Some tools

AirScan : a Nintendo DS Wi-Fi access point scanner

AirScan is a Wi-Fi scanning utility for the Nintendo DS. It offers various filtering features to facilitate access point discovery.
For example, it can be used to locate open access points in low WiFi density areas thanks to its sensivity.
Interesting features include :

Screenshot

sample image showing AirScan running

History

Download

Download it here : airscan-v1.0.zip

Github

You can find the code on GitHub too : https://github.com/trou/airscan.

Panasonic RW2 files lens distortion correction information

Panasonic includes lens distortion correction data in their RAW files as an EXIF tag. Unfortunately, they did not release the specification for this tag. Which is really annoying for people willing to use a RAW converter which is not vetted by Panasonic.

Inspired by this blog post : Dissecting Panasonic RW2 files. I decided to take the plunge and finally find out what's behind the format.
The following command allows us to get the raw hex bytes of the 0x119 tag, which includes the correction data :

$ exiv2 pr -ph -u sample.rw2 | grep -A2 0x0119 0x0119 PanasonicRaw 0x0119 Undefined 32 32 0000 29 54 9b 48 fc 00 00 00 69 01 00 00 e0 01 01 00 )T.H....i....... 0010 7f 0f 34 01 56 02 81 fb c4 09 28 03 ce 5a d6 8e ..4.V.....(..Z..

The data is only 32 bytes long, which should make it quite easy to parse.
After some (err a lot of) reverse engineering work, I finally understand enough to write a parser : the data is infact 16 short (16 bits) integers, represented in little endian order :

5429 489b 00fc 0000 0169 0000 01e0 0001 0f7f 0134 0256 fb81 09c4 0328 5ace 8ed6 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Words 0, 1, 14 and 15 are checksums, see the code for the algorithm.
Word 7 is a flag : 0 means the distortion correction data shouldn't be applied, 1 means it should. Other values seem to be invalid

The rest seems to represent 2 types of data, but only one seems to be used, consisting of words 12, 5, 8, 4 and 11. Changing words 2, 3, 6, 9, 10 and 13 doesn't seem to have any effect.

This can be summarized by :

n = data[12]; scale = 1.0/(1.0+(data[5]/32768.0)); a = data[8]/32768.0; b = data[4]/32768.0; c = data[11]/32768.0;

Now after playing with Adobe DNG Converter to get a clue on the equation used, it seemed parameters a b and c roughly match the following equation :

Ru = scale*(Rd + a*Rd^3 + b*Rd^5 + c*Rd^7)

Reversing SilkyPix confirms it. But it computes it in a weird way :

double table[100]; for(i=0; i<100; i++) table[i] = f(i/25.0); And stops computing if the derivative becomes negative or if the value exceeds 2.

Unfortunately, more tests with lensfun got me confused, and for example, trying the "poly3" model gives completely different results.
You can find below some tools which helped me reverse engineer the format, including the code to fix checksums.

Please check Andrew Johnston's work on the subject : http://www.andrewj.com/mft/

TODO

Tag 0x011b contains information to correct chromatic aberrations.

History

Download it here : panarw2-v0.1.tar

Windows, with binaries : panarw2-0.1.zip

Github : https://github.com/trou/panasonic-rw2

Arte+7 downloader

Arte offers a nice service to watch broadcastings you weren't able to see on TV. This little scripts makes it easy to download and archive the videos.
Unfortunately, the service is limited to French and German residents.

Usage

Basic usage : 1) downloading the latest broadcasts of a given program : $ ./arteget.rb karambolage 2) downloading a single video : $ ./arteget.rb http://www.arte.tv/guide/fr/040347-001/le-cerveau-et-ses-automatismes-1-2 3) downloading the 10 most viewed videos : $ ./arteget.rb --top=10 4) downloading the 10 best rated videos : $ ./arteget.rb -b 5) downloading in german, standard quality : $ ./artget.rb --qual=sd --lang=de karambolage

History

Download

Download it here: arteget-2.2.zip. Yoann Guillot's HTTP libs from : https://github.com/jjyg/libhttpclient are needed.
You will also need rtmpdump.

Github

You can find the code on GitHub too : https://github.com/trou/arteget.

MIPS (MIPS IDA PluginS)

IDA, until version 5.5, didn't understand the so-called "old abi" of MIPS ELF binaries.
I wrote this IDAPython plugin which parses the ELF itself to resolve calls to external libraries.
It also handles switch tables and internal symbols. It helps a LOT while reversing embedded binaries.
It is partially based on the work of Julien Tinnes : mips.elf.external.resolution.txt.

It also includes two little Python scripts (ident_func.py and ident_func_le.py) to identify all functions in a binary, which helps a lot for cross references.

Screenshot

sample image showing the difference of the asm listing before and after running the plugin

Usage

History

Download

Download it here: mips-analyser-1.5.3.zip

MBSA Extractor

MBSA is a tool from Microsoft used to verify if your systems are up-to-date.
My tool uses MBSA's database to download specific updates, extract them, sort them on the disk, etc.
It can be very useful to download several versions of the same file.

Usage

The tool has been designed for flexibility and updates can be selected using many criterias : Some valid search expressions : CVE=CVE-2006-1234 SID=date(20041225,20060101) KBID=147258 xpath='//Update[./ExtendedProperties/SecurityBulletinID[text()='MS06-040']]'

History

Download

You'll need the ruby-xml-smart library : http://raa.ruby-lang.org/project/ruby-xml-smart/.
Download it here: mbsa-1.0.tar.bz2

Debian OpenSSL vulnerability

We (Raphaël Rigo, Romain Raboin and Julien Tinnes) gave a short talk at SSTIC 08 about some of the tools we wrote after the OpenSSL/Debian advisory to remotely discover vulnerable keys in authorized_keys files, decipher SSH traffic and retrieve DSA private keys (even from non weak keys). We also wrote an article in french in this MISC issue.

The main page for those tools is there but you can find my tools (written with Yoann Guillot) to decrypt vulnerable OpenSSH session captures on Yoann's Github :https://github.com/jjyg/ssh_decoder and the keygen tool here : https://github.com/trou/ssh_key_keygen or here : ssh_kex_keygen-1.1.tar.bz2.

Various stuff

You will find some things not worthy of any description in there : stuff
If no licence is specified, consider it's GPL v3.