This blog post is about a GNU/Linux rabbit hole I fell down in the belief I was chasing a mighty adventure. It was not nearly as adventurous as I had hoped, but I am nonetheless posting about it in case this information is helpful to someone else. My story begins with a purchase of four wireless gamepads from 8BitDo. I had done little research outside of scrolling past a few positive comments about their products on the Fediverse and viewing enough of their marketing materials to see that the controller I was interested in was supported by SteamOS. That was enough to encourage me to put in an order, so I did, and patiently awaited their arrival. When they were finally in my hands, I plugged two of them into my media center, hoping to play some Mario Kart with Oli. They were clearly working in some capacity because RetroArch pops up a toast when it detects that a controller has been plugged in, but something was wrong. I twiddled the analog sticks and I mashed the buttons. Nothing seemed to happen.
read more →
The background for this project is a lesson in avoiding dishonest vendors. Two
years ago, I was looking to purchase a smart watch with sleep tracking
capabilities; I've always had difficulty sleeping and wanted a way of
finally quantifying that difficulty. One of my requirements was the ability to
pull data off of the watch without the use of proprietary software, so the only
options I was seriously considering were those on Gadgetbridge's "supported
devices" list. At the time, I was still in high school, and still awed by the
affordability of consumer electronics on websites such as AliExpress (woefully
unaware of the ethical implications of supporting a totalitarian state's
economy). Moreover, I was somewhat capable of reading and writing 汉语, so the
Xiaomi Mi Band 2 fit the bill. I took to eBay to purchase one, finding a listing
for 10.99 USD with free shipping. I ordered it, and things were okay. That is,
until the package arrived.
read more →
It's typical for the younger sibling to look up to and mimic the older sibling,
which is apparently what happened while I was away at school. I'm self-hosting a
few services off of a Raspberry Pi B+ back at my parents' house, and when my
brother got a Pi of his own, he decided that he also wanted to use it for
self-hosting. Unfortunately, he doesn't know much about security, and
unintentionally did me the favor of setting up a honeypot.
read more →
If you're about my age and had a similarly dull upbringing, you probably also
have memories of playing video games behind a teacher's back whenever class
involved going to some sort of "computer lab." Flash games were the thing when I
was in elementary school, and when I was in middle school, I'd bring Quake with
me on a flash drive. By the time I was in high school, I'd realized that these
opportunities were better spent getting a head start on homework for other
classes, but I did have a few friends who still passed the time playing video
games. Rather than Flash games or Quake, though, these were browser games using
the new-fangled HTML5 canvas. I'd practically forgotten these games existed
until someone from my capture-the-flag team mentioned "krunker.io". Apparently
it's one of the more popular ones. It got me thinking about how I'd go about
writing cheats for a game in the browser. Writing cheats for CS:GO was a breeze,
so why would this be any harder? I had some time to spare over winter break, so
I decided to give it a go and see what kind of damage I could do.
read more →
This is the fourth and final set of solutions for my self-imposed challenge of completing
at least fifty of the exercises on Dennis Yurichev's challenges.re by the end of
the year. The previous set is available here.
read more →
This is the third set of solutions for my self-imposed challenge of completing
at least fifty of the exercises on Dennis Yurichev's challenges.re by the end of
the year. The previous set is available here.
read more →
This is the second set of solutions for my self-imposed challenge of completing
at least fifty of the exercises on Dennis Yurichev's challenges.re by the end of
the year. The first set is available here.
read more →
My long-lived hiatus from capture-the-flag has come to an end, as I got off my
ass this weekend to play in PlaidCTF 2019. Being a one-man team is pretty
lonely, but my old team wasn't playing, and even if they were, I don't know if I
would've wanted to make the commute just to play with them.
read more →
As mentioned in the (now deleted) post I wrote describing my plans for 2019, one
of my goals this year is to get through at least 50 of the exercises on Dennis
Yurichev's challenges.re. I've decided to document my progress in the form of
writeups for the challenges I complete, batched in sets of ten exercises. For
each challenge, I'll try to explain the intuitions that brought me closer to
answering the recurring question from Yurichev, "[w]hat does this code do?"
read more →
My capture-the-flag team played in the Insomni'hack teaser this year. During the
competition, I worked on a single challenge titled "sapeloshop." It was labeled
as "Medium-Hard," and it was in the binary exploitation category. The source
code for the server wasn't provided, so reverse engineering was necessary. I
don't think that having to reverse the binary was supposed to be the hard part,
as most of the behavior could have been inferred through some high-level
analysis, yet I spent nearly five hours fruitlessly trying to reverse it, and
the subsequent burnout was bad enough that I went home early. This wasn't the
first time a reversing task had gotten the best of me; there had been a few
competitions last year where I felt a similar loss in motivation. Noticing this
recurring pattern frustrated me, and that frustration drove me to think about
ways to improve myself as a reverse engineer.
read more →