The Best Campfire Tales that Reverse Engineers Tell - Travis Goodspeed with Sergey Bratus

BSides Knoxville · 50:59 · Published 2016-06
About this talk
At a conference, I don't much give a damn what the target was or how big the pwnage was; I watch talks for the clever tricks that the presenters used to get their results. This lecture is just the best tricks from a dozen or more projects, the techniques that we reverse engineers share over drinks and next to campfires. So gather round, children, and I'll teach you how to distinguish code and data pointers at a glance on the Thumb architecture. I'll teach you how easy it is to write an x86 bootloader, and ways to write an exploit blind, without already having the code of your target. Some of these tricks are easy, some of them are advanced, but all of them are clever and one or two just might be the missing piece to your next reverse engineering project. https://bsidesknoxville2016.sched.org/event/6tCZ/the-best-campfire-tales-that-reverse-engineers-tell
Transcript (en)

Won't you be my neighbor? Welcome. So, has anybody read the rotten.com exposé on the secret life of Mr. Rogers? Because there were these rumors going around that Mr. Rogers was, like, a sniper, and that he had killed upwards of a hundred men in cold blood. And not just a sniper, but, you know, the stories grow, and then his thing was to snipe the children of officials, and he felt guilty about it, and right. So rotten.com decided that whatever dirt there was on Mr. Rogers, they were going to get to the bottom of it. This is a website that made their claim to fame by showing graphic images of violent deaths and stuff. And so when you read the exposé, the guy begins with all of the conspiracy theories about Mr. Rogers, and then he looks into the man's life, and what he found was that the guy was actually just a saint, and he apologized for ever thinking otherwise. And it's the most touching exposé you've ever read, on the most vile website not run by weev.

Okay. So when I watch talks I'm very impatient, and one of my problems with talks is that the talk is about some specific thing that's being hacked, or some specific target. So you'll wind up with a talk about Stuxnet, or a talk about this malware or that malware, or car hacking, or thing hacking. And I'm the world's greatest fan of junk hacking, I really am, but it's because I don't care about the target. You can learn more about how to write an exploit or how to reverse engineer something from a good article about how to exploit a Tamagotchi than you will from the very best article about doomsday and destruction and everything. And as a devout Cthulhuist I know that the Elder Gods will return and we're all going to die a horrible death, so I'm not really concerned about the security of my toaster. Instead I'm concerned with cool things that you can do with firmware patches to the toaster.

So today my buddy Sergey and I are going to be telling stories, and we're going to be arguing a little bit, and we're going to be talking about all of the nifty tricks that allow reverse engineering and exploitation to be possible, rather than the end effects. And this is a reverse engineering discussion; if it ever strays into security, that's by accident, and only because security comes as a sort of a side effect of understanding how the hell something works.

Yeah, so the thing about security is that when you look at the mechanism, the vuln, the exploit, at some point just becomes an afterthought, because you really see how the thing works, and, well, how it won't. And of course one man's junk is another man's IoT, or, you know, mobile health something. But that's really the thing: whatever it is, it becomes a lot clearer when you have gone through the mechanism with the point of actually understanding the mechanism, and forgetting about all the lives that you could ruin and all the lulz that you could sow and, you know, all the money that you could reap.

So we're going to begin with... so I can't see you, because of the way that lighting works here,

although this has the best air conditioning of any stage I've been on. Some of them are sweltering hellholes. And look, you're right in front of the f- well, exactly, yeah, that works. So, because I can't see you, we're not going to do a show-of-hands thing. I just want you to cheer, or just scream as loud as you can: what was your first programming language? And don't be embarrassed if it's line-numbered BASIC. BASIC! All right, the BASICs have it. Yeah, goddamn BASIC.

So BASIC actually came out of Dartmouth College, where Sergey teaches, and I had the opportunity to meet one of the original authors of it. And I went up to him, and I don't very often have fanboy moments, but they come up every now and then, and I gave this guy the most impassioned explanation of how BASIC is the greatest programming language on Earth because of PEEK and POKE. And then he looks at me like I've just insulted his recently deceased dog, and he says, "You know that PEEK and POKE were designed by the microcomputer jerks and were never in the time-sharing version of BASIC, right?" Because of course the other thing that came out from the very same lab was the time-sharing system, in which you could actually connect to one computer while being

man. Now, if Sergey and I... let's say that I'm a bit of a jerk and Sergey is a good neighbor. If we're sharing a server and the server is running BASIC as its operating system, it's not that hard to do cooperative multitasking around the BASIC instructions so that he can run his program and I can run my program. But there are these two commands in BASIC, PEEK and POKE, and what PEEK does is it just gives you whatever value was at an address. So if you type PEEK of, like, 375, it goes to address 375 (it's done in decimal just to keep you on your toes), but it goes to address 375 and it just grabs that byte and returns it. And what POKE lets you do is it lets you write a value into that address. So if they had included this in the time-sharing version, then I could read out his projects, because I could just do a core dump of memory to my local workstation. This is why they didn't do it.

Now the microcomputer designers at the time, we're talking Altair BASIC from Microsoft, or Apple BASIC on the Apple II, or even, going back further, the Apple I, they had the exact opposite problem, in that they didn't give a damn about security boundaries between different users, because they're not trying to share the machine securely.

They're just trying to allow hardware drivers to be written in the lowest level possible, the easiest language possible. So instead of having to write a driver in assembly language, you can just read and write the addresses of the floppy disk controller. And then instead of a driver in that architecture, you just have memory-mapped registers; you read them and you write them.

So this really opens up your world, right? You really get to find out that there is an operating system out there, which of course crashes if you POKE in the wrong place, which is probably the best lesson a budding student of programming can learn: that you crash not just your program but the whole thing. And then of course you're interested in finding out how that whole thing works, and what is it that you overwrote that crashed it.

So when you're learning to program the Apple II, you wind up with this... you know, the first chapter tells you how to print hello world: 10 PRINT "HELLO WORLD", 20 GOTO 10. The second chapter teaches you how to do inputs, the third chapter teaches you how to do loops. Eventually you get to, like, chapter seven, and they're teaching you how to make sound. And the sound chapter, I kid you not, says that you need to run PEEK of 3,695, and you run that in a tight loop, and it'll make a motorcycle noise. And you're looking at this and you're like, "You're [ __ ] me, like, why do I have to type in the direct address?" But then you realize how much of the guts of the internal machine that exposes. You can do a ROM dump from an Apple II by sitting down at it, starting up the BASIC interpreter. My favorite thing about the Apple II is that if you don't know how to start the BASIC interpreter, you just flip the power switch back and forth, and then the voltage glitching of that on the CPU causes it to fall into the BASIC interpreter as a backup. This really works.

So some of us started our programming with a machine that had no ROM, because ROM was expensive. So what was in the memory was this program you call the monitor, which had just about five one-letter commands, which let you peek memory, poke memory. It had a really nice usable feature in which if you poked that memory it gave you the prompt to poke the next address, and only when you typed dot it would dump you back to the main command line. And of course your BASIC had to be loaded from an audio cassette, and there was a lot of it, so if a car drove by then you basically had to restart, because the line was too noisy. The BASIC that way was something that you could actually poke into as well, because it was not in the ROM. Wasn't that nice? Of course, since it didn't have any kind of editing, then stealing the string out of the screen, which of course was just a byte-for-byte video RAM, and then poking it back after you have edited it using the very posh Delete, you know, it shifts the string over the character so you don't have to retype everything else. Man, those were the days, right? Those were the days. And there's no hitting the

up arrow to just get a previous command. Or they didn't even have an interactive text editor, so instead you would type a new line of BASIC code in order to overwrite the old one, and they were all kept as a linked list. One of the things about a linked list is that it doesn't have to be in the appropriate order, so some of the designers, as a copy-protection feature, would swap the order of the lines, so that when you tell it to print the source code of the program, all of the lines are in the wrong order. Sneaky, sneaky, right?

But then you look at modern machines, and it turns out that these debug monitors that were used for debugging on the Apple II, they never really went away. They just changed a bit, so now they're called mask ROM bootloaders, and they're still in modern microcontrollers, because you need some way to program the device for the first time. And as long as you're programming it for the first time, well, maybe we could add a serial port for that, maybe we could add USB for that, and this feature creep winds up with a very complicated monitor with lots of commands that's also required to keep everything inside of the chip safe and away from prying eyes like mine. So if you're trying to attack microcontrollers, and you're wondering what's a good target, you know, the physical thing isn't the good target. The really good target, the reusable target, is to attack that mask ROM bootloader, because they have bugs, they also have the authority to read and write all of memory, and if you get an exploit on those, it's in permanent mask ROM, and it can't be patched without a million-dollar mask revision at the fab.

So you have this moment, you know, that suddenly your life flashes in front of your eyes or something, and then the monitor lives, right? And that thing that you learned back then and thought you never actually would encounter in grown-up life, it's right there.

There's also this concept, when you're running through the device, that there are these layers of abstraction, and you always gain something by dropping one level lower. For example, when you're working with a program in C, there are parts of even a language as bare-bones as C that nobody really pays attention to until they're writing an exploit. One of the things that in modern exploit writing you need to understand very well is the behavior of the heap, and they don't make this easy, so you have lots of different heaps that behave differently. But you also have reliability issues with heaps on machines, in that you have memory leaks, you have improper use of the heap; this causes programs to crash, and it causes them to crash in very subtle and long-term ways. By understanding these data structures, you're able to do things like audit the heap metadata. You can ask, like, is the heap corrupted? This is a question that a simple C function can answer in the blink of an eye, just by running through the data and making sure that it all lines up in the end. You can ask, this thing that I'm about to free, is it allocated and good to free, or am I just going to be trashing the state of the program? You can search for that, you can find it, and you can use these same tricks that are used in reverse engineering and in exploit writing to improve the reliability of embedded systems or host computers.

So, like, size does matter, right? It does, yeah. So in your typical heap, good luck doing that. Now when you're reverse engineering and you're looking at this thing, you get into this headspace where you're understanding every little thing about how the function works, and you don't really know what's valuable yet. So in the few functions that you decide to deep-dive into, you wind up learning a lot more about its behavior

than you think anyone would ever need, just as a side effect of exploring it. And there are types of bugs that we're taught to look for for security reasons: double frees, or use-after-free, or these days, zero references. Yeah, zero references. But there are also ones that you're told are an annoyance but they're not really exploitable. One of them is an unindexed null pointer dereference. And I say unindexed because a null pointer dereference is exploitable if you can control the distance after the pointer. For example, if a very large array is malloc'd, and then you control which item gets written to first: if you can make malloc fail, it will then return zero, and from that offset... well, the offset is your real pointer, and zero added to the real pointer gets you the real pointer. But when you don't control that index, you're told that this will hit a guard page, that address zero will trap, and that the program will segfault, and then that will be the end of it. So from the attacker's perspective this should be useless. And then... except. Sorry, what? Except, except there are these things called microcontrollers, and a lot of them run ARM code, and the ARM developers thought that it would be a really cool idea if the memory layout would reflect the source that you booted from.

So in ARM, in, say, ARM Cortex-M3, to use a specific example, your RAM will probably be somewhere around 2000 and change hex, like two, then three zeros, then four zeros. Your flash memory will be at 0800 and change hex, so 0800 and then four zeros. And you can sort of imagine where these are placed, and there might be a mask ROM way up in the top of memory, and you have large gaps between these. So the ARM developers realized that you might write software that would run from flash memory in deployment, but you're doing a lot of different attempts at development, so you might develop it on a larger chip running from RAM, so that you don't stress out the flash memory and you can very quickly try new revisions. So your compiler will just flush out an executable; the executable can then run either from RAM or from flash, and the way to make it do that effectively, they decided that whatever memory you booted from should be mapped to address zero. So if you can imagine the machine booting up, you have flash memory at 0800 and change, you have RAM at 2000 and change, and then down at zero you have more flash memory which is a perfect clone of what you have at 0800. I forget the name of the lady from Jeopardy, but Sergey, you're doing an excellent impersonation. Why, thank you. Vanna White. Yes, Vanna White, ladies and gentlemen. Cheers, neighbors.

So inside of the program, when you have a pointer that you're not actually doing anything with, the ARM compiler will put that in the BSS region, which gets zeroed at startup. So on ARM with GCC, any undefined global variable will have a value of zero, just by the way the things are arranged. So this pointer to a buffer might then point to zero, and if you can read that buffer, then you can read the very beginning of flash memory. There's a handheld ham radio called the Tytera MD380 that I wrote a jailbreak for, which I published back in January, and the way that I got a copy of the internal bootloader that decrypts firmware updates, that exposes the rest of the firmware, is I found a region in the code that would dereference a null pointer and hand the data back over USB, and then I used that to read a complete copy of the bootloader.

So these vulnerabilities that aren't exploitable on Unix are often very easily exploitable on embedded systems, because the mitigations that you have, things like guard pages, or, in a larger machine, the items on the heap, if they're large, they're separated into different pages of memory with guard pages between them so you can't write off the end of one into the beginning of the next: none of that exists in embedded systems, which sort of makes them an easier target. But it also means that things that you're taught to ignore on the host end are suddenly useful again. So it's like you remember those skills that you learned as a child, right? Finding a fairy country in a wardrobe, that kind of thing. And you think it's old and gone, and then they're back again, and you just need to brush up on the skills. Yeah, so hop on the Magic School Bus and you can play around with it, wardrobe as it were. But yes, I think in Fillory it was a telephone booth or a clock. Search me, neighbor. Oh, too many.

It's also this concept that we're taught to look for memory corruption exploits because they're sexy, and then we're separately taught to look for web stuff because it's easy and it has a very large target, right? But there are other types of vulnerabilities to look for. For example, there's something called a parse tree differential, which is a pretentious way to say the two interpreters see the same file as having different meanings. Pretentious, neighbor? A little bit pretentious. We've got to have some terminology. But you're an academic, you're supposed to be pretentious. It comes with the job description. Now you're insulting. Yet we're going to move on before I say some Russian words that Sergey's wife thinks I should never have learned. That would get you kicked out of the house, neighbor.

Okay, so we've got, you know, two parsers that disagree about the meaning of a file. Big whoop. Like, how is this useful? Well, like the Android Master Key useful. So, you know what you shouldn't ever do, right? Write your own crypto library. So they didn't. So Android packages are verified, and their signature is checked by this Java crypto library, which is a bona fide crypto library written by crypto library people, and God forbid we ever seek

to redo that kind of thing, because thou shalt not write your own crypto. It's bona fide. Yeah, yeah. So then everyone has PhDs, and, you know, we're talking some serious development effort. Okay, except of course when you actually deploy, and it's Linux, why would you ever want to write in Java? Because, like, Java, right? Okay, so then the installer part is in C++, which, you know, makes sense. However, the package is zipped, so then you unzip it in Java, check the signature, then if the signature passes, then you pass it on, and your installer unzips it and installs it, because, you know, why not? Except there is this thing: Java really doesn't have unsigned integers, and C++ does, and zip kind of likes them. So those two streams of compressed data, they would actually disagree. There were three, not just one, ways they would disagree about it, and one of them came down to signed versus unsigned. And, you know, what's that joke about Java packages, right? They make you sign everything, or something like that. So it goes, so it goes. Anyway, so then you unzip in Java your packet, and then you check the signature, and it passes, and it says great, so it's time to install it, right? Except when you unzip it in C++, you're seeing a completely different stream, which you happily install. So, you know, what good is your signature? What good is your phone call if you can't speak? It's The Matrix. I have no dial tone and I must scream. Yeah, one of those things. You know, what good is your phone call? Agent Smith, right? Agent Elrond. Come on, The Matrix, the first Matrix. The first and only Matrix. Yeah, it's a shame they made no sequels; they could have been really good. Yeah. So then, you know, and of course, you know, Neo's face just runs together and he can't speak, he can't open his mouth. Okay, so what good is your signature if you don't know what it applies to? And so that was the Android Master Key, the perfect example of why two things disagreeing about what's in the stream are a big, big deal, because, you know, that's part of the trust model.

And zip files themselves are a strange format, because they sort of evolved rather than being created. When they were initially designed, you would have a series of floppy disks, or you might have a tape, and so they designed it to work with those sorts of interactions. Like, when you have a large file on a hard disk, you want the headers and such to be at the very beginning, because

on a modern computer it costs you nothing to rewrite the entire file. But back in those days it was a lot cheaper to append onto the file than to rewrite it from scratch. The floppy disks that you have as your badges, these might take minutes to fill, and your zip file might stretch across a dozen disks. So rather than make you reinsert every single disk to add one file, zip files begin at the end and work their way back to the beginning. So you insert the very last disk, you append the one file, and the archive grows larger, and you just sort of remove the old header at the end, or maybe you just append your own one without removing it. There's also this concept that you might be freshening a file: you might install a new version of a file that you have an old version of, and the old version might be on disk 6, so why get rid of it, when that would require reinserting a bunch of floppies? Instead, the way that a zip file works, you just add a second copy of it. You could have multiple copies of the same file in different versions within a zip file.

PDF and zip work together rather well. You can make what's called a polyglot by appending a very small zip file to the end of a PDF file, and if you adjust the records you can interleave them and make a very large file that's both a zip and a PDF. And while you're at it, you can do more, because a PDF doesn't have to begin at address zero; it has to begin within the first 1,024 bytes. So these are... I mean, all these things existed before they were discovered, or recreated, or something. So that's sort of a match for the standard distribution of a certain scholarly journal, the International Journal of Proof of Concept or the Other Thing, or Get The [ __ ] Out. The other thing, neighbor. Yeah, no. That has been its standard distribution format: a PDF and the zip, and then whatever else you can throw in, given that the header floats and gives you about a kilobyte to put in whatever elements you want, then skip over whatever other elements you want. And, say, JPEG would allow you to do this; any format that allows chunks of unrecognized data to be skipped would allow you to do that. And then there is a little zip thingy at the end. I think the most convoluted edition was the one that was a PDF, a zip, a picture of a cat, and a picture of another cat if you encrypted the file with a specific initialization vector.

Yeah, this used a trick called Angecryption, by Ange Albertini, and the way that it works is that in CBC mode for block ciphers, which is where you feed in the output of the prior block into the next block in order to make repeated blocks look different, you also have this thing called an initialization vector, which is what you feed into the first block. And by carefully choosing the initialization vector, you can make the first 128 bits after encryption chosen, which means that you can make one file encrypt into another file, as long as the first block is the only block that is meaningful both before and after encryption. So you put comments in the encrypted version around all of the blocks that need to make sense cleartext, and in cleartext you make comments around the blocks that need to make sense encrypted, and then you're able to have two files shared in one, one being before and one being after crypto.

So that kind of changes your whole idea of encryption, right? Encryption is something that you put a thing through and you get something that has no sense whatsoever; it's just random garbage data. Whereas of course if you decrypt a thing and you don't have a key, again you get this thing which is random garbage data. Well, not so much, right? It could be a picture of a cat. So there used to be this disk encryption software called TrueCrypt, and TrueCrypt has a weird little header requirement, in that the first block is the salt and the second block is the encrypted header, and you don't actually see the header until you decrypt it. This allowed for a nifty little trick, which is that you can make a legitimate file also be a TrueCrypt volume if your salt is the header of some file format. So we released an issue of the International Journal of Proof of Concept or Get The [ __ ] Out. The other thing. The

other thing, yeah. This is a bar; I think we're allowed to use more than Mr. Rogers language, although I think you are all very special and I love you just for who you are. [ __ ] you too, neighbor. [ __ ] you too, be my neighbor. So you can do this thing where any file can be a TrueCrypt file. You can make a PDF that's a TrueCrypt file, you can make a regular bootable disk image that is also a TrueCrypt file, by virtue of its file format. And this is one of the things that was allowed by the specification but was never actually done until it was done as a prank. So maybe we should do more things as pranks and fewer things for the pwnage. Well, maybe, and far fewer for the politics. Pwnage before politics. I mean, I'm from a country where... well, from a country that's long gone, but where "apolitical" was actually pejorative. You know, you're apolitical, you can do this thing, you can, you know, go talk to people, you know, you're not good enough for a lot of jobs, you're apolitical. Hey, hey, but you won, you won. Yeah.

Then polyglots: you can do them for files, but you can also do them for packets. You can make a radio transmission that is valid in multiple packet formats, where the receivers decide. You can combine Wi-Fi and Morse code. Suppose that you control a web server that I'm going to through Tor, over, like, seven proxies and a firewall, if I'm to quote the cyber criminal song by Ben Naga. Oh, well, yeah. So I'm connecting to this, and you are controlling the foreign server; you control the hidden service. Now whatever data you send to me is going to be encrypted, through Tor and through the seven proxies and a firewall and that sort of stuff, but you still control the rate at which you send it. A little bit of latency is added by the network conditions themselves, but you're able to decide that you're going to speed things up or you're going to slow things way down. And you can use this to hide messaging, and you can even use this to send Morse code over my Wi-Fi channel that someone with a Morse code receiver on the appropriate band would be able to hear. And then you can look for this injected signal. Which is not a nice thing to do. It's not a very nice thing to do, but it works, and there's no reason not... Using Tor is like a closed door, right? You just don't barge into the room. Right. Well, yeah, we'll see what Twitter says afterward.

So in fact you can do this with more things than Morse code. Morse code is sort of like the lowest denominator of PHYs. But interestingly enough, when you build a radio receiver, you build it to ignore the things that don't matter, right? So if you're building a frequency shift modulation module, you choose those two frequencies and you shift between them to give a one or a zero, so the high frequency is a one, the low frequency is a zero, or you're building that; then you ignore everything that's not frequency. You ignore the amplitude. So, you know, that transmitter may be going away, maybe coming back, there may be people, people who are otherwise known as bags of water, getting in between. You don't care. Your entire modulation scheme is simply frequency. And this makes sense, right? Because anything that's not containing the data, that changes, you're supposed to ignore, because that's a natural effect, that's not the intent of the transmitter. So same thing with the phase. You know, you've got this wave going, and so long as it doesn't change phase you've got a run of ones or zeros, and so long... when you change it, and when you know it's a cosine wave all of a sudden, then you've got a run of... you've got to switch to ones. So, PSK, right? You could switch between two or four phases or however many you like, and in that case, again, you ignore amplitude, you ignore frequency if it floats back and forth, you know, without affecting the phase; that's what you've got to ignore.

Now let's say you are looking to talk to two receivers at once. One is doing frequency, the other phase. Could you make them hear different things from the same signal? And it turns out you can. So a change in frequency turns out to be about the same as an abrupt change in phase. A change in amplitude very often gets ignored by these things. You also have transmitters that use frequency shift keying with more than two frequencies; they might have four, they might have 16. It turns out that because of what's called the locking effect, it's always possible for you to inject down from a high number of symbols to an otherwise comparable protocol with a fewer number of symbols. So, like, you have a transmitter with four FSK, or say four PSK, four phases or four frequencies, and you want to talk to this radio which is just two: no problem. You can, even though those radios were not meant to be compatible; they kind of are.

Now when you're reverse engineering something, you have this problem that, you know, the thing that you really want in the end is horrendously complex, so you need to break it up into smaller pieces and learn them one at a time. With radio this is a particular challenge, because modern radio is getting as close as can be done to the limits of how much information can be carried over the channel. So it's very difficult to work with 802.11n or ac. But you also have older protocols, so you could maybe work with 11b, or you have this nice little loophole in amateur radio protocols, in that they're restricted by narrow bandwidth to where they sort of have to be human-intelligible with the right reverse engineering tools. And the right reverse engineering tools, in the form of very nice software-defined radios and software for actually navigating the recordings, are just now becoming available. Things like Baudline and Inspectrum allow you to reverse engineer a signal in the same way that you might previously reverse engineer a core dump or a firmware dump.

So it's the way that signal corruption leads to interesting things, just as memory corruption is as memory corruption does. And so you have the sign, right, misunderstood, or difference of opinion between parsers. Okay, so you

know there is something fun going on here. Or you see the sign of a difference of opinion between receivers; you can bet that there is going to be some fun in that in the years to come. So when I first met Sergey, he got me very drunk, and then the next day I missed my flight back to the United States. That too, yeah, I know. I missed my flight back to the United States and I had to hitchhike home from Canada. So I'm like, hey Sergey, can I bum a ride to New Hampshire? And he said, sure, but you do remember, like after the whatever round last night, when you promised to do a fingerprinting research project. And I said, why the hell would I do that? Fingerprinting is boring. Yeah, I mean, who the hell wants to know who just transmitted you this message? If you like it, you like it; if not, then, you know. When you get into it, though, what really makes fingerprinting frustrating is that you're paying so much attention to a signal, and you're learning all the little details about it that you would when you were trying to write an exploit, but at the end of all of that effort you just say, like, this signal is from that radio and not that radio, kind of, probably, maybe. The way to make this

more interesting is to try and look for an exploit in it, and the exploits are all on the receiver side. So one mistaken belief that people have, particularly in our community, is, like, you've all heard of the OSI seven layer model. Just give me a cheer if you thought it was worth bothering to learn. Yeah, yeah, okay, I hear three people who are lying, and the rest of you were silent. But there is something in it, which is that the layers aren't at the same positions as in the OSI model, right? I mean, you separate them into different layers, but this concept of, like, the guy who's designing the radio chip doesn't really care about routing; he's just trying to get a packet from point A to point B. And the guy who's doing the routing doesn't really care about the on-air protocol, because he's just taking the interior of that packet and shuffling it from one spot to the other. So this way only the low-level guy has to deal with the radio artifacts and only the high-level guy has to deal with the routing protocols. These layers of abstraction become boundaries of components, and if you look at that dividing line you very often find problems. That's simply because whoever is handling the higher layer is trusting or assuming that the lower layer there is somehow a magic validity filter which would pass up only the right data, only the data exactly as it was meant to be reaching this point, or exactly as it was meant to be sent. And of course, in a world where just about everything is a polyglot, guess how likely that is. So that's sort of, the layer model is actually incredibly instructive in that it tells you where the boundaries of competence are and exactly where gratuitous assumptions would be made. I mean, essentially, look at this model as fairy stories upon fairy stories upon fairy stories upon fairy stories, some of which are believed. And of course, to you, you

know, to someone it's a fairy story; to somebody else it's an exploit, because of course an assumption, an unwarranted assumption, is the other side of pwnage. And there's this thing where there are lots of things that you're told, that you sort of learn in general, right? Like when you have a computer science class and they tell you that the heap grows upward and the stack grows downward, and you're like, okay, I know this fairy story. And then they come back to you and they're like, well, there are these things called threads. Yeah, yeah. So you see, this is the moment in your life when you meet someone, and you say, well, you know, I'm a teacher, and he says, ah, I know, liar to children. Lying to children is a very valuable profession. No, it really is, because if the very first time you're told about the heap you're told about all of the exceptions to the rule, that, like, everything that's so large gets created by mmap and is not within the contiguous heap at the bottom, or that every time you're taught about the stack you're taught that you have multiple stacks, per thread, with guard pages between them, and that if they grow too deep they die, so infinite recursion is probably a bad thing, these details will kind of bore you to tears until you have a reason to care. And as soon as you're trying to write a heap exploit that requires the two objects be adjacent, suddenly it's really handy to know that large objects are never adjacent to one another or to anything. So you sort of need to file away these misconceptions that you've learned and then later on in your career go back and try and figure out what the details are. And the best way to do that is to take these things apart, and the nicest thing about the era that we live in is that so much is open source that you can open up the source

code and see how something functioned. You can take apart a heap, you can change the heap, you can rebuild all of Linux with your own heap rather than the default one and have all of the behaviors change as you like. Personally my favorite was the thing that I ended up calling unorthodox debugging, because the people who invented it did not really have a name for it. And that was the idea that, well, yeah, to debug you need to stop and go somewhere else, and that thing could be absolutely any fault or trap or exceptional condition at all; it did not at all have to be what your debugger uses. And in fact you didn't know that the debugger used that until you actually started circumventing the debugger, because otherwise it was just this magical machine that was always there and that you never thought about. But then of course your breakpoint being your floating point exception gets rather interesting. Yeah, so think of all the different exceptions that can happen in a C program. You can have SIGBUS, which comes on an unaligned exception; this doesn't occur very often on x86, but it does on RISC processors a lot. So the idea is that your CPU doesn't necessarily have to actually implement unaligned instructions; instead your operating system can fake it whenever the request is made. You have segfault; like, a nice well-behaved program will never read from memory that's not allocated, it will never touch a guard page, but you can rewrite it to touch a guard page and make that your handler, and then your program sort of crashes and you catch it and then restore it. And then of course the question is, if you're doing anti-debugging tricks, right, which one of these things is a debugger? And you know, you do your kill -l and you get your 32 signals, and which one of those is a debugger? And the answer is all of them; all of them are debuggers. So you can bring your own debugger into a

process without using the GDB one. You can either drop a small GDB stub or you can just add your own methods for hooking and for redirecting calls. So that was an epiphany, when I got this idea from the talk at REcon called the Silver Needle in the Skype. These were the guys that reverse engineered Skype to find the list of sites that it blocked and other interesting things that the developers did not care to reveal, because they just made this concession to some friendly governments. And it was just an epiphany; it was this pot of gold; it was just this thing that was a steal. And unorthodox debugging, whereas of course they had to write their own ring zero debugger, the Rasta debugger, and I was so sad when the web page for that went away. Web pages go away; it's called bit rot. When we're editing Proof of Concept or the other thing, which may or may not have been known as Get The [ __ ] Out, a constant problem we have is that authors send in lists of URLs as their citations, and very often those URLs will bit rot within two months, and if they don't do that they'll bit rot within two years, or within 10. So much of the history of how to do reverse engineering has fallen apart. There was brilliant work done in attacking embedded systems that was only documented in closed satellite TV piracy forums that has evaporated; it's just gone and we'll never get that back. Yeah, this is sad, which is why of course every issue includes all the previous issues. Well, we stopped doing that at the designer's request, because he calculated that in 10 more issues it will increase to the mass of the Sun, or the universe perhaps. Well, jokes on him, it's only half that large. So at this point what we ought to do, but what we will not do, is ask you

fine folks for questions. And we're not going to do this because when you ask an audience for questions there's always some guy who's really excited, you know who you are, and he jumps up to the microphone and instead of asking a question he tells a story. Yes, neighbor, yes. So we have just enough time for a three minute story. You can jump up on the stage right now and tell your story, but we're going to judge you afterward. Do we have a volunteer? I'm not joking, I'm not being facetious, I really want someone to jump up and tell a three-minute story. I think we have no volunteers. Well, in that case we'll conclude with: everything's a polyglot; things that are old are new again; things that used to surprise you as a young reverse engineer are probably useful in some obscure Internet of Things thing somewhere which is coming to the power station near you. Well, okay, just rephrase that last one: every technique you have ever heard of works on some Internet of Things thing. Techniques never die. There's no exception to this. Somebody's going to raise his hand and be like, what about DOS exploits? Yes, some of them run DOS. Like, so, techniques never die. So if you have a clever thing, that is just this clever, cute thing, do not let it die. Document it. Send it to pastor@phrack.org, to the Journal of Proof of Concept. We're good Buddhists; we believe in cherishing bugs and helping them to grow instead of squashing them, and we need your help for that. I'm going to close this by ripping off a closing from Dan Geer, who is a brilliant scholar and a saint: there isn't enough time, and thank you kindly for yours. There isn't enough time, and thank you kindly for yours. Yeah.
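The guard-page trick from the unorthodox debugging part of the talk ("touch a guard page and make that your handler ... you catch it and then restore it"), as an added C example that is not code from the speakers: a PROT_NONE page serves as the breakpoint, and a SIGSEGV/SIGBUS handler stands in for the debugger, counting the hit and restoring the page so the faulting instruction retries and succeeds. The function and variable names are mine; it assumes a POSIX system with mmap and mprotect.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not from the talk: a PROT_NONE guard page used as a breakpoint,
 * with the SIGSEGV/SIGBUS handler standing in for the debugger. */
static volatile sig_atomic_t trap_hits = 0;  /* times our "breakpoint" fired */
static char *guard_page = NULL;
static size_t page_size = 0;

/* Fault handler: only a fault inside the guard page counts as our breakpoint. */
static void guard_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    uintptr_t fault = (uintptr_t)info->si_addr, base = (uintptr_t)guard_page;
    if (fault < base || fault >= base + page_size) {
        signal(sig, SIG_DFL);  /* not ours: let the real crash proceed */
        return;
    }
    trap_hits++;
    /* "Catch it and then restore it": make the page usable again so the faulting
     * instruction re-executes successfully once the handler returns. */
    mprotect(guard_page, page_size, PROT_READ | PROT_WRITE);
}

/* Arms the guard page, trips it twice (write, then read), returns traps caught: 2. */
int run_guard_breakpoint_demo(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    guard_page = mmap(NULL, page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard_page == MAP_FAILED)
        return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = guard_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);  /* some platforms report the hit as SIGBUS */

    volatile char *p = guard_page;
    p[0] = 'A';                                  /* trap 1: write to the PROT_NONE page */
    mprotect(guard_page, page_size, PROT_NONE);  /* re-arm the breakpoint */
    char c = p[0];                               /* trap 2: read; the 'A' survived */

    munmap(guard_page, page_size);
    signal(SIGSEGV, SIG_DFL); signal(SIGBUS, SIG_DFL);
    return c == 'A' ? (int)trap_hits : -2;
}
```

Any other exceptional condition (an alignment fault, a floating point exception, an illegal instruction) can be wired to a handler the same way; the point of the talk is that each of them is a usable breakpoint, so an anti-debugging check that only looks for the signals GDB uses misses all the others.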