The goal of this blag post is to get a piece of legacy software used by teachers to run under Linux. The software is used to enter pupils' grades into a database.

<img fetchpriority="high" decoding="async" src="https://blag.nullteilerfrei.de/wp-content/uploads/2026/03/Schild-Notenmodul-1024x652.png" alt="Screenshot of running application" width="1024" height="652" class="aligncenter size-large" />

<a href="https://blag.nullteilerfrei.de/2026/03/15/helping-move-the-german-educational-system-to-linux/#more-6172" class="more-link">Would you like to know more?</a>


In this blag post, I will describe how I wrote a config extractor for an obfuscated JavaScript-based GootLoader component. The hard part of automating the config extraction is the obfuscation: the C2 servers are just plain text in the last stage. All <a href="https://github.com/larsborn/gootloader-babel-deobfuscator">code is on GitHub</a> if you are just interested in that.

# Intro

A fellow Cyberian struppigel recently released <a href="https://samplepedia.cc/">Samplepedia</a>, a platform where people can drop SHA256 hashes of files with a description, an analysis goal, and some other metadata. My understanding is that the goal is to finally have a place to find interesting malware to analyze, a question I get asked a lot when teaching reverse engineering. Naturally I picked a task myself and decided to do one involving JavaScript, something I don't have a lot of exposure to as a reverse engineer (I do have some exposure to it as a forward engineer, but that's a different story).

The sample in question is ``1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f`` and the task is:

> Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as helper tool.

I was particularly intrigued because I've recently seen other people be extremely successful leveraging "normal dev tooling" in the JavaScript ecosystem to tackle challenges with JavaScript-based malware.

<a href="https://blag.nullteilerfrei.de/2026/01/18/use-babel-to-deobfuscate-javascript-malware/#more-6162" class="more-link">Would you like to know more?</a>


I've been using a CO2 sensor for a long time now to remind myself to regularly open the window and vent the used-up air. With my recently acquired hobby of home automation, I wanted to get its data into Home Assistant to _automatically_ switch on the ventilation. This blag post documents my journey with a couple of detours and a bit of hacking. <a href="https://blag.nullteilerfrei.de/2025/01/17/my-quest-for-a-reliable-co2-sensor-in-home-assistant/#more-5989" class="more-link">Do you want to know more?</a>


I've recently fallen into the rabbit hole of home automation. The obvious choice is Home Assistant and I've enjoyed the journey a lot so far. This blag post documents my process of automating all those crappy remote-controlled gadgets that accumulated in the house: that cheap light bulb, those cheap fairy lights, or that cheap LED strip … you might know what I mean. The remotes come in all shapes and sizes and are often quite thin, powered by a button cell, and work occasionally. I have a literal box full of them. <a href="https://blag.nullteilerfrei.de/2024/12/22/broadlink-rm4-pro-in-home-assistant-without-the-app/#more-5954" class="more-link">Do you want to know more?</a>


I'm known for my Ghidra stand-up comedy routines. In order to make them enjoyable for everyone in the room, the font size had better not be as tiny as it normally is when you do your day-to-day reverse engineering. There are two places to consider:

1. menus, dialogs, etc.
2. specialized components like the assembly listing view and the decompiler

# Font Size Override

The first can be adjusted by editing the `launch.properties` file, which is normally located in the `support` directory within your Ghidra directory (`C:\Users\born\Programs\ghidra_11.0.1_PUBLIC\support\launch.properties` on my machine). Just add the following somewhere in the file to adjust the font size to 23:

```
VMARGS=-Dfont.size.override=23
```

# Components

In order to adjust the font size in dialogs, I recommend searching the settings dialog ("Edit" -> "Tool Options") for "font". At the time of writing, this involved the following entries (I use 12 for small and 18 for presentations):

* Byte Viewer
* Console
* Decompiler -> Display
* Graph -> Program Graph Display Options -> Miscellaneous
* Listing Display


This blag post covers scanning the Ghidra virtual memory with YARA. <a href="https://blag.nullteilerfrei.de/2023/10/21/ghidra-yara-scanning/#more-5903" class="more-link">Do you want to know more?</a>


This is a quick one: If you are living in Germany but enjoy using a US keyboard layout — for one reason or another — I recommend using the EU keyboard layout instead. <a href="https://blag.nullteilerfrei.de/2023/10/19/advertisement-for-the-eu-keyboard-layout/#more-5901" class="more-link">Do you want to know more?</a>


NSQ is an awesome and extremely simple distributed message queue. You can simply use it by publishing messages — that is arbitrary text, I often use JSON — on a so-called "topic". A second process can then attach to a topic to consume messages on a so-called "channel". Each message is forwarded into each channel (at least once). This blag post covers deployment of NSQ in the simplest scenario: one box running everything. <a href="https://blag.nullteilerfrei.de/2023/10/13/install-nsq-on-debian-with-init-d-and-nginx/#more-5889" class="more-link">Do you want to know more?</a>


Assume you did all the proper and mature building steps for your Symfony application. You have a build environment independent of your development environment. You really made sure all the environment variables like `COMPOSER_NO_DEV` and `NODE_ENV` are set correctly without getting the double negatives confused. And you execute `composer`, `yarn`, and whatnot with all the good switches like `--no-dev`, `--frozen-lockfile`, and `--production`. But you still get the following error message:

```text
Attempted to load class "WebProfilerBundle" from namespace "Symfony\Bundle\WebProfilerBundle". Did you forget a "use" statement for another namespace?
```

Then you _might_ have forgotten to set `APP_ENV="prod"` on the **production system**. It of course makes sense when you think about it. But it always does, once you have figured it out. Anyway: I hope this helps a fellow traveler at some point in the future! ❤️


Just a quick blag for my future self:

```
FOR doc IN coll
    FOR entry IN doc.array
        FILTER entry.field_name != @field_name
    LIMIT @limit
    RETURN DISTINCT doc
```

Didn't give me what I wanted. While slapping `DISTINCT` on the `RETURN` fixed the problem of "I'm getting the same document over and over again", it now doesn't return `@limit` many documents but seemingly a random — but lower — number. What's actually happening here is that the indentation is deceiving: the last two lines should be indented one more.

```
FOR doc IN coll
    FILTER POSITION(doc.array[*].field_name, @field_name) == false
    LIMIT @limit
    RETURN doc
```

Is what I _actually_ wanted.

Edit (2023-04-18): And _now_ I learned that you should actually do this:

```
FOR doc IN coll
    FILTER @field_name NOT IN doc.array[*].field_name
    LIMIT @limit
    RETURN doc
```


The official documentation on ArangoDB usage in Symfony is [literally from 2013](https://www.arangodb.com/2013/03/getting-started-with-arangodb-and-symfony-part1/) and hence targets a pretty old Symfony version. This blag post will cover adding minimal ArangoDB support by hand. The actual database protocol and interaction will be handled by [ArangoDBClient](https://github.com/arangodb/arangodb-php). <a href="https://blag.nullteilerfrei.de/2023/04/04/use-arangodb-in-symfony-without-an-external-bundle/#more-5858" class="more-link">Show me what you've got!</a>


If you want to perform `SOUNDEX` similarity searches with Doctrine in Symfony, you first need to define it as a so-called "DQL User Defined Function". <a href="https://ourcodeworld.com/articles/read/243/how-to-implement-soundex-search-in-mysql-with-doctrine-and-symfony-3">Resources online</a> are a bit dated so I decided to publish this quick blag post. <a href="https://blag.nullteilerfrei.de/2023/01/14/mysql-soundex-function-in-symfony-with-doctrine/#more-5844" class="more-link">That _sounds_ nice, show me more!</a>


When creating invitations to Discord servers – or "guilds" as they seem to be called internally – you can configure some limits. For example, you can limit the number of times a link can be used to join a server or you can configure an expiry date. The default setting for the time limit is 7 days btw, which is why most links are expired when you come back to them after some time. I was in the situation that I wanted to invite a limited number of people to a Discord server and each should only receive a link that can only be used once. So in some sense, I wanted to create personalized invite links, which doesn't seem to be a use case that's supported out of the box. <a href="https://blag.nullteilerfrei.de/2022/11/01/use-python-to-generate-discord-invite-ulrs-en-masse/#more-5832" class="more-link">So let's use Python!</a>