no42 Posted March 8, 2013 (edited)

Produced due to demand: a merge of the multi-duck (former Naked Duck, now known as Detour Duck) and the Twin-Duck firmwares. Duck will initially mount as a Mass Storage Device.

Numlock - triggers payload 1 (inject.bin)
Capslock - triggers payload 2 (inject2.bin)

Due to memory restrictions, as both payloads are loaded into Ducky memory, you are limited to 2048 bytes of instructions! Also only one payload can be triggered, so you have a choice: payload A or payload B. NOT BOTH!!!

Download: http://code.google.com/p/ducky-decode/downloads/detail?name=cm_duck.hex&can=2&q=

~~Snake

Edited March 8, 2013 by midnitesnake
ApacheTech Consultancy Posted March 8, 2013

Jeez, 2KB will be pushing it for most stuff!
h4x0r666 Posted March 8, 2013

How come it has to be so low? Anyway, thanks for merging it! So 2 KB per payload? And so you put it in, and it will automatically start the first inject.bin like the default firmware (I have) does, and then when you want the other one you press capslock? Or will it only start after you pressed something (any inject.bin)? How many lines could a payload of 2 KB contain? o.0
ApacheTech Consultancy Posted March 8, 2013

How many lines depends on the length of the line. You have 2048 bytes. Each character is a byte. Also, DELAY takes up byte space as well. Also, remember that 2049 bytes won't work; if the file says 2KB, make sure it is exactly 2KB. 2047 bytes will read as 1KB.

If, when you put the duck into the PC, NUM_LOCK is enabled, inject.bin will fire. If, when you put the duck into the PC, CAPS_LOCK is enabled, inject2.bin will fire. Take the Duck out and replace it if you want the other script to trigger.
no42 Posted March 8, 2013 (Author)

I currently only have 4096 bytes to work with (TwinDuck); for two payloads, 4096/2 = 2048 bytes. You actually only have 2046, just to prevent one payload overflowing into the other (I have hard-coded \0 (null byte)s at positions 2047 & 2048)! Memory space is tight!!!
ApacheTech Consultancy Posted March 8, 2013

Am I right in thinking then that a single line: DELAY 2046 would fill the memory bank?
no42 Posted March 9, 2013 (Author)

> Am I right in thinking then that a single line: DELAY 2046 would fill the memory bank?

That would be approximately 18 bytes, leaving you with 2028 bytes to play with. Delays are coded in byte form, therefore two bytes hold a maximum of 255 msecs (or micro-secs, I forget).
ApacheTech Consultancy Posted March 9, 2013

Ahh yeah, I forgot it breaks it down into 255ms chunks. "DELAY 260865" would max it out. When you start adding commands in though, it ramps up the byte count a lot.
no42 Posted March 9, 2013 (Author)

2048 bytes should be enough to call an executable. As it triggers on keypress and not time, you don't need the initial long delay. It's enough to use a wmic/for loop to call an exe on the SD card for Windows, and enough to have a payload execute on the SD card in either OSX/Ubuntu. It's OK for a PoC, but I need to know more about the architecture and inner chip workings to possibly increase the memory space (if it is possible???).
ApacheTech Consultancy Posted March 9, 2013

Do you have the datasheet for the chipset it uses?
no42 Posted March 10, 2013 (Author)

Everything is here: http://forums.hak5.org/index.php?/topic/28627-info-how-i-wrote-the-community-edition-firmware/
parkour86 Posted September 8, 2013 (edited)

Does the REM command count towards the byte size, or does the encoder remove those lines before compiling? Also, under properties is it the "Size" or "Size on Disk"? I'm assuming "Size" since it's smaller.

Edited September 8, 2013 by parkour86
no42 Posted September 8, 2013 (Author)

No, as REM instructions are ignored; the calculation is not related directly to the file size (due to blank lines and REM lines). Each keystroke is typically represented as two bytes (in case shift/alt/ctrl is used as a modifier), so both "shift-a" and "a" are represented by 2 bytes. In Twin Duck you can have approximately 4096 bytes or 2048 key presses; as there are two optional payloads in this alpha build, this memory is now halved: 2048 bytes = 1024 key presses for each payload to fit in memory.
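The thread establishes the encoding rules that decide whether a script fits the 2046-byte budget: REM and blank lines cost nothing, every keystroke is 2 bytes (keycode plus modifier), and a DELAY is split into 255 ms chunks of 2 bytes each (so DELAY 2046 costs 18 bytes and DELAY 260865 fills the bank). The following budget estimator is an added example, not code from the thread or from the ducky-decode project; it assumes those rules as stated above, treats any command other than STRING and DELAY as a single key event, and uses a constructed sample script. It is a planning aid for checking a script against the per-payload limit before encoding, not an encoder.

```python
import math

# Encoding rules as described in the thread (assumed to match the encoder of
# the time): keystrokes are 2 bytes, DELAY is chunked into 255 ms pieces of
# 2 bytes each, REM and blank lines are dropped.
BYTES_PER_KEYSTROKE = 2
MAX_DELAY_CHUNK_MS = 255
# Usable bytes per payload in this build: 2048 minus the two null terminators.
PAYLOAD_LIMIT = 2046


def delay_bytes(ms: int) -> int:
    """Bytes a DELAY of `ms` milliseconds occupies once split into 255 ms chunks."""
    if ms <= 0:
        return 0
    return math.ceil(ms / MAX_DELAY_CHUNK_MS) * BYTES_PER_KEYSTROKE


def line_bytes(line: str) -> int:
    """Estimated encoded size of one Ducky Script line."""
    stripped = line.strip()
    if not stripped:
        return 0
    parts = stripped.split(None, 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    if cmd == "REM":
        return 0                      # comments never reach inject.bin
    if cmd == "DELAY":
        return delay_bytes(int(arg))  # one 2-byte record per 255 ms chunk
    if cmd == "STRING":
        return len(arg) * BYTES_PER_KEYSTROKE  # one keystroke per character
    # ENTER, GUI r, CTRL ALT DELETE, ...: a single key event with modifiers
    return BYTES_PER_KEYSTROKE


def estimate_payload(script: str, limit: int = PAYLOAD_LIMIT) -> dict:
    """Total encoded size of a script and whether it fits the per-payload limit."""
    total = sum(line_bytes(line) for line in script.splitlines())
    return {
        "bytes": total,
        "keypresses": total // BYTES_PER_KEYSTROKE,
        "fits": total <= limit,
        "headroom": limit - total,
    }


# Constructed sample script (not a real payload) used to exercise the estimator.
SAMPLE_SCRIPT = """REM constructed example for size estimation only
DELAY 2046
STRING hello
ENTER
"""

if __name__ == "__main__":
    print(estimate_payload(SAMPLE_SCRIPT))
```

The estimate is deliberately conservative: it does not model DEFAULT_DELAY or REPEAT, both of which add records the encoder would emit, so a script that is close to the limit should still be checked against the size of the actual inject.bin produced by the encoder.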