux_keyboard_led.md 
@@ -0,0 +1,43 @@ +title: Linux keyboard LED +keywords: linux,keyboard,led + +# Linux keyboard LED +Send some bytes and flash LED on you keyboards.Run it under root. +There will no be any errors if something happens. + +Usage: +``` +./kbled [NumLock] [CapsLock] [ScrLock] +``` +``` +./kbled 0 0 0 +``` + +```c +#include <stdlib.h> +#include <fcntl.h> +#include <sys/syscall.h> +#include <linux/kd.h> + +int main( int argc , char **argv ) +{ + int rc,i; + if (argc != 4) exit(0); + + rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*64+7*8+7); //open cosole + if (rc == 0) rc = 1; + + i = (argv[1][0]-'0')*2+(argv[2][0]-'0')*4+(argv[3][0]-'0'); + ioctl( rc , KDSETLED , i ); + + return 0; +} +``` + + + + +## Downloads +kbled.tar.gz - +1KiB - http://archive.main.lv/files/writeup/linux_keyboard_led/kbled.tar.gz + diff --git a/md/writeup/linux_pc_speaker.md b/md/writeup/linux_pc_speaker.md new file mode 100644 index 0000000..1462c1c --- /dev/null +++ b/md/writeup/linux_pc_speaker.md @@ -0,0 +1,42 @@ +title:Linux PC speaker +keywords:pc,linux,speaker,c + +# Linux PC speaker +PC speaker can make sound you whant. Here is small PC speaker player. +Set notes , set time delay and you on. You should run this code under +root if nothing happens. + +```c +int main() +{ + int rc,i; + note *curent_song; + curent_song = song; + struct timespec t1; + rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*8*64+7*8+7); //open cosole + if (rc == 0) + rc = 1; + + ioctl( rc, KIOCSOUND , 0 ); + ioctl( rc , KDSETLED , 7 ); + + i = 0; + while ( curent_song[i].n != 0 ) + { + ioctl( rc , KIOCSOUND , curent_song[i].n ); + msleep( (curent_song[i].t) ); + ioctl( rc , KDSETLED , i&0x0007 ); + i++; + } + ioctl( rc , KDSETLED , 0 ); + ioctl( rc, KIOCSOUND , 0 ); + + return 0; +} +``` + + +## Downloads +linux_pc_speaker.zip - +5KiB - http://archive.main.lv/files/writeup/linux_pc_speaker/linux_pc_speaker.zip + 
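Review bot: in md/writeup/linux_pc_speaker.md the listing does not compile as shown: `note`, `song` and `msleep()` are used but never defined, `t1` is declared and unused, and there are no #include lines for syscall(), ioctl(), KIOCSOUND/KDSETLED or struct timespec; either paste the full source from linux_pc_speaker.zip or say in the text that this is an excerpt. The open() check has the same defect as in kbled: open returns -1 on failure, never 0 for an error, so `if (rc == 0) rc = 1;` catches nothing and a failed open becomes ioctl(-1, ...); test `rc < 0` and perror(). The "run under root if nothing happens" advice is really that KIOCSOUND and KDSETLED return EPERM unless the caller has CAP_SYS_TTY_CONFIG or owns that console, so say that and prefer the capability to a full root shell. Finally, the KIOCSOUND argument is a PIT divisor (1193180 / frequency in Hz), not a frequency, so the `n` field of each note must already be stored in that form; the text should say so.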
diff --git a/md/writeup/linux_shellcode.md b/md/writeup/linux_shellcode.md new file mode 100644 index 0000000..083a817 --- /dev/null +++ b/md/writeup/linux_shellcode.md @@ -0,0 +1,51 @@ +title:Linux ShellCode +keywords:linux,shellcode,c,assembler + +# Linux ShellCode +First shell code written from example. Shell code is very interesting +way how to execute some code.asm source: + +```asm +use32 +xor eax, eax +inc eax +xor ebx, ebx +int 80h +``` + +``` +fasm code.asm code.bin +``` +bin2hex output: + +``` +\x31\xc0\x40\x31\xdb\xcd\x80 +``` + +C source: +```c +#include <stdio.h> +char code[] = "\x31\xc0\x40\x31\xdb\xcd\x80"; +int main() +{ + void (*ret)(); + ret = (void (*)())code; + ret(); + printf("Nope it not working\n"); +} +``` +``` +gcc main.c -o main +``` +run +``` +./main +``` +nothing happens. That exactly that code do exits from programm + + + +## Downloads +linux_shell_code.zip - +4KiB - http://archive.main.lv/files/writeup/linux_shellcode_1/linux_shell_code.zip + diff --git a/md/writeup/list_linux_elf_section_names.md b/md/writeup/list_linux_elf_section_names.md new file mode 100644 index 0000000..0f45a4b --- /dev/null +++ b/md/writeup/list_linux_elf_section_names.md 
@@ -0,0 +1,66 @@ +title: List ELF section names +keywords: elf,sections,linux + +# List ELF section names +Every ELF (Executable Linux Format) file has standard structure. +There is section names that used to identify purpose of section. + +Here is example how to write all names of all ELF sections. + +Here is steps that we have taken: +1. Find String Table Section +2. Get all section names from string table section +3. Run trough all section an get names of sections + +First of all we need get ELF header (Elf32_Ehdr) from position 0. +ELF header have offset of section headers (Elf32_Ehdr.e_shoff). + +Sting table section have attributes with help us to recognize it: +1. string table section header address in memory (Elf32_Shdr.sh_addr) is 0 +2. its type (Elf32_Shdr.sh_type) is SHT_STRTAB = 3 +3. and it is first section with such attributes + +To get trough all sections we make for cycle. We can get number +of sections from (Elf32_Ehdr.e_shnum) . +we run all trough all sections and checking for 3 string table section +rules. + +```c +for ( iter_s=0; iter_s < ELFheader.e_shnum; iter_s++ ) + { + fseek( f, ELFheader.e_shoff+(ELFheader.e_shentsize*iter_s), SEEK_SET); + fread( &STRheader, ELFheader.e_shentsize, 1, f ); + if ((STRheader.sh_type == SHT_STRTAB) && + (STRheader.sh_addr == 0x00000000)) + { + //some code + iter_s=ELFheader.e_shnum+1; //this is to exit from for cycle + } + } +``` + +String table section has all section names as strings. Section name +is in (Elf32_Shdr.sh_name) as position number of strings first symbol. + +All string table values we read inside buffer + +```c +fseek( f, STRheader.sh_offset, SEEK_SET); +fread( STR_buffer, STRheader.sh_size, 1, f); +``` + +Now we can get section name with + +```c +printf("%s\n", STR_buffer+ITERheader.sh_name); +``` + +This is example code to get some info from ELF file. There is allot other +info that can be gained from ELF file. 
+ + + +## Downloads +elf_section_list.zip - +2KiB - http://archive.main.lv/files/writeup/list_elf_section_names/elf_section_list.zip + diff --git a/md/writeup/making_c_executables_smaller.md b/md/writeup/making_c_executables_smaller.md new file mode 100644 index 0000000..1fb5341 --- /dev/null +++ b/md/writeup/making_c_executables_smaller.md 
@@ -0,0 +1,127 @@ +title: Making C executables smaller +keywords:C,linux,elf,optimizations + +# Making C executables smaller +There are some simple things that can be done to make C executables as small as possible. +Here is some example code we will work with: + +```c +#include <SDL/SDL.h> + +char quit = 0; + +int main() +{ + SDL_Surface *screen,surface; + SDL_Event e; + SDL_Init( SDL_INIT_VIDEO ); + screen = SDL_SetVideoMode( 400, 400, 32, SDL_SWSURFACE ); + while(!quit) + while(SDL_PollEvent(&e)>0) + { + if(e.type==SDL_MOUSEBUTTONDOWN) quit=1; + if(e.type==SDL_KEYDOWN) quit=1; + } + SDL_Quit(); +} +``` + +Compile: +``` +gcc main.c -o main -lSDL +``` + +Size before: 5326 bytes +Execute command: +``` +strip main +``` + +strip is included in most unix systems. It deletes some info +symbols from executables + +Size after: 3532 bytes + + +You can also try sstrip which is advanced version of strip. +You can download it from +ELF kickers[2] webpage. + + +Execute command: + +``` +sstrip main +``` + +Size after: 1960 bytes + + +There are some others way to decrease size of program. +GC Masher[3] Allows to +brute force gcc options for smaller executable size. +I where using this options for gcsmaher + +``` +-O -O0 -O1 -O2 -O3 -Os +-ffast-math +-fomit-frame-pointer +-fauto-inc-dec +-mpush-args +-mno-red-zone +-mstackrealign +``` + +After running with this options executable size is 5175 bytes and best compiling options are all possible combination. +Combining with sstrip gives 1960 bytes. And there size where not reduced but some time there can be saved some bytes.Now we will change main function with + +```c +void _start() +``` + +and return change to +```c +asm ( \ + "movl $1,%eax\n" \ + "xor %ebx,%ebx\n" \ + "int $128\n" \ + ); +``` + +One other thing is to archive your executable and cat it with unpack shell script. + +```bash +a=/tmp/I;tail -n+2 $0|zcat>$a;chmod +x $a;$a;rm $a;exit +``` + +Best options and smallest size now is 563 byte. 
Nope this is not smallest size try to rename executable name to one symbol and you will get 4 extra bytes. + +``` +gcc -Os -ffast-math -fomit-frame-pointer +-fauto-inc-dec -mpush-args -mno-red-zone -c small.c; +ld -dynamic-linker /lib/ld-linux.so.2 small.o /usr/lib/libSDL.so -o small; +strip -s -R .comment -R .gnu.version small;sstrip small; +7z a -tGZip -mx=9 small.gz small > /dev/null; +cat unpack.header small.gz > small; +chmod a+x small;rm small.gz small.o +``` + + + + +Link to other resources source of example code[1]. + + +Author in link has 634 bytes. With his options I have 622 bytes and +using gcmasher i have 606 bytes. I have used his source in this compare. + + +## Links +http://users.utu.fi/tmwire/linux4k.html +http://www.muppetlabs.com/%7Ebreadbox/software/elfkickers.html +http://pouet.net/prod.php?which=18479 + +## Downloads +small_sdl_elf.zip - +2KiB - http://archive.main.lv/files/writeup/list_elf_section_names/elf_section_list.zip + diff --git a/md/writeup/openwrt_dependency_graph_drawing.md b/md/writeup/openwrt_dependency_graph_drawing.md new file mode 100644 index 0000000..49a5b80 --- /dev/null +++ b/md/writeup/openwrt_dependency_graph_drawing.md 
@@ -0,0 +1,106 @@ +title:OpenWRT dependency graph drawing +keywords:openwrt + +# OpenWRT dependency graph drawing +Here is script that show package compiled package dependencies of +OpenWrt packages. Script reads compiled packages dependencies and +generates GraphViz files and draws graph of all packaged dependencies. +This graph can be used to see how to remove unesesseray dependencies. +Practicaly this script was used to see how overall all system is +designed and if there is some circular dependencies. After there where +removed unnesesarry dependencies generated graph was used to see overall +system design. + + +*.ipk files are tar.gz archives and can be renamed as *.tar.gz and +opened with GUI or in terminal: + +``` +tar -xvf package.ipg +``` + +Structure of ipkg files is: + + +debian-binary - version +\data.tar.gz - here is all rootfs data files +\control.tar.gz + control - package info here is dependencies and package name. + +Here tree based on OpenWRT git commit of 24 May 2013 + +How to use script, first parametr of script is directory where is all +OpenWrt package files usualy it is under + +``` +openwrt-trunk/ + bin/ + platform-name/ + packages/ +``` + + +To use type + +``` +deptree.py system-path/openwrt-trunk/bin/platform-name/packages +``` + + +Output files comes in same directory where script where lunched +generated file name is: + +``` +deptree.dot +``` + +now convert dot file to pdf, psd, png: + + +``` +dot -Tps $(NAME).dot -o graph1.ps +dot -Tpdf $(NAME).dot -o graph1.pdf +dot -Tpng $(NAME).dot -o graph1.png +``` + + +All OpenWRT was default selected for default platform there is about +~152 of them the generated totaly 325 dependencies image + + +There where removed only one level deep dependencies there was +185 of then after first level deep dependencies where removed generated +image is little bit cleaner + + +Rules with dependecies where removed: + +``` +if (A depends on [B,C] and B depends on [C]) and + there is (edges A->B->C and A->C) 
then + dependency C can be removed from A +``` + + +## TODO: + +add more sophisticated graph algorith +add to remove more dependencies + + + + +## Links +https://openwrt.org/ +http://www.python.org/ +http://www.graphviz.org/ +http://en.wikipedia.org/wiki/Dependency_graph + +## Downloads +openwrt_dep_tree.tar.gz - +2KiB - http://archive.main.lv/files/writeup/openwrt_dependency_graph_drawing/openwrt_dep_tree.tar.gz + +## Images +<a href=/img/openwrt_dependency_graph_drawing/graph1.png width="250"><img src="/img/openwrt_dependency_graph_drawing/graph1.png" style="width:40%" alt="nprove router"></a> + +<a href=/img/openwrt_dependency_graph_drawing/graph1.png width="250"><img src="/img/openwrt_dependency_graph_drawing/graph1.png" style="width:40%" alt="nprove router"></a> diff --git a/md/writeup/rtl8196c_support_for_openwrt.md b/md/writeup/rtl8196c_support_for_openwrt.md new file mode 100644 index 0000000..7677879 --- /dev/null +++ b/md/writeup/rtl8196c_support_for_openwrt.md 
@@ -0,0 +1,59 @@ +title:RTL8196C support for OpenWRT +keywords:rtl8196c,openwrt + +# RTL8196C support for OpenWRT + +Current Linux kernel version 2.6.30. Kernel is with a lot +realtek patches for 819x chips. There is added basic support for 3g modems +out of the box. Release works fine on nprove devices. No others device +yet supported. + +## Issues: + +Fix gcc 4.6 problems with usb. +Fix problems with 8196d +Move from gcc 4.5 -> 4.8 +Move from Linux kernel 2.6.30 -> 3.10 +Move from binutils 2.21 -> 2.22 + + +## Future: + +Add other devices not only nprove one. +Long term goal is to add realtek 819x chips to upstream OpenWRT +Add support for as many as possible 3g sticks out of the box + +## Support: + +irc freenode.net #nprove (for nrpove devices or 819x chip related stuff) + +## UPDATE +9 dec 2014 +as main manager that was involved in this "nprove brand" router development +based on 8196c/d chip changed job he dont invloved anymore in this project +as it was. Also domain nprove.in not belong to any who where involved +in this router development. Probably I can say that this try to port +realtek fake open source openwrt firmware to mainline openwrt is ended. +Also chanell on freenode.net/#nprove with main developer also can be +considered died. Also all this post now is for historical puropouses. If +someone interested i could try to get all this 8196c git repo sources and +put in archive. Maybe someone will continue development of 8196c chip +support for mainline openwrt not for fake-relatek-openwrt. 
+ +8 jan 2015 +old repo from git.nprove.in moved to http://git.advem.lv/ + + +## Links +http://git.advem.lv/ +https://openwrt.org/ +https://forum.openwrt.org/viewtopic.php?id=46606 +[DEAD]http://www.nprove.net/ +[DEAD]https://downloads.nprove.in +[DEAD]https://git.nprove.in + +## Images + +<a href=/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg width="250"><img src="/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg" style="width:40%" alt="nprove router"></a> + +<a href=/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg width="250"><img src="/img/rtl8196c_support_for_openwrt/IMG_20130619_063208.jpg" style="width:40%" alt="nprove router"></a> diff --git a/md/writeup/sauerbraten_patching_and_cheating.md b/md/writeup/sauerbraten_patching_and_cheating.md new file mode 100644 index 0000000..dde5298 --- /dev/null +++ b/md/writeup/sauerbraten_patching_and_cheating.md 
@@ -0,0 +1,85 @@ +title:Sauerbraten patching and cheating +keywords:sauerbraten,patch,cheat,ban + +# Sauerbraten patching and cheating + +NOTE: Remember this patches is cheat/like and it is not good to play with others when this patches is added because they loose their enjoyment of game. Remember of FREEDOM to be banned. + + +sauerbraten is open source first person shooter. Also there is multi player +mode. I like time to time play sauerbraten. But I am not very good player. + +As game source is comes with game you can view it and add some patches that +can help get better scores in games. Usually it called cheating. +As this features/cheats is made by my self I don't think so. But in game admins +don't care =] about it. + +First of all this patches don't make game enjoyable for other players +that way sooner or later you will be banned. Every one have freedom to +be banned. + +First "allowed" cheat is recoil to 0 from any weapon + +in file src/fpsgame/game.h on line 333: + +```c +static const struct guninfo { short sound, attackdelay, damage, projspeed, part, kickamount, range; const char *name, *file; } guns[NUMGUNS] = + { + { S_PUNCH1, 250, 50, 0, 0, 0, 14, "fist", "fist" }, + { S_SG, 1400, 10, 0, 0, 20, 1024, "shotgun", "shotg" }, // *SGRAYS + { S_CG, 100, 30, 0, 0, 7, 1024, "chaingun", "chaing"}, + { S_RLFIRE, 800, 120, 80, 0, 10, 1024, "rocketlauncher", "rocket"}, + { S_RIFLE, 1500, 100, 0, 0, 30, 2048, "rifle", "rifle" }, + { S_FLAUNCH, 500, 75, 80, 0, 10, 1024, "grenadelauncher", "gl" }, + { S_PISTOL, 500, 25, 0, 0, 7, 1024, "pistol", "pistol" }, + { S_FLAUNCH, 200, 20, 50, PART_FIREBALL1, 1, 1024, "fireball", NULL }, + { S_ICEBALL, 200, 40, 30, PART_FIREBALL2, 1, 1024, "iceball", NULL }, + { S_SLIMEBALL, 200, 30, 160, PART_FIREBALL3, 1, 1024, "slimeball", NULL }, + { S_PIGR1, 250, 50, 0, 0, 1, 12, "bite", NULL }, + { -1, 0, 120, 0, 0, 0, 0, "barrel", NULL } + }; +``` + +changing sixths values all to 0 makes no recoil. 
+but if you change recoil to 1024 you can easily jump on the sky after shut. +Think what will see your on-line opponents? Someone if shutting from the skies. + +Not-flying rocket? Yes you can make it. +fourth field in structure is projspeed change it for rocket launcher to +0 and you can place your rockets on air. Bet I don't know what see others. +Only thing with that you will get ban for team-killing because team mates +are usually around you and they blow-up when colliding with rockets in air. + +Precision also is very nice but every one will notice that you shutting with shotgun +and chain-gun with precision like rifle. +In src/fpsgame/weapon.cpp on 130 line: + +```c +void offsetray(const vec &from, const vec &to, int spread, float range, vec &dest) + { + float f = to.dist(from)*spread/1000; + for(;;) + { + #define RNDD rnd(101)-50 + vec v(RNDD, RNDD, RNDD); + if(v.magnitude()>50) continue; + v.mul(f); + v.z /= 2; + dest = to; + dest.add(v); + vec dir = dest; + dir.sub(from); + dir.normalize(); + raycubepos(from, dir, dest, range, RAY_CLIPMAT|RAY_ALPHAPOLY); + return; + } + } +``` + +make + +```c +#define RNDD rnd(2)-1 +``` + +and it will work fine. diff --git a/md/writeup/scan_memory_for_variable.md b/md/writeup/scan_memory_for_variable.md new file mode 100644 index 0000000..c3903db --- /dev/null +++ b/md/writeup/scan_memory_for_variable.md 
@@ -0,0 +1,144 @@ +title:Scan memory for variable +keywords:memory,scan,variable + +# Scan memory for variable + +Someday ago I was playing one game. And as I not so often playing +games. I would like to change some variables in memory like ammo quantity +or health. May be it is not very interesting to play game with "cheating" +but there is much more interest to play with program. + + +In such play can help scanmem + + +Here is example of program that will help us to learn how to use scanmem: + +```c +#include <stdio.h> +#include <stdlib.h> + +unsigned int secret_dw = 1000; //variable to search +unsigned int tmp;//for input variable + + +int main() +{ + int i; + while ( secret_dw != -1 ) + { + scanf("%u",&tmp); + printf("secret_dw was %u \n",secret_dw); + secret_dw = tmp; + tmp = 0; // This is to prevent from detecting tmp variable position + } + printf("\bExit\n"); + return 0; +} +``` + +here only two variables one secret_dw for value that we will search +and second one tmp to save input. Also tmp will zeroed if not then we will +find tmp and secret_dw. + +compile example with + +`` +make +`` + +and run + +``` +./example +``` + +And in parallel run +``` +$ scanmem `pidof example` +scanmem version 0.11 +Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu +Copyright (C) 2006-2009 Tavis Ormandy +scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty'. +This is free software, and you are welcome to redistribute it +under certain conditions; type `show copying' for details. + +info: maps file located at /proc/1801/maps opened. +info: 5 suitable regions found. +Please enter current value, or "help" for other commands. + +As we searching 4 byte value of uint we defining it by setting up option +0> option scan_data_type int32 +``` + +Now we ready to start our game. At beginning we know our secret_dw value it is 1000 but we will not use it. 
+Type 1 in example + +``` +secret_dw was 1000 +``` + +in scanmem +``` +0> 1 +info: 01/05 searching 0x8049000 - 0x804a000...........ok +info: 02/05 searching 0xb763d000 - 0xb763e000...........ok +info: 03/05 searching 0xb7787000 - 0xb778a000...........ok +info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok +info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok +info: we currently have 58 matches. +``` + +As we can see 58 matches. WooHoo. Now type '1000'in example +1000 + +secret_dw was 1 + +in scanmem + +``` +58> 1000 +..........info: we currently have 2 matches. +``` + +only 2 now + +scanmem has also many built in commands you can see them when type help. +One of them is 'list'. Use it. +``` +2> list +[ 0] 0x8049680, 1000, [I32 ] +[ 1] 0xbf9f2dd8, 1000, [I32 ] +``` + +Here is list of matched variables. Number,address,value,size. By address we see that +our variable is with number 0. + +``` +2> set 0=999 +info: setting *0x8049680 to 0x3e7... +2> list +[ 0] 0x8049680, 1000, [I32 ] +[ 1] 0xbf9f2dd8, 1000, [I32 ] +``` + +Now our variable is with value 999. When you type list it may be little +bit confusing that values is the same. Go in example +12 + +secret_dw was 999 + +Yes. We have changed our variable. Our goal is completed. + +Scanmem webpage scanmem[1] + +Source contains programm outputs and example code. + + + +## Links +http://taviso.decsystem.org/scanmem.html + +## Downloads +scan_memory.tar.gz - +2KiB - http://archive.main.lv/files/writeup/scan_memory_for_variable/scan_memory.tar.gz
\ No newline at end of file |
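Review bot: in md/writeup/building_openwrt_for_rtl8196c.md the sources are fetched with `git clone http://git.advem.lv/rtl819xx` over plain HTTP, and the "Last option to switch of" step removes firewall3 and odhcp6c from the Network menu without saying why; an unauthenticated clone gives no assurance that the tree being built is the one the author tested, and an image built without firewall3 boots with no packet filter at all. Suggest an https URL or a pinned commit hash after `git checkout realtek-unstable`, a sentence explaining that the firewall is dropped for build reasons on this port, and a warning that the resulting image must not be put on a WAN-facing router as-is.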
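Review bot: in md/writeup/linux_keyboard_led.md the error handling `if (rc == 0) rc = 1;` is wrong: open(2) returns -1 on failure, not 0, so a failed open is passed straight to ioctl() and the program silently does nothing, which is what "There will no be any errors if something happens" admits; test `rc < 0`, report with perror(), and check the ioctl() return value too. The third argument `7*64+7*8+7` (0777) is only meaningful with O_CREAT and can be dropped, the hand-computed weights `*2`, `*4`, `*1` are exactly LED_NUM (0x02), LED_CAP (0x04) and LED_SCR (0x01) from linux/kd.h and should use those names, `argv[n][0]-'0'` should be range-checked, and the file needs `#include <unistd.h>` and `#include <sys/ioctl.h>` for syscall() and ioctl().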
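Review bot: in md/writeup/linux_shellcode.md the jump `ret = (void (*)())code; ret();` only works if the data segment holding `code[]` is mapped executable, and the assembly is 32-bit (`use32`, `int 80h`), so two things are unstated: on an x86_64 host the build line needs `gcc -m32`, and on any toolchain that maps .data non-executable (the default for a long time now) the call faults with SIGSEGV instead of the silent exit that "nothing happens" describes. Suggest putting the array in an executable section, e.g. `__attribute__((section(".text")))`, or mprotect()ing its page, and stating the expected result explicitly: exit status 0 and the printf never runs because `\x31\xc0\x40\x31\xdb\xcd\x80` is exit(0). The Downloads URL still points at the old linux_shellcode_1/ directory.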
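Review bot: in md/writeup/list_linux_elf_section_names.md the rule "first SHT_STRTAB section with sh_addr == 0" is a heuristic, not how the section-name table is found: the table is the section at index Elf32_Ehdr.e_shstrndx, and .strtab (symbol names) is also SHT_STRTAB with sh_addr 0, so depending on section order the loop can select the wrong table and print garbage; read e_shstrndx and use `break` instead of `iter_s=ELFheader.e_shnum+1`. None of the reads are checked against the file either: e_shoff, e_shentsize*e_shnum, sh_offset+sh_size and every sh_name must be bounds-checked (and STR_buffer sized to sh_size plus a terminating NUL) before `printf("%s\n", STR_buffer+ITERheader.sh_name)`, otherwise a crafted ELF reads past the buffer. Also, ELF expands to Executable and Linkable Format, not "Executable Linux Format".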
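Review bot: in md/writeup/making_c_executables_smaller.md the unpack header `a=/tmp/I;tail -n+2 $0|zcat>$a;chmod +x $a;$a;rm $a;exit` writes to and then executes a fixed, world-predictable path: any local user can pre-create /tmp/I (or a symlink there) so `>$a` clobbers whatever it points to, and between the write and the `$a` run another user can swap in their own binary, which then executes as the invoking user; use `a=$(mktemp)` if the demo is ever run outside a scratch box and say that the byte saving comes at that cost. Two smaller things: `SDL_Surface *screen,surface;` declares `surface` as a whole struct that is never used, and the Downloads link points at elf_section_list.zip from the ELF post instead of small_sdl_elf.zip.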
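Review bot: in md/writeup/openwrt_dependency_graph_drawing.md the extraction example `tar -xvf package.ipg` should read package.ipk (the text itself calls them *.ipk files), `$(NAME).dot` in the dot commands is make syntax pasted into a shell snippet (the script always writes deptree.dot, so `dot -Tpng deptree.dot -o graph1.png`), and "-Tps" produces PostScript, so "pdf, psd, png" should be "ps, pdf, png". The Images section also embeds the same graph1.png twice with alt text "nprove router" copied from the router post.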
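Review bot: in md/writeup/rtl8196c_support_for_openwrt.md the post states the kernel is 2.6.30 with vendor patches and lists "Move from Linux kernel 2.6.30 -> 3.10" only as a to-do; 2.6.30 dates from 2009 and has had no upstream security fixes for years, so a reader building this should be told plainly that the image ships an unmaintained kernel plus the vendor USB/3G stack and is a development target, not something to put on an internet-facing router. The same photo is embedded twice under Images.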
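Review bot: in md/writeup/sauerbraten_patching_and_cheating.md "game.h on line 333" and "weapon.cpp on 130 line" are given without a Sauerbraten release or revision, so they will not match other checkouts; name the version. The replacement `#define RNDD rnd(2)-1` yields only -1 or 0, so the offset is biased to one side rather than centred; `rnd(3)-1` (or simply 0, since the `v.magnitude()>50` test then always passes) gives the symmetric "no spread" the text describes.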
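Review bot: in md/writeup/scan_memory_for_variable.md the loop never checks the return of `scanf("%u",&tmp)`: on EOF or non-numeric input scanf leaves tmp untouched (0 after the first iteration), secret_dw is set to 0 every pass and the program spins printing "secret_dw was 0" forever; test for a return value of 1 and break otherwise. `secret_dw != -1` compares an unsigned with -1 (it works via conversion to UINT_MAX, but write UINT_MAX or use a signed type), and the `make` command is wrapped in two backticks, which does not open a fenced block. It would also help the reader to say why index 0 is the one to set: 0x8049680 lies in the first region, the binary's own data where the global secret_dw lives, while 0xbf9f2dd8 lies in the last, stack region.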