[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Phrack Prophile on Tiago ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ] [ 71 ]
Current issue : #63 | Release date : 2005-01-08 | Editor : Phrack Staff
IntroductionPhrack Staff
LoopbackPhrack Staff
LinenoisePhrack Staff
Phrack Prophile on TiagoPhrack Staff
OSX heap exploitation techniquesNemo
Hacking Windows CE (pocketpcs & others)San
Games with kernel Memory...FreeBSD Stylejkong
Raising The Bar For Windows Rootkit Detectionsherri sparks & jamie butler
Embedded ELF DebuggingELFsh crew
Hacking Grub for Fun & Profitcoolq
Advanced antiforensics : SELFripe & pluf
Process Dump and Binary Reconstructionilo
Next-Gen. Runtime Binary Encryptionzvrba
Shifting the Stack Pointerandrewg
NT Shellcode Prevention Demystifiedpiotr
PowerPC Cracking on OSX with GDBcurious
Hacking with Embedded Systemscawan
Process Hiding & The Linux Schedulerubra
Breaking Through a Firewallkotkrye
Phrack World NewsPhrack Staff
Title : Phrack Prophile on Tiago
Author : Phrack Staff
phrack.org:~# cat .bash_history

                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x04 of 0x14

 |=---------------=[ P R O P H I L E   O N   T I A G O ]=-----------------=|
 |=-----------------------------------------------------------------------=|
 |=------------------------=[ Phrack Staff ]=-----------------------------=|
                                                                                
 |=---=[ Specification
                                                                                
                   Handle: tiago
                      AKA: module
            Handle origin: Lemme call my mom and ask, just a second...
                           ok; "it was between pedro henrique and tiago,
			   but after looking for reasons that would define
			   we decided to throw a coin: head".
                catch him: By producing whatsoever sign/event pair that
		           would take my attention and get you the expected
			   feedback.
         Age of your body: 24
              Produced in: Southeastern Coconutland
          Height & Weight: 178cm, 70kg
                     Urlz: .
                Computers: SGI Indy (R4600PC at 100MHz, 128MB RAM, 2GB
		           hdd), Sun Ultra-10 (UltraSparc IIi at 440MHz,
			   1GB RAM, 9GB hdd), Toshiba Portege 4005
			   laptop (Intel P3 at 800MHz, 512MB RAM, 20GB
			   hdd).
                Member of: Teletubbies
                 Projects: Many fields in computer theory. Software
		           Engineering subjects such as: Abstract
			   Interpretation, Program Transformation, Reverse
			   Engineering, etc. Applied cryptography at work.
			   Enjoy hardware design, operating system
			   design/implementation hacks, software
			   design/implementation security related
			   exploitation. Anything that actually takes
			   my attention for whatever reason.

 |=---=[ Favorite things
                                                                                
                                                                                
           Women: je veux un petite pipe, s'il vous plait 
            Cars: I don't know how to drive                           
           Foods: taco-taco brrrito-brritooo                                   
         Alcohol: combined with Benflogin                        
           Music: Symantec iz in tha houuuuuuuuuse!!!!! c'mon
	          c'mooooooon sing sing! see tha solution! Symanteeeec,
		  revoooolutiooooon... we give yooooooouuu... sweet
		  soluttiooooonnss \o\ /o\ \o\ /o/ We! got your personal
		  firewalllz! ... dunt dunt..
		  -> http://www.phrack.org/symantec_fancyness.mp3,
		     por favor.
          Movies: GOBBLES.avi
 Books & Authors: HUHU, books are fancy q:D -- stuff that have been
                  remarkable on my near past. still reading some:                
		  . Whom the Gods Love: The Story of Evariste Galois,
		    infeld, (spanish, by Siglo Veintiuno Editores);
		  . Computer Architecture: A Quantitative Approach,
                    hennessy & patterson (english, by MK);
		  . Comprehensive Textbook of Psychiatry, kaplan &
		    sadock (english, LWW);
		  . The Art of Computer Programming, vol. 1-3, knuth
		    (3rd Ed., Addison Wesley) -- <3 dutchy;
		  . Systems and Theories in Psychology, marx & hillix
		    (portuguese, by Alvaro Cabral);
		  . Cognitive Psychology and its Implications, anderson
		    (portuguese, by LTC);
		  . Axiomatic Set Theory, bernays (english, by Dover,
		    2nd Ed., 1968-1991);
		  . La Fine della Modernit, vattimo (portuguese, by
		    Martins Fontes);
		  . Grundlegung zur Metaphysik der Sitten, kant (english,
		    by H.J. Paton);
		  . Einfhrung in die Metaphysik, heidegger (english, by
		    Gregory Fried and Richard Polt);
		  . Principia Mathematica, russel (english, by Cambrige
		    Mathematical Library, 2nd Ed., 1927-1997);
		  . Uber formal unentscheidbare Satze der Principia
		    Mathematica und verwandter Systeme, I, gdel (english,
		    by B. Meltzer);
		  . Tractatus Logico-Philosoficus, wittgenstein (english,
		    by Routledge & Kegan Paul);
		  . A Philosophical Companion to First-Order Logic,
		    hughes (english, by R.I.G.);
		  . Freedom and Organization 1814-1914, russel (english,
		    by Routledge);
		  . Ethica, spinoza (english, by Hafner);
		  . Gdel's Proof, nagel & newman (english, by NYU);
		  . Zur Genealogie der Moral, nietzsche (english, by
		    Douglas Smith);
		  . Theory of Matrices, perils (englisn, by Dover,
		    1958-1991);
		  . Modern Algebra, warner (english, by Dover,
		    1965-1990);
		  . Security Assessment: Case Studies for Implementing
		    the NSA -- National Symposium of Albatri;
            Urls: www.petiteteenager.com
          I like: HUHU'ing                     
       I dislike: not HUHU'ing                 
                                                                                
 |=---=[ Life in 3 sentences                                                    
                                                                                
 DG = DH - TDS
                                                                                
 |=---=[ Passions | What makes you tick                                        

 Too complex to be described with a set of words: totally undecidable;
 cannot be solved by any algorithm whatsover -- equivalently, english,
 portuguese, .... Cannot be recognized by a Turing Machine, of which
 should halt for any input...

 ... but for coconuts!
                                                                                
 |=---=[ Which research have you done or which one gave you the most fun?       

 Anything that made me stop and, extra-ordinarily, question the extra-ordinary.

 |=---=[ Memorable Experiences                                                  

 Going against my family and staying at the computer through nights.
 Having this to allow me to have fun and feel pain. Looking for the
 utopic job. Going to south Brazil, Mexico, and northeast Brazil to find
 it. Meeting the people I have met through this quest, seeing the
 history I have seen passing in front of my eyes in every place I
 stepped. Being drunk, being sober, falling down and off. Getting
 fucking up and HUHU'ing again. And again.
 
 Feeling, being cold, believing and being agnostic. Fighting. Getting girls
 for the pleasure and falling apart for theirs. Prank-calling, chopp-touring,
 writing, counting. Stopping.
 
 Looking for sharks, surfing, breaking my phusei-self. Going and
 bringging others into this.
 
 Being.

 |=---=[ Quotes                                                                 
 
 . HUHU
 . \o/
 . /o\
 . wish I was dead so I could be happy and safe!
 . \o\
 . q:D
 . :S
 . you better call someone smart!
 . \o\
 . :/
 . I'd rather have 300 beers a month than a formal education
 . /o/
 . <3

 |=---=[ Open Interview - General boring questions                              
 
 Q: What was your first contact with computers?
 A: Since really young I used to go to my grandparents' on the weekends.
 When I was 8 I started having some fun by sniffing around my uncle's
 electronic lab located at the back side of his room (the guy was an
 electronic eng. grad. student at the time). Fetching experiences
 from the subject I can tell I used to go crazy about the place --
 serio. From encyclopedias, through pieces of plastic, ending in
 broken VCR's and widely exposed TV's. In certain saturday of my 11's
 there was little tiago playing around that room: I can clearly
 remember climbing (theo style) the closet, looking for fun objects,
 when I faced this box; I took it, I opened it, I faced a computer.
 Assembled by some brazilian manufactor, there was the CP200 with a
 board based on a Z80A CORE. There was tiago huhu'ing around because
 of that piece of fancyness. It lasted for exact 3 months, till the
 day the tape that was responsable for connecting the keyboard to the
 main board got screwd; ripped -- R.I.P. 3 months were enough for
 playing around with basic BASIC and abstracting that new fancy
 stuff. The time went through and I haven't had the possibility of
 having a computer again. In january 1996 I went to Sao Paulo, kids
 vacations you know. I stood with an uncle whom had this company of
 which had some DOS based machines, maintained by this Clipper
 programmer. I remember perfectly being "taught" how to turn on the
 computer an press the keys. Very few time after this moment I was
 being introduced to this very fancy toy known as PCTools -- anyone?
 Yes, there was 15 year old tiago, who could barely turn on that
 thing, giving his first steps on reverse engineering. 15 days, that
 was the exact time of my exposition to the environment. Again, no
 more computers. August 1999, dad arrives home with a Packard Bell
 station. It was a Pentium MMX at 166MHz, with the amount of 16MB of
 RAM, and a 3.1GB IBM hard disk. Not just that, it had multimedia
 fancyness and the great thing known as modem. It carried, and was
 being carried by, a Windows 98 operating system. Wow! tiago had his
 first modern computer. Yes. But wait, where is my black screen full
 of unintelligible numbers written on green letters?! Fuck this!
 Frustration... time.. Internet! time.. ICQ! time ... IRC, #hacking.
 "yo, click start menu, execute. Now type: telnet huhu.fancyworld.net
 1470" -- orgasm --. It happened till the day I questioned what those
 sequence of magical pressed-keys actually meant. And then it
 began... HUUUU! coding! HUHUHUHHUHHUHUHUHUHUHUHUHUHUHUHUHUHUHU
 HUHUHUHUHUHU :D:D:D q:D \o/ \o\ /o/ /o/ /o\ \o/
 But yeah, that crazy image of a bunch of green code in a dark screen
 never went out of my mind, I needed to go lower-level... and so I
 went, and keep on going, to never reach, to never end.
 
    Wait, I would like to make a comment out of the belou, kthx: there
    is no point to writting zero-day if you are not going to use it!
    I'm welcome.

 Q: What was your first contact with computer security and how important
 for you is computer security relative to your interest in computers in
 general?
 A: In the end of the above story. After that I've met some other
 coconuts who have been responsable for my first real adventures in
 security. That was the real kick: reading phrack and going HUHU,
 reading code, not having a damn clue of what it was doing, and being
 days awake till I could get the mininum insight. Getting bored of the
 "usual" things, giving the finger to the "common games" and comming to
 play in whatever I pleased.
 How important? It transformed me into a new form of coconut.
 
 Q: Being relatively seperate from the "scene" in general, what was your
 opinion on the concept of "the scene" and was your distance from this
 concept (that may possibly exist) deliberate or not?
 A: As I see, it is just another society around there.
 As the "getting into it" was happening, I tended to get more and more
 detached from this so called "scene". My being was thrown aside by the
 scene. All I wanted was to sit down and hack. I couldn't digest it and
 it couldn't digest my self. I sat back, I played, I watched you guys.
                                                                                
 Q: Actually isn't the whole current concept of "scene" a big load of
 social correlation and acceptability bullshit?
 A: It is "normal"; expected. Nothing that I don't see when I go to the
 bakery or to a club with friends. People "look", people perceive,
 people infer -- people judge based on their a priori context.
 What in the hell am I doing?
 
 Q: What do you think of Phrack magazine?  Do you think it should be
 "resurrected" or continued to be maintained?  If so, do you think it
 should change themes in any way (since many suggest that phrack is no
 longer a magazine for hackers but some bullshit academic fame making
 fluff for the computer security industry)?  Would you rather see a
 Phrack that exclusively published movie reviews and cooking tips?
 A: It was responsable for many HU's bumping inside my head. I jumped, I
 got pissed, injuried and healthy. It gave me inputs, it drove me to
 many outputs, where all the results in between these events were
 responsable for keeping this coconut going on. Going on is the point,
 why to stop it? I was getting bored of the articles, yes. But I believe
 this is more for my personal changes than actually the magazine's.
 However, I see some big tendency of articles (as a reflection of the
 scene) converging always to the same place and getting stuck there, in
 a boring iteration that never ends. I've played with Linux's execution
 environment and the technical specs linked to it, but then I went to
 something else -- this being the same game, now with PalmOS or simply
 going play with Optimization, Obfuscation, or to hack the IrDA's driver
 of my laptop. How can people write articles on what you call "shellcodes"
 for every single computer architecture, operating system, supported
 ABI's, supported ISA's, or whatever? Isn't that just a matter of
 getting manuals? Why to dissert about the ELF format file and the
 dynamic linking system of some specific plataform without any
 "improvement" (take this as a big boom, I don't think it's worth to
 define the term here) in a "hacking technique"? I think that is what
 sucks in phrack nowadays. About the academic style, I have problems
 with formalism myself. Something what I really appreciate in phrack,
 for instance, is this mid-level formalism when compared to the academy.
 I believe it is very interesting the fact that you can submit a
 compilation of techniques with some basic scraps about it, in a
 non-defined format or dissertative way. If people behind it think the
 content is good, it will make it. Though, I also think that the minimum
 formalism is necessary, otherwise it gives excessive room for nonsense
 to be exposed, and I don't think it is cool for people to read
 "Assembly HOW-TO's" that "teach" you the usage of some "instructions",
 for some specific plataform, in some very restricted context and make
 the reader to believe they understand about that universe.
 About fame: unfair but expected -- feel like vomiting whenever I think
 of myths, however if I re-gurgitate myths will deliberately be pulled
 out, as gastric ulcer, of my very self.
 I would love to see a review of the /home/PORNO/ collection, indeed.
 And I really expect to be having some dope french food till the end of
 the year, yes.
 
 Q: What do you have to say about that whitehat/blackhat opposition that
 gained more attention in the last years and what do you reply to those
 people calling you a whitehat because one of your project was about
 porting PaX?
 A: How would I get called if I was running in circles and blubbering
 whilst wearing an orange suit? Teletubbie?

 Q: How would you qualify the hacking underground in 2005? Many people
 think there is no more underground because of all the commercial
 bullshit around security. Any comments?
 A: I believe thinking about this is an act of oblivion. You might be
 able to determine several characteristics and classify the pros and
 cons of the process. Though, as the process' development gets strongger
 its transformation power increases as well, thus the number of
 "ideal-branches" within this social group tend to increase and react
 between themselves. How are Montmartre and Montparnasse nowadays?

 Q: Who are your heroes of computer security, and why?
 A: I have many, serio -- and I'm a lucky bastard for being able to
 meet/know many of them. But what difference would it really make if I
 told you? The heroes are mine, the fucking myths are mine.

   Can I make a question myself? kthx.

   Q: Coxinha+guarana or Exchange 0-day?
   A:

 Q: How do you define the term "hacker"?
 A: I believe symbolic references determine a "fact". A linguistic
 representation of someone's type of reality, at certain time. As the
 Being of that being changes, so does its perception about that fact.
 When beings as such, or even as Nothing, interact, entropy increases
 and the fact tends to get more deformed. The technicism helps the
 process, as information media get more powerful and globally spread.
 Consumate Nihilism. I believe.

 Q: Come on, 'fess up. You're brazillian after all, so name all the
 sites you've defaced.
 A: HAPPY BIRTHDAAAAAAAY!!!!!!!!!!!!!!!1

 Q: If you were having sex with route, would you be the top or bottom?
 A: I would try both. I would try others. Though I would really just be
 interested in the muscles, tattoos and guns :D
 
 Q.1: We hear you're the guy who schooled [email protected] on PaX.
 Is this true? Explain.
 Q.2: What was your motivation in porting PaX to MIPS, what were the
 biggest problems you encountered and how did you resolve them?
 A: Schooled? I don't think so :>. There is this story about the
 impossibility of PAGEEXEC on MIPS based computers, initiated by the
 great Theoretical de Raadt {[1],[2]}.
 Motivation: I simply thought it would be fun to try to prove it wrong
 and started playing around. In the end, I just found out I was the
 wrong one. For now at least :>

 
 [Warning]
 
 I'd like to advise that I'm DRUNK, at Bulas's, having a great party in
 the name of Tango's bday: happy bday, Tango!!! No aids, bro ;> just
 beerz and cheerz!


 [First approach]
 
 Trying to play with caching system. Failed.


 [From Linux-MIPS mailing list]
 
 "PAX can't be fully supported on MIPS anyway; the architecture doesn't
 have a no-exec flag in it's pages. PAX docs are bullshit btw.
 execution proection doesn't require a split TLB and anyway, the MIPS
 uTLBs are split." -- Ralf
 

 [Response] (despite the fact that Ralf, one of my fancy germans, missed
             the entire point of the PaX project)
	     
 I see that MIPS has split TLB's, which can not be distinguished by
 software level, in another hand. Thus when a page-fault occours I don't
 see how a piece of (non-microcoded) exception handler can get aware
 whether the I-Fetch is being done in original ``code area'' or as an
 attempt to execute injected payload in a memory area supposed to carry
 only readable/writeable data. Plus the fact that JTLB holds references
 to data and code together in the address translation cache. Plus
 situations like kseg0 and kseg1 unmaped translations, which would
 occour outside of any TLB (having virtual address subtracted by
 0x80000000 and 0xA0000000 respectively to get physiscal locations)
 making, as you mentioned, only split uTLB's (not counting kseg2 special
 case). But PaX wants to take care of kernel level security too.
 Even MIPS split cache unities (which can be probed separately by
 software) wouldn't make the approach possible since if you have a piece
 of data previously cached in D-Cache (load/store) the cache line would
 need to suffer an invalidation and the context to be saved in the
 I-Cache before the I-Fetch pipe stage succeeds.

 Indeed, execution protection (in a general way) does not require split
 TLB. Other solutions designed and implemented by PaX are SEGMEXEC
 (using specific segmentation features of x86 basead core's) and
 MPROTECT. The last one uses vm_flags to control every memory mapping's
 state, ensuring that these never hold VM_WRITE | VM_MAYWRITE together
 with VM_EXEC | VM_MAYEXEC. But as the solution becomes more complex it
 also tends to get more issues. First of all, this wouldn't be as simple
 and ``automatic'' as per page control. Another point is that this
 solution wouldn't prevent kernel level attacks so, among others, any
 compromise in this level could lead to direct manipulation of a task's
 mappings flags. At the end a known problem is an attacker who is able
 to write to the filesystem and to request this file to be mapped in
 memory as PROT_EXEC. In other words: yes it is possible to achieve
 execution protection in other ways, but not as precise as page-level.
 
 
 [Second approach]

 "Plus the fact that JTLB holds references to data and code together in
 the address translation cache." went from a problem to a solution, when
 discussing it to PaX team.


 The quote:

 "Multiple Matches: If more than one entry in the TLB matches the
 virtual address being translated, the operation is undefined." -- from
 [3].


 The algorithm:

 - from the Refill exception handler, check fetching type {
     * _EPC = EPC;
     * if CP0(Cause(BD)) [
         . _EPC += 4;
     ]
     * compare ( CP0(_EPC) , CP0(BadVaddr) ) [
         . if TRUE  ( I-Fetch );
	 . else     ( D-Fetch );
     ]

     * I-Fetch [
         . build the valid PTE and load it normally in the J-TLB;
     ]
     * D-Fetch [
         . build a valid PTE and load it in the J-TLB;
	 . force it to be loaded in our lovely entry in the D-TLB (

	     __asm__ __volatile__ ("lw %0,0(%1)"\
	                       : "=r" (user_data)\
			       : "r"  (address));
         )
	 . build an invalid PTE, for the same ASID/VPN, marked by PaX (

	     static inline pte_t pte_mkpax(pte_t pte)
	     {
                  pte_val(pte) &= ~(_PAGE_READ|_PAGE_SILENT_READ|_PAGE_DIRTY);
             }

	 )
	 . load the invalid entry in the J-TLB
     ]
 }
 

 The conjecture:

  If a I-Fetch happens to that (previously marked by PaX) page, the
  circuit's TLB sorting algorithm should take the invalidated entry from
  J-TLB, load it within the I-TLB and generate a second page fault by
  trying to make use of this entry.
 
 - from the Refill exception handler, check fetching type {
     * _EPC = EPC;
     * if CP0(Cause(BD)) [
         . _EPC += 4;
     ]
     * compare ( CP0(_EPC) , CP0(BadVaddr) ) [
         . if TRUE  ( I-Fetch );
	 . else     ( D-Fetch );
     ]

     * I-Fetch [
         . for PaX marked pages (
	     pax_report_fault(...);
	     do_exit(SIGKILL);
	 )
	 . for non PaX pages, build the valid PTE and load it normally
	   in the J-TLB;
     ]
 }
 
 
 [The experiment] 
 
 The computer:
 
  IDT 79RV4600-100, 128MB of RAM.
 
 
 - Executive code {
     * play with CP0(Index);
     * play with CP0(EntryLo)'s flags;
     * play with CP0(Wired);
 }
 - Dump the Translation Lookaside Buffer entries to disk {
     * look for patterns;
 }
 

 The user code:

   #include <stdio.h>
   #include <unistd.h>
   #include <stdlib.h>
   #include <fcntl.h>
   #include <sys/mman.h>
   #include <asm/page.h>



                                        /* jr $31 ; nop */
   const unsigned long	payload[] = { 0x03e00008, 0x00000000 };


   int
   main(int argc, char **argv)
   {
   	unsigned long	page,
			vpn;
	void		*vaddr;
	int		fd;


	/* mmap itself won't load/store the page, which means a virgin
	 * place so we can be the fault's EPC.
	 */
	if (argv[1]) {
		fd = open(argv[1],O_RDWR);
		vaddr =  mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,\
				MAP_PRIVATE, fd, 0);
	} else {
		/* malloc's internals stores then loads somewhere in
		 * the page range, it will generate our fault.
		 */

		/* This is ridiculous, but MIPS glibc's
		 * does brk(PAGE_SIZE * 33) even if you
		 * just want to malloc(few bytes), normally you get:
		 * -> brk (0x10001000 + (PAGE_SIZE * 33))
		 * 
		 * If malloc requested size > 33 pages then it old_mmap
		 * PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS
		 *
		 * Even funnier cause as far as I can tell glibc
		 * assumes size >= 32 (instead of 33) to then
		 * get_unmapped_area....
		 *
		 * Thinking about the whole MIPS architecute i can't
		 * think of anything that could justify this crap.
		 */
		vaddr = malloc (33 * PAGE_SIZE);
		memcpy(vaddr, (void *) payload, 8);
	}

	page = ((unsigned long) vaddr & (PAGE_MASK));
	vpn  = ((unsigned long) vaddr & (PAGE_MASK << 1));


	printf("Payload   @    %08lx\n", (unsigned long) vaddr);
	printf("CP0_BADVADDR : %08lx [VPN = %08lx]\n\n", (page+8), vpn);

	/* I-Fetch vaddr */
	asm(
		"or	$8,$2,$3\n"
		"jalr	$8\n"
	: : "r" (page), "r" (((unsigned long) vaddr & ~(PAGE_MASK)))
	);

	return	page;
   }


 [The results]

 Patterns:
 
 No pattern. Sorting algorithm seems undecidable from the software
 interface.
 
 
 - Output example {

     surreal kernel: ######################################################
     surreal kernel: [do_page_fault] : Program      : Hello [3218]
     surreal kernel: [do_page_fault] : CP0_BADVADDR : 2aac3004
     surreal kernel: [do_page_fault] : EPC          : 2ab90928
     surreal kernel:   ---> TLBS Exception   (1000ffdb)
     surreal kernel:
     surreal kernel: ------------------------[BEFORE]---------------------
     surreal kernel: [__update_tlb] :  Program      : Hello [3218]
     surreal kernel: [__update_tlb] :  CP0_BADVADDR : 2aac3004
     surreal kernel: [__update_tlb] :  ASID         : 00000062
     surreal kernel: [__update_tlb] :  EntryHi      : 2aac2062
     surreal kernel: [__update_tlb] :  EntryLo0     : 32565e
     surreal kernel: [__update_tlb] :  EntryLo1     : 0
     surreal kernel: [__update_tlb] :  Index        : 45
     surreal kernel:
     surreal kernel:           ---- TLB Entries ----
      .............................................................
     surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62
     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=1 g=0]
     surreal kernel:    EntryLo1 : [pa=00000000 c=0 d=0 v=0 g=0]
     surreal kernel:
     surreal kernel: ------------------------[AFTER]----------------------
     surreal kernel: [__update_tlb] :  Program      : Hello [3218]
     surreal kernel: [__update_tlb] :  CP0_BADVADDR : 2aac3004 [00000000]
     surreal kernel: [__update_tlb] :  ASID         : 00000062
     surreal kernel: [__update_tlb] :  EntryHi      : 2aac2062
     surreal kernel: [__update_tlb] :  EntryLo0     : 32565c
     surreal kernel: [__update_tlb] :  EntryLo1     : 3297dc
     surreal kernel: [__update_tlb] :  Index        : 47
     surreal kernel:
     surreal kernel:           ---- TLB Entries ----
      .............................................................
     surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62
     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=1 g=0]
     surreal kernel:    EntryLo1 : [pa=0ca5f000 c=3 d=1 v=1 g=0]
     surreal kernel:
     surreal kernel: Index: 47 pgmask=4kb va=2aac2000 asid=62
     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=0 g=0]
     surreal kernel:    EntryLo1 : [pa=0ca5f000 c=3 d=1 v=0 g=0]
 }
 - Working example {

     tiago@surreal(~)$ ./Hello
	 Payload   @    2aac3008
	 CP0_BADVADDR : 2aac3008 [VPN = 2aac2000]

	 Killed
     tiago@surreal(~)$ uname -a
	 Linux surreal 2.6.9-rc2 #125 Thu Oct 28 05:38:27 BRT 2004 mips unknown
	 tiago@surreal(~)$

      .............................................................

     surreal kernel: ################## EXECUTION ATTEMPT #################
     surreal kernel: [do_page_fault] : Program       : Hello [3218]
     surreal kernel: [do_page_fault] : CP0_BADVADDR  : 2aac3008
     surreal kernel: [do_page_fault] : EPC           : 2aac3008
 }
 - Possible reasons {
     * timing;
     * stupidity;
     * ...;
 }
 

 So? Looking at some opencores.org's projects and checking their MMU
 circuit implementations that might get me some ideas.
 Ah! Yes, BTW, if you have the HDL project of the Stanford MIPS, or any
 of its children, please hook me up -- warez. kthx.




 [1] http://www.securityfocus.com/archive/1/333303/2003-08-09/2003-08-15/2
 [2] http://cvs.openbsd.org/papers/auug04/mgp00009.html
 [3] MIPS R4000 Microprocessor's User Manual, 2nd Ed. (p.62).
 
 
 |=---=[ Open Interview - The real cool questions

 Q: Is the true you still entertain relation with the KIQ team? what kind
 of missions did you realised for them?
 A: I hate soccer.

 Q: How close is your personal relation with the scene whore halfdead?
 tell us about .ro/.br gangbangs...
 A: The hawk that is big?

 Q: We heard mayhem is moving to your country escaping french fascist
 laws, have you never tried ELFsh?
 A: Hrmmm, in fact it's just a genius play from big local beuh dealers.
 Guinness?

 Q: You said 4times by the past after posting bullshit in dailydave,
 you'll never do it again, but you are still posting. How do you live
 that addiction? Any idea why noone reading that mailing list can't
 understand a word of your philosofical ideas?
 A: 4? I've said it 82 times.
 I simply don't think of the subject, it's like having aids and being
 concerned about it.
 Are you nuts? I know for sure I'm the only retarded capable to
 understand my symbolism ;P

 Q: Coxinhaaaaa?
 A: Bico

 Q: About philosophy, why you ended in ITS world? There are rumors about
 you talking to your computers about your philosophy and asking them to
 comment before you post in dailydave?
 A: See 'Life'. False! That's why they suck so much.

 Q: Absynthe?
 A: Sharks!

 Q: Did you try to put some sense to your philosofical ideas _without_
 any absynthe effect?
 A: Bohmes, Dan Frank. <3

 Q: Does the number of 'hu' has a signification for you?
 A: Huhuhuhuhuhu hu huhuhu

 Q: Is there any kind of relation between 'hu' and 'uh'?
 A: Uh? Hu!
 
 Q: Absynthe?
 A: Spain

 Q: Rumor has it that pax team strong-armed you into being his MIPS
 bitch, any comments?
 A: :< Not fair. I almost cried because of petite pip.

 Q: How did your transition from inline skating to inline assembly come
 about?
 A: Sliding...

 Q: Which would you say has bigger scenewhores, the hacking scene or the
 X-games scene?
 A: 540 into True-spin kind grind, fake 360 out.

 Q: What does 'hu' actually mean?
 A: Mean? :/

 Q: What are your opinions on finger(1) ?
 A: HUHUHUHUHU q:D

 Q: Free [RaFa] ?
 A: Sit on your feet

 Q: Do you have anything to say to all the people scuttling around
 trying to figure out who the fuck you are right now?
 A: If they're really worried about that they should stop scuttling and
 start blubbering instead.

 Q: We would like to congratulate you on a succesful Phrack Prophile
 defacement, and actually managing to get it distributed. How _did_ you
 pull it off?
 A: I didn't :D

 Q: Can you answer a question with a paragraph less than 20 lines long?
 A: No.

 Q: Is your love of MIPS related at all to the 'Coyote & Road Runner'
 cartoon?
 A: "See MIPS Run"?

 Q: I heard you're the funder of huhushmail ? Can you give us some light
 about why Security through Obscurity actually works?
 A: One of them, yes. I have to agree, though if I give you any
 enlightenment I would be breaking the conecpt.

 Q: Can you guess what will be your next answer?
 A: No, but I know the question.

 Q: Any idea why Phrack shouldn't be renamed Phcrack?
 A: Because of current price of the blue mosquitos from Tanzania.

 Q: CRUZEIROOOOOOO
 A: Chupame la pija, boludo maricon!

 Q: Which is the better backdoor?  PaX or grsecurity?
 A: To be honest, I prefer the iGOBLIN backdooring technique.

 Q: What percentage of this interview is inside humor, that the reading
 audience will never understand?
 A: 95.46008097%. I might get the graphical analysis soon, from the
 widely known LRL -- Lance Research Laboratory. ;)

 Q: How does it feel to be famous now?  How will this Prophile change
 your life for the better?  For the worse?  Where can job recruiters
 contact you?
 A: I already got 83 phone calls, 68 fax messages, and 3 e-mails.
 Invitations from all the fancy elite hacker groups. I might as well
 apply to the NSA -- National Symposium of Albatri. I expect to be
 capable of decreasing brazilian poverty and DDoS attacks with this, by
 increasing the number of defacers that will bow down towards my
 fancyness. I am also looking forward to becoming friends with all the
 elite hackers and to be recognized as such. I will be beautiful,
 famous, loved -- a super hero!
 I'm welcome.

 Q: DURA?
 A: Hooray for Danny! *\o/*

 Q: What are your thoughts on Richard Johnson of iDEFENSE?
 A: Secure: never being a petit theft, he wears condoms!

 Q: Do you have any idea why Richard Johnson of iDEFENSE has not killed
 himself yet?
 A: Lack of fancyness.

 Q: Who is your favorite "hot shot hacker from Texas"?
 A: The KoolKrazyKlantastic -- fluffi leona \o/
 
 =---=[ One word comments                                                       
                                                                                
 [give a 1-word comment to each of the words on the left]                       
                                                                                
 WORD?                              : WORD!
                                                                                
                                                                                
 |=---=[ Any suggestions/comments/flames to the scene and/or specific people?   
 
 This bunch of bullshit spat above meant something when done. Fuck its
 political meanings and implications, even though I cannot avoid them.
 Carry on.
 
 |=---=[ Shoutouts & Greetings                                                  
 
 I don't believe in merit. To do is as arbitrary as to not do.

 However, I want to HUG some people;
 my family, my stag, my limey brother, my tukey, my albatross, my
 creyss, my frogs, my dutchies, my hungarian, the only guy who's hotter
 than the old apartment, my dot-pa-marine, my waismo, my joto, faggy,
 my fancy blackhat white american, my kurdish, my corcho, my sweedish,
 my boss, my tempest individuals, my metrosexual linguistic analystic
 K-master giant, my iGOBLIN defender grin, my tibu, and AAALLLL my fancy
 collection of fancy individuals!

 |=[ EOF ]=---------------------------------------------------------------=|    
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2024, Phrack Magazine.