Wednesday, October 30, 2024

Using gdb

Using gdb


I figured I'll write a mini-tutorial on how to use gdb, because there's not that many places where they teach you how to use gdb effectively.


Let's say you have a program and it crashes, what do you do?


Example code:


```


void func() { char *p = 0; *p = 0x69; }


int main() { func(); }



```



Next:


```


gdb a.out


```



Followed by the `run` command:


```


(gdb) run

Starting program: /home/d/a.out

[Thread debugging using libthread_db enabled]

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".


Program received signal SIGSEGV, Segmentation fault.

0x000055555555513d in func () at test.c:1

1 void func() { char *p = 0; *p = 0x69; }

(gdb)



```



You can see where it crashes, but you'd like a stacktrace...


```


gdb) bt

#0 0x000055555555513d in func () at test.c:1

#1 0x0000555555555155 in main () at test.c:3

(gdb)



```


(NB: `bt` stands for backtrace)


You can go up a frame and check local variables:


```


(gdb) up

#1 0x0000555555555155 in main () at test.c:3

3 int main() { func(); }

(gdb) info local

No locals.



```



Or down a frame and check local variables:


```


(gdb) down

#0 0x000055555555513d in func () at test.c:1

1 void func() { char *p = 0; *p = 0x69; }

(gdb) info local

p = 0x0



```




You can continue after the segfault:


```

(gdb) cont

Continuing.


Program terminated with signal SIGSEGV, Segmentation fault.

The program no longer exists.

(gdb)



```



Now we can re-run it, but before we do, we can set a breakpoint:


```

(gdb) break func

Breakpoint 1 at 0x555555555131: file test.c, line 1.

(gdb)



```



Now we run it again, it will stop at the breakpoint:


```


(gdb) run

Starting program: /home/d/a.out

[Thread debugging using libthread_db enabled]

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".


Breakpoint 1, func () at test.c:1

1 void func() { char *p = 0; *p = 0x69; }

(gdb)


```


We can single step through it:


```


(gdb) step


Program received signal SIGSEGV, Segmentation fault.

0x000055555555513d in func () at test.c:1

1 void func() { char *p = 0; *p = 0x69; }

(gdb)


```



We can also try the command `next`, which is similar to `step` but skips over subroutines.


We can get help from gdb at any time using `help`.


Another useful `info` command is `info reg`, which shows CPU registers.


Also useful is `disas` command, which disassembles the code.

 

Tuesday, October 29, 2024

More Captain Drone Killer ideas...

More Captain Drone Killer ideas...

 

Disclaimer: These are just ideas, use them at your own risk.


Some interesting DIY wide-band jammers


A wide-band jammer that only costs $120 to make:


https://eee.yasar.edu.tr/wp-content/uploads/2015/06/cem_anil_kivanc_jammer_poster_yasar.pdf


Another wide-band jammer, this one uses a spark to generate noise. It's very interesting, but I would be scared of all the x-rays being generated from the spark:


https://www.instructables.com/Simple-broadband-jammer/


And of course, I've seen alot of wide-band jammers for sale. I can't recommend any, since I haven't personally tried them out.


These wide-band jammers would obviously be useful for knocking out drones. Unless you want to use a Microwave Oven Cannon(TM).


Microwave Oven Cannon(TM)


This one is quite simple. If you dismantle your microwave oven and take out the magnetron, waveguide and the electronics, you could turn it into a Microwave Oven Cannon(TM).


I wouldn't recommend it, unless you re-design the waveguide so that it is more of a parabolic dish, so that it projects all the waves in a parallel line.


Speaking of which... drone jamming isn't all that difficult?

It seems drone jamming and knocking out drones isn't all that difficult.


It might be that drone detection is more difficult, because the cellular mobile frequency range is being used by mobile phones as well as drones (drones with SIM cards).


Drone detection, various ways...


  • Radar
    • Hard, because drones are so small you could mistaken them for birds
  •  Microphone
    • Easier than radar, cause they make a buzzing noise
  • Camera
    • Easiest, if you have a fish-eye wide-angle lens with computer vision algorithms
  • Radio Frequency (RF) usage, e.g. cellular frequencies, normal RC (radio controller) frequencies, WiFi frequencies
    • Hard, because it's hard to distinguish normal cellular and WiFi usage from drone usage




Monday, October 14, 2024

Chuck Norris

Chuck Norris


Chuck Norris is such an elite hacker, that when he looks at his smartwatch, the time is always 13:37.

Sunday, September 29, 2024

Using RTL-SDR under Linux

Using RTL-SDR under Linux


First steps:

```

sudo apt install rtl-sdr gnuradio-dev gqrx

```


This will install GQRX, which is an excellent program to view and listen to the spectrum.

When running GQRX, you need to specify the I/O device. Input should be your RTL-SDR and output should be your soundcard device.

Next, specify an FM radio station and you should be able to tune to it quite easily, remembering to demodulate WFM (Wide FM) Stereo to hear it properly.

Note the spectrum analysis is done by FFT (Fast Fourier Transform) on the signals received by the SDR. This is the brilliancy of using SDRs -- they make cheap spectrum analyzers -- spectrum analyzers used to cost $250k AUD back in the day!

Next you might want to try dump1090, which gets you an airplane's transponder information.

```

sudo apt install dump1090 (or it's dump1090-mutability)

dump1090 --interactive --net

```

Some other interesting things:

NSW Police radio band (unfortunately they use encrypted radios, but it's interesting if you're studying P25 encrypted radio protocol):

https://www.radioreference.com/db/aid/1026

There's something interesting about using encryption (AES-256) -- it means they use a shared key, and for it to be a stream cipher (e.g. CBC or GCM modes), it means everyone has to lock onto some timing signal to synchronize the stream cipher, or else they use the insecure block modes to encrypt their data. Best case is they use a nonce in AES-256-GCM mode.

I wonder if the radios they use are easily buffer overflow hackable... (e.g. imagine sending a dodgy encrypted packet on the air and hacking every police radio at the same time!)

I wish I could get my hands on a police radio to reverse engineer. But I think since they use a standard protocol (P25), all I need is an encrypted P25 radio, e.g. from Motorola, etc.

Something for the people at ASD (Australian Signals Directorate) to play with, I'm sure.

Monday, September 23, 2024

Spread spectrum signal jamming (ideas)

Spread spectrum signal jamming (ideas)


First off, spread spectrum (frequency hopping) signal jamming is difficult if you hop on "pseudo-random" frequencies... that is, the frequencies are generated pseudo-randomly -- most likely via a special cryptographic random number generator.

They would use a shared private key between both transceivers. This is most likely used by military-grade radios.

However, they could be limited by the number of channels available for use, i.e. hardware or software.

For example, with Wi-Fi there's only 14 channels available for the 802.11b/g standard. So if you jam all 14 channels, you've essentially blocked all the possible frequency hopping that could be done.

So if you log all incoming frequencies using a spectrum analyser (or an SDR with a FFT) you can see which frequencies are being used by the hopping algorithm. From there, you can determine whether there's a fixed number of channels (so they're cycling through them) or there's an infinite number of channels (pseudo-random generated via an SDR for example).

If it's the latter, another approach must be taken.

Breaking the pseudo-random number generator, or reverse engineering it.

Utilising neural-networks capabilities in being excellent pattern recognition classifiers, we can attempt to reverse engineer the PRNG / frequency hopping algorithm.

Ultimately, one could employ a wide-band jammer -- for example, a microwave oven generates 2.4ghz, and can be used to disrupt Wi-Fi (802.11b/g) because it's very noisy and disturbs the entire band that 802.11b/g is on.

Anyway, to summarize, these are the ideas:

  • Fixed channel frequency hopping:
    • Log all frequencies and then jam them
  • PRNG based SDR frequency hopping:
    • Use NN to analyse and jam accordingly
    • Alternatively, deploy wide-band jammer on frequency band that it uses

 

 


Wednesday, September 18, 2024

Captain Drone Killer (captaindronekiller.com)

Captain Drone Killer (captaindronekiller.com)


I'm making a new product from Drudget called "Captain Drone Killer".

Its purpose is to detect and bring down drones, using a variety of methods.

They include:

- spread spectrum signal jamming (using SDR)
- detection and locating drones using trilateration and triangulation from radio and audio sensors
- anti-AI based drones, utilising backdoors or kill switches in their products, or exploiting security flaws in their code (e.g. buffer overflows).

Saturday, September 7, 2024

Video game, FPGA CPU or SDR?

So I'm looking for volunteers who are interested in making something cool on the weekends.

Basically it falls down to 3 things: 1) a video game using Irrlicht or Unreal (C++), 2) an FPGA based CPU using verilog/vhdl, 3) something cool with SDR (software defined radio).

Let me know if any of those 3 things interests you, by sending me a message on the form at https://www.drudget.com.au

Using gdb

Using gdb I figured I'll write a mini-tutorial on how to use gdb, because there's not that many places where they teach you how to...