I recently bought a T-Mobile G1 and I have been looking at learning how to write applications for it. I thought I would put up a quick tutorial on how to add text-to-speech capabilities to the translation application. The translation application was written by Cédric Beust.

Preliminaries:

Download and install the Android Software Development kit from here:

http://code.google.com/android/intro/installing.html

Information about using the Text-to-speech API can be found here:

http://eyes-free.googlecode.com/svn/trunk/documentation/tutorial/tutorial.html

Information about the Translation application can be found here:

http://beust.com/weblog/archives/000500.html

You can find information and source-code for applications that people from Google have written for Android here: http://code.google.com/p/apps-for-android/

1. Download the source code for the the Translate application.

You can use any svn client that you want to download the source code for the Translator application. I used tortoisecvs. Create a directory somewhere, and download the source code from http://apps-for-android.googlecode.com/svn/trunk/Translate

2. Create a new project in Eclipse

Select File->new->Android Project. Then select the option to "Create a New Project from existing source". Under location, click browse and select the directory where you downloaded the Translator files to. Give the project a name that is meaningful to you. I chose "TranslateActivity2". The other fields are automatically filled in for you.

3. Download the TTS library and add it as an external library

Download the tts library stub from here:

http://eyes-free.googlecode.com/svn/trunk/commonlibs/TTS_library_stub.jar

Go to Project > Properties > Java Build Path > Libraries and click on "Add External JARs..." Then add in the TTS_library_stub.jar file.

4. Edit the source code to use the TTS library

In the TranslateActivity.java file make the following changes:

In the imports section, add

import com.google.tts.TTS;

After the line "public class TranslateActivity extends Activity implements OnClickListener {" add a line that says:

private TTS myTts;

In the "onCreate(Bundle icicle)" method add:

myTts = new TTS(this, ttsInitListener, true);

After the oncreate method add:

private TTS.InitListener ttsInitListener = new TTS.InitListener() { public void onInit(int version) { } };

In the "doTranslate" method, after "setOutputText(result);" add:

myTts.speak(result, 0, null);

In the "setNewLanguage" method, add:

if(from) { if(language.getShortName().contains("zh")) myTts.setLanguage("zh"); else myTts.setLanguage(language.getShortName()); }

Conclusion

In this quick tutorial, I have shown you how to add speech to a real application using the text to speech library. I hope you have found it useful. Also, I hope they will include text to speech in a future version of the Translate application.

There has recently been a lot of discussion about Microsoft's User Access Control (UAC).

In Windows Vista, all programs run with lower privileges by default, even when ran by an administrator. The idea is that if you want to run a program as an administrator, Vista will prompt the user and ask them if they really want to allow it to run with higher privileges.

Some recent Blog's have pointed out some implementation flaws with this. See:

http://www.symantec.com/enterprise/security_response/weblog/2007/02/an_example_of_why_uac_prompts.html

The gist of it is that in order to help the user make an informed decision, Vista will display a different color on the UAC dialog box. Blue is supposed to mean that the application is signed by Microsoft. A sort of yellow-orange color means that the application is completely untrusted.
As it turns out, if you can get a user to run your executable (which hopefully isn't all that trivial in the first place) you can make the dialog box indicate that the application is digitially signed by Microsoft, but still run arbitrary code. The approach that the people above pointed out was to use a program called RunLegacyCPLElevated, which is designed to run legacy control panels with administrator privileges. To make this work, you have to compile a DLL as a control Panel.

That's not all that difficult, but why bother. It's just as easy to create a shortcut to command.exe. Then go into the properties and add

"\K echo Hello %username%"

or whatever arbitrary thing you want to do there. Then click on the advanced button and select "Run as administrator". Now, if you double click on that shortcut, it will ask the user if they want to run the "Windows Command Processor" with elevated privileges or not. The dialog will indicate that it is digitally signed by Microsoft, and will be a happy blue color indicating that all is well with the world. But, if the user allows it to run, it will run arbitrary commands with administrative privileges.

Is the sky really falling?

No. Not really. In Windows XP, if the user were running as an administrator, and he/she double-clicked a program that I gave them, then the game was pretty much over right there. If they were a regular user, then my program would be somewhat limited as to what it could do. I might be able to fool the user to use runas to run my program as administrator, but if I did, they wouldn't have any particular indication as to whether or not it was good or bad.

In Windows Vista, if you are running as a regular unprivileged user, you would have to enter the username and password of a privileged user in order to run something with escalated privileges. However, by default, Windows Vista prompts you to create a single user when you install it, and puts that user into the administrator's group. So, for the average home user, they would have to accept the UAC prompt, but they would not have to enter a password.

In conclusion, it is possible for an application in Windows Vista to make the user think it is safer than it actually is. If a user can be tricked into running something, they should pay attention to what it is that they are running and not just relay on the color of the UAC dialog box. In short, Vista is more secure than XP, but the additional security features in this case, are a heuristic, and not a foolproof prevention for user stupidity...

If you haven't checked out eEye's newly released tools, you'll want to head over to http://research.eeye.com/html/tools/ and check them out.

One of the more interesting tools they have there is SYSRQ2.

The ISO image for SysRQ2 is so small, I am not sure why they bothered to zip it up. Anyway, they describe it as:

SysRq is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the "create CD from ISO image" feature of your preferred CD burning software to create a bootable SysRq CD.

I was testing SysRQ2 yesterday and had mixed results. I was able to get it work on a Windows 2000 machine (and even one that used a very modified DII COE version of Windows 2000). Anyway, when I tested it on a Dell Latitude laptop running XP SP2 (and fully patched, I believe) it took a really long time to boot up, the screen went black for a long time, and then it blue screened with a “Stop C000021a” error.

But, on Windows XP, you can always use the trusty sethc.exe trick I mentioned a while back when reviewing Backtrack. But, hopefully, they will either fix it, or it will turn out to be an anomly resulting in my unique set of hardware and software.

Another tool they have that looks promising is the eEye Binary Diffing Suite(EBDS). I haven't gotten a chance to play with this yet. I think the Metasploit project is working on something similar.

So, H.D. Moore (you know, from the Metasploit project) has been up to a lot of Web Browser Fuzzing lately. He is publishing a browser bug a day at: http://browserfun.blogspot.com. He has several tools for browser fuzzing including hamachi , CSS-Die, Dom-Hanoi. And then, long ago someone had invented Magle-me.

One of the problems with web browser fuzzing is that the scripts take so long to execute that the browser keeps prompting you asking if you want to continue the script. Luckily, in Mozilla Firefox, there is a way to disable this. just go to about:config. This will bring up all of the advanced configuration options for Mozilla Firefox. Setting dom.max_script_run_time to zero should make Firefox run smoothly without complaining.

Under Internet Explorer, you should be able to disable the script timeout by going to HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Styles. (Create that if it doesn't exist.) Create a new DWORD value called "MaxScriptStatements" under this key and set the value to the desired number of script statements. By setting this number to an astronomically high number, you should be able to (mostly) avoid the annoyance of having to keep telling the script to continue all the time.

I haven't fully tested this yet. So, let me know if it works or not for you.

Oh, and this can have bad side effects for you if the javascript has an infinite loop in it, it will probably just lock up your web browser (at least with firefox). You could also considering setting the timeout to a really high value in Mozilla Firefix instead of zero, which is unlimited.

With other browsers, you are on your own.

I just got my registration confirmation to Black Hat. So, if anyone is actually reading this thing, who is going to Black Hat and you want to have a beer or talk about hacking or whatever let me know. Email me at justfriends4n0w [at] yahoo.

WSH stands for Windows Script Host. It is a way of automating various Windows tasks.

I was playing around with it today and thought I'd post something on how useful it is.

For example, you can open IE and make it open a certain web page like this:

---

' ie.vbs

' version 0.1 justfriends4n0w@yahoo.com
'Opens Internet explorer and goes to foo.com
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "iexplore.exe"
WScript.Sleep 800

WshShell.SendKeys "%f{down}{enter}"

' Enter a url to go to and OK
WshShell.SendKeys "www.rhce2b.com{enter}"

---

All this does is open Internet Explorer and send a bunch of keystrokes to it. I was thinking of maybe using this approach to write a simple HTML fuzzer. I could generate a file and then use this to open the file.

Another thing you can automate is sending an e-mail in Micrsoft Outlook. Interestingly enough, if you have the option set to automatically sign outgoing mail, and you have recently sent mail, this script will sent mail that is signed by you.

---

' outlook.vbs

' version 0.1 justfriends4n0w@yahoo.com
'Opens outlook and sends a mail

set WshShell = CreateObject("WScript.Shell")
WshShell.Run "outlook.exe"
WScript.Sleep 1500

WshShell.SendKeys "%nm"
WScript.Sleep 200

'to:
WshShell.SendKeys "foo@foobar.com{tab}"
'note: the first time you hit tab in an address field it just resolves names and doesn't tab out of the field...
WScript.Sleep 200
'CC:
WshShell.SendKeys "{tab}{tab}"
'subject:
WshShell.SendKeys "Test{tab}"
'text of message:
WshShell.SendKeys "This was sent by a script impersonating Randy..."

'Here is how to insert a file

WshShell.SendKeys "%il"

'file name

WshShell.SendKeys "C:\Documents and Settings\icarus\Desktop\ol.txt{enter}"

'Send message
WshShell.SendKeys "%s"

---

I saw a paper somewhere about using scripts like this to open personal firewall configuration programs and send the keystrokes to disable them, or even add new firewall rules.

Anyway, there is a lot of fun things to do with this. And after about 5 minutes of playing with it, you will get the hang of it.