BSides Rochester 2017: Jon Szymaniak: Get Low To All STC STC STC STC
Show transcript [en]
that's another sticker oh yeah this is not more like the song get low get low yeah good date that was that's like two weeks you alright so normally RTC no interest here forever years and they recently moved up Chicago start working for ID seeker my favorite things in life for a minute systems talk to me later and and the whole link thing about this talking from is that recently I have been faced multiple situations with [Music] situations where I had my controller or us to see blue glitter dos where you know selling pile of symbols like strings you know I pieces a like did you know about memory method the thing so you're looking at idea there you
normally see any details but let me see if I can things like some addresses that it doesn't I wanted to find some ways that I can improve my ability to comprehend assembly language what we're saying and I'm the type of person that really prefers to dynamically debug things have friends that are like just amazing at when they find both a pair couple bugs they just look at code and they can fix it and they think of their patients and I don't know I got John the dog has had to write a unicorn based Booker we'll talk about we get corns later so I can interact with interesting pieces of code and if the bootloader is unpacking here
you know maybe decrypting or of decompressing something into Rama Ford execute on and be able to run it to grab it instead of messing around and you know there's tons of tools out there they're awesome and a lot more CTS and things like that and I try a couple but it's really just kind of a matter of like I want to write something to myself so that I can I need to make me know I tweaked it on the fly and that's why the bend there's absolutely awesome tools out there that are probably doing a lot of stuff so we're going to do here is I want to give you like a fuel for something that programming I want to
company big program back now have a lot of programming experience I wanna give you like it if you love it I really wanted to give us talking have you 50 minutes of like both lips to arm assembly but you can I even after I think about more I decided to try and kind of be more high-level coach then a little bit so you know the arm details for the end because time lows and all the way along it kind of exemplify my like we're gonna bike giving approach if you're in a security or you want to get into security more Serpentis you don't want to focus on like things but just like how do I learn and just learn to
learn and know if we're gonna like writing down all the commands people are doing try to run like okay I saw this one time and I remember this thing and now we know how to look it up and now I know how to learn about it and focus on that and then of course good and you term assembly language is new to you it's one give you some context like part over your you know my record controller or whatever and then machine languages the ones and zeros that are executing on that and the bits in an instruction are essentially configuring circuits and logic within some you know units and then ship to describe an instruction to
perform so the humans it's kind of going to work with we have some language which is a little bit easier that's got some onyx describe the instruction and then the assemblers will give us things and then on top of that we have quote-unquote high-level languages like C C++ if you look at this diagram in a textbook it's almost like Fortran and stuff do and then they usually stop there and then I just added higher-level languages so we have you know if you have like interpreted languages Ruby Python so we're gonna be there so I want to start with this kind of intro or the interview from somebody any computer architecture and try to do this from one
kind of a machine agnostic perspective so you can just get a sense of how things are going and you can apply that knowledge to specific architectures later so when you're executing on that machine there's this notion of effect fetch decode and execute cycles oilier so there's a register called a program counter metal is the address of what the instruction is you're executing and then go get loaded into something called a memory address register so I show about there and don't worry about right now and why that's our difference in one that we later but just know we're going into memory and we're going to take the the the instruction out of memory and sort of register and the register is
it's a one word location for the CPU needs to soul storage location and very fast access only going out to memory as costlier than going out to extraordinary time and stuff so you going in that instruction and then we read it out into instruction register so now it's there so we going on our next page decode cycle so you're going to take the instruction and they're going to go into like different parts of a circuit that will describe some logic that essentially controls everything else in the machine to perform that operation and that maybe configures the register is to select them and things like that and then we're gonna execute the instruction and there so it's usually
referred to as an arithmetic logic unit it's carpet a copper ations they can do it and you're really a lot of things like that and you see this kind of like Emory loom and in the middle what's going on there is something you'll see this fetch decode execute some panels would like a medal of stuff where you might have to link below in for memory so if you're like indexing into an array that's like kind of load that confidence for memory Louis I kind of miss annotate that way and then in the right back there's a stage where you know we've gotta do something with other about what so you may sort of a memory
data register your program counter so they kind of see why you know so okay I've got this any of us some machine and what operations that we need to do something useful so you need you know operations you add subtract multiply by so we got a times B shift - right - does anyone know what each it the right to implements that by four it's a free sticker to someone else other than Frank later I would try thrown them out that's more bit a logical if a is true B or C is true then you know get the latest or maybe we'll access memory so we need to be able to say okay we want to go to the
location reference by variable V and then want to index into the array by some value that's a register and of course need to control flow so okay we not have tested some values in all or 0 we'll go do this they're handling otherwise we'll go to something else so put all these things together and that's how you so to give you some more context I want to give you like a seed like language we're gonna go through some line level by Bible item I'm gonna strike the operations that are occurring because one line of code is actually multiple instructions so we're gonna call this calculate function with some variables flags now the first thing we want to do
is you know a capitalist functions to put the values of parameters that function some registers so hurry up wrenches are 0 1 2 and the status register which is some special meaning the what's call the calling convention is kind of describes how you know what who is responsible for what he does well here you know passive control between functions so the reservoir 0 for the return value so the update are just long enough to with our parameters and then we have maybe we need to pass when we've run out of registers we can't use a status register instead of a special meaning so this is dead you know the stack it's a regional memory where if
you want to pass this information between functions it's just you know you think of examples always it's like a stack plates I'm going to have something you sell specs plates up when you you know do we want we're gonna putting the other side is pushing and popping on the stack so we put the baby in there that's our value for C and then and then we're going to increment our stack pointer that's pushing top usually automatically increments of increments that stack pointer instruction so then we also need to push the return address when we're done with a word that's it so here is that you see I push the address if result the next instructions right I jump to in the
function X so we make our function call and now what we need to do well you know me and see the families maybe you might need to use later in the code so it'd be nice of us if we didn't like mess up though the registers when we return so we're at push the value of those on the stacks well so we're store that would be nice later so the next caller that call be and it's needed to see like there's multiple very local variables in a function you'll push those on the stack as well however here let's pretend our imaginary compiler has found this optimization which we'll see in a second so we don't actually need to push to be
so we're going to test the value to be using greater than 0 x8 you let's pretend Yogi's are unsigned so you see the status but you should register change as a result of instruction there so there's like a greater than or equal to bit or something that we greater than bit I guess in this case so we're gonna mess okay we'll make a decision based on that John and then let's just clean that out so that we don't thanks for an implant equals C minus beads or an operation to do that so again I remember that seems actually stacks about instructions can be encoded in a way that says when you when to describe see
it's gonna be the value at this what's point about a stack pointer plus for this case so that's how that and now you'll see that hey we stored even where we gotta be before we should be clobbered it yeah we don't need to be anymore so that's cool so we do that next we're going to go the description where you want to do this expression but you know we can't do like these separate missions on once around first do 1 plus D in the minute and then mechanimal also negates a that's our ones complement all the one of its go 0 one Mississippi pet and then we'll have the two and finally put that energy to
return that value it's already okay so now we don't ask ourselves so we start gonna clear the status maybe two you know about our sales and then we're going to pop DNA back so we first row those registers from the state you're in we come back to where we were and you're going to carry on our merry way so hopefully you know you have a kind of appreciation for what's going to be going on us on the language before we actually start diving into instructions so okay so I want to get into this what can I use so Unicorn is super popular is a lightweight multi-platform support of mobile operating systems multi architecture that emulates you know arm
MIPS x86 it's super popular like cts and stuff like that although it seems like in the CTF community hey I'm gonna like start focusing on our first ability if the framework is based on the human cookies but the two projects are very different intents you know Unicorn is a framework that's made for you to kind of you know extend things and implement things whereas like humans kind of you know a little second check out the showcase under obviously I'm gonna see there's a lot of projects with interested in security and reverse engineering and there's stuff close to what I've done you know I played all this other minutes hello singly I like this feature I like that feature Saul I
kind of just come all together - Mike - this is awesome only simple and concise easy I have just always been making API and there's tons of my name is Ray and you love and I highly recommend you check out her like at 2015 slides which are fantastic later so I just wanna quickly show you some code code like it lets this we take some binary code we found or it was a founded in the peak at 5 or something so online I love of their main there's some code but the fire you get in there and get the length of it 20 we're gonna initialize any emulator armoured emulation and then our architecture and then there's 26 gonna
have something like imaginary memory to working right so we're gonna say okay the atmosphere oh it's math one megabyte and that's gonna be read write execute you can change the permissions to it at your exceptions when things are you know trying to execute or non-taxable memory and stuff like that later sorry we're gonna write the code into memory 31 and then next Tremec code is it just have a list of register names the enumeration value that describes the register in unicorns IDs and then the values a lot up in there and for each one of those definitions I adore them I rape them into the emulators saying all you write R 0 of this value or this value etc so
you need to get the initial state of the machine and then finally you've executed so there's an options thing there's a time element milliseconds an account the counts like how many instructions you want to execute and you set the zero it just keep going until something happens so in this case I have the code there I'm going to see when the baby goes into it or you know cause of exception so say timeout at my second and then we can put the results go read each of the registers for each register go print death so I print the name and then the value so excuse me so there's a you know that's pretty cool because they should this like took some
RAM code and you know a couple minutes per running it that's capstone is a related project so this is kind of the same idea but it does disassembly and it's made by the same people so you know again it's simple since I see the findings disassembly framework and it's really targeting you know the people wanted reverse engineering so come before us by it's kind of has that stuff so again I'm just going to show you that code we want to disassemble so it's a very similar process you can instantiate this assembler until the ARM architecture and you're an armload rather than the thumb we'll come back to thumb again and then this is a very
important thing I found you're gonna tell it to develop instructions because if you don't do that and it finds that something only not secure but instruction it's just gonna stop you won't see the disassembly of stuff after it what you probably understand so you can you tell it to turn it off and you can customize how I handle it but you know that one of those things ever taking like 15 minutes to figure out okay what am i doing I'm gonna do it's not you know going past this something I deal with garbage so then you just call this is immiscible this code this kind rest and you can say like oh it's just some of the 64 instructions
we clearly know that there aren't even see keyboard whites they're a little don't see some for instructions but you know they just set a max and we'll go and then for each instruction in a range of you know that least disassembled instructions will be sorted by the order will print the address that the instruction was that so you know we know where it was and then the plates that make up that machine code representation and then the human readable assembly the mic and the cards excuse me so yeah there you go quick disassembly for you it's breezy I don't worry about what the code does look about that alright so now we can I mean it's tough and we can disassemble
it what about right you know that's kind of got my whole thing I want to do a little break code and better play with it and mess around understand like what is this instruction you this so there's lots of options there's Keystone which again it's not a part of the whole like community of the unicorn capstone popular area in the CTF in Reverse if you've seen the canoe to will change I actually love the ladder and the reason for that is a lot of like to change stuff and some of projects I'm interested I know they're using it so hopefully hopefully you'll kind of get a different way to go about doing things and you might see elsewhere so the
general process is rate code in a dot X file that's kind of a standard convention and your editor will live for you well stumble up using a picnic file and then execute it using unicorn says 1x a quick make file around I think how many people do make me fear no make perfect so I was going to go do this so I like to define variables to be mine engineer reasonable and so it finally prefix of the command are going to be a eai if you go to Monte or something you can have to install our none DCC to get the tool chain and usually define cross-compile will say what prefix it is because you're gonna get it from
architectural a hipster on the API and what that means is arm architecture known as opposed it's gonna be bare metal as opposed to like Linux and then the TBI application binary interface is emitted application binary interface it's kind of describing some standard ways of storing data structures and things like that so how that and how their access to this and then the next one defines me but command we're gonna run for assembling and how I run it actually using GCC and then the similar but cpp options pre-processing so that I can get like fine and all that other good stuff instead of just using raw human somewhere guess you know kind of occasion let me use an object copy to
extract the the binary code so when we run it through GCC we're actually I'm going to yell out of it you know the format for executables so we want to just kind of scrape out the wrong instructions to open a copy of that so it all target you say okay I'm gonna make it up in and kind of jump down to line 19 let's see that okay to create that I need to make it hello world over that's gonna media less but first to that we've got to do going sixteen which says we need meaning tell the world oh that's what we have we're gonna you know somewhere on it it's not so bad a source
and specify output and obviously you can get people in don't make you know we can do that shorter and much quicker ways but I want to be explicit so all those two things it's just an example of you know gonna make its gonna print commands afford it and then you know that's the you lap versus the you know the data then execute so if we take a look at this next up you kind of see the you know the instructions and how they're associated with obesity Maxim says want to show that so sorry you're not going in there to see the details but so this is it's not quite done things like that so what I wanted to do is write a go
based batch execution tool and the debugger GUI pro tip don't decide to learn you go like a month before you talk no actually I think it's a testament to how much I like I'm gonna see and stuff like that it's a testament of languages because the super easy you don't learn to pick up a problem so anyway so you can see that the green there those are the external libraries on capstone and then this cool library cocoa see why I watched if you turn box support you get your Lego fuse and you can update that I would just like printf into them for definitely so time that I belts I have two corporate clients this is a kind of
little debugger framework that I can then use to expose a batch command execution environments that I can just get script stuff and then also a GUI with you guys so first execution would wait am i screaming areas just specify the architecture and the big base address to put stuff what code I will not execute and then as far as a batch execution and how someone be able to specify the file but also the initial State this little thing where I say okay I want you to map some memory region I'm going to call it SRAM I'll give you the address so it's going to be expected to be a the length of the permissions so
you know there's you know all right
excellent work so it does a read reduced instruction set machine this would be simpler instructions all right so you probably know the whole thing where like if you want to try to you know trick copy just assemblers that are gonna just do one pass through some things we do is like just put a couple garbage bytes in your code and then jump into the middle of instruction and go from there and then you know if something just doing one pass disassembled it's not gonna succeed so can't do that arm has 32 bit well aren't 32-bit or 64-bit small or 32 only here that's fixed with pretty two-bit Hopkins and there's also this 16 bit opcode and it strengthens more
limited with shields higher density anything about the microcontroller space or implanting a bootloader and it's the case of you know the device is gonna go you know from an internal wrong it's gonna go to a tiny internal SRAM and then go execute that so I can bootstrap DDR memory and then go with a code from there and we want to be related you know dense and in small codes so the whole idea there is you have denser instructions that you know they can't necessarily address or jump to use larger ranges but you probably don't need to if you're no little code and the reason why that's kind of cool think about from the security perspective for us if you're writing
like X plate code that gives you some more opportunities so let's say you don't want to defeat some sort of restrictions on what whites can be an opinion you know maybe switching between the modes they'll get it'll be able to get an encoding or something you like better or if you're looking for gadgets you can not basically have a place the code would work but you can you know okay what does this look I try to disassemble it Sauron versus Tom so those are some cool things security-related way too much most instructions take this kind of for Marie of the instruction and some sort of suffix and then the operands and this is cool so the suffix can be the condition
under which you want to execute that instruction so you can definitely go if something else something and there's only one like operation in those you can just have the instruction be conditionally executed and enough otherwise so that's pretty cool right and that something's not so to note whether the instruction should update the status register so ok if you want to figure out the status register an example or other great that's kind of pain so you just have an instruction say that you know this one shouldn't update is that I want to have to clean up later so that's cool so use two examples you know branch not cool to label so we do the comparison and of two things are
equal wrench label and another example is having with updating the status register versus not so like if you had two bikes and they overflow and never they going to cause a carry bit to decide or you just ignore and said no I was just gonna mask a little you know quite anyways I don't care so the registers you have are 0 through R 15 and then a current program status register and you know an application program status register and just kind of an interesting relationship between them where the ApS are is a subset of the CPS are or vice versa but just know that so let's just test you know some things about the kernel
processor states like whether it's in the CPS art tells you that like whether it's in thumber our mood and Giselle though the thing I love Giselle is this is fine Giselle like at one point they decided like oh we want to be able to run Java bytecode like yeah that's not really a thing any more than you care about but I don't know at the time seems like a good idea so like if anyone wants to chat later be fun to like I've never like so that's another thing to wear that's a bull's-eye every time so they get be ready like an x-wing and will they be kind of fun to be like oh we can
you know what we're looking for I gotta change and we can do it you know armor thumb like what about this out so that's kind of cool haven't they do myself there's tons of material it'll be fun Gareth and there's also a little notes and they're safe program status registers so like a context change occurs or something like that you know there's no those exist for a quick comment so R 0 through R 12 eternal purpose we can use those in our code as we wish our thirteen is the stack pointer so pushing pop instructions are gonna work on that so don't use that for your title stuff unless you want to our protein is it's
called link registers so when you do you can do a branch and link what's gonna happen is you're going to be the branch and then for you it's gonna put the return address in this register so then if you don't have to put it on the stack manually unless you're gonna do something else it's gonna take that later so let's go and then our 15 of their program counter and you can do a limited operations early moving to but when you go back and you're not only going to go back to the instruction set that's in there's one of operations that are undefined in our 15 so that kind of that's kind of cool like what do
different implementations do it's something that might be kind of interesting okay so finally smart it's like talking what you do John so let's just kind of go this line by line you know we have a sense of what we're doing so see ad R 0 R 1 R to the first power there is use destination and then the other ones are late sources so organized a our 0 equals R 1 plus R 2 to the students and I executed it's cool all right I'm gonna rotate R 1 by 5 bits rotate it's essentially an eternity so have our register you so the most significant minutes these significant bits rotated right so we're gonna shift right so these extra minima subtract R 3
equals R 1 minus R 0 I'm sure and then I'm exclusive or so are two eagles are creatives or r1 and then we're gonna look at are zeroed with the value dead leaf and then V dot so you know somewhere use the dot there first bit currently assessing then whatever this instruction is okay so this is actually paired so sorry let's simple example and wait starting so usually you use a move instruction like move our zeros when you know Hector but it simply used element data from so if I wanted to you know load R 0 you know R 1 but also 5 and for more then beef that's 32 bits and I said that the
instructions are 32-bit instructions how is that even possible and so when we put a capstone there there you notice that there is no line there but code and that's some instruction that's deadly it's a little any might order because on the one hand I think though there is technically some votes to do some beginning stuff so yeah and capstone told us that although we wrote that thing above it's telling us that it's saying where's your who equals PC that you know but offset so that doesn't make sense either because it's our current starting so what does that matter so usually in this sort of situation what I've been doing this like all right long ago a minute I don't see what I
have to say okay show me basically what I wrote which is cool right because you know if you're trying to first of all is coming to you have some something that looks more like what throughout it's awesome so I didn't know the original arm design is a three stage pipeline of fetch decode excuse me I know that is right to simplify the design they chose to have a PC read as the very currently and needs an instruction fetch address lines rather than that of currently executing instructions two cycles ago so this is fetch execute excuse me fetch decode execute I think about it you can pipeline it and while you're doing that in code you can
start fetching the next one so that you're more efficient so they pipeline going on so pcs getting updated well and we work on stuff compensate for that change direction offset the design object to get the correct pieces value this is basically a fact so if you're programming in assembly and you know it's not that dot they do this instruction you don't have to worry about Allison taking care but if you're reversing something like this is the kind of important fact of know already so okay we're covering our SATA you know so now we know that you know it's not really PC plus 0 is piece plus 8 and we're actually loading you know the contents of that memory ain't ours true
so that's cool and if you were gonna leave a new assembler I don't think you can't always think the other ones but if you do load RR 0 equals 5 the pound sign their innocence and their immediate value it'll actually give you the move instruction so you can always just do that and let it take care of you know picking the right way to do it for you knowing so if you look at if you start disassembling code and looking this is functions at the end of them just a bunch of garbage instructions those are actually data and you know usually I don't show you it's just a this so that's good to know so kind of
start getting into you know some more relevant stuff in writing it ourselves so you say you're writing some exploit code and you're gonna need to access something back in your payload but you can't use the absolute address because you don't know where a memory that's gonna be seen to keep your code position you know keep it position independent of P is positioned appendix people so I was writing the writing of any 500 patients the way that this was served on my like tests codes is you know testing move PC into FP is in frame pointer is actually a tenant so you move PC into a register it's a very first thing your payload execute so now we know exactly where we
are but again I've heard this is you can reference this where you can actually find the whole thing about pieces plus 8 we just talked about okay now I've got this so you then assemble all your code assuming that it's all executing at at a zero and then whenever you're really going to go that's something to repeal it or whatever you just add them to P to it and just keep one register around through so that you can and then something up the stack here just so they can okay so there's a branch instructions so there's branch branch at link and branch Millikan exchange I can pull this out of documentation that link there you have more details
branch is just a conditional branch let's go do some more cool branch with link is saying I want you to branch it with the return events in that link register so I have that later so you can pick which one makes more sense for you branch of Lincoln exchange is cool because you can exchange try the instruction says I think it's double check I think it's the lowest order bit that's set and switching to thumb mode and it's not come back to me so how many implement stacks with multiple so this is side example so hard to use so store multiple full sending the full descending is just describing the way the stack works don't worry about that
you get to that time so the way this reads is giving stack pointer an exclamation point saying I want you to store these values on the stack and then update the stack pointer for me and I want you to store registers are five or six or seven and the link registers so it's happening it's preparing to take a function call and then we're saying okay I have their investment the last function we're in but I don't want to lose that so restore that and some registers they don't weigh in dirty so this whole entitling convention is like who's responsible for doing stuff that caller they call idiom or different things so then we going to branch into
our function of random link so that the return address is placed in a large and then we return me back eventually we're going to load that stuff back in the stack so we're going to say you know lewd memory and updated just the stack pointer but you know it'll blow those contents at our 5r7 and then put lrpc what's cool here is you see that you know it's not hard on this scenario you're the guy that's PC because of taking the old return the rest are writing into the program your honor so you don't have to load and store the same things you did so you can these other registers things like that so you
know go by using this so this is something code from the mp5 implementation of writing used to tell myself wearing things a little bit one neat thing to know here is a 45 there so that range would Lincoln exchange that's not just to switch modes branch limit doesn't support operations unit is stored in registers so if you have you want to like get the address of function or subroutine you have to do the elects and you can do that again double because there's gonna be a line I'm looking for for white words have a situation without or something so then I just kind of show a little words of the call function so it's roundup see see
I'm storing the things that have been dirty and link register operations like this you know you know here in CT I'm something years going crazy right on time for this but if you're writing something that you're gonna lose your mind so packing that you're like input parameters so you remember what you're doing and what's lifting up division parameters and then even like side effects because if you come back to this stuff like weeks later you don't want to like get the load up either or something to figure out what you cannot like pay what they're doing so let's wrap up a little bit early cuz I rest a little but we can't spend the time ago longer
questions or I can show it to a little bit so with my roadmap of this and I kind of mentioned it work out so original one that I have ready to go I think do us all of this service of I did that so I'm gonna finish another couple remaining items have already be nice maybe kind of take some of this content but that didn't like wiki hey you know a feature dream right on the plane I was working in color scheme so there's a couple of like tools that have like um yeah codes are colored nicely and stuff and implemented the whole thing in like this couple bugs so and pulled it up I don't want to be
putting code freeze the night before you talk about your code so probably the same week of May I'm gonna try to have this up like you know watch it another long-term goals like this what I want to do and this is kind of my sales pitch and I'm trying to find people that are interested to help me of some of this because I don't have enough time to do it myself hobo love what I really wanna do is have some memory and execution tracing so that I can execute stuff and for every instruction executed and you can have hooks in uniform we're just say okay before the memories touch I don't have a call back and I think kind of watch the
stuff that's how I have committed to great points in single styling I want to watch that and also know when stuff is Excel a lot of my code I don't be able to see that view it and I want to render that and maybe like the browser rather leads and also I like say all those things on that Jason is react or something can be like a really really nice like interactive post board or the thing that I cannot know and I'm gonna use Coverity by chance it's a static analysis tool and they have a really nice thing where like when it finds I don't have to abide building step by step looking through it state of things
so what I want is to be able to like have a browser-based thing that I can click through into the state of things memory registers and things like that so I don't have to run it through this again it's just one page like kind of it you know is JavaScript also anyone interested in that or I know some of that guy over here so yeah if start kind of prototyping at some point and when you have something marketing should be am paying and I love that Chad and everything is going back to where this came from you know had some of my control controllers or mega processors that I didn't know like we have do some crazy
stuff expert rate data so I'd like to move the kind of emulate some peripherals in try to get a sense of okay the Sam pre sure this is like a standard 0:44 so I'm gonna like emulate that I know that the right bytes out you are and you know it's more tracing and doing things like okay coming along this code path and I know that there's instructions testing a bit so I know the weight pulling a flag and I would kind of like to be able to start doing the point where I can kind of infer what's going on in a more like semantic level that sounds like crazy so probably for summer the top four and it gets into place so
this is a lot throughout the morning I was working on this I was thinking man like it could be your architecture was an entire class it took like it suddenly was an entire class I took and even after that like tons of time just to really actually do anything and I'm still learning so for me to what I'd say is every the instruction set documents there's a Google is stuff you're gonna find tons of lecture notes and an armed exploitation material so that kind of meant earlier you just only go for armed exploitation you kind of like missing some of the big pictures so come and do a little bit all of the instruction set boring but you know try
to go back and forth a little bit and then write code test it to debug it now we can position independent like I was doing you try to do that like take baby steps and then one thing I wanted to have and I was gonna actually try to get done for the CTF but the next where you have 32 PRG PRNG and then XOR your code and then right on Packer that's gonna unpack that code you know pelo that's something you can make it different every time so you don't buy IDs or something isn't gonna latch on to Silicon Valley's project and then those write some code takes moment source code or in the CD or something and then I'll
go to zero go to two or three and go with this is somewhat look at it how are you write it how does it do it understand that and what does GCC do what does Microsoft baby C do so you know those two particularly if they have different calling conventions so understand how that stuff works and this is kind of my approach I mean I haven't mastered this yellow stuff either but this time what I'm trying to do to get a better sense of things and develop a more of a mastery of stuff so I'm always devices people are you thinking about something advice and before I can finish up I just wanna go big thank you to you
besides Russians fourteen you guess it I'm something to do but the work put into this is huge I helped out last year and I could not believe how much effort and so let me go find that collect on the same sort of home butcher it's a Creative Commons Licence image check that out it's human malaria Sophia to the name actually I was trying to find a cool name right I think the most there's a Dilbert comic that's like you know they're sitting in a meeting room the guys like we need a name for the project or like that's like the least important item again it's like well if you don't want to know the name it's how we gonna
know what it does so check my cool name for right I can find things so it's Latin it's a conjugation of definitely but I don't know if I'm pronouncing it correctly or when I don't know why so I'm gonna just call it our end so meet it in terms of what I want to see so basically kind of saw a little give you their let me actually do this never really start Windows during office [Music] so now we know somewhere I don't know so I have asked you rate I don't have operates um so yeah if you say so - as I'm stepping through to these instruments essentially I want the information that's each of the registers
and memory readings I'm active and now that could be kind of what's also trying to decide was it make more sense to just have the Dulles so that case the implementation would have to kind of state and I don't know if that makes sense in like a JavaScript application is that going to blow up in the future is that make sense so those are the things so essentially I'm gonna try to export me to the dozens or everything all the time or something like that and you want to parse that and then kind of like that [Music]
okay so then what some witness we're like in addition to this assembly you know maybe not necessarily you know the nice basic block view but I'm going to be able to kind of go and like step through the sitcom debugging you kind of post-mortem and then be able to say okay it goes over here then I can kind of highlight over it and then it would show me the state of register there's something like that so the kind of is a kind of picture of innocence and then be super cool because I gave you this execution trace inoculate can go ahead and fiddling with it I could just have one like kind of a fourth document I
keep going back to you all in JavaScript so much
our enemies along the way in terms of what sort of the bug I must say that I don't consider myself of an expert to make such a claim like maybe the developers I'm not sure and then also like even if I would have the authority to say that I'm not really sure that it's wrong like they're showing where that's right so like it's wicked so that's a matter of perspective is why I need some answer and I have to think of it because I can look at like I'm always looking at mobile tools you know I don't just look at it but between operators there are you know I'm still learning more all the time but super really some a lot of
interesting things later just throw out some kind of the things the first when you've dumped something on the microcontroller this is an animated question that's just a random inside because so the first region in code is really going to be what's called an interrupt vector table and this is basically where exceptions go to like different types of exceptions or interrupts occur it's gonna go here and then figure out where to jump to next and look who's talking to detects like okay this is an our binary if I don't even know the architecture it was a messy words are like something something something yeah and it's gonna be a bunch of if you look up the arm IBT to see
what positions are the mean and what they're used for but many every few by this is a quick easy way that's like a weird quirk but like an interesting observation well the this the first time you look at it you know the the store and load memory with full descending versus I'm still that begin to the only have a best be like a subset of and there's you see how big they're girls pants are so I think if you're doing someone I need to correct me on this feel like I read an article where you had to make sure you've watched a cache before if you were writing into data memory before you actually try to
execute that's that's true yeah I think vixx's well first of all so that's kind of weird and it's kind of like a thank you very much
[Applause]
[Music]
Related talks
49:29
53:02
55:21
28:47
47:05
51:46