Monday, May 21, 2012

Stirling Engine (Attempt to build one)

In this era of Internal combustion engines this blog post brings you a sneak at external types and also our trails in building one. This will be regularly updated based on our completion of the work. Aim is to build a small Stirling Engine which is small but powerful enough to power a RC car. Lets take a look at the Stirling cycle
It consists of four thermodynamic processes acting on the working fluid. Let us take a look at the β type Stirling engine, the one we are planning to build so that it can be analyzed along with the cycle.
  
This is how basically the β Stirling engine works. The red colored part is the heated part blue is the heat sink. Observe that the working fluid unlike Internal combustion engines isn't changed every cycle but is the same every cycle. The engine has two pistons the one at the far end that encloses the gas is simply referred to as piston throughout the article. The other one inside will be referred to as displacer piston.

1.Constant volume Heat addition ( aka Isovolumetric or Isochoric Heat addition)
    

Here the piston has compressed the gas and the displacer piston is also at the far end the gas absorbs the heat from the heat source and expands. This displaces the piston to the towards highest point, leading to isothermal expansion.

2.Isothermal Expansion

This is also called power stroke. The piston is pushed to the farthest end. Note that the displacer piston is already moving downwards.

3.Constant volume Heat removal ( aka Isovolumetric or Isochoric Heat removal)


The displacer piston finally hits the bottom. This results in displacement of gas to the other end cooler part). The heat sink there reduces the temperature of the gas thus resulting in its contraction.

4. Isothermal Compression


This leads to the gas contraction aided by the flywheel momentum causing the piston to fall back. And then again back to Constant volume Heat addition process.

The 3D working model would look somewhat like this

The one we will be trying to build will look similar to this. 

Plan 

Start with a metal (steel or aluminium) cylinder 15 cms long
Cut the part as shown below using a lathe.
Machine out the extruding 5 cm length to get a heat sink as shown below.

Drill a  5 cm bore from end A 14 cms deep.

This gives us the cylinder. The piston, displacer, camshaft and flywheel are yet to be designed. For piston we plan to use a cylinder 2 cms long and  5 cms such that it fits in perfectly. This must house a bore and a pole at one side of it.

Displacer piston must be of  4.5 cms. 

Sunday, May 20, 2012

Reverse engineering C binaries ( Linux ELF )

Most of the people know about writing a C library, seldom does a common man think about how to know what is written into it. Suppose there is a binary given to you and nothing about is known to you. Now you have to get it running, But you have no clue whats going on....

Consider such a circumstance

Let the program be such that it asks for a password in the beginning, depending upon the password given it runs further. Consider this code

 #include<stdio.h>
int main()
{
int password;    //A integer password
printf("Enter Password :-");
scanf("%d",&password);
if(password==1024)  //Compare if the password is correct
       printf("correct!\n");
else 
       printf("wrong\n");
return 0;
}


This compares the password first and then outputs correct or wrong based on the password. Compile and run this. You are prompted by

Enter Password:-

Now suppose we have only the executable how do we tell what is the password. Basically our first instinct is to try all possibilities.




$./passwrd
Enter Password:-1032
wrong


$./passwrd
Enter Password:-1045
wrong




Its tiresome and sometimes impossible. Lets take another approach. The first basic thing is to know what sort of executable it is, so type in

$file passwrd


It gives output about the type of file, which in my case turns out to be

passwrd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped



It says that the file is a ELF 64-bit LSB executable and belongs to x86-64 architecture. It also reveals that the file is dynamically linked meaning that it uses inbuilt libraries of the system lastly it says the GNU/Linux version. Not much helpful but we still got to know what type of a file it is.

Now that the file is a architecture specific binary and all the binaries are formed by translating assembler instructions to the machine code. We must be able to reverse engineer it to the assembler part at least. So we try objdump


$objdump -d passwrd

It gives an output that starts like this



passwrd:     file format elf64-x86-64




Disassembly of section .init:


0000000000400460 <_init>:
  400460: 48 83 ec 08           sub    $0x8,%rsp
  400464: e8 93 00 00 00       callq  4004fc <call_gmon_start>
  400469: e8 22 01 00 00       callq  400590 <frame_dummy>
  40046e: e8 3d 02 00 00       callq  4006b0 <__do_global_ctors_aux>
  400473: 48 83 c4 08           add    $0x8,%rsp
  400477: c3                   retq   


Disassembly of section .plt:


0000000000400478 <printf@plt-0x10>:
  400478: ff 35 72 0b 20 00     pushq  0x200b72(%rip)        # 600ff0 <_GLOBAL_OFFSET_TABLE_+0x8>
  40047e: ff 25 74 0b 20 00     jmpq   *0x200b74(%rip)        # 600ff8 <_GLOBAL_OFFSET_TABLE_+0x10>
  400484: 0f 1f 40 00           nopl   0x0(%rax)


0000000000400488 <printf@plt>:
  400488: ff 25 72 0b 20 00     jmpq   *0x200b72(%rip)        # 601000 <_GLOBAL_OFFSET_TABLE_+0x18>
  40048e: 68 00 00 00 00       pushq  $0x0
  400493: e9 e0 ff ff ff       jmpq   400478 <_init+0x18>


0000000000400498 <puts@plt>:
  400498: ff 25 6a 0b 20 00     jmpq   *0x200b6a(%rip)        # 601008 <_GLOBAL_OFFSET_TABLE_+0x20>
  40049e: 68 01 00 00 00       pushq  $0x1
  4004a3: e9 d0 ff ff ff       jmpq   400478 <_init+0x18>


00000000004004a8 <__libc_start_main@plt>:
  4004a8: ff 25 62 0b 20 00     jmpq   *0x200b62(%rip)        # 601010 <_GLOBAL_OFFSET_TABLE_+0x28>
  4004ae: 68 02 00 00 00       pushq  $0x2
  4004b3: e9 c0 ff ff ff       jmpq   400478 <_init+0x18>


00000000004004b8 <__isoc99_scanf@plt>:
  4004b8: ff 25 5a 0b 20 00     jmpq   *0x200b5a(%rip)        # 601018 <_GLOBAL_OFFSET_TABLE_+0x30>
  4004be: 68 03 00 00 00       pushq  $0x3
  4004c3: e9 b0 ff ff ff       jmpq   400478 <_init+0x18>


The first part is the init part of the program or that part that executed at the starting of the program. Followed by .plt(Procedure Linkage Table) contains Global Offset Tables to link the program to the required libraries. This part is followed by

Disassembly of section .text:

00000000004004d0 <_start>:
  4004d0: 31 ed                 xor    %ebp,%ebp
  4004d2: 49 89 d1             mov    %rdx,%r9
  4004d5: 5e                   pop    %rsi
  4004d6: 48 89 e2             mov    %rsp,%rdx
  4004d9: 48 83 e4 f0           and    $0xfffffffffffffff0,%rsp
  4004dd: 50                   push   %rax
  4004de: 54                   push   %rsp
  4004df: 49 c7 c0 a0 06 40 00 mov    $0x4006a0,%r8
  4004e6: 48 c7 c1 10 06 40 00 mov    $0x400610,%rcx
  4004ed: 48 c7 c7 b4 05 40 00 mov    $0x4005b4,%rdi
  4004f4: e8 af ff ff ff       callq  4004a8 <__libc_start_main@plt>
  4004f9: f4                   hlt    
  4004fa: 90                   nop
  4004fb: 90                   nop

00000000004004fc <call_gmon_start>:
  4004fc: 48 83 ec 08           sub    $0x8,%rsp
  400500: 48 8b 05 d9 0a 20 00 mov    0x200ad9(%rip),%rax        # 600fe0 <_DYNAMIC+0x190>
  400507: 48 85 c0             test   %rax,%rax
  40050a: 74 02                 je     40050e <call_gmon_start+0x12>
  40050c: ff d0                 callq  *%rax
  40050e: 48 83 c4 08           add    $0x8,%rsp
  400512: c3                   retq   
  400513: 90                   nop
  400514: 90                   nop
  400515: 90                   nop
  400516: 90                   nop
  400517: 90                   nop
  400518: 90                   nop
  400519: 90                   nop
  40051a: 90                   nop
  40051b: 90                   nop
  40051c: 90                   nop
  40051d: 90                   nop
  40051e: 90                   nop
  40051f: 90                   nop

0000000000400520 <__do_global_dtors_aux>:
  400520: 55                   push   %rbp
  400521: 48 89 e5             mov    %rsp,%rbp
  400524: 53                   push   %rbx
  400525: 48 83 ec 08           sub    $0x8,%rsp
  400529: 80 3d 00 0b 20 00 00 cmpb   $0x0,0x200b00(%rip)        # 601030 <__bss_start>
  400530: 75 4b                 jne    40057d <__do_global_dtors_aux+0x5d>
  400532: bb 40 0e 60 00       mov    $0x600e40,%ebx
  400537: 48 8b 05 fa 0a 20 00 mov    0x200afa(%rip),%rax        # 601038 <dtor_idx.6559>
  40053e: 48 81 eb 38 0e 60 00 sub    $0x600e38,%rbx
  400545: 48 c1 fb 03           sar    $0x3,%rbx
  400549: 48 83 eb 01           sub    $0x1,%rbx
  40054d: 48 39 d8             cmp    %rbx,%rax
  400550: 73 24                 jae    400576 <__do_global_dtors_aux+0x56>
  400552: 66 0f 1f 44 00 00     nopw   0x0(%rax,%rax,1)
  400558: 48 83 c0 01           add    $0x1,%rax
  40055c: 48 89 05 d5 0a 20 00 mov    %rax,0x200ad5(%rip)        # 601038 <dtor_idx.6559>
  400563: ff 14 c5 38 0e 60 00 callq  *0x600e38(,%rax,8)
  40056a: 48 8b 05 c7 0a 20 00 mov    0x200ac7(%rip),%rax        # 601038 <dtor_idx.6559>
  400571: 48 39 d8             cmp    %rbx,%rax
  400574: 72 e2                 jb     400558 <__do_global_dtors_aux+0x38>
  400576: c6 05 b3 0a 20 00 01 movb   $0x1,0x200ab3(%rip)        # 601030 <__bss_start>
  40057d: 48 83 c4 08           add    $0x8,%rsp
  400581: 5b                   pop    %rbx
  400582: c9                   leaveq 
  400583: c3                   retq   
  400584: 66 66 66 2e 0f 1f 84 data32 data32 nopw %cs:0x0(%rax,%rax,1)
  40058b: 00 00 00 00 00 

0000000000400590 <frame_dummy>:
  400590: 48 83 3d b0 08 20 00 cmpq   $0x0,0x2008b0(%rip)        # 600e48 <__JCR_END__>
  400597: 00 
  400598: 55                   push   %rbp
  400599: 48 89 e5             mov    %rsp,%rbp
  40059c: 74 12                 je     4005b0 <frame_dummy+0x20>
  40059e: b8 00 00 00 00       mov    $0x0,%eax
  4005a3: 48 85 c0             test   %rax,%rax
  4005a6: 74 08                 je     4005b0 <frame_dummy+0x20>
  4005a8: bf 48 0e 60 00       mov    $0x600e48,%edi
  4005ad: c9                   leaveq 
  4005ae: ff e0                 jmpq   *%rax
  4005b0: c9                   leaveq 
  4005b1: c3                   retq   
  4005b2: 90                   nop
  4005b3: 90                   nop

00000000004005b4 <main>:
  4005b4: 55                   push   %rbp
  4005b5: 48 89 e5             mov    %rsp,%rbp
  4005b8: 48 83 ec 10           sub    $0x10,%rsp
  4005bc: b8 fc 06 40 00       mov    $0x4006fc,%eax
  4005c1: 48 89 c7             mov    %rax,%rdi
  4005c4: b8 00 00 00 00       mov    $0x0,%eax
  4005c9: e8 ba fe ff ff       callq  400488 <printf@plt>
  4005ce: b8 0e 07 40 00       mov    $0x40070e,%eax
  4005d3: 48 8d 55 fc           lea    -0x4(%rbp),%rdx
  4005d7: 48 89 d6             mov    %rdx,%rsi
  4005da: 48 89 c7             mov    %rax,%rdi
  4005dd: b8 00 00 00 00       mov    $0x0,%eax
  4005e2: e8 d1 fe ff ff       callq  4004b8 <__isoc99_scanf@plt>
  4005e7: 8b 45 fc             mov    -0x4(%rbp),%eax
  4005ea: 3d 00 04 00 00       cmp    $0x400,%eax
  4005ef: 75 0c                 jne    4005fd <main+0x49>
  4005f1: bf 11 07 40 00       mov    $0x400711,%edi
  4005f6: e8 9d fe ff ff       callq  400498 <puts@plt>
  4005fb: eb 0a                 jmp    400607 <main+0x53>
  4005fd: bf 1a 07 40 00       mov    $0x40071a,%edi
  400602: e8 91 fe ff ff       callq  400498 <puts@plt>
  400607: b8 00 00 00 00       mov    $0x0,%eax
  40060c: c9                   leaveq 
  40060d: c3                   retq   
  40060e: 90                   nop
  40060f: 90                   nop

0000000000400610 <__libc_csu_init>:
  400610: 48 89 6c 24 d8       mov    %rbp,-0x28(%rsp)
  400615: 4c 89 64 24 e0       mov    %r12,-0x20(%rsp)
  40061a: 48 8d 2d 03 08 20 00 lea    0x200803(%rip),%rbp        # 600e24 <__init_array_end>
  400621: 4c 8d 25 fc 07 20 00 lea    0x2007fc(%rip),%r12        # 600e24 <__init_array_end>
  400628: 4c 89 6c 24 e8       mov    %r13,-0x18(%rsp)
  40062d: 4c 89 74 24 f0       mov    %r14,-0x10(%rsp)
  400632: 4c 89 7c 24 f8       mov    %r15,-0x8(%rsp)
  400637: 48 89 5c 24 d0       mov    %rbx,-0x30(%rsp)
  40063c: 48 83 ec 38           sub    $0x38,%rsp
  400640: 4c 29 e5             sub    %r12,%rbp
  400643: 41 89 fd             mov    %edi,%r13d
  400646: 49 89 f6             mov    %rsi,%r14
  400649: 48 c1 fd 03           sar    $0x3,%rbp
  40064d: 49 89 d7             mov    %rdx,%r15
  400650: e8 0b fe ff ff       callq  400460 <_init>
  400655: 48 85 ed             test   %rbp,%rbp
  400658: 74 1c                 je     400676 <__libc_csu_init+0x66>
  40065a: 31 db                 xor    %ebx,%ebx
  40065c: 0f 1f 40 00           nopl   0x0(%rax)
  400660: 4c 89 fa             mov    %r15,%rdx
  400663: 4c 89 f6             mov    %r14,%rsi
  400666: 44 89 ef             mov    %r13d,%edi
  400669: 41 ff 14 dc           callq  *(%r12,%rbx,8)
  40066d: 48 83 c3 01           add    $0x1,%rbx
  400671: 48 39 eb             cmp    %rbp,%rbx
  400674: 72 ea                 jb     400660 <__libc_csu_init+0x50>
  400676: 48 8b 5c 24 08       mov    0x8(%rsp),%rbx
  40067b: 48 8b 6c 24 10       mov    0x10(%rsp),%rbp
  400680: 4c 8b 64 24 18       mov    0x18(%rsp),%r12
  400685: 4c 8b 6c 24 20       mov    0x20(%rsp),%r13
  40068a: 4c 8b 74 24 28       mov    0x28(%rsp),%r14
  40068f: 4c 8b 7c 24 30       mov    0x30(%rsp),%r15
  400694: 48 83 c4 38           add    $0x38,%rsp
  400698: c3                   retq   
  400699: 0f 1f 80 00 00 00 00 nopl   0x0(%rax)

00000000004006a0 <__libc_csu_fini>:
  4006a0: f3 c3                 repz retq 
  4006a2: 90                   nop
  4006a3: 90                   nop
  4006a4: 90                   nop
  4006a5: 90                   nop
  4006a6: 90                   nop
  4006a7: 90                   nop
  4006a8: 90                   nop
  4006a9: 90                   nop
  4006aa: 90                   nop
  4006ab: 90                   nop
  4006ac: 90                   nop
  4006ad: 90                   nop
  4006ae: 90                   nop
  4006af: 90                   nop

00000000004006b0 <__do_global_ctors_aux>:
  4006b0: 55                   push   %rbp
  4006b1: 48 89 e5             mov    %rsp,%rbp
  4006b4: 53                   push   %rbx
  4006b5: 48 83 ec 08           sub    $0x8,%rsp
  4006b9: 48 8b 05 68 07 20 00 mov    0x200768(%rip),%rax        # 600e28 <__CTOR_LIST__>
  4006c0: 48 83 f8 ff           cmp    $0xffffffffffffffff,%rax
  4006c4: 74 19                 je     4006df <__do_global_ctors_aux+0x2f>
  4006c6: bb 28 0e 60 00       mov    $0x600e28,%ebx
  4006cb: 0f 1f 44 00 00       nopl   0x0(%rax,%rax,1)
  4006d0: 48 83 eb 08           sub    $0x8,%rbx
  4006d4: ff d0                 callq  *%rax
  4006d6: 48 8b 03             mov    (%rbx),%rax
  4006d9: 48 83 f8 ff           cmp    $0xffffffffffffffff,%rax
  4006dd: 75 f1                 jne    4006d0 <__do_global_ctors_aux+0x20>
  4006df: 48 83 c4 08           add    $0x8,%rsp
  4006e3: 5b                   pop    %rbx
  4006e4: c9                   leaveq 
  4006e5: c3                   retq   
  4006e6: 90                   nop
  4006e7: 90                   nop

.text houses the executable code in the ELF binary. This is followed by

Disassembly of section .fini:

00000000004006e8 <_fini>:
  4006e8: 48 83 ec 08           sub    $0x8,%rsp
  4006ec: e8 2f fe ff ff       callq  400520 <__do_global_dtors_aux>
  4006f1: 48 83 c4 08           add    $0x8,%rsp
  4006f5: c3                   retq   

Now what is important to us is the executable code. We see that .text has been divide into lot of formats like 

00000000004004d0 <_start>:

0000000000400590 <frame_dummy>:

00000000004005b4 <main>:

These represent the functions created by the user and the compiler so as to link the program to run the shared code and also run the program over the OS. As there is no other function that seems to be created by the programmer lets check out 00000000004005b4 <main>:

On close observation we spot a instruction 

4005ea: 3d 00 04 00 00        cmp    $0x400,%eax 

It is preceded by 

4005e2: e8 d1 fe ff ff        callq  4004b8 <__isoc99_scanf@plt>
4005e7: 8b 45 fc              mov    -0x4(%rbp),%eax

And followed by

 4005ef: 75 0c                 jne    4005fd <main+0x49>
  4005f1: bf 11 07 40 00        mov    $0x400711,%edi
  4005f6: e8 9d fe ff ff        callq  400498 <puts@plt>
  4005fb: eb 0a                 jmp    400607 <main+0x53>
  4005fd: bf 1a 07 40 00        mov    $0x40071a,%edi
  400602: e8 91 fe ff ff        callq  400498 <puts@plt>
  400607: b8 00 00 00 00        mov    $0x0,%eax

With enough common sense we can understand that this code is directly after scanf function and also prints over to the screen based on the compare instruction. 

4005ea: 3d 00 04 00 00        cmp    $0x400,%eax 

Compares contents of register %eax to 0x400. And if true branches to 0x4005fd

4005ef: 75 0c                 jne    4005fd <main+0x49>

Where it calls printf function (puts@plt ( putstring) )

  4005fd: bf 1a 07 40 00        mov    $0x40071a,%edi
  400602: e8 91 fe ff ff        callq  400498 <puts@plt>
  400607: b8 00 00 00 00        mov    $0x0,%eax

If the comparison is wrong it moves on linearly in the code, where it calls printf again

  4005f1: bf 11 07 40 00        mov    $0x400711,%edi
  4005f6: e8 9d fe ff ff        callq  400498 <puts@plt>
  4005fb: eb 0a                 jmp    400607 <main+0x53>

And then jumps of to 0x400607(Standard way of implementation of "if-else" statement by compiler), so as to avoid execution of the other printf function.

So our program compares the number 0x400 and prints accordingly. So the password must be 0x400 or 1024 if it is not altered by any function in between. And we see that no manipulation has been done in between. So straightaway try 1024 as the password.

Enter Password:-1024
correct!

Congratulations! you successfully reverse engineered the binary and cracked the password, of course we knew it beforehand. For further reading on ELF (widely used executable format of present day ) see http://www.acsu.buffalo.edu/~charngda/elf.html

Wednesday, May 16, 2012

Android Web Server using "lophttpd"

Android platform can be easily altered to meet most of our specifications. Today we'll launch a web server from an Android phone. We need

Decompress the binaries from their tar files

Use winrar in windows or if you are on terminal emulator, navigate to the folder where you have downloaded the binaries

$cd /sdcard/<folder-housing-.tar-file-downloaded-from-net>

and type 

$tar -x -f lhttpd-android-bin-0.tar

Incase it doesn't work try

$su
#tar -x -f lhttpd-android-bin-0.tar

or

$su
#busybox tar -x -f lhttpd-android-bin-0.tar


Now we have to get the binaries into the phone. Use adb push if you are on Command Prompt

C:\<path-to-android-sdk>\platform-tools>adb.exe push C:\<path-to-decompressed-binaries-folder>\lhttpd /data/local/tmp


Or else if you already have path variable pointing to Android SDK


C:>adb.exe push C:\<path-to-decompressed-binaries-folder>\lhttpd /data/local/tmp




or else cp it using Terminal Emulator.

$su
#cd /sdcard/<folder-housing-lhttpd-binaries>/lhttpd
#cp lhttpd /data/local/tmp

or else 

$su
#cp /sdcard/<path-to-decompressed-binaries/lhttpd /data/local/tmp


If you are on Command Prompt get adb shell. Connect your phone to computer using usb cable. Make sure you have enabled USB debugging. you'll find it under Settings > Applications > Development


C:\<path-to-android-sdk>\platform-tools>adb.exe shell


or if path variable exists


C:\>adb.exe shell

you must now get $ prompt. Enter root by typing


$su
#


Now whatever you are using you have access to the root shell. Change to the directory /data/local/tmp


#cd /data/local/tmp

Now lets run our web server


#./lhttpd -u root -i -R /sdcard -p 8000 -q





-p 8000 refers to the broadcast port and -q refers to quite mode. For more details type


#./lhttpd

Now got to your browser on mobile and type


http:/localhost/

or


http:/127.0.0.1/


You must see this screen


Now if you are connected to internet on a data pack. Go to http://www.whatsmyip.org/ and copy down your IP.


Or enable Wi-Fi hotspot on your phone. You must find it in Settings > Wireless and Networks > Tethering & portable hotspot


Now open Terminal Emulator and type

#netcfg


Copy down IP address against wl0. Now connect your computer to the hotspot or Get it online and type in the IP address in the address bar.

http:/<your-IP-address>:8000

or

http:/<your-IP-address>:<port>


Now that you have your own webserver. This thing is safe as it runs in a chroot ed  environment. But I wouldn't recommend running it for long times as it isn't safe.

Incase you want to take a look at the source