Gianni Tedesco

This is the web page for Gianni Tedesco <gianni at scaramanga dot co dot uk> by accessing this website, you are agreeing to the terms of the secret agreement. Refusing these terms indicates acceptance of terms.

These days I am mostly working on smartcard and RFID related projects. I am also still active in developing an intrusion detection system and a library for creating and querying constant databases. As of the last few weeks I have also become a hacker cliche by beginning work on a small, high-performance web server for hosting static content. More on this at a later date. I am also working on a toy operating system kernel called scaraOS.

I no longer accept communications encrypted with my public GPG Key (ID: 8646BE7D) since that bitch is revoked.

Current projects

With free software you have freedom!

Firestorm Network Intrusion Detection System - A high performance modular network intrusion detection system. This project has been inactive for a while but a new version is in the pipeline. Watch this space...
CCID Utils - A USB CCID (smartcard device) driver and interactive shell. Includes a graphical interface for credit/debit cards based on the EMV specification and a basic GSM SIM card utility.
acgtools - A driver and set of tools for the ACG HF MultiISO RFID reader.
autober - A language for generating BER decoders. It's different from an ASN.1 compiler in that it's much simpler and it only deals with BER encoded messages. It is intended for smartcard and RFID applications where much of the data stored on these devices is, in-fact, BER encoded TLV data. The language is designed to be very similar to the template definitions found in the specifications for smartcard and RFID applications.
gidx - A library for creating and querying constant databases. Constant databases are important for a wide range of applications where databases are very infrequently modified but very frequently accessed. They have the oppertunity to make very extensive optimizations compared to read/write databases. They allow many clients to simultaneously access the database without any locking or synchronisation.
ScaraOS - 32bit multiboot OS kernel with virtual memory for IA32 (PC/AT).

Older projects

Skunk DB - A constant database for mapping string or integer values to integer keys
ircnukes - An irc based nuclear war game
tbot - An extremely unfair tetrinet bot which will anihilate any competitor in a (configurably) short span of time. Trash-talk IS included :)
nads-0.3.tar.gz - N.A.D.S. (Normalized Attack Detection System) is an HTTP normalization library and squid ACL helper.

Reverse Engineering

PCI Host Proxy Support for QEMU - The worlds sexiest PC emulator can now use real PCI devices inside the virtual machine (while also logging data sent back and forth across the virtual PCI bus).
I began a project reverse-engineering the pokerstars protocol. A number of technical challenged had to be overcome to do this. Firstly the protocol is SSL encrypted. I worked around this by using a debugger and a hex editor to patch the binary so that the certificate was not checked. I then developed an SSL man-in-the middle proxy and used network address translation to force the pokerstars client to connect to that rather than directly to the official servers. At this point I was able to observe the traffic going back and forth between the client and server. However after an initial exchange of messages, all communications were compressed. By examining strings in the binary I guessed that the LZHL algorithm was being used for this. A further search for LZHL lookup tables confirmed this. However I was never able to get my decompressor to work fully. Some of the data is decompressed fine but for some reason there are "holes" in the output consisting of all zero bytes. Perhaps some brave soul can figure this out and apply it to the latest version of pokerstars. This code is some 5 years old. I have some example log files: pokerstars0.txt pokerstars1.txt pokerstars2.txt pokerstars3.txt
intrusig.c - parses intrushield signatures out of some binary file retrieved from the appliances disk image. Unfortunately this code is so old (intrushield is now McAfee Secure something-or-other platform) that I have forgotten the exact details. But the output gives you a rough idea of the time investment and consideration that was put in to the product.
webschlong.c - Queries websense servers using WISP. You can also get tcpdump captures of some WISP traffic if you are interested.
Broadcom BCM94306 802.11g Adapter - Some data logs and information about the BCM94306 card, I was aiming to write a full specification but the b43 driver came along. I think they used my data-logs to extract the firmware blob though ;)
sweet-rev-eng - This is a graphical decompiler and reverse engineering toolkit that I work on now and then. I am developing some patent-not-pending techniques for retreiving C source code from machine code (as close as is possible) as well as other things. I have also written an x86 control flow graph generator and a GNOME based binary level debugger for PowerPC using ptrace. You can see the main window and register view.
act.c and bytesex.h - Allow you to extract data from Symantec ACT! databases. I started turning the code in to a GUI called fuct.

Code-Fu and Other Stuff..

USB Support for QEMU - I wrote the initial code for USB OHCI emulation in qemu
Firewall Monitor (Linux only) - A firewall monitor for Linux kernels, can dump full packets to tcpdump files or hex dump to screen.
sieve.c - Generate prime numbers using Eratosthenes sieve. Implemented using a bit-vector making it a little less sensitive to cache timings and memory consumption.
rbtree.c - A simple red-black tree implementation. The left and right handed versions of the various tree rotation algorithms have been folded in to both-handed functions by using the XOR operator. This technique is important because the code size is halved meaning more efficient use of CPU instruction caches not to mention simplicity of implementation.
lincap.c - A FAST and lean packet sniffer for Linux (mmap() packet socket), slightly stolen from Alexey Kuznetzov ;)
genpass.c - A program which generates strong random passwords from the system entropy pool. Probably pwgen does this just as well these days?
crack-o-matic.c - A program which checks the strength of passwords read from stdin. Requires cracklib (-lcrack)
cache.c - A tool which displays which pages of a file are in the kernels page cache utilising the mincore(2) system call.
netfilter-promisc.diff - Adds support for capturing packets in promiscous mode in netfilter (iptables). I am not sure what sort of nefariuous use one might apply this to.
tproxy-gid.diff - allows you to specifiy a GID (via. /proc/sys/net/ipv4/tproxy_gid) to allow access to the linux TPROXY functions. Applies on 2.4.21 + TPROXY.
squid-ssl-hw-acceleration.diff - hardware SSL acceleration for squid 2.5
squid-2.5-tproxy-03.diff - Linux transparent proxy support for squid 2.5
squid-HEAD-tproxy-00.diff - And for squid 3.0 CVS branch
squid-HEAD-fnv1a.diff - Fibonacci string hashing function for squid 3.0 (benchmark it for yourself)
GP32 stuff - Defunct GP32 utilities...

Development Environment

All the tools I use in my hacking work

VIM - I do most of my stuff in vim, it's really efficient to code with.
I compile all my code with GNU GCC, a portable C compiler, and use GNU binutils for a linker etc..
I recommend Anjuta, a free IDE for the GNOME desktop (similar to KDevelop).
I sometimes program in python, a cross-platform interpreted object oriented language.
The GNU binutils are VERY useful!
I love GNU diffutils for creating patches
I used to use CVS for version control.
Then I used subversion.
But now I use git.
Qemu is a CPU emulator that pwns vmware - very useful for reverse engineering shitty hardware.
KVM is based om qemu and uses NX extention of your CPU if you have a modern bling computer.