ImHex: An Open Hex Editor For The Modern Hacker

It’s little surprise that most hackers have a favorite text editor, since we tend to spend quite a bit of time staring at the thing. From writing code to reading config files, the hacker’s world is filled with seemingly infinite lines of ASCII. Comparatively, while a hex editor is a critical tool to have in your arsenal, many of us don’t use one often enough to have a clear favorite.

But we think that might change once you’ve taken ImHex for a spin. Developer [WerWolv] bills it specifically as the hex editor of choice for reverse engineering, it’s released under the GPL v2, and runs on Windows, Linux, and macOS. Oh, and did we mention it defaults to a slick dark theme designed to be easy on the eyes during those late night hacking sessions — just like your favorite website?

Chataigne: An Open-Source Swiss Army Knife

[Ben Kuper] is a developer with a history of working on art installations, and had hit upon a common problem often cited by artists. When creating installations involving light, sound, and motion, they often spend too much time on the nuts and bolts of electronics, programming, and so on. Such matters are a huge time sink with a steep learning curve and oftentimes just a plain distraction from the actual artistic intent they’re trying to focus upon. [Ben] has been working for a few years on a software tool, Chataigne, which is designed as the glue between various software tools and hardware interfaces, enabling complex control of the application using simple building blocks.

Turn A Webpage Into A Desktop App With Gluon

Electron is software for running web-written apps in the same way as native ones, and has gotten plenty of bad press for its RAM appetite around these parts. But while the execution might leave something to be desired, the concept itself is quite solid — if you’ve already got code written for the web, a quick and easy way to bring it over to the desktop would be very valuable.

Which is why [CanadaHonk] is building a framework called Gluon, which aims to turn your web pages into desktop apps with little to no effort. We’ve seen their work a few months ago with the OpenASAR project, hacking the Discord desktop app to speed it up. Drawing from that experience, Gluon is built to be lean – with apps having low RAM and storage footprints, lightning-speed build times, and a no-nonsense API.

One of the coolest parts is that it’s able to use your system-installed browser, and not a bundled-in one like Electron. Firefox support is firmly on the roadmap, too, and is currently in an experimental stage. Linux support is being worked on as well — the framework is Windows-born, but that’s to change. There’s also room to innovate; [CanadaHonk] recently added a hibernation feature with aggressive RAM and CPU footprint reduction when the app is minimized, something that other frameworks like this aren’t known for.

If you want to write user-facing software, JavaScript’s a decent language, and quite a few of you are going to be familiar with it. You aren’t limited to the software side of the tech world, either — tools like WebUSB and WebSerial will let you write a user interface for a board that you’ve just developed. For instance, here’s a WebSerial-based oscilloscope, a nifty serial terminal, or a hacker conference badge programming toolkit. For all that browsers have gotten wrong, they certainly don’t seem to become less abundant, and if that means you can quickly develop cross-platform hardware-facing apps, it’s certainly a useful addition to one’s toolkit.

Blinky Project Is 6502s All The Way Down

Virtually any platform you might find yourself programming on has some simple method of running a delay. [Joey Shepard] got rather creative on a recent project, though, relying on a rather silly nesting method that we’re calling 6502s All The Way Down.

The project in question was a simple PCB that was shaped like a robot, with blinking LED eyes. Typically, you’d simply reach for the usual sleep() or delay() function to control the blink rate, but [Joey] went off-piste for this one. Instead, the PIC32 on the board runs a 6502 emulator written in MIPS assembly. This emulated 6502 is then charged with running a further 6502 emulator coded in 6502 assembly, and so on, until there’s 6502 emulators running six-deep on the humble microcontroller. The innermost emulator runs a simple program that blinks the LED eyes in a simple loop. With the overhead of running six emulators, though, the eyes only blink at a rate of roughly once every two seconds.

It’s an amusing and complicated way to write a blink program, and we applaud [Joey] for going to all that trouble. We imagine it was a great way to learn about programming the PIC32 as well as emulation in general. Meanwhile, if you’re working on your own emulator feats, be sure to let us know!

GitHub ESP32 OTA Updates, Now In MicroPython Flavor

Wouldn’t it be great if you could keep all of your small Internet-connected hacks up to date with a single codebase? A couple of weeks ago, we wrote up a project that automagically pulls down OTA updates to an ESP32 from GitHub, using the ESP32 C SDK. [Pascal] asked in the comments, “but what about MicroPython?” Gauntlet thrown, [TURFPTAx] wrote ugit.py, a simple library that mirrors all of the code from a public GitHub Python repo straight to your gizmo running MicroPython.

[Damped] wrote in about Senko, another library that does something very similar, but by then [TURFPTAx] was already done. Bam! Part of the speed is that MicroPython includes everything you need to get the job done – parsing streamed JSON was the hard part with the original hack. MicroPython makes those sorts of things easy.

This is one of those ideas that’s just brilliant for a hacker with a small flock of independent devices to herd. And because ugit.py itself is fairly simple and readable, if you need to customize it to do your own bidding, that’s no problem either. Just be sure that when you’re storing your WiFi authentication info, it’s not publicly displayed. ([TURFPTAx], could I log into your home WiFi?)

What’s [TURFPTAx] going to be using this for? We’re guessing it’s going to be deploying code to his awesome Open Muscle sensing rigs. What will we be using it for? Blinky Christmas decorations for the in-laws, now remotely updatable without them having to even learn what a “repo” is.

This Week In Security: Scamming The FBI, In The Wild, And AI Security

If you’re part of a government alphabet agency, particularly running a program to share information to fight cybercrime, make sure to properly verify the identity of new members before admission. Oh, and make sure the API is rate-limited so a malicious member can’t scrape the entire user database and sell it on a dark web forum.

Putting snark aside, this is exactly what has happened to the FBI’s InfraGard program. A clever user applied to the program using a CEO’s name and phone number, and a convincing-looking email address. The program administrators didn’t do much due diligence, and approved the application. Awkward.

BSD Ping

First off, the good folks at FreeBSD have published some errata about the ping problem we talked about last week. Note that while ping does elevate to root privileges via setuid, those privileges are dropped before any data handling occurs. In addition, ping on FreeBSD runs inside a Capsicum sandbox, a huge obstacle to system compromise from within ping. And finally, further examination of the bug in a real-world context casts doubt, because of stack layouts, on the idea that Remote Code Execution (RCE) is actually possible.

If someone messes up somewhere, go look if you messed up in the same or similar way somewhere else.

Sage advice from [Florian Obser], OpenBSD developer. So seeing the ping problem in FreeBSD, he set about checking the OpenBSD ping implementation for identical or similar problems. The vulnerable code isn’t shared between the versions, so he reached for afl++, a fuzzing tool with an impressive list of finds. Connect afl++ to the function in ping that handles incoming data, and see what shakes out. The conclusion? No crashes found in this particular effort, but several hangs were identified and fixed. And that is a win.

VHS-Decode Project Could Help Archival Efforts

Archiving data from old storage media can be a highly complex process. It can be as simple as putting a disk in an old drive and reading out the contents. These days, though, the state of the art is more complex, with advanced techniques helping to recover the most data possible. The VHS-Decode project is an effort to improve the archiving of old analog video tapes.

The project is a fork of the LaserDisc-focused ld-decode, started by [Chad Page] back in 2013, which readers may recall was used for the Domesday Duplicator — a device aimed to recover data from the BBC’s ancient Domesday LaserDiscs. VHS-Decode is designed to capture the raw RF signals straight out of a tape head, which are the most direct representation of the signals on the physical media. From there, these signals can be processed in various ways to best recover the original audio and video tracks. It’s much the same technique as is used by floppy disk recovery tools like the FluxEngine.

Despite the VHS name, the code currently works with several tape formats. VHS, S-VHS and U-Matic are supported in PAL and NTSC formats, while Betamax, Video8 and Hi8 tape capture remains a work in progress. Using the code requires a video tape player with test points or traces that make signals from the head accessible. Capturing those signals is achieved via a Domesday Duplicator hardware device, or alternatively a Conexant CX2388x analog-to-digital converter, often found in many old PCI TV tuner cards. Various techniques can then be used to turn the captured signals into watchable video files.

We love a good archival project, and VHS-Decode is clearly a useful tool when it comes to salvaging old video tapes.