Endless Christmas X-MAS CTF Writeup

Posted on by
Reply

This is a writeup for the Endless Christmas challenge, md5 hash 866c92038d6e9fc47db4424f71f6167a (download binary). It appeared in the X-MAS CTF, and it’s a Reverse challenge.

Using afl with Radare we can see there are calls to write and execve, both happening in main, a sign that this program creates (and maybe executes?) something else.

Putting a breakpoint just before the execve happens will reveal what file is being loaded (looking into the rax register).

I went down 60 rabbit holes disassembling this binary further, but the best thing we can do at this point is change point of view, step out of Radare, and launch the binary by itself – it certainly doesn’t seem to be doing anything nasty up to this point.

It takes some time before any output is shown, so this may be a sign that some decoding happens. The program creates a good number of other binaries which all look identical, albeit different from the original one (as their size shows), but that are actually different upon closer inspection with their md5 hashes.

Continue reading

On knowing when to stop in software development

Posted on by
Reply

One of the very few things I learnt in art class is what the role of Jackson Pollock was in his art. Because, we were asked, what is the role of the artist, if the only thing he does is let paint drop on a canvas? His role is to decide when the work is complete.

This is something we most often overlook in computer science: there comes a time when a project, or a feature, is complete, and any more improvements, any more work put into it is likely to decrease its value and ruin all the good work. Too often we want progress in our applications, without realizing that it’s actually destroying them. Sometimes it’s just better to move on and work on something else. Even if a solution is 10 years old, it doesn’t mean it has to be updated because progress requires it.

Let me present a couple examples.

The Gutenberg editor in WordPress

WordPress 5 introduced the new Gutenberg editor, a project that has been rated with 2 stars out of 5 with a total of around 2000 reviews at the time of writing. It’s a product that is so buggy and un-usable that it is bewildering that it made it into Core, but whatever (in 10 minutes of usage, I found 7 crucial and unreported bugs just 4 months prior to release – see my review).

gutenberg reviewsLet us pause and ponder why it was introduced. Any apology of Gutenberg will say that is because the classic editor felt old. It looked so much like Office 2003, and it’s 2018, they say! You see, they say, 15 years in computer science is a huge deal!

But, you see, what is the main purpose of an editor? To write. And to that it must be apt. Gutenberg shifted the focus from writing content to designing a page, effectively forcing a progress in the wrong direction. Not much has changed in writing since Office 2003 came around: we still use bold, italic, headings, text alignment and little more. Anything else requires the careful crafting of a designer and writing of some HTML, as it should be. Nothing else is needed, really, when it comes to writing. But, they say, you cannot even create a table with the classic editor! And I say, that’s right, it should be possible! But that doesn’t require trashing a whole editor and building a cumbersome React-y thing just so that we can have tables, does it?

But, they say, this way you don’t need a designer to design your pages anymore. Of course, people must be really stupid if they have been paying web-developers/designers to put up their websites for the last 25 years, of course! So stupid of us! There, instead of hiring a professional photographer to shoot at your weeding, just give a compact camera to your uncle, since technology and progress have enabled you to do so. Because it really is just the same. When I was a kid, websites designed with Dreamweaver were looked down on, and anybody who wanted a real site should have hired a professional. Not it looks like everybody can do everything – expect that, uhm, they can’t.

Too often the right questions are not asked and carefully considered. Those are the most basic ones: do we really need this thing? How difficult is it to build it? Is it really worth it? What is the impact it will have on users/market? Does it add something really useful and needed without breaking anything else?

Continue reading

A day tour in Cork, Ireland: the best things to see and do!

Posted on by
Reply

After spending two months in Cork, Ireland, I feel like I can provide good advice for a nice day tour in Cork. I stayed in July-August, so some of my comments may be affected (by good weather, mostly). Here is the photo album of the whole time.

I think the best way to go around is on foot, as you can really enjoy the town, but there are the Coca Cola bikes that can be rent for 3 days: you just need to register online, pay a few euros, and then pick a bike in the many bike points scattered around Cork, and return it in any other one.

A day tour in Cork

If you want to go to the tourist office, for example to take a map or ask for some information, the best time to do so in when you get in town. In fact, the office is near both the bus station and the CityLink stops. In the building just in front of the tourist office, at the second floor, there are free toilets, handy in any circumstance!

In Shandon (St. Anne’s Church) you can ring the church bells! It really is amazing! Music sheets are provided with popular songs (Hey Jude, Lord of the rings soundtrack, and many more) and the bells sequence to be played. It is a bit out of the centre, but it does even go through nice streets. For students, the entrance is just 4 euros, and you can also get to the top of the bell tower and see Cork from above. Beware that the last entry is early in the afternoon, at around 16. This church is also called The Four Liars because, with strong winds, the four clocks on its sides are said to never display the same time.

The four liars, St. Anne's Church, Shandon

The four liars, St. Anne’s Church, Shandon

Exactly on the other bank of the river there is Elizabeth Fort. It is not much, they are basically some high walking paths, but again you can see Cork from above (although not as high as the Church), and it is free! Closes at around 17. Near here there is also St. Fin Barre’s Church, which is patron saint of the city. The church surroundings are not bad, the church is huge (but entry is not free) and there is a very disappointing labyrinth.

On a clear day, Fitzgerald Park is a beautiful place. It’s the biggest park of the city, there are often events in the weekend (music/festivals). There is even a bar that makes nice launches for reasonable prices (~5 euros for a sandwich), and you can then eat on the grass on the river banks. It’s a bit out of town, like 20 minutes on foot, but you can go there basically all through pedestrian-only streets, and there is a walking route that goes along the river bank on the other side: it starts from Shandon’s side and is called something like Banks of Lee Walkway.

Continue reading

Tasks un-owned are task that go forgotten

Posted on by
Reply

If you are a tech company, and your people commit code, then you probably have some code review policy. And if you do not, you definitely should: you want to have an extra pair of eyes on the code that goes live. You certainly do not want a mistake to break things. And that is why you do pull requests to contribute to GitHub repos, and why Google employees must have a certain degree of maturity to commit code without review.

BUT, as long as that is a good idea, we must be careful to implement it the right way. Just enforcing reviews is not enough. You want to make the time between the code is sent for review and the code is deployed as short as possible. The longer the review time span is, the more work will be needed when the review comes. That is because:

  1. Who wrote the code simply does not have it fresh in their mind anymore. The context switch between the current task and the code he wrote days/weeks ago is just more demanding;
  2. Conflicts are more likely to arise, and then more work is needed in solving them;
  3. Other issues may depend on the code being held for review. Other people may spend (waste) time debugging an issue for which a solution is already available;
  4. If the repo is public, it makes more difficult for other to jump in and contribute, because they also have to be aware of all the pending code.

The right way to implement a code review system in a tech company

I think the best way to implement a code review system is to:

  1. Assign each code review to a particular member of the team. If everybody owns a task, then nobody does as well. That is why you want that particular review to be a responsibility of someone specific. An automated system can randomly assign a review to a team member.
  2. Each code review comes with a deadline. That’s it: code reviews are as important as any other task – basically because every other task often generates a code review at some point, so if we lag on those, nothing gets carried to the end and we are getting no work done at all! We may have different priorities associated with different deadlines, but we want each review to expire at some point (with the longest being a couple days)!
  3. Team members can turn down their assignments, but only if they have a good reason to. Again, if code does not get reviewed, it cannot go live, and thus the work has been done for nothing. Reviews are important and must be considered as such.
  4. Then just track how it goes: who is turning down most assignments? Is the weight uniformly distributed across the team?

A tale in topology – The large clovers meadow

Posted on by
Reply

A small tale with a topological soul, with the aim of providing a very high level intuition for the notion of density and dense set in topology.

Smally Open was a cheeky youngster of the Open family who lived in a large meadow. It was a very nice and green meadow, well cared for and abundant in clovers. Smally Open liked it much because he found it magic. Oh, I wish you were there as well, my smally readers: Smally Open climbed the highest trees, went as far as he could from his home, went down below the blades of grass, but there was no way: anyway he was, Smally Open would always see his verdant meadow, as if it moved with him and changed its look. Anyway he looked, Smaly Open would always see a large green meadow.

You will wonder, my dears, if Smally Open did not get bored to death in always seeing the very same meadow anywhere he went… well, I hope you do not believe that it was just all alike! The meadow looked all the same if you looked from afar and without attention, but sometimes there was a butterfly here, some other time there was an amazingly beautiful red leaf there: at any rate, there was always some new thing to fascinate him.

Anyway, when Smally Open did get bored, there always was a nice way he liked to use to spend his time: go and bother Mr. Dense-D. He was pretty a weird and extraordinary sir, in fact he had a lot of heads (how many, you ask? Try to count the stars in a cloudless night: Mr Dense-D had at least three-times-twice-one-thousand-times-that-number-of-heads!) You should not however think of D-Dense as a green weird martian with several scary heads, going away pecking at children’s ears, no! D-Dense was a very distinguished man, very kind and happy.

Indeed, D-Dense was the happiness of the meadow in which he lived together with Smally Open, because he was its clovers. But not a few crumpled and frail clovers, oh well stop with these prejudices towards Mr. D-Dense! No, those were beautiful clovers, big and comfortable, and above all there was one in any part of the meadow you would look for. When Smally Open was tired, he would look around and immediately find one of the heads of Mr. D-Dense, upon which he could rest under the sunlight.

Apertolo, paying, would often jump from one blade of grass to another. When he would lose his balance and fall in the void he was always lucky that Mr. D-Dense lived in his same meadow, because were it not for his many heads that would catch him, falling on the ground he would at least get a big bruise! But Smally Open sometimes take advantage of Mr. D-Dense’s kindness: he would jump on his heads from tree tops on purpose, he would eat on the clovers, crumbling on D-Dense’s heads, or he would ruffle all his hair intentionally. At any rate, he would really bother him! Mr. D-Dense was a patient man, but one day he was fed up and said: “Enough, I am old and tired: I need a quiet holiday. I am going to leave.” And so he started lifting himself.

First, Smally Open fell on the ground. Then he heard a great rumble, as if the whole land was shaking, and saw all the clovers moving and lifting, with mountains of soil up in the air, until Mr. D-Dense headed with all his clover-heads towards the horizon.

Continue reading