Introduction

Ridiculously awesome hacker 'zine by Manul Laphroaig (pastor@phrack.org)

"PoC||GTFO (Proof of Concept or Get The F*ck Out) follows in the tradition of Phrack and Uninformed by publishing on the subjects of offensive security research, reverse-engineering, and file format internals.  Until now, the journal has only been available online or printed and distributed for free at hacker conferences worldwide."

• PoC||GTFO - Complete Volume 1 (Issues 0-8)  Printed via No Starch Press  (PDF)
• PoC||GTFO - Complete Volume 2 (Issues 9-13)  Printed via No Starch Press  (PDF)  (EPUB)
• PoC||GTFO - Complete Volume 3 (Issues 14-18)  Printed via No Starch Press  (PDF)

PoC||GTFO Archives

"Because if burning a book is a sin - which it surely is! - then copying of a book is your sacred duty." --- Rt. Revd. Pastor Manul Laphroaig

• Archive #1  by Arrigo Triulzi
• Archive #2  by Ange Albertini
• Archive #3  by Solar Designer
• Archive #4  by Evan Sultanik
• Archive #5  by unpack.debug.su
• Archive #6  by pocorgtfo.hacke.rs
• Archive #7  by ewans.net
• Archive #8  by Michael Ossmann
• Archive #9  by defuse.ca
• Archive #10  by mirror.adversec.com
• Archive #11  by bobson.ludost.net
• Archive #12  by forsooth.org
• Archive #13  by i.killswitch.pw
• Archive #14  by insomniac.slackware.it
• Archive #15  by pirate-server.com
• Archive #16  by pocorgtfo.br0ken.cloud
• Archive #17  by Chaos Computer Club
• Archive #18  by 0x00string.com
• Archive #19  by shellspace.net
• Archive #20  by mcfp.felk.cvut.cz
• Archive #21  by hanyr.ax
• Archive #22  by the-collective.net
• Archive #23  by chimbosonic.com

Links & Notes

• File Polyglottery; or, This Proof of Concept is Also a Picture of Cats  by Evan Sultanik - BSides Philly 2017  (Slides)
• Josh 'm0nk' Thomas - GitHub  (Atredis Partners)
• Ange Albertini - GitHub  (Corkami)
• Philippe Teuwen - GitHub  (YobiWiki)
• Mickey Shkatov - GitHub  (Eclypsium)
• Ryan "ElfMaster" O'Neill - GitHub  (Bitlackeys)
• Micah Elizabeth Scott - GitHub  (Scanlime, Twitter, YouTube Channel)
• Ange Albertini - Speaker Deck  
• Spread Spectrum Hacking: Attacking the Globalstar Simplex Data Service  by Colby Moore - Black Hat 2015
• OMG-WTF-PDF [PDF Ambiguity and Obfuscation]  by Julia Wolf, Senior security researcher at FireEye's Malware Intelligence Labs   (1.2M PDF)
• Project Burner - Report & Findings  by Josh Thomas / Monkworks  (1M PDF)
• Even More Tamagotchis Were Harmed in the Making of this Presentation  by Natalie Silvanovich  (9.1M PDF)
• PoC||GTFO-Style Polyglot PDF/ZIP File  Showing you how to create those polyglot PDF/ZIP files that the International Journal of Proof of Concept or Get The F*ck Out has.  by Coding with Gego/XAREN  (YouTube)
• Kill MD5 - Demystifying Hash Collisions  by Ange Albertini  (YouTube)
• Generating Weird Files  Generating mocks, polyglots, near polyglots with Mitra.  Presented at Pass the SALT 2021, by Ange Albertini &nbps;(YouTube)
• Exploiting Hash Collisions  by Ange Albertini  BlackAlps17  (YouTube)  (Slides)
• Funky File Formats  by Ange Albertini  CCC 31C3  (YouTube)
• File Polyglottery or This Proof of Concept is Also a Picture of Cats  by Evan Sultanik  BSidesPhilly 2017  (YouTube)
• Assembly Language is Too High Level  by XlogicX  DEFCON 25  (YouTube)
• A Tourist's Guide to the ARM Cortex-M3  by Travis Goodspeed and Ryan Speers  BSides Knoxville  (YouTube)
• The Superabundant Benedictions of Programming an Absurd NES Game  by Evan Sultanik  (YouTube)
• PoC||GTFO Fundraiser For Masks For Docs
• PoC||GTFO Evangelist  Neighbors, I am a bot created by @ESultanik.  I post curated sentences auto-generated from a Markov model trained on the Proof of Concept or GTFO Bible and the King James Bible.
• The Hardware Hacking Handbook  Breaking embedded security with hardware attacks, by Jasper van Woudenberg, Colin O'Flynn
• Paged Out!  Free experimental (one article == one page) technical magazine about programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.
• tmp.0ut  New magazine for ELF-lovers.
• "We number with BCD in honor of the HP48 calculator's floating point implementation, which matches decimal rounding errors.  0x0A, &c., are reserved for special issues in the future ;-)"  --- Comment on PoC||GTFO issue numbering scheme by Evan Sultanik.

The PDF files can be "unzipped" and include bonus material and other surprises.  See the spoilers for more information.

# This is how to convert an issue for duplex printing. # Use A3 / 11"x17" size paper $ sudo apt-get install pdfjam $ pdfbook --short-edge --vanilla --paper a3paper pocorgtfoXX.pdf -o pocorgtfoXX-book.pdf

Printing Instructions:  Pirate print runs of this journal are most welcome, but please do it properly!  PoC||GTFO is to be printed duplex, then folded and stapled in the center.  Print on A3 paper in Europe and Tabloid (11" x 17") paper in Samland.  Secret government labs in Canada may use P3 (280 mm x 430 mm) if they like.  The outermost sheet should be on thicker paper to form a cover.

"First they ignore you, then they threaten to sue you, then they deny the vulnerability, then you p0wn them."

    --- With apologies to Mahatma Gandhi

  PoC||GTFO - Issue 0x00

International Journal of PoC || GTFO - Issue 0x00, a CFP with PoC

August 5, 2013 | 279k PDF | md5sum: d74949bc9ca4dc265dbf2ff540fe6837 | Archive.org Entry

1. Call to Worship  - An Epistle from the desk of Rt. Revd. Pastor Manul Laphroaig.
2. iPod Anti-Forensics  - How to build your own anti-forensics hard disk out of an iPod by simple patching of the open-source Rockbox firmware.  The result is an USB disk, which still plays music, but which will also self-destruct if forensically imaged, by Travis Goodspeed
• Building an Actively Anti-Forensic iPod  by Travis Goodspeed  SkyDogCON 2013  (YouTube)
3. ELFs Are Dorky, Elves Are Cool  - Some nifty tricks for abusing the differences in ELF dialect between exec() and ld.so producing a file that is both a library and an executable, by Sergey Bratus and Julian Bangert
4. The Pastor Manul Laphroaig's First Epistle to Hacker Preachers of All Hats  In the sincerest hope that we might shut up about hats, and get back to hacking.
5. Returning From ELF to libc  - A trick for returning from the ELF loader into a libc function by abuse of the IFUNC symbol, by Rebecca ".bx" Shapiro
6. GTFO or #FAIL  - An adventure with Barnaby Jack, one which features a golden vending machine and some healthy advice to get the f*ck out of Abu Dhabi, by FX of Phenoelit
7. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Rt. Revd. Pastor Manul Laphroaig

Editor at Large...............Rt. Revd. Pastor M.L. Dept. of Bringing APT Home....Cultural attaché of the 41st Directorate Dept. of Fail.................FX of Phenoelit Ethics Board..................The Grugq Dept. of Busting BS...........pipacs Poet Laureate.................Ben Nagy Dept. of Rejections...........Academic Refugee Dept. of Drama................Xbf Dept. of PHY..................Michael Ossmann

  PoC||GTFO - Issue 0x01

Proceedings of the Society of PoC || GTFO - Issue 0x01

October 6, 2013 | 3.8M PDF/ZIP | Includes | md5sum: 151bb48f35895ba75e3c5f4b89b1ba87 | Archive.org Entry

1. Call to Worship  - An Epistle to the 10th H2HC in São Paulo.  From the writing desk, not the raven, of Rt. Revd. Preacherman Pastor Manul Laphroaig.
2. Four Lines of JavaScript That Can't Possibly Work. So Why Do They?  - Four lines of JavaScript seem to produce random bytes, but that can't possibly be right.  If you disagreewith him - POC||STFU, by Dan Kaminsky
3. Weird Machines From Serena Butler's TV Typewriter  - A thought experiment in which Ada Lovelace and Serena Butler fight on opposite sides of the Second War on General Purpose Computing using Don Lancaster's TV Typewriter as ammunition, by Travis Goodspeed
4. Making a Multi-Windows PE  - Nifty trick for creating a Windows Portable Executable (PE) file that is interpreted differently by Windows XP/7/8, by Ange Albertini
5. This ZIP is Also a PDF  - Demonstrates on four napkins how to make a PDF file that is also a ZIP file, by Julia Wolf  (OMG-WTF-PDF)
6. Burning a Phone  - How to permanently brick an Android phone by screwing around with its voltage regulators in quick kernel patch, by Josh "@m0nk" Thomas  (Project Burner - Report & Findings)
7. A Sermon Concerning the Divinity of Languages; or, Dijkstra Considered Racist  - The divinity of programming languages, from PHP to BASIC.  Following along with a little scripture and a lot of liquor, we'll see that every language has a little something special to make it worth learning and teaching - except Java, by Rt. Rvd. Pastor Manul Laphroaig
8. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Rt. Rvd. Pastor Manul Laphroaig

Editor at Large...............Rt. Revd. Preacherman Pastor M.L. Dept. of Bringing APT Home....Cultural attaché of the 41st Directorate Dept. of Fail.................FX of Phenoelit Ethics Board..................The Grugq Dept. of Busting BS...........pipacs Poet Laureate.................Ben Nagy Dept. of Rejections...........Academic Refugee Dept. of Drama................Xbf Dept. of PHY..................Michael Ossmann

$ unzip -v pocorgtfo01.pdf Archive: pocorgtfo01.pdf warning [pocorgtfo01.pdf]: 3505149 extra bytes at beginning or within zipfile (attempting to process anyway) Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 224 Defl:X 152 32% 2013-09-28 12:53 3b9c266e README.txt # This file. 2099 Defl:X 779 63% 2013-09-19 07:25 2fdfe17e bootme.fd # Maybe you should boot this? 5641 Defl:X 1526 73% 2013-09-24 08:53 e1def4c0 consts.inc 5653 Defl:X 1712 70% 2013-09-24 08:53 7ec4d914 relocOSdet.asm # yasm -o relocOSdet.exe relocOSdet.asm 10599 Defl:X 3789 64% 2013-09-24 08:53 5f2b52c0 vcode2.txt # One of the articles cited by Ange, from Valhalla #3. 278598 Defl:X 276364 1% 2013-09-19 07:25 cd0ed2ff pocorgtfo00.pdf -------- ------- --- ------- 302814 284322 6% 6 files

  PoC||GTFO - Issue 0x02

Children's Bible Coloring Book of PoC || GTFO - Issue 0x02

December 28, 2013 | 14.1M PDF/ZIP/MBR | Includes | md5sum: 39e5658e24a08e786955af1f4d7e2852 | Archive.org Entry

1. Call to Worship  - An Epistle to the 30th CCC Congress in Hamburg.  Composed by the Rt. Revd. Pastor Manul Laphroaig to put pwnage before politics.
2. A Parable on the Importance of Tools; or, Build Your Own F*cking Birdfeeder  - Preaches that in the tradition of Noah and of Howard Hughes, we should build our own birdfeeders, by Rt. Rvd. Pastor Manul Laphroaig
3. A PGP Matryoshka Dool  - RFC 4880 gives just enough room to encode an LZ-compression quine within a message, and the PGP interpreter is just 'smart' enough to keep decoding it 'till the cows come home, by Brother Myron Aub
4. Reliable Code Execution on a Tamagothi  - Techniques for reliably dropping shellcode into the Tamagotchi's 'Virtual Pet' 6502 controller from malicious plugin cartridges, by Natalie Silvanovich  (44CON Video, CCC 23C3 Video, CCC 30C3 Video & Slides)
5. Some Shellcode Tips for MSP430 and Related MCUs  - Learn how to combine a Write and a Checksum primitive with weirder properties of Flash memory into a bitwise Read primitive when exploiting microcontrollers, how to NOP-out instructions without erasing Flash pages, and how to use bootloader ROMs for a return-to-libc attack, by Travis Goodspeed
6. Calling putchar() From an ELF Weird Machine  - Shows you how to call putchar() from an ELF Weird Machine without having any of your own native code, by Rebecca ".bx" Shapiro
7. POKE of Death for the TRS-80 Model 100  - Explains why POKE 62975, 0 will brick a TRS-80 Model 100 until that poor machine is put out its misery by a cold reset, by Dave Weinstein
8. This OS is also a PDF  - Curious readers might want to run qemu-system-i386 -fda pocorgtfo02.pdf in order to experience all the neighborliness that this issue has to offer, by Ange Albertini
9. A Vulnerability in Reduced Dakarand from PoC||GTFO 01:02  - A response and potential exploit to Dan Kaminsky's 4-line JavaScript RNG in Issue 0x01, joernchen of Phenoelit
10. Juggernauty  - Ben Nagy's latest masterpiece, sure to get you, dear reader, on all sorts of watchlists.  We half-heartedly apologize in advance to any of our readers at spooky agencies who have to explain having this magazine to their employers, by Ben Nagy
11. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Rt. Revd. Pastor Manul Laphroaig

Editor at Large...............Rt. Revd. Pastor M.L. Dept. of Bringing APT Home....Cultural attaché of the 41st Directorate Dept. of Funky File Formats...Ange Albertini Dept. of Fail.................FX of Phenoelit Ethics Board..................The Grugq Dept. of Busting BS...........pipacs Poet Laureate.................Ben Nagy Dept. of Drama................Xbf Dept. of PHY..................Michael Ossmann

# PoC or GTFO Issue 0x02 # by Rt. Rvd. Pastor Manul Laphroaig and Friends # You have been eaten by a grue. Sorry. $ file pocorgtfo02.pdf pocorgtfo02.pdf: DOS/MBR boot sector; partition 1 : ID=0xcc, active 0xcc, start-CHS (0x3cc,204,12), end-CHS (0x3cc,204,12), startsector 3435973836, 3435973836 sectors; partition 2 : ID=0xcc, active 0xcc, start-CHS (0x3cc,204,12), end-CHS (0x3cc,204,12), startsector 3435973836, 3435973836 sectors; partition 3 : ID=0xcc, active 0xcc, start-CHS (0x3cc,204,12), end-CHS (0x3cc,204,12), startsector 3435973836, 3435973836 sectors; partition 4 : ID=0xcc, active 0xcc, start-CHS (0x3cc,204,12), end-CHS (0x3cc,204,12), startsector 3435973836, 3435973836 sectors $ unzip -v pocorgtfo02.pdf Archive: pocorgtfo02.pdf warning [pocorgtfo02.pdf]: 8016414 extra bytes at beginning or within zipfile (attempting to process anyway) Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 852 Defl:X 487 43% 2013-12-06 09:25 0fc440e1 README.txt # Bet you don't know what's in here! 6794 Defl:X 3480 49% 2013-12-06 09:25 4b385f76 coda.txt # Ray Bradbury's afterward to Fahrenheit 451 20164 Defl:X 8528 58% 2013-12-06 09:25 962bd958 feeling.txt # The Feeling of Power by Isaac Asimov 12618 Defl:X 5474 57% 2013-12-06 09:25 fcda0efb harrison.txt # Harrison Bergeron by Kurt Vonnegut, Jr 0 Stored 0 0% 2013-12-06 09:25 00000000 02/pgpquine/ # Code for producing Brother Myron Aub's PGP quine 275 Defl:X 157 43% 2013-12-06 09:25 2790c077 pgpquine/Makefile 1006 Defl:X 451 55% 2013-12-06 09:25 674094dc pgpquine/inflate.c 5323 Defl:X 1336 75% 2013-12-06 09:25 37ca5711 pgpquine/quine.c 203706 Defl:X 56538 72% 2013-12-06 09:25 79ba361f rfc4880.txt # OpenPGP Message Format 2046109 Defl:X 2008069 2% 2013-12-06 09:25 95b8c390 tamagotchi.zip # Tamagotchi hacks 15565 Defl:X 6602 58% 2013-12-06 09:25 cf9bdba0 thewub.txt # Beyond Lies the Wub by Philip K. Dick 278598 Defl:X 276364 1% 2013-08-05 06:06 cd0ed2ff pocorgtfo00.pdf 3790438 Defl:X 3723466 2% 2013-10-12 19:47 c9220017 pocorgtfo01.pdf -------- ------- --- ------- 6381448 6090952 5% 13 files $ qemu-system-i386 -fda pocorgtfo02.pdf ____ ____ ___ ____ | __ ) ___| / _ \/ ___| | _ \___ \| | | \___ \ | |_) |__) | |_| |___) | |____/____/ \___/|____/ Berliner Spargel Operating System Mein Deutsch is nicht so gut, aber es ist Spargel zeit! by Travis Goodspeed m -- Memory Viewer a -- About This is a minimal operating system by Travis Goodspeed for 16-bit Real Mode 8086 on an IBM PC. It was written in order to learn about the 8086, and it quite likely will serve no use for you. It is free without any strings attached, but please give credit were credit is due if you fork it. Also, and this is very important, you should use the included hex viewer to poke around this machine's memory. The boot sector at 0000:7C000 is likely a good place to start.

  PoC||GTFO - Issue 0x03

AN ADDRESS to the SECRET SOCIETY of POC || GTFO concerning THE GOSPEL OF THE WEIRD MACHINES and also THE SMASHING OF IDOLS TO BITS AND BYTES by the Rt. Revd. Dr. PASTOR MANUL LAPHROAIG

March 2, 2014 | 26.8M PDF/ZIP/JPG/AES(PNG) | Includes | md5sum: b90e36dbd5f192723c84c7ad002a616e | Archive.org Entry

1. Call to Worship  
2. Greybeard's Luck  - Condemns the New Math and its modern equivalents.  The only way one can truly learn how a computer works is by smashing these idols down to bits and bytes, by Rt. Revd. Dr. Pastor Manul Laphroaig
3. This PDF is a JPEG; or, This Proof of Concept is a Picture of Cats  - Demonstrates how the PDF and JPEG portions work.  Readers will be pleased to discover that renaming pocorgtfo03.pdf to pocorgtfo03.jpg is all that is required to turn the entire issue into one big cat picture!, by Ange Albertini
4. NetWatch: System Managment Mode is Not Just for Governments  - System Management Mode (SMM) backdoor and using SMM to hide PCI devices from the operating system and to build a GDB stub that runs within SMM despite certain limitations of the IA32 architecture, by Joshua Wise and Jacob Potter
5. An Advanced Mitigation Bypass for Packet-in-Packet; or, I'm Burning Ø-Day to Use the Phrase 'Eighth of a Nybble' in Print  - Three mitigation bypasses for a PIP defense that was published at Wireless Days.  The first two aren't terribly clever, but the third is a whopper.  The attacker can bypass the defense's filter by sending symbols that become the intended message when left-shifted by one eighth of a nybble.  What the hell is an eighth of a nybble, you ask?  RTFP to find out, by Travis Goodspeed
6. Prototyping a RDRAND Backdoor in Bochs  - Nifty little PoC for Bochs that hooks the RDRAND instruction in order to backdoor /dev/urandom on Linux 3.12.8.  It works by observing the stack in order to cancel out the other sources of entropy, by Taylor Hornby
7. Patching Kosher Firmware for Nokia 2720  - How to patch a feature phone in order to create a Kosher Phone that can't be used to access porn.  Along the way, he'll teach you a thing or two about how to bypass the minimal protections of Nokia 1208 feature phone's firmware, by Assaf Nativ
8. Tetranglix: This Tetris is a Boot Sector  - A complete implementation of Tetris in a 512-byte x86 bootsector, by Juhani Haverinen, Owen Shepherd, and Shikhin Sethi
• Tetranglix  A bootable 512-byte Tetris clone.
9. Defusing the Qualcomm Dragon  - How to explore undocumented eFuse settings in Qualcomm SoC security, which can serve as a basis for further understanding of Secure Boot 3.0 and other pieces of the secure boot sequence, by Josh "m0nk" Thomas
10. Tales of Python's Encoding  - A nifty obfuscation trick for Python.  It seems that ROT-13 is a valid character encoding!  Stranger encodings, such as compressed ones, might also be possible, by Frederik Braun
11. A Binary Magic Trick, Angecryption  - Neighbor Albertini wasn't content to merely do one crazy concoction for this file.  If you unzip the PDF, you will find a Python script that encrypts the entire file with AES to produce a PNG file!, by Ange Albertini and Jean-Philippe Aumasson
12. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Rt. Revd. Dr. Pastor Manul Laphroaig

Technical Note:  This file, pocorgtfo03.pdf, complies with the PDF, JPEG, and ZIP file formats.  When encrypted with AES in CBC mode with an IV of 5B F0 15 E2 04 8C E3 D3 8C 3A 97 E7 8B 79 5B C1 and a key of Manul Laphroaig!, it becomes a valid PNG file.  Treated as single-channel raw audio, 16-bit signed little-endian integer, at a sample rate of 22,050 Hz, it contains a 2400 baud AFSK transmission.

$ file pocorgtfo03.pdf pocorgtfo03.pdf: JPEG image data, JFIF standard 1.01, resolution (DPI), density 199x199, segment length 16, comment: "", progressive, precision 8, 1715x888, components 3 $ unzip -v pocorgtfo03.pdf Archive: pocorgtfo03.pdf warning [pocorgtfo03.pdf]: 12224072 extra bytes at beginning or within zipfile (attempting to process anyway) Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 2561 Defl:X 1266 51% 2014-02-09 23:23 1cd771a3 alexander.txt 7848 Defl:X 2438 69% 2014-02-08 13:20 8a6a8638 bochs-2.6.2.patch 6135 Defl:X 2213 64% 2014-02-08 13:21 29c418e5 bochs-20140203.patch 7248 Defl:X 6970 4% 2014-02-09 01:35 004f8d8a defusing.zip 4830 Defl:X 2510 48% 2013-12-01 08:48 de2558ee despair.txt 14892 Defl:X 5919 60% 2013-11-27 12:03 c0544467 lasta.txt 26325 Defl:X 10767 59% 2014-02-07 14:06 fdc977f0 lastq.txt 473449 Defl:X 473001 0% 2014-02-07 14:06 54e11d4c netwatch-337f8b1.tar.gz 131930 Defl:X 127770 3% 2014-02-24 13:32 0de4adf4 nokiacipher.png 14645 Defl:X 8926 39% 2014-02-17 11:52 35c18990 packed 2129 Defl:X 989 54% 2014-02-07 14:06 02b0f193 saucers.txt 3144 Defl:X 1399 56% 2014-02-07 14:06 536812c9 tamadec.txt 6227 Stored 6227 0% 2014-02-07 14:06 091d21e7 tetranglix.tar.bz2 14109425 Defl:X 13873772 2% 2014-02-07 14:06 5215c937 pocorgtfo02.pdf 322 Defl:X 234 27% 2014-03-02 18:28 050a8bf4 pocorgtfo03-encrypt.py -------- ------- --- ------- 14811110 14524401 2% 15 files > trid.exe pocorgtfo03.pdf TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello Definitions found: 5279 Analyzing... Collecting data from file: pocorgtfo03.pdf 71.4% (.MP3) MP3 audio (ID3 v1.x tag) (2500/1/1) 28.5% (.MP3) MP3 audio (1000/1)

  

  

  PoC||GTFO - Issue 0x04

TRACT de la SOCIÉTÉ SECRÈTE de POC || GTFO sur L'ÉVANGILE DES MACHINES ÉTRANGES et autres SUJETS TECHNIQUES par le prédicateur PASTEUR MANUL LAPHROAIG

June 27, 2014 | 56.8M PDF/TrueCrypt/ZIP | Includes | md5sum: 895598b7946d5b11adedad2e574b2b24 | Archive.org Entry

1. Call to Worship
2. First Epistle Concerning the Bountiful Seeds of Ø-Day  - Epistle concerning the bountiful seeds of zero-day, from which all clever and nifty things come.  The preacherman tells us that the mechanism - not the target! - is what distinguishes the interesting exploits from the mundane, by Pastor Manul Laphroig
3. This OS is a Boot Sector  - The first in a series of articles on the practical workings of x86 operating systems.  This installment describes the A20 address line, virtual memory, and recursive page mapping, by Shikhin Sethi
• This OS is a Boot Sector  (Original)
• These Philosophers Stuff on 512 Bytes  Or, this multiprocessing OS is a boot sector.
• Dev'ing an OS  2600, Vol. 30, No. 1, by Shikhin Sethi
4. Prince of PoC; or, A 16-Sector Version of Prince of Persia for the Apple ][  - Peter Ferrie's patch to rebuild Prince of Persia to remove copy protection and fit on a single, two-sided 16-sector floppy disk, by Peter Ferrie
5. Quick Introduction to the New Facedancer Framework  - A quick introduction to fuzzing with his rewrite of Sergey Bratus and Travis Goodspeed's Facedancer framework for USB device emulation, by gil
6. Dumping Firmware from Tamagotchi Friends by Power Glitching  - She loads shellcode into the chip's memory and glitches the living hell out of its power supply with an AVR.  Most of the time, this causes a crash, but when the dice are rolled right, the program counter lands on the NOP sled and the shellcode is executed!, by Natalie Silvanovich
7. Lenticrypt: A Provably Plausibly Deniable Cryptosystem; or, This Picture of Cats is Also a Picture of Dogs  - A provably plausibly deniable cryptosystem, one in which the ciphertext can decrypt to multiple plaintexts, but also that the file's creator can deny ever having intended for a particular plaintext to be present, by Evan Sultanik
8. Hardening Pin-Tumbler Locks Against Myriad Attacks for Less Than a Sawbuck  - A forgotten trick for modifying normal locks with a tap and die to make them pick resistant, by Deviant Ollam
9. Introduction to Reflux Decapsulation and Chip Photography  - An introductory tutorial on chip decapsulation and photography, by Travis Goodspeed
10. Forget Not the Humble Timing Attack  - Exploits a pin-protected external hard disk and a popular AVR bootloader using timing and simple power analysis, by Colin O'Flynn
11. This Encrypted Volume is Also a PDF; or, A Polyglot Trick for Bypassing TrueCrypt Volume Detection  - How to hide a TrueCrypt volume in a perfectly valid PDF file so that PDF readers don't see it, by Ange Albertini
12. How to Manually Attach a File to a PDF  - How to attach ZIP files to PDF files so that Adobe tools see them as legitimate PDF attachments, by Ange Albertini
13. Ode to ECB  - Poet Laureate Ben Nagy presents his Ode to ECB accompanied by one of Natalie Silvanovich's brilliant public service announcements.  Don't let your penguin show!, by Ben Nagy
14. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Boss...........................................Reverend Doctor Pastor Manul Laphroaig Dept. of PHY...................................Michael Ossmann Ethics Advisor.................................The Grugq Poet Laureate..................................Ben Nagy Funky File Formats Polyglot....................Ange Albertini Minister of Spargelzeit Weights and Measures...FX

Technical Note:  Like many of our prior issues, this one, pocorgtfo04.pdf, is a polyglot.  As a PDF, it renders to the document that you are now reading.  As a ZIP, it contains our prior issues and some of that good, old-timey mythology.  As a TrueCrypt volume, its contents is a mystery, but 123456 might not have been the best choice of a password.

$ file pocorgtfo04.pdf pocorgtfo04.pdf: PDF document, version 1.5 $ unzip -v pocorgtfo04.pdf Archive: pocorgtfo04.pdf warning [pocorgtfo04.pdf]: 798586 extra bytes at beginning or within zipfile (attempting to process anyway) error [pocorgtfo04.pdf]: reported length of central directory is -798586 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating... Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 0 Stored 0 0% 2014-06-24 11:56 00000000 bin2png/ 5010 Defl:X 1529 70% 2014-06-24 11:56 5b458885 bin2png/bin2png.py 18025 Defl:X 6802 62% 2014-06-24 11:56 2bf94d82 bin2png/LICENSE 1141 Defl:X 590 48% 2014-06-24 11:56 bac8ea63 bin2png/README.md 140413 Defl:X 54747 61% 2014-06-24 11:56 a54b802b darfsteller.txt 2841 Defl:X 1340 53% 2014-06-24 11:56 0ed7331f gods.txt 0 Stored 0 0% 2014-06-24 11:56 00000000 lenticrypt/ 36445 Defl:X 7899 78% 2014-06-24 11:56 b115a5b5 lenticrypt/lenticrypt.py 18025 Defl:X 6802 62% 2014-06-24 11:56 2bf94d82 lenticrypt/LICENSE 776 Defl:X 388 50% 2014-06-24 11:56 44837f8e lenticrypt/README.md 2709 Defl:X 697 74% 2014-06-24 11:56 42af5a59 lenticrypt/test.py 3111965 Defl:X 3112440 0% 2014-06-24 11:56 bc6aa4f8 pocorgtfo.png 25986 Defl:X 10749 59% 2014-06-24 11:56 796d27c5 theveldt.txt 239224 Defl:X 235980 1% 2014-06-24 11:56 9e276d18 tsb-20140401.zip 26750864 Defl:X 26438160 1% 2014-06-24 11:56 c0113904 pocorgtfo03.pdf -------- ------- --- ------- 30353424 29878123 2% 15 files host:~$ truecrypt --mount pocorgtfo04.pdf [password is 123456] host:~$ # That worked! host:~$ cd /mnt/NO\ NAME host:/mnt/NO NAME$ ls reverseme.bin host:/mnt/NO NAME$ file reverseme.bin reverseme.bin: JPEG image data, JFIF standard 1.01, comment: "%PDF-1.4" # Oh, this smells like another AngeMagic! host:/mnt/NO NAME$ cp reverseme.bin /tmp/reverseme.jpg # ... and we find # But wait, what about the JPEG comment? The comment clearly says '%PDF-1.4' # and that smells... so host:/mnt/NO NAME$ cp /tmp/reverseme.jpg /tmp/reverseme.pdf # And we obtain a valid PDF of the same image! # But there is more... host:/mnt/NO NAME$ unzip -v /tmp/reverseme.pdf Archive: reverseme.pdf endstream endobj xref 0 1 0000000000 65535 f 0000000010 00000 n trailer <</Root 1 0 R>> startxref 70488 %%EOF %�� Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 23110 Stored 23110 0% 1980-00-00 00:00 67a0921c reverseme.jpg -------- ------- --- ------- 23110 23110 0% 1 file # Ah, the greatness of Ange...

  PoC||GTFO - Issue 0x05

Addressed to the INHABITANTS of EARTH on the following and other INTERESTING SUBJECTS written for the edification of ALL GOOD NEIGHBORS

August 10, 2014 | 83.5M PDF/ISO/SWF | Includes | md5sum: 74a17e1cb87cbf1dc31eebe5c7aea639 | Archive.org Entry

1. Call to Worship
2. Stuff is Broken, And Only You Know How  - Hacker Privilege, neighbor - do you have it?, by Rvd. Dr. Manul Laphroaig
3. ECB as an Electronic Coloring Book  - A series of scripts for turning an ECB-encrypted image into a coloring book puzzle, by automatically correcting the dimensions, applying a best-guess set of false colors, and then walking a human operator through choosing a final set of colors, by Philippe Teuwen  (Additional Missing Info)
4. An Easter Egg in PCI Express  - An Easter egg that relies on the internals of PCI Expresson recent x86 machines.  By reflecting traffic through the PCI Express bus, he's able to map the x86's virtual memory page table into virtual memory!, by Jacob Torrey
5. A Flash PDF Polyglot  - A trick by Alex Inführ that makes a PDF file that is also an Adobe ShockWave Flash (SWF) file, by Alex Inführ (Blog)
6. These Philosophers Stuff on 512 Bytes; or, This Multiprocessing OS is a Boot Sector  - Shikhin Sethi continues his series of x86 proofs-of-concept that fit in a 512 byte boot sector.  In this installment, he explains how the platform's interrupts and timers work, then finishes with support for multiple CPUs, by Shikhin Sethi
• These Philosophers Stuff on 512 Bytes  Or, this multiprocessing OS is a boot sector.  (Original)
7. A Breakout Board for Mini-PCIe; or, My Intel Galileo has Less RAM than its Video Card!  - Presenting a breakout board for the Intel Galileo platform that allows full-sized cards to be plugged into the Mini-PCIe slot of this little guy, by Joe FitzPatrick
8. Prototyping a Generic x86 Backdoor in Bochs; or, I'll See Your RDRAND Backdoor and Raise You a Covert Channel!  - Matilda puts her own spin on Taylor Hornby's RDRAND backdoor.  She instead uses the RDRAND instruction to leak encrypted bytes from kernel memory.  A userland process can then decrypt these bytes in order to exfiltrate data, and anyone without the key will be unable to prove that anything important is being leaked, by Matilda
9. From Protocol to PoC; or, Your Cisco Blade is Booting PoC||GTFO  - Mik will guide you from spotting an unknown protocol to a PoC that replaces a physical disk in a remote server's CD-ROM with your own image, over an unencrypted custom KVM session.  Bolt-on cryptography is bad, m'kay?, by Mik
10. i386 Shellcode for Lazy Neighbors; or, I Am My Own NOP Sled  - A nifty alternative to NOP sleds by Brainsmoke.  The idea here is that instead of wasting so much space with NOP instructions, you can instead load a canary into a register at the beginning of your shellcode, branching back to the beginning if that canary isn't found at the end, by Brainsmoke
11. Abusing JSONP with Rosetta Flash  - Rosetta Flash attack for abusing JSONP.  While surely you've heard about this in the news, please ignore that Google and Tumblr were vulnerable.  Instead, pay attention to the mechanism of the exploit.  Pay attention to how Michele abuses a decompression routine to produce an alphanumeric payload, which in isolation would be a worthy PoC!, by Michele Spagnuolo
12. A Cryptographer and a Binarista Walk Into a Bar  - We all know that hash-collision vulns can be exploited, but the exact practicalities of how to do the exploit or where to look for a vuln aren't as easy to come by.  Ange and Maria teach us how to write sexy hash-collision PoCs.  When a director of funky file format steams up with a cryptographer, all sorts of nifty things are possible, by Ange Albertini and Maria Eichlseder
13. Ancestral Voices; or, A Vision in a Nightmare  - Ben Nagy gives us his take on Coleridge's masterpiece.  Unfortunately, to comply with the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, this poem is redacted from our electronic edition, by Ben Nagy  
14. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Bossy Pants...................................Reverend Doctor Pastor Manul Laphroaig Unfinished Article............................Michael Ossmann Ethics Advisor................................The Grugq Poet Laureate.................................Ben Nagy Editor of Last Resort.........................Melilot Drafted for Hard Labor........................Jacob Torrey Funky File Formats Polyglot...................Ange Albertini Minister of Spargelzeit Weights and Measures..FX

Technical Note:  This issue, pocorgtfo05.pdf, is a polyglot that can be meaningfully interpreted as a PDF, SWF, ZIP, or ISO file.  The PDF is a good read; the SWF will never give you up or let you down; the ZIP contains all our prior issues; and, to top it all off, the ISO boots to a friendly game of Tetris.

$ file pocorgtfo05.pdf pocorgtfo05.pdf: ISO 9660 CD-ROM filesystem data 'TetrangOS' (bootable) $ unzip -v pocorgtfo05.pdf Archive: pocorgtfo05.pdf warning [pocorgtfo05.pdf]: 26368859 extra bytes at beginning or within zipfile (attempting to process anyway) Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 0 Stored 0 0% 2014-08-04 14:11 00000000 PEXternalizer/ 0 Stored 0 0% 2014-08-04 14:11 00000000 PEXternalizer/gerbers/ 36757 Defl:X 8364 77% 2014-08-04 14:11 8951ef3a PEXternalizer/gerbers/mPEXternalizer.GBL 350 Defl:X 178 49% 2014-08-04 14:11 41ef7268 PEXternalizer/gerbers/mPEXternalizer.XLN 43198 Defl:X 9972 77% 2014-08-04 14:11 1d07892a PEXternalizer/gerbers/mPEXternalizer.GTL 126902 Defl:X 28569 78% 2014-08-04 14:11 9e23dd0a PEXternalizer/gerbers/PEXternalizer.GTL 10607 Defl:X 1999 81% 2014-08-04 14:11 1362f6a4 PEXternalizer/gerbers/mPEXternalizer.GTS 1079 Defl:X 394 64% 2014-08-04 14:11 2b2fd9f2 PEXternalizer/gerbers/PEXternalizer.XLN 20909 Defl:X 4710 78% 2014-08-04 14:11 ea04d9a4 PEXternalizer/gerbers/mPEXternalizer.GBO 45783 Defl:X 9521 79% 2014-08-04 14:11 fa67abdf PEXternalizer/gerbers/PEXternalizer.GBO 35428 Defl:X 7655 78% 2014-08-04 14:11 a9df2250 PEXternalizer/gerbers/PEXternalizer.GTO 1268 Defl:X 406 68% 2014-08-04 14:11 72fecc3a PEXternalizer/gerbers/mPEXternalizer.GBS 9731 Defl:X 2442 75% 2014-08-04 14:11 ab8908e0 PEXternalizer/gerbers/mPEXternalizer.GKO 128653 Defl:X 29251 77% 2014-08-04 14:11 40fe72f8 PEXternalizer/gerbers/PEXternalizer.GBL 11186 Defl:X 2061 82% 2014-08-04 14:11 c540d525 PEXternalizer/gerbers/PEXternalizer.GBS 9012 Defl:X 2246 75% 2014-08-04 14:11 b25e9619 PEXternalizer/gerbers/PEXternalizer.GKO 30759 Defl:X 6634 78% 2014-08-04 14:11 2ffd2bb9 PEXternalizer/gerbers/mPEXternalizer.GTO 18201 Defl:X 3318 82% 2014-08-04 14:11 73340665 PEXternalizer/gerbers/PEXternalizer.GTS 18026 Defl:X 6802 62% 2014-08-04 14:11 314a1dd2 PEXternalizer/LICENSE 0 Stored 0 0% 2014-08-04 14:11 00000000 PEXternalizer/eagle/ 118946 Defl:X 11313 91% 2014-08-04 14:11 a1811f8e PEXternalizer/eagle/PEXternalizer.sch 67047 Defl:X 9735 86% 2014-08-04 14:11 9a64483a PEXternalizer/eagle/PEXternalizer.brd 59982 Defl:X 8815 85% 2014-08-04 14:11 a20ed85f PEXternalizer/eagle/mPEXternalizer.brd 54806 Defl:X 6088 89% 2014-08-04 14:11 c7201662 PEXternalizer/eagle/mPEXternalizer.sch 890 Defl:X 460 48% 2014-08-04 14:11 4079216b PEXternalizer/PEXternalizer-BOM.csv 0 Stored 0 0% 2014-08-04 14:11 00000000 PEXternalizer/eagle-support/ 75865 Defl:X 7422 90% 2014-08-04 14:11 21e5cb30 PEXternalizer/eagle-support/con-pci_express-pci-e.lbr 293800 Defl:X 32560 89% 2014-08-04 14:11 683f0417 PEXternalizer/eagle-support/securinghardware.lbr 42631 Defl:X 4062 91% 2014-08-04 14:11 f9489239 PEXternalizer/eagle-support/con-heo.mini_pci_express.lbr 1844 Defl:X 991 46% 2014-08-04 14:11 ef785144 PEXternalizer/README.md 0 Stored 0 0% 2014-08-04 14:11 00000000 collision/ 447780 Defl:X 248722 45% 2014-08-04 14:11 1d2cf7e7 collision/mbr_shell_rar1.pdf 110809 Defl:X 50821 54% 2014-08-04 14:11 b7e897e3 collision/jpg-rar0.jpg 2347 Defl:X 945 60% 2014-08-04 14:11 8fa25759 collision/msha1.py 354 Defl:X 167 53% 2014-08-04 14:11 fa48f512 collision/readme.txt 447780 Defl:X 248722 45% 2014-08-04 14:11 dbf86217 collision/mbr_shell_rar0.pdf 2560 Defl:X 997 61% 2014-08-04 14:11 c789f50e collision/make_collision.py 110809 Defl:X 50823 54% 2014-08-04 14:11 fa6f5705 collision/jpg-rar1.jpg 1294 Defl:X 604 53% 2014-08-04 14:11 9899e045 lazy.c 549 Defl:X 278 49% 2014-08-04 14:11 677cef1f manulmascot.txt 7873 Defl:X 2737 65% 2014-08-04 14:11 4cf0df95 mpbs.asm 2285 Defl:X 975 57% 2014-08-04 14:11 d6685e2a rosetta-rick.swf 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/ 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/utils/ 1340 Defl:X 537 60% 2014-08-04 14:11 8e5b076b rosettaflash/utils/utils.go 18092 Defl:X 6806 62% 2014-08-04 14:11 4e46f4a1 rosettaflash/LICENSE 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/zlibStream/ 10608 Defl:X 2446 77% 2014-08-04 14:11 1425ab06 rosettaflash/zlibStream/zlibStream.go 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/flashFile/ 973 Defl:X 389 60% 2014-08-04 14:11 431e95ba rosettaflash/flashFile/flashFile.go 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/huffman/ 9786 Defl:X 1906 81% 2014-08-04 14:11 9f69b64f rosettaflash/huffman/huffman.go 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/adler32_fuzzer/ 1306 Defl:X 536 59% 2014-08-04 14:11 64b13546 rosettaflash/adler32_fuzzer/adler32_fuzzer.go 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/adler32_mod/ 1465 Defl:X 648 56% 2014-08-04 14:11 c111e13a rosettaflash/adler32_mod/adler32_mod.go 240 Defl:X 186 23% 2014-08-04 14:11 017e3177 rosettaflash/CREDITS 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/charset/ 1139 Defl:X 440 61% 2014-08-04 14:11 6da2eaae rosettaflash/charset/charset.go 0 Stored 0 0% 2014-08-04 14:11 00000000 rosettaflash/PoC/ 1158 Defl:X 517 55% 2014-08-04 14:11 61d7c149 rosettaflash/PoC/eval_load-ascii.swf 148 Defl:X 104 30% 2014-08-04 14:11 b8d6cec9 rosettaflash/PoC/check_alphanum.py 248 Defl:X 144 42% 2014-08-04 14:11 72266fc7 rosettaflash/PoC/eval_load.as 377 Defl:X 286 24% 2014-08-04 14:11 813608cc rosettaflash/PoC/rickroll.swf 179 Defl:X 136 24% 2014-08-04 14:11 6d8363f1 rosettaflash/PoC/rickroll.as 393 Defl:X 220 44% 2014-08-04 14:11 b16dd2e2 rosettaflash/PoC/UniversalExfiltrator.as 1231 Defl:X 554 55% 2014-08-04 14:11 a18a5d35 rosettaflash/PoC/rickroll-ascii.swf 1629 Defl:X 639 61% 2014-08-04 14:11 5218837d rosettaflash/PoC/UniversalExfiltrator-ascii.swf 541 Defl:X 360 34% 2014-08-04 14:11 0c957a2b rosettaflash/PoC/UniversalExfiltrator.swf 294 Defl:X 209 29% 2014-08-04 14:11 6de9a584 rosettaflash/.gitignore 1085 Defl:X 570 48% 2014-08-04 14:11 8e98d963 rosettaflash/README.md 2796 Defl:X 1137 59% 2014-08-04 14:11 decc6797 rosettaflash/rosettaflash.go 962 Defl:X 468 51% 2014-08-04 14:11 09e790ac style.txt 56807352 Defl:X 56275027 1% 2014-08-04 14:11 be2ccd2d pocorgtfo04.pdf -------- ------- --- ------- 59261442 57106024 4% 74 files $ cd collision $ chmod +x /msha1.py $ ./msha1.py mbr_shell_rar*.pdf 5a827999 82b1c71a 5141963a b389abb9 mbr_shell_rar0.pdf 10382a6d3c949408d7cafaaf6d110a9e23230416 mbr_shell_rar1.pdf 10382a6d3c949408d7cafaaf6d110a9e23230416 $ ./msha1.py jpg-rar*.jpg 5a827999 9b73a440 71599fc5 0c8a53e4 jpg-rar0.jpg 7a00042714d8ee6f4978193b07df705b652d0e39 jpg-rar1.jpg 7a00042714d8ee6f4978193b07df705b652d0e39 host~$ sudo mount -o ro -t iso9660 pocorgtfo05.pdf /mnt [sudo] password for user: host:~$ cd /mnt/ host:/mnt$ ls -l total 1443 -r-xr-xr-x 1 root root 2048 Jul 17 12:00 boot.cat -r-xr-xr-x 1 root root 51 Jul 17 12:00 readme.txt -r-xr-xr-x 1 root root 1474560 Jul 17 12:00 tetrangl.img # That worked! host:/mnt$ cat readme.txt Never gonna give you up! Never gonna let you down! host:/mnt$ file * boot.cat: FoxPro FPT, blocks size 0, next free block index 16777216 readme.txt: ASCII text tetrangl.img: x86 boot sector # So, what should you do next? Well, how about a little emulation... host~$ qemu-system-i386 -cdrom pocorgtfo05.pdf

  PoC||GTFO - Issue 0x06

PoC || GTFO; brings that OLD TIMEY EXPLOITATION with a WEIRD MACHINE JAMBOREE and our world-famous FUNKY FILE FLEA MARKET not to be ironic, but because WE LOVE THE MUSIC!

November 25, 2014 | 101.5M PDF/TAR/ZIP | Includes | md5sum: 02222f78842741c8b74237abe72f4015 | Archive.org Entry

1. Sacrament of Communion with the Weird Machines
2. On Giving Thanks  - A sermon for the holidays, by Pastor Manul Laphroaig
3. Gekko the Dolphin  - Collection of nifty tricks necessary to emulate modern Nintendo GameCube and Wii hardware both quickly and correctly.  Tricks involve fancy MMU emulation, ways to emulate PowerPC's bl/blr calling convention without confusing an x86 branch predictor, and subtle bugs that must be accounted for accurate floating pointemulation, by Fiora
4. This TAR Archive is a PDF!  - Continuing the tradition of getting Adobe to blacklist our fine journal, pocorgtfo06.pdf is a TAR polyglot, which contains two valid PoC, as in both Pictures-of-Cats and Proofs-of-Concept, by Ange Albertini
5. x86 Alchemy and Smuggling with Metalkit  - The story of the Pong Easter egg that hides in VMWare and the "pride" Easter egg that hides inside that, by Micah Elizabeth Scott
6. Detecting MIPS Emulation  - Two effective tricks for detecting if MIPS code is running inside of an emulator.  From kernel mode, you identify special function registers that have values distinct to QEMU.  From user mode, you flush the cache just before overwriting and then executing shellcode.  Only on a real machine - with unsynchronized I and D caches - does the older copy of the code execute, by Craig Heffner
7. More Cryptographic Coloring Books  - Philippe Teuwen extends his coloring book scripts from PoC||GTFO 5:3 to exploit the AngeCryption trick that first appeared in PoC||GTFO 3:11, by Philippe Teuwen  [Errata due to Frenglish to English translation ;-) : OFB and CTR are fine, only CBC & CFB can be compared to ECB]
8. Introduction to Delayering and Reversing PCBs  - Some tricks for reverse-engineering printed circuit boards with sandpaper and a flatbed scanner, by Joe "Kingpin" Grand  (Twitter)  (Additional Info)
9. Davinci Seal: Self-Decrypting Executables  - Some tricks that allow or frustrate debugging and emulation, Ryan O'Neill describes the internals of his Davinci self-extracting executables in Linux.  You'll learn how to prevent your process from being easily debugged, sidestepping LD_PRELOAD and ptrace(), by Ryan "ElfMaster" O'Neill  (Seattle, Washington, Twitter, GitHub)
10. Observable Metrics  - A fine bit of "Vuln Fiction," describing a frightening Internet-of-All-Things run by a company not so different from one that shipped a malicious driver last month, by Don A. Bailey, Tamara L. Rhoads, and Jaime Cochran
11. A Call for PoC  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman....................................Reverend Doctor Pastor Manul Laphroaig Ethics Advisor.................................The Grugq Poet Laureate..................................Ben Nagy Editor of Last Resort..........................Melilot Carpenter of the Samizdat Hymnary..............Redbeard Funky File Formats Polyglot....................Ange Albertini Minister of Spargelzeit Weights and Measures...FX

Technical Note:  This issue, pocorgtfo06.pdf, is a polyglot with microdots that can be meaningfully interpreted as a ZIP, a PDF, or a TAR.  It is filled with easter eggs, and if you are a very good reader, you will also hunt through it with a hex editor.  PoC||GTFO 0x06 also contains a scan of a softstrip.  There is a clean version here which can be decoded with this Python script.  (python softstrip.py softstrip_bw.png to get this output)

$ file pocorgtfo06.pdf pocorgtfo06.pdf: POSIX tar archive (GNU) $ unzip -v pocorgtfo06.pdf Archive: pocorgtfo06.pdf warning [pocorgtfo06.pdf]: 10672929 extra bytes at beginning or within zipfile (attempting to process anyway) Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 4095 Defl:X 1827 55% 2014-11-24 16:44 806679c1 64k.txt 818941 Defl:X 794538 3% 2014-08-18 16:28 c23e6c74 acsac13_zaddach.pdf 4564 Defl:X 2127 53% 2014-10-04 17:06 ca9ce92b burn.txt 342232 Defl:X 323030 6% 2014-11-24 16:44 0d4dd4cd davinci.tgz.dvs 3785 Defl:X 1864 51% 2014-11-24 16:44 b704612e davinci.txt 5111 Defl:X 2430 53% 2014-09-28 14:05 0512e036 declare.txt 0 Stored 0 0% 2014-08-23 12:21 00000000 ecb2/ 0 Stored 0 0% 2014-08-22 06:19 00000000 ecb2/AngeCryption_CBC/ 2685 Defl:X 1166 57% 2014-08-22 06:02 da65bdb5 ecb2/AngeCryption_CBC/PIP_CBC.py 0 Stored 0 0% 2014-08-22 06:33 00000000 ecb2/AngeCryption_CBC/PoC/ 1935648 Defl:X 1450990 25% 2014-08-22 06:08 1d9d451a ecb2/AngeCryption_CBC/PoC/combined.png 252 Defl:X 198 21% 2014-08-22 06:08 891e6db9 ecb2/AngeCryption_CBC/PoC/decrypt-PIP.py 173 Defl:X 150 13% 2014-08-22 06:33 cfcfb778 ecb2/AngeCryption_CBC/PoC/decrypt-PIP.sh 0 Stored 0 0% 2014-08-22 06:23 00000000 ecb2/AngeCryption_CTR/ 3022 Defl:X 1263 58% 2014-08-22 06:22 2e8dc1ef ecb2/AngeCryption_CTR/PIP_CTR.py 0 Stored 0 0% 2014-08-22 06:34 00000000 ecb2/AngeCryption_CTR/PoC/ 1935648 Defl:X 1450984 25% 2014-08-22 06:22 4e43eb07 ecb2/AngeCryption_CTR/PoC/combined.png 352 Defl:X 255 28% 2014-08-22 06:22 f63993f3 ecb2/AngeCryption_CTR/PoC/decrypt-PIP.py 173 Defl:X 153 12% 2014-08-22 06:34 8f5d53b3 ecb2/AngeCryption_CTR/PoC/decrypt-PIP.sh 0 Stored 0 0% 2014-08-22 06:20 00000000 ecb2/AngeCryption_OFB/ 2739 Defl:X 1198 56% 2014-08-22 06:12 09c90dcc ecb2/AngeCryption_OFB/PIP_OFB.py 0 Stored 0 0% 2014-08-22 06:34 00000000 ecb2/AngeCryption_OFB/PoC/ 1935648 Defl:X 1450987 25% 2014-08-22 06:17 9fc121b9 ecb2/AngeCryption_OFB/PoC/combined.png 240 Defl:X 191 20% 2014-08-22 06:17 fe723463 ecb2/AngeCryption_OFB/PoC/decrypt-PIP.py 173 Defl:X 153 12% 2014-08-22 06:33 038f6515 ecb2/AngeCryption_OFB/PoC/decrypt-PIP.sh 21674 Defl:X 21137 3% 2014-08-22 06:35 b553249f ecb2/duckduckgo.png 10546 Defl:X 3387 68% 2014-07-05 16:33 53ca3690 ecb2/ElectronicColoringBook.py 11265 Defl:X 11133 1% 2014-08-22 06:35 c1394434 ecb2/google.png 0 Stored 0 0% 2014-08-19 17:48 00000000 ecb2/GynCryption_CTR/ 2583 Defl:X 1102 57% 2014-08-17 13:40 25ad9908 ecb2/GynCryption_CTR/gyncrypt_ctr.py 0 Stored 0 0% 2014-08-22 13:21 00000000 ecb2/GynCryption_CTR/PoC/ 280 Defl:X 203 28% 2014-08-22 13:21 4f64cfc0 ecb2/GynCryption_CTR/PoC/decrypt-gyn_ctr.py 140 Defl:X 127 9% 2014-08-22 13:20 fabaa064 ecb2/GynCryption_CTR/PoC/decrypt-gyn_ctr.sh 3870080 Defl:X 3867383 0% 2014-08-22 13:00 6dc24686 ecb2/GynCryption_CTR/PoC/gyncryption_ctr.pdf 0 Stored 0 0% 2014-08-17 13:40 00000000 ecb2/GynCryption_OFB/ 2331 Defl:X 1062 54% 2014-08-17 13:40 586ce03f ecb2/GynCryption_OFB/gyncrypt_ofb.py 0 Stored 0 0% 2014-08-22 13:21 00000000 ecb2/GynCryption_OFB/PoC/ 219 Defl:X 175 20% 2014-08-22 13:21 1cc1ea9c ecb2/GynCryption_OFB/PoC/decrypt-gyn_ofb.py 153 Defl:X 138 10% 2014-08-22 13:19 e428b12e ecb2/GynCryption_OFB/PoC/decrypt-gyn_ofb.sh 66240 Defl:X 62760 5% 2014-08-22 13:17 6610f8e3 ecb2/GynCryption_OFB/PoC/gyncryption_ofb.pdf 0 Stored 0 0% 2014-08-22 06:19 00000000 ecb2/AngeCryption_CBC/ 2685 Defl:X 1166 57% 2014-08-22 06:02 da65bdb5 ecb2/AngeCryption_CBC/PIP_CBC.py 0 Stored 0 0% 2014-08-22 06:33 00000000 ecb2/AngeCryption_CBC/PoC/ 1935648 Defl:X 1450990 25% 2014-08-22 06:08 1d9d451a ecb2/AngeCryption_CBC/PoC/combined.png 252 Defl:X 198 21% 2014-08-22 06:08 891e6db9 ecb2/AngeCryption_CBC/PoC/decrypt-PIP.py 173 Defl:X 150 13% 2014-08-22 06:33 cfcfb778 ecb2/AngeCryption_CBC/PoC/decrypt-PIP.sh 0 Stored 0 0% 2014-08-22 06:23 00000000 ecb2/AngeCryption_CTR/ 3022 Defl:X 1263 58% 2014-08-22 06:22 2e8dc1ef ecb2/AngeCryption_CTR/PIP_CTR.py 0 Stored 0 0% 2014-08-22 06:34 00000000 ecb2/AngeCryption_CTR/PoC/ 1935648 Defl:X 1450984 25% 2014-08-22 06:22 4e43eb07 ecb2/AngeCryption_CTR/PoC/combined.png 352 Defl:X 255 28% 2014-08-22 06:22 f63993f3 ecb2/AngeCryption_CTR/PoC/decrypt-PIP.py 173 Defl:X 153 12% 2014-08-22 06:34 8f5d53b3 ecb2/AngeCryption_CTR/PoC/decrypt-PIP.sh 0 Stored 0 0% 2014-08-22 06:20 00000000 ecb2/AngeCryegg.aiff 11933 Defl:X 11919 0% 2014-09-12 08:09 9d89d4a0 eggmaphone_instrument_for_ableton_live.adg 2203 Defl:X 914 59% 2014-10-23 07:45 1da7301d ftdi.txt 2849 Defl:X 1378 52% 2014-09-07 12:11 dbc36244 getbetter.txt 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/ 144 Defl:X 115 20% 2014-11-11 22:31 49448469 metalkit/.gitignore 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/ 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/apm-test/ 1430 Defl:X 545 62% 2014-11-11 22:31 5a8504bf metalkit/examples/apm-test/main.c 165 Defl:X 142 14% 2014-11-11 22:31 21009467 metalkit/examples/apm-test/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/console/ 584 Defl:X 310 47% 2014-11-11 22:31 4146c64a metalkit/examples/console/main.c 161 Defl:X 132 18% 2014-11-11 22:31 e4bb33ed metalkit/examples/console/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/datafile/ 619 Defl:X 361 42% 2014-11-11 22:31 c1984e4a metalkit/examples/datafile/main.c 172 Defl:X 144 16% 2014-11-11 22:31 a5450889 metalkit/examples/datafile/Makefile 2898 Defl:X 1385 52% 2014-11-11 22:31 e8f58aa9 metalkit/examples/datafile/sample.txt 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/keyboard/ 652 Defl:X 315 52% 2014-11-11 22:31 b5a411dd metalkit/examples/keyboard/main.c 162 Defl:X 134 17% 2014-11-11 22:31 1a013704 metalkit/examples/keyboard/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/scanpci/ 757 Defl:X 391 48% 2014-11-11 22:31 521f79c3 metalkit/examples/scanpci/main.c 150 Defl:X 128 15% 2014-11-11 22:31 92ca2922 metalkit/examples/scanpci/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/threading/ 3199 Defl:X 1239 61% 2014-11-11 22:31 b05bd2c5 metalkit/examples/threading/main.c 154 Defl:X 132 14% 2014-11-11 22:31 044d18e4 metalkit/examples/threading/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/timer/ 562 Defl:X 313 44% 2014-11-11 22:31 03bf0417 metalkit/examples/timer/main.c 150 Defl:X 125 17% 2014-11-11 22:31 80e5de05 metalkit/examples/timer/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/vbe-info/ 1420 Defl:X 592 58% 2014-11-11 22:31 7579ed9b metalkit/examples/vbe-info/main.c 156 Defl:X 133 15% 2014-11-11 22:31 2d06c65d metalkit/examples/vbe-info/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/vbe-palette/ 2278 Defl:X 995 56% 2014-11-11 22:31 937ce12b metalkit/examples/vbe-palette/main.c 165 Defl:X 139 16% 2014-11-11 22:31 99b051b1 metalkit/examples/vbe-palette/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/examples/vbe-simple/ 2132 Defl:X 1008 53% 2014-11-11 22:31 a3ed6437 metalkit/examples/vbe-simple/main.c 153 Defl:X 129 16% 2014-11-11 22:31 70d0d330 metalkit/examples/vbe-simple/Makefile 0 Stored 0 0% 2014-11-11 22:31 00000000 metalkit/lib/ 4124 Defl:X 1850 55% 2014-11-11 22:31 46de6301 metalkit/lib/apm.c 2259 Defl:X 1195 47% 2014-11-11 22:31 cfc974ce metalkit/lib/apm.h 7684 Defl:X 2870 63% 2014-11-11 22:31 2efab3ae metalkit/lib/bios.c 4408 Defl:X 1821 59% 2014-11-11 22:31 7c92cef5 metalkit/lib/bios.h 2118 Defl:X 1118 47% 2014-11-11 22:31 a1bb0e94 metalkit/lib/boot.h 19272 Defl:X 6342 67% 2014-11-11 22:31 05ad94c0 metalkit/lib/boot.S 7292 Defl:X 2804 62% 2014-11-11 22:31 057020fb metalkit/lib/console.c 2647 Defl:X 1286 51% 2014-11-11 22:31 87e7a836 metalkit/lib/console.h 6039 Defl:X 2077 66% 2014-11-11 22:31 ddfee1bb metalkit/lib/console_vga.c 2315 Defl:X 1085 53% 2014-11-11 22:31 44dbd01b metalkit/lib/console_vga.h 2342 Defl:X 1192 49% 2014-11-11 22:31 749f20d5 metalkit/lib/datafile.h 579 Defl:X 356 39% 2014-11-11 22:31 d50d08bd metalkit/lib/deflate.py 2049 Defl:X 1079 47% 2014-11-11 22:31 f80e1483 metalkit/lib/gcc_support.c 3241 Defl:X 1384 57% 2014-11-11 22:31 871d2699 metalkit/lib/image.ld 9994 Defl:X 3847 62% 2014-11-11 22:31 146737d0 metalkit/lib/intr.c 7185 Defl:X 2885 60% 2014-11-11 22:31 d3e1f28a metalkit/lib/intr.h 2313 Defl:X 1052 55% 2014-11-11 22:31 7c516b81 metalkit/lib/io.h 10738 Defl:X 3004 72% 2014-11-11 22:31 db62ffb6 metalkit/lib/keyboard.c 4175 Defl:X 1834 56% 2014-11-11 22:31 b419ac82 metalkit/lib/keyboard.h 2372 Defl:X 1228 48% 2014-11-11 22:31 02b93841 metalkit/lib/Makefile.rules 1746 Defl:X 980 44% 2014-11-11 22:31 ba3d2efe metalkit/lib/math.h 6808 Defl:X 2464 64% 2014-11-11 22:31 9112514f metalkit/lib/pci.c 3412 Defl:X 1451 58% 2014-11-11 22:31 7cce390e metalkit/lib/pci.h 37036 Defl:X 11063 70% 2014-11-11 22:31 c0c58a78 metalkit/lib/puff.c 1328 Defl:X 647 51% 2014-11-11 22:31 c773f778 metalkit/lib/puff.h 405 Defl:X 242 40% 2014-11-11 22:31 fe207b0e metalkit/lib/setjmp.h 1765 Defl:X 1002 43% 2014-11-11 22:31 f5d84717 metalkit/lib/timer.c 1609 Defl:X 929 42% 2014-11-11 22:31 e321a807 metalkit/lib/timer.h 3397 Defl:X 1419 58% 2014-11-11 22:31 35cf6b5a metalkit/lib/types.h 5925 Defl:X 2494 58% 2014-11-11 22:31 7c0c5664 metalkit/lib/vbe.c 4285 Defl:X 1762 59% 2014-11-11 22:31 bea39647 metalkit/lib/vbe.h 2688 Defl:X 1324 51% 2014-11-11 22:31 cd2f24d2 metalkit/README.md 3421 Defl:X 1716 50% 2014-10-01 19:31 b113ef24 modernman.txt 123094 Defl:X 121934 1% 2012-02-10 09:15 e58b86b1 postel.pdf 886 Defl:X 430 52% 2014-11-24 16:44 cad45e96 rolldice.txt 3589 Defl:X 1864 48% 2014-10-15 17:47 8ab6d896 russian.txt 1620 Defl:X 884 45% 2014-09-07 12:26 46dad301 soul.txt 20539 Defl:X 8867 57% 2014-10-04 17:03 a339478e toynbee.txt 83488833 Defl:X 81130815 3% 2014-08-11 23:22 e615cc40 pocorgtfo05.pdf -------- ------- --- ------- 94858612 90814751 4% 118 files $ tar xvvf pocorgtfo06.pdf -rw-r--r-- Manul/Laphroaig 0 2014-10-06 14:33 %PDF-1.5 -rw-r--r-- Manul/Laphroaig 525849 2014-10-06 14:33 1.png -rw-r--r-- Manul/Laphroaig 273658 2014-10-06 14:33 2.bmp $ sed '4025,4048!d' pocorgtfo06.pdf Spoilers for our Pictures of Cats - 1.png is a PNG picture. It's a RGB picture, with a palette. The RGB values have been altered to display another picture via the palette. So just change offset 0x19 from 0x2 (RGB) to 0x3 (paletted) to enjoy the hidden picture. Extra efforts were taken to make the picture not trivial to extract, and remove as many artifacts as possible. by Philippe Teuwen & Ange Albertini, original idea by Dominique Bongard - 2.bmp is a BMP/PCM polyglot, which means it's a Bitmap picture, and a RAW audio polyglot that is directly playable (it's not really hidden, it's just happy co-existence). The audio, when viewed in spectrogram view, will show a familiar face. To enjoy it fully, just run: sox -t raw -r 44100 -c 1 -e signed -b 32 2.bmp -n spectrogram (with optional -m -x 555 -y 512 -z 24 -Z -36, for better rendering) For more details, check wiki.yobi.be/wiki/BMP_PCM_polyglot, including a nifty RGB spectrogram via baudline. by Philippe Teuwen & Ange Albertini

  PoC||GTFO - Issue 0x07

PASTOR MANUL LAPHROAIG's International Journal of PoC || GTFO, CALISTHENICS & ORTHODONTIA in remembrance of OUR BELOVED DR. DOBB because THE WORLD IS ALMOST THROUGH!

March 19, 2015 | 33.4M PDF/BPG/HTML/ZIP | Includes | md5sum: 1cb67f33d8b1a63bf4f729ddf328eba3 | Archive.org Entry

1. With What Shall We Commune This Evening?
2. The Magic Number: 0xAA55  - An executable poem by Morgan Reece Phillips.  Funny enough, 0xAA55 is also Pastor Laphroaig's favorite number, by Morgan Reece Phillips
3. Coastermelt  - Having bought a Samsung SE-506CB burner, and knowing damned well that a neighbor doesn't own what she can't open, Micah reverse-engineered that gizmo.  Sniffing the updater taught her how to dump the firmware; disassembling that firmware taught her how to patch in new code; and, just to help the rest of us play along, she wrapped all of this into a fancy little debugging console that's far more convenient than the sorry excuse for a JTAG debugger the original authors of the firmware most likely used, by Micah Elizabeth Scott  (Coastermelt GitHub)
4. Of Scientific Consensus and a Wish That Came True  - Warns us of the dangers that lurk in trusting The Experts, and of one such expert whose witch hunt set back the science of biology for decades.  This article is illustrated by (((Boris Efimov))), may he rot in Hell, by Pastor Manul Laphroaig
5. When Scapy is Too High-Level  - Describes the internals of TCP/IP as a sermon against the iniquity of the abstraction layers that - while useful to reduce the drudgery of labor - also cloud a programmer's mind andkeep him from seeing the light of the hexdump world, by Eric Davisson  (Twitter)
6. Abusing File Formats; or, Corkami, the Novella  - Ange finally presents us with a long article, a listing of dozens of nifty tricks that he uses in PoC||GTFO, Corkami, and other projects.  Study it carefully if you'd like to learn his art, by Ange Albertini
7. Extending Crypto-Related Backdoors to Other Scenarios  - BSDaemon and Pirata extend the RDRAND trick of PoC||GTFO 3:6 - with devilish cunning and true buccaneer daring - to actual Intel hardware, showing us poor landlubbers how to rob not only unsuspecting virtual machines but also normal userland and kernel applications that depend on the new AES-NI instructions of their precious randomness - and much more.  Quick, hide your AES!  Luckily, our neighborly pirates show how, by BSDaemon and Pirata
8. Innovations with Linux Core Files for Advanced Process Forensics  - Ryan O'Neill's Extended Core File Snapshots, which add new sections to the familiar ELF specification that our readers know and love, by Ryan "ElfMaster" O'Neill
9. Bambaata Speaks from the Past  - Recently, Pastor Laphroaig hired Count Bambaata on as our Special Correspondent on NASCAR.  After his King Midget stretch limo was denied approval to compete at the Bristol Motor Speedway, Bambaata fled to Fordlandia, Brazil in a stolen - the Count himself says "liberated" - 1957 Studebaker Bulletnose in search of the American Dream.  When asked for his article on the race, Bambaata sent us by WEFAX a collection of poorly redacted expense reports and a lovely little rant on Baudrillard, the Spirit of the 90's, and a world of turncoat swine, by Count Bambaata
10. Public Service Announcement
11. Cyber Criminal's Song  - A peppy little parody of Hacker News and New-Media Web 2.0 Hipster Fashion Accessorized Cybercrime in the style of Gilbert and Sullivan, by Ben Nagy
12. Fast Cash for Bugs!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman.....................................Manul Laphroaig Ethics Advisor..................................The Grugq Poet Laureate...................................Ben Nagy Editor of Last Resort...........................Melilot Carpenter of the Samizdat Hymnary...............Redbeard Funky File Formats Polyglot.....................Ange Albertini Assistant Scenic Designer.......................Philippe Teuwen Special Correspondent on NASCAR.................Count Bambaata Minister of Spargelzeit Weights and Measures....FX

Technical Note:  This issue, pocorgtfo07.pdf, is a polyglot that can be meaningfully interpreted as a ZIP, a PDF, a BPG, or HTML featuring a BPG decoder.  We no longer include prior issues in the ZIP, in order to leave room for more curiosities.  Don't be surprised when you stumble upon occasional polyglot and chimeras.

    

Did you know notice BlueRay microdots in PoC||GTFO 7:3?  First one depicts scanlime's (Micah Elizabeth Scott) artwork.

$ file pocorgtfo07.pdf pocorgtfo07.pdf: BPG (Better Portable Graphics) $ unzip -v pocorgtfo07.pdf Archive: pocorgtfo07.pdf ******* PWNED ******** dumping credentials... ********************** Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 6325 Defl:X 3032 52% 2015-02-02 13:56 e3d550f2 500miles.txt 0 Stored 0 0% 2015-03-19 09:51 00000000 abusing_file_formats/ 370375 Defl:X 369817 0% 2015-03-06 14:51 2665ab4f abusing_file_formats/3in1.png 512 Defl:X 262 49% 2015-03-06 14:51 57b674c3 abusing_file_formats/abstract.tar 143360 Defl:X 114462 20% 2015-03-06 14:51 5ba069e8 abusing_file_formats/AppleII.pdf 116 Defl:X 90 22% 2015-03-06 14:51 3ea22dd9 abusing_file_formats/asciizip 420852 Defl:X 406185 4% 2015-03-06 16:27 3c9f19cb abusing_file_formats/cameron.png 41902 Defl:X 41912 0% 2015-03-19 09:51 cef8d310 abusing_file_formats/chimera.png.zip 122880 Defl:X 107822 12% 2015-03-07 12:16 12a53154 abusing_file_formats/chimera.tar.pdf 590538 Defl:X 459937 22% 2015-03-06 14:51 c1383895 abusing_file_formats/Corkami_spectrogram.bmp 537654 Defl:X 231638 57% 2015-03-06 14:51 a4164931 abusing_file_formats/dr_nsa.bmp 10213 Defl:X 8792 14% 2015-03-06 14:51 0366672b abusing_file_formats/I love reliable forensics software.png 1572 Defl:X 831 47% 2015-03-19 09:51 e40e67b7 abusing_file_formats/JPEGScript.pdf 856 Defl:X 448 48% 2015-03-11 13:01 4d60373a abusing_file_formats/JPEGScript_mini.pdf 3542016 Defl:X 143776 96% 2015-03-07 12:16 2e6b6aa2 abusing_file_formats/MIThunt2015image.tiff 311 Defl:X 137 56% 2015-03-06 14:51 8c862162 abusing_file_formats/NoMoreFreeAPP0.jpg 6617738 Defl:X 5758743 13% 2015-03-06 14:51 0f1cea36 abusing_file_formats/PinkFloyd_listen_to_me.bmp 6617738 Defl:X 6192066 6% 2015-03-06 14:51 fb537859 abusing_file_formats/PinkFloyd_RGB_spectrogram.bmp 220341 Defl:X 122916 44% 2015-03-12 11:45 413ebd37 abusing_file_formats/pwnie.pdf 309096 Defl:X 272587 12% 2015-03-07 12:16 f32b85cf abusing_file_formats/qrinception.pdf 132824 Defl:X 123264 7% 2015-03-06 14:51 ba52d5cb abusing_file_formats/quine.pdf 169400 Defl:X 144077 15% 2015-03-06 14:51 c7be9af0 abusing_file_formats/smsgbc.pdf 262656 Defl:X 167363 36% 2015-03-19 09:51 f731ac6a abusing_file_formats/snes_md.pdf 315081 Defl:X 177722 44% 2015-03-06 14:51 f49ea8bb abusing_file_formats/spock_nimoy.pdf 2116880 Defl:X 1957325 8% 2015-03-06 14:51 77d6c1f3 abusing_file_formats/tribute_cabu.wav 2469680 Defl:X 2129924 14% 2015-03-06 14:51 e3e64983 abusing_file_formats/tribute_rogers_stamos.wav 1071194 Defl:X 975369 9% 2015-03-11 09:42 e3c0bd03 abusing_file_formats/vb201503-lossy.pdf 70563 Defl:X 69688 1% 2015-03-06 14:51 8329d52f abusing_file_formats/zipjpg.pdf 0 Stored 0 0% 2015-03-19 09:51 00000000 aes-ni/ 1311 Defl:X 537 59% 2015-03-19 09:51 83b13033 aes-ni/aesni_module.c 453 Defl:X 250 45% 2015-03-19 09:51 2f2c04e1 aes-ni/aesni_test.c 110 Defl:X 79 28% 2015-03-19 09:51 25d491aa aes-ni/aesni_ud_trigger.asm 3204 Defl:X 1333 58% 2015-03-19 09:51 68c49f2a aes-ni/chipsec.patch 3431 Defl:X 1016 70% 2015-03-19 09:51 88bad63c aes-ni/ud_hook.c 682793 Defl:X 672461 2% 2015-02-12 15:08 5c7c8b0e aprsthesis.pdf 25677 Defl:X 9578 63% 2015-03-19 09:51 9c1ff2bf chaffing.txt 226083 Defl:X 213801 5% 2015-03-19 09:51 64a57f11 coastermelt.zip 109783 Defl:X 108607 1% 2015-03-19 09:51 8f922af2 csicyber.png 11536 Defl:X 5453 53% 2015-02-17 15:13 6a41f734 offence.txt 73798 Defl:X 37728 49% 2015-03-11 09:42 dad2ceb5 theMagicNumberAA55.mbr.asm.pdf -------- ------- --- ------- 27300852 21031028 23% 40 files

  PoC||GTFO - Issue 0x08

As exploits sit lonely, FORGOTTEN ON THE SHELF your friendly neighbors at PoC||GTFO proudly present PASTOR MANUL LAPHROAIG'S export-controlled CHURCH NEWSLETTER

June 20, 2015 | 60.5M PDF/ZIP/Shell | Includes | md5sum: 257fc8f01fa20e21f8bd5577639ff596 | Archive.org Entry

1. Please Stand; Now, Please Be Seated
2. Witches, Warlocks, and Wassenaar; or, On the Internet, No One Knows You are a Witch  - Pastor Manul Laphroaig's rant on the recent Wassenaar amendments, which will have us all burned as witches.
3. Deniable Backdoors Using Compiler Bugs  - A backdoored version of Sudo, but why should we give a damn whether anyone can backdoor such an application?  Well, these fine neighbors abuse a pre-existing bug in CLANG that snuck past seventeen thousand assertions.  Thus, the backdoor in their version of Sudo provably doesn't exist until after compilation with a particular compiler, by Scott Bauer, Pascal Cuoq, and John Regehr
4. Protocol for Leibowitz; or, Booklegging by HF in the Age of Safe Æther  - Fancy variants of digital shortwave radio protocols.  They hide text in the null bits between PSK31 letters and in the space between RTTY bytes.  Just for fun, they also transmit Morse code from a 100 Mbit Ethernet to a nearby shortwave receiver!, by Travis Goodspeed and Muur P.
5. Jiggling Into a New Attack Vector  - Analysis of a Weibetech MJ-3 "Mouse Jiggler" used to keep a screensaver from password protecting a seized computer while waiting for a forensic analyst, by Mickey "Laplinker" Shkatov
6. The Hypervisor Exploit I Sat on for Five Years  - A hypervisor exploit that was unwanted bythe academic publishers.  As our Right Reverend has better taste than the Unseen Academics, we happily scooped up their neighborly submission for you, by DJ Capelis and Daniel Bittman
7. Stegosploit  - Saumil presents us with tricks for encoding browser exploitsas image files, by Saumil Shah
8. On Error Resume Next  - Back in the days of Visual Basic 6, there was a directive, On Error Resume Next, that instructed the interpreter to ignore any errors.  Syntax error?  Divide-by-zero?  Wrong number of parameters?  No problem, the program would keep running, the interpreter doing its very best to do something with the hideous mess of spaghetti code that VB programmers are famous for.  Jeffball commits the criminal act of porting this behavior to C on Linux, by Jeffball
9. Unbrick My Part  - Tommy Brixton sings a heartbreaking classic - Unbrick My Part, by EVM and Tommy Brixton
10. Backdoors Up My Sleeve  - JP Aumasson talks about those fancy little NUMS - Nothing Up My Sleeve - numbers.  He keeps a lot of them up his sleeves, by Jean-Philippe Aumasson
11. Naughty Signals; or, The Abuse of a Raspberry Pi  - Russell Handorf teaches us how to build a wireless Capture-the-Flag (CTF) on the cheap, broadcasting a number of different protocols through Direct Digital Synthesis (DDS) on a Raspberry Pi, by Russell Handorf
12. Weird Cryptography; or, How to Resist Brute-Force Attacks  - Philippe Teuwen explains how he made this PDF into a polyglot able to secure your communications by encrypting plain English into - wait for it - plain English!  Still better, all cipher text is grammatical English, by Philippe Teuwen  (Sci-Fi Crypto)
13. Fast Cash for Cyber Munitions!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman.....................................Manul Laphroaig Ethics Advisor..................................The Grugq Poet Laureate...................................Ben Nagy Editor of Last Resort...........................Melilot Carpenter of the Samizdat Hymnary...............Redbeard Editorial Whipping Boy..........................Jacob Torrey Funky File Formats Polyglot.....................Ange Albertini Assistant Scenic Designer.......................Philippe Teuwen Supreme Infosec Thought Commander...............Taylor Swift Minister of Spargelzeit Weights and Measures....FX

Technical Note:  This issue, pocorgtfo08.pdf, is a polyglot that can be meaningfully interpreted as a ZIP, a PDF and a Shell script featuring the weird cryptosystem described in 8:12.  We are the technical debt collectors!

  

The painting inspired by Magritte's Empire of Lights

Did you know?  PoC||GTFO 8.12 drawing is a David Hughes' printing telegraph

Did you know?  PoC||GTFO 0x08 Ossmann artwork is based on the Osman videogame.

# To run the PDF/script $ chmod +x pocorgtfo08.pdf $ ./pocorgtfo08.pdf Usage: Encryption: echo "I want to encrypt this sentence" | ./pocorgtfo08.pdf -e 12345 I need to besiege this carat Decryption: echo "I need to besiege this carat" | ./pocorgtfo08.pdf -d 12345 I want to encrypt this sentence # Encryption $ echo "I want to encrypt this sentence" | ./pocorgtfo08.pdf -e 12345 I need to besiege this carat # Decryption $ echo "I need to besiege this carat" | ./pocorgtfo08.pdf -d 12345 I want to encrypt this sentence $ echo "terrible raccoons achieve their escapades" | ./pocorgtfo08.pdf -d 4321 good neighbors secure their communications $ echo "this is a test message" | ./pocorgtfo08.pdf -d 4321 this is a hoodlum possibility $ cp stegosploit_tool.png stegosploit_tool.html $ firefox stegosploit_tool.html # Allows you to download stegosploit-tools.7z $ unzip -v pocorgtfo08.pdf Archive: pocorgtfo08.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 988446 Defl:X 930108 6% 2015-06-08 15:46 c90f1c79 ECCpolyglots.pdf 440648 Defl:X 440671 0% 2015-06-09 13:36 37bf99fa airtel-injection.tar.bz2 522633 Defl:X 513585 2% 2015-06-09 12:18 acd58c44 airtel.png 1546 Defl:X 861 44% 2015-06-08 15:46 d07edfc7 alexander.txt 118696 Defl:X 118546 0% 2015-06-08 15:46 e739b201 browsersec.zip 31337 Defl:X 11768 62% 2015-06-08 15:46 17a5d4d1 exploit2.txt 38109 Defl:X 16102 58% 2015-06-08 15:46 a7e73b9c geer.langsec.21v15.txt 303926 Defl:X 119268 61% 2015-06-08 15:46 c294060a ifthisgoeson.txt 160225 Defl:X 134457 16% 2015-06-08 15:46 13a3c528 jt65.pdf 3149 Defl:X 1499 52% 2015-06-08 15:46 7751b74c leehseinloong.cpp 2244652 Defl:X 1988107 11% 2015-06-08 15:46 7ccc9913 madelinek.wav 4662 Defl:X 1841 61% 2015-06-08 15:46 f208ff65 numsgen.py 3265 Defl:X 2551 22% 2015-06-08 15:46 c6530c15 onerror.zip 18043319 Defl:X 17692459 2% 2015-06-20 13:26 226c4c80 pocorgtfo08-booklet.pdf 56931 Defl:X 50854 11% 2015-06-08 15:46 85442ffb psk31.pdf 7006322 Defl:X 6836173 2% 2015-06-08 15:46 23364e86 seakernel-exploit.zip 3312213 Defl:X 3299951 0% 2015-06-10 12:46 8c391581 stegosploit_tool.png 1237730 Defl:X 1222143 1% 2015-06-08 15:46 de8ed40b strace-zine.pdf 5357906 Defl:X 5356535 0% 2015-06-08 15:46 050bb4e5 sudo-1.8.13-compromise.tgz 679250 Defl:X 554703 18% 2015-06-08 15:46 1c43ae56 title9.pdf 0 Stored 0 0% 2015-06-12 12:33 00000000 weirdcrypto/ 211 Defl:X 165 22% 2015-06-08 15:46 2e8c9237 weirdcrypto/bruteforce 2701 Defl:X 1156 57% 2015-06-12 12:33 88323050 weirdcrypto/decode 4198 Defl:X 1753 58% 2015-06-12 12:33 0fbc3289 weirdcrypto/encode 0 Stored 0 0% 2015-06-08 15:46 00000000 weirdcrypto/link-grammar/ 0 Stored 0 0% 2015-06-08 15:46 00000000 weirdcrypto/link-grammar/en/ 97 Defl:X 75 23% 2015-06-08 15:46 4a8785bc weirdcrypto/link-grammar/en/4.0.affix 1594 Defl:X 812 49% 2015-06-08 15:46 c6113265 weirdcrypto/link-grammar/en/4.0.constituent-knowledge 148649 Defl:X 36344 76% 2015-06-08 15:46 8b1c9e20 weirdcrypto/link-grammar/en/4.0.dict 12383 Defl:X 3142 75% 2015-06-08 15:46 931db67b weirdcrypto/link-grammar/en/4.0.knowledge 0 Stored 0 0% 2015-06-08 15:46 00000000 weirdcrypto/link-grammar/en/words/ 59864 Defl:X 20422 66% 2015-06-08 15:46 02621027 weirdcrypto/link-grammar/en/words/words.adj.1 3481 Defl:X 1096 69% 2015-06-08 15:46 791e09b8 weirdcrypto/link-grammar/en/words/words.adj.2 4022 Defl:X 1184 71% 2015-06-08 15:46 abc4fe3e weirdcrypto/link-grammar/en/words/words.adj.3 17080 Defl:X 6254 63% 2015-06-08 15:46 7a92545d weirdcrypto/link-grammar/en/words/words.adv.1 802 Defl:X 383 52% 2015-06-08 15:46 a534fd59 weirdcrypto/link-grammar/en/words/words.adv.2 990 Defl:X 375 62% 2015-06-08 15:46 83721974 weirdcrypto/link-grammar/en/words/words.adv.3 93756 Defl:X 32429 65% 2015-06-08 15:46 6592491c weirdcrypto/link-grammar/en/words/words.n.1 129583 Defl:X 40297 69% 2015-06-08 15:46 d6052a8c weirdcrypto/link-grammar/en/words/words.n.2.s 540 Defl:X 255 53% 2015-06-08 15:46 6a95b441 weirdcrypto/link-grammar/en/words/words.n.2.x 37855 Defl:X 13547 64% 2015-06-08 15:46 0526d58f weirdcrypto/link-grammar/en/words/words.n.3 23405 Defl:X 8426 64% 2015-06-08 15:46 71133c93 weirdcrypto/link-grammar/en/words/words.n.4 199 Defl:X 130 35% 2015-06-08 15:46 25763381 weirdcrypto/link-grammar/en/words/words.n.c.1 193 Defl:X 119 38% 2015-06-08 15:46 294e4656 weirdcrypto/link-grammar/en/words/words.n.c.2 350 Defl:X 236 33% 2015-06-08 15:46 ac409ca8 weirdcrypto/link-grammar/en/words/words.n.p 1187 Defl:X 516 57% 2015-06-08 15:46 5a78f5a6 weirdcrypto/link-grammar/en/words/words.n.t 303 Defl:X 207 32% 2015-06-08 15:46 e062596b weirdcrypto/link-grammar/en/words/words.s 7753 Defl:X 3062 61% 2015-06-08 15:46 c3fe3f30 weirdcrypto/link-grammar/en/words/words.v.1.1 8658 Defl:X 3100 64% 2015-06-08 15:46 853faff1 weirdcrypto/link-grammar/en/words/words.v.1.2 8978 Defl:X 3037 66% 2015-06-08 15:46 8b92b451 weirdcrypto/link-grammar/en/words/words.v.1.3 9483 Defl:X 2952 69% 2015-06-08 15:46 8c0701f2 weirdcrypto/link-grammar/en/words/words.v.1.4 984 Defl:X 426 57% 2015-06-08 15:46 f4325d0b weirdcrypto/link-grammar/en/words/words.v.1.p 879 Defl:X 399 55% 2015-06-08 15:46 62290b9a weirdcrypto/link-grammar/en/words/words.v.10.1 974 Defl:X 397 59% 2015-06-08 15:46 62d1cc0c weirdcrypto/link-grammar/en/words/words.v.10.2 995 Defl:X 388 61% 2015-06-08 15:46 b8eb560e weirdcrypto/link-grammar/en/words/words.v.10.3 1116 Defl:X 396 65% 2015-06-08 15:46 7fd7bd27 weirdcrypto/link-grammar/en/words/words.v.10.4 7078 Defl:X 2745 61% 2015-06-08 15:46 11086b0b weirdcrypto/link-grammar/en/words/words.v.2.1 7871 Defl:X 2773 65% 2015-06-08 15:46 774ae232 weirdcrypto/link-grammar/en/words/words.v.2.2 8255 Defl:X 2756 67% 2015-06-08 15:46 435d82ad weirdcrypto/link-grammar/en/words/words.v.2.3 9160 Defl:X 2831 69% 2015-06-08 15:46 846ec2e0 weirdcrypto/link-grammar/en/words/words.v.2.4 9158 Defl:X 2819 69% 2015-06-08 15:46 28dd2f62 weirdcrypto/link-grammar/en/words/words.v.2.5 23348 Defl:X 8460 64% 2015-06-08 15:46 249020a8 weirdcrypto/link-grammar/en/words/words.v.4.1 26031 Defl:X 8632 67% 2015-06-08 15:46 7fbae5c8 weirdcrypto/link-grammar/en/words/words.v.4.2 26708 Defl:X 8433 68% 2015-06-08 15:46 ac9cddae weirdcrypto/link-grammar/en/words/words.v.4.3 29599 Defl:X 8661 71% 2015-06-08 15:46 1bfda97f weirdcrypto/link-grammar/en/words/words.v.4.4 29673 Defl:X 8678 71% 2015-06-08 15:46 0c9100c8 weirdcrypto/link-grammar/en/words/words.v.4.5 827 Defl:X 359 57% 2015-06-08 15:46 a1bc1956 weirdcrypto/link-grammar/en/words/words.v.5.1 948 Defl:X 376 60% 2015-06-08 15:46 2ec7dbda weirdcrypto/link-grammar/en/words/words.v.5.2 1029 Defl:X 380 63% 2015-06-08 15:46 900155cf weirdcrypto/link-grammar/en/words/words.v.5.3 1143 Defl:X 392 66% 2015-06-08 15:46 ae6c0ce8 weirdcrypto/link-grammar/en/words/words.v.5.4 2383 Defl:X 924 61% 2015-06-08 15:46 dbc61ef9 weirdcrypto/link-grammar/en/words/words.v.6.1 2783 Defl:X 954 66% 2015-06-08 15:46 c47341ad weirdcrypto/link-grammar/en/words/words.v.6.2 2901 Defl:X 957 67% 2015-06-08 15:46 c5707c05 weirdcrypto/link-grammar/en/words/words.v.6.3 3393 Defl:X 980 71% 2015-06-08 15:46 ae72fd80 weirdcrypto/link-grammar/en/words/words.v.6.4 3383 Defl:X 972 71% 2015-06-08 15:46 9036a90d weirdcrypto/link-grammar/en/words/words.v.6.5 892 Defl:X 387 57% 2015-06-08 15:46 0098c745 weirdcrypto/link-grammar/en/words/words.v.8.1 1033 Defl:X 404 61% 2015-06-08 15:46 b70779cf weirdcrypto/link-grammar/en/words/words.v.8.2 1066 Defl:X 392 63% 2015-06-08 15:46 6e03d241 weirdcrypto/link-grammar/en/words/words.v.8.3 1256 Defl:X 403 68% 2015-06-08 15:46 50b8b8b5 weirdcrypto/link-grammar/en/words/words.v.8.4 1256 Defl:X 403 68% 2015-06-08 15:46 9cc26d91 weirdcrypto/link-grammar/en/words/words.v.8.5 550 Defl:X 172 69% 2015-06-08 15:46 97620b4f weirdcrypto/link-grammar/en/words/words.y 198264 Defl:X 92170 54% 2015-06-08 15:46 f499ecc3 weirdcrypto/link-grammar/liblink-grammar.so 19520 Defl:X 7069 64% 2015-06-08 15:46 4b7e481b weirdcrypto/link-grammar/link-grammar 324 Defl:X 209 36% 2015-06-12 12:33 1c328eec weirdcrypto/link-parser -------- ------- --- ------- 41558060 39640353 5% 84 files

  PoC||GTFO - Issue 0x09

PASTOR MANUL LAPHROAIG'S tabernacle choir SINGS REVERENT ELEGIES of the SECOND CRYPTO WAR

September 14, 2015 | 69.5M PDF/ZIP/WavPack | Includes | md5sum: 4dc7e88a1f88df3f169245af8c148bde | Archive.org Entry

1. Please Stand; Now, Please Be Seated
2. From Newton to Turing, a Happy Family  - A sermon on Newton and Turing, in which we learn about the academics' affection for Turing-completeness and why they should be allowed to marry it, by Pastor Manul Laphroaig
3. Breaking Globalstar Satellite Communications  - Colby Moore provides all the details you'll need to sniff simplex packets from the Globalstar satellite constellation, by Colby Moore  (Slides)
• Globalstar: Our Satellites Are Not Vulnerable to Hackers
• Hackers Could Heist Semis by Exploiting This Satellite Flaw
• This $1,000 Device Lets Hackers Hijack Satellite Communications
4. Unprivileged Data All Around the Kernels; or, Pool Spray the Feature!  - Some tips by Peter Hlavaty of the Keen Team on kernel pool spraying in Windows and Linux, by Peter Hlavaty
5. Second Underhanded Crypto Contest  - The results of the second Underhanded Crypto Contest, held at the Crypto Village of DEFCON 23, by Taylor Hornby
6. Exploiting Out-of-Order-Execution; or, Processor Side-Channels to Enable Cross VM Code Execution  - Sophia D'Antoine introduces some tricks for communicating between virtual machines co-located on the same physical host.  In particular,the MFENCE instruction can be used to force strict ordering, interfering with CPU instruction pipelining in another VM, by Sophia D'Antoine
7. Anti-Virus Tumors  - A nifty little trick for causing quarantined malware to be re-detected by McAfee Enterprise Virus Scan!  This particular tumor is benign, but we bet a neighborly reader can write a malignant variant, by Eric Davisson  (Twitter)
8. Brewing TCP/IPA; or, A Useful Skill for the Zombie Apocalypse  - Ron Fabela of Binary Brew Works, presents his recipe for TCP/IPA, a neighborly beer with which to warm our hearts and our spirits during the coming apocalypse, by Ron Fabela  (GitHub)
9. Shenanigans with APRS and AX.25 for Covert Communications  - Vogelfrei shares with us some tricks for Automatic Packet Reporting System (APRS) and AX.25 networking.  APRS exists around much of the western world and all sorts of mischief can be had through it, by Vogelfrei
10. Napravi i ti Računar "Galaksija"  - A reprint, in the original Serbian, of Voja Antonić's article on the Galaksija, his Z80 home computer design - the very first in Yugoslavia, by Vojislav "Voja" Antonić
11. Root Rights are a Grrl's Best Friend  - fbz's latest single, Root Rights are a Grrl's Best Friend, by Ms. Fabienne "fbz" Haas  (Twitter)  (2.1M MP3)  (Lyrics)
12. What If You Could Listen to this PDF?  - If you'd rather listen to it than just read the lyrics, run vlc pocorgtfo09.pdf and jump to page 61, where Philippe Teuwen describes how he made this fine document a polyglot of PDF, ZIP, and WavPack, by Philippe Teuwen
13. Oona's Puzzle Corner!  - Oona's Puzzle Corner, with all sorts of nifty games for a child of five.  If you aren't clever enough to solve them, then ask for help from a child of five!, by Oona Räisänen (Twitter)
14. Fast Cash for Cyber Munitions!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman....................................Manul Laphroaig Ethics Advisor.................................The Grugq Poet Laureate..................................Ben Nagy Editor of Last Resort..........................Melilot Carpenter of the Samizdat Hymnary..............Redbeard Editorial Whipping Boy.........................Jacob Torrey Funky File Formats Polyglot....................Ange Albertini Assistant Scenic Designer......................Philippe Teuwen Minister of Spargelzeit Weights and Measures...FX

Technical Note:  You'll be happy to find that, pocorgtfo09.pdf, is a polyglot that is valid in three file formats.  You may interpret it as a PDF to read this issue, as a ZIP to read this issue's source code releases, or as a WavPack lossless audio file to listen to fbz' classic from page 60.  You may have to change the file extension to .WV, depending on your audio player.  A list of compatible players is available at: wavpack.com/#Software

$ file pocorgtfo09.pdf pocorgtfo09.pdf: WavPack Lossless Audio $ unzip -v pocorgtfo09.pdf Archive: pocorgtfo09.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 3173392 Defl:X 789433 75% 2015-09-07 01:14 12a7692a aprs101.pdf 45170 Defl:X 21801 52% 2015-08-04 11:36 11a04047 beer.zip 4864479 Defl:X 4551251 6% 2015-09-07 01:14 ff858f8f bhusa15wenxu.pdf 1354044 Defl:X 1235716 9% 2015-09-07 01:14 6bfb6838 crossvm.pdf 15008 Defl:X 6069 60% 2015-09-07 01:14 e7a8ec68 encham.html 21307 Defl:X 21171 1% 2015-09-07 01:14 4fcb756f globalstar.tar.gz 27139 Defl:X 12325 55% 2015-08-04 11:36 01445942 lazlong.txt 104113 Defl:X 101145 3% 2015-09-07 01:14 de1e8bf7 mattvbrady.jpg 1115466 Defl:X 1066578 4% 2015-09-07 01:14 f0d77902 no_you_really_can_t.png 274231 Defl:X 225203 18% 2015-09-07 01:14 542da31d part97.pdf 3918 Defl:X 1448 63% 2015-09-14 04:54 5a4f0a28 shellcode.js 60448 Defl:X 60458 0% 2015-09-07 01:14 b2c52750 uhc-subs.tar.xz 503 Defl:X 265 47% 2015-09-14 04:54 7cd934ab xpdf-3.02-nodrm.diff -------- ------- --- ------- 11059218 8092863 27% 13 files $ mplayer pocorgtfo09.pdf MPlayer 1.4 (Debian), built with gcc-10 (C) 2000-2019 MPlayer Team Playing pocorgtfo09.pdf. libavformat version 58.76.100 (external) libavformat file format detected. [wv @ 0x7f75b5a618e0]Tag size is way too big [lavf] stream 0: audio (wavpack), -aid 0 Load subtitles in ./ ========================================================================== Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders libavcodec version 58.134.100 (external) AUDIO: 44100 Hz, 2 ch, s32le, 0.0 kbit/0.00% (ratio: 0->352800) Selected audio codec: [ffwavpack] afm: ffmpeg (FFmpeg WavPack audio) ========================================================================== AO: [pulse] 44100Hz 2ch s32le (4 bytes per sample) Video: no video Starting playback... A: 0.9 (00.9) of 132.7 (02:12.7) 1.4%

  PoC||GTFO - Issue 0x10

IN THE THEATER OF LITERATE DISASSEMBLY, PASTOR MANUL LAPHROAIG AND HIS MERRY BAND OF REVERSE ENGINEERS LIFT THE WELDED HOOD FROM THE ENGINE THAT RUNS THE WORLD!

January 16, 2016 | 58.4M PDF/ZIP/LSMV | Includes | md5sum: a80760ce9298ead26efe566ed031e5f4 | Archive.org Entry

1. Please Stand; Now, Please Be Seated
2. Three Ghosts and a Little, Brown Dog  - A sordid tale in the style of a Dickensian ghost story.  Pastor Laphroaig invites us to the anatomical theater, where helpless Tamagotchis are disassembled in front of an audience - for FUN!, Pastor Manul Laphroaig
3. Pokémon Plays Twitch  - A delightfully sophisticated and reliable exploit for Pokémon Red on the Super Game Boy, starting from a save-game glitch, then working forward through native Z80 code execution to native 65C816 code on the host Super NES.  They do all of this on real hardware with scripted access to only the gamepad and the reset switch, by Allan Cecil (dwangoAC), Ilari Liusvaara, and Jordan Potter (p4plus2)
4. This PDF is also a Game Boy Exploit that Displays the "Pokémon Plays Twitch" Article!  - Contains the details for how this PDF is also an exploit, loading 'Pokémon Plays Twitch' in the LSNES emulator.
5. SWD Marionettes; or, The Internet of Unsuspecting Thing  - Notes on ARM's replacement for JTAG, called 'Single WireDebug' or SWD.  Driving SWD from an Arduino, she's able to move the target machine like a marionette, scripted from literate HTML5 programming with powerful new elements such as swd-hexedit, by Micah Elizabeth Scott
6. Reversing a Pregnancy Test; or, Bitch Better Have My Money!  - When we heard that Amanda Wozniak was contracted to reverse engineer a pregnancy test, but never paid for the work, we quickly scrounged up five Canadian loonies to buy the work as scrap.  Page 32 contains her notes, and we'll happily pay five more loonies to the first use of this technology in a Hackaday marriage proposal or shotgun wedding, by Amanda Wozniak
7. A Brief Description of Some Popular Copy-Protection Techniques on the Apple ][ Platform  - Peter Ferrie shares tricks for breaking the copy protection of dozens of Apple ][ games.  When we told Peter to keep his notes to six pages, he laughed and dared us to find tricks worth cutting from his article.  Accordingly, our cutting-room floor is empty and this article is the most complete collection of Apple ][ cracking techniques in modern publication, by Peter Ferrie
8. Reverse Engineering the Tytera MD380  - Travis Goodspeed has been playing with Digital Mobile Radio (DMR) lately, a competitor to TETRA and P25 that is used for amateur radio, as well as trunked radio for businesses and cash-strapped police departments.  Page 76 contains his notes for jailbreaking the Tytera MD380's bootloader, dumping all of protected memory, then patching its application to enable promiscuous mode.  These tricks should also work on the CS700, CS750, and a variety of other DMR handhelds, by Travis Goodspeed (KK4VCZ), Christiane (DD4CR), and Patrick Hickey (W7PCH)
• Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware
• Slides
9. Tithe Us Your Alms of Ø-Day!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman.....................................Manul Laphroaig Ethics Advisor..................................The Grugq Poet Laureate...................................Ben Nagy Editor of Last Resort...........................Melilot LaTeXnician.....................................Evan Sultanik Editorial Whipping Boy..........................Jacob Torrey Funky File Formats Polyglot.....................Ange Albertini Assistant Scenic Designer.......................Philippe Teuwen Minister of Spargelzeit Weights and Measures....FX

Technical Note:  The polyglot file, pocorgtfo10.pdf, is valid as a PDF, as a ZIP file, and as a LSMV recording of a Tool Assisted Speedrun (TAS) that exploits Pokéon Red in a Super Game Boy on a Super NES.  The result of the exploit is a chat room that plays the text of PoC||GTFO 10:3.  Run it in LSNES (WinBuilds) with the Gambatte plugin, the Japanese version of the Super Game Boy ROM and the USA/Europe version of Pokémon Red: ./lsnes --library=gambatte/core.so

$ unzip -v pocorgtfo10.pdf Archive: pocorgtfo10.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 0 Stored 0 0% 2016-01-12 10:38 00000000 AppleII/ 0 Stored 0 0% 2016-01-12 10:38 00000000 AppleII/LoGo/ 113208 Defl:X 17854 84% 2016-01-12 10:38 1cceb2a1 AppleII/LoGo/Karateka.txt 40251 Defl:X 8303 79% 2016-01-12 10:38 03fa2f5f AppleII/LoGo/Lode Runner.txt 14984 Defl:X 4208 72% 2016-01-12 10:38 3f3c4616 AppleII/LoGo/Tunnels of Armageddon.txt 0 Stored 0 0% 2016-01-12 10:38 00000000 AppleII/qkumba/ 40171 Defl:X 10051 75% 2016-01-12 10:38 bb8bfa23 AppleII/qkumba/Bank Street Writer III.txt 10485 Defl:X 4213 60% 2016-01-12 10:38 92e86679 AppleII/qkumba/Conan.txt 12336 Defl:X 4941 60% 2016-01-12 10:38 f2afea9c AppleII/qkumba/PoP.txt 3656 Defl:X 1096 70% 2016-01-12 10:38 e96d2857 AppleII/qkumba/Rastan.txt 9696 Defl:X 3840 60% 2016-01-12 10:38 d45d670f AppleII/qkumba/Toy Shop.txt 622342 Defl:X 622437 0% 2016-01-08 14:54 874aa6a3 AppleII/The 4am Collection 2015-12-31.7z 434121 Defl:X 375763 13% 2016-01-08 14:54 7af14c45 adventure.pdf 5089608 Defl:X 5089896 0% 2015-09-28 14:16 d59a3421 broken_abandoned.tar.gz 46988 Defl:X 43791 7% 2015-12-21 09:43 613228d7 esp8266-arm-swd.zip 1033007 Defl:X 537559 48% 2016-01-08 14:54 c5efc3e9 hrc5000.pdf 26996 Defl:X 6365 76% 2016-01-12 10:38 ec31260b index.bib 12311 Defl:X 5951 52% 2016-01-12 10:38 ae72950e index.txt 6161020 Defl:X 5961672 3% 2015-11-16 12:50 aad2d2bb is_v91no1.pdf 994816 Defl:X 701211 30% 2016-01-16 08:41 487d2be0 md380shmoocon.bin 38774 Defl:X 34937 10% 2016-01-12 10:38 08383ac7 md380tools.zip 9615336 Defl:X 9508130 1% 2016-01-08 14:54 e5a02516 p25sec.pdf 0 Stored 0 0% 2016-01-16 08:55 00000000 pokemon_plays_twitch/ 44334 Defl:X 11464 74% 2016-01-01 13:17 b69575cb pokemon_plays_twitch/controllers.lua 1889 Defl:X 720 62% 2016-01-04 07:31 625edf0e pokemon_plays_twitch/lsnes_dump_frames.lua 1720 Defl:X 697 60% 2016-01-08 14:54 e73a3951 pokemon_plays_twitch/lsnes_dump_latch_subf.lua 1930821 Defl:X 1468437 24% 2016-01-01 13:17 f3e97844 pokemon_plays_twitch/pokered-master.zip 107936 Defl:X 100122 7% 2016-01-04 07:31 60339103 pokemon_plays_twitch/PptIrcBot.zip 11834 Defl:X 4162 65% 2016-01-04 07:31 9a290616 pokemon_plays_twitch/replay.py 11798 Defl:X 4139 65% 2016-01-04 07:31 56513e3a pokemon_plays_twitch/replay_reset.py 4392174 Defl:X 1938787 56% 2016-01-16 08:55 72aa6115 pokemon_plays_twitch/sgbhowto.pdf 1003339 Defl:X 956584 5% 2015-12-23 11:47 418a6dff pregpatent.pdf 168346 Defl:X 135691 19% 2015-12-28 11:43 f8c8beb2 rowhammer.pdf 9555 Defl:X 3428 64% 2015-10-24 10:48 c50f2268 yolo.txt 29509 Defl:X 9765 67% 2016-01-12 10:38 6a58528f z_OS_LE_Daisy_Chain.rtf -------- ------- --- ------- 32033361 27576214 14% 35 files

  PoC||GTFO - Issue 0x11

IN A FIT OF STUBBORN OPTIMISM, PASTOR MANUL LAPHROAIG AND HIS CLEVER CREW SET SAIL TOWARD WELCOMING SHORES OF THE GREAT UNKNOWN!

March 17, 2016 | 32.3M PDF/HTML/ZIP/Ruby | Includes | md5sum: b162285329c2f293a3daef69889c327e | Archive.org Entry

1. Please Stand; Now, Please Be Seated
2. In Praise of Junk Hacking  - Ignore the publicity and drama around a hack, ignore even its target and its CVE.  Instead, we should learn the mechanism of the hack, the clever tricks that make it work, by Pastor Manul Laphroaig
3. Emulating Star Wars on a Vector Display  - In a fit of nostalgia for the good old vector arcade games, Trammel Hudson extended MAME to support native vector displays of the 1983 Star Wars arcade game on both his Tektronix 1720 scope and a Vectrex home vector display, by Trammell Hudson (Twitter)
4. Master Boot Record Nibbles; or, One Boot Sector PoC Deserves Another  - A 512-byte game for the PC BIOS.  Eric discusses some nifty tricks for self-rewriting code in 16-bit Real Mode and shows that the fancier features of an operating system aren't needed to have a little fun - and that programming a constrained environment can be great fun indeed, by Eric Davisson  (Twitter)
5. In Search of the Most Amazing Thing; or, Towards a Universal Method to Defeat E7 Protection on the Apple ][ Platform  - Peter Ferrie describes his work toward a universal bypass for the E7 protection mode used on a number of Apple ][ disks.  This is a follow-up to his encyclopedic coverage of protection modes for this platform in PoC||GTFO 10:7, by Peter Ferrie
6. A Tourist's Phrasebook for Reversing Embedded ARM in the Dialect of the Cortex-M Series  - A series of tourist guides, intended to quickly introduce reverse-engineers to a new platform.  Page 20 provides a lightning-fast introduction to ARM's Cortex-M series, which you'll find in modern devices with a megabyte or less of Flash memory, by Ryan Speers and Travis Goodspeed
7. A Ghetto Implementation of CFI on x86  - A poor-man's method of patching 32-bit x86 binaries to enforce the control flow graph.  With examples in Radare2 and legible C, you'll be itching to write your own generic patchers for large binaries this weekend, by Jeffrey Crowell
8. A Tourist's Phrasebook for Reversing MSP430  - Contains similar notes for the Texas Instruments MSP430, MSP430X, and MSP430X2 architectures, a 16-bit competitor to the PIC and AVR, by Ryan Speers and Travis Goodspeed
9. This HTML Page is Also a PDF, Which is Also a ZIP, Which is Also a Ruby Script, Which is an HTTP Quine; or, The Treachery of Files  - How Evan Sultanik made this PDF - the one that you're reading - into a poyglot webserver quine in Ruby with its own samizdat PoC||GTFO mirror, by Evan Sultanik
10. In Memoriam: Ben "bushing" Byer  - It is with great sadness that we dedicate this release to the memory of our neighbor Ben Byer, the "hypothetical defendant by the name of 'bushing'" who inspired many of us to put pwnage before politics, to keep on hacking.  We're gonna miss him, by fail0verflow
11. Tithe Us Your Alms of Ø-Day!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman......................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen .................................and sundry others

Technical Note:  Thanks to a Funky File Format Fire Sale, the file named pocorgtfo11.pdf is a polyglot in HTML, PDF, ZIP, and Ruby that executes as a quine over HTTP.

• Open pocorgtfo11.pdf in Adobe Reader or in Acrobat (other PDF viewers cannot display the animation).
• Go to page 8.
• Click on page area at lower-end.
• (The animation is JavaScript-based, so of course it won't work, if you disabled JavaScript in your Reader/Acrobat preferences.)

$ unzip -v pocorgtfo11.pdf Archive: pocorgtfo11.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 0 Stored 0 0% 2016-03-13 11:41 00000000 4am/ 14760 Defl:X 6237 58% 2016-03-08 10:19 960d7165 4am/Match It (4am crack).txt 28280 Defl:X 11072 61% 2016-03-08 10:19 c4863491 4am/Mathematics Activities Courseware Level 6 (4am crack).txt 26927 Defl:X 9921 63% 2016-03-13 11:41 fd6bedd5 4am/Sentence Structure (4am crack).txt 57588 Defl:X 19791 66% 2016-03-08 10:19 749fa1c1 4am/Speed Reader II 091286 (4am crack).txt 25955 Defl:X 8716 66% 2016-03-08 10:19 5429aece 4am/Stickybear Math 2 (4am crack).txt 1463299 Defl:X 1356309 7% 2016-03-07 09:17 40150663 batteryfirmware.pdf # Battery Firmware Hacking - Charlie Miller 29496 Defl:X 6558 78% 2016-03-07 09:17 4da233ae bq20z80.py # BQ20Z80 IDA Processor module 7716 Defl:X 6998 9% 2016-01-29 11:28 bb9b0e7c favicon.png 0 Stored 0 0% 2016-03-08 10:19 00000000 homages/ 107633 Defl:X 107496 0% 2016-03-08 10:19 f7f81eab homages/GitItaly.jpg 807855 Defl:X 797081 1% 2016-03-08 10:19 65c5ae84 homages/ov-keephacking.jpg 270411 Defl:X 269352 0% 2016-03-08 10:19 85e4a09a homages/SecurityMug.jpg 4459080 Defl:X 4287890 4% 2016-03-08 10:19 fe8370f0 homages/ShawNock.gif 63669 Defl:X 63520 0% 2016-03-08 10:19 22b98466 homages/Zod.jpg 945 Defl:X 563 40% 2016-03-17 10:03 3115effb index.txt 29770 Defl:X 6900 77% 2016-03-16 00:22 a5c9a281 issues.bib 13628 Defl:X 6482 52% 2016-03-16 00:22 18322acd issues.txt 2913698 Defl:X 2625737 10% 2016-03-17 09:59 cac7b2fc md380tool.apk # A quick tool for accessing the Tytera MD380 from Android. 247868 Defl:X 189034 24% 2016-03-07 09:17 48fffd1b sluu225.pdf # bq803xx ROM API v 3.0 176187 Defl:X 143463 19% 2016-03-07 09:17 7e796116 tronsolitare.zip # Tron Solitare github clone 28949 Defl:X 7251 75% 2016-03-04 10:20 1f36df49 vectormame.diff # diff for Mame (see Star Wars article) 314149 Defl:X 312119 1% 2016-03-07 15:41 a9f2e3d8 vst.tar.gz # v.st vector board sources 3241 Defl:X 1553 52% 2016-03-12 13:27 843513b1 wafflehouse.txt -------- ------- --- ------- 11091104 10244043 8% 24 files $ ruby pocorgtfo11.pdf & Listening for connections on port 8080. To listen on a different port, re-run with the desired port as a command-line argument. $ curl -s http://localhost:8080/pocorgtfo11.pdf | diff -s - pocorgtfo11.pdf A neighbor at 127.0.0.1 is requesting /pocorgtfo11.pdf Files - and pocorgtfo11.pdf are identical

  PoC||GTFO - Issue 0x12

COLLECTING BOTTLES OF BROKEN THINGS, PASTOR MANUL LAPHROAIG WITH THEORY AND PRAXIS COULD BE THE MAN WHO SNEAKS A LOOK BEHIND THE CURTAIN!

June 18, 2016 | 60.2M PDF/ZIP/APK | Includes | md5sum: 23f54e6844686c6420fc66a981313b4c | Archive.org Entry

1. Lisez Moi!  ("read me")
2. Surviving the Computation Bomb  - A sermon concerning peak computation, population bombs, and the joy of peeks and pokes in the modern world, by Pastor Manul Laphroaig
3. Carols of the Z-Wave Security Layer; or, Robbing Keys from Peter to Unlock Paul  - A number of tricks for extracting pre-shared keys from wireless Z-Wave devices, and then show how to use those keys to join the network, by Chris Badenhop and Ben Ramsey
4. Content Sniffing with Comma Chameleon  - Weaponize PDF polyglots to exfiltrate data via XSS-like vulnerabilities.  You will never look at a PDF with the same eyes again, by Krzysztof Kotowicz and Gábor Molnár
5. Crisis of Existential Import; or, Putting the VM in M/o/Vfuscator  - How to implement M/o/Vfuscator as a virtual machine, producing a few bytes of portable C or assembly and a complete, obfuscated program in the .data segment, by Chris Domas
6. A JCL Adventure with Network Job Entries  - IBM had JCL with syntax worse than Joss, and everywhere the language went, it was a total loss!  So dust off your z/OS mainframe and find that ASCII/EBCDIC chart, by Soldier of Fortran
7. Exploiting Weak Shellcode Hashes to Thwart Module Discovery; or, Go Home, Malware, You're Drunk!  - What does a cult Brezhnev-era movie have to dowith how exploit code finds its bearings in a Windows process' address space?  Read to find out, by Mike Myers and Evan Sultanik
8. UMPOwn  - A 'Device Guard Mitigation Bypass' for Windows 10, escalating from Ring 3 to Ring 0 with complete reconstruction of all corrupted data structures, by Alex Ionescu
9. Vim Execution Engine  - A Turing-complete virtual machine for Vim using only the normal commands, such as yank, put, delete, and search, by Chris Domas  (GitHub)
10. Doing Right by Neighbor O'Hara  - A sermon against the heresy of 'sanitizing' input as a miracle cure against injection attacks.  Our guest preacher exposes it as fundamentally unneighborly, and vouchsafes the true faith, by Andreas Bogk
11. Are All Androids Polyglots or Only C-3PO?  - You get to practice Jedi polyglot mind tricks on the Android package system.  Now these are the droids we are looking for, neighbors!, by Philippe Teuwen
12. Tithe Us Your Alms of Ø-Day!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Preacherman......................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Spirit Animal Guide..............Spencer Pratt .................................and sundry others

Technical Note:  The polyglot file, pocorgtfo12.pdf, is valid as a PDF, as a ZIP file, and as an Android application.  You can read all about the polyglot on page 79.  To install it on an Android terminal, simply drop it into /sdcard and run the following from the Android shell: pm install /sdcard/pocorgtfo12.pdf

$ unzip -v pocorgtfo12.pdf Archive: pocorgtfo12.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 30544923 Stored 30544923 0% 2016-06-18 04:26 00c65ce7 pocorgtfo12-printing.pdf 2536 Defl:X 885 65% 2016-06-17 19:24 e164e44f AndroidManifest.xml 0 Stored 0 0% 2016-06-15 12:37 00000000 CommaChameleon/ 361 Defl:X 246 32% 2016-06-15 12:37 5b6f822e CommaChameleon/README 4783 Defl:X 1584 67% 2016-06-15 12:37 b0a9f888 CommaChameleon/index.html 522 Defl:X 345 34% 2016-06-15 12:37 5fd3fecd CommaChameleon/smaller.pdf 904 Defl:X 499 45% 2016-06-15 12:37 0ad842a5 CommaChameleon/doc.php 732 Defl:X 476 35% 2016-06-15 12:37 4e5bcc7e CommaChameleon/ascii.pdf 299575 Defl:X 277172 8% 2016-06-15 12:37 b9ac5ab0 CommaChameleon/CrossSiteContentHijacking.zip 1264 Defl:X 630 50% 2016-06-15 12:37 30244692 CommaChameleon/xfa.pdf 45 Defl:X 44 2% 2016-06-15 12:37 8c2c83dd CommaChameleon/secret.txt 236248 Defl:X 214257 9% 2016-06-18 04:08 5103fbbd ExecPacket.pdf # Execute My Packet 157652 Defl:X 50650 68% 2016-06-15 12:37 1c6a04ac Gumball (4am & san inc crack).txt 0 Stored 0 0% 2016-06-15 12:37 00000000 HackBack/ 45018 Defl:X 18635 59% 2016-06-15 12:37 883d31a6 HackBack/GPSHF04A 44244 Defl:X 18551 58% 2016-06-15 12:37 e0c80233 HackBack/6kho7.txt 43086 Defl:X 17840 59% 2016-06-15 12:37 1b76d64c HackBack/0SNSvyjJ 668120 Defl:X 634105 5% 2016-06-18 04:08 8b309840 JSMinifier.pdf # Backdooring your JavaScript using minifier bugs, by bcrypt 0 Stored 0 0% 2016-06-15 12:37 00000000 KeepHacking/ 663267 Defl:X 648915 2% 2016-06-15 12:37 1e8c6541 KeepHacking/luca1.jpg 240255 Defl:X 232013 3% 2016-06-15 12:37 91825fa4 KeepHacking/luca2.jpg 8247437 Defl:X 6646819 19% 2016-06-18 04:08 19b46dd8 RE4B-EN-A5.pdf # Reverse Engineering for Beginners, A5 format 6507401 Defl:X 6212880 5% 2016-06-17 18:37 97a28077 RE4B-EN.pdf # Reverse Engineering for Beginners 27608 Defl:X 9349 66% 2016-06-15 12:37 e6e4169a Rocky's Boots 4.0.txt 0 Stored 0 0% 2016-06-17 19:38 00000000 ShellCodeHashCollision/ 1399 Defl:X 431 69% 2016-06-17 19:38 4211b1d2 ShellCodeHashCollision/ShellcodeHarness.sln 0 Stored 0 0% 2016-06-17 19:38 00000000 ShellCodeHashCollision/InterferenceDLL/ 164 Defl:X 142 13% 2016-06-17 19:38 df441710 ShellCodeHashCollision/InterferenceDLL/InterferenceDLL.vcxproj.user 314 Defl:X 193 39% 2016-06-17 19:38 05ca42df ShellCodeHashCollision/InterferenceDLL/targetver.h 1585 Defl:X 543 66% 2016-06-17 19:38 a1a2a189 ShellCodeHashCollision/InterferenceDLL/InterferenceDLL.vcxproj.filters 9227 Defl:X 1291 86% 2016-06-17 19:38 380d5ced ShellCodeHashCollision/InterferenceDLL/InterferenceDLL.vcxproj 1317 Defl:X 695 47% 2016-06-17 19:38 ae754e75 ShellCodeHashCollision/InterferenceDLL/InterferenceDLL.cpp 419 Defl:X 259 38% 2016-06-17 19:38 5aaa4001 ShellCodeHashCollision/InterferenceDLL/stdafx.h 302 Defl:X 195 35% 2016-06-17 19:38 a000d7ab ShellCodeHashCollision/InterferenceDLL/stdafx.cpp 1235 Defl:X 628 49% 2016-06-17 19:38 84b6e5f1 ShellCodeHashCollision/InterferenceDLL/dllmain.cpp 2224 Defl:X 846 62% 2016-06-17 19:38 db34ec5b ShellCodeHashCollision/InterferenceDLL/ReadMe.txt 3335 Defl:X 1276 62% 2016-06-17 19:38 02b56f73 ShellCodeHashCollision/InterferenceDLL/ProcessEnvironmentBlock.h 7804 Defl:X 1931 75% 2016-06-17 19:38 ee58e198 ShellCodeHashCollision/InterferenceDLL/ProcessEnvironmentBlock.cpp 1793 Defl:X 973 46% 2016-06-15 12:37 0a2688cf ShellCodeHashCollision/unhash.py 200 Stored 200 0% 2016-06-17 19:38 b92dfc56 ShellCodeHashCollision/shellcode.raw 3495 Defl:X 1582 55% 2016-06-15 12:37 baabdf69 ShellCodeHashCollision/metasploit.py 0 Stored 0 0% 2016-06-17 19:38 00000000 ShellCodeHashCollision/ShellcodeHarness/ 314 Defl:X 193 39% 2016-06-17 19:38 05ca42df ShellCodeHashCollision/ShellcodeHarness/targetver.h 4537 Defl:X 1075 76% 2016-06-17 19:38 a6539e09 ShellCodeHashCollision/ShellcodeHarness/ShellcodeHarness.vcxproj 4486 Defl:X 2031 55% 2016-06-17 19:38 e7c8336e ShellCodeHashCollision/ShellcodeHarness/ShellcodeHarness.cpp 320 Defl:X 196 39% 2016-06-17 19:38 c3262ff7 ShellCodeHashCollision/ShellcodeHarness/stdafx.h 303 Defl:X 199 34% 2016-06-17 19:38 50f97b96 ShellCodeHashCollision/ShellcodeHarness/stdafx.cpp 1778 Defl:X 614 66% 2016-06-17 19:38 75c7d52f ShellCodeHashCollision/ShellcodeHarness/ReadMe.txt 395 Defl:X 263 33% 2016-06-17 19:38 8969713f ShellCodeHashCollision/ShellcodeHarness/ShellcodeHarness.vcxproj.user 1274 Defl:X 509 60% 2016-06-17 19:38 e3f026b1 ShellCodeHashCollision/ShellcodeHarness/ShellcodeHarness.vcxproj.filters 2927 Defl:X 1347 54% 2016-06-15 12:37 603f4235 ShellCodeHashCollision/spyeye.py 776165 Defl:X 774955 0% 2016-06-17 18:37 725566b6 StarRaiders.zip # Fully documented, reverse-engineered STAR RAIDERS source code 6716 Defl:X 3241 52% 2016-06-17 19:24 6b1a93ab classes.dex 562 Defl:X 316 44% 2016-06-18 04:08 56033320 index.txt 32263 Defl:X 7421 77% 2016-06-17 18:37 bfd57ab6 issues.bib 14725 Defl:X 6982 53% 2016-06-17 11:46 998e56d6 issues.txt 6588 Defl:X 2631 60% 2016-06-15 12:37 6f04fc46 nje-node-brute.nse 6408 Defl:X 2351 63% 2016-06-15 12:37 4e6c44fd nje-pass-brute.nse 583819 Defl:X 470026 20% 2016-06-15 12:37 b3de0d37 pringlesenigma3a4.pdf 0 Stored 0 0% 2016-06-17 19:25 00000000 res/ 0 Stored 0 0% 2016-06-18 04:26 00000000 res/layout/ 728 Defl:X 370 49% 2016-06-17 19:24 2fd99107 res/layout/main.xml 0 Stored 0 0% 2016-06-18 04:26 00000000 res/drawable-xhdpi-v4/ 27417 Stored 27417 0% 2016-06-15 17:49 ded29134 res/drawable-xhdpi-v4/manul.png 0 Stored 0 0% 2016-06-18 04:26 00000000 res/drawable/ 663663 Defl:X 663224 0% 2016-06-17 19:24 5308dc17 res/drawable/manulnfc.png 0 Stored 0 0% 2016-06-18 04:26 00000000 res/drawable-hdpi-v4/ 16112 Stored 16112 0% 2016-06-15 17:49 2de29687 res/drawable-hdpi-v4/manul.png 0 Stored 0 0% 2016-06-18 04:26 00000000 res/drawable-mdpi-v4/ 7550 Stored 7550 0% 2016-06-15 17:49 ab30d2bc res/drawable-mdpi-v4/manul.png 0 Stored 0 0% 2016-06-18 04:26 00000000 res/drawable-xxhdpi-v4/ 61718 Defl:X 61728 0% 2016-06-15 17:49 39095a3e res/drawable-xxhdpi-v4/manul.png 1420 Defl:X 370 74% 2016-06-17 19:24 846f860d resources.arsc 12350367 Defl:X 12352047 0% 2016-06-15 12:37 09c5adcb vimmmex.tar.gz 213890 Defl:X 209872 2% 2016-06-15 12:37 7178721b zwave.tar.gz 0 Stored 0 0% 2016-06-18 04:27 00000000 META-INF/ 1443 Defl:X 1135 21% 2016-06-18 04:27 b294282d META-INF/POCORGTF.RSA 6754 Defl:X 3051 55% 2016-06-18 04:27 58a5e9bd META-INF/POCORGTF.SF 6592 Defl:X 2915 56% 2016-06-18 04:27 1bc0a0e7 META-INF/MANIFEST.MF -------- ------- --- ------- 62572028 60162144 4% 79 files

  

  PoC||GTFO - Issue 0x13

PASTOR LAPHROAIG'S MERCY SHIP HOLDS STONES FROM THE IVORY TOWER, BUT ONLY AS BALLAST!

October 18, 2016 | 62.1M PDF/PS/ZIP | Includes | md5sum: 1f019532beb6db4b234b3f328d4fa68e | Archive.org Entry

1. Read Me if You Want to Live!
2. Reverse Engineering Star Raiders  - The story of how Star Raiders by Doug Neubauer for the Atari 400 was taken apart by Lorenz Weist, from a mere ROM cartridge dump to annotated and literate 6502 disassembly.  By a stroke of luck, Lorenz was able to read Doug's original source code for the game after completing his reverse-engineering project, giving him the rare opportunity to confirm his understanding of the game's design and behavior, by Lorenz Wiest  (Additional Info)
3. How Slow Can You Go?  - Nifty little trick for simplifying reliable exploitation of race condition vulnerabilities.  Rather than spin-up a dozen attempts to improve racetrack odds, James instead induces situations with pathological performance penalties to Windows NT system calls, stunning the threads of execution that might interfere with his exploit for twenty minutes or more!, by James Forshaw
4. The FaceWhisperer for USB Glitching; or, Reading RFID with ROP and a Wacom Tablet  - Micah explains an USB magic trick in which her FaceWhisperer board - combining the Facedancer and the Chip Whisperer - which is able to reliably glitch the USBstack of an embedded device to dump its firmware.  Or, we could say that on page 30 she explains how to use undocumented commands from that firmware dump to program the Harvard device by ROP.  Or, we could say that on page 30 she shows you to read RFID tags with a Wacom tablet.  These tricks are all the same article, by Micah Elizabeth Scott
5. Decoding AMBE+2 in MD380 Firmware in Linux  - On page 38, Travis describes how to rip the AMBE audio codec out of the radio firmware, transforming it into a command line audio processing tool that runs on any Linux workstation.  Similar tricks can be used to quickly toss together emulators for many ARM and PowerPC embedded systems, reusing their library functions, or fuzzing their parsers in the familiar environment of an everyday laptop, by Travis Goodspeed
6. Password Weaknesses in Physical Security: Silliness in Three Acts  - Evan Sultanik is back with a safe-cracking adventure that could only be expressed as a play in three acts, narrated by our own Pastor Manul Laphroaig.  Speaking parts are available for Alice Feynman, Bob Schrute, Havva al-Kindi, and the ghost of Paul Erdõs.  You'll find Evan's script on page 43, by Evan Sultanik
7. Reverse Engineering the LoRa PHY  - Matt Knight has been reverse-engineering the PHY of LoRa, a low-power protocol for sub-GHz wireless networking over long distances.  On page 48 you will find not just the protocol details that allowed him to write an open-source receiver, but, far more importantly, you will also find the methods by which he reverse-engineered this information from captured packets, vague application notes, and the outright lies of the patent application, by Matt Knight
8. Plumbing, Not Popper; or, The Problem with STEP  - Manul reminds us that science takes place neither on stage in front of a live studio audience nor in committees and government offices, but over a glass of fine scotch that's accompanied by finer conversation of practitioners.  In the same way that we oughtn't put Tim 'The Tool Man' Taylor in charge of vocational education, we ought to leave the teaching of science to those who do it, not those who talk about it on TV, by Pastor Manul Laphroaig
9. Where is ShimDBC.exe?  - Geoff Chappell is an old-school reverse-engineer, an x86 archaeologist who has spent the past 24 years reading Windows binaries to identify all the forgotten features and corner cases that the rest of us might take for granted.  On page 63, he introduces us to the mystery of Microsoft's ShimDatabase Compiler, an unpublished tool for compiling driver shims that doesn't seem to be available to the outside world.  Geoff shows us that, in fact, the tool is available, wrapped up inside of a GUI as QFixApp.exe or CompatAdmin.exe.  By patching the program to expose its intact winmain(), hec an recover the long-lost ShimDBC.exe for compiling Windows driver compatibility shims from XML, by Geoff Chappell  (Additional Info)
10. Post Scriptum: A Schizophrenic Ghost  - Evan Sultanik and Philippe Teuwen have teamed-up on page 71, to explain the inner workings of pocorgtfo13.pdf, which you can rename to read as pocorgtfo13.zip or pocorgtfo13.ps, by Evan Sultanik and Philippe Teuwen
11. Tithe Us Your Alms of Ø-Day!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen .................................and sundry others

Technical Note:  As described in PoC||GTFO 13:10, pocorgtfo13.pdf, is a polyglot that may be interpreted as both a PDF and a PostScript file.  As a PDF, this file is mostly harmless, but we warn you that the PostScript will render differently each time, including both a randomly generated maze and - if Tavis Ormandy hasn't killed such a lovely bug yet - a copy of your /etc/passwd file.

$ file pocorgtfo13.pdf pocorgtfo13.pdf: PDF document, version 1.5, ISO-8859 text, with very long lines $ unzip -v pocorgtfo13.pdf Archive: pocorgtfo13.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 5170872 Defl:X 4988137 4% 2016-08-13 19:04 e4c2c318 AIM-239.pdf 42858 Defl:X 33332 22% 2016-08-13 19:04 bf50a902 Atari6502Assembler.zip 413615 Defl:X 408416 1% 2016-09-27 08:05 c90b73b8 PE6-5000.m4a 1195 Defl:X 433 64% 2016-10-15 13:20 fa679520 SerialDOS.java 95671 Defl:X 89872 6% 2016-10-15 13:20 00aa3c9f SerialDOS.jpeg 3798 Defl:X 1695 55% 2016-10-15 13:20 98fff872 SerialDOS.txt 0 Stored 0 0% 2016-08-19 14:54 00000000 StarRaiders/ 0 Stored 0 0% 2016-08-19 14:54 00000000 StarRaiders/extras/ 250327 Defl:X 227305 9% 2016-08-19 14:54 4ab8d7ad StarRaiders/extras/ColorSheets.pdf 237177 Defl:X 218675 8% 2016-08-19 14:54 1bfb2a19 StarRaiders/extras/DisplayListSheets.pdf 1409 Defl:X 716 49% 2016-08-19 14:54 58651d90 StarRaiders/README.md 643687 Defl:X 140653 78% 2016-08-19 14:54 e1ff14eb StarRaiders/StarRaiders.source.asm.txt 825509 Defl:X 177829 79% 2016-08-19 14:54 ad7aefbe StarRaiders/StarRaiders.source.txt 776889 Defl:X 775778 0% 2016-09-27 08:05 05e20476 StarRaiders.zip 157840 Defl:X 46304 71% 2016-09-27 08:05 4f20f1bf StarRaiders_001-112.txt 234210 Defl:X 221901 5% 2016-08-16 19:45 0961373c Sugihara.pdf 20843 Defl:X 8958 57% 2016-06-27 12:34 4375924b WriteProcessMemory.txt 439765 Defl:X 331919 25% 2016-08-15 07:44 f9248e0c aarch64shellcode.pdf 5268 Defl:X 2581 51% 2016-10-04 07:33 ee6c7860 aard.txt 766273 Defl:X 654025 15% 2016-10-04 07:33 d787042f atrisk.pdf 207850 Defl:X 189600 9% 2016-08-15 13:29 ffbb2036 backyardwireantennaes.pdf 1093375 Defl:X 1021797 7% 2016-08-16 19:45 3bc8531c caninjection.pdf 1189077 Defl:X 1189053 0% 2016-10-03 08:38 98ce0fb0 cte450-homebrew.tar.gz 0 Stored 0 0% 2016-08-05 14:29 00000000 da_667/ 2106 Defl:X 1068 49% 2016-08-05 14:29 66df947d da_667/Bohemian_hacksody.txt 1165 Defl:X 573 51% 2016-08-05 14:29 1392ff2a da_667/Cyberia.txt 3339 Defl:X 1783 47% 2016-08-05 14:29 1c29bf18 da_667/L0s3_Urs3lf.txt 3600 Defl:X 1731 52% 2016-08-05 14:29 440a9dee da_667/My_ident_is.txt 366017 Defl:X 364721 0% 2016-10-03 08:38 04d538c3 facewhisperer.tar.gz 1934 Defl:X 945 51% 2016-10-15 13:20 7e512046 fingerprint.html 599345 Defl:X 569989 5% 2016-10-04 07:33 0d2b0385 freudenthal.pdf 97753 Defl:X 97550 0% 2016-09-27 08:05 03259875 gr-lora.tar.gz 28370 Defl:X 11493 60% 2016-09-27 08:05 18735f0b hamburgers.txt 2366 Defl:X 1352 43% 2016-10-17 10:32 2a0f8dc2 index.txt 34578 Defl:X 7890 77% 2016-10-12 10:00 f4e9dfa1 issues.bib 15785 Defl:X 7437 53% 2016-10-12 09:58 6c27463f issues.txt 4740 Defl:X 2112 55% 2016-10-03 08:38 81b0f922 meat.txt 27898 Defl:X 7837 72% 2016-08-13 19:04 51913832 mudge_buffer_overflow_tutorial.html 17239 Defl:X 3767 78% 2016-09-27 08:05 5e60acbe object_manager_lookup_poc.cs 111739 Defl:X 110537 1% 2016-08-16 19:45 6fa842e8 scn-final.pdf 841 Defl:X 408 52% 2016-09-27 08:05 c429db58 seafever.txt 769628 Defl:X 695854 10% 2016-10-04 07:33 4def8479 selfies.pdf 19490 Defl:X 5136 74% 2016-10-15 13:42 9c930347 spinlock.py 21831 Defl:X 5678 74% 2016-10-15 13:31 8e2251ed spinlock.py~ 245948 Defl:X 170368 31% 2016-06-27 12:34 0a9d46e5 subversiveld.pdf 1817 Defl:X 528 71% 2016-10-15 13:42 610b7d28 trie.py~ 5071447 Defl:X 5066404 0% 2016-09-27 08:05 4cffff3e wcc.tar.gz 184470 Defl:X 176067 5% 2016-10-04 10:47 722cc7bb wu-preparing-teachers.pdf 3718504 Defl:X 3717013 0% 2016-09-27 08:05 9565d5af www.geoffchappell.com.tar.gz 5632830 Defl:X 5483438 3% 2016-09-27 08:05 a349baf5 years.pdf 48 Defl:X 44 8% 2016-09-27 08:05 bdda9d92 zllkey.txt -------- ------- --- ------- 29562336 27240702 8% 51 files

  PoC||GTFO - Issue 0x14

PASTOR LAPHROAIG SCREAMS HIGH FIVE TO THE HEAVENS AS THE WHOLE WORLD GOES UNDER

March 20, 2017 | 43.9M PDF/ZIP/iNES | Includes | md5sum: 5eaf00d25c14232555a51a50b126746c | Archive.org Entry

1. Let Us Share Some Water
2. Z-Ring Phreaking from a Game Boy  - Vicki Pfau shares with us the story of how she reverse-engineered the Pokémon Z-Ring, an accessory for the Nintendo 3DS whose wireless connection uses audio, rather than radio.  In true PoC||GTFO spirit, she then re-implements this protocol for the classic GameBoy, by Vicki Pfau
3. Concerning Desert Studies, Cyberwar, and the Desert Power  - A sermon on page 12 concerning Liet Kynes, water, Desert Studies, and the Weirding Way, by Pastor Manul Laphroaig
4. Flush+Reload  - Taylor Hornby on page 14 shares with us some handy techniques for communicating between processors by reading shared memory pages, without writes, by Taylor Hornby  (GitHub)
5. Anti-Keylogging with Random Noise  - Mike Meyers on page 19 shares some tricks for breaking Windows user-mode keyloggers through the injection of fake events, by Mike Myers
6. How Likely are Random Bytes to be a NOP Sled on ARM?  - Niek Timmers and Albert Spruyt consider a rather specific, but in these days important, question in exploitation: suppose that there is a region of memory that is encrypted, but not validated or write-protected.  You haven't got the key, so you're able to corrupt it, but only in multiples of the blocksize and only without a clue as to which bits will become what.  On page 26, they calculate the odds of that corrupted code becoming the equivalent of a NOP sled in ARM and Thumb, in userland and kernel, on bare metal and in emulation, by Niek Timmers and Albert Spruyt
7. Routing Ethernet over GDB and SWD for Glitching  - How to bridge an under-clocked Ethernet network by routing packets over GDB, OpenOCD, and a JTAG/SWD bus, by Micah Elizabeth Scott  (GitHub)
8. Control Panel Vulnerabilities  - Geoff Chappell is back again, ready to take you to a Windows Wonderland, where you will first achieve a Mad Hatter's enlightenment, then wonder what the Caterpillar was smoking.  Seven years after the Stuxnet hype, you will finally get the straight explanation of how its Control Panel shortcuts were abused.  Just as in 2010, when he warned that bugs might remain, and in 2015 when Microsoft admitted that bugs did in fact remain, Geoff still thinks that some funny behaviors are lurking inside of the Control Panel and LNK files.  You will find his article on page 37, and remember what the dormouse said!, by Geoff Chappell
• The CPL Icon Loading Vulnerability
9. A PostScript That Shows Its Own MD5  - On page 46, Greg Kopf will show you how to make a PostScript image that contains its own checksum, by Gregor "Greg" Kopf
10. A PDF That Shows Its Own MD5  - On page 50, Mako describes a nifty trick for doing the same to a PDF, by Mako
11. How We Put the MD5 on the Front Cover  - A short addendum, by Philippe Teuwen
12. This GIF Shows its Own MD5!  - Kristoffer Janke's trick for generating a GIF that contains its own MD5 checksum, by Kristoffer "spq" Janke
13. This PDF is a NES ROM that Prints Its Own MD5 Hash!  - Evans Sultanik and Teran describe how they coerced this PDF to be a NES ROM that, when run, prints its own MD5 checksum, by Evan Sultanik and Evan Teran
14. Tithe Us Your Alms of Ø-Day!  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen .................................and sundry others

Technical Note:  This file, pocorgtfo14.pdf, is a polyglot valid as a Nintendo Entertainment System (NES) ROM cartridge, a PDF document, and a ZIP archive.  We collided 9,824 MD5 block pairs to place the hash of this document on its front cover and the title screen of the NES game, but only 609 of them made it to the final release.

Cover Art:  The cover illustration from this issue is by William E. Damon, first published in Ocean Wonders: A Companion for the Seaside in 1879.

$ file pocorgtfo14.pdf pocorgtfo14.pdf: NES ROM image (iNES): 2x16k PRG, 1x8k CHR [H-mirror] [Trainer] $ tail -c +4920 pocorgtfo14.pdf | head -c 2150 .. .:codoo:ocddc;; 'l:ll;:;lo:dxxkc:c:; .'cdxccoO0O:. ..:kX0ocdc. .OOo:oklldx; .,00cox: 'kockxxdlO;. ,0kxK; .olcooXOl:' .dxox. .Oo:dlKOl.. cNXk dd:olxld;. . .KkOc ,kdOco:oX;... .;coc. co; dXok, 'kdcloo:oWx.....';lkOKx;....:xkoc,ckokO. .kco;oodlcNl::cl;kOOOOklkc..N0O0OOl,Xdxx0 odlccdocoKK....clcc,c:l,l. ;l:xxoo.xOocOl .ddcoocodXNNc...........'..' ...'. .:MdldX OdccdllccxXO'.... .x,.''.,;. .MOlcW. :Noc:lkx,.Kxxl..... .lccKXKdk,ko.. 'MxOdKc .00o:dO0Xx.c.cX........'kd....;Kc...:c..:XoNxkx lkkddNKxkX0o..xx........'ldllldlloldx...lddKXxNc .KOclKOkKk0NoKKkx:............;lkkl..',..0ocOXdWO 'KolK00OkxKOoKNX:lxcc;,,l;....,'.'. .'.kK::KWkWl .dNkxKK0kxxKcO00Mo:oo:;cc:,... ..okWdlW0OxW; dKXoKOK0XOOOOO0kWdcc:c:lx:lxloNxddk00l'oOdMOdWkWdWO .WWoOX00KXkk0OOX0K:.;o0kxkdccOOKOxKNkkO:KkcOXdWOWxNl kMdlK00O00kOKkK0dkXOo;. .';coolodxdolc.'coo0K0XOXkNc .W0cONO0NWKKKOxxxOk0O0KXKKkkxdd, ckOOoO.;oxKWMdKl OXko0XNO0OxkkOXkkOOkkkkkOOkxoxOK0OOOOOxxokKccclo:l:ko :XoOkOk0KkxxOKkkk0OOOOKOkOkk0OkxkxkkxOdckKOOO;,::xKooxc... ,clxXXK0OxO0xxxkkdkOK0kOOkO0OOOOOkkxkxkxdk0Odkxddd:,;ccx0clOkc,' NNOkK0kxxxXOxxkkkxxOK0OOOO0O0kKOO0kxxKkkkOxcOxXO00lc;:;:ddd;;x0l 0kO0xOXOxx0OkxxxkxxxkKOkkO0kkkOOk0OOxoKxk0KxOdokc:Ol::::cccl:::o xxOkkdd0xxxk0xxxdxxxxxxkxxdkxxxx0Oxddcdxddxklldxdc:';;;;';;;;',o $ unzip -v pocorgtfo14.pdf Archive: pocorgtfo14.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/ 34816 Defl:X 4214 88% 2017-03-11 09:20 3fe2d047 AntiKeylogger/KeyDemo.v11.suo 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/.vs/ 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/.vs/KeyDemo/ 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/.vs/KeyDemo/v14/ 42496 Defl:X 6188 85% 2017-03-11 09:20 42b9154f AntiKeylogger/.vs/KeyDemo/v14/.suo 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/KeyDemoGUI/ 15954 Defl:X 4548 72% 2017-03-11 09:20 c80e51b6 AntiKeylogger/KeyDemoGUI/KeyDemoGUI.cpp 747 Defl:X 373 50% 2017-03-11 09:20 ebc99bbc AntiKeylogger/KeyDemoGUI/Resource.h 39 Stored 39 0% 2017-03-11 09:20 6da82c83 AntiKeylogger/KeyDemoGUI/KeyDemoGUI.h 314 Defl:X 193 39% 2017-03-11 09:20 05ca42df AntiKeylogger/KeyDemoGUI/targetver.h 529 Defl:X 296 44% 2017-03-11 09:20 e3d028fa AntiKeylogger/KeyDemoGUI/stdafx.h 7430 Defl:X 1281 83% 2017-03-11 09:20 ff5503fd AntiKeylogger/KeyDemoGUI/KeyDemoGUI.rc 4698 Defl:X 1073 77% 2017-03-11 09:20 71af6886 AntiKeylogger/KeyDemoGUI/KeyDemoGUI.vcxproj 297 Defl:X 199 33% 2017-03-11 09:20 33b926b0 AntiKeylogger/KeyDemoGUI/stdafx.cpp 23558 Defl:X 5099 78% 2017-03-11 09:20 2c5790d5 AntiKeylogger/KeyDemoGUI/KeyDemoGUI.ico 1836 Defl:X 571 69% 2017-03-11 09:20 1e7db2bd AntiKeylogger/KeyDemoGUI/KeyDemoGUI.vcxproj.filters 52328 Defl:X 7139 86% 2017-03-11 09:20 71b21e99 AntiKeylogger/KeyDemoGUI/KeyDemoGUI.aps 2611 Defl:X 881 66% 2017-03-11 09:20 8a888762 AntiKeylogger/KeyDemoGUI/ReadMe.txt 23558 Defl:X 5099 78% 2017-03-11 09:20 2c5790d5 AntiKeylogger/KeyDemoGUI/small.ico 0 Stored 0 0% 2017-03-11 09:20 00000000 AntiKeylogger/KeystrokeNoise/ 98 Defl:X 79 19% 2017-03-11 09:20 c5c08a08 AntiKeylogger/KeystrokeNoise/KeystrokeNoise.h 9013 Defl:X 1269 86% 2017-03-11 09:20 aed92f22 AntiKeylogger/KeystrokeNoise/KeystrokeNoise.vcxproj 314 Defl:X 193 39% 2017-03-11 09:20 05ca42df AntiKeylogger/KeystrokeNoise/targetver.h 23412 Defl:X 7636 67% 2017-03-11 09:20 5caca274 AntiKeylogger/KeystrokeNoise/KeystrokeNoise.cpp 3782 Defl:X 1303 66% 2017-03-11 09:20 76d1dafc AntiKeylogger/KeystrokeNoise/IATHook.cpp 419 Defl:X 259 38% 2017-03-11 09:20 5aaa4001 AntiKeylogger/KeystrokeNoise/stdafx.h 301 Defl:X 200 34% 2017-03-11 09:20 b4532d9a AntiKeylogger/KeystrokeNoise/stdafx.cpp 1717 Defl:X 555 68% 2017-03-11 09:20 a81389f0 AntiKeylogger/KeystrokeNoise/KeystrokeNoise.vcxproj.filters 1118 Defl:X 632 44% 2017-03-11 09:20 1e3d39fb AntiKeylogger/KeystrokeNoise/dllmain.cpp 2217 Defl:X 850 62% 2017-03-11 09:20 2d986ce7 AntiKeylogger/KeystrokeNoise/ReadMe.txt 2040 Defl:X 870 57% 2017-03-11 09:20 f5dfb7be AntiKeylogger/KeystrokeNoise/IATHook.h 377 Defl:X 261 31% 2017-03-11 09:20 24b9d4ab AntiKeylogger/KeystrokeNoise/KeystrokeNoise.vcxproj.user 1533 Defl:X 456 70% 2017-03-11 09:20 4438bd0b AntiKeylogger/KeyDemo.sln 0 Stored 0 0% 2017-03-13 03:17 00000000 CPL/ 3309 Defl:X 3098 6% 2017-03-12 16:31 04b7a4bc CPL/testcpl.zip 14543 Defl:X 13741 6% 2017-03-12 16:31 e4493aec CPL/linkcplsrc.zip 6969 Stored 6969 0% 2017-03-12 16:31 ab60abf1 CPL/linkcplbin.zip 4310 Defl:X 1624 62% 2017-03-05 15:14 7abca69c CreateSetgidBinary.c 0 Stored 0 0% 2017-03-12 16:31 00000000 Rogdham/ 22162 Defl:X 6096 73% 2017-03-12 16:31 fa65260a Rogdham/Rogdham.html 80125 Defl:X 75133 6% 2017-03-12 16:31 f8749603 Rogdham/gif-md5-hashquine-master.zip 12257 Defl:X 4893 60% 2017-03-12 16:31 4bb2bdd5 Rogdham/gif-md5-hashquine.en.mkd 0 Stored 0 0% 2017-03-12 16:31 00000000 Rogdham/Rogdham_files/ 1887 Defl:X 764 60% 2017-03-12 16:31 faf6cb8e Rogdham/Rogdham_files/print.min.css 13007 Defl:X 12514 4% 2017-03-12 16:31 542fd3b1 Rogdham/Rogdham_files/gifmd5hashquine_rogdham_bg_hash.png 190317 Defl:X 176133 8% 2017-03-12 16:31 ff05e4b3 Rogdham/Rogdham_files/gifmd5hashquine_rogdham_diff.png 85606 Defl:X 36885 57% 2017-03-12 16:31 b1d21bf2 Rogdham/Rogdham_files/gifmd5hashquine_spq.gif 6918 Defl:X 2046 70% 2017-03-12 16:31 f98f3984 Rogdham/Rogdham_files/screen.min.css 3111 Defl:X 2379 24% 2017-03-12 16:31 1dec0453 Rogdham/Rogdham_files/gifmd5hashquine_spq_white_bg.png 109727 Defl:X 101137 8% 2017-03-12 16:31 1f4d8660 Rogdham/Rogdham_files/gifmd5hashquine_spq_hexdump_nop.png 15809 Defl:X 15439 2% 2017-03-12 16:31 0c64cb28 Rogdham/Rogdham_files/gifmd5hashquine_proof.png 36787 Defl:X 3132 92% 2017-03-12 16:31 e09e2120 Rogdham/Rogdham_files/gifmd5hashquine_animated_loop.gif 107699 Defl:X 99437 8% 2017-03-12 16:31 dbad197f Rogdham/Rogdham_files/gifmd5hashquine_spq_hexdump_img.png 291259 Defl:X 277061 5% 2017-03-11 13:14 8b87ac55 Stupid certificate tricks.pdf 0 Stored 0 0% 2017-03-11 13:14 00000000 The Infinitely Profitable Program/ 4339 Defl:X 3130 28% 2017-03-11 13:14 6d2f2f80 The Infinitely Profitable Program/1_launchCPM.pdf 592835 Defl:X 576846 3% 2017-03-11 13:14 441a509f The Infinitely Profitable Program/The Infinitely Profitable Program.pdf 4426 Defl:X 3296 26% 2017-03-11 13:14 bee6ae48 The Infinitely Profitable Program/2_PoC.pdf 27567 Defl:X 26234 5% 2017-03-12 03:32 d8e1e597 fastcoll-v1.0.0.5-1.zip 1282 Defl:X 711 45% 2017-03-18 18:59 9772c655 index.txt 38160 Defl:X 8403 78% 2017-03-13 16:25 b3c0f169 issues.bib 16886 Defl:X 7903 53% 2017-03-13 16:25 171cb6e0 issues.txt 421076 Defl:X 371855 12% 2017-03-13 02:58 ff6773d4 md5-1block-collision.pdf 85606 Defl:X 36885 57% 2017-03-08 03:32 b1d21bf2 md5.gif 42337 Defl:X 19532 54% 2017-03-08 03:32 e5ea690e md5.ps 398906 Defl:X 175550 56% 2017-03-08 03:32 54481b33 md5_avp_loop.gif 392219 Defl:X 74028 81% 2017-03-08 17:43 d30a3419 md5jpg.pdf 202288 Defl:X 103214 49% 2017-03-08 17:43 268d5455 md5text.pdf 33767 Defl:X 4305 87% 2017-03-05 15:14 96a21b21 phreakium-js.html 6633 Defl:X 5599 16% 2017-03-05 15:14 835cc4e2 phreakium-z.zip 12770 Defl:X 954 93% 2017-03-08 03:32 252f36ff quine.pdf 88023 Defl:X 75281 15% 2017-03-05 15:14 87e946d3 rgbds.zip 8558972 Defl:X 8554223 0% 2017-03-18 18:59 1ef8b6fe sha1collider.zip 530778 Defl:X 454800 14% 2017-03-12 03:32 5a6ff16e shattered.pdf 666661 Defl:X 519871 22% 2017-03-13 02:58 89e24629 stevensthesis.pdf 69 Stored 69 0% 2017-03-14 10:27 ec3b55b1 zring-flash-info.txt 524288 Defl:X 320940 39% 2017-03-14 10:27 597c16a0 zring-flash.bin -------- ------- --- ------- 13913242 12233866 12% 78 files

  

  PoC||GTFO - Issue 0x15

I SLIPPED A LITTLE BUT LAPHROAIG WAS THERE WITH A HELPING HAND, A NIFTY IDEA AND TWO LITERS OF COFFEE

June 17, 2017 | 50.6M PDF/ZIP/ILDA | Includes | md5sum: 8363161248b01cc83bc7b437c423ce70 | Archive.org Entry

1. There's No Excuse for Not Knowing
2. Pier Solar and the Great Reverser  - At BSides Knoxville in 2015, Brandon Wilson gave one hell of a talk on how he dumped the cartridge of Pier Solar, a modern game for the Sega Genesis; the lost lecture was not recorded and the slides were never published.  After others failed with traditional cartridge dumping techniques, Brandon jumped in to find that the cartridge only provides the first 32 kB until an unlock sequence is executed, and that it will revert to the first 32 KB if it ever detects that the CPU is not executing from ROM.  On page 5, Brandon will explain his nifty tricks for avoiding these protection mechanisms, armed with only the right revision of Sega CD, a serial cable, and a few cheat codes for the Game Genie, by Brandon L. Wilson
3. That Car by the Bear Ain't Got No Fire; or, A Sermon on Alternators, Voltmeters, and Debugging  - A sermon on alternators, Studebakers, and bug hunting in general.  This allegory of a broken Ford might teach you a thing or two about debugging, and why all the book learning in the world won't match the experience of repairing your own car, by Pastor Manul Laphroaig
4. Text2COM  - Saumil Shah reminds us of those fine days when magazines would include type-in code.  This particular example is one that Saumil authored twenty-five years ago, a stub that produces a self-printing COM file for DOS, by Saumil Shah
5. RISC-V Shellcode  - Don A. Bailey presents on page 17 an introduction to writing shellcode for the new RISC-V architecture, a modern RISC design which might not yet have the popularity of ARM but has much finer prospects than MIPS, by Don A. Bailey
6. Gumball  - The monumental task of cracking Gumball for the Apple ][.  Neighbors 4am and Peter Ferrie spent untold hours investigating every nook and cranny of this game, and their documentation might help you to preserve a protected Apple game of your own, or to craft some deviously clever 6502 code to stump the finest of reverse engineers, by 4am and Peter Ferrie
7. In Which a PDF is a Git Repository Containing its Own LaTeX Source and a Copy of Itself  - Evan Sultanik has been playing around with the internals of Git, and on page 60 he presents a PDF which is also a Git repository containing its own source code, by Evan Sultanik
8. Zero Overhead Networking  - Rob Graham is our most elusive author, having promised an article for PoC||GTFO Issue 0x04 that finally arrived this week.  On page 66 he will teach you how to write Ethernet card drivers in userland that never switch back to the kernel when sending or receiving packets.  This allows for incredible improvements to speed and drastically reduced memory requirements, allowing him to portscan all of /0 in a single sweep, by Robert Graham
9. Detecting Emulation with MIPS16 Delay Slots  - Ryan Speers and Travis Goodspeed have been toying around with MIPS anti-emulation techniques, which this journal last covered in PoC||GTFO 6:6 by Craig Heffner.  This new technique, found on page 76, involves abusing the real behavior of a branch-delay slot, which is a bit more complicated than what you might remember from your Hennessy and Patterson textbook, by Ryan Speers and Travis Goodspeed
10. Windows Kernel Race Condition Analysis While Accessing User-Mode Data  - Page 82 describes how BSDaemon and NadavCH reproduced the results of the Gynvael Coldwind's and Mateusz Jurczyk Pwnie-winning 2013 paper on race conditions, using Intel's SAE tracer to not just verify the results, but also to provide new insights into how they might be applied to other problems, by BSDaemon and NadavCh
11. x86 is Turing-Complete Without Data Fetches  - Chris Domas, who the clever among you remember from his M/o/Vfuscator, returns on page 87 to demonstrate that x86 is Turing-complete without data fetches, by Chris Domas  (GitHub)
12. Nail in the Java KeyStore Coffin  - Tobias Ospelt shares with us a nifty little taleon page 89 about the Java KeyStore (JKS) file format, which is the default key storage method forboth Java and Android.  Not content with a simple proof-of-concept, Tobias includes a fully functional patch against Hashcat to properly crack these files in a jiffy, by Tobias "Floyd" Ospelt
13. The Gamma Trick: Two PNGs for the Price of One  - There's a trick that you might have fallen prey to: sometimes there's a perfectly innocent thumbnail of an image, but when you click on it to view the full image, you are hit with different graphics entirely.  On page 97, Hector Martin presents one technique for generating these false thumbnail images with gAMA chunks of a PNG file, by Hector 'marcan' Martin
14. Laphroaig's Home for Unwanted Polyglots and Ø-Day  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen .................................and sundry others

Technical Note:  This file, pocorgtfo15.pdf, is valid as PDF document and as a ZIP file of the relevant source code.  Those of you who have laser projection equipment supporting the ILDA standard will find that this issue can be handily projected by your laser beams.

Cover Art:  The cover illustration from this issue is a Hildebrand engraving of a painting by Léon Benett that was first published in Le Tour Du Monde En Quatre-Vingts Jours (Around the World in Eighty Days) by Jules Verne in 1873.  In George M. Towle's English translation of the same year, you will find this illustration on page 137.

$ file pocorgtfo15.pdf pocorgtfo15.pdf: ILDA Image Data Transfer Format Color Palette, palette poc|gtfo, number of records 20, palette number 0 $ unzip pocorgtfo15.pdf ... $ git clone PDFGitPolyglot.pdf repo Cloning into 'repo'... Receiving objects: 100% (432/432), 622.40 KiB | 41.49 MiB/s, done. Resolving deltas: 100% (270/270), done. $ unzip -v pocorgtfo15.pdf Archive: pocorgtfo15.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 144090 Defl:X 137711 4% 2017-06-06 14:47 a7d8c92a 18bytes.pdf # Chris Evans' 18 byte file write-up 28767 Defl:X 9508 67% 2017-05-10 11:18 63075b72 AdvancedGenGGtips.txt # Tony Hedstrom's Advanced Game Genie code making tips for Sega Genesis 16818 Defl:X 6009 64% 2017-05-10 11:18 691ac4ea MakingGenesisGGcodes.txt # Tony Hedstrom's How to make Sega Genesis Game Genie codes 638270 Defl:X 608654 5% 2017-06-06 15:01 0234d2bf PDFGitPolyglot.pdf # Evan Sultanik's PDF/Git Bundle Polyglot Article and PoC 1065865 Defl:X 926259 13% 2017-06-12 07:23 7f591035 bochspwn.pdf # The original Bochspwn paper 2492489 Defl:X 2074544 17% 2017-06-12 07:23 acfae939 chachmon.pdf # Simulation and Analysis Engine for Scale-Out Workloads 310421 Defl:X 309394 0% 2017-06-06 14:47 1cc19460 comcable11.zip # chaostavi's Sega CD Transfer Suite 676881 Defl:X 509789 25% 2017-06-06 14:47 ffe56b2c flexsc-osdi10.pdf # Livio Soares & Michael Stumm's Flexible System Call Scheduling with Exception-Less System Calls 145178 Defl:X 144370 1% 2017-06-06 14:47 c8bec947 gammatrick.png # Marcan's gamma trick PoC 3268 Defl:X 1628 50% 2017-06-06 14:47 deda91e1 gammatrick.sh # Marcan's gamma trick script 486631 Defl:X 191797 61% 2017-06-12 07:23 5e76cd39 godsathirst.html # The Gods are Athirst, a novel 173382 Defl:X 159513 8% 2017-06-06 14:47 0a46bf9a gumball_ebook.pdf # Gumball's writeup, in ASCII ebook PDF 1336 Defl:X 770 42% 2017-06-17 19:40 706d8c3d index.txt 39976 Defl:X 9048 77% 2017-06-17 20:55 f703b1b6 issues.bib 18275 Defl:X 8544 53% 2017-06-17 20:55 d93cfcbb issues.txt 0 Stored 0 0% 2017-06-08 07:49 00000000 jksprivk/ # Tobias Ospelt's Java KeyStore private key password cracking suite 5991 Defl:X 2233 63% 2017-06-06 14:47 63ccbb5f jksprivk_crack.py 27263 Defl:X 24844 9% 2017-06-08 07:49 11e70bd7 jksprivk_resources.zip 10021 Defl:X 9689 3% 2017-06-07 08:45 6bf84a61 JksPrivkPrepare.jar 542324 Defl:X 526408 3% 2017-06-06 14:47 c28b97b1 kdf.zip # BSDaemon and NadavCh's Article Materials on Kernel Double Fetch 1358803 Defl:X 403041 70% 2017-06-12 07:23 e4581784 mips16e-isa.pdf # MIPS16 Instruction Set Architecture 153298 Defl:X 104388 32% 2017-06-06 14:47 3edfc5f7 mips74kc.pdf # MIPS32 74KcTM Processor Core Datasheet 17434 Defl:X 15227 13% 2017-06-06 14:47 12bbeca9 riscv-security.zip # Don Bailey's RISC-V research materials, documentation, and code 6663858 Defl:X 5343681 20% 2017-06-17 19:40 b8ab30ac thisnetisyournet.mp3 # Don Bailey and Alex Kreilein's summer hit 884 Defl:X 490 45% 2017-06-17 19:40 0f11222f thisnetisyournet.txt # Lyrics to the summer hit 4578 Defl:X 3387 26% 2017-06-06 14:47 06d9111b tiresias.zip # Chris Domas' PoC that ARM and x86 are Turing-complete without actually reading data -------- ------- --- ------- 15026101 11530926 23% 26 files

  PoC||GTFO - Issue 0x16

PASTOR LAPHROAIG RACES THE RUNTIME RELINKER AND OTHER TRUE TALES OF CLEVERNESS AND CRAFT

October 23, 2017 | 50.4M PDF/ZIP/WebIDE | Includes | md5sum: 077321dc32ba752a1b52039649e9bf31 | Archive.org Entry

1. Every Man His Own Cigar Lighter
2. Sapere Aude!; or, Do You Have a Moment to Talk About Enlightenment?  - A sermon on intellectual tyranny dressed up in the name of science, by Pastor Manul Laphroaig
3. Saving My '97 Chevy by Hacking It  - Brandon Wilson shares his techniques for emulating the 68K Electronic Control Unit (ECU) of his 1997 Chevy Cavalier.  Even after 315 thousand miles, there are still things to learn from your daily driver, by Brandon L. Wilson
4. Bars of Brass or Wafer Thin Security?  - Deviant Ollam was so kind as to include an article describing why electronic defenses are needed, beyond just a strong lock.  You'll find his explanation on page 17, by Deviant Ollam
5. Fast Cash for Useless Bugs!  - Page 18 features uses for useless bugs, finger-printing proprietary forks of old codebases by long-lived unexploitable crashes, so that targets can be accurately identified before the hassle of making a functioning exploit for that particular version, by EA
6. The Adventure of the Fragmented Chunks  - Page 21 holds Yannay Livneh's Adventure of the Fragmented Chunks, describing a modern heap-based buffer overflow attack against a recent version of VLC, by Yannay Livneh
7. Extracting the Game Boy Advance BIOS ROM through the Execution of Unmapped Thumb Instructions  - On page 39, you will find Maribel Hearn's technique for dumping the protecting BIOS ROM of the Game Boy Advance.  While there is some lovely prior work in this area, her solution involves the craziest of tricks.  She executes code from unmapped parts ofthe address space, relying of bus capacitance to hold just one word of data without RAM, then letting the pre-fetcher trick the ROM into believing that it is being executed.  Top notch work, by Maribel Hearn
8. Naming Network Interfaces  - Cornelius Diekmann, on page 45, shows us a nifty trick for the naming of Ethernet devices on Linux.  Rather than giving your device a name of eth0 or wwp0s20f0u3i12, why not name it something classy in UTF-8, like ☃?  (Not to be confused with, ☃ of course), by Cornelius Diekmann
9. Code Golf and Obfuscation with Genetic Algorithm Based Symbolic Regression  - On page 47, JBS introduces us to symbolic regression, a fancy technique for fitting functions toavailable data.  Through this technique and a symbolic regression solver (like the one included in the feelies), he can craft absurdly opaque functions that, when called with the right parameters, produce achosen output, by JBS
10. Locating Return Addresses via High-Entropy Stack Canaries  - Given an unannotated stack trace, with no knowledge of where frames begin and end, Matt Davis identifies stack return addresses by their proximity to high-entropy stack canaries.  You'll find it on page 49, by Matt Davis
11. Rescuing Orphans and their Parents with Rules of Thumb2  - Binary Ninja is quite good at identifying explicit function calls, but on embedded ARM it has no mechanism for identifying functions which are never directly called.  On page 52, Travis Goodspeed walks us through a few simple rules which can be used to extend the auto-analyzer, first to identify unknown parents of known child functions and then to identify unknown children called by unknown parents.  The result is a Binary Ninja plugin which can identify nearly all functions of a black box firmware image, by Travis Goodspeed
12. This PDF is a Shell Script that Runs a Python Webserver that Serves a Scala-Based JavaScript Compiler with a HTML5 Hex Viewer; or, Reverse-Engineer Your Own Damn Polyglot  - On page 58, Evan Sultanik explains how he integrated the hex viewer IDE from Kaitai Struct as a shell script that runs a Python webserver within this PDF polyglot, by Evan Sultanik
13. Laphroaig's Home for Unwanted Polyglots and Ø-Day  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Crew Bus Driver...........Ryan Speers .................................and sundry others

Technical Note:  This file, pocorgtfo16.pdf, is a polyglot that is valid as a PDF document, a ZIP archive, and a Bash script that runs a Python webserver which hosts Kaitai Struct's WebIDE which, allows you to view the file's own annotated bytes.  Ain't that nifty?

Cover Art:  As with the previous issue, the cover illustration from this release is a Hildebrand engraving of a painting by Léon Benett that was first published in Le Tour Du Monde En Quatre-Vingts Jours (Around the World in Eighty Days) by Jules Verne in 1873.

# To run the webserver $ bash pocorgtfo16.pdf Listening on port 80... $ unzip -v pocorgtfo16.pdf Archive: pocorgtfo16.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 6066 Defl:X 2001 67% 2017-10-10 20:13 f7fd5605 canarypoc.c # C source code for PoC||GTFO 16:10 188835 Defl:X 179495 5% 2017-09-26 09:41 51129a66 clemency.pdf # cLEMENCy architecture from Defcon 2017's CTF. 2290846 Defl:X 2144561 6% 2017-09-26 09:41 b19aac5b crosstalk.pdf # Nifty paper on USB crosstalk. 4757 Defl:X 2221 53% 2017-09-26 09:41 3ef0f078 dakarand_linux.txt # Patch for implementing a Dakarand number generator in Linux. 585378 Defl:X 374431 36% 2017-10-12 09:40 d4f48ecc ehrevents.pdf # Paper on events of Electronic Health Records 53511 Defl:X 15989 70% 2017-10-12 09:40 8bec069d feynman-what_is_science.html # Richard Feynman's essay on the meaning of science. 1020086 Defl:X 692721 32% 2017-10-12 09:40 ced2b63b forgottenchunks.pdf # GlibC Adventures: The Forgotten Chunks by Goichon 1169408 Defl:X 1149370 2% 2017-10-17 07:24 a90c5627 hackedintranslation.pdf # Director's cut of the VLC subtitle exploit paper. 220672 Defl:X 128573 42% 2017-10-12 09:40 33de218b how2heap.tar.gz # Heap exploit tutorial from the ShellPhish team. 1535 Defl:X 858 44% 2017-10-17 07:24 0f08026d index.txt 973 Defl:X 839 14% 2017-10-12 09:40 0f94b839 iodump.zip # Memory dumping code from PoC||GTFO 16:07. 42637 Defl:X 9683 77% 2017-10-23 07:27 acb03093 issues.bib 19582 Defl:X 9143 53% 2017-10-23 07:27 0f1d7647 issues.txt 15849 Defl:X 6652 58% 2017-10-12 09:40 ab20a458 kant-sapere-aude.html # Philosophy paper by Kant. 52173 Defl:X 16048 69% 2017-10-12 09:40 c1d36c62 MallocMaleficarum.txt # Classic heap corruption paper. 3042349 Defl:X 1040380 66% 2017-10-10 20:13 2bb38340 mc68332um.pdf # Motorola 68332 User's Manual 1329318 Defl:X 1190897 10% 2017-09-26 09:41 9c41981a mc68705u3_eprom.pdf # Datasheet for a Motorla EEPROM. 717623 Defl:X 448785 38% 2017-10-10 07:38 e3c13db2 mc68hc58.pdf # Datasheet for the Motorola data link controller. 15454366 Defl:X 12863165 17% 2017-09-26 09:41 01ba3ee0 oflynn.pdf # Colin O'Flynn's Dissertation 34812 Defl:X 12359 65% 2017-10-12 09:40 8f402a82 onceuponafree.txt # Phrack paper on heap exploits. 6632534 Defl:X 6460923 3% 2017-10-24 07:52 b7623a8e PoC.pdf 1123237 Defl:X 1118026 1% 2017-09-26 09:41 a58c84ae solver430.pdf # Nifty paper on automatically reverse engineering the MSP430 instruction set with solvers. 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/ 26 Stored 26 0% 2017-09-26 09:41 d59066ed SymbolicRegression/gatry/intfunc.csv 2724 Defl:X 879 68% 2017-09-26 09:41 9d42ade5 SymbolicRegression/gatry/pom.xml 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/main/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/main/java/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/main/java/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/main/java/com/nibbler/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/main/java/com/nibbler/app/ 178 Defl:X 139 22% 2017-09-26 09:41 d157d31a SymbolicRegression/gatry/src/main/java/com/nibbler/app/App.java 4147 Defl:X 1415 66% 2017-09-26 09:41 ae0ca85c SymbolicRegression/gatry/src/main/java/com/nibbler/app/HelloSymbolicRegression.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/test/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/test/java/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/test/java/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/test/java/com/nibbler/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/src/test/java/com/nibbler/app/ 643 Defl:X 280 57% 2017-09-26 09:41 ba94c29b SymbolicRegression/gatry/src/test/java/com/nibbler/app/AppTest.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/classes/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/classes/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/classes/com/nibbler/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/classes/com/nibbler/app/ 545 Defl:X 342 37% 2017-09-26 09:41 041da0ba SymbolicRegression/gatry/target/classes/com/nibbler/app/App.class 1888 Defl:X 989 48% 2017-09-26 09:41 ab349824 SymbolicRegression/gatry/target/classes/HelloSymbolicRegression$1.class 4818 Defl:X 2456 49% 2017-09-26 09:41 5f3705f5 SymbolicRegression/gatry/target/classes/HelloSymbolicRegression.class 5162 Defl:X 4070 21% 2017-09-26 09:41 fe461cd6 SymbolicRegression/gatry/target/dateutils.jar 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/dependency-jars/ 12828 Defl:X 10971 15% 2017-09-26 09:41 33d1ca81 SymbolicRegression/gatry/target/dependency-jars/ga-1.0.2.jar 86413 Defl:X 76258 12% 2017-09-26 09:41 637eea80 SymbolicRegression/gatry/target/dependency-jars/gp-1.0.jar 191 Defl:X 124 35% 2017-09-26 09:41 912ee871 SymbolicRegression/gatry/target/g1 6610 Defl:X 5507 17% 2017-09-26 09:41 2e7c3ac2 SymbolicRegression/gatry/target/ga-with-integer-functions.jar 4564 Defl:X 3458 24% 2017-09-26 09:41 a6181895 SymbolicRegression/gatry/target/gatry-1.0-SNAPSHOT.jar 180 Defl:X 93 48% 2017-09-26 09:41 94b9cb7e SymbolicRegression/gatry/target/i2func.csv 180 Defl:X 116 36% 2017-09-26 09:41 1b52e3ad SymbolicRegression/gatry/target/i2func.done 26 Stored 26 0% 2017-09-26 09:41 d59066ed SymbolicRegression/gatry/target/intfunc.csv 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-archiver/ 112 Defl:X 111 1% 2017-09-26 09:41 32fa37a5 SymbolicRegression/gatry/target/maven-archiver/pom.properties 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/compile/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/compile/default-compile/ 88 Defl:X 60 32% 2017-09-26 09:41 3e4612f8 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst 158 Defl:X 87 45% 2017-09-26 09:41 42a65094 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/testCompile/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/ 30 Stored 30 0% 2017-09-26 09:41 926055ba SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst 73 Defl:X 68 7% 2017-09-26 09:41 90933635 SymbolicRegression/gatry/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst 248 Defl:X 176 29% 2017-09-26 09:41 b79ef617 SymbolicRegression/gatry/target/r.c 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/surefire-reports/ 268 Defl:X 100 63% 2017-09-26 09:41 ab54a20e SymbolicRegression/gatry/target/surefire-reports/com.nibbler.app.AppTest.txt 4376 Defl:X 1167 73% 2017-09-26 09:41 e876d900 SymbolicRegression/gatry/target/surefire-reports/TEST-com.nibbler.app.AppTest.xml 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/test-classes/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/test-classes/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/test-classes/com/nibbler/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/gatry/target/test-classes/com/nibbler/app/ 609 Defl:X 370 39% 2017-09-26 09:41 73e089eb SymbolicRegression/gatry/target/test-classes/com/nibbler/app/AppTest.class 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/about/ 78172 Defl:X 73984 5% 2017-09-26 09:41 476c77c4 SymbolicRegression/genetic-algorithm/about/architecture.png 75733 Defl:X 71222 6% 2017-09-26 09:41 53fa3591 SymbolicRegression/genetic-algorithm/about/population_size.png 11898 Defl:X 4140 65% 2017-09-26 09:41 7ba6c723 SymbolicRegression/genetic-algorithm/LICENSE-2.0.html 1696 Defl:X 785 54% 2017-09-26 09:41 3a6d92e7 SymbolicRegression/genetic-algorithm/pom.xml 4684 Defl:X 1664 65% 2017-09-26 09:41 5e9eedc3 SymbolicRegression/genetic-algorithm/README.md 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/main/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/main/java/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/main/java/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/ 922 Defl:X 478 48% 2017-09-26 09:41 653d6c42 SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/Chromosome.java 1126 Defl:X 558 50% 2017-09-26 09:41 a38860c4 SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/Fitness.java 4578 Defl:X 1454 68% 2017-09-26 09:41 0ebc9116 SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/GeneticAlgorithm.java 931 Defl:X 491 47% 2017-09-26 09:41 dd75aa9c SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/IterartionListener.java 2098 Defl:X 865 59% 2017-09-26 09:41 d5ffed1b SymbolicRegression/genetic-algorithm/src/main/java/com/lagodiuk/ga/Population.java 4879 Defl:X 1779 64% 2017-09-26 09:41 3b9a0e2a SymbolicRegression/genetic-algorithm/src/main/java/Demo.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/test/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/test/java/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/test/java/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/test/java/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/src/test/java/com/lagodiuk/ga/ 5852 Defl:X 1580 73% 2017-09-26 09:41 c0e5e815 SymbolicRegression/genetic-algorithm/src/test/java/com/lagodiuk/ga/ArrayChromosomeTest.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/classes/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/classes/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/ 368 Defl:X 216 41% 2017-09-26 09:41 99f1cc37 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/Chromosome.class 314 Defl:X 201 36% 2017-09-26 09:41 8638c650 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/Fitness.class 228 Defl:X 166 27% 2017-09-26 09:41 965ac9d5 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/GeneticAlgorithm$1.class 2521 Defl:X 1078 57% 2017-09-26 09:41 1ce6a45e SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/GeneticAlgorithm$ChromosomesComparator.class 5343 Defl:X 2207 59% 2017-09-26 09:41 8829fa16 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/GeneticAlgorithm.class 355 Defl:X 224 37% 2017-09-26 09:41 057de6ed SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/IterartionListener.class 2458 Defl:X 1087 56% 2017-09-26 09:41 d0baa3b7 SymbolicRegression/genetic-algorithm/target/classes/com/lagodiuk/ga/Population.class 1834 Defl:X 969 47% 2017-09-26 09:41 987edf2a SymbolicRegression/genetic-algorithm/target/classes/Demo$1.class 2222 Defl:X 1130 49% 2017-09-26 09:41 52a3fd80 SymbolicRegression/genetic-algorithm/target/classes/Demo$MyVector.class 1196 Defl:X 716 40% 2017-09-26 09:41 90189b96 SymbolicRegression/genetic-algorithm/target/classes/Demo$MyVectorFitness.class 2274 Defl:X 1100 52% 2017-09-26 09:41 b4bbb57f SymbolicRegression/genetic-algorithm/target/classes/Demo.class 12828 Defl:X 10971 15% 2017-09-26 09:41 33d1ca81 SymbolicRegression/genetic-algorithm/target/ga-1.0.2.jar 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/maven-archiver/ 99 Stored 99 0% 2017-09-26 09:41 f98201df SymbolicRegression/genetic-algorithm/target/maven-archiver/pom.properties 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/surefire-reports/ 280 Defl:X 113 60% 2017-09-26 09:41 3dfa22db SymbolicRegression/genetic-algorithm/target/surefire-reports/com.lagodiuk.ga.ArrayChromosomeTest.txt 4497 Defl:X 1193 74% 2017-09-26 09:41 8805ce00 SymbolicRegression/genetic-algorithm/target/surefire-reports/TEST-com.lagodiuk.ga.ArrayChromosomeTest.xml 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/test-classes/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/test-classes/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ga/ 1977 Defl:X 839 58% 2017-09-26 09:41 a511fb15 SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ga/ArrayChromosomeTest$1.class 2297 Defl:X 1062 54% 2017-09-26 09:41 33e47271 SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ga/ArrayChromosomeTest$ArrayChromosome.class 1512 Defl:X 755 50% 2017-09-26 09:41 594fb271 SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ga/ArrayChromosomeTest$ConsecutiveNumbersFitness.class 2942 Defl:X 1279 57% 2017-09-26 09:41 cfa458cc SymbolicRegression/genetic-algorithm/target/test-classes/com/lagodiuk/ga/ArrayChromosomeTest.class 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/bin/ 3860 Defl:X 1624 58% 2017-09-26 09:41 25a71781 SymbolicRegression/genetic-programming/bin/data.txt 6210 Defl:X 1993 68% 2017-09-26 09:41 cf009ece SymbolicRegression/genetic-programming/bin/data2.txt 9210 Defl:X 2413 74% 2017-09-26 09:41 d43cf39f SymbolicRegression/genetic-programming/bin/data3.txt 1026 Defl:X 526 49% 2017-09-26 09:41 8f2ea2d4 SymbolicRegression/genetic-programming/bin/extrapolation.txt 1468 Defl:X 691 53% 2017-09-26 09:41 161dd46d SymbolicRegression/genetic-programming/bin/sin_as_cos.txt 1473 Defl:X 695 53% 2017-09-26 09:41 468ef25f SymbolicRegression/genetic-programming/bin/sin_polynome.txt 86413 Defl:X 76258 12% 2017-09-26 09:41 637eea80 SymbolicRegression/genetic-programming/bin/symbolic_regression_1.0.jar 1102 Defl:X 540 51% 2017-09-26 09:41 e6dfcd84 SymbolicRegression/genetic-programming/bin/x2_add_y2.txt 1004 Defl:X 534 47% 2017-09-26 09:41 b82037fe SymbolicRegression/genetic-programming/bin/xyz.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/antiderivative/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/antiderivative/1/ 6754 Defl:X 1910 72% 2017-09-26 09:41 1366f910 SymbolicRegression/genetic-programming/experiments/antiderivative/1/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/antiderivative/2/ 2163 Defl:X 847 61% 2017-09-26 09:41 f9c1efca SymbolicRegression/genetic-programming/experiments/antiderivative/2/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/antiderivative/3/ 5632 Defl:X 2027 64% 2017-09-26 09:41 bb1530d2 SymbolicRegression/genetic-programming/experiments/antiderivative/3/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/derivative/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/derivative/1/ 5512 Defl:X 2115 62% 2017-09-26 09:41 a85ea018 SymbolicRegression/genetic-programming/experiments/derivative/1/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/derivative/2/ 14741 Defl:X 3756 75% 2017-09-26 09:41 f5edb83f SymbolicRegression/genetic-programming/experiments/derivative/2/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/extrapolation/ 1026 Defl:X 526 49% 2017-09-26 09:41 8f2ea2d4 SymbolicRegression/genetic-programming/experiments/extrapolation/extrapolation.txt 5356 Defl:X 1781 67% 2017-09-26 09:41 7805aa2e SymbolicRegression/genetic-programming/experiments/extrapolation/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/1/ 167090 Defl:X 119832 28% 2017-09-26 09:41 a7e2bf22 SymbolicRegression/genetic-programming/experiments/f(x)/1/Graphic.png 10644 Defl:X 2911 73% 2017-09-26 09:41 11e968ac SymbolicRegression/genetic-programming/experiments/f(x)/1/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/2/ 8307 Defl:X 1923 77% 2017-09-26 09:41 071b3956 SymbolicRegression/genetic-programming/experiments/f(x)/2/log.txt 137671 Defl:X 96477 30% 2017-09-26 09:41 83179477 SymbolicRegression/genetic-programming/experiments/f(x)/2/target_evolved_graphics_1.png 70959 Defl:X 42486 40% 2017-09-26 09:41 0c6f4c34 SymbolicRegression/genetic-programming/experiments/f(x)/2/target_evolved_graphics_2.jpg 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/3/ 10229 Defl:X 2641 74% 2017-09-26 09:41 66a834ec SymbolicRegression/genetic-programming/experiments/f(x)/3/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/4/ 8534 Defl:X 2693 68% 2017-09-26 09:41 41ffa897 SymbolicRegression/genetic-programming/experiments/f(x)/4/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/5/ 9076 Defl:X 2470 73% 2017-09-26 09:41 7370ddeb SymbolicRegression/genetic-programming/experiments/f(x)/5/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x)/6/ 14617 Defl:X 4645 68% 2017-09-26 09:41 aef38445 SymbolicRegression/genetic-programming/experiments/f(x)/6/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/1/ 108953 Defl:X 99712 9% 2017-09-26 09:41 a3011a3f SymbolicRegression/genetic-programming/experiments/f(x,y)/1/evolved.jpg 11588 Defl:X 3342 71% 2017-09-26 09:41 c95949c0 SymbolicRegression/genetic-programming/experiments/f(x,y)/1/log.txt 77736 Defl:X 70323 10% 2017-09-26 09:41 299b1e3e SymbolicRegression/genetic-programming/experiments/f(x,y)/1/target.jpg 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/10/ 5724 Defl:X 1799 69% 2017-09-26 09:41 22327392 SymbolicRegression/genetic-programming/experiments/f(x,y)/10/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/2/ 44999 Defl:X 40358 10% 2017-09-26 09:41 f0414c45 SymbolicRegression/genetic-programming/experiments/f(x,y)/2/delta.jpg 183251 Defl:X 174328 5% 2017-09-26 09:41 7692ef01 SymbolicRegression/genetic-programming/experiments/f(x,y)/2/evolved.png 9153 Defl:X 2870 69% 2017-09-26 09:41 b7aa3347 SymbolicRegression/genetic-programming/experiments/f(x,y)/2/log.txt 49473 Defl:X 44749 10% 2017-09-26 09:41 a902889a SymbolicRegression/genetic-programming/experiments/f(x,y)/2/target.jpg 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/3/ 3977 Defl:X 1414 64% 2017-09-26 09:41 8b138669 SymbolicRegression/genetic-programming/experiments/f(x,y)/3/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/4/ 7921 Defl:X 2247 72% 2017-09-26 09:41 582656df SymbolicRegression/genetic-programming/experiments/f(x,y)/4/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/5/ 80704 Defl:X 74051 8% 2017-09-26 09:41 f61fe31d SymbolicRegression/genetic-programming/experiments/f(x,y)/5/evolved.jpg 11144 Defl:X 3152 72% 2017-09-26 09:41 642be591 SymbolicRegression/genetic-programming/experiments/f(x,y)/5/log.txt 51530 Defl:X 45488 12% 2017-09-26 09:41 9044535c SymbolicRegression/genetic-programming/experiments/f(x,y)/5/target.jpg 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/6/ 5901 Defl:X 1813 69% 2017-09-26 09:41 e91f83ab SymbolicRegression/genetic-programming/experiments/f(x,y)/6/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/7/ 6883 Defl:X 2256 67% 2017-09-26 09:41 b0c323cd SymbolicRegression/genetic-programming/experiments/f(x,y)/7/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/8/ 9664 Defl:X 3420 65% 2017-09-26 09:41 ac9f156b SymbolicRegression/genetic-programming/experiments/f(x,y)/8/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/f(x,y)/9/ 2238 Defl:X 952 58% 2017-09-26 09:41 e69026b3 SymbolicRegression/genetic-programming/experiments/f(x,y)/9/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/old_unsorted/ 44032 Defl:X 13597 69% 2017-09-26 09:41 e9d861ce SymbolicRegression/genetic-programming/experiments/old_unsorted/Experiment1.xls 35328 Defl:X 12277 65% 2017-09-26 09:41 a0d88ec3 SymbolicRegression/genetic-programming/experiments/old_unsorted/Experiment2.xls 43008 Defl:X 13196 69% 2017-09-26 09:41 7cac26a4 SymbolicRegression/genetic-programming/experiments/old_unsorted/Experiment3.xls 35840 Defl:X 12127 66% 2017-09-26 09:41 aa9baec1 SymbolicRegression/genetic-programming/experiments/old_unsorted/Experiment4.xls 5764 Defl:X 1722 70% 2017-09-26 09:41 2b8fd1ad SymbolicRegression/genetic-programming/experiments/old_unsorted/Experiment5.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/principal_component_analysis/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/principal_component_analysis/1/ 2311 Defl:X 999 57% 2017-09-26 09:41 4d0ceb65 SymbolicRegression/genetic-programming/experiments/principal_component_analysis/1/log.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/raw_data/ 3860 Defl:X 1624 58% 2017-09-26 09:41 25a71781 SymbolicRegression/genetic-programming/experiments/raw_data/data.txt 6210 Defl:X 1993 68% 2017-09-26 09:41 cf009ece SymbolicRegression/genetic-programming/experiments/raw_data/data2.txt 9210 Defl:X 2413 74% 2017-09-26 09:41 d43cf39f SymbolicRegression/genetic-programming/experiments/raw_data/data3.txt 35290 Defl:X 34216 3% 2017-09-26 09:41 570dfb88 SymbolicRegression/genetic-programming/experiments/raw_data/evolved.png 43517 Defl:X 41653 4% 2017-09-26 09:41 edeac0fc SymbolicRegression/genetic-programming/experiments/raw_data/extrapolation.png 2216 Defl:X 1104 50% 2017-09-26 09:41 7c77bf58 SymbolicRegression/genetic-programming/experiments/raw_data/inp.txt 8450 Defl:X 2053 76% 2017-09-26 09:41 78cea08a SymbolicRegression/genetic-programming/experiments/raw_data/log.txt 10230 Defl:X 2372 77% 2017-09-26 09:41 e67c1c71 SymbolicRegression/genetic-programming/experiments/raw_data/log_data_3.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/experiments/sin_as_cos/ 2350 Defl:X 1058 55% 2017-09-26 09:41 9d368126 SymbolicRegression/genetic-programming/experiments/sin_as_cos/log.txt 3631 Defl:X 1600 56% 2017-09-26 09:41 0014ff5c SymbolicRegression/genetic-programming/experiments/sin_as_cos/log1.txt 5197 Defl:X 1560 70% 2017-09-26 09:41 145e9c26 SymbolicRegression/genetic-programming/experiments/sin_as_cos/log2.txt 2372 Defl:X 1044 56% 2017-09-26 09:41 f2979711 SymbolicRegression/genetic-programming/experiments/sin_as_cos/log3.txt 1468 Defl:X 691 53% 2017-09-26 09:41 161dd46d SymbolicRegression/genetic-programming/experiments/sin_as_cos/sin_as_cos.txt 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/img/ 178860 Defl:X 178890 0% 2017-09-26 09:41 70271861 SymbolicRegression/genetic-programming/img/crossover.png 103115 Defl:X 103135 0% 2017-09-26 09:41 b064c981 SymbolicRegression/genetic-programming/img/equiv_syntax_trees.png 48516 Defl:X 44987 7% 2017-09-26 09:41 37af5be1 SymbolicRegression/genetic-programming/img/examle_1.jpg 75750 Defl:X 75765 0% 2017-09-26 09:41 f0a3c470 SymbolicRegression/genetic-programming/img/mutation_1.png 102002 Defl:X 102022 0% 2017-09-26 09:41 57c72910 SymbolicRegression/genetic-programming/img/mutation_2.png 101524 Defl:X 101544 0% 2017-09-26 09:41 1565464b SymbolicRegression/genetic-programming/img/mutation_3.png 84248 Defl:X 84263 0% 2017-09-26 09:41 12484a22 SymbolicRegression/genetic-programming/img/mutation_4.png 45390 Defl:X 45400 0% 2017-09-26 09:41 bcd0b0dc SymbolicRegression/genetic-programming/img/mutation_5.png 112456 Defl:X 112476 0% 2017-09-26 09:41 e2800202 SymbolicRegression/genetic-programming/img/optimize_coefficients_ga.png 97389 Defl:X 97404 0% 2017-09-26 09:41 399928da SymbolicRegression/genetic-programming/img/pruning_1.png 149525 Defl:X 149550 0% 2017-09-26 09:41 ece530fa SymbolicRegression/genetic-programming/img/pruning_2.png 55689 Defl:X 55699 0% 2017-09-26 09:41 721755ab SymbolicRegression/genetic-programming/img/syntax_tree.png 78718 Defl:X 78733 0% 2017-09-26 09:41 5abed021 SymbolicRegression/genetic-programming/img/why_should_optimize_coefficients.png 11898 Defl:X 4140 65% 2017-09-26 09:41 7ba6c723 SymbolicRegression/genetic-programming/LICENSE-2.0.html 2550 Defl:X 1042 59% 2017-09-26 09:41 adbb2697 SymbolicRegression/genetic-programming/pom.xml 9698 Defl:X 3293 66% 2017-09-26 09:41 84fb2959 SymbolicRegression/genetic-programming/README.md 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/ 2093 Defl:X 790 62% 2017-09-26 09:41 bbd2b899 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/DerivativeFitness.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/ 2020 Defl:X 834 59% 2017-09-26 09:41 5270ae63 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/Antiderivative.java 1484 Defl:X 675 55% 2017-09-26 09:41 1b300784 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/Derivative.java 2145 Defl:X 892 58% 2017-09-26 09:41 49a75fb2 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/Launcher.java 2708 Defl:X 1024 62% 2017-09-26 09:41 259ea935 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/Launcher2.java 2432 Defl:X 984 60% 2017-09-26 09:41 0d31293f SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/LauncherDerivative.java 2974 Defl:X 1124 62% 2017-09-26 09:41 3eec1f83 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/LauncherXYZ.java 6965 Defl:X 2094 70% 2017-09-26 09:41 994c228d SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/Main.java 1671 Defl:X 737 56% 2017-09-26 09:41 243b5f77 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/TestExpressionFitness.java 1576 Defl:X 673 57% 2017-09-26 09:41 2b40a1fa SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/example/TestExpressionFitness2.java 997 Defl:X 478 52% 2017-09-26 09:41 107cde51 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/ExpressionFitness.java 11140 Defl:X 2482 78% 2017-09-26 09:41 4d8d1120 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/GpChromosome.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/ 3976 Defl:X 1238 69% 2017-09-26 09:41 637bd6f1 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/Context.java 4305 Defl:X 1283 70% 2017-09-26 09:41 40ae88bf SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/Expression.java 1219 Defl:X 579 53% 2017-09-26 09:41 b2a873b9 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/Function.java 23905 Defl:X 1613 93% 2017-09-26 09:41 9d4fdd88 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/Functions.java 3212 Defl:X 1039 68% 2017-09-26 09:41 fb64a77f SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/interpreter/SyntaxTreeUtils.java 3642 Defl:X 1178 68% 2017-09-26 09:41 9962e17d SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/SymbolicRegressionEngine.java 1407 Defl:X 606 57% 2017-09-26 09:41 78f57dae SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/SymbolicRegressionFitness.java 913 Defl:X 458 50% 2017-09-26 09:41 f664bc06 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/SymbolicRegressionIterationListener.java 1906 Defl:X 802 58% 2017-09-26 09:41 a2e26d96 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/TabulatedFunctionFitness.java 1522 Defl:X 616 60% 2017-09-26 09:41 966e2150 SymbolicRegression/genetic-programming/src/main/java/com/lagodiuk/gp/symbolic/Target.java 2975 Defl:X 1146 62% 2017-09-26 09:41 43eb564b SymbolicRegression/genetic-programming/src/main/java/HelloSymbolicRegression.java 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/ 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/ 2098 Defl:X 911 57% 2017-09-26 09:41 d95adc9e SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/DerivativeFitness.class 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/ 1770 Defl:X 847 52% 2017-09-26 09:41 407f59d6 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Antiderivative.class 1385 Defl:X 704 49% 2017-09-26 09:41 419ca472 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Derivative.class 1955 Defl:X 973 50% 2017-09-26 09:41 7df5f3b5 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Launcher$1.class 2073 Defl:X 990 52% 2017-09-26 09:41 2e790196 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Launcher.class 1959 Defl:X 975 50% 2017-09-26 09:41 b8b85ad2 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Launcher2$1.class 2649 Defl:X 1205 55% 2017-09-26 09:41 f15d208e SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Launcher2.class 695 Defl:X 405 42% 2017-09-26 09:41 5efa2223 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/LauncherDerivative$1.class 1995 Defl:X 981 51% 2017-09-26 09:41 fc253d71 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/LauncherDerivative$2.class 2431 Defl:X 1130 54% 2017-09-26 09:41 a11a4d44 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/LauncherDerivative.class 1949 Defl:X 975 50% 2017-09-26 09:41 b35cf91d SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/LauncherXYZ$1.class 3039 Defl:X 1411 54% 2017-09-26 09:41 47eae241 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/LauncherXYZ.class 2012 Defl:X 1008 50% 2017-09-26 09:41 4069d246 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Main$1.class 8131 Defl:X 3849 53% 2017-09-26 09:41 f0c97402 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/Main.class 1138 Defl:X 562 51% 2017-09-26 09:41 1a002bc4 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/TestExpressionFitness.class 1200 Defl:X 605 50% 2017-09-26 09:41 4226759d SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/example/TestExpressionFitness2.class 259 Defl:X 163 37% 2017-09-26 09:41 5154261c SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/ExpressionFitness.class 234 Defl:X 171 27% 2017-09-26 09:41 7b1bbff6 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/GpChromosome$1.class 3718 Defl:X 1579 58% 2017-09-26 09:41 32cc7774 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/GpChromosome$CoefficientsChromosome.class 1936 Defl:X 717 63% 2017-09-26 09:41 ca7aab83 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/GpChromosome$CoefficientsFitness.class 10453 Defl:X 4060 61% 2017-09-26 09:41 c8eddad4 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/GpChromosome.class 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/ 4346 Defl:X 1963 55% 2017-09-26 09:41 248cbd2e SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Context.class 6183 Defl:X 2354 62% 2017-09-26 09:41 40361cbc SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Expression.class 871 Defl:X 345 60% 2017-09-26 09:41 78fc8ff7 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Function.class 3144 Defl:X 1283 59% 2017-09-26 09:41 9728ef0a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$1.class 2930 Defl:X 1102 62% 2017-09-26 09:41 4d0f3876 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$10.class 2929 Defl:X 1105 62% 2017-09-26 09:41 f20ddd96 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$11.class 2929 Defl:X 1117 62% 2017-09-26 09:41 a71b819a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$12.class 2986 Defl:X 1167 61% 2017-09-26 09:41 d53d40dd SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$13.class 2926 Defl:X 1118 62% 2017-09-26 09:41 4f593e90 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$14.class 2983 Defl:X 1134 62% 2017-09-26 09:41 c1e3d85a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$15.class 3065 Defl:X 1193 61% 2017-09-26 09:41 a240cc02 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$16.class 2898 Defl:X 1096 62% 2017-09-26 09:41 37a935e8 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$17.class 2898 Defl:X 1100 62% 2017-09-26 09:41 542162c1 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$18.class 2851 Defl:X 1066 63% 2017-09-26 09:41 a7b26ec2 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$19.class 2419 Defl:X 862 64% 2017-09-26 09:41 9eb0f4de SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$2.class 2850 Defl:X 1056 63% 2017-09-26 09:41 a02680c1 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$20.class 2927 Defl:X 1111 62% 2017-09-26 09:41 97b1dc9a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$3.class 2985 Defl:X 1163 61% 2017-09-26 09:41 0c8b8295 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$4.class 2996 Defl:X 1158 61% 2017-09-26 09:41 ef79b750 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$5.class 2927 Defl:X 1107 62% 2017-09-26 09:41 7d8e847a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$6.class 2927 Defl:X 1113 62% 2017-09-26 09:41 15dc64e6 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$7.class 2927 Defl:X 1118 62% 2017-09-26 09:41 41df6980 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$8.class 2928 Defl:X 1121 62% 2017-09-26 09:41 7356322f SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions$9.class 3769 Defl:X 1486 61% 2017-09-26 09:41 7348e916 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/Functions.class 3745 Defl:X 1728 54% 2017-09-26 09:41 557dd542 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/interpreter/SyntaxTreeUtils.class 1620 Defl:X 583 64% 2017-09-26 09:41 a13d4ef0 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/SymbolicRegressionEngine$1.class 4983 Defl:X 1707 66% 2017-09-26 09:41 4fdc86bf SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/SymbolicRegressionEngine.class 1598 Defl:X 630 61% 2017-09-26 09:41 f54be7f6 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/SymbolicRegressionFitness.class 250 Defl:X 162 35% 2017-09-26 09:41 e1415e87 SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/SymbolicRegressionIterationListener.class 2809 Defl:X 1326 53% 2017-09-26 09:41 d9f7e0fb SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/TabulatedFunctionFitness.class 1548 Defl:X 706 54% 2017-09-26 09:41 0b45907a SymbolicRegression/genetic-programming/target/classes/com/lagodiuk/gp/symbolic/Target.class 1669 Defl:X 824 51% 2017-09-26 09:41 c4e21c97 SymbolicRegression/genetic-programming/target/classes/HelloSymbolicRegression$1.class 2543 Defl:X 1195 53% 2017-09-26 09:41 03803e9f SymbolicRegression/genetic-programming/target/classes/HelloSymbolicRegression.class 74304 Defl:X 65442 12% 2017-09-26 09:41 a7ce27f9 SymbolicRegression/genetic-programming/target/gp-1.0.jar 0 Stored 0 0% 2017-09-26 09:41 00000000 SymbolicRegression/genetic-programming/target/maven-archiver/ 97 Stored 97 0% 2017-09-26 09:41 25b12579 SymbolicRegression/genetic-programming/target/maven-archiver/pom.properties 216 Defl:X 130 40% 2017-09-26 09:41 4e63f357 SymbolicRegression/README.md 33824 Defl:X 12894 62% 2017-09-26 09:41 62735c04 timeenoughatlast.txt # The short story behind the classic Twilight Zone episode. 234373 Defl:X 226736 3% 2017-09-26 09:41 796663ff us-17-Domas-Breaking-The-x86-Instruction-Set-wp.pdf # A nifty paper by Chris Domas on identifying unknown X86 instructions. 148992 Defl:X 148530 0% 2017-10-10 20:13 3c3feafe useless_crashers.zip # EA's collection of useless crashers for PoC||GTFO 16:05. 2644408 Defl:X 2581900 2% 2017-09-26 09:41 96d8df89 woot17-paper-obermaier.pdf # Excellent paper on STM32 readout protection bypasses. -------- ------- --- ------- 40571113 33613667 17% 348 files

  

  PoC||GTFO - Issue 0x17

It's damned cold outside, so let's light ourselves a fire!  Warm ourselves with whiskey!  And teach ourselves some tricks!

December 30, 2017 | 59.7M PDF/ZIP/AGC | Includes | md5sum: 4d5097fb4bab124475cb5c7b0bd04de8 | Archive.org Entry

1. I Thought I Turned It On, But I Didn't
2. Constructing AES-CBC Shellcode  - As you'll recall from PoC||GTFO 3:11, AES in CBC mode allows you to flip bits of the initialization vector to flip bits of the first cleartext block.  On page 5, Albert Spruyt and Niek Timmers share some handy tricks for using a similar property: by flipping bits of one block's ciphertext you can also flip blocks of the subsequent ciphertext block after decryption.  In this manner, they can sacrifice half of the blocks by flipping their bits to control the other half, loading shellcode into the cleartext of an encrypted ARM image for which they have no key, by Albert Spruyt and Niek Timmers
3. In the Company of Rogues: Pastor Laphroaig's Tall Tales of Science and of Fiction  - Pastor Laphroaig has a sermon for you on page 9, concerning the good ol' days of juvenile science fiction, when chemistry sets were dangerous and Dr. Watson's trusty pistol was always at hand, by Pastor Manul Laphroaig
4. Sniffing BTLE with the Micro:Bit  - On page 13, Damien Cauquil shows ushow to write custom firmware for the nRF51 chip in the BBC Micro:Bit to sniff an ongoing Bluetooth Low Energy connection, without previously knowing the hop interval, increment, or even the channel map, by Damien Cauquil  (GitHub)
5. Up-Close and Personal with Ethernet  - Speaking of PHY layer tricks, what does a clever neighbor do when he hasn't got a hardware PHY?  For Ethernet, Andrew Zonenberg simply bit-bangs it from an old Spartan-6 FPGA and the right resistors, by Andrew D. Zonenberg
6. The DIP Flip Whixr Trick: An Integrated Circuit that Functions in Either Orientation  - When assembling hardware, sometimes it can be ambiguous whether a chip is inserted one way, or rotated one hundred and eighty degrees from that way.  On page 32, Joe Grand shares with us a DIP-8 design that selectively re-adjusts itself to having the chip rotated.  Build your PCB by the ferric chloride method with a 0.1" DIP socket for proper nostalgia, by Joe "Kingpin" Grand  (Additional Info)
7. Injecting Shared Objects on FreeBSD with libhijack  - Back in the good ol' days, folks would share hooking techniques over a pint of good ale.  Now that pints have as few as eight ounces, and some jerk ranting about Bitcoin ruins all our conversations, it's nice to read that Shawn Webb has been playing with methods for hooking functions in FreeBSD processes through unprivileged ptrace() debugging, by Shawn Webb
8. Murder on the USS Table  - Page 42 features a gumshoe detective novella, one in which Soldier of Fortran hangs out his neon sign and teams up with Bigendian Smalls to create the niftiest EBCDIC login screen for his z/OS mainframe, by Soldier of Fortran
9. Protecting ELF Files by Infecting Them  - Leandro Pereira has some clever tricks on page 56 for injecting additional code into pre-existing ELF files to enable defensive features through seccomp-bpf, by Leandro "acidx" Pereira
10. Laphroaig's Home for Unwanted Polyglots and Ø-Day  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Bus Driver................Ryan Speers with the good assistance of Samizdat Postmaster.....................Nick Farr

Technical Note:  This file, pocorgtfo17.pdf, is valid as a PDF file, a ZIP file, and as firmware for the Apollo Guidance Computer  We the editors do not recommend it for use in space navigation, and we warn our fine readers that replacing a spaceship's navigational firmware before a flight would be a joke in extremely poor taste.

Cover Art:  As with the previous issue, the cover illustration from this release is a Hildebrand engraving of a painting by Léon Benett that was first published in Le Tour Du Monde En Quatre-Vingts Jours (Around the World in Eighty Days) by Jules Verne in 1873.

# Start the emulator GUI on localhost:19697 $ (cd VirtualAGC/Resources && ../bin/yaDSKY2) & # Assemble the firmware image. $ yaYUL pocorgtfo17.pdf # Engage! $ yaAGC --nodebug pocorgtfo17.pdf.bin $ unzip -v pocorgtfo17.pdf Archive: pocorgtfo17.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 1215 Defl:X 630 48% 2017-12-30 11:28 6b1bfb8c index.txt 734494 Defl:X 711328 3% 2017-12-07 13:20 0c6a388b ethertiny.zip # A firmware-only half-duplex 10Base-T implementation for AVRs 1595020 Defl:X 1556154 2% 2017-12-23 16:46 d369c8bc promiscuousnrf24l01.pdf # Promiscuity blog post for the BTLE Sniffing article. 25438 Defl:X 7467 71% 2017-12-22 16:29 b1a6419c phrack56-7.txt # Phrack citation for the libhijack article 2556531 Defl:X 1500629 41% 2017-11-21 11:05 4b4d8ab7 audioformats.pdf # Audio formats reference by Brian Langenberger 205819 Defl:X 205132 0% 2017-12-07 16:44 e5b509e8 ubitle.tar.gz # Source code attachment in the BTLE article 101406 Defl:X 101411 0% 2017-10-31 08:16 7dc91589 ELFkickers-3.1.tar.gz # Kickers for "Protecting ELF Files by Infecting Them" 1503257 Defl:X 1107207 26% 2015-08-31 03:15 116073c7 nrf51.pdf # nRF51 family guide for "Sniffing BTLE with the Micro:Bit" 2574418 Defl:X 2508504 3% 2017-12-28 12:28 62ceaaf4 sec17-koppe.pdf # Reversing microcode paper - included for good reading 44974 Defl:X 10199 77% 2017-12-30 11:28 2cd6f100 issues.bib 20685 Defl:X 9613 54% 2017-12-30 11:28 88db59d8 issues.txt 11509 Defl:X 10842 6% 2017-12-20 20:15 9d3b6bab infect.zip # Another feelie for "Protecting ELF Files by Infecting Them" 1418161 Defl:X 1347866 5% 2017-12-14 22:16 7c716cba ubertooth.zip # Ubertooth code as cited in the BTLE article 162870 Defl:X 155635 4% 2013-09-26 04:42 7e37813d woot13-ryan.pdf # Mike Ryan's WOOT13 paper for the BTLE article 9710680 Defl:X 9366650 4% 2017-12-07 13:27 466dd4c4 antikernel.zip # Antikerel OS source 49194 Defl:X 41484 16% 2017-11-06 16:41 c9f6d290 libhijack.zip # Source code for "Injecting shared objects on FreeBSD with libhijack" 48130 Defl:X 32785 32% 2017-12-22 16:34 77715fba phrack59-8.txt # Phrack citation for the libhijack article 316749 Defl:X 313294 1% 2017-12-23 13:30 b7299278 dipflip.zip # Feelies associated with the "The DIP Flip Whixr Trick" article 131072 Defl:X 115189 12% 2017-12-30 11:28 38014fac selfmd5-release.zip # Mako's hashquines' sources and MegaDrive MD5 collider polyglot 1304978 Defl:X 563219 57% 2017-12-18 07:59 0d88c58c christmas.pdf # Christmas polyglot presentation by Michael Schwarz 1050609 Defl:X 835687 21% 2016-11-26 22:11 40fee8e6 Asm-1.pdf # IBM 360 assembly slides -------- ------- --- ------- 23567209 20500925 13% 21 files

  

    Poc||GTFO - Issue 0x18

Pastor Manul Laphroaig's Montessori Soldering School and Stack Smashing Academy for Youngsters Gifted and Not

June 23, 2018 | 92.3M PDF/ZIP/SHA-1 | Includes | md5sum: 84c49ffee3fffebed5875a162e43bb1d (or f5879ccb9570ec8def41c36854021b4e) | Archive.org Entry

1. I Thought I Turned It On, But I Didn't
2. An 8 Kilobyte Mode 7 Demo for the Apple II  - Nintendo's SNES platform was famous for its Mode 7, a video mode in which a background image could be rotated and stretched to create a faux 3D effect.  This didn't exist for the Apple ][, so on page 4 Vincent Weaver describes his recreation ofthe technique in software as a recent demo coding exercise, by Vincent M. Weaver
3. Fun Memory Corruption Exploits for Kids with Scratch!  - Many of us began our careers in reverse engineering through line numbered BASIC, and we fondly remember the PEEK and POKE commands that let us do sophisticated things with a child's language.  On page 10, Kev Sheldrake extends the Scratch language so that his son can experiment with memory corruption exploits, by KevSheldrake
4. Concealing ZIP Files in NES Cartridges  - Vi Grey was reading PoC||GTFO 14:12, and a nifty thought occurred.  Why not merge a ZIP file into an NES cartridge itself, and not just its iNES emulator file?  See page 17 for all the practical details, by Vi Grey
5. House of Fun; or, Heap Exploitation Against glibc in 2018  - If you enjoyed Yannay Livneh's article on the VLC heap from PoC||GTFO 16:6, turn to page 22 for his notes on the House of Fun, exploiting glibc heaps in the year 2018, by Yannay Livneh
6. RelroS: Read Only Relocations for Static ELF  - Ryan O'Neill, whom you might know as ElfMaster, has been playing around with static-linking of ELF files on Linux.  You certainly know that static files are handy for avoiding missing libraries, but did you know that static-linking breaks Address Space Layout Randomization (ASLR) and RELRO defenses, that the global offset table might still be writable?  See page 37 for his notes on producing a static executable that does include these defenses, by Ryan "ElfMaster" O'Neill
7. A Trivial Exploit for TetriNET; or, Update Player TranslateMessage to Level Shellcode  - TetriNET is a multiplayer clone of Tetris that St0rmCat released in 1997.  On page 48, John Laky and Kyle Hanslovan give us a remote code execution exploit for that game just twenty years too late for anyone to expect a patch, by John Laky and Kyle Hanslovan
8. A Guide to KLEE LLVM Execution Engine Internals  - I would like to talk to you about KLEE, an open-source symbolic execution engine originally developed at Stanford University and now maintained at Imperial College in London.  Symbolic Execution (SYMEX) stands somewhere between static analysis of programs and [dynamic] fuzz testing, by Julien Vanegue
9. Memory Scrambling on Intel Sandy Bridge DDR3  - When performing a cold-boot attack, it's important to recover not just the contents of memory but also to descramble it, and this scrambler is often poorly documented on modern systems.  On page58, Nico Heijningen patches Coreboot to reverse-engineer the scrambler of the DDR3 controller on Intel's Sandy Bridge processors, by Nico van Heijningen
10. Easy SHA-1 Colliding PDFs with PDFLaTeX  - Ange Albertini was one of the fine authors of the SHAttered attack that demonstrated a practical SHA-1 collision.  On page 63, he shows how to reuse that same colliding block to substitute an arbitrary image in a larger document, conveniently generated by pdflatex.  As is the tradition in most of Ange's articles, pocorgtfo18.pdf uses this technique to place a stamp on the front cover.  We'll release two variants, but because they have the same SHA-1 hash, we politely ask mirrors to include the MD5 hashes as well, by Ange Albertini
11. Bring Out Your Dead!  Bugs, That Is  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Bus Driver................Ryan Speers with the good assistance of Virtual Machine Mechanic.........Dan Kaminsky

Technical Note:  This file, pocorgtfo18.pdf, is valid as a PDF, ZIP, and HTML.  It is available in two different variants, but they have the same SHA-1 hash.

$ unzip -v pocorgtfo18.pdf Archive: pocorgtfo18.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 2522 Defl:X 1416 44% 2018-06-22 10:08 ec44b3c8 index.txt 25936 Defl:X 11217 57% 2018-05-15 09:12 d559b662 manwholostthesea.txt # Brilliant sci-fi story of an explorer's noble end. 5257758 Defl:X 5074434 4% 2018-02-06 09:59 1236430a heijningen-thesis.pdf # Heijningen's thesis on Intel's memory scramblers. 652547 Defl:X 616791 6% 2018-06-21 09:53 7788fb46 automatedwhiteboxfuzzing.pdf # Microsoft Research paper on SAGE 469377 Defl:X 427063 9% 2018-06-03 15:46 4d9d37b6 stp.pdf # A Decision Procedure For Bit-Vectors and Arrays 2485699 Defl:X 2391447 4% 2008-06-11 14:00 3768349c cytron.pdf # Paper on reversing SSA from a control graph. 22685 Defl:X 7493 67% 2018-06-21 10:34 79c7c48d FromHeapToRip.md # FrizN's From heap to RIP 435553 Defl:X 66537 85% 2018-02-06 20:53 ca193131 paper.pdf # Tom7's ASCII C89 compiler 11483 Defl:X 4237 63% 2018-01-04 15:43 28da8b57 relros.c # Read Only Relations for Static Elf, source code. 39295 Defl:X 11686 70% 2018-06-07 14:43 c4d31920 300writeup.md # CTF writeup cited in House of Fun. 1074497 Defl:X 988128 8% 2018-02-06 20:53 ba305f4a SIGGRAPH2001_Tupper.pdf # Jeff Tupper's self referential formula 478053 Defl:X 455862 5% 2018-06-21 09:53 2efb14fc s2e.pdf # S2E: A platform for in-vivo multi-path analysis of software systems 70358 Defl:X 62115 12% 2018-06-03 15:45 7c16ac4e z3.pdf # Z3: An efficient SMT solver. 27977 Defl:X 6511 77% 2011-11-17 06:48 9e5d73bb checksec.sh # Checksec.sh script from trapkit.de, cited in RelroS. 47265 Defl:X 10742 77% 2018-06-07 15:50 a81c4d6a issues.bib 21750 Defl:X 10121 54% 2018-06-07 15:50 082f12c0 issues.txt 65310 Defl:X 28796 56% 2018-06-03 13:47 ef0a5950 yetanotherfree.txt # Phrack 66:6, Yet another free() exploitation technique. 14137 Defl:X 9411 33% 2018-01-11 12:17 cec51cee IntelMemoryScrambler.zip # Source code for Heijningen's article on Intel's memory scrambler. 15258 Defl:X 13337 13% 2017-12-20 13:00 4d4e81fb iTetrinet-wiki.zip # Offline archive of the Tetrinet wiki. 270920 Defl:X 265378 2% 2017-11-02 11:19 643d1c91 tetrinet.zip # Tetrinet game and exploits. 161481 Defl:X 41837 74% 2017-02-08 08:22 347a9ea2 APPNOTE.TXT # PKWare ZIP File Format Specification 177689 Defl:X 177596 0% 2018-06-03 12:26 ebf3cb6d scratchexploits.zip # Scratch Exploit Source Code 120796 Defl:X 31234 74% 2018-04-09 12:00 a76743eb vudo.txt # Phrack 57:8, Vudo - An object superstitiously believed to embody magical powers. 8955 Defl:X 3950 56% 2018-03-17 11:17 e7b7c66b pciwhitelistwithoutbiosmods.txt # How to defeat whitelisting without BIOS modding. 52173 Defl:X 16048 69% 2018-04-09 11:55 c1d36c62 MallocMaleficarum.txt # Glibc Malloc Exploitation Techniques by Phantasmal Phantasmagoria 1615511 Defl:X 1321233 18% 2018-06-22 10:08 17c669ba bochspwn_reloaded.pdf # Mateusz Jurczyk's brilliant paper on detecting kernel memory disclosures. 90995 Defl:X 30158 67% 2018-06-03 13:41 83da36ac mallocdesmaleficarum.txt # Phrack 66:10 by Blackngel 8545083 Defl:X 8539322 0% 2018-06-07 14:18 1813f99c sha1collider.zip # SHA1 Collider Scripts 614163 Defl:X 557359 9% 2018-06-03 15:47 fc53f7d0 kleenet.pdf # Using KLEE to track distributed components. 25931 Defl:X 23551 9% 2018-06-07 14:40 f5ae8dc8 how2heap.zip # Nifty repo on learning heap techniques by the Shellphish CTF team. 37772357 Defl:X 37702714 0% 2018-06-21 09:53 ce44e8da THC-Archive.zip # Archive of The Hacker's Choice. (Mildly redacted of old versions to save space.) 21111 Defl:X 20725 2% 2018-02-24 11:56 1c3a474c BeautifulSky.zip # x86/x64 virus code by hh86 34812 Defl:X 12359 65% 2018-04-09 12:01 8f402a82 onceuponafree.txt # Phrack 57:9, Once Upon a Free 1390 Defl:X 568 59% 2018-01-09 20:06 3ba388cf static_to_dyn.c # Elfmaster's tool for converting a static executable to a dynamic one. 73781 Defl:X 73641 0% 2018-05-03 10:44 54a2f916 mode7.tar.gz # Source code to Vincent Weaver's 8kb Mode7 demo for the Apple ][. 749675 Defl:X 749072 0% 2018-06-05 13:15 b0d06dde dietlibc.tar.gz # Diet Libc from fefe.de. 24592 Defl:X 10123 59% 2018-02-24 11:56 e67608ee neszip-example.nes # Vi Grey's ZIP file that doubles as a Nintendo cartridge. 21660 Defl:X 7445 66% 2018-06-05 09:41 984f63ee vmmirror.txt # VMA Mirroring Docs from the PaX Team 409600 Defl:X 137913 66% 2018-06-07 14:32 514bf74c MainframeHacker.img # Disk image for a Mainframe Choose-Your-Own-Adventure game! 333041 Defl:X 313727 6% 2018-06-11 10:24 4ccb8ed5 nextgendebuggers.pdf # Julien Vanegue's paper on next generation debuggers for reverse engineering. -------- ------- --- ------- 62343176 60233297 3% 40 files

  PoC||GTFO - Issue 0x19

This janky old piano has a few more tunes!  And so do you!  And so do I!

March 27, 2019 | 64.7M PDF/ZIP/HTML/MD5(PE/PNG/MP4) | Includes | md5sum: ac75bf434f3624612cc3b6ee1aa59218 | Archive.org Entry

1. Let's Start a Band Together!
2. Of Coal and Iron  - Our editor-in-chief regales us with tales of coke!  Neither the soft drink nor the alkaloid, he speaks here of the refined coal that ushered in the Industrial Revolution, the compromises necessary to build an affordable bridge from wrought and cast iron when steel has yet to be invented, and the disastrous collapse of the Tay Bridge in Scotland.  What modern marvels are made affordable and efficient by similar fancy tricks, only to collapse under an adversarial load?, by Pastor Manul Laphroaig
3. On CSV Injection and RFC 5322  - On page 11, Jeff Dileo presents a trick for formatting PowerShell scripts as email addresses, such that they are executed when exported by spammers into Microsoft Excel as CSV textfiles, by Jeff Dileo
4. Undefining the ARM  - Eric Davisson shows on page 17 that, at least in the instructions of modern ARM executables, it is possible to scramble the constants, breaking compatibility with disassemblers while executing exactly as intended on real hardware.  Perhaps you, dear reader, can do the same to other architectures?, by Eric Davisson
5. An MD5 Pileup Fit for Jake and Elwood  - After our paper release, and only when quality control has been passed, we will make an electronic release named pocorgtfo19.pdf.  It is a valid PDF document, an HTML page, and a ZIP file filled with fancy papers and source code.  You might also find pocorgtfo19.exe, pocorgtfo19.png and pocorgtfo19.mp4 with the same MD5 hash.  On page 21, our very own Ange Albertini will show youshow he made this pileup of a polyglot and hash collisions,by Ange Albertini and Marc Stevens
6. Selectively Exceptional UTF-8; or, Carefully Tossing a Spanner in the Works  - There's a lot of fancy work that can be do with homoglyphs in UTF-8, but what other clever things can be done with it?  Ryan Speers and Travis Goodspeed have been fuzzing UTF-8 interpreters not for crashes, but for differences of opinion on string legality.  On page 39, they will show you how to make a string that is happily allowed by Java and Golang, but impossible to insert into a PostgreSQL table, by Travis Goodspeed and Ryan Speers
7. Never Fret that Unobtainium  - Even the best among us, having hoarded electronic components for years, sometimes lack that one nifty piece that would make a project work.  Page 44 presents one such project, a vacuum fluorescent display driver that was saved by clever thinking and a refusal to give into frustration, by Matthew Peters
8. Steganography in .ICO Files  - Rodger Allen presents us, on page 47, with a clever tool in Haskell that hides text in the unused space of BMP and ICO palettes.  You just might find a copy of its source code in the favicon of your favorite PoC//GTFO mirror!, by Rodger Allen
9. The Pages of PoC||GTFO  - We relax for intermission on page 53 with a delightful ditty by Dr. EVM and MMX Show, their hit single, The Pages of PoC//GTFO!, by Dr. EVM and the MMX Show
10. Vector Multiplication as an IPC Primitive  - So there's this idea that wherever two users share a constrained resource, they can use it as a communications channel, just by hogging the resource or leaving it be.  The faster and more tightly constrained the resource is, the better to communicatewith it.  On page 55, Lorenzo Benelli shows us that vector multiplication on Intel's AVX instruction set is a constrained resource, and that its startup and shut down delays can be used as a communications channel, by Lorenzo Benelli
11. Camelus Documentum: A PDF with Two Humps  - Gabriel Radanne presents his Camelus Documentum on page 60, a PDF file that is also executable OCaml bytecode.  The Sapir-Albertini hypothesis - you heard of it here first - neighbors!, by Gabriel 'Drup' Radanne
12. Inside the Emulator of Windows Defender  - You might remember Alexei Bulazel from his hilarious AVLeak research at WOOT, in which he exfiltrated file and registry listings from cloud anti-virus products through thousands of preselected false positives and a fresh unpacker.  Windows Defender has been a pet research project of his, and on page 64, he explains the internals of its emulator.  You'll learn how its custom apicall instruction can be added to IDA Pro, how to add an output channel for printf() debugging from the emulator, and how to bypass Microsoft's mitigations against abuseof this emulation layer, by Alexei Bulazel
13. What Clever Things Have You Learned Lately?  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of the Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Bus Driver................Ryan Speers

Technical Note:  This file, pocorgtfo19.pdf, is valid as a PDF document, a ZIP archive, and a HTML page.  It is also available as a Windows PE executable, a PNG image and a MP4 video, all of which have the same MD5 as this PDF.

$ unzip -v pocorgtfo19.pdf Archive: pocorgtfo19.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 15905 Defl:X 14500 9% 2019-01-04 10:19 838d0657 defender.zip # Code accompanying "Inside the Emulator of Windows Defender". 90291 Defl:X 23139 74% 2019-03-04 13:23 8da8fe88 phrack6612.txt # Alphanumeric RISC ARM Shellcode. 181069 Defl:X 181080 0% 2019-01-04 10:19 a00486ec jonesforth.tar.gz # Mirror of Richard WM Jones's excellent literate x86 assembly implementation of Forth. 95259 Defl:X 77726 18% 2019-03-04 13:23 6f6633b9 hydan.pdf # Hydan: Hiding Information in Program Binaries. 22868 Defl:X 10578 54% 2019-03-25 15:17 7439e221 issues.txt 603752 Defl:X 588233 3% 2019-03-09 13:41 f477ff8d camlpdf.zip # CamlPDF is an OCaml library for reading, writing and modifying PDF files. 28380 Defl:X 27629 3% 2019-02-22 13:10 51ea928c word-decrementer.zip # Helper for writing a MD5-related crypto song/poem. 1075200 Defl:X 176180 84% 2019-03-04 13:23 e00f3579 hydan-0.13.tar.gz # Hydan steganographically conceals a message into an application. 65552 Defl:X 26040 60% 2019-01-04 10:19 0d9ef401 opexii.nes # I Dream of Game Genies and ZIP Files Presentation NES ROM File (HOPE XII). 3096660 Defl:X 2978685 4% 2019-03-09 12:01 ba128e24 winalskiworm.mp3 # Paul Winalski: On Crashing DECnet for Fun and Profit. 192504 Defl:X 57264 70% 2019-03-09 12:01 d7df3e33 rfc2821.txt # RFC 2821: Simple Mail Transfer Protocol. 269027 Defl:X 258781 4% 2019-01-04 10:19 f963e8aa BreakOutPDF.zip # Horrifying PDF Experiments Github Repository Archive. 168131 Defl:X 141594 16% 2019-03-10 16:53 a929afef thomsenmd2.pdf # An improved preimage attack on MD2. 1250401 Defl:X 1117819 11% 2019-01-04 10:19 5d052ab8 avgvawtrak.pdf # Analysis of Banking Trojan Vawtrak White Paper. 2371249 Defl:X 2368980 0% 2019-03-09 13:41 446638d1 bytepdf.zip # A tool to create PDFs that are also OCaml bytecodes. 10437803 Defl:X 10222369 2% 2019-01-04 10:19 3ddd39f9 softstripthesis.pdf # Reverse Engineering The Cauzin Softstrip. 157703 Defl:X 130609 17% 2019-01-04 10:19 25a0e435 caml-formats.pdf # Caml Virtual Machine - File & data formats. 85611 Defl:X 73089 15% 2019-01-04 10:19 da22e955 utf.pdf # Hello World or Καλημέρα κόσμε or こんにちは 世界. 49800 Defl:X 11294 77% 2019-03-25 15:17 9553e216 issues.bib 380650 Defl:X 347230 9% 2019-01-13 11:55 82ebfb5f ARMaHYDAN.zip # A tool for manipulating 'optional' bits in ARM processor instructions. 122322 Defl:X 32150 74% 2019-03-09 12:01 59f0fba6 rfc5322.txt # RFC 5322: Internet Message Format 5316181 Defl:X 4734743 11% 2019-02-22 13:10 fffd6b98 stevensthesis.pdf # Attacks on Hash Functions and Applications. 24967 Defl:X 9371 63% 2018-09-30 20:35 89e381a6 vaxhax-0xabad1dea.txt # VaxHax: A Quick Guide to Asm on the VAX-11. 64954 Defl:X 60284 7% 2019-03-09 13:41 9c252ad5 obytelib.zip # OCaml bytecode library tools. 24087 Stored 24087 0% 2019-01-04 10:19 8267d0d9 stegpal-0.2.8.0.tar.gz # Steganography in .ICO Files, PoC in Haskell. 134809 Defl:X 131531 2% 2016-08-08 02:11 863df509 avleak.pdf # AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing. 298853 Defl:X 70216 77% 2019-01-04 10:19 ca2e12e2 galaxian.asm # Galaxian 1979 Reverse Engineered Assembly Code. 852868 Defl:X 370976 57% 2019-01-04 10:19 ddf712d1 caml-instructions.pdf # Caml Virtual Machine - Instruction set. 4008193 Defl:X 3917253 2% 2019-01-25 06:28 1af71635 reverse-engineering-ble-devices.pdf # Reverse Engineering BLE Devices Documentation. 2145 Defl:X 1238 42% 2019-03-25 15:17 fe048d98 index.txt 2306945 Defl:X 2192382 5% 2019-01-04 10:19 c78f5e48 urh.pdf # Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols. 19676 Defl:X 17862 9% 2019-03-09 13:41 d8324af6 polyocamlbyte.zip # An OCaml bytecode which is also a PDF and a PNG. 83900 Defl:X 77184 8% 2019-01-04 10:19 c1f51574 PDFRick.zip # Handcrafted PDF with an interactive Game Of Life in WebAssembly. -------- ------- --- ------- 33897715 30472096 10% 33 files

  PoC||GTFO - Issue 0x20

Grab gifts from the genizah, reading every last page!  And write in their margins!  And give them all again!

January 21, 2020 | 39.9M PDF/ZIP/TI-sign(PDF) | Includes | md5sum: c1624bd2a775a0f179fad0c1b8d5fae9 | Archive.org Entry

1. Let's Start a Band Together!
2. Let's Build a Geniza from the World's Flash Memory!  - A sermon about preserving books for the long haul on page 5, which imagines a technique by which we could put unused pages of Flash memory to good use, preserving the books of our civilization just as well as the fine folks of the Ezra synagogue in Cairo did a thousand years ago, by Pastor Manul Laphroaig
3. NFC Exploitation with the RF430RFL152 and 'TAL152  - Travis Goodspeed and Axelle Apvrille introduce us to the RF430FRL152H chip from Texas Instruments, an NFC tag with a built-in microcontroller that runs from FRAM instead of Flash memory.  Not only is it handy for emulating other NFC Type V tags, but we'll also learn how to dump memory from a locked tag with a custom mask ROM, by Travis Goodspeed and Axelle Apvrille  (GitHub)
4. Turtles All the Way Down  - In this day of hardware virtualization, we often take emulation for granted, and it is no surprise that programs for one platform run on another.  But on page 14, Charles Mangin presents an Altair 8800 emulator that runs accurately on the Apple ][, with fewer registers and less configurable memory, by Charles Mangin
5. An Arbitrary Read Exploit for Ryzenfall  - You might recall that in March of 2018, there was a bit of drama around an arbitrary physical memory read vulnerability in AMD's Ryzen platform, but did you ever understand the bug well enough to exploit it?  Those of us who merely made a flippant comment on Twitter about disclosure policies, and therefore must ask forgiveness for our crass ways, can find a thorough and technical explanation with code examples, by David Kaplan on page 25. by David Kaplan  (Twitter, GitHub)
6. A Short History of Texas Instrument Calculator Hacks  - Quite a few of us first learned Z80 assembly language for our calculators in high school, and on page 32, we bring you Brandon Wilson's short history of TI graphing calculator hacking.  You'll learnhow the TI-85's memory backups were used to corrupt function pointers in the Custom menu, how the TI-83+ RSA512 signing keys were factored in bedrooms, and how the Z80 emulation mode of the Zilog eZ80 calculators left holes through which the operating system could be patched, by Brandon L. Wilson
7. Modern ELF Infection Techniques of SCOP Binaries  - Ryan O'Neill, whom you might know as ElfMaster, is back on page 45 with an accurate technical description of ld's -separate-code feature that changes the ways in which ELF segments are parsed and might be infected, by Ryan "ElfMaster" O'Neill
8. Encryption is Not Integrity!  - Page 62 presents a nice little riddle in cryptographic numerology by Cornelius Diekmann, which is itself generated by a Python script, by Cornelius Diekmann
9. RSA GTFO  - We then continue to a second crptography rant, in mildly more explicit language, by Ben Perez on page 68, by Ben Perez
10. A Code Pirate's Cutlass: Recovering Software Architecture from Embedded Binaries  - EVM concludes this release with tricks for detecting the boundaries between statically-linked objects.  He begins by noticing that functions at the beginning of a module are more likely to call forward than backward, while by the end of the module the call backward more than forward until the beginning of the next module, when they abruptly begin to call forward again.  Through this and other tricks, plus a lot of necessary calibration, he presents a polished toolkit for cutting apart linked objects on page 73, by EVM
11. What Clever Things Have You Learned Lately?  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of The Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Bus Driver................Ryan Speers Samizdat Postmaster..............Nick Farr

Technical Note:  The electronic edition of this magazine is valid as both PDF and ZIP.  The PDF has been cryptographically signed with a factored private key for the TI-83+ graphing calculator.

$ pdfsig pocorgtfo20.pdf Digital Signature Info of: pocorgtfo20.pdf Signature #1: - Signer Certificate Common Name: TI-83 Plus Silver Edition OS Signing Key - Signer full Distinguished Name: CN=TI-83 Plus Silver Edition OS Signing Key - Signing Time: Jan 21 2020 19:28:53 - Signing Hash Algorithm: SHA1 - Signature Type: adbe.pkcs7.sha1 - Signed Ranges: [0 - 39897127], [39898675 - 39903679] - Total document signed - Signature Validation: Signature is Valid. - Certificate Validation: Certificate issuer isn't Trusted. $ unzip -v pocorgtfo20.pdf Archive: pocorgtfo20.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 2388 Defl:X 1340 44% 2020-01-21 11:55 dd4c3b61 index.txt 102530 Defl:X 34589 66% 2019-11-03 04:29 77087fb1 ti83plus.inc # TI-83 Plus Include File, by Brandon Wilson. 1901300 Defl:X 1855666 2% 2019-11-03 04:29 e3907236 SIM8800.zip # SIM-8800: Altair 8800 emulator for Apple II, by Dann McCreary. 455128 Defl:X 182484 60% 2019-11-03 04:29 109eca67 revolt_en.txt # The Project Gutenberg EBook of The Revolt of the Angels, by Anatole France. 64811 Defl:X 20275 69% 2019-12-06 04:44 9603091c phrack61-8.txt # The Cerberus ELF Interface, by mayhem 48667 Defl:X 11496 76% 2020-01-20 10:16 0631d209 issues.bib 2472176 Defl:X 1436312 42% 2019-11-03 04:29 106aa609 decompilerthesis.pdf # Reverse Compilation Techniques, by Cristina Cifuentes. 22573 Defl:X 10813 52% 2020-01-20 10:16 4f7c0cb2 issues.txt 12411 Defl:X 9568 23% 2019-11-03 04:29 5d7e3bc6 ti83pluskeys.zip # TI-73/83/84/89/92 and Voyage 200 Flash and OS Signing Keys. 2295101 Defl:X 210041 91% 2020-01-20 12:16 7f02503e pocsag.pdf # The POCSAG Paging Protocol, application note by Adam Hickerson 386802 Defl:X 363850 6% 2020-01-04 13:55 3b3cd0c0 weakkeys12.pdf # Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, by Nadia Heninger 520283 Defl:X 515498 1% 2020-01-04 13:55 4117f45e primeandprejudice.pdf # Prime and Prejudice: Primality Testing Under Adversarial Conditions, by Martin R. Albrecht 1329049 Defl:X 1239285 7% 2019-11-03 04:29 ffb2973b w25q128fv.pdf # W25Q128FV (128M-bit) Serial Flash memory datasheet. 54047 Defl:X 16068 70% 2019-12-06 04:44 e0daf514 retaliation.txt # An unofficial analysis of the Retaliation Virus (Authored by JPanic). 964 Defl:X 512 47% 2019-11-03 04:29 f761500b exactitude.txt # Relic of the Disciplines of Binary Analysis. 50472 Defl:X 24544 51% 2019-12-06 04:44 470e7375 elf-pv.txt # UNIX ELF Parasites and Virus, by Silvio Cesare. 124687 Defl:X 109871 12% 2020-01-04 13:55 73ff1ffd historyofrsa.pdf # The RSA Cryptosystem: History, Algorithm, Primes. 4987220 Defl:X 4974984 0% 2019-11-03 04:29 cd97cd11 wabbitemu-1.9.5.22.tar.gz # A TI graphing calculator emulator. 10026 Defl:X 8772 13% 2020-01-20 12:16 76a1613d scop.zip # Code by ElfMaster for PoC||GTFO 20:07 65927 Defl:X 17392 74% 2020-01-21 11:55 2c055855 poc.py # The source code to Encryption Is Not Integrity, PoC||GTFO 20:08 by Cornelius Diekmann. 317705 Defl:X 122868 61% 2019-11-03 04:29 71a28847 thais.txt # The Project Gutenberg EBook of Thais, by Anatole France. 13057 Defl:X 4422 66% 2019-11-22 16:29 47ca92ce scop2018.txt # Secure Code Partitioning With ELF binaries, aka. SCOP. 1687150 Defl:X 1605247 5% 2019-11-03 04:29 941cdbed bxthesis.pdf # Types for the chain of trust: No (loader) write left behind, by Rebecca ".bx" Shapiro. 1925108 Defl:X 1529902 21% 2019-11-03 04:29 486318a7 preboot.pdf # Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer. 11322095 Defl:X 11225250 1% 2019-11-03 04:29 e0d40440 CodeCut.zip # Detecting Object File Boundaries in IDA Pro, by The Johns Hopkins University APL. 398631 Defl:X 149060 63% 2019-11-03 04:29 55ec6db7 80days.txt # The Project Gutenberg EBook of Around the World in 80 Days, by Jules Verne. 186919 Defl:X 138055 26% 2019-11-03 04:29 990684ae flashretention.pdf # Understanding MSP430 Flash Data Retention, by Texas Instruments. 75511 Defl:X 73272 3% 2019-11-03 04:29 61489c32 ryzenfallen.zip # A Windows PoC exploit for the Ryzenfall series of vulnerabilities discovered by CTS Labs. 94898 Defl:X 92346 3% 2019-11-03 04:29 c72a4a3d phx.zip # Phoenix - The ultimate(?) shoot-em-up for the TI-82 through TI-86! -------- ------- --- ------- 30927636 25983782 16% 29 files

  PoC||GTFO - Issue 0x21

Notebook of Altera NIOS Disassembly, Routable IPIP Spoofing, PCAP-NG Polyglots, Weird Machinery, Code Golfing, and UHF-VHF TUNERS

February 12, 2022 | 63.9M PDF/ZIP/PCAP-NG | Includes | md5sum: 991b5bb29a0ad0449910a441cef73fb9 | Archive.org Entry

1. Don't Give Up on Your Library Card!
2. A Tale of Glavlit and Samizdat  - The old joke goes that Stalin's 1936 Constitution of the USSR guaranteed freedom of speech, but that rat bastard never made any promises about freedom after speech.  On page 6, our own Pastor Manul Laphroaig takes a step back from the tragedy of so many brilliant works being unpublished or unwritten, to consider another question: If you had the power to censor just the bad stuff, would you use it?, by Rt. Revd. Pastor Manul Laphroaig
3. Spoofing IP with IPIP  - A long time ago in a fancy bar in Tel Aviv, Yannay Livneh told us of a bug in the IPIP tunneling protocol that might allow for convenient injection of an IP frame into a remote network, that this might be nested to create a very complicated route, and that a large number of machines on the Internet were possibly vulnerable.  His proof of concept took just a week or two, but the coordinated disclosure dragged on for many months, and the only way you can re-pay this blood debt is by reading his fine article on page 7, by Yannay Livneh
4. Anti-Debugging Tips and Tricks for Cortex-M Microcontrollers  - Suppose that you have some firmware, but you don't want us meddle some reverse-engineers to run that same firmware under a debugger, even after they've defeated the readout protection.  On page 8, Balda describes a grab bag of these anti-debugging tricks, by Balda
5. Symgrate: A Web API for Thumb2 Symbol Recovery  - Travis Goodspeed and EVM have spent the past year collecting three hundred gigabytes of microcontroller SDKs, which they've parsed and blinded into a SQL database.  Accessible through a JSON API, this database allows such nifty queries as function name recovery and I/O port naming, by Travis Goodspeed and EVM
6. Reversing the Fair-Play 710 Baseball Scoreboard  - EVM has also been playing with a baseball scoreboard, the Fair-Play 710.  On page 17, he describes his method for attaching this ancient artifact to a modern network, allowing parents in his town to display the scores from the comfort of the bleachers, by EVM
7. A Tourist's Guide to Altera NIOS  - Our fine journal frequently runs tourist guides to strange CPU architectures.  On page 24, Christopher Hewitt introduces us to Altera's original Nios architecture, a soft-CPU from the year 2000 that was largely forgotten after Intel's acquisition of the FPGA company in 2015.  This particular Nios machine was used in a GPS-disciplined oscillator that Chris wanted to repurpose for other uses, by Christopher Hewitt
8. An Electromechanical Telephone Exchange  - Those of our readers old enough to have used a rotary telephone might have explored the network with a blue box or at least made free payphone calls with a red box.  Younger readers might've made their own small telephone networks with VoIP and other newfangled technologies.  An anonymous article on page 31 goes beyond those tricks, to show you how a rotary telephone network might be built from scratch with vintage technology, by Anonymous
9. An ELF Palindrome for AMD64  - Netspooky is a damned clever code golpher who is new to these pages.  On page 42, you'll find a technique for producing palindrome ELF files, by Netspooky  (Twitter, GitHub, YouTube Channel)
10. BootNoodle: A Palindromic Bootloader for BGGP  - Harvey Phillips also describes his own techniques for machine code palindromes, applied to a x86 boot-loader on page 50.  These were both written for 2020's Binary Golf Grand Prix, and we eagerly await what clever things they'll do this year, by Harvey Phillips
11. Windrose Fingerprinting of Code Architecture  - Suppose that you have a bit of raw firmware that you're pretty sure is executable code, but you don't yet know the architecture.  You might try looking for common sequences, or you might check that relative function calls match entry points.  EVM has a simpler method, which is to draw a windrose diagram of byte frequencies, skipping universally common ones like 0x00, by EVM
12. NSA's Backdoor of the PX-1000Cr  - In the early eighties, a gizmo called the Text Lite PX-1000 allowed folks to encrypt short messages with DES, then transmit them by audio coupler modem.  At some point the NSA got nervous about this, purchased all outstanding units, and convinced the manufacturer to update the ROM to support aunique and proprietary encryption protocol, rather than the standard for which it was made.  On page59, Stefan Marsiske explains how he reverse engineered the backdoored algorithm and cracked it with modern tooling, by Stefan Marsiske
• PoCorGTFO 21:12 Apocrypha
• NSA's Backdoor of the PX1000-Cr  Hacker News
• Camp++ 0x7e5 // A Historical NSA Backdoor  by Stef  (YouTube)
13. Solving the Load Address; or, Fixing Useless Firmware Disassembly  - It's not so uncommon to find a firmware image, but not a load address.  On page 67, EVM describesa generalized solution to this problem, first defining function entry points as a function of the load address and then solving for the load address that matches a strong majority of any absolute calls, by EVM
14. Counting Words with a State Machine  - Robert Graham has often lectured our editors on the virtues of state machine implementations of software, as a leaner and meaner alternative to the object-oriented monstrosities that might be more organized, but are undeniably more computationally expensive.  On page 71, he applies his highfalutin performance optimizations to the wc command, by Robert Graham
15. Never Say 'No' to Adventures  - We pass the collection plate and beg that you contribute some PoC of your own, by Pastor Manul Laphroaig

Man of The Book..................Manul Laphroaig Editor of Last Resort............Melilot LaTeXnician......................Evan Sultanik Editorial Whipping Boy...........Jacob Torrey Funky File Supervisor............Ange Albertini Assistant Scenic Designer........Philippe Teuwen Scooby Bus Driver................Ryan Speers Stunts (Uncredited)..............Alexei Bulazel with the good assistance of Tree Killer......................EVM

Technical Note:  The electronic edition of this magazine is valid as both PDF and ZIP.  Thanks to Ange Albertini, it is also a PcapNG packet capture of an experiment by Yannay Livneh.  See page 7.

Cover Art:  The cover art for this issue is adapted from a 1951 television repair manual by Edward M. Noll, a lecturer at Temple University in Philadelphia.

$ file pocorgtfo21.pdf pocorgtfo21.pdf: pcapng capture file - version 1.0 $ unzip -v pocorgtfo21.pdf Archive: pocorgtfo21.pdf Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 2024322 Defl:X 1934885 4% 2021-11-24 12:02 437f28f7 packratgps.pdf # A GPS receiver project by WA2OMY and WA3YUE of the Packrats club. 21258 Defl:X 7527 65% 2000-05-11 11:40 e8260089 bcp38.txt # IETF BCP38 standard. 23110 Defl:X 20623 11% 2020-09-07 11:25 663f2948 i2ao.zip # Intro to Assembly Optimization 1936 Defl:X 955 51% 2022-02-11 07:40 c6389789 index.txt 18632 Defl:X 17481 6% 2020-11-04 18:23 7e5f8b2f bootnoodle.zip # A palindrome bootloader. 814172 Defl:X 724553 11% 2014-07-17 03:09 6acf84fb brucker-thesis.pdf # Ben Bruecker's thesis on the PX-1000, cited in PoC||GTFO 21:12. 3735300 Defl:X 3705870 1% 2022-02-05 09:53 1ea9770b phones3.mp3 # Audio recording of a hobby phone network. 7511 Defl:X 6658 11% 2021-11-24 12:02 5ded6885 FairPlay.zip # Source code for the Fairplay baseball scoreboard controller. 3704610 Defl:X 3704847 0% 2020-04-28 09:35 9f1be183 nrfsec.tar.bz2 # nRF52 Security Tools - Corrupted file? 563380 Defl:X 538583 4% 2021-10-22 16:01 fa1b5777 sim68xx.zip # Main branch of sim68xx. 594280 Defl:X 565624 5% 2022-02-12 12:01 05c1a979 bakoev-afn.pdf # Valentin Bakoev's paper on fast bitwise implementations of AFNs. 88431 Defl:X 23003 74% 2021-11-24 12:02 d49e897e phrack5715.txt # Rix' article on alphanumeric shellcode from Phrack 57:15. 674487 Defl:X 659570 2% 2021-12-05 14:25 2b27363e px1k.zip # PX1K cracking source code. 4681425 Defl:X 4513193 4% 2021-10-22 15:56 a3f242ac hd6303rp.pdf # Datasheet for the HD6303. Pages are out of order. 5042857 Defl:X 4142611 18% 2022-02-12 12:01 63a1a967 schwarzthesis.pdf # Michael Schwarz' thesis on software side-channel attacks. 255045 Defl:X 10657 96% 2021-11-24 12:02 429a7e92 nios-epp-mmap.txt # NIOS Memory Map 2843256 Defl:X 2740485 4% 2022-02-12 12:01 11ff4a58 woot20-paper-obermaier.pdf # Excellent paper from Usenix WOOT on exploiting counterfeit STM32 chips. 20559 Defl:X 8683 58% 2020-06-29 10:38 c4aba46f innerring.txt # Who should you learn from? 669672 Defl:X 640416 4% 2021-10-22 16:05 9f81102d sim68xx-px1000.zip # PX1K fork of sim68xx. 34082 Defl:X 5862 83% 2021-05-03 07:50 0cbd7951 zmap-ipip.patch # Patch to ZMAP for scanning for the IPIP reflection vulnerability. 5853935 Defl:X 5848759 0% 2021-05-14 12:59 ded1c9b1 tmp.0ut.1.txt.zip # Issue 1 of tmp.0ut, a fine journal. 4252321 Defl:X 3426483 19% 2020-08-10 09:18 8dbb1ea5 ble-rce.pdf # Veronica Kovah's paper on writing memory corrption exploits for Bluetooth LE. 6747035 Defl:X 6398769 5% 2020-05-15 15:45 3a6ac585 atari-protections.pdf # Old book by George Morrison on Atari copy protections. 51577 Defl:X 12141 77% 2022-02-05 17:02 d290cc93 issues.bib 40013 Defl:X 14540 64% 2021-11-27 16:04 39219a7e phrack6317.txt # Cawan's article on FPGA hacking, from Phrack 63:17. 447904 Defl:X 422999 6% 2021-11-06 12:18 39e98807 cortex-m-antidebug.zip # Source code for Balda's anti-reversing tricks. 23792 Defl:X 11269 53% 2022-02-05 17:02 a8881665 issues.txt 45911 Defl:X 43425 5% 2021-11-28 11:50 3d0721cc wc2.zip # Rob Graham's state machine implementations of WC. -------- ------- --- ------- 43280813 40150471 7% 28 files >>> from scapy.all import * >>> pcap = defrag(rdpcap("pocorgtfo21.pdf")) >>> for packet in pcap: ... packet.show() ... 0000 Ether / IP / UDP / DNS Qry "b'a2862978690.com.'" 0000 Ether / IP / IP / IP / IP / IP / IP / IP / IP / IP / ... / 117.239.221.1 > 81.134.10.64 4 / Raw >>>

######          #####    # #    #####  ####### ####### ####### 
#     #  ####  #     #   # #   #     #    #    #       #     # 
#     # #    # #         # #   #          #    #       #     # 
######  #    # #         # #   #  ####    #    #####   #     # 
#       #    # #         # #   #     #    #    #       #     # 
#       #    # #     #   # #   #     #    #    #       #     # 
#        ####   #####    # #    #####     #    #       #######