Having fun with crypto


, , , ,

I don’t write much in my blog because I don’t have some interesting stories to share. Today I am kind a bored and want to talk about some old story. I want to talk about some crypto, security and Gangnam style in a single post. As you know, Gangnam style video was my inspiration to prank students. After I have pranked them in their presentation, I was looking something big. It had to be something that should affect everybody in the school and yet it shouldn’t be tracked back to me. Challenge accepted!

Gathering information

Our school has a main computer which deals with everything such as database, and bell ringing. So I had to access to that computer to plant my software so that It would play Gangnam style song during the exam. I couldn’t ask for permission because I knew that the answer would be no. I couldn’t physically access the computer because it was locked in the administration. I had to access it remotely. Since that computer is regularly updated, remote exploits were no go. How administrators were managing that computer? They were managing the computer by using VNC. VNC is remote controlling software that allows you control other computers. Stop here if you think VNC is a magical software to control every computer. VNC is a software that must be installed to a server to server computer so that you can use a client software to control the machine. I need to find the password of the VNC so that I could connect to server computer.

Attacking VNC

Trying every password by brute forcing would take so much time and also it could increase the load in our network. I had to do it clean and neatly. I have to find another way to get access to the computer enough access to get at least the password of VNC.  Server has Windows XP and runs Apache, PHP and MYSQL. Because no one would bother to download Apache, PHP, and MYSQL separately, most of the Windows users use WAMP or its derivatives. I checked WAMP vulnerabilities and found a candidate for the attack. WAMP creates WebDAV directory named /webdav with username: wampp and password: xampp. I have downloaded WebDAV client and checked if the default username and password was there. YES! I could upload any file to WebDAV directory. Because server has PHP installed, I have the remote code execution.

VNC password

I have downloaded RealVNC software and checked how it is storing server password. RealVNC is storing encrypted server password in HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver key by using Password. I have searched the internet and found out that it is encrypted by DES algorithm with key 23,82,107,6,35,78,88,7

I needed to get the content of that registry key so that I could decrypt and get hold of VNC server. It sounds easy :) I wrote a simple PHP code to get the key from registry. I first tried by using registry class of PHP but it didn’t work. So I just executed reg.exe and dumped the content of registry key to file and read the file and showed as a password. The code was messy but it worked. I had the encrypted server password. I could code my own DES decrypter but why reinvent the wheel. There are couple of DES decrypter and I used one of it that I don’t remember. I put my encrypted password and hit decrypt and I got the key. I tried to connect the server and wrote my password. BOOM! Wrong password!


I have the password how it could be wrong. I have tried different decrypter but the result was same password and it was still not accepted. I have stopped for a while and tried different things on my test environment with VNC server and tried different authentication mechanisms and different passwords. However it was still not working. Finally I have checked the contents of encrypted key again. It was not 8 bytes long. That means server had a long password. So I have divided encrypted key to blocks and decrypted them and add them together. It worked because VNC was using DES in ECB mode. In ECB mode blocks are independent from each other and they can be decrypted separately. As a side note using ECB in block ciphers are bad. However for this implementation it wouldn’t matter because we have the key of DES. For more information about cipher modes please check Wikipedia article.


I had the password of VNC and it was working. Next thing was setting up the program so that it would run during the chemistry exam and play the music. The program had to leave no traces and shouldn’t be visible. Therefore I coded a simple application which was running in the background and checking the time and when the time was right (17/11/2012 8:30) it played 11 seconds of Gangnam Style song. After the song is played, executable first deleted the MP3 and then it deleted itself.

Even though some students suspected, nobody from teachers suspected about me. The funny thing is one of the teachers asked what happened and Administrator said that workers were testing speakers so they played that song to test. I said, yeah, damn workers :) Students asked me whether I did or not, of course I couldn’t tell a lie so I told them.

Lessons Learned and Notes

  • I wrote this post in hurry. Therefore grammar Nazis can email me for my mitsakes.
  • All the bugs I mentioned were closed after I report. So kids don’t try this at home.
  • Always check the documentation (RTFM) for any kind of default password and change them immediately.
  • There is nothing more dangerous than a bored person.
  • I think next term I will be pretty bored :)

Adding PIN to Evernote


, ,

I like Evernote. It is multi-platform, convenient and supported by many software. However there is one feature that bugs me a lot. It has almost zero security.Tech savvy user can open your database and see your notes if they are sitting on your computer. Any simple sqlite reader can read the database. You can protect yourself against these attacks by encrypting your notes. However after you logged in and minimized Evernote, it doesn’t ask you password again when you try to open it again. Evernote has a PIN feature in its mobile clients. I just can’t understand the logic why they don’t add PIN feature to Windows version. I at least want to have some kind of security. Therefore I added PIN feature to Evernote.
Continue reading

LG TV Hack

I always wanted to control all my devices with single remote control. Actually remote control of my satellite receiver, Dreambox DM800, is an universal remote control. However mine is old one so it doesn’t have the code of my LG TV. Actually remote can be programmed with JP1 cable. However the cable itself is more expensive than my remote control. During my holiday I was working with my receiver. I installed couple of iPhone applications to remotely control the receiver. It is actually very cool to control your receiver with the phone. However one thing was missing; controlling the TV.
Continue reading

Subtitles of Beni Böyle Sev (Love me as I am)



Recently, I have started to translate one of the Turkish TV series. If I find a time, I will try to translate all episodes. It takes long time to translate and synchronize subtitles. Therefore I am not sure, whether I will continue or not. However, for now, I translated first two episodes. There could be some errors in the text, I hope you don’t mind. Because it was exhausting to finish it.

In order to use subtitles, download following YouTube videos and use attached subtitles. Enjoy.

Episode 1


Episode 2


Note: I added Episode 3 as a separate post. I will add next episodes as separate posts from now on. Enjoy.

EZ430-Chronos watch

I have acquired a brand new EZ430-Chronos watch. It has a 96 segment LCD display and provides an integrated pressure sensor and 3-axis accelerometer for motion sensitive control.

I tried to use different programs that were advertised on Chronos wiki site. However, my favorite app Chronos Flying Mouse didn’t work as I had expected. I had trouble calibrating and using it as it is shown in the video. My efforts to contact the authors were fruitless. So today, I downloaded source code of the programs and started working with the libraries. My C++ skills suck, therefore I had to change libraries to work with masm32. Finally I managed to connect the watch and get accelerometer data.

I thought how can i use this watch for something useful, something meaningful, something for the sake of humanity. Finally I found my answer, I would prank my students. I wrote a small software which sits in the background and checks for pressed keys of Chronos. For example if ^ key is pressed, program runs a music video called “Gangnam Style”, * button terminates the music video and # button plays a short clip from “Gangnam Style”. In order to add extra evil, software also disables the mouse and keyboard during video playback. I had a couple of problems during this prank. First of all, the range of the watch is extremely limited. I have tried several times to find the optimal position for executing the prank. In order to hide the watch, I always wore long sleeved shirt. My last victim class was extremely cautious therefore I wore a black shirt and pretended to use phone for the remote control. It was all mostly fun to watch their faces.

If I get permission from students I will update this post with videos. Stay tuned! Oppa Gangnam Style :)

Update: I got permission from two three classes. Here are their videos. Enjoy :)

12-C Class

12-B Class

12-A Class

I also uploaded source code and binary of my programs. You can download from here. Because this was a quick and dirty hack, I hard coded paths. Prank assumes that you have Media Player Classic installed at

“C:\Program Files\MPC-HC\mpc-hc64.exe”

All the files must be located at C:\g folder. Inside the folder following files should exist;

gangnam.mp3 Short MP3 from Gangnam style
g.avi Music Video of Gangnam style
ComProject.exe Main executable
eZ430_Chronos_CC.dll DLL to communicate with Chronos watch

You can change the hardcoded paths by compiling the source code with MASM32 or by doing some hex-editing.

If you have any question feel free to leave a comment.


Get every new post delivered to your Inbox.