Werewolf is a social game in the ilk of Mafia and has become very popular at un-conferences such as BarCamps. There are many rule variants of Werewolf, but this bot probably most closely matches the rules set out in ultimate werewolf, with some changes to make it fit better to IRC, the voting system is slightly different for example.

WolfBot is based on the popular PircBot Java IRC framework. It is a collabrative project between me, Twigathy, and a number of other people. The code is avaliable on github (tpcarlson/Werewolf).

WolfBot is currently playable in #wolfbot on the boredicons irc network and. Use the command “!join” to start playing (please note if there is a game in progress you will have to wait for it to finish before you will get voice in the channel).

This post is a quick follow up to a talk I gave at BarCamp Canterbury, my original slides are available.

BarCamp Canterbury 2012

Updates on the blog have been a bit thin and far between recently, but that’s because a lot of us have been busy organising BarCamp Canterbury. The event was run a couple of weekends ago (Saturday 28th and Sunday 29th of April 2012) and thankfully all our preparation was worth it as the event went without a (noticeable) hitch.

I thought it would be helpful to share what we have learned, for any one else thinking of organising a BarCamp.

Tickets

• Use EventBrite, their service is brilliant, and made keeping track of people/tickets sold a piece of cake.
• Oversubscribe. We have a 30% no show. If your limit is 100 people you can probably issue 120+ tickets safely.

Food and Drink

• Fifty people got through 140 pints of Ale and 40 pints of cider.
• Sainsburys do Catering!
• People get grumpy without coffee.

Sponsorship

• Follow up with sponsors. Some companies only replied to second email.
• Make it clear what you expect from your sponsors, and what they should expect from you.
• Ask for “stuff” many companies won’t give money but they will hand out freebies.

I hope this helps you if your thinking of running a BarCamp or similar event yourself. Please leave a comment if you think of anything else that would be helpful.

Unlike the Arduino, it comes with an integrated keyboard and chair screen. For further hardware specifications click here.

My investigations of the Z2 led me to Mozzwald’s site which contains most of what I wanted to know. There are Zipit guides on U-Booting, Ubuntu, etc.

While my Zipit was winging its way from the USA, I started work on my clock application. Using the Lazarus IDE and the Free Pascal Compiler I created the first draft. Setting up the cross compile environment was straight forward and I soon had a binary ready for the Zipit’s ARM v5 compatible processor.

After a week of anticipation, I was finally introduced to my Zipit at the Rochester Can’t Hack meet. I started by flashing the Z2 with a U-Boot image I downloaded. To get the image flashed I booted into the Z2′s stock OS and selected the reset to defaults option.

Using Mozzwald’s z2sidX image I booted into Debian Sid. Following this was a back and forth between the Can’t Hack group about keyboard layout. Needless to say I was a very happy to see X start and spent a few minutes playing Free Doom.

For the past few days I have been perfecting the sid image I am using, including changes that allow for better integration of my Clock application.

Some notes on my changes:

Installed avahi-daemon openssh-clients nfs-common

For the dbus install (avahi-deamon dependancy) I selected not to overwrite the dbus config file with the package maintainer’s version. This caused issues with dbus failing to load. To fix this I purged dbus and reinstalled avahi-daemon.

Something I noted was the MAC address used by Debian Sid was not the MAC address printed on a sticker found under the battery. To fix this I edited /etc/network/interfaces.

user@zipit:~$ cat /etc/network/interfaces
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.
auto wlan0
iface wlan0 inet dhcp
hwaddress ether 00:12:34:56:78:ab

To change the host name to “zipit” I used the hostname command and also edited /etc/hostname and the /etc/hosts file.

Note: I installed avahi-daemon to enable machines on the local network to find the Zipit on the network using the .local domain. i.e. ping zipit.local will resolve. This is why /etc/hosts contains the information below.

127.0.0.1 localhost.localdomain localhost zipit

I then configured samba by editing  /etc/samba/smb.conf and used pdbedit to add a samba user login.
# pdbedit -a -u user

I have noted that the EWOC script provided on the z2sidX image has trouble configuring the wireless network when SSID’s contain spaces. I have fixed this issue and informed Mozzwald.

My work then shifted to my Clock application. I started adding features including a five day weather report, a week day alarm, timer and reminders. Another feature I wanted to add, was the ability to play music from a NFS share. I tested mpg123 and found that mp3′s played well when they were on the local flash drive but streaming off the NFS share was unworkable due to stuttering.

After adding the MP3 playback feature to Clock, I purchased a 32GB Sandisk Micro SDHC card to use for Zipit music storage. To my disappointment the card did not work with the Zipit Z2. The boot precess ended with I/O errors.

It seemed my dreams of adding music to the Zipit were in tatters, but then the word “buffers” popped into my head. When mpg123 plays back MP3′s on the Zipit it only uses about 15% of the processor’s capabilities. The stuttering had to be related to networking because local playback worked, the solution had to be buffering.

I changed the mpg123 command line for Clock to include a 2MB output buffer. Problem solved.

Clock's main window showing five day weather report.

The original idea was to open-source Clock under GPL, the problem is that the site I scrape weather information from prohibits scraping. Perhaps the solution is to get information from another source. I am willing to implement this alternative and release the source and binary for Clock. Suggestions are welcome.

My remaining issues include a long reboot time which I believe is related to the error – libertas failed to find firmware.

On boot up I get the error “boot wlan0 link not ready” from addrconf
and 200 second boot time.

Thanks go to Tristan and the Can’t Hack group, Mozzwald and all those that contributed to z2sid, Lazarus, FPC, Linux, GNU, etc …

I found a new hobby! Crafty but not too difficult (unlike sewing/knitting/jewellery making malarkey). I’m not very patient, and I find fiddly things too…well…fiddly! So I’ve found something on my level. According to Wikipedia, “plastic fusible beads are also known as Perler Beads, or called “melty beads” by young children. These small colorful beads can be placed on a solid plastic-backed peg array to form designs and then melted together with a clothes iron; alternatively, they can be strung into necklaces or bracelets, or woven into keychains. Fusible beads come in many colors and degrees of transparency/opacity, including varieties that glow in the dark or have internal glitter; peg boards come in various shapes and several geometric patterns.”

The main thing to note here is that this is usually a hobby for children. This means that it’s not fiddly (yippee!) and you don’t need to be very patient (hooray!!) so it suits me down to the ground.

I started off making coasters, by copying patterns I found online and filling in the space around the pattern and making it into a square. I then began going “freestyle” and making up patterns, as well as interpreting cross-stitch patterns to make other designs. Then I came across how much 8-bit art has been made with these beads. There’s an amazing amount!

Some of my hama bead creations

I then had a go at turning my creations into necklaces, brooches and magnets, which worked well. I have since sold some of them at various craft fairs, and have plans for giant 8-bit art as well as more different types of wearable geekery

Knowing this, Reashlin’s colleague wrote a C# application that leaves the computer running whatever it was before until the mouse is moved, when it switches to a full screen RickRoll video with the machine locked.

A whole C# application to do this seemed a bit much, so I distilled the whole thing into the following 4 line bash script. The script is quite simple. It simply waits for input from /dev/input/mice then spawns full screen mplayer in the background, and xtrlock in the foreground. xtrlock is a handy little program that captures all keyboard/mice events until the users password is entered, a bit like a transparent xlock. There is an issue with this script if the user is proficient in keyboard short-cuts they might never touch the mouse… but that’s something for another day.

If the others at canthack.org try and do this to me again they will be getting a surprise (well not that much; they do read this after all).

#!/bin/bash
sudo cat /dev/input/mice | read -n 1
mplayer -fs rick.flv &
xtrlock

I decided to make a temperature sensor, using the cheap and easy-to-use LM35 integrated circuit, which is a compact package that looks just like a transistor.

LM35

It offers a linear 10mV per degree C voltage change with temperature and so requires minimal mathematics to covert the analogue input into a temperature reading.

The current temperature, and a running minimum and maximum are displayed on an LCD display (using the LiquidCrystal Library), with the pushbutton allowing the maximum and minimum to be reset. The temperatures are calculated using a circular buffer providing a running mean value over 10 samples.

SD card hack

The project also writes the temperature values to an SD card using the SD Library, which was attached via an awesome hack I came up with involving soldering a pin header directly to it, although in this case it’s a micro-SD adaptor to allow for changing the card more easily. The pinout is almost exactly lined up to make this hack work!

Temperature Sensor

What I like about this project is that it combines all the usual cool things a beginner would want to do with their Arduino. Sensor reading, LCD screen output, SD card read/write, and button capture (which will be done with an interrupt, when I get a chance to do it).

The code, and Fritzing schematic, can be found on my GitHub page.

To celebrate armistice day, the last binary day for another 88 years and 51 days, and the joy of the bodge, CantHack is at it again!

We have TI hacking, watch designing, plenty of Arduinos, crafting, and software packaging. There was also beer (and Lemsip for Omer).

Hack in pictures

PROTIP: *Never* leave your laptop unattended at a hackathon

However, in general, because of it’s usefulness in malicious programs, self modifying code is a bit of a security problem for operating systems. For this reason modern operating systems do not allow memory pages to be both writeable and executable. This is known as W^X – write XOR execute, meaning a page of memory is writable or executable, but never both.

The main reason for this post is an interesting work-around that Edd and I discovered today. It turns out that it is possible to map a file into memory twice. When a file is mapped into memory, the permissions are set at the same time as it is mapped. Given this, you can be a bit sneaky, and map a file as writeable, then map it again as executable. This will give you two pointers to different areas of your programs virtual address space, but both referencing the same file. You can then write some code to the file using one pointer, and execute it using the other.

As an example I created a little test C program with a single function in it as follows:

int
add(int a, int b)
{
        return a+b;
}

main() {
        int a = add(12, 2);
}

I then built this with debug symbols and no compiler optimisation (since this program doesn’t do anything, with optimisations turned on the add function would disappear completely):

gcc testcode.c -o testcode -g

This function is nothing really to do with the exploit per se. The plan is:

• Create a file
• Map the file into memory as writeable
• Copy the add function from the above code into this writeable memory (ending up in the file)
• Map the file into memory as executable
• Assign a function pointer to point to the executable memory
• Execute the add function that we just wrote into memory using the function pointer

To do this, the code below is used:

#include <sys/mman.h>
#include <stdio.h>
#include <stdlib.h>

#define MEM_MAP_FILE "/tmp/a"
#define TESTCODE_FILE "testcode"
#define TESTCODE_SIZE 8427
#define FUNCTION_ADDR 0x394
#define FUNCTION_SIZE 0xE

int
main(void)
{
	void *p1, *p2, *p3;
	int fd, fd2;
	FILE *f, *f2;
	int (*add)(int a, int b);

	/* Create/open the file */
	f = fopen(MEM_MAP_FILE, "w+");
	fd = fileno(f);

	/* Make some space in the file to copy the function in */
	lseek(fd, FUNCTION_SIZE, SEEK_SET);
	/* Have to write to actually make the space */
	write(fd, "", 1);

	/* Map file as write */
	p1 = mmap(0, FUNCTION_SIZE, PROT_WRITE, MAP_SHARED, fd, 0);

	/* Open test code */
	f2 = fopen(TESTCODE_FILE, "r");
	fd2 = fileno(f2);

	/* mmap the test code */
	p3 = mmap(0, TESTCODE_SIZE, PROT_READ, MAP_SHARED, fd2, 0);

	/* Copy function into writeable memory */
	memcpy(p1, p3 + FUNCTION_ADDR, FUNCTION_SIZE);

	/* Map the file as executable */
	p2 = mmap(0, FUNCTION_SIZE, PROT_EXEC, MAP_SHARED, fd, 0);

	/* Make function pointer point to the executable memory*/
	add = p2;

	/* Execute function we just wrote! */
	printf("Result = %d\n", (*add)(1, 2));
}

There are a couple of things to note. First, this code does no checks on return values of mmap, fopen etc. This is purely for readability on this blog! Second, the 3 #define pre-processor macros at the start of the program must be set up for the function that is being copied in from testcode, in our case ‘add’. The first is the size of the testcode executable, which can be found with “ls -l”. The second is the offset of the add function within the executable, and the third the size of the add function. The easiest way to get these last two is probably with objdump. We use “objdump -d testcode” to disassemble the file, and then scroll through until we see the add function, which will look something like:

08048394 <add>:
 8048394:	55                   	push   %ebp
 8048395:	89 e5                	mov    %esp,%ebp
 8048397:	8b 45 0c             	mov    0xc(%ebp),%eax
 804839a:	8b 55 08             	mov    0x8(%ebp),%edx
 804839d:	8d 04 02             	lea    (%edx,%eax,1),%eax
 80483a0:	5d                   	pop    %ebp
 80483a1:	c3                   	ret

Unfortunately objdump relocates the file before disassembly. Therefore, we only use the last 3 digits of the address. So in this case, the add function starts at offset 394 and ends at 3a2 (the last instruction, ret, is only 1 byte long, and starts at 3a1). So the size of the function is 3a2-394 = E.

Running the executable afterwards will now result in:

Result = 3

So we have managed to write to some memory and then execute what we wrote, working around the W^X feature!

However, this isn’t as bad as it might seem. There are actually other ways to get around W^X, for example the mprotect system call. And this doesn’t really allow you to elevate privileges very easily. You might be able to write self-modifying code, but you can’t, for example, overwrite code of a process already running as root, make the text area of an address space writable, the data area executable, or modify a file such as /bin/ls (because you still don’t have write permission to the file).

The room I was in was affectionately known as “Mex’s sweatshop”.  Here, I was employed to sew Mex’s Tinkersoc t-shirt, ready for him to wear at the University of Kent Freshers’ Fair.  He stencilled the logo on the t-shirt, and I sewed EL wire onto it in the shape of a transistor.  I covered the parts that didn’t need to light up with black electrical tape, and soon it was complete.  Sadly there are no action shots of it!

I then moved on to make some things from felt under the instruction of Debora (a felting pro). Marianne copied a picture of Shaun the Sheep for me onto some paper, and I used it as a guide to cutting out pieces of felt. I went on to make a Sonic the Hedgehog (without using a template, hence a tad wonky) and a bracelet made of buttons, a necklace mainly made of buttons, and fixed an old heart-shaped necklace. Debora made the troll, Pacman and ghost, button ring and flower hairclip. Marianne made the keyhole necklace and Mex wore the hairclips! All in all it was a really fun and productive day. Just wish the place was nearer then we could join and hack away there as often as we wanted!

It is called hgdc-x. The X alludes to the cross-platform nature of the GUI code. By writing it from the ground up in Lazarus/Freepascal, it can be compiled for Windows/Linux/Mac OS X/FreeBSD among others, targeting various toolkits like GTK, QT, Win32, and Carbon.

I have since essentially finished the client, which supports all of the usual hgd user features like user authentication, SSL encrypted connection, listing the playlist, queuing tracks and voting tracks off, but also includes added features like album artwork fetching (using the Last.fm API). Limited support is provided for hgd’s administrative features, so hgdc-x supports song pausing and skipping as long as you are logged in as a user who is an admin on the hgd server.

In the future I will add Last.fm scrobbling, remaining admin features and other cool stuff.

The development version (available right now) been tested on Windows, Linux and Mac OS X, and works fine on all three.

hgdcx on Linux

Proper tagged releases and pre-compiled binaries will follow, as soon as the hgd server makes its next release (0.5). When this happens the version numbers will be kept in sync with the server. Until then, the HEAD of hgdc-x should work correctly with the HEAD of the main hgd server repository, as I scramble to keep up with API and protocol improvements, so if you can install Lazarus 0.9.30, give it a go if you like!

The source is available from GitHub, where an Issue Tracker is active for any inevitable bugs or indeed feature requests you may like to add.

When complete, the same GitHub page will be the place to go for the pre-compiled binaries.