- Black Hat Europe 2015 : A peek under the Blue Coat. Link, Slides, Video.
- Ruxcon 2015 : A peek under the Blue Coat. Link, Slides.
- Hardwear.io 2015 : Attacking hardware for software reversers: Analysis of an encrypted HDD, with Joffrey Czarny. Link, Slides.
- SSTIC 2015 : Analysis of an encrypted HDD (Hardware RE for software reversers), with Joffrey Czarny. Link, Article, Slides (in French), Video.
- SyScan 2015 : The challenges in designing a secure hard drive. Slides, Video.
- SSTIC 2012 : Sécurité de RDP, with Aurélien Bordes and Arnaud Ebalard. Link, Article (in French).
- DeepSec 2010 : Android: forensics and reverse engineering. Slides, Video.
- Program committee membership:
- Security Seminar at LORIA : Sécuriser un grand parc Active Directory ?
- SSTIC Challenge (in French):
- SSTIC 2008 rump session on the Debian OpenSSL vulnerability: Slides.
Arte offers a nice service to watch broadcasts you weren't able to see on TV. This little script makes
it easy to download and archive the videos.
Unfortunately, the service is limited to French and German residents.
Basic usage :
1) downloading the latest broadcasts of a given program :
$ ./arteget.rb karambolage
2) downloading a single video :
$ ./arteget.rb http://www.arte.tv/guide/fr/040347-001/le-cerveau-et-ses-automatismes-1-2
3) downloading the 10 most viewed videos :
$ ./arteget.rb --top=10
4) downloading the 10 best rated videos :
$ ./arteget.rb -b
5) downloading in German, standard quality :
$ ./arteget.rb --qual=sd --lang=de karambolage
- 20/05/2016 : 2.5 : now uses Net::HTTP, new site kind of works
- 08/11/2015 : 2.4 : basic functionality with new site. Use wget instead of rtmpdump.
- 20/09/2014 : 2.3 : fixes : site parsing, rtmpdump invocation
- 12/02/2014 : 2.2 : destination dir support, description saving, improvements
- 25/08/2013 : 2.0 : handle the new site version, some improvements
- 30/04/2011 : 1.11 : fix URL downloading
- 06/03/2011 : 1.1 : top videos (views/ratings) support, internal rework, quiet mode
- 20/02/2011 : 1.01 : support URL argument, new site URL
- 13/06/2010 : 1.0 : first versioned release, supporting the new site
- xx/xx/2008 : first release
Download it here: arteget-2.5.zip
You can find the code on GitHub too : https://github.com/trou/arteget
Panasonic RW2 files lens distortion correction information
Panasonic includes lens distortion correction data in their RAW
files as an EXIF tag. Unfortunately, they did not release the
specification for this tag, which is really annoying for people who want
to use a RAW converter that is not vetted by Panasonic.
Inspired by this blog post : Dissecting Panasonic RW2 files,
I decided to take the plunge and finally find out
what's behind the format.
The following command allows us to get the raw
hex bytes of the 0x119 tag, which includes the correction data :
$ exiv2 pr -ph -u sample.rw2 | grep -A2 0x0119
0x0119 PanasonicRaw 0x0119 Undefined 32 32
0000 29 54 9b 48 fc 00 00 00 69 01 00 00 e0 01 01 00 )T.H....i.......
0010 7f 0f 34 01 56 02 81 fb c4 09 28 03 ce 5a d6 8e ..4.V.....(..Z..
The data is only 32 bytes long, which should make it quite easy to parse.
After some (err a lot of) reverse engineering work, I finally understand enough
to write a parser : the data is in fact 16 short (16 bits) integers, represented
in little endian order :
5429 489b 00fc 0000 0169 0000 01e0 0001 0f7f 0134 0256 fb81 09c4 0328 5ace 8ed6
0    1    2    3    4    5    6    7    8    9    10   11   12   13   14   15
Words 0, 1, 14 and 15 are checksums, see the code for the algorithm.
Word 7 is a flag : 0 means the distortion correction data shouldn't be applied,
1 means it should. Other values seem to be invalid.
The rest seems to represent 2 types of data, but only one seems to be used,
consisting of words 12, 5, 8, 4 and 11. Changing words 2, 3, 6, 9, 10 and 13
doesn't seem to have any effect.
- word 12 seems to always be equal to 2500, changing it disables
- words 5, 8, 4 and 11 are floating point numbers encoded as signed
integers. Divide them by 32768 to get the original value.
- Word 5 is a scale factor.
- Word 8 is the primary (a) coefficient for the distortion correction
- Word 4 is the second (b) coefficient for the distortion correction
- Word 11 is the third (c) coefficient for the distortion correction
This can be summarized by :
/* data[] holds the 16 words of the tag as signed 16-bit integers */
n = data[12];
scale = 1.0/(1.0+(data[5]/32768.0));
a = data[8]/32768.0;
b = data[4]/32768.0;
c = data[11]/32768.0;
Now after playing with Adobe DNG Converter to get a clue on the equation used,
it seemed parameters a, b and c roughly match the following equation :
Ru = scale*(Rd + a*Rd^3 + b*Rd^5 + c*Rd^7)
Reversing SilkyPix confirms it. But it computes it in a weird way :
for(i=0; i<100; i++)
table[i] = f(i/25.0);
And stops computing if the derivative becomes negative or if the value exceeds 2.
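The word layout and formulas above, put together as an added example in Python (not the author's panarw2 code): it decodes the tag bytes from the hexdump on this page and builds the 100-entry table. The function names and the use of the analytic derivative for the stop test are assumptions, and the checksum words are not verified because their algorithm is not given here.

```python
import struct
from typing import List, NamedTuple
# Added example, illustrative names. Bytes copied from the exiv2 hexdump on this page.
SAMPLE_TAG = bytes.fromhex(
    "29 54 9b 48 fc 00 00 00 69 01 00 00 e0 01 01 00 "
    "7f 0f 34 01 56 02 81 fb c4 09 28 03 ce 5a d6 8e"
)

class Distortion(NamedTuple):
    enabled: bool   # word 7
    n: int          # word 12, observed as 2500
    scale: float    # derived from word 5
    a: float        # word 8
    b: float        # word 4
    c: float        # word 11

def parse_tag_0119(raw: bytes) -> Distortion:
    """Decode the 16 little-endian words; checksum words 0, 1, 14, 15 are not verified."""
    if len(raw) != 32:
        raise ValueError("expected 32 bytes, got %d" % len(raw))
    u = struct.unpack("<16H", raw)  # unsigned view for the flag and n
    s = struct.unpack("<16h", raw)  # signed view for the fixed-point words
    if u[7] not in (0, 1):
        raise ValueError("invalid flag in word 7: %d" % u[7])
    if s[5] == -32768:
        raise ValueError("word 5 would make the scale divide by zero")
    return Distortion(bool(u[7]), u[12], 1.0 / (1.0 + s[5] / 32768.0),
                      s[8] / 32768.0, s[4] / 32768.0, s[11] / 32768.0)

def undistort(d: Distortion, rd: float) -> float:
    """Ru = scale*(Rd + a*Rd^3 + b*Rd^5 + c*Rd^7), in Horner form."""
    r2 = rd * rd
    return d.scale * rd * (1.0 + r2 * (d.a + r2 * (d.b + r2 * d.c)))

def slope(d: Distortion, rd: float) -> float:
    """dRu/dRd for the stop condition (using the analytic form is an assumption)."""
    r2 = rd * rd
    return d.scale * (1.0 + r2 * (3 * d.a + r2 * (5 * d.b + r2 * 7 * d.c)))

def build_table(d: Distortion, size: int = 100) -> List[float]:
    """table[i] = f(i/25.0), cut short when the slope turns negative or f > 2."""
    table: List[float] = []
    for i in range(size):
        rd = i / 25.0
        ru = undistort(d, rd)
        if slope(d, rd) < 0 or ru > 2.0:
            break
        table.append(ru)
    return table
```

For the sample tag the slope turns negative before the value reaches 2, so the table is cut well short of 100 entries.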
Unfortunately, more tests with lensfun got me confused, and for
example, trying the "poly3" model gives completely different results.
You can find below some tools which helped me reverse engineer the
format, including the code to fix checksums.
Please check Andrew Johnston's work on the subject : http://www.andrewj.com/mft/
Tag 0x011b contains information to correct chromatic aberrations.
- 30/04/2011 : 0.1 : first public release
Download it here : panarw2-v0.1.tar
Windows, with binaries : panarw2-0.1.zip
Github : https://github.com/trou/panasonic-rw2
AirScan : a Nintendo DS Wi-Fi access point scanner
AirScan is a Wi-Fi scanning utility for the Nintendo DS. It offers various
filtering features to facilitate access point discovery.
For example, it can be used to locate open access points in low WiFi density
areas thanks to its sensitivity.
Interesting features include :
- Display only desired protection levels (open, WEP, WPA)
- Connectivity testing for open access points (including retrieval of the Google homepage)
- Easy scrolling
- Timeouts for out of range APs
- 07/11/2010 : 1.0 : improved connectivity testing, new icon
- 20/02/2010 : 0.6 : fix for scrolling and timeouts
- 18/01/2010 : 0.5.1: mode selection bugfix
- 09/01/2010 : 0.5 : connectivity testing, many bugfixes
- 02/03/2009 : 0.2 : timeouts
- 26/06/2008 : 0.1a : first public release
Download it here : airscan-v1.0.zip
You can find the code on GitHub too : https://github.com/trou/airscan
MIPS (MIPS IDA PluginS)
IDA, until version 5.5, didn't understand the so-called "old abi" of MIPS ELF binaries.
I wrote this IDAPython plugin which parses the ELF itself to resolve calls to external libraries.
It also handles switch tables and internal symbols. It helps a LOT while reversing embedded binaries.
It is partially based on the work of Julien Tinnes : mips.elf.external.resolution.txt.
It also includes two little Python scripts (ident_func.py and
ident_func_le.py) to identify all functions in a binary, which helps a
lot for cross references.
- Read the documentation on top of the source
- (optional) run ident_func.py
- Run the plugin in IDAPython, it will ask if you want to analyze the whole segment or just the current function
- Click "yes" or "no"
- Enjoy !
- 26/02/2009 : 1.5.3 : Bugfix in switch table parsing (thx to the reporter)
- 18/09/2008 : 1.5.2 : Bugfix + ident_func_le.py
- 06/09/2008 : 1.5.1 : First public release
Download it here: mips-analyser-1.5.3.zip
MBSA is a tool from Microsoft used to verify if your systems
My tool uses MBSA's database to download specific updates, extract them, sort them on the disk, etc.
It can be very useful to download several versions of the same file.
The tool has been designed for flexibility and updates can be selected using many criteria :
Some valid search expressions :
- 15/10/2008 : 1.0 : First public release
You'll need the ruby-xml-smart library : http://raa.ruby-lang.org/project/ruby-xml-smart/
Download it here: mbsa-1.0.tar.bz2
Debian OpenSSL vulnerability
You will find some things not worthy of any description in there : stuff
If no licence is specified, consider it to be GPL v3.