Articles

A project dump

Current endeavors

  • Creative verification software for the online ad industry
  • Run legacy windows apps in an HTML5 environment
  • Payments for the SmartTV era

Past experience

  • 2008-2011
    CFO then GM at Fotolog and Allopass USA
  • 2004-2008
    Finance
  • 2000-2004
    Audencia business school-France
Let's talk!
    Here are a few hacks I dug out from my archives.
    I will add more stuff including more recent works in the future (or not).
  • AdLive

    An android app that retrieves reporting information from your favorite web monetization platforms

    I built AdLive when I was running Fotolog because I wanted a quick way to get a snapshot of the performance of our various monetization platforms. The alternative was to log in to each and every website, and see how much money we made. We had someone in the team do that every day and put everything in an excel spreadsheet = p-a-i-n-f-u-l-l

    I've implemented a scripting language making heavy use of Xpath. This let me add more sources without changing the code base. Here is an example with Commission Junction:

                    
    {"Commission Junction",
        
    NAME    Login
    QUERIES    1
    URL    https://members.cj.com/member/foundation/memberlogin.do
    METHOD    POST
    DATA    uname=%%email%%&pw=%%password%%&submit.x=15&submit.y=5", 
           
    NAME    Yesterday
    QUERIES    1
    URL    https://members.cj.com/member/publisher/home.do
    METHOD    GET
    DATA     
    MATCHES    1
    XPATH    //td[@id='qs_commission']
    INSTANCE    0",
    
    NAME    Today
    QUERIES    2
    URL    https://members.cj.com/member/||CONTID||/performance/publisher/account/affil_edit_quickstats.jsp
    METHOD    POST
    DATA    as_period=today&as_website=All&ai_commission=1&ai_ctr=1&ai_cpm=1&ai_epc=1&ai_imps=1&ai_sales=1&ai_leads=1&ai_hits=1&save_settings=Save+Settings
    NEXT
    URL    https://members.cj.com/member/publisher/home.do
    METHOD    GET
    DATA     
    MATCHES    1
    XPATH    //td[@id='qs_commission']
    INSTANCE    0            
    }, 
                            

    Et voila!

    Users requested additional platforms so I contacted them and sometimes they gave me access to their API (thanks Vibrant Media...).

    After a while, some sites broke. Although I had designed it to be easily fixable, I lost interest and didn't keep it up-to-date. It is still on the Market with some disappointed user comments Hopefully someone will take over.

    LanguageJava
    PlatformAndroid
    Year2010
    LicenseGPL
    Download[zip]
  • RTMP swfUrl spoofing

    A proof-of-concept that defeats an RTMP security measure

    RTMP is the video streaming format built by Adobe for Flash. RTMP was closed source and undocumented until Howard Chu and Andrej Stepanchuk notably reverse-engineered it to build the famous program rtmpdump. They followed-up with librtmp that is now implemented in various open-source tools like xbmc, lifting the need for the Flash player to play RTMP video streams.

    RTMP is secured by various means. One of them is to have Flash send its hosting URL (the "referring" URL) and have it validated by the server. This is called the swfUrl in the protocol. rtmpdump implements such swfUrl masquerading. I thought it would be interesting to modify Flash so that the swfUrl is automatically adjusted to the value expected by the server. Instead of patching Flash though, I implemented a mozilla plugin that hooks into the Flash dll and intercepts all network packets. It simply modifies the swfUrl as needed.

    The interception is achieved through IAT hooking of the socket send() function. Please have a look at hook.cpp in the source.

    LanguageC(++)
    PlatformWindows
    Year2010
    LicenseBSD
    Download[zip]
  • DebugIt

    Automated stack overflow vulnerability identification for Windows Software

    I wrote this program to evaluate the security impact of incorrect usage of commonly used Win32 APIs like RegQueryValueEx.

    You typically have to call RegQueryValueEx twice: Once to get the size of the data to retrieve (and to allocate a buffer accordingly), then another time to retrieve the actual data. Many incorrect implementations in various Windows software would only call it once, with a fixed size buffer. It is then reasonably easy to build a stack overflow exploit with some shell code stored in the Windows registry.

    I will leave it to your imagination to figure out what are the potential exploitations of such a flaw.

    This program uses the Win32 Debug API to place a breakpoint on potentially exploitable Win32 function(s) to inject large amounts of data in the application calls and detect overflows. Apologies for the half-French commented code :-/

    LanguageC++ (MFC)
    PlatformWindows
    Year2004
    LicenseBSD
    Download[zip]
  • Reverse CRC32

    A home-made algorithm that forges CRC32 signatures

    CRC32 is great to verify data integrity but provides no security. Not only does it only provide 32 bit long signatures, but it is also a completely reversible algorithm. A myriad a file formats and protocols rely on CRC32 to ensure data integrity, including zip, gzip and all their derivatives (SWF flash files, PNG).

    For a given data buffer, this program allows you to produce 4 bytes of data (crc32) that will make the whole data match a given crc32.

    data inputcrc32
    CdMV-KEQPQM1-jerome => 0x00000000
    X5LR-2FN6XP-jerome => 0x00000000
    Kr7i-6L6PVS1-jerome => 0x00000000
    GoEn-WESBA01-jerome => 0x00000000
    xB4X-U4G18R1-deadbeefisyummy => 0xDEADBEEF
    =>

    The algorithm is made so that the whole output is valid ASCII, not some unprintable binary characters. The input data is formatted as follows:

    AAAA-BBBBB-anytext
    • AAAA: Four bytes calculated by the program to match a given CRC32 according to the rest of the data
    • BBBBB: Some random ASCII characters. The algorithm restarts with a fresh BBBBB string until the first AAAA characters are valid ASCII characters
    • Anything, really.

    At the time I wrote this program, bruteforcing CRC32 would take a few seconds to process on a desktop PC. It is probably instantaneous by now. Still interesting for education purposes.

    I've built a command line tool for Windows that implements the algorithm (get it in the download):
          Usage: reverse_crc32 <input> <crc>
          <input>: string that should be included in the final result
          <crc>: target value for crc32 (decimal notation)
                            

    Conclusion: If you can modify 4 bytes of the data or prepend/append 4 bytes to it, then you can choose an arbitrary CRC32 checksum for it.

    LanguageC
    PlatformAny
    Year2000
    LicenseBSD
    Download[zip source + Windows exe] [source]
  • ASM Mod Player

    A tiny embedded protracker player

    I wrote this tiny program in year 2000.
    It wraps together a protracker module, the AMP dll file (to play modules) and plays the module at execution. Works fine on recent windows versions. I am still a big fan of chip tunes :) Here's a nice collection

    LanguageAsm x86
    PlatformWindows
    Year2000
    LicenseBSD
    Download[zip]

[1] This javascript-based crc32 is based on a routine by jdcantrell on stackoverflow.

All Rights Reserved. - Hosted by site44.com