From: David Polakovic
Date: Sun, 9 Mar 2025 09:32:17 +0000 (+0100)
Subject: change of license to CC BY-SA, added fruit.js and blogs
X-Git-Url: https://git.dpolakovic.space/?a=commitdiff_plain;h=64210159e4e32c82047dc9cdf31e2511ce8b96c4;p=my-website
change of license to CC BY-SA, added fruit.js and blogs
---
diff --git a/Pictures/alien.png b/Pictures/alien.png
new file mode 100644
index 0000000..b0f57a2
Binary files /dev/null and b/Pictures/alien.png differ
diff --git a/blog.php b/blog.php
index 60ab8ab..a84003e 100755
--- a/blog.php
+++ b/blog.php
@@ -57,8 +57,8 @@
+
+
+
+
+
+
+ During my daily web crawl I encountered a very interesting
+ [ɡɪf]
+ that I haven't seen in a long time. It was a hack of an unspecified version of
+ Windows 95, which showed how to bypass the login screen with the help of the
+ menu and printing dialog. However, after a brief check, I found a fair
+ amount of people stating that "just hitting the cancel" button would do
+ the same. Sharp-eyed viewers would notice that it was the very first action
+ taken in the picture. In order to find out if the hack is real at all,
+ I decided to reproduce it and document it for the good of the internet.
+
+
Analysis
+
+ The Windows 9x family ran on
+ FAT file-system which does not support permission models. It was
+ originally used for floppies and later for other portable media where
+ permissions are simply not desired. You wouldn't want to throw away a
+ perfectly fine floppy just because you can't delete the file on it from
+ your Solaris machine... This means that all access rights on 9x's are
+ managed on the OS level only.
+
+
+ In addition, a new user can be added simply by entering new credentials
+ on the login screen(!). While in the OS itself, users can encounter
+ 4 types of "permissions": read-only, hidden, archive and
+ system. However in standard terms, every user had read and
+ execute permissions. And since all users can execute the
+ files with the archive permission, like File Explorer
+ for example, they can easily change the read-only attribute to
+ false, de facto giving them the write permission too.
+
+
+ However, the login dialog shown in the picture was for a network and that's
+ where things might get tricky.
+ Accessing the client-server network does in fact require credentials,
+ even on the 95. To crack the setup of Windows NT 5.31 Domain Controller
+ is beyond scope of this OS hack, but a user who has accessed the machine
+ might just have enough tools to get in the network as well.
+
+
Prerequisites
+
+ I used a virtual machine since I don't have much
+ hardware to spare. Here is my setup and everything needed to reproduce it.
+
+ I started with Windows 95 v4.00.950, the very first release.
+ As a rule of thumb, if there are going to be bugs, they are likely to
+ appear in the initial version. The 4.00.950 C is a somewhat special version.
+ It is the final release of the 95 with some features which will come handy
+ later.
+ The boot floppy is needed only for installation, and the FIX95CPU is
+ necessary if your host has an equal/faster CPU than 2.1 Ghz.
+
+
Preparation
+
+ After a fresh install, every user profile shares the same machine,
+ from folders to settings. In order to set up the user profiles,
+ navigate to the Control Panel > Passwords > User Profiles
+ and check the Users can customize their prefferences... option.
+ Make sure to check two more checkboxes from User Profile Settings
+ to include the network preferences. After a restart, every new user
+ that logs in can customize his machine to their needs. Now we can focus on
+ the printer.
+
+
+ Windows 95 offers quite a lot of drivers for various printers. You can
+ check the list of printers in the Control Panel > Printers > Add Printers.
+ However, the HP DeskJet 710C is not included. Closest match with this
+ device is HP DeskJet 560C which will work just fine. After all, every HP
+ printer ending with the letter "C" (and only "C", not "C/PS") will work
+ too. The "C" stands for "Color", and it is the color printer's
+ Printing Properties dialog which we will exploit.**
+
+
+ The next step would be to connect the VM to simple a peer-to-peer network.
+ In the network properties, enable the File and Print Sharing.
+ Then we need to add a new protocol as a component.
+ Pick Microsoft as the manufacturer and select the TCP/IP network protocol.
+ When done, open the protocol properties and on the IP Address tab
+ add the IP address of your choice. Upon saving, the machine will restart
+ again.
+
+
+ In VirtualBox, navigate to network settings of the VM and enable
+ the network adapter, attach it to Internal Network and in advanced
+ options pick PCnet-FAST III (Am79C973) adapter. Set the
+ Allow All in Promiscuous Mode option. Now we can clone
+ the machine. Then, for the newly cloned machine, make sure to:
+
+
generate new mac address in VirtualBox network settings
+
change the machine name in Windows 95 network properties under Identification tab
+
change the host identifier (last number) of the IP address in TCP/IP properties
+
+
+
+ You can now start both VMs. Create a new folder on one machine and share
+ it on the network via folder Properties. If everything was done
+ correctly, you should see both VMs in Windows 95 Network Neighborhood.
+
+
+ Lastly, the client-server network. We don't actually need to create new a
+ Windows NT 3.51 server VM, because we can simulate its presence by
+ registry edit. When disabling the Cancel button, Windows will try
+ to validate the user input with the server. Unless all three, username, password
+ and domain name, aren't checked with the server, the user won't be let in the system.
+ It's the same registry edit shown in the original gif. Obviously, without
+ the presence of any server, we will lock our selves out of the system, so I
+ recommend creating a VM snapshot before the next step.
+
+
+ In regedit navigate to HKEY_LOCAL_MACHINE > Network > Logon.
+ Open Edit menu pick New > DWORD Value. In the right pane,
+ a new empty line will be added. Enter MustBeValidated and then Modify
+ the value. In a new dialog, change the current value 0 to new 1.
+ After another restart, users will not be able to "cancel" the login prompt.
+
+
Test
+
+ Login into Windows 95 virtual machine with the user name "Bill" and password "Gates".
+ This user has a shared folder on the peer-to-peer network named "Halloween files"
+ which contains one file called "secret.txt". Then start up the second VM of
+ which we don't know any credentials.
+
+
+ At the login prompt click the ? button and then the Cancel
+ button. A help message will appear stating:
+
+ Closes this dialog box withput saving any changes you have made.
+
+ Right-click the message and choose the Print Topic... option.
+ A Print window will appear. Make sure to select the HP DeskJet
+ printer which has the letter C in the name and click the
+ Properties button.
+
+
+ A new window with ColorSmart(tm) options will appear. Click the
+ Help... button. On the new HP DeskJet help window
+ menu bar pick options File > Open. A new Open window
+ will appear. Next to the Look in: combobox press the
+ Up One Level button (the one with the folder and arrow on it) until
+ you get to the Desktop. Right click My Computer and
+ select Open.
+
+
+ We are allowed into the system as default nameless user. Partially...
+ The Desktop is not responsive, however the Start menu
+ works and therefore the Run... does too. Also, the login prompt
+ Enter Network Password is still present.
+
+
+
What now?
+
+
+ Now we can easily revert the system hardening we've done during the
+ preparation phase. Using rgedit we navigate again to the
+ HKEY_LOCAL_MACHINE > Network > Logon. Since we are still logged
+ as null profile, the registry will be in the default state, without the DWORD value
+ we've added. We will add it again but this time we will keep the value 0.
+ After that, we will be able to close the login prompt.
+
+
+ Let's open the Start > Find > File or Folders and enter
+ the "pwl". Results will list the Bill.pwl file that contains the login
+ credentials for the user Bill. Copy it on the Desktop or anywhere
+ safe and then delete it from its original location. Right now we can insert the
+ Microsoft Windows 95 CD-ROM Extras
+ floppy number 5. This floppy contains the PWLEDIT.exe which can
+ now decrypt the passwords from the .pwl files we saved.***
+
+
+ When we run PWLEDIT.exe we will be asked to enter the
+ password for the user from new login prompt pop-up. Since we deleted the users
+ .pwl file from C:\Windows, we can assign new password to
+ mentioned user. After this action, a new .pwl file will be created
+ in C:\Windows with new password, and the PWLEDIT window will
+ open. We can use it to decipher the password for the client-server network.
+
+
+
Conclusion
+
+ The hack is real! It offers enough tools to gain access to the machine,
+ peer-to-peer network and client-server network as well. A question arises.
+ Will it always work ? Sadly, no.
+
+
+ The printer hack itself will work, but when you disable password caching
+ in the registry editor, you won't be able to access any network, since the
+ .pwl files won't be stored anymore. This is "solved" however, in
+ later releases. You see, the very last Windows 95 release I mentioned
+ in prerequisites, offers the Users option in the Control Panel.
+ This allows us to change the password for user profiles and therefore
+ gain access to the peer-to-peer network. The situation is same on 98FE and
+ 98SE too. No luck for the client-server network. Once there is nothing to
+ decrypt, you are stuck.
+
+
+ There is, of course, a way how to perform this hack without a printer -
+ through the power of MS-DOS prompt. By pressing F8 during startup,
+ you could enter the MS-DOS mode only where you can utilize the
+ regedit command. This will require the knowledge of locating the
+ registries in the system files. I can not emphasize how awful work it is, but
+ I would rather go to get the physical DeskJet 710C than edit registries
+ with the DOS prompt.
+
+
+
+
+
+
+
+
+
+
+
+
+ * I prefer to use
+ VirtualBox because I am unable to make QEMU/KVM work, since I am not
+ a rocket scientist.
+ I don't see the advantage of a package manager when I have to edit random
+ config files and hunt for tutorials. Why this can't be managed by APT
+ or explained by the developer/maintainer? Seriously, why this needs
+ to be another Wine-like experience is beyond me.
+
+
+ ** If you want to install the 710C after all, you will encounter a few problems.
+ The HPDJ710C.INF file prevents the driver from being installed by the
+ "Add Printer" dialog and the HP's installation wizard requires a physical
+ device to be connected via parallel port. The workaround may be manually
+ (re)placing the HPFPNP.DLL, and any other files the driver requires, in
+ C:\Windows\System. Honestly I don't know, but I will update this
+ when/if I find out.
+
+ Timekeeping is bitch. I found out the hard way while trying to program
+ extendable time keeper for other celestial bodies in the Solar system. The
+ problem is that, every calendar system is flooded with so many rules and
+ exceptions that the calendar builder basically becomes another programming
+ language. I am well aware of the Zawinski's
+ Law* however, I wanted to avoid creating another
+ Emacs.
+
+
+ Common timekeeping obstacles include inconsistent leap intervals,
+ ever changing time zones and conversions from one timekeeping system to another.
+ In addition to these algorithmic problems, there are device limitations
+ like precision of the oscilator or memory capacity.
+ In modern age, these are usually overlooked, especially memory allocation
+ is not considered a serious problem since the Y2K bug came and went.
+
+
+ Y2K, Y2038 and other Y2xx bugs are not really "bugs" but
+ simple overflow of reserved memory space. You see, Unix and unix-like
+ computer systems measure time by incrementing seconds in single integer
+ variable time_t. Naturally, this timekeeping is named the Unix time
+ and its 0 is equal to midnight, 1st of January 1970.
+
+ Different
+ implementations of the Unix time, use different data type for time_t.
+ When the data type reaches its upper limit, it will "flip", either
+ to its opposite (negative) value or to the 0.
+ Current, main branch of the Linux kernel uses signed 64-bit integer.
+ This solution has rollover point in year 292,277,026,596.
+ That is roughly 292 billion, 277 million, 24 thousand years into future.
+
+
But then what?
+
+ The number overflows and the date will jump back 278 billion years before the Big
+ Bang**? Needles to say, this needs to be fixed.
+ Luckily, we have 33 life times of our Sun to solve this problem but we could
+ propose some solutions even today. The obvious solution is to use dynamically
+ typed language.
+
+
+ #!/usr/bin/perl
+ use strict;
+ use warnings;
+ my $time_f = 9223372036854775809; # out of long int range
+ my $year_s = 31536000; # seconds in year
+ Problem solved. Devoted fans of parentheses can use Lisp. Now the variable will increment indefinitely with
+ only limitation being the physical memory. The time_f (f stands for fix)
+ can consist of slightly over 1 billion digits per 1GB of memory. However, Linus Torvalds would rather
+ use Debian than program in anything other than C, so if we want to put this into
+ the kernel, we need to get more static.
+
+
+ // Increment unix time by 1
+ mpz_add_ui(time_f, time_f, 1);
+ }
+ return 0;
+}
+
+
+ In C, we can utilize the GNU Multiple Precision Arithmetic Library
+ which will allow us to dynamically allocate memory for variables.
+ Unfortunately, the gmp.h is not compatible with kernel space, so
+ we will need to design this heresy from scratch.
+
+
+ For dynamic memory allocation in C we can use arrays. Then with strings
+ we can read
+ numbers beyond long long int just like with the gmp.h.
+ It would be also nice to create a division function for converting
+ seconds into reasonable time units, like years.
+
+
+ Let the structure BigInt represent large integers with arbitrary
+ precision using an array of digits.
+
+
+ typedef struct {
+ int *digits; // Pointer to an array of digits
+ int size; // Number of digits
+ } BigInt;
+
+
+ Then we need to initialize the BigInt from the string input.
+
+
+ BigInt initBigInt(const char *str) {
+ int len = strlen(str); // Get the length of the string
+ BigInt num; // Declare a BigInt variable
+ num.size = len; // Set the size of BigInt to the length of the string
+ num.digits = (int *)malloc(len * sizeof(int)); // Alloc memory for the digits
+ for (int i = 0; i < len; i++) {
+ num.digits[i] = str[len - 1 - i] - '0'; // Convert digits to int and store them in reverse
+ }
+ return num; // Return the initialized BigInt
+}
+
+
+ And of course, we need to free the memory like all good mannered people.
+
+ When we have our structures fully defined, we will use them to feed
+ variables with values.
+
+
+ int main() {
+ BigInt time_f = loadCurrentUnixTime();
+ BigInt year_s = initBigInt("31536000"); // Seconds in a year
+
...
+
+
+ Now we can focus on the long division. This part was little bit problematic
+ for me because of two reasons. C isn't my preferred
+ language*** and as I found out, the long division is
+ taught differently all over this planet. It seems that I have learnt
+ the
+
+ Germanic-Euroasian method
+
+ which is little bit different than the method tought in english speaking
+ countries. (Turns out, math ain't such universal language after all...)
+ Anyway, with the help of my elementary school notes and one C book from
+ local library, I managed to spit out next division function.
+
+
+ void divideBigInt(BigInt *dividend, BigInt *divisor, BigInt *result) {
+ // Initialize result size and allocate memory for its digits
+ result->size = dividend->size;
+ result->digits = (int *)calloc(result->size, sizeof(int));
+
+ // Initialize help BigInt named current
+ BigInt current;
+ current.size = 0;
+ current.digits = (int *)calloc(dividend->size, sizeof(int));
+
+ // Fill the "current" helper var
+ for (int i = dividend->size - 1; i >= 0; i--) {
+ // Shift digits in the "current" to the left
+ for (int j = current.size; j > 0; j--) {
+ current.digits[j] = current.digits[j - 1];
+ }
+ // Add the next digit from dividend to the "current"
+ current.digits[0] = dividend->digits[i];
+ current.size++;
+
+ // Remove leading zeros in the "current"
+ while (current.size > 1 && current.digits[current.size - 1] == 0) {
+ current.size--;
+ }
+
+ int count = 0;
+ // Do division until the "current" is less than the divisor
+ while (isGreaterOrEqual(¤t, divisor)) {
+ BigInt tempResult;
+ // Subtract divisor from the "current"
+ subtractBigInt(¤t, divisor, &tempResult);
+ free(current.digits);
+ current = tempResult;
+ count++;
+ }
+ // Store the quotient in the result
+ result->digits[i] = count;
+ }
+
+ // Remove leading zeros in the result
+ while (result->size > 1 && result->digits[result->size - 1] == 0) {
+ result->size--;
+ }
+ free(current.digits);
+}
+
+
+
+ With addition of few more functions to monitor the progress, I was able
+ to get output for current Unix time and fictional with over 400 digits
+ too.
+
+
+ The next logical step would be to modify it to fit the time.c in the
+ Linux kernel, however, my knowledge of kernel-space programming is converging
+ to a zero. Also, I am not sure how will the division function handle
+ prime numbers larger than long long int.
+
+
+ Anyway, the fixed.c is published under GPLv3 and available
+ here
+ for anyone who wants to fix the Y292b problem on a kernel level for future
+ generations. Good luck and remember, the time is ticking.
+
+
+
+
Update
+ 5 Jul 2024
+
+
+ Usually, I tend not to update my blogs as I believe every post is a
+ product of its time and circumstances, but today I will be the George
+ Lucas of obscure web writings. My email inbox got quite flooded with all
+ kinds of responses to this not bug not fix proposition, so
+ I wanted to make some things straight.
+
+
+ First of all, the post was written with a funny attitude, but it is in
+ no way meant to be a joke, parody, or insult. Quite a lot of people
+ understood what I meant by this software complete solution to an
+ integer overflow problem and the tradeoffs of it. I still believe that
+ such a solution could be implemented in some optional kernel module.
+ (And not only for timekeeping).
+
+
+ Secondly, I know the linked demo has some optimizations
+ to be done; for example, the digits of BigInt should be byte,
+ not int. However, I want to emphasize that this is just an
+ algorithmic demo, not finished code.
+
+
+ Lastly, I want to address something that was not mentioned many times but
+ felt tough to read nevertheless. I was not ordering people to immediately
+ start working on this. The sole reason why I posted this to the Linux
+ Kernel Mailing List was to inspire people with sufficient skill in kernel
+ space to look into this unconventional idea. And I still believe that
+ there must be someone who will try this out of curiosity -
+ like in the old days.
+
+
+ I hope this will make less people angry.
+
+
+
+
+
+
+ * Zawinski's Law is fictional law in computer science that mocks the inevitable
+ feature creep, stating that every program will eventually try to
+ read email. Please note that the law was formulated during 90's,
+ hence the email feature. I also found good website with more
+ computer science laws.
+
+
+ ** In
+ this vlog Mr. Tyson mentions
+ that time is not really relevant before the Big Bang. He proposes that
+ before this point, time as now known concept might not even exist. To
+ me, it is very interesting to think about time this way.
+
+
+ *** Even though
+ I can appreciate the speed and direct control of the code,
+ I still want to write code that is little bit more intuitive. But since
+ by that I mean Pearl, I guess this all boils down to a personal preference.
+
+ Copyright 2023 David Polakovic -
+ This publication is licensed under
+ CC BY-SA 4.0.
+
+ This site is javascript and cookie free. The source code is available
+ here
+ under
+ GPLv3 license.
+
+
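Review bot: the divideBigInt sample in the Y292b post ships with "isGreaterOrEqual(¤t, divisor)" and "subtractBigInt(¤t, divisor, &tempResult)" where "&current" is clearly intended; a bare "&current" in the HTML of blog.php is parsed by browsers as the legacy "&curren" entity followed by "t", so the ampersand has to be written as "&amp;current" (and the other ampersands in the code samples deserve the same check). Three further points in the same hunk. In divideBigInt, once "current = tempResult;" has run, the next outer iteration's shift starts by writing "current.digits[current.size]", which is one element past whatever subtractBigInt allocated for tempResult unless that function over-allocates; subtractBigInt is not shown here, so either allocate tempResult with one digit of slack or reallocate before the shift. The Perl snippet is introduced as "Problem solved" with only "use strict; use warnings;", but perl's native integers are still 64-bit (the literal fits only as an unsigned IV), and past 18446744073709551615 the value degrades to a double on which adding 1 no longer changes anything, so the "increment indefinitely" claim only holds with "use bigint" or Math::BigInt. In the Windows 95 post the Analysis section names the server "Windows NT 5.31 Domain Controller" while Preparation says "Windows NT 3.51 server VM"; one of the two should be corrected. Finally, the footer added here still states "This site is javascript and cookie free" while the commit message says fruit.js was added; either drop that sentence or say what the script is for.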
diff --git a/dir.php b/dir.php
index d5a13f4..bfb194f 100755
--- a/dir.php
+++ b/dir.php
@@ -98,8 +98,8 @@
- my go to place to get books online Av8ns thermodynamics
- thermodynamics reference page
- Space weather prediction center
- - check before you plan your trip to Mars
+ SWPC NOAA
+ - space weather forecast [3] UESP wiki
- everything I ever needed for Morrowind [1, 3]
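Review bot: the link-list edits in this hunk (dropping the "Space weather prediction center" entry and its "check before you plan your trip to Mars" description in favour of "SWPC NOAA - space weather forecast [3]") are not mentioned in the commit message, which only covers the license change, fruit.js and the blogs; add a line there or move these into their own commit. The "[3]" tag on the new entry and "[1, 3]" on the Morrowind line are not explained within the hunk, so confirm the legend they point at was updated in the same change. As rendered, leading whitespace of the context lines is lost, which makes it hard to tell which "-"-prefixed lines are removals and which are the list's own "- description" separators; the hunk header's 8/8 line counts also do not match the six lines visible here, so the diff should be re-checked against the repository before merging.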
@@ -117,8 +117,8 @@