Standard Mischief

*nix mischief: The “Button Guy” sends me an April Fool’s Joke

For March 31, the “Button Guy” over at http://www.biggiantbutton.com/ (which is a big flash app which every day links to a new site) linked to my blog buddy, Jacqueline Mackie Paisley Passey. To tell you the truth, I think the idea is pretty silly, and I said so over there, but he has done something cool to earn himself a linkback. What follows is some basic standard *nix mischief.

I grabbed the flash file off his server using cURL and saved myself a copy:


standardmischief $ curl http://www.biggiantbutton.com/button.swf -o button.swf

Then I used a program called flasm to peek inside it:

standardmischief $ flasm -d button.swf|less

That should give you an idea of what’s inside that little app. I think it looks on your local system for the day of the month and then sends you somewhere based on a table inside the app. You can see it if you do something like this:

standardmischief $ flasm -d button.swf|grep -o 'http:[-a-zA-Z0-9/\._]*'|head -n31

Did you follow that? Good, OK, then I got this obvious “sock puppet” comment here:

“Hey there, stumbled onto your blog via the blog linked from the Big Giant Button today.

…”

Umm, OK, Hi Jay Button Guy. You do know that nowhere in the world is it April 1st yet, so that big button should not have sent you here yet unless your clock is off.

Suspecting a joke, I grabbed his flash file again, naming it differently this time:

standardmischief $ curl http://www.biggiantbutton.com/button.swf -o button2.swf

This is where he earned the linkback. Using the flasm line above, I got the same output as before, but the original files are different:

standardmischief $ md5sum button.swf
23fbd93380ce9dcd7ce7455abe605842 button.swf

standardmischief $ md5sum button2.swf
fbb59a2e1792dd06cd3940cf0b7d07f6 button2.swf

There’s an extra 220 bytes too:

standardmischief $ la button*
-rw-r--r-- 1 standard mischief 35348 2006-03-31 20:10 button2.swf
-rw-r--r-- 1 standard mischief 35128 2006-03-31 10:02 button.swf

So I assumed that he spoofed my regex expression [-a-zA-Z0-9/\._]* with something like this:

http://www.joecartoon.com@standardmischief.com

Which should send you back here. But that does not seem to be the case. I’m also not 100% sure that he really did link to me, or whether that is further part of the joke.
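The truncation suspected above can be checked directly: the character class in the grep has no @, so a URL carrying a userinfo part is cut off before the host that is actually contacted. The sketch below is an added example, not part of the original post; audit_urls, the wider pattern and the sample strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The pattern from the post's grep. Its character class has no '@',
# so matching stops right before a userinfo separator.
POST_PATTERN = re.compile(r"http:[-a-zA-Z0-9/\._]*")

# Wider pattern (an assumption of this example): everything up to
# whitespace, a quote or an angle bracket.
WIDE_PATTERN = re.compile(r"https?://[^\s'\"<>]+")


def audit_urls(text):
    """Return (url, narrow_view, real_host, has_userinfo) per URL found."""
    findings = []
    for match in WIDE_PATTERN.finditer(text):
        url = match.group(0)
        narrow = POST_PATTERN.match(url)
        narrow_view = narrow.group(0) if narrow else ""
        parts = urlsplit(url)
        # Everything before the last '@' in the authority is userinfo;
        # the host that gets contacted is what follows it.
        has_userinfo = "@" in parts.netloc
        findings.append((url, narrow_view, parts.hostname, has_userinfo))
    return findings


# Constructed sample shaped like decompiler string constants;
# not taken from button.swf.
SAMPLE = """
push 'http://www.example.org/page.html'
push 'http://www.joecartoon.com@standardmischief.com'
"""

if __name__ == "__main__":
    for url, narrow_view, host, flagged in audit_urls(SAMPLE):
        note = "USERINFO" if flagged else "ok"
        print(f"{note:8} grep shows {narrow_view!r}, real host {host!r}")
```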

Really gives that old gray matter a workout.

Because the decompiler output matches exactly (except for the filename):

standardmischief $ flasm -d button.swf> button.txt
standardmischief $ flasm -d button2.swf> button2.txt
standardmischief $ diff button.txt button2.txt
1c1
< movie 'button.swf' compressed // flash 7, total frames: 1, frame rate: 12 fps, 550x400 px
---
> movie 'button2.swf' compressed // flash 7, total frames: 1, frame rate: 12 fps, 550x400 px

I’m guessing that he threw in some kind of junk that breaks the Flash standard, but that’s just a Wild Ass Guess right now. Updates, if any, to follow.
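One way to narrow down a mismatch like this is to compare the inflated payloads of the two files, since flasm reports both as compressed and the stored bytes can differ while the tag stream does not. The sketch below is an added example, not part of the original post; the function names and sample files are constructed, and it makes no claim about what actually differed in button.swf.

```python
import struct
import zlib


def swf_body(data):
    """Return (body, trailing, declared_len) for an SWF file image."""
    sig, declared = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":                        # stored uncompressed
        return data[8:], b"", declared
    if sig != b"CWS":                        # CWS = zlib-compressed body
        raise ValueError("not an FWS/CWS file")
    inflater = zlib.decompressobj()
    body = inflater.decompress(data[8:]) + inflater.flush()
    # unused_data holds any bytes that follow the end of the zlib stream.
    return body, inflater.unused_data, declared


def compare_swf(a, b):
    """Say where two SWF images differ: container bytes, payload, or both."""
    body_a, trail_a, len_a = swf_body(a)
    body_b, trail_b, len_b = swf_body(b)
    return {
        "files_identical": a == b,
        "payload_identical": body_a == body_b,
        "trailing_bytes": (len(trail_a), len(trail_b)),
        # The header length field counts the 8-byte header plus the body.
        "length_field_ok": (len_a == 8 + len(body_a), len_b == 8 + len(body_b)),
    }


def make_cws(body, level, trailing=b""):
    """Build a constructed CWS image (version 7) for the demonstration."""
    header = b"CWS" + bytes([7]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body, level) + trailing


# Constructed payload; not real SWF tags and not taken from button.swf.
BODY = b"constructed tag stream " * 200
FIRST = make_cws(BODY, 9)
RECOMPRESSED = make_cws(BODY, 1)                   # same payload, other deflate output
PADDED = make_cws(BODY, 9, trailing=b"\x00" * 16)  # bytes after the zlib stream

if __name__ == "__main__":
    print(compare_swf(FIRST, RECOMPRESSED))
    print(compare_swf(FIRST, PADDED))
```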

Update: Sorry about the crappy whitespace around the code examples. I can’t figure out the style sheet right now to fix it. Bash can ignore extra whitespace, I hope you can too.

Update: What a letdown! See the comments.

2006-03-31 22:32 by Standard Mischief, Filed under: don't try this at home, payola free reviews

Comments

  1. Jay Moonah Says :

    Okay dude, so 2 things:

    1) What I said in my comment, which was meant to be a minor ruse to the fact that I am indeed responsible for said button (not a big secret really, a quick WHOIS of the domain would reveal it), was actually this:

    “Hey there, stumbled onto your blog VIA THE BLOG linked from the Big Giant Button today.” (note the added capitals).

    In other words, I got to your blog via Jacqueline’s blog, which is in fact (at least here in EST) linked from the Big Giant Button. Which, incidentally, is absolutely true – I did click on the button today (a number of times) to get to Jacqueline’s blog, and I saw your comments and link there, which led me here.

    What I DID NOT say was that I was going to link to you April 1 or any other day. I just want to be clear on this.

    2) You are obviously SO utterly hardcore for going to all this trouble to figure all this shit out – backward compiling an SWF file to find the links from my big goofy button?!? Get the hell out of here!!!

    Anyway, after all that I probably WILL link the button to you anyway at some point. Maybe not today. Maybe not tomorrow. But some day. Stay tuned. ;-)

    Happy (early) April Fools!
    - J.
    a.k.a. The Button Guy

    2006-04-01 00:13 Permalink
  2. Standard Mischief Says :

    You are obviously SO utterly hardcore for going to all this trouble to figure all this shit out – backward compiling an SWF file to find the links from my big goofy button?!? Get the hell out of here!!!

    Actually that was the easy part. That took about 15 minutes. 1. Quick search 2. Downloaded one file 3. Unpack it 4. Skim the documentation 5. write one line of code, refining the regex once. Done.

    The tough part is figuring out what’s up with the md5sum differences on files snatched 10 hours apart. Like I said, when decompiled there was no difference in the source. Got any clue?

    “Hey there, stumbled onto your blog VIA THE BLOG linked from the Big Giant Button today.” (note the added capitals).

    Well that’s a big letdown. I suppose I was skimming again. Too many blogs. You know, you were a whole lot more interesting when I thought you inserted protected code in your SWF source as a last minute April Fool’s joke for me. I may even have to revoke that link. Some fluke sent me off down a blind alley here. This, I wasted 2.5 hours on, but I suppose I refined some mad skillz with hd, diff, and cmp, so it’s not a total waste.

    2006-04-01 01:48 Permalink
  3. Standard Mischief Says :

    Oh yea, Jay, why the heck are you planning on linking to this blog:

    http://ein-neger-mit-gazelle-zagt-im-regen-nie.de/

    next Sunday? He has not updated in over 90 days. Surely my blog is bunches more interesting than that crap.

    http://www-cse.ucsd.edu/~bsy/coke.html (for next tuesday)

    This is a dead page. You can find it at archive.org, but there are much better pages on coke machines that you can finger. Just Google it. Plus, a network accessible coke machine is so very 1979.

    http://whipup.net/ (saturday, April 8th)

    Crafts? WTF? Are you yanking this stuff out of a hat?

    http://www.jesusdressup.com/ (April 15)

    Sweet Jesus, do you know what day this is? This is Buy A Gun Day! Try linking to http://aarons.cc/category/memes/buy-a-gun-on-april-15/ instead.

    http://www.xe.com/ucc/ (April 19)

    Well this is about money, but you put it on the wrong day. April 19 is the day set aside for that politically incorrect day with the patriotic name. http://en.wikipedia.org/wiki/Patriots_Day “Shot heard ’round the world”

    2006-04-01 02:52 Permalink
  4. Jay Moonah Says :

    Yeah, some of those are placeholders. I was actually trying to find a real Coke machine that is still linked, although most of them seem to be dead now. We may have to find something different to do with that day. This stuff isn’t necessarily meant to be cutting edge, the point of the Coke machine thing was to show an old-school Internet hacker meme that seems to be a dying breed. Dead perhaps, based on my inability to find one that is consistently live.

    As far as “Buy-A-Gun” day and “Patriots Day”, frankly living here in lovely Toronto we were blissfully unaware of them.

    However there is another anniversary on 15th… something that millions of people all over the world believe about some guy who would have spent all of a particular Saturday about 2000 years ago up on a cross… now THAT’S a crappy Saturday! And he had to wait a whole another day to come down and eat chocolate bunnies and stuff… or something like that, it’s a long time since Sunday school. So I thought, why not liven it up with a game of dress-up? Make a long Saturday go a little quicker.

    Anyway, all this is moot ‘cus we don’t take requests. But hey, thanks for playing along!

    > The tough part is figuring out what’s up with the md5sum differences on files snatched 10 hours apart. Like I said, when decompiled there was no difference in the source. Got any clue?

    Umm, well I don’t know for sure but I’m guessing, as I think I said or at least implied above, it’s ‘cus I didn’t change the file at all during that period. :-P

    Listen, you’re obviously a very smart guy, but you seem to take the long way ’round on things. Here’s a little principle that I’m sure you know about but perhaps should brush up on applying:

    http://en.wikipedia.org/wiki/Occam%27s_Razor

    (And yes, I’m a smartass. Surprise, surprise, the guy who came up with BigGiantButton.com is a smartass.)

    Anyway I still think you’re hardcore and I’m gonna link to you at some point. Probably.

    Cheers,
    - J.

    2006-04-01 10:29 Permalink
