Welcome!

Check out my posts below, I'd love to hear your feedback! You can find my e-mail within my resume.

• Reverse Engineering Netgear's Auth to extend my Meural 18 min read - Aug 4, 2020

  Back in January 2020 I shared a tweet demonstrating a Twilio integration with my Meural Canvas digital picture frame.

  Used #twilio to add SMS to my ⁦@MeetMeural⁩ Canvas today! pic.twitter.com/IRRH9HYV3o

  — Martin Amps (@MartinAmps) January 12, 2020

  In the months since, guests have had a lot of fun with it and it’s been awesome seeing occasional surprise memories from friends pop up. That said, building that integration wasn’t the most straightforward task. I documented the journey (and failures) I took to arrive at the ultimate solution, with the intention of illustrating that reverse engineering is largely about persistence, and full of surprises. Most notably, I did not expect to encounter a dynamically generated virtual machine that generates and injects the headers required to validate authentication requests. I did find reference to Google’s Widevine Content Decryption Module but I’m not certain that technology is in play, or if the code tries to check for its presence at some point.

  Update: Since posting, folks have noted this exact same technology is in use at Nordstrom (https://www.nordstrom.com/mwp/integration/ns_common.js?async) and Target (https://assets.targetimg1.com/ssx/ssx.mod.js).

  Read More
• When HHVM Doesn't Work Quite Right 4 min read - Jul 20, 2015

  Despite generally resisting the hype train, in the past year I’ve jumped onto two relatively new Facebook projects. ReactJS and HHVM. I’m a huge proponent of both and enjoy working with them immensely. Except when I don’t.

  Around 3 months ago I chose HHVM for a new project and was initially very excited by the static analysis tools, built in profiling and great performance. Despite many great examples of HHVM deployments, shortly after deploying to production we started hitting OOMs pretty frequently:

  

  Read More
• Reverse Engineering Shopify Private Apis 6 min read - Mar 1, 2013

  Recently when working to migrate an e-commerce website to the aspiring Shopify Cloud Platform, generating coupon codes through the API was dismissed as being a obvious, simple, and apparently one of the most requested features back in March, 2011.

  Unfortunately, I was wrong. So I contacted their support team to see what’s up!

  

  Thanks for the help, Brian. /s

  Read More
• Hacking Games to Make Them Better 5 min read - Feb 5, 2011

  The duplication of items has been a huge issue in a variety of games, ruining the economy in both official and in particular, private servers. A select few have figured out solutions to this, however the majority of which are offline solutions usually within stored procedures which hasn’t proven too reliable since the database is only amended every 5 minutes by default in Knight Online. As such, we needed to figure out a live way to do it.

  Fortunately, to communicate between the various server files a block of shared memory (or Memory Mapped File) is used. This means tapping into the data isn’t all that difficult. Reversing the structure is much trickier. As such, I’ll provide a near-complete structure below which will serve as a good base for this article.

  Read More
• Native Executable Patching 4 min read - Feb 5, 2011

  I was continuously asked how to apply security patches which were being released, instead of including instructions in each patch that I released I decided to put together a quick general guide. While this guide primarily focuses on Knight Online private server files, it serves as a good example and all terminology and methods will apply.

  To begin, we’ll start with the screen you’ll be prompted with just after you open ebenezer in OllyDbg. I’m using Ollydbg because it’s easier, don’t use a hex editor it’s just silly. Olly will translate opcodes to hex for me and will make far less mistakes! Also note, I’m using the classic version (v1.10 final) - the v2 alpha is becoming increasingly popular and sports some exciting new features and some amazing improvements. So be sure to check it out! (Note: The original images were lost and the updated ones now reflect OllyDBG 2.01).

  Read More
• PHP 5.3.3 x86 Vulnerability 2 min read - Jan 13, 2011

  Recently a new vulnerability has been exposed (and patched) which targets specific platforms as a result of certain assumptions made within the zend core (specifically zend_strtod.c) when handling floating-point arithmetic.

  The issue was only being manifested by gcc builds with -O2 so a recompile could fix it, reportedly -O0 fixes it but I would recommend using -mfpmath=sse which will favour a newer instruction set rather than the older deprecated x87 math instructions. A diff of the new PHP revision revealed the actual commited patch was an additional keyword in a declaration:

  double aadj, aadj1, adj;
  

  vs

  volatile double aadj, aadj1, adj;
  

  The volatile keyword instructs the compiler not to perform optimisations

  Read More