Recent Updates

  • matvp 8:57 pm on January 8, 2013

    EcoCar, efficient parking project 

    EcoCar is a somewhat social application where people can rent their parking lots for a fair price. Those who have a hard time finding a parking spot in a city, at an event, basically everywhere, can then rent available parking lots from others.

    This application took a fair amount of time; luckily I was not alone. My classmate, Tom, wrote a decent backend system. We matched up for this project and, as it is right now, in a solid state, I offer you several pictures. As always, feedback is more than appreciated.

    Oh, yes, did I mention it’s written in WinRT / C#? Completely designed for Windows 8!

     
    • Geert Van Parijs 11:20 pm on January 19, 2013

      Well done buddy!

  • matvp 9:59 pm on December 30, 2012

    MVC 4 WebApi Client Repository 

    Alright, when finishing my MVC 4.0 Web Api I got so used to portable code along the way that I didn’t want to bother providing the code needed to communicate with it on a per-project basis. I’m pretty sure classes like this one are out there already, but I’d rather have a lightweight and neat, tiny class providing everything needed to communicate with my Web Api.

    What does it do?

    • Runs hand-in-hand with the auto generated controllers, no adjustments need to be made.
    • Serialization is done right away.
    • No need to specify the correct paths, as they match with your classname (if named correctly in the backend controller).

    This code suits WinRT, Windows 8 App development. A small sneak peek; as always, the complete class is at my paste repository. The link is posted below.

    http://matvp.info/paste/view.php?id=277

    See you next time.
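    The convention the post describes (one generic client whose route follows the entity class name, with serialization built in), written out as an added example. This is not the class from the paste link; it assumes the scaffolded controller for type T answers at "api/<class name of T>" and uses System.Net.Http.HttpClient with DataContractJsonSerializer, both available to Windows Store apps.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.Serialization.Json;
using System.Threading.Tasks;

// Lightweight client repository for a scaffolded ASP.NET Web API controller.
// Assumed convention: the controller for entity type T is reachable at "api/<T's class name>",
// so no per-type route strings are needed.
public class WebApiRepository<T> where T : class
{
    private readonly HttpClient _client;
    private readonly string _route;
    private readonly DataContractJsonSerializer _json = new DataContractJsonSerializer( typeof( T ) );

    public WebApiRepository( Uri baseAddress )
    {
        if ( baseAddress.Scheme != "https" )
            throw new ArgumentException( "Use an https base address so entities are not sent in clear text." );
        _client = new HttpClient { BaseAddress = baseAddress };
        _route = "api/" + typeof( T ).Name;
    }

    // GET api/<T>/{id}
    public async Task<T> GetAsync( int id )
    {
        HttpResponseMessage response = await _client.GetAsync( _route + "/" + id );
        response.EnsureSuccessStatusCode();   // 404/500 surface as exceptions instead of a null entity
        return await ReadEntityAsync( response );
    }

    // POST api/<T> with the JSON-serialized entity; returns the entity as the server stored it
    public async Task<T> PostAsync( T entity )
    {
        using ( var buffer = new MemoryStream() )
        {
            _json.WriteObject( buffer, entity );
            buffer.Position = 0;
            var content = new StreamContent( buffer );
            content.Headers.ContentType = new MediaTypeHeaderValue( "application/json" );
            HttpResponseMessage response = await _client.PostAsync( _route, content );
            response.EnsureSuccessStatusCode();
            return await ReadEntityAsync( response );
        }
    }

    private async Task<T> ReadEntityAsync( HttpResponseMessage response )
    {
        using ( Stream body = await response.Content.ReadAsStreamAsync() )
            return ( T ) _json.ReadObject( body );
    }
}
```

    Entity types need public read/write properties (or [DataContract] attributes) for the serializer to pick them up.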

     
  • matvp 11:50 am on November 3, 2012

    Swapping engine pointers in Warsow 

    Before I start, I’d like to note that this is for educational purposes only; by no means do I want to hurt the Warsow game or its creators. It’s the first time I blog about a game hacking related topic, mainly because it is an interesting topic to talk about. I would like to illustrate two things: first, how to analyze an SDK to speed up your reverse engineering tasks, and second, how to apply a different approach to avoid anticheat detections.

    Analyze the SDK
    A function named GetCGameAPI is used to pass pointers to a side-by-side module such as cgame_x86.dll. Its first argument is a pointer to the imports. So, basically, a hook on GetCGameAPI would provide us with two very important structures of the game (imports & exports). By storing the pointer given by the first, and only, argument we would have cgame_import_t. By storing the return value (in eax, or by making a defined call) permanently, we would also have access to the cgame_export_t instance. However, this would trigger an integrity check failure, because applying a detour changes the first 5 bytes of the function (a 1-byte jmp opcode plus a 4-byte address).

    A different approach
    API functions are static: a fixed address must always point to that API, period. This brought me to the idea of swapping pointers in the Import Address Table (IAT). GetProcAddress is called to retrieve the address of GetCGameAPI from the cgame_x86.dll module. This allows us to do two things: first, swap the pointer in the IAT so that our function is called first, which then proceeds by executing the original function. Second, when the address of GetCGameAPI is requested, we can easily return our own pointer and store the original for further execution. At this point, we have full access to GetCGameAPI, cgame_export_t and cgame_import_t.

    #include <windows.h>
    #include <string.h>
    
    // SDK types and the replacement API function; defined in the full source at the paste link below
    struct cgame_import_t;
    struct cgame_export_t;
    typedef cgame_export_t* ( __cdecl* GetCGameAPI_t )( cgame_import_t* );
    GetCGameAPI_t o_cgameapi; // original GetCGameAPI, kept so Redirect_Api can call it
    cgame_export_t* __cdecl Redirect_Api( cgame_import_t* imports );
    
    // Original GetProcAddress, saved when its IAT entry is swapped for h_GetProcAddress
    FARPROC ( __stdcall* o_GetProcAddress )( HMODULE, LPCSTR );
    FARPROC __stdcall h_GetProcAddress( HMODULE mod, LPCSTR proc ) {
    	char modIdent[MAX_PATH];
    	if ( GetModuleFileNameA( mod, modIdent, sizeof( modIdent ) ) ) { // ANSI variant: modIdent is a char buffer
    		if ( HIWORD( proc ) ) { // proc is a name, not an ordinal
    			if ( !strcmp( proc, "GetProcAddress" ) )
    				return ( ( FARPROC ) h_GetProcAddress );
    
    			if ( strstr( modIdent, "cgame_x86.dll" ) && !strcmp( proc, "GetCGameAPI" ) ) {
    				o_cgameapi = ( GetCGameAPI_t ) o_GetProcAddress( mod, proc );
    				return ( FARPROC ) Redirect_Api;
    			}
    		}
    	}
    
    	return o_GetProcAddress( mod, proc );
    }

    The full source code is posted at my paste service: http://matvp.info/paste/view.php?id=255

     
  • matvp 12:31 pm on October 19, 2012

    Use Kinect as mouse pointer 

    I bet this is a concept everyone thinks of when they connect their Kinect to a computer: basically controlling the mouse cursor with your hand. I’ve been looking on the internet for decent solutions as I would like to see how accurate this could be. Unfortunately, I haven’t found a free alternative and the so-called “decent” tracking software wasn’t that cheap after all. Therefore I have written my own library; it’s in a solid state right now and tracks your hand pretty closely. I tested it on my 50-inch TV, so the sensitivity is probably way too high for a normal PC screen.

    private void InitKinect( ) {
    	if ( !KinectVisual.SearchSensor( ) ) // Kinect is not found
    		return;
    
    	KinectVisual.StartSkeletonTracking( Sensor_SkeletonFrameReady ); // Start tracking the skeleton, with smoothing
    }
    
    internal void Sensor_SkeletonFrameReady( object sender, SkeletonFrameReadyEventArgs e ) {
    	// OpenSkeletonFrame returns null when the frame is no longer available, and frames must be
    	// disposed or the sensor stops delivering new ones
    	using ( SkeletonFrame frame = e.OpenSkeletonFrame( ) ) {
    		if ( frame == null )
    			return;
    
    		Joint rightHand;
    		if ( KinectVisual.GetActiveJointFromFrame( frame, JointType.HandRight, out rightHand ) ) {
    			MouseSimulator.MouseMovement( rightHand.Position.X, rightHand.Position.Y );
    		}
    	}
    }

    KinectVisual class, this is the class that gets the Kinect input (tracking right hand) and converts it to a suitable size for mouse control.
    http://matvp.info/paste/view.php?id=248

    MouseSimulator class, contains all methods to simulate a mouse click, a double click, mouse hold and release.
    http://matvp.info/paste/view.php?id=249
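    The conversion step that KinectVisual performs (hand position to a cursor position, with the sensitivity the post mentions) as an added example; this is not the paste-link code. It assumes Joint.Position.X/Y in metres with the sensor at the origin, and that +X points to the user's right.

```csharp
using System;

// Converts a Kinect right-hand joint position into a cursor position in screen pixels.
// Skeleton space is in metres with the sensor at the origin; a comfortable hand sweep spans
// well under a metre, so a gain (the "sensitivity") is applied before clamping to the screen.
// Exponential smoothing keeps the cursor from jittering with the raw joint data.
public class HandToCursorMapper
{
    private readonly int _width, _height;   // screen size in pixels
    private readonly double _gain;          // gain 2.0 maps a hand range of +-0.25 m to the full screen
    private readonly double _alpha;         // smoothing factor in (0,1]; lower = smoother but laggier
    private double _sx = double.NaN, _sy = double.NaN; // smoothed, normalized cursor position

    public HandToCursorMapper( int width, int height, double gain, double alpha )
    {
        if ( alpha <= 0 || alpha > 1 ) throw new ArgumentOutOfRangeException( "alpha" );
        if ( gain <= 0 ) throw new ArgumentOutOfRangeException( "gain" );
        _width = width; _height = height; _gain = gain; _alpha = alpha;
    }

    // handX/handY are Joint.Position.X / .Y from the SDK (metres).
    public void Map( float handX, float handY, out int px, out int py )
    {
        // Centre the hand on the screen and scale by gain; Y is inverted because screen Y grows downwards.
        // Assumption: +X in skeleton space is towards the user's right; negate handX if the cursor mirrors.
        double nx = Clamp( 0.5 + handX * _gain );
        double ny = Clamp( 0.5 - handY * _gain );

        if ( double.IsNaN( _sx ) ) { _sx = nx; _sy = ny; }   // first frame: nothing to smooth against
        else { _sx += _alpha * ( nx - _sx ); _sy += _alpha * ( ny - _sy ); }

        px = ( int ) Math.Round( _sx * ( _width - 1 ) );
        py = ( int ) Math.Round( _sy * ( _height - 1 ) );
    }

    private static double Clamp( double v ) { return v < 0 ? 0 : ( v > 1 ? 1 : v ); }
}
```

    Lower the gain for a PC monitor; the 50-inch TV setting from the post would need a smaller value at desk distance.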

    Mouse clicks are performed with voice commands, but that’s another topic I’ll probably handle in a short while.

     
  • matvp 9:41 am on October 18, 2012

    I’m a proud owner of a Kinect since last night. I had some experimental tests with the SDK and they turned out pretty well. Stay tuned for code examples, tips and tricks about Microsoft’s Kinect.

     
  • matvp 3:49 pm on October 12, 2012

    Fix VS 2010 crash at XAML loading 

    Old but gold.

    Recently, an annoying bug came up. The problem with this one isn’t necessarily my code but lies in Visual Studio.
    Whenever I open a .xaml file, the IDE crashes right away, without giving any message.

    I read a lot of “fixes” on the internet, yet none really explained what the problem was. And they did not seem to work either.
    I attached a debugger and investigated what the inner problem was. Just a side note: my program compiles perfectly. But when I view the .xaml file in Visual Studio’s designer, it crashes.

    Assume we got the following code behind:

    ThreadPool.QueueUserWorkItem( s => {
    	var data = proxy.GetData( );
    
    	MyControl.Overview.Dispatcher.Invoke( DispatcherPriority.Normal, TimeSpan.FromSeconds( 1 ),
    		new Action( delegate( ) {
    			MyControl.Set( data );
    		} ) );
    } );

    The designer tries to apply real-time changes and runs through the code. It checks the active thread in its pool and sees it is occupied. Still, it is very strange that VS can't handle it and triggers a ProcessKill event. The following data got registered in the event log:

    Application: devenv.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException

    Where the StackTrace exactly shows the problem:

    Stack:
       at System.ServiceModel.Description.ConfigLoader.LoadChannelBehaviors(System.ServiceModel.Description.ServiceEndpoint, System.String)
       at System.ServiceModel.ChannelFactory.ApplyConfiguration(System.String, System.Configuration.Configuration)
       at System.ServiceModel.ChannelFactory.ApplyConfiguration(System.String)
       at System.ServiceModel.ChannelFactory.InitializeEndpoint(System.String, System.ServiceModel.EndpointAddress)
       at System.ServiceModel.ChannelFactory`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]..ctor(System.String, System.ServiceModel.EndpointAddress)
       at System.ServiceModel.EndpointTrait`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].CreateSimplexFactory()
       at System.ServiceModel.ClientBase`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].CreateChannelFactoryRef(System.ServiceModel.EndpointTrait`1)
       at System.ServiceModel.ClientBase`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].InitializeChannelFactoryRef()
       at System.ServiceModel.ClientBase`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]..ctor()
       at MonopolyServiceClient..ctor()
       at Monopoly.Connector.Gateway..ctor()
       at Monopoly.Connector.Gateway.get_Instance()
       at Monopoly.UserControlLibrary.LobbyPlayGame.Refresh_Callback()
       at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
       at System.Threading.ThreadHelper.ThreadStart()
    

    Now the fix: let the Designer decide what code to process.

    public void Initialize( ) {
    	if ( DesignerProperties.GetIsInDesignMode( this ) )
    		return;
    
    	RunThreadPool( );
    }

    Hope this helps. It also illustrates how to debug this kind of problem properly.
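    The fix above, carried through in a complete control as an added example (not the Monopoly project's code): the design-mode guard keeps the worker from constructing the WCF proxy inside devenv.exe, and the worker catches its own failures, since an exception escaping a thread-pool thread is what terminated the process. The Func<string> is a hypothetical stand-in for Gateway.Instance + GetData.

```csharp
using System;
using System.ComponentModel;
using System.Threading;
using System.Windows.Controls;
using System.Windows.Threading;

// A control that refreshes itself from a service on a thread-pool thread,
// but never does so while hosted by the XAML designer.
public class LobbyPlayGame : UserControl
{
    private readonly TextBlock _overview = new TextBlock();
    private readonly Func<string> _fetch; // hypothetical stand-in for the WCF proxy call

    public LobbyPlayGame( Func<string> fetch )
    {
        _fetch = fetch;
        Content = _overview;

        // In design mode this instance lives inside devenv.exe, which has no WCF endpoint configuration:
        // constructing the proxy there throws the InvalidOperationException seen in the event log.
        if ( DesignerProperties.GetIsInDesignMode( this ) )
        {
            _overview.Text = "(design-time placeholder)";
            return;
        }
        Loaded += ( s, e ) => ThreadPool.QueueUserWorkItem( Refresh_Callback );
    }

    private void Refresh_Callback( object state )
    {
        string data;
        try
        {
            data = _fetch(); // may read config and touch the network; never on the UI thread
        }
        catch ( Exception ex )
        {
            // An unhandled exception on a thread-pool thread terminates the whole process,
            // which is exactly what happened to devenv.exe. Report it on the UI thread instead.
            Dispatcher.BeginInvoke( new Action( () => _overview.Text = "Refresh failed: " + ex.Message ) );
            return;
        }
        // Marshal the result back to the UI thread; BeginInvoke does not block the worker.
        Dispatcher.BeginInvoke( DispatcherPriority.Normal, new Action( () => _overview.Text = data ) );
    }
}
```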

     
  • matvp 3:20 pm on October 12, 2012

    Windows App Day 

    Don’t miss the first Windows App Day, where Microsoft brings you national and international speakers to talk about App Development, User Experience and Design. So you can start an app right after!
    Interested? Sign up at Windows App Day.

     
  • matvp 10:41 pm on October 10, 2012

    Avoid anti-virus detection on suspicious API calls 

    This is kind of a funny one. I’m not unfamiliar with hacking, game hacking to be more precise. This has always been a fun thing to do, but now I came across something I find rather annoying. Let me explain: I wrote a small program that allocates a fixed amount of memory at runtime and writes your own code into an existing process. In the end I load my module into the address space of the target process, which causes a call to DllMain with the reason argument set to DLL_PROCESS_ATTACH. I use this to run third-party code in an existing process. You might already guess this is suspicious behavior and would trigger an antivirus program way too fast. I’ve changed several games to my own needs with this technique, but my antivirus doesn’t seem to like the host program at all.

    I could easily whitelist the executable file, but I’m more interested in why and, more importantly, how an antivirus program gets triggered by my host program. Therefore I built an easy test case around a more familiar technique used in writing viruses. I used the “URLDownloadToFileA” API located in the Urlmon.dll library to fake a trojan application. The actual “trojan” code was in a file named “io.exe”, which of course wasn’t a trojan but simply spammed my screen with a few MessageBoxes. With my test case set up, it was time to upload the “host” program (which would eventually load the payload from io.exe) to https://www.virustotal.com/. Lots of virus alerts were triggered and the file was marked as “unsafe”.

    I took several steps in order to lay low on about any antivirus system out there.

    • Load Urlmon.dll into the address space of the calling process and get the pointer to the URLDownloadToFileA API.
    • Allocate a buffer space to replace the first 10 bytes at the URLDownloadToFileA API.
    • Write a jmp opcode and target it correctly.
    • Build an argument list that our target API needs and push them correctly onto the stack.
    • Store our target in eax and call the API manually.

    In our code, almost nothing pointed to the use of URLDownloadToFileA, almost… Two vital strings could be caught fairly easily: “URLDownloadToFileA” and “Urlmon.dll”. By XOR’ing both strings, that problem went away and I didn’t have to worry about it. Another thing that would turn this method upside down is scanning each page for known patterns: a sequence of opcodes matching known opcodes from an antivirus program’s database. But then again, rewriting the code or obfuscating at runtime would partly avoid this detection.

    I chose to run the strings through an XOR function, so the string is no longer visible when debugging / decompiling the file.

    void safe_api_call( ) {
    	// This is an XOR of "URLDownloadToFileA", just to avoid anti-virus programs picking up a suspicious string
    	char api[] = { 0x2D, 0x3D, 0x3E, 0x29, 0x19, 0x7, 0x16, 0x3, 0x1D, 0xC, 0x12, 0x24, 0x17, 0x29, 0x1B, 0x1, 0x13, 0x31, 0x78 };
    	const char key[] = "xormvp";
    	for ( int i = 0; i <= sizeof( api ) - 1; i++ )
    		api[i] ^= key[i % ( sizeof( key ) - 1 )]; // Decrypting the string at runtime
    
    	// Load "Urlmon.dll" into the address space of the calling process
    	HMODULE hMod = LoadLibraryA( "Urlmon.dll" );
    
    	if ( hMod == NULL )
    		return;
    
    	// Allocate a buffer space for the API call
    	unsigned char* ptr = new unsigned char[10];
    	DWORD ret;
    	VirtualProtect( ptr, 10, PAGE_EXECUTE_READWRITE, &ret ); // Change page flags for read/write access
    
    	unsigned char* ptr_url_dltofile = ( unsigned char* ) GetProcAddress( hMod, api ); // Pointer to "URLDownloadToFileA"
    	memcpy( ptr, ptr_url_dltofile, 0x5 );
    	...
    }

    View the full source code here: http://matvp.info/paste/view.php?id=240

    I left some mistakes in there on purpose; the code posted above will probably compile but won't do what it is supposed to do, simply because I dislike copy-and-paste behavior.
    The code is a Proof of Concept (PoC) and posted for educational reasons only. That is another reason I left some important stubs out of this source code (note: "Urlmon.dll" as plain text).

    What next? With the same technique you could mask the shell execution (http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx) and actually run malicious code on a target PC without the antivirus program triggering a detection. Another possibility is to write code and execute it in an existing process, as I illustrated at the beginning of this post.

    Oh well, until next time.

     
  • matvp 10:13 pm on September 5, 2012

    Domo, part 2 

    We’re just a few days further and I’m proud to announce we both made a lot of progress. The first video shows an application running in the browser on an Android phone. It runs as a stand-alone application on my iPhone (iOS), but I wanted it to be accessible from any kind of smartphone. Basically, it builds up a custom payload behind the screen and sends it over to a central server. The server is in contact with the micro-controller, where it gets its data and adapts itself to whatever data flows through. This part is built entirely for data transfers over the HTTP protocol. Therefore it fits perfectly to control your home from anywhere in the world (with live updates of what happens!).

    The next part shows local management; see those buttons as switches on a wall. We soldered them together quickly to get a proof-of-concept up and running. All 8 of them are connected to a 74HC165, an 8-bit parallel-in/serial-out shift register. The serial input is unused, but with it we can chain more registers fairly quickly in order to control as many switches as we want (in theory). Note the white LED in the next video: it fades in/out if you hold the switch, and simply toggles if the button is pressed quickly.

    And of course I’ll end this post with two pictures showing the construction of the switch buttons. If you take a sharp look, you’ll see the IC connected on top.

    Until next time.

     
  • matvp 9:34 am on August 29, 2012

    This is a project I had to work on last semester. In the end I was able to control a colour dome camera with a joystick, processed by a microcontroller (it’s to the left of my laptop in the screenshot).

    As a finishing touch, I made it possible to log in with a smartcard (note the smartcard reader on the right); an interface pops up after successful authentication. Right after, data is read from the joystick to track its movement and apply it to the camera.

    I found some code on my paste service that describes how I’ve handled the smart-card reading, it might come in handy for somebody someday. http://matvp.info/paste/view.php?id=204

     