Bof.

No theme, no regular posting.

© 2014-2015. Raphaël Rigo CC-BY-SA 4.0

Let's Encrypt cron with acme-tiny

So, Let's Encrypt is awesome, even if the official client is a terrifying beast. I chose to use acme-tiny and this post is a quick HOWTO.

  • First, create a directory for challenges in your web root: mkdir -p /var/www/.well-known/acme-challenge/
  • Then, create a letsencrypt user: adduser --home /var/www/.well-known/acme-challenge/ --shell /bin/sh --no-create-home --disabled-password --disabled-login letsencrypt
  • Change ownership: chown letsencrypt /var/www/.well-known/acme-challenge/
  • Create /etc/letsencrypt and set up the ACL: mkdir /etc/letsencrypt ; setfacl -m u:letsencrypt:rx /etc/letsencrypt
  • Put your CSR and user key in /etc/letsencrypt/ as site.csr and user.key, then set the ACL: setfacl -m u:letsencrypt:r /etc/letsencrypt/*
  • Put acme-tiny somewhere and make it world readable
  • Create /etc/cron.d/letsencrypt:

    MAILTO=root

    1 1 21 * *  letsencrypt umask 033; python /usr/local/acme-tiny/acme_tiny.py --account-key /etc/letsencrypt/user.key --csr /etc/letsencrypt/site.csr --acme-dir /var/www/.well-known/acme-challenge/ > /tmp/site.crt && cat /tmp/site.crt > /etc/ssl/certs/site.crt
    10 1 21 * * root service apache2 reload

  • Test with: su -c 'umask 033; python /usr/local/acme-tiny/acme_tiny.py --account-key /etc/letsencrypt/user.key --csr /etc/letsencrypt/site.csr --acme-dir /var/www/.well-known/acme-challenge/ > /tmp/site.crt && cat /tmp/site.crt > /etc/ssl/certs/site.crt' letsencrypt
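
An added example, not part of the original post: the cron command stages the certificate at the fixed path /tmp/site.crt, which any local user can create first. The wrapper below does the same job through a private mktemp file and only overwrites the live certificate when the command succeeded and its output looks like a PEM certificate. The function names are hypothetical, and it assumes /etc/ssl/certs/site.crt already exists and is writable by the letsencrypt user, as the post's `cat >` implies.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# True when the file is non-empty and holds a PEM certificate block.
looks_like_pem_cert() {
    [ -s "$1" ] &&
        grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# renew_cert DEST COMMAND [ARGS...]
# Runs COMMAND (acme_tiny.py with its arguments), captures its stdout in a
# mktemp file (mode 0600, unpredictable name) and copies it over DEST only if
# COMMAND succeeded and printed a certificate. DEST is left untouched otherwise.
renew_cert() {
    dest=$1
    shift
    tmp=$(mktemp) || return 1
    rc=1
    if "$@" > "$tmp" && looks_like_pem_cert "$tmp"; then
        # cat keeps DEST's inode, owner and mode, like the post's cron line.
        cat "$tmp" > "$dest" && rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage as the letsencrypt user, from a script that sources this file:
#   umask 033
#   renew_cert /etc/ssl/certs/site.crt \
#       python /usr/local/acme-tiny/acme_tiny.py \
#       --account-key /etc/letsencrypt/user.key \
#       --csr /etc/letsencrypt/site.csr \
#       --acme-dir /var/www/.well-known/acme-challenge/
```

A non-zero exit status from renew_cert means the old certificate is still in place, so the Apache reload that follows in cron stays harmless.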

Just a caveat: Let's Encrypt does not easily support challenges over HTTPS, so configure a redirect from http to https:

<VirtualHost *:80>
        ServerName syscall.eu
        Redirect permanent / https://syscall.eu/
</VirtualHost>

Lesser known tricks for IDA configuration

This post is mainly for reference but it can be useful.

Being tired of copy/pasting my IDA config and plugins after each update, I decided to check what I could do to centralize my config. As I'm running Linux, I expect everything to be configurable from ~/.idapro.

ida.cfg

You can override configuration options for IDA in ~/.idapro/idauser.cfg. For example, the classic:

#define DEMNAM_CMNT  0                  // comments
#define DEMNAM_NAME  1                  // regular names
#define DEMNAM_NONE  2                  // don't display
DemangleNames   = DEMNAM_NAME           // Show demangled names as regular names

IDAPython

IDAPython will load ~/.idapro/idapythonrc.py, which can then be used to specify additional Python paths, for example:

import sys
sys.path.append('/home/raph/.idapro/python')

You can now add Python libraries that will be available in all your IDA versions. For example:

python/
├── miasm2 -> /home/raph/bin/python/lib/python2.7/site-packages/miasm2
└── pyparsing.py -> /usr/lib/python2.7/dist-packages/pyparsing.py

Plugins

Unfortunately there's no easy way right now to handle a custom user directory for plugins. While discussing the issue with Ilfak, he offered the following workaround:

User plugins can be handled the following way: define the IDAPLG envvar 
that points to the user plugins directory. Create symlinks to all IDA 
plugins from this directory.

Which is not exactly the same but may help if the user has no write access to the IDA directory. Maybe a future version will offer this feature :)

Update: IDA 6.9 supports the IDAUSR environment variable. See doc for awesomeness :)

High DPI screen on Linux.

I recently received a high-DPI screen at work (24" ultra HD). While the quality is excellent, a few problems arise as everything is very small by default.

As I use it on my laptop, I had to find an easy way to switch between different settings:

  • high DPI for my UHD screen
  • medium DPI when using the laptop screen (12" Full HD)
  • normal DPI when using a normal external screen

First, to handle the display configuration, I'm using autorandr, which is awesome.

Then, I use a little bash script that changes the needed settings:

  • cursor size
  • font size in awesome
  • layout.css.devPixelsPerPx setting in Thunderbird and Firefox

But some things still won't work:

  • Chrome
  • Flash
  • Java
  • Windows XP (in my virtual machine)

You can find my ugly shell script here.

Automated BinDiff.

Sometimes it can be useful to automate IDA by running it from the command line (reference). You can do the same with BinDiff, but it is not as easy. You must use a custom IDC script that will call the BinExport plugin:

    #include <idc.idc>
    static main() {
      Batch(0);
      Wait();
      RunPlugin( "zynamics_binexport_5", 2 );
      Exit(0);
    }

You can then run it from the CLI: idaq.exe -A "-OExporterModule:<OUTPATH>" "-SBinExport.idc" "XXX.idb"
Be careful: ALL paths MUST be full paths.

You can then use BinDiff command line tools to compare binaries. It is particularly useful to compare directory trees, for example after a firmware update :)

So, I have a blog.

Sometimes it's nice to have a place to post random stuff on the Internet. So, embracing modernity in 2014, I now have a blog.