0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/720 Thanks! 1 00:00:14,200 --> 00:00:15,550 So today, 2 00:00:17,260 --> 00:00:18,759 as the first session we're going to hear 3 00:00:18,760 --> 00:00:19,979 about Rawda, 4 00:00:22,570 --> 00:00:24,429 this is a reversing framework that has 5 00:00:24,430 --> 00:00:26,019 been gaining an immense amount of 6 00:00:26,020 --> 00:00:27,730 traction over the past few years. 7 00:00:29,590 --> 00:00:31,389 It even managed to get itself onto 8 00:00:31,390 --> 00:00:32,739 doctor. Sorry, Doctor. 9 00:00:32,740 --> 00:00:34,089 Mr. Robot. 10 00:00:34,090 --> 00:00:35,680 I hope you guys saw that series is great. 11 00:00:37,420 --> 00:00:39,579 It has a reputation, however, of 12 00:00:39,580 --> 00:00:41,799 being kind of fiddly and difficult 13 00:00:41,800 --> 00:00:43,989 and and just hard 14 00:00:43,990 --> 00:00:46,119 to use, which I think is unjustified 15 00:00:46,120 --> 00:00:48,189 personally. But to dispel all 16 00:00:48,190 --> 00:00:50,379 of these myths, we 17 00:00:50,380 --> 00:00:53,499 have the author himself, 18 00:00:53,500 --> 00:00:55,689 Sanjay Alvarez, also 19 00:00:55,690 --> 00:00:58,509 known as Pancake, also known as Trophy, 20 00:00:58,510 --> 00:01:00,849 and he's going to tell us all about 21 00:01:00,850 --> 00:01:02,829 it. And please give him a really warm 22 00:01:02,830 --> 00:01:03,830 welcome. 23 00:01:10,950 --> 00:01:13,079 Hello, uh, my told you 24 00:01:13,080 --> 00:01:16,199 about the mystifying rather I will try to 25 00:01:16,200 --> 00:01:18,089 explain a little bit what's rather and 26 00:01:19,110 --> 00:01:21,449 what are the reasons behind the 27 00:01:21,450 --> 00:01:22,659 title? 
28 00:01:22,660 --> 00:01:23,709 Uh, 29 00:01:24,850 --> 00:01:26,909 to me, I mean, if I 30 00:01:26,910 --> 00:01:28,799 nicknaming other people and the Internet 31 00:01:28,800 --> 00:01:31,079 knows me a pancake, I am actually working 32 00:01:31,080 --> 00:01:32,459 at nonsecure. I'm doing research and 33 00:01:32,460 --> 00:01:34,349 development and security. 34 00:01:34,350 --> 00:01:36,899 And I'm the author of another one and 35 00:01:36,900 --> 00:01:39,089 rather two and also many other 36 00:01:39,090 --> 00:01:40,319 tools like A. 37 00:01:40,320 --> 00:01:42,449 Bind and all of them 38 00:01:42,450 --> 00:01:43,439 opensource. 39 00:01:43,440 --> 00:01:46,229 I've been working many things. 40 00:01:46,230 --> 00:01:47,369 I've been messing with Bluetooth. 41 00:01:47,370 --> 00:01:49,139 I've been coding assembly for call the 42 00:01:49,140 --> 00:01:51,749 optimizations, doing 43 00:01:51,750 --> 00:01:53,879 the firmware development and also 44 00:01:53,880 --> 00:01:56,459 participating in CTF at Def Con 45 00:01:56,460 --> 00:01:58,169 in The Sexy Panda. The theme. 46 00:01:58,170 --> 00:02:00,149 And also I've been doing Forensic's 47 00:02:00,150 --> 00:02:02,849 working as a sysadmin and 48 00:02:02,850 --> 00:02:04,949 I mainly, uh, doing stuff at a 49 00:02:04,950 --> 00:02:07,169 low level C and also I manage 50 00:02:07,170 --> 00:02:08,580 to do things in the website. 51 00:02:09,639 --> 00:02:11,369 Uh, what's another. 52 00:02:11,370 --> 00:02:12,779 Well, it's an open source software 53 00:02:12,780 --> 00:02:14,489 engineering framework. 54 00:02:14,490 --> 00:02:16,619 I try to focus on being portable, 55 00:02:16,620 --> 00:02:17,910 extensible and expressive. 56 00:02:19,530 --> 00:02:20,459 It's a hobby project. 57 00:02:20,460 --> 00:02:22,439 I don't really get money out of this. 
58 00:02:22,440 --> 00:02:23,909 It's something that I just thought that 59 00:02:23,910 --> 00:02:26,379 just because I have some personal need 60 00:02:26,380 --> 00:02:28,319 to recover some files from my hard drive 61 00:02:29,490 --> 00:02:31,049 and I just I got to the time I was 62 00:02:31,050 --> 00:02:32,639 working as a forensic analysis analyst 63 00:02:32,640 --> 00:02:34,919 and I decided to implement Symbolics 64 00:02:34,920 --> 00:02:37,019 asking. Mm. For looking for some patterns 65 00:02:37,020 --> 00:02:38,729 and dumping the results. 66 00:02:38,730 --> 00:02:41,039 Uh, after I started doing some 67 00:02:41,040 --> 00:02:42,779 cracked me, so I decided to implement 68 00:02:42,780 --> 00:02:45,659 these assembler debugger etc. 69 00:02:45,660 --> 00:02:47,489 and I was extending the tool for 70 00:02:47,490 --> 00:02:49,979 everything that I knew, something I 71 00:02:49,980 --> 00:02:51,349 made for. 72 00:02:51,350 --> 00:02:53,249 Three years later, mainly because I it 73 00:02:53,250 --> 00:02:55,799 was like a big blob and I decided to 74 00:02:55,800 --> 00:02:57,359 make it more modular, implementing 75 00:02:57,360 --> 00:02:59,759 different libraries and supporting 76 00:02:59,760 --> 00:03:01,409 different scripting languages in a better 77 00:03:01,410 --> 00:03:03,719 way. Instead of just launching 78 00:03:03,720 --> 00:03:05,369 the interpreter from inside the project, 79 00:03:05,370 --> 00:03:07,859 just in exposing 80 00:03:07,860 --> 00:03:09,869 the APIs and allowing other libraries 81 00:03:09,870 --> 00:03:12,629 tool to use the project itself, 82 00:03:12,630 --> 00:03:15,389 uh, there was really a few contributors 83 00:03:15,390 --> 00:03:17,179 until two years ago. 
84 00:03:17,180 --> 00:03:20,489 Uh, that's something that 85 00:03:20,490 --> 00:03:23,099 actually a lot of users, 86 00:03:23,100 --> 00:03:25,229 many contributors every day I 87 00:03:25,230 --> 00:03:27,299 have like three, five, four requests to 88 00:03:27,300 --> 00:03:29,519 review and merge. 89 00:03:29,520 --> 00:03:30,869 There are like five hundred users in 90 00:03:30,870 --> 00:03:33,119 telegram and now you're seeing more than 91 00:03:33,120 --> 00:03:35,369 five thousand users on following 92 00:03:35,370 --> 00:03:36,539 and Twitter. 93 00:03:36,540 --> 00:03:38,729 Uh, and this year I organized 94 00:03:38,730 --> 00:03:40,829 the first Congress about 95 00:03:40,830 --> 00:03:42,569 the two in Barcelona. 96 00:03:43,800 --> 00:03:45,749 And this is the third year that we are 97 00:03:45,750 --> 00:03:48,839 organizing the competition. 98 00:03:48,840 --> 00:03:51,129 So the person is really active and 99 00:03:51,130 --> 00:03:53,459 there are so many people behind, 100 00:03:53,460 --> 00:03:56,069 uh, what's 101 00:03:56,070 --> 00:03:57,829 the name stands for role that the 102 00:03:57,830 --> 00:04:00,179 recovery reason 103 00:04:00,180 --> 00:04:02,519 is because, uh, I started the project, 104 00:04:02,520 --> 00:04:04,379 uh, something something for forensics, 105 00:04:04,380 --> 00:04:05,729 not something for 106 00:04:06,870 --> 00:04:08,829 static offices or debugging, anything 107 00:04:08,830 --> 00:04:09,809 like that. 108 00:04:09,810 --> 00:04:12,149 So it comes with an exceptionally veter, 109 00:04:12,150 --> 00:04:14,489 which is the basic functionality, uh, 110 00:04:14,490 --> 00:04:15,869 but also supports assembling and 111 00:04:15,870 --> 00:04:17,289 disassembling the different backend. 112 00:04:17,290 --> 00:04:19,229 For this, you can implement new plugins 113 00:04:19,230 --> 00:04:21,179 for each of these functionalities. 
114 00:04:21,180 --> 00:04:23,489 I support a lot of file formats, 115 00:04:23,490 --> 00:04:25,829 mainly, uh, if they are broken, 116 00:04:25,830 --> 00:04:27,029 they are also supported. 117 00:04:27,030 --> 00:04:29,549 We try to force every 118 00:04:29,550 --> 00:04:31,769 every single file format in order to find 119 00:04:31,770 --> 00:04:33,419 boxing to our passwords. 120 00:04:33,420 --> 00:04:35,099 So it's pretty safe right now. 121 00:04:35,100 --> 00:04:36,299 Um, 122 00:04:37,320 --> 00:04:39,119 it's subparts, mainly static things. 123 00:04:39,120 --> 00:04:41,189 But there are also, uh, 124 00:04:41,190 --> 00:04:42,309 capabilities for doing that. 125 00:04:42,310 --> 00:04:44,919 ISIS, it's also able to do 126 00:04:44,920 --> 00:04:47,519 checksums compute entropy, uh, 127 00:04:47,520 --> 00:04:49,169 and look for differences between 128 00:04:49,170 --> 00:04:50,170 different files. 129 00:04:51,040 --> 00:04:52,379 It's table to the back. 130 00:04:52,380 --> 00:04:54,659 It also comes with an emulator on 131 00:04:54,660 --> 00:04:56,819 their APIs for writing plugins 132 00:04:56,820 --> 00:04:58,959 to extend or emulate those like 133 00:04:58,960 --> 00:05:01,829 Unicorn and things like that. 134 00:05:01,830 --> 00:05:03,989 Uh, it's also comes with 135 00:05:03,990 --> 00:05:05,789 functionalities for exploiting, like I've 136 00:05:05,790 --> 00:05:07,889 got to train the payload generator, 137 00:05:08,910 --> 00:05:11,349 the bridging pattern, etc., uh, 138 00:05:11,350 --> 00:05:12,389 tsubasa scripting. 139 00:05:12,390 --> 00:05:14,129 And there is like a package manager 140 00:05:14,130 --> 00:05:16,229 because, uh, actually there are so many, 141 00:05:16,230 --> 00:05:18,479 uh, extensions and plug ins that people 142 00:05:18,480 --> 00:05:20,729 use and I don't want to bring them 143 00:05:20,730 --> 00:05:22,079 all together inside the car. 
144 00:05:22,080 --> 00:05:24,149 So it's better if I can just provide 145 00:05:24,150 --> 00:05:25,230 a simple way for 146 00:05:26,580 --> 00:05:28,230 other people to install this plugin. 147 00:05:32,030 --> 00:05:32,989 What can you expect? 148 00:05:32,990 --> 00:05:35,239 Well, this is some examples of things 149 00:05:35,240 --> 00:05:37,279 that people are really messing up with, 150 00:05:37,280 --> 00:05:39,889 rather their spokesman, 151 00:05:39,890 --> 00:05:41,269 Rama, or Gameboy 152 00:05:42,620 --> 00:05:44,640 Streetfighter, famed for 153 00:05:46,040 --> 00:05:48,109 my words, DNA sequencers, 154 00:05:48,110 --> 00:05:50,419 the Apollo 11 C.P.U, 155 00:05:50,420 --> 00:05:51,420 etc. 156 00:05:52,600 --> 00:05:53,950 But wait, don't lose the. 157 00:05:55,030 --> 00:05:57,939 We try to focus on myth, so 158 00:05:57,940 --> 00:05:58,940 we shall. 159 00:06:00,750 --> 00:06:02,429 Which will explain a little bit, which 160 00:06:02,430 --> 00:06:04,470 means people things about this project. 161 00:06:05,520 --> 00:06:07,289 Many people think that this rather is not 162 00:06:07,290 --> 00:06:08,699 stable. 163 00:06:08,700 --> 00:06:10,289 Other people think that it's difficult. 164 00:06:10,290 --> 00:06:12,389 There are so many coalmines are difficult 165 00:06:12,390 --> 00:06:14,649 and hard to remember other people, 166 00:06:14,650 --> 00:06:16,799 things that it's it's it's not able 167 00:06:16,800 --> 00:06:19,439 to compile the backgrounds broken. 168 00:06:19,440 --> 00:06:20,489 So many complaints like these. 169 00:06:25,950 --> 00:06:28,289 But first, let's try to make a poll 170 00:06:28,290 --> 00:06:29,360 how many of you know this? 171 00:06:31,690 --> 00:06:33,759 OK, I guess everybody check 172 00:06:33,760 --> 00:06:34,959 the website before coming to us. 173 00:06:34,960 --> 00:06:37,179 OK, I 174 00:06:37,180 --> 00:06:39,249 know how many of you already use 175 00:06:39,250 --> 00:06:40,250 it all. 
176 00:06:42,720 --> 00:06:44,329 Half of the attendees, 177 00:06:45,600 --> 00:06:47,339 that's pretty good. OK, so let's talk 178 00:06:47,340 --> 00:06:49,579 about the first myth, which is 179 00:06:49,580 --> 00:06:50,580 difficult. 180 00:06:54,960 --> 00:06:56,730 This is a graph about the learning curve 181 00:06:57,930 --> 00:06:59,549 starting from the point that you're 182 00:06:59,550 --> 00:07:01,859 opening a file and the point that 183 00:07:01,860 --> 00:07:04,049 you start doing something useful with 184 00:07:04,050 --> 00:07:06,599 it, uh, 185 00:07:06,600 --> 00:07:08,819 in fact, it's pretty 186 00:07:08,820 --> 00:07:10,919 hard to learn this and use 187 00:07:10,920 --> 00:07:12,889 this tool. But you can compare this this 188 00:07:12,890 --> 00:07:14,639 learning curve to other projects like it 189 00:07:14,640 --> 00:07:16,289 being, etc.. 190 00:07:16,290 --> 00:07:18,599 Um, the reasoning 191 00:07:18,600 --> 00:07:20,399 behind this is because there are so many 192 00:07:20,400 --> 00:07:21,599 comments, but there is a logic behind 193 00:07:21,600 --> 00:07:23,459 them. So if you understand the logic, 194 00:07:23,460 --> 00:07:25,619 it's pretty easy to start learning 195 00:07:25,620 --> 00:07:27,149 and testing things for yourself, for your 196 00:07:27,150 --> 00:07:27,779 own. 197 00:07:27,780 --> 00:07:30,839 So, uh, if you 198 00:07:30,840 --> 00:07:32,399 understand the logic behind them, you're 199 00:07:32,400 --> 00:07:34,739 getting great marks, expressive 200 00:07:34,740 --> 00:07:36,929 comments so you can make 201 00:07:36,930 --> 00:07:38,729 different comments and create new 202 00:07:38,730 --> 00:07:40,859 functionality, which you 203 00:07:40,860 --> 00:07:42,119 can easily hack into the code. 204 00:07:42,120 --> 00:07:43,529 It's pretty easy to find the place that 205 00:07:43,530 --> 00:07:45,959 you want to modify and just change 206 00:07:45,960 --> 00:07:47,309 anything in there. 
You can create 207 00:07:47,310 --> 00:07:49,469 plugins. You can write the new script in 208 00:07:49,470 --> 00:07:51,689 any scripting language for 209 00:07:51,690 --> 00:07:53,249 extending the functionality or just 210 00:07:53,250 --> 00:07:54,719 creating a specific analysis for your 211 00:07:54,720 --> 00:07:56,039 target. 212 00:07:56,040 --> 00:07:57,959 And you can also be on top of it. 213 00:07:57,960 --> 00:08:00,119 So it's pretty easy 214 00:08:00,120 --> 00:08:01,619 to hack on top of this. 215 00:08:01,620 --> 00:08:03,869 But let's focus on the difficult part of 216 00:08:03,870 --> 00:08:05,969 the comments coming from Ramonet 217 00:08:05,970 --> 00:08:08,379 comments. This means that they are, 218 00:08:08,380 --> 00:08:09,989 of course, looked at by letters. 219 00:08:09,990 --> 00:08:12,389 Each letter means something and 220 00:08:12,390 --> 00:08:13,739 they are still doing it in a way that the 221 00:08:13,740 --> 00:08:16,379 first letter means what the reason 222 00:08:16,380 --> 00:08:18,089 for the common like, for example, the 223 00:08:18,090 --> 00:08:19,379 letter B, it means that it's for 224 00:08:19,380 --> 00:08:21,839 printing. The second letter means that 225 00:08:21,840 --> 00:08:22,759 what do you want to print? 226 00:08:22,760 --> 00:08:24,719 So you want to printing, do you want to 227 00:08:24,720 --> 00:08:26,789 print disassemble, you want to print the 228 00:08:26,790 --> 00:08:28,289 updated, etc.. 229 00:08:28,290 --> 00:08:30,299 Uh, if you have a lot of Unix like 230 00:08:31,530 --> 00:08:33,599 concepts behind the shell so 231 00:08:33,600 --> 00:08:35,308 you can use firebase, you can use other 232 00:08:35,309 --> 00:08:37,079 X, there is an internal grep. 
233 00:08:37,080 --> 00:08:39,749 You can also last you can then Jason 234 00:08:39,750 --> 00:08:41,879 and all these things comes inside 235 00:08:41,880 --> 00:08:44,669 the the the that 236 00:08:44,670 --> 00:08:46,979 you can also pipe to, to the shell. 237 00:08:46,980 --> 00:08:49,049 But the reason for this is because 238 00:08:49,050 --> 00:08:51,749 you can just ship the 239 00:08:51,750 --> 00:08:53,999 other two binary and in any 240 00:08:54,000 --> 00:08:55,619 device and you will have like a full 241 00:08:55,620 --> 00:08:57,809 unique shell in that more or less 242 00:08:57,810 --> 00:08:59,609 you don't really need to ship last 243 00:08:59,610 --> 00:09:02,369 command. You don't need any tool to ship 244 00:09:02,370 --> 00:09:05,819 other tools like Jason P, etc. 245 00:09:05,820 --> 00:09:07,949 and it tries to be Automan. 246 00:09:07,950 --> 00:09:09,189 All these means that you can make 247 00:09:09,190 --> 00:09:10,709 different comments and get the 248 00:09:10,710 --> 00:09:12,059 functionality out of there. 249 00:09:12,060 --> 00:09:13,919 So let's make a quick demo with the 250 00:09:13,920 --> 00:09:16,259 understanding which comments 251 00:09:16,260 --> 00:09:17,579 are the basic ones. 252 00:09:17,580 --> 00:09:19,799 You only need to remember five comments 253 00:09:19,800 --> 00:09:21,870 after this. You can start learning other 254 00:09:23,190 --> 00:09:25,229 modifiers or comments that can be helpful 255 00:09:25,230 --> 00:09:26,609 for your project. 256 00:09:26,610 --> 00:09:28,679 But the five basic comments are this. 257 00:09:30,600 --> 00:09:31,600 We can open the file. 258 00:09:36,100 --> 00:09:38,269 And we're going to seek any place. 259 00:09:38,270 --> 00:09:40,889 Can you read the I can make it 260 00:09:40,890 --> 00:09:41,890 bigger. 261 00:09:44,480 --> 00:09:45,619 We're going to take, for example. 
262 00:09:50,080 --> 00:09:52,229 To this address, we can bring 263 00:09:52,230 --> 00:09:54,129 this time all of this out. 264 00:09:54,130 --> 00:09:56,319 We can think back as 265 00:09:56,320 --> 00:09:58,150 you see all the comments are. 266 00:10:00,730 --> 00:10:02,859 In the help, so you can just 267 00:10:02,860 --> 00:10:04,509 append a question mark at the end of the 268 00:10:04,510 --> 00:10:05,799 comment and you get the help of this with 269 00:10:05,800 --> 00:10:08,019 comments and 270 00:10:08,020 --> 00:10:10,239 you can also like make relative 271 00:10:10,240 --> 00:10:11,259 fix like this. 272 00:10:13,950 --> 00:10:15,509 The other comment is a B, which is for 273 00:10:15,510 --> 00:10:17,309 printing, we can print in different 274 00:10:17,310 --> 00:10:20,159 formats, you can print an example, 275 00:10:20,160 --> 00:10:22,079 you can print or disassemble, you can 276 00:10:22,080 --> 00:10:23,520 print instructions. 277 00:10:25,850 --> 00:10:28,019 And then the other comment is a 278 00:10:28,020 --> 00:10:30,359 double B, which is for writing, 279 00:10:30,360 --> 00:10:32,519 I will enable to God 280 00:10:32,520 --> 00:10:34,619 because I don't have I didn't open the 281 00:10:34,620 --> 00:10:36,059 file for writing. 282 00:10:36,060 --> 00:10:39,239 So if I want to write something here, 283 00:10:39,240 --> 00:10:41,459 I will have to enable to 284 00:10:41,460 --> 00:10:43,469 the judge so I can. 285 00:10:43,470 --> 00:10:46,259 But for example, the first instruction 286 00:10:46,260 --> 00:10:48,429 and we'll see the end up embarrassing. 287 00:10:48,430 --> 00:10:50,519 They're so common allows you 288 00:10:50,520 --> 00:10:52,889 to to write things in there. 289 00:10:52,890 --> 00:10:54,629 We're going to write the experts. 
290 00:10:54,630 --> 00:10:56,819 You can write the family, you can 291 00:10:56,820 --> 00:10:58,889 write the contents of a file into 292 00:10:58,890 --> 00:11:01,049 the into the 293 00:11:01,050 --> 00:11:02,669 courtroom, etc. 294 00:11:02,670 --> 00:11:04,739 and then the less common and 295 00:11:04,740 --> 00:11:06,539 the less important is the queue for 296 00:11:06,540 --> 00:11:07,540 quitting the program. 297 00:11:08,640 --> 00:11:10,259 And we're going to feel there are some 298 00:11:10,260 --> 00:11:12,479 modifiers here we're gonna use. 299 00:11:12,480 --> 00:11:13,480 For example, 300 00:11:15,270 --> 00:11:17,129 if this is this or something like this, 301 00:11:17,130 --> 00:11:19,319 we can grab we 302 00:11:19,320 --> 00:11:21,479 can also grep for some 303 00:11:21,480 --> 00:11:23,519 specific strengths. We can just grab 304 00:11:23,520 --> 00:11:24,520 particles. 305 00:11:26,900 --> 00:11:28,639 We can also count the number of calls 306 00:11:28,640 --> 00:11:30,739 that are here, and 307 00:11:30,740 --> 00:11:32,839 if there is like a huge or long 308 00:11:32,840 --> 00:11:35,239 list of things, we can first 309 00:11:35,240 --> 00:11:37,309 ask if you want to print all 310 00:11:37,310 --> 00:11:39,069 these things, but you can also just the 311 00:11:39,070 --> 00:11:41,129 dot, which means no less, 312 00:11:41,130 --> 00:11:42,699 and they will get like scrolling in 313 00:11:42,700 --> 00:11:43,700 there. 314 00:11:44,730 --> 00:11:47,059 So that's more or less the 315 00:11:47,060 --> 00:11:49,279 logic behind this comment. 316 00:11:49,280 --> 00:11:50,659 We'll learn more comments after this. 317 00:11:55,260 --> 00:11:57,649 Rather than in into different models, 318 00:11:58,670 --> 00:12:00,379 there is a labor directive which contains 319 00:12:00,380 --> 00:12:02,719 all the different models, the library, as 320 00:12:02,720 --> 00:12:04,370 we can see in here, 321 00:12:05,930 --> 00:12:06,930 there is like a. 
322 00:12:08,550 --> 00:12:10,799 Bercaw, which links against the other 323 00:12:10,800 --> 00:12:12,579 libraries and its other library. 324 00:12:12,580 --> 00:12:15,359 It's linking against other ones, 325 00:12:15,360 --> 00:12:17,429 are you dealing with the basic library 326 00:12:17,430 --> 00:12:18,430 on top of Lipsy? 327 00:12:19,380 --> 00:12:20,969 So if you want to talk to any other 328 00:12:20,970 --> 00:12:22,859 platforms, you usually need to want to 329 00:12:22,860 --> 00:12:24,509 patch on the table. 330 00:12:24,510 --> 00:12:27,299 Pipes, which usually is dybbuk back 331 00:12:27,300 --> 00:12:29,399 takes a la carte functionality for 332 00:12:29,400 --> 00:12:31,899 the backing of a specific platform 333 00:12:31,900 --> 00:12:33,869 and also built with debugging. 334 00:12:33,870 --> 00:12:34,870 So it's easy to. 335 00:12:36,530 --> 00:12:37,899 This is more or less a structure of all 336 00:12:37,900 --> 00:12:39,399 the libraries and each of these libraries 337 00:12:39,400 --> 00:12:41,739 allows you to create plugins 338 00:12:41,740 --> 00:12:42,699 out of them. 339 00:12:42,700 --> 00:12:45,489 They are under the AP, the rectory, 340 00:12:45,490 --> 00:12:47,379 and there is also the bin directly, which 341 00:12:47,380 --> 00:12:48,999 contains all the binaries. 342 00:12:49,000 --> 00:12:50,589 So we can check these. 343 00:12:59,380 --> 00:13:01,599 And we can also see this into the 344 00:13:01,600 --> 00:13:02,600 labor. 345 00:13:03,830 --> 00:13:06,199 So we see all the all the different 346 00:13:06,200 --> 00:13:07,200 models in their. 347 00:13:11,450 --> 00:13:13,909 OK, there is another myth, which is 348 00:13:13,910 --> 00:13:15,620 that it's useless for forensics. 349 00:13:17,360 --> 00:13:18,949 In fact, it was the first aim of the 350 00:13:18,950 --> 00:13:21,299 project. 
So there are some function 351 00:13:21,300 --> 00:13:22,909 ideas and there are strong, strong, 352 00:13:22,910 --> 00:13:25,129 strong points for doing forensic 353 00:13:25,130 --> 00:13:27,199 on this. But there are obviously other 354 00:13:27,200 --> 00:13:29,029 tools which only focus on forensics, 355 00:13:29,030 --> 00:13:31,339 which is probably better for for doing 356 00:13:31,340 --> 00:13:32,340 forensics. 357 00:13:33,030 --> 00:13:34,279 But you can do many things with it, 358 00:13:35,990 --> 00:13:37,819 like, for example, opening these devices. 359 00:13:37,820 --> 00:13:40,279 You can open them up 360 00:13:40,280 --> 00:13:42,199 as the A or a Windows device. 361 00:13:42,200 --> 00:13:44,299 You can also open to the 362 00:13:44,300 --> 00:13:46,239 physical randomize if it's supported by 363 00:13:46,240 --> 00:13:48,589 the government. There is also a network 364 00:13:48,590 --> 00:13:51,139 model which works on Linux and Windows 365 00:13:51,140 --> 00:13:53,389 and allows you to create 366 00:13:53,390 --> 00:13:54,979 physical and digital memory from from the 367 00:13:54,980 --> 00:13:57,049 kernel. It's got a model and you can 368 00:13:57,050 --> 00:13:58,050 interact with it. 369 00:13:58,810 --> 00:14:00,589 You can find out for bathrooms and the 370 00:14:00,590 --> 00:14:02,629 results. You can modify the systems. 371 00:14:02,630 --> 00:14:04,489 And it's also able to understand the 372 00:14:04,490 --> 00:14:06,709 protection systems, this 373 00:14:06,710 --> 00:14:08,329 code. This was report from group. 374 00:14:08,330 --> 00:14:10,819 So it's I also fix a bunch of boxing 375 00:14:10,820 --> 00:14:11,820 in Europe. 376 00:14:13,040 --> 00:14:15,229 It's also able to cry for known file 377 00:14:15,230 --> 00:14:16,549 formats. 
378 00:14:16,550 --> 00:14:18,409 You can show a structure to understand 379 00:14:18,410 --> 00:14:20,689 and include files in order to 380 00:14:20,690 --> 00:14:22,909 show the content of a specific 381 00:14:22,910 --> 00:14:25,399 memory dump with a formatted 382 00:14:25,400 --> 00:14:26,400 memory. 383 00:14:27,020 --> 00:14:29,309 It's also able to compute incremental 384 00:14:29,310 --> 00:14:30,199 superblock checksums. 385 00:14:30,200 --> 00:14:32,719 So this is handy because if you want to 386 00:14:32,720 --> 00:14:35,329 compute the 387 00:14:35,330 --> 00:14:37,729 text, like amplify every 388 00:14:37,730 --> 00:14:40,399 megabyte on a gigabyte file, 389 00:14:40,400 --> 00:14:42,019 you will get the file with a list and you 390 00:14:42,020 --> 00:14:44,079 can also compare this with another dump 391 00:14:44,080 --> 00:14:45,789 and then decide which part of this file 392 00:14:45,790 --> 00:14:46,790 is modified. 393 00:14:48,950 --> 00:14:51,319 You can change the plugins for the I 394 00:14:51,320 --> 00:14:53,389 mean, as I said before, all the 395 00:14:53,390 --> 00:14:54,739 input and output is pluggable. 396 00:14:54,740 --> 00:14:57,139 So you can create plugins for anything. 397 00:14:57,140 --> 00:14:58,429 And there are plugins like, for example, 398 00:14:58,430 --> 00:15:00,499 Jessep, and it will be after loading in 399 00:15:00,500 --> 00:15:02,629 case images, you can 400 00:15:02,630 --> 00:15:04,849 get the list of your plugins do with 401 00:15:04,850 --> 00:15:05,850 this comment. 402 00:15:06,470 --> 00:15:09,139 And this is a lot less 403 00:15:09,140 --> 00:15:12,229 the list of plugins that can be used for 404 00:15:12,230 --> 00:15:14,049 opening local or remote targets. 
405 00:15:15,090 --> 00:15:17,329 Uh, the uppercase windows 406 00:15:17,330 --> 00:15:19,759 of flag can be used with them, too, 407 00:15:19,760 --> 00:15:21,499 which is handy for getting the list of 408 00:15:22,670 --> 00:15:23,990 assembly and disassemble plugins. 409 00:15:26,310 --> 00:15:28,619 And the same thing goes for 410 00:15:28,620 --> 00:15:31,019 Robin, do that, get the least of 411 00:15:31,020 --> 00:15:33,029 plugins for binary formats that are 412 00:15:33,030 --> 00:15:34,030 supported by the project. 413 00:15:37,020 --> 00:15:38,879 OK, so let's go for the first Zemel. 414 00:15:51,130 --> 00:15:53,349 OK, so we have a file, which seems like 415 00:15:53,350 --> 00:15:54,350 it's. 416 00:15:55,540 --> 00:15:57,699 It's trash, I mean, there is nothing 417 00:15:57,700 --> 00:15:59,739 like interesting here, we can see the 418 00:15:59,740 --> 00:16:00,879 entropy computation here 419 00:16:02,050 --> 00:16:03,580 and there is like but the. 420 00:16:04,640 --> 00:16:06,799 Huge zeroes in 421 00:16:06,800 --> 00:16:07,800 there. 422 00:16:08,980 --> 00:16:11,859 But more or less, entropy is pretty high. 423 00:16:11,860 --> 00:16:13,989 So what we're looking at is 424 00:16:13,990 --> 00:16:16,179 just look for nonperformance 425 00:16:16,180 --> 00:16:18,489 using the same, which looks for magic. 426 00:16:22,270 --> 00:16:24,609 And it looks like it found something 427 00:16:24,610 --> 00:16:26,799 in this upset, so we'll check 428 00:16:26,800 --> 00:16:29,469 in there and we will 429 00:16:29,470 --> 00:16:30,470 we will ratify. 430 00:16:37,640 --> 00:16:40,069 This created a new file with 431 00:16:40,070 --> 00:16:41,789 the condoms are starting at the current 432 00:16:41,790 --> 00:16:44,069 offset, so we can open it 433 00:16:44,070 --> 00:16:47,119 and we see that 434 00:16:47,120 --> 00:16:49,279 this is just so 435 00:16:49,280 --> 00:16:50,960 we have to open it with Guiseppe. 
436 00:16:56,340 --> 00:16:57,899 And now we see something in there we're 437 00:16:57,900 --> 00:16:59,219 going to just be on again and you will 438 00:16:59,220 --> 00:17:00,869 see that this is a flat file format, 439 00:17:02,760 --> 00:17:04,979 so we'll use that in order to demand 440 00:17:04,980 --> 00:17:07,259 this partition using the 441 00:17:07,260 --> 00:17:08,729 common will specify that we want them on 442 00:17:08,730 --> 00:17:10,858 this in the route, using the file 443 00:17:10,859 --> 00:17:12,939 format. And after that, we can specify 444 00:17:12,940 --> 00:17:14,639 a different offset. One tool among the 445 00:17:14,640 --> 00:17:15,640 different. 446 00:17:17,990 --> 00:17:18,879 Inside the file. 447 00:17:18,880 --> 00:17:21,439 Now you can use the mouse with the 448 00:17:21,440 --> 00:17:23,809 shell inside the amount for a month 449 00:17:23,810 --> 00:17:26,179 and we can see the contents 450 00:17:26,180 --> 00:17:27,108 of this file format. 451 00:17:27,109 --> 00:17:28,939 We can show the contents. 452 00:17:28,940 --> 00:17:31,269 We can see like watching 453 00:17:31,270 --> 00:17:32,209 inflation. 454 00:17:32,210 --> 00:17:34,549 We can get the this file 455 00:17:34,550 --> 00:17:36,949 and then we can just open 456 00:17:36,950 --> 00:17:37,950 the open it 457 00:17:39,170 --> 00:17:41,119 and see that this is a Linux elf 458 00:17:43,280 --> 00:17:44,280 common. 459 00:17:46,640 --> 00:17:48,559 So there is a bunch of functionalities 460 00:17:48,560 --> 00:17:49,969 that can be handy for forensics. 461 00:17:51,420 --> 00:17:53,450 Not complaining that this is slow. 
462 00:17:55,780 --> 00:17:57,789 It's so nice, this is a regular slow 463 00:17:57,790 --> 00:17:59,889 operation to it's blocking 464 00:17:59,890 --> 00:18:02,109 mainly because it takes some time and 465 00:18:02,110 --> 00:18:04,179 you need to grab 466 00:18:04,180 --> 00:18:05,979 all the information before doing anything 467 00:18:05,980 --> 00:18:07,359 useful. You can do this analysis and 468 00:18:07,360 --> 00:18:09,399 background, but it will still take a lot 469 00:18:09,400 --> 00:18:11,499 of time. And doing it, the background 470 00:18:11,500 --> 00:18:13,619 means that you have to put a lot of mutex 471 00:18:13,620 --> 00:18:15,429 on the logic of the analysis. 472 00:18:15,430 --> 00:18:17,709 So it will slow down a little bit 473 00:18:17,710 --> 00:18:19,959 until it doesn't 474 00:18:19,960 --> 00:18:21,309 work really well for big minorities, 475 00:18:21,310 --> 00:18:22,869 mainly because it takes a lot of memory 476 00:18:22,870 --> 00:18:24,039 and time. 477 00:18:25,570 --> 00:18:27,369 It's sometimes not able to find all the 478 00:18:27,370 --> 00:18:29,679 functions until 479 00:18:29,680 --> 00:18:31,749 there is a rule of adding more ASW at 480 00:18:31,750 --> 00:18:34,269 the end of a. So if you use a comment 481 00:18:36,310 --> 00:18:38,469 like this, you use eight, 482 00:18:38,470 --> 00:18:39,579 you will analyze 483 00:18:40,660 --> 00:18:41,819 all the symbols. 484 00:18:41,820 --> 00:18:43,719 If you add another eight, you will do 485 00:18:43,720 --> 00:18:45,339 more analysis and you add more as you 486 00:18:45,340 --> 00:18:46,959 will get more things. 487 00:18:46,960 --> 00:18:49,089 So people at the end start 488 00:18:49,090 --> 00:18:50,619 adding more A's in order to get more 489 00:18:50,620 --> 00:18:52,059 analysis. And this is probably not the 490 00:18:52,060 --> 00:18:53,400 best way for making oligarchy's. 
491 00:18:54,580 --> 00:18:55,959 So there are so many comments and 492 00:18:55,960 --> 00:18:58,239 configuration options for doing this. 493 00:18:58,240 --> 00:19:00,459 And there is this blog post that I wrote 494 00:19:00,460 --> 00:19:02,169 explaining some of them. 495 00:19:02,170 --> 00:19:03,639 So if you're interested, you can just 496 00:19:03,640 --> 00:19:05,619 read it or just being me a little bit and 497 00:19:05,620 --> 00:19:07,509 I would try to help you. 498 00:19:07,510 --> 00:19:09,759 But the idea behind this is not wasting 499 00:19:09,760 --> 00:19:12,039 a lot of time at all to finish 500 00:19:12,040 --> 00:19:13,449 the analysis and start doing something, 501 00:19:13,450 --> 00:19:15,459 because when if the ISIS takes a lot of 502 00:19:15,460 --> 00:19:17,529 time in that after doing it, 503 00:19:17,530 --> 00:19:20,259 it will be really slow 504 00:19:20,260 --> 00:19:21,969 in the operation. So you will have 505 00:19:23,020 --> 00:19:24,159 to think another 506 00:19:25,690 --> 00:19:27,849 way for solving the problem. 507 00:19:27,850 --> 00:19:30,339 So what I usually do is that 508 00:19:30,340 --> 00:19:32,109 90 percent of the problems that I try to 509 00:19:32,110 --> 00:19:33,340 solve, at least from my 510 00:19:35,140 --> 00:19:37,359 daily problems, is that I 511 00:19:37,360 --> 00:19:39,819 can just analyze 10 percent 512 00:19:39,820 --> 00:19:42,399 or part of the program on 513 00:19:42,400 --> 00:19:43,749 the information that I really need. 514 00:19:43,750 --> 00:19:46,089 And instead of seeing the 515 00:19:46,090 --> 00:19:48,269 whole binary, I usually 516 00:19:48,270 --> 00:19:50,409 just look for a string 517 00:19:50,410 --> 00:19:53,109 or look for references to these string 518 00:19:53,110 --> 00:19:55,359 functions without using this these 519 00:19:55,360 --> 00:19:57,879 references and then just analyzing 520 00:19:57,880 --> 00:20:00,189 just five, 10 functions. 
[00:20:00 --> 00:21:25] And after this you get your information. So you can just use the commands for analyzing the actual information that you want. You can analyze much faster because it's much less... condensed. And, yeah, we are improving every release. So if you're updating frequently, you will get fixes and faster analysis and pre-built... Well, you'll have to understand the logic behind all these commands and options. And we will see some of them. So this is the first demo. I will open hello world in Go. If we make, like, a full analysis of all the symbols, the Go binary is huge because they statically link all the libraries and symbols, etc. So we can compute this, like, with this prefix. This is like time in bash. So I don't like excitement, and after this, we can seek to the string.
[00:21:30 --> 00:22:51] So we see the hello world here, and we see that there is a reference in there, so we can just seek to the reference and we see that... The... Not all those things are set in this instruction. But it took some time. I mean, it was eight seconds. I mean, this is a simple example, but if you try to do this in a huge, bigger binary, it will take more time. So let's do the same using this script. This basically looks for the hello world string. It seeks to this address and then renames the flag. It defines that this is a string. It sets the search bounds for speeding up the search and then looks for references to this offset. If we run this script, it took only two seconds, almost three and a half, identified the same offset and printed the instruction. So, as you can see, you can speed up the analysis. This is a simple example.
[00:22:51 --> 00:24:10] It can be much more different if you're working in a bigger binary. And another thing for analysis is that sometimes the references are not that clear. This is a hello world for arm64, and we can seek to the hello string and we see that there is no reference, because we didn't analyze anything. So we will run, like, all the analysis options. And we see that there is another reference in here, but if we try to analyze, like, in a simple way, we'll see there is no reference. The reason behind this is because in ARM, and also in other architectures, the references are computed in more than one instruction. So you need emulation in order to understand the reference out of that. So if we go to the main, we will see that the program is computing, is getting the address of this symbol in here. So it's getting the base address and then adding an offset, and we can enable the emulation.
[00:24:14 --> 00:25:18] And using emulation, you will see that every instruction is getting emulated and then we get the values of the registers from each instruction. So after this, we will see that it's getting the reference to the string section and it's incrementing the offset to get the hello world string. So there is a command which is analyzing using emulation, and for many other architectures, for example in MIPS, it's really handy. There are other ways for getting references, using "aav", which looks for pointers to data or strings or pointers inside the same address space. And you can see that there are so many commands under "a"... subcommands. OK, now, complaints that radare is not documented, and that's not true.
[00:25:18 --> 00:26:22] It's documented in C, and there is help in every command. You can get inline help without having to get any brochure or any book in front of you. There is also a book that I wrote for radare1, and they did it for radare2, and there are already a lot of docs, slides, blog posts and YouTube tutorials for understanding how to solve some crackmes and things like that. So it's not really true. It's complex. And sometimes it's hard to find the help for something. But there is an IRC and a Telegram channel that you can ask in, and we do it pretty quickly. Let's talk about decompilation. radare is not able to... there are some things that are similar to decompilation, but that's not really the strength of the tool, because decompilation is not something easy. So we try to delegate this to the tools here.
[00:26:22 --> 00:27:22] But the tools, um, someone wrote the plugin for RetDec, which is an online service for decompilation. It's basically a plugin that uploads the binary that you are analyzing to their server, and you've got the API for getting the disassembly, the decompilation of the different functions that you are analyzing with radare. So you'll get the comments and code, like, going into the radare shell. There is also the project which is a Rust implementation of a decompiler, which is more academic and it's not yet so stable. I mean, it's work in progress and part of the project, but it's not really solving any real-world problems yet. I hope that maybe in one year or two it will be an option. There is also Boomerang, which was supported in radare1. I think that Boomerang right now is not really maintained. So there's not much interest in supporting it.
[00:27:22 --> 00:28:46] But it would be pretty easy to port those from radare1 to radare2. And last week I found that... I just know that the decompiler, this is much more updated, and it's running like this for 32 and 64 bit. We can make, like, a quick demo for this. We'll try to come back to that after it's compiled, so let's talk about disassembly. Disassembly is probably one of the good points of radare, because there are so many options for disassembling. You can colorize the instructions depending on the type of instruction, which is pretty handy for reading code, because you can easily identify where the jumps are, where the mathematical parts are, the parts of the code that are doing crypto or doing, like, traps or some syscalls, etc. There is also support for analyzing variables and arguments, so you can identify where these variables are accessed in the assembly. There's also support for pseudo disassembly.
[00:28:46 --> 00:30:26] This means that it will parse things like a... and convert it to something more human friendly, like the expression with the right hand... This is handy sometimes when you want to get some more C-like code, but it's not really a way to decompile. OK, so we got the entire... OK, but let's talk about the disassembly. It was working yesterday. So as you can see, there is the disassembly and it's highlighting the instructions in different colors. You can change the color scheme. You can also enable the pseudo syntax. So you've got things like this, like this, and the thing is that there is "pds", which is a summary of the disassembly of the function. If you analyze the... as a function and you get the "pds", you will see all the references of strings and calls of this function. So you can read, like, a summary of what the function is doing.
[00:30:26 --> 00:31:39] You can also use "pdc", which is a fake decompilation, which is using the pseudo disassembly and doing some logic of basic blocks out of all the different blocks. And you can put the comments right, put them at the bottom, etc. And all these things are interactive in visual mode. So if you press uppercase B, you get this and you can scroll around to see where the destination of the jump is going, etc. Finally, there is an ASCII graph for all the functions, so you can gather analysis. You can also, I mean, if you are in this basic block and you want to follow it, you can also follow them. You can switch to disassembly. And you are moving back to the same point that... in the graph, or going back to here. So there is no difference there, but the command line user interface is handy. And other complaints, about stability.
[00:31:39 --> 00:32:32] People say that it's not stable, and the main reason for this is because they are using an old version of it, because they are not using git or the latest releases. And we can talk about the stability depending on the amount of crashes that the user is experiencing and the amount of changes in the commands and APIs. Like, now we are after 1.0. So we try to put some stability on top of this. The commands are pretty stable. Most of them are already used by many people and they are quite clear. So this is not going to change. The APIs are quite stable. I mean, we try to refactor all the time. It's a project that, I mean, I don't really care about breaking something that was wrongly designed in the past. So I don't want to keep compatibility for years for something that was wrong at some point. So I can change it, but it's quite stable. So you can still do things like that.
[00:32:32 --> 00:33:21] And if you want, you can just append a letter at the end of the command and you will get the JSON output, so you can do things like this. If you press the letter, you will get the information about the header, you can get the symbols, you can get the sections, looking also at the sections like this. The thing is, if you append it at the end, you've got this JSON, which can be indented, like this. Look at the indentation in JSON. This is pretty easy to parse, because all the programming languages, the modern programming languages, have libraries or they support parsing data into native objects of the language directly. So it's very handy for scripting.
[00:33:21 --> 00:34:18] And the thing is that this is much faster than using an FFI or trying to deserialize all the binary structures from C into Python or any other language, because it's allocating a lot of objects in a... way, because JSON parsers are much faster than any other parser right now. So, that some specific function is broken, many complaints that I receive every day, and I see it's fixed in git. So please update your version before reporting. There are security... If anybody reports a security bug or any crash, I fix it in less than one day, usually in less than one hour. It depends on how far from the laptop I am. I try to follow the rule of "you see it, you fix it". So if you see a problem, I try to teach you how to fix it before... this thing is broken and I try to fix it later.
[00:34:18 --> 00:35:23] This is because the community grew too much, and I try to feed the community to be self-aware of the problems and how to solve them, and how to report properly, and not to just report a... say, a reproducer at least, or the backtrace, or something that can be useful for me to understand what the problem is. And mainly, you should also pass the version that you are using, because if it's not the last version, I will not fix it, because I'm only fixing bugs that are in git. So we try to make a release every six weeks. This is something that I decided after seeing how the project works. I think that six weeks is a pretty nice time schedule, mainly because having, like, one month is really predictable. I mean, you expect, like, the first day of every month to update something, and every six weeks it's something more random. So at the end I'm running up and down and you never really know when the next release will be.
[00:35:23 --> 00:36:23] So that's kind of a surprise. And I'm... funny. And the thing is that, if you release... some years ago I was releasing once or twice a year, and this was not really good for the project, mainly because if you are really seeing... there was like two hundred thousand commits to review. There is a lot of things to test. There wasn't a lot of time. And right now this is solved by making shorter-time releases. So we have to... and we test everything more frequently. So it's hard to make a git clone and get a better standard product. It's not working. But there is also the problem of Debian, Debian's distribution that tries to be stable, and by stability they mean that they are not updating really frequently. Well, the thing is that the current version in Debian stable is five years old. And if you can imagine that every six weeks there is like four hundred commits.
[00:36:23 --> 00:37:24] You're going to see how many commits are in five years. So I would recommend you to not use the packages from Debian, packages that are shipped in my... And you can also use the packages from git, which are a little bit more updated, but they're still old. So as I said before, I try to use the "sweet use added" pattern, which was invented by me. And it's mainly a regression development pattern. And the thing is that after you find a regression, you write the test, and then you test that this is not going to happen again. The reason for this is because it's too late for doing TDD. And this means that you write the test before writing the code. So as long as the code is already there, you write the test after this, and as long as we are doing continuous refactoring of everything in order to improve the stability and portability and reliability of the code, some bugs can come back.
[00:37:24 --> 00:38:23] So it's important to test everything right now. The tests, we do... they take like 15 minutes to run on Travis and half an hour in... four hours, and it's too slow for... or for Windows. That's why it's not running yet. We try to include fuzzing inside the development process. So before any release, or during the development of every release, there are some people doing fuzzing on different formats, the command line, different inputs into the program, and we use different tools like the Clang static analyzer; it can cooperate in order to find, identify which are the parts which are more buggy and which ones are the places to solve the bugs. This is important mainly because there are so many contributions. Many of them are from people that are starting to code, and we try to follow some standards. So there is some coding style and this requires some application to the community.
[00:38:24 --> 00:39:22] And people complaining that this is not written in Python. I know that C is not the perfect language. It's easy to make mistakes, but Python is not the solution. I mean, maybe at some point there will be a language that can replace it, maybe Rust or maybe Swift, or I don't know. But maybe Rust is the one that fits better inside the philosophy of the project. But if you want to use Python, there are three different bindings for the native APIs. There are two different bindings for the pipe, supporting different transports. I will explain later what the pipe is, and you can write plugins for your own environment. And the reason for not using a dynamic language for this is because the low-level language allows you to check at compile time, so it's easier to identify problems before running the program. There are so many tools available in order to provide Lobach and optimize, support different platforms. It's faster.
[00:39:22 --> 00:40:17] It's not... it has a smaller footprint, there is not really a runtime inside the final binary, so you can easily link it and put it in a router or any other device, and you can compile it with Emscripten to JavaScript so you can run it in the web browser. And that's fine for me, at least for 90 percent of the problems. And for the rest, you can just use any scripting language. OK, let's talk about the graphical user interfaces. The main complaint is that there is no graphical interface, but that's not true. The thing is that terminals are scary. People are scared about the terminals. And they used to like to use the mouse and try to click on those things, like that. So the real problem for radare2 is not that there is no GUI. The problem is that there are so many of them.
1046 00:40:17,350 --> 00:40:19,299 There is this one, there is 1047 00:40:19,300 --> 00:40:22,329 another mode, which is, I mean, 1048 00:40:22,330 --> 00:40:24,369 that is a different web user interface. 1049 00:40:24,370 --> 00:40:25,839 One of them is this, which is material 1050 00:40:25,840 --> 00:40:27,909 like; this is the default for Android. 1051 00:40:27,910 --> 00:40:30,579 There is the old one, which is 1052 00:40:30,580 --> 00:40:33,339 mobile and 1053 00:40:33,340 --> 00:40:35,420 smartphone and desktop friendly. 1054 00:40:36,730 --> 00:40:38,899 I also wrote another one, which is in 1055 00:40:38,900 --> 00:40:41,589 GTK, and of course it's like a graphical 1056 00:40:41,590 --> 00:40:43,719 interface with windows and 1057 00:40:43,720 --> 00:40:44,720 things like that. 1058 00:40:45,790 --> 00:40:47,919 There is also another one, which was 1059 00:40:47,920 --> 00:40:50,059 written by someone else. 1060 00:40:50,060 --> 00:40:52,179 And this is 1061 00:40:52,180 --> 00:40:54,669 basically the terminal 1062 00:40:54,670 --> 00:40:57,249 with an interface 1063 00:40:57,250 --> 00:40:59,019 that has some buttons and menus 1064 00:40:59,020 --> 00:41:00,039 like these. 1065 00:41:00,040 --> 00:41:01,449 Instead of typing commands, you can just 1066 00:41:01,450 --> 00:41:02,650 read the commands on the menu. 1067 00:41:04,060 --> 00:41:06,249 There was a complete 1068 00:41:06,250 --> 00:41:08,349 interface written in 1069 00:41:08,350 --> 00:41:10,569 Vala and it was working pretty 1070 00:41:10,570 --> 00:41:12,279 fast and pretty nice, but I 1071 00:41:12,280 --> 00:41:14,149 abandoned it because it was boring to 1072 00:41:14,150 --> 00:41:15,319 write the interface. 1073 00:41:15,320 --> 00:41:17,469 So I think that nobody cares about 1074 00:41:17,470 --> 00:41:18,469 that. 1075 00:41:18,470 --> 00:41:20,649 So I never released it, 1076 00:41:20,650 --> 00:41:21,650 but it's there.
1077 00:41:22,750 --> 00:41:24,939 There is also Bokken, which is a PyGTK 1078 00:41:24,940 --> 00:41:26,799 interface, that is, no, not 1079 00:41:26,800 --> 00:41:27,879 really, I maintain it. 1080 00:41:27,880 --> 00:41:29,019 I think it's working in the last 1081 00:41:29,020 --> 00:41:31,089 version, but it's not adding new 1082 00:41:31,090 --> 00:41:31,599 functionality. 1083 00:41:31,600 --> 00:41:32,909 So it's just for static analysis. 1084 00:41:34,420 --> 00:41:37,059 Now there is a guy who is 1085 00:41:37,060 --> 00:41:39,249 writing a new interface in 1086 00:41:39,250 --> 00:41:41,349 .NET, but he's 1087 00:41:41,350 --> 00:41:42,269 focusing on Windows. 1088 00:41:42,270 --> 00:41:44,379 So the thing is that the dependencies of 1089 00:41:44,380 --> 00:41:46,779 this project are depending on the 1090 00:41:46,780 --> 00:41:48,999 Explorer widget and also 1091 00:41:49,000 --> 00:41:50,000 the Windows 1092 00:41:52,180 --> 00:41:54,579 API. So it doesn't really work on 1093 00:41:54,580 --> 00:41:56,349 Linux. So it's not portable. 1094 00:41:56,350 --> 00:41:57,839 Well, maybe someday it will be 1095 00:41:57,840 --> 00:41:58,840 portable. 1096 00:41:59,740 --> 00:42:01,809 A few days ago, a guy mentioned it to 1097 00:42:01,810 --> 00:42:03,309 me on Twitter, so I had to add this 1098 00:42:04,450 --> 00:42:06,519 slide; he's working on a PyQt 1099 00:42:06,520 --> 00:42:08,259 interface. 1100 00:42:08,260 --> 00:42:10,359 You can see a screenshot from the 1101 00:42:10,360 --> 00:42:11,360 GitHub. 1102 00:42:12,040 --> 00:42:14,229 But let's talk about a real 1103 00:42:14,230 --> 00:42:16,449 user interface, 1104 00:42:16,450 --> 00:42:18,549 the one I'm the author 1105 00:42:18,550 --> 00:42:19,719 of, and whatever.
1106 00:42:19,720 --> 00:42:22,539 So I've been working for 1107 00:42:22,540 --> 00:42:24,759 a year or something like that on an 1108 00:42:24,760 --> 00:42:27,459 interface written in Qt and C++, 1109 00:42:27,460 --> 00:42:28,719 which looks like this. 1110 00:42:30,940 --> 00:42:32,110 This is the main interface. 1111 00:42:33,310 --> 00:42:35,469 It's only static analysis actually, but I 1112 00:42:35,470 --> 00:42:37,599 expect it will support debugging and 1113 00:42:37,600 --> 00:42:39,729 emulation or things like that, 1114 00:42:39,730 --> 00:42:41,829 I believe, at least early next 1115 00:42:41,830 --> 00:42:42,830 year. 1116 00:42:45,980 --> 00:42:48,289 OK, so let's talk about scripting. 1117 00:42:48,290 --> 00:42:50,149 It's something that people think is 1118 00:42:50,150 --> 00:42:52,339 complicated, and 1119 00:42:52,340 --> 00:42:54,079 really, if you focus on the problem, you 1120 00:42:54,080 --> 00:42:55,609 only need to understand the commands and 1121 00:42:55,610 --> 00:42:57,199 you only need to understand a little bit. 1122 00:42:57,200 --> 00:42:59,629 So if you know how to use the shell, you know 1123 00:42:59,630 --> 00:43:02,149 how to script. But I used to, mainly because 1124 00:43:02,150 --> 00:43:05,179 I was trying to follow different 1125 00:43:05,180 --> 00:43:07,339 paradigms, like trying to make 1126 00:43:07,340 --> 00:43:08,780 the bindings more 1127 00:43:09,800 --> 00:43:10,800 language friendly. 1128 00:43:11,750 --> 00:43:13,939 So, at the end, you don't 1129 00:43:13,940 --> 00:43:16,309 really need to have bindings 1130 00:43:16,310 --> 00:43:18,369 so specific for each language. 1131 00:43:18,370 --> 00:43:20,539 And the reason is that 1132 00:43:20,540 --> 00:43:22,579 this is too much work and APIs are 1133 00:43:22,580 --> 00:43:24,949 changing.
So at the end I 1134 00:43:24,950 --> 00:43:26,329 wrote that tool, which is Malaby, and 1135 00:43:26,330 --> 00:43:28,609 which transpires 1136 00:43:28,610 --> 00:43:30,889 the interface into different interfaces 1137 00:43:30,890 --> 00:43:32,959 for different languages. So I create 1138 00:43:32,960 --> 00:43:35,899 a single file that interfaces 1139 00:43:35,900 --> 00:43:39,199 the zip code and integrates Python 1140 00:43:39,200 --> 00:43:41,029 notice, etc.. 1141 00:43:41,030 --> 00:43:43,579 I've been doing for all this DOGIT, 1142 00:43:43,580 --> 00:43:45,349 but these are not really stable at all 1143 00:43:45,350 --> 00:43:48,009 because they have some memory problems, 1144 00:43:48,010 --> 00:43:49,939 because sometimes it's hard to manage the 1145 00:43:49,940 --> 00:43:51,889 references and things like that. 1146 00:43:51,890 --> 00:43:53,959 So at the end I got 1147 00:43:53,960 --> 00:43:55,939 the idea of implementing Exabyte, which 1148 00:43:55,940 --> 00:43:58,129 is basically a pipe on 1149 00:43:58,130 --> 00:44:01,069 top of this for comment. 1150 00:44:01,070 --> 00:44:03,559 The API provides an open 1151 00:44:03,560 --> 00:44:05,119 method which allows you to open a 1152 00:44:06,230 --> 00:44:08,459 different time using a specific time 1153 00:44:08,460 --> 00:44:10,489 slot to open a file. 1154 00:44:10,490 --> 00:44:12,049 And then you have the same the common, 1155 00:44:12,050 --> 00:44:14,269 which basically runs in two, and 1156 00:44:14,270 --> 00:44:16,610 then you get the back the the result. 1157 00:44:17,630 --> 00:44:19,369 And there is the same with just one 1158 00:44:19,370 --> 00:44:21,129 output, which particular don't turn out 1159 00:44:21,130 --> 00:44:23,269 the object of the of the 1160 00:44:23,270 --> 00:44:24,349 of the rest. 1161 00:44:24,350 --> 00:44:25,339 And then there is quit. 
1162 00:44:25,340 --> 00:44:27,739 So it's only one command, so 1163 00:44:27,740 --> 00:44:29,689 there's only one method that you have to 1164 00:44:29,690 --> 00:44:31,460 remember for using this API. 1165 00:44:33,110 --> 00:44:35,269 Let's make a quick demo of 1166 00:44:35,270 --> 00:44:36,270 this. 1167 00:44:42,160 --> 00:44:43,709 This is a script 1168 00:44:43,710 --> 00:44:44,710 for 1169 00:44:45,640 --> 00:44:47,889 getting the configuration file 1170 00:44:47,890 --> 00:44:50,499 out of the Mirai malware; 1171 00:44:50,500 --> 00:44:52,869 this is a botnet, and 1172 00:44:52,870 --> 00:44:55,329 this is the script. It's written, and 1173 00:44:55,330 --> 00:44:56,330 it's using r2pipe, 1174 00:44:58,120 --> 00:44:59,619 statically extracting the 1175 00:44:59,620 --> 00:45:01,779 configuration file out of 1176 00:45:01,780 --> 00:45:02,409 the binary. 1177 00:45:02,410 --> 00:45:05,229 You can use it from 1178 00:45:05,230 --> 00:45:07,359 Python, like doing it like this. 1179 00:45:09,920 --> 00:45:11,239 And look at the config finder. 1180 00:45:15,890 --> 00:45:17,959 You can also use it from inside r2, so 1181 00:45:17,960 --> 00:45:18,960 you can just 1182 00:45:22,380 --> 00:45:23,380 connect it like this. 1183 00:45:26,430 --> 00:45:27,359 Or inside the shell. 1184 00:45:27,360 --> 00:45:29,070 So if you are inside the shell, 1185 00:45:31,870 --> 00:45:33,949 you're going to read the file 1186 00:45:33,950 --> 00:45:35,349 just using the dot. 1187 00:45:35,350 --> 00:45:37,480 So it's importing the file and running it.
1188 00:45:42,960 --> 00:45:45,179 There are so many examples in 1189 00:45:45,180 --> 00:45:47,099 many different programming languages; in 1190 00:45:47,100 --> 00:45:49,199 fact, this is 1191 00:45:49,200 --> 00:45:50,279 the list of all the languages 1192 00:45:50,280 --> 00:45:51,320 supported by r2pipe. 1193 00:45:52,680 --> 00:45:54,029 Not all of them support all the 1194 00:45:54,030 --> 00:45:56,129 transports. By transports, I mean that you 1195 00:45:56,130 --> 00:45:58,299 can use r2pipe through 1196 00:45:58,300 --> 00:45:58,509 HTTP. 1197 00:45:58,510 --> 00:46:00,809 You can also use it with TCP. 1198 00:46:00,810 --> 00:46:02,699 You can also use it with pipes, spawning 1199 00:46:02,700 --> 00:46:04,979 the binary and reading and writing to 1200 00:46:04,980 --> 00:46:07,439 it, on all platforms: 1201 00:46:07,440 --> 00:46:09,769 Windows, Linux, iOS and 1202 00:46:11,240 --> 00:46:12,240 others. 1203 00:46:13,470 --> 00:46:15,569 There are examples inside the directory. 1204 00:46:15,570 --> 00:46:18,269 So if you go into the r2pipe repository, 1205 00:46:18,270 --> 00:46:20,849 you will see that, for example, for 1206 00:46:20,850 --> 00:46:22,949 this, there are examples 1207 00:46:22,950 --> 00:46:24,689 in there and you're going to see, for 1208 00:46:24,690 --> 00:46:26,190 example, the ESIL one. 1209 00:46:30,390 --> 00:46:32,789 There is also a syscall emulator, 1210 00:46:32,790 --> 00:46:35,609 which is basically implementing the 1211 00:46:35,610 --> 00:46:37,530 syscall handler in JavaScript, 1212 00:46:38,790 --> 00:46:40,949 and you're going to run this 1213 00:46:42,080 --> 00:46:44,400 hello world, which is basically 1214 00:46:47,980 --> 00:46:48,980 this code. 1215 00:46:53,090 --> 00:46:55,159 And this will have to run 1216 00:46:55,160 --> 00:46:56,989 until it finishes.
1217 00:47:26,650 --> 00:47:28,989 Well, I can't, this is just a stupid 1218 00:47:28,990 --> 00:47:31,179 thing anyway, the 1219 00:47:31,180 --> 00:47:32,919 Python example, 1220 00:47:34,570 --> 00:47:35,570 there's the same environment. 1221 00:47:36,990 --> 00:47:37,990 Uh. 1222 00:47:51,350 --> 00:47:53,859 So during this hello world, it's 1223 00:47:53,860 --> 00:47:56,129 basically saying that you have to 1224 00:47:56,130 --> 00:47:57,919 use ESIL for emulating code and then 1225 00:47:57,920 --> 00:48:00,409 you've got the JavaScript executed 1226 00:48:00,410 --> 00:48:01,410 after this. 1227 00:48:03,390 --> 00:48:05,639 OK, so the debugger is confusing; many 1228 00:48:05,640 --> 00:48:07,709 people think that the radare2 debugger is 1229 00:48:07,710 --> 00:48:09,839 strange, mainly because it's a low 1230 00:48:09,840 --> 00:48:10,840 level debugger. 1231 00:48:12,810 --> 00:48:14,309 The main reason for this is because I 1232 00:48:14,310 --> 00:48:16,019 don't try to replace something like, I guess, 1233 00:48:17,400 --> 00:48:19,669 GDB or LLDB, 1234 00:48:19,670 --> 00:48:20,989 which are pretty good source 1235 00:48:20,990 --> 00:48:22,409 level debuggers. 1236 00:48:22,410 --> 00:48:24,829 But it still works for binaries. 1237 00:48:24,830 --> 00:48:26,369 You don't have the source code of 1238 00:48:26,370 --> 00:48:27,599 a different binary. 1239 00:48:27,600 --> 00:48:29,719 So when you go into the debugger with 1240 00:48:29,720 --> 00:48:30,989 radare2, you are starting to 1241 00:48:30,990 --> 00:48:33,299 debug in the dynamic 1242 00:48:33,300 --> 00:48:35,729 loader, 1243 00:48:35,730 --> 00:48:36,959 not inside the entry point.
1244 00:48:38,340 --> 00:48:40,019 The reason for this is because some file 1245 00:48:40,020 --> 00:48:41,909 formats kind of exploit this inside the 1246 00:48:41,910 --> 00:48:43,979 binary and execute code 1247 00:48:43,980 --> 00:48:46,139 before the entry point, or there can be 1248 00:48:46,140 --> 00:48:47,140 more than one entry point. 1249 00:48:48,720 --> 00:48:51,359 Also, there can be changes in memory 1250 00:48:51,360 --> 00:48:53,879 that will be applied in the loader. 1251 00:48:53,880 --> 00:48:55,829 So some people complain that they patch 1252 00:48:55,830 --> 00:48:58,109 the binary in memory and then execute 1253 00:48:58,110 --> 00:48:59,789 the program. And the problem is not the 1254 00:48:59,790 --> 00:49:01,509 debugger. The reason for this is because 1255 00:49:01,510 --> 00:49:02,609 you are touching the memory and not the 1256 00:49:02,610 --> 00:49:03,969 binary itself. 1257 00:49:03,970 --> 00:49:06,509 And if you want to create a 1258 00:49:06,510 --> 00:49:08,729 specific environment, you have to use 1259 00:49:08,730 --> 00:49:11,129 rarun2, which is a tool that comes with 1260 00:49:11,130 --> 00:49:13,499 radare2 that creates 1261 00:49:13,500 --> 00:49:15,259 a profile to specify, for example, the 1262 00:49:15,260 --> 00:49:16,739 environment, 1263 00:49:17,820 --> 00:49:18,929 the directory that you want 1264 00:49:18,930 --> 00:49:21,029 to run in, and all the arguments, if 1265 00:49:21,030 --> 00:49:23,039 you want to use something like a script 1266 00:49:23,040 --> 00:49:24,659 as the standard input, 1267 00:49:24,660 --> 00:49:26,699 if you want it to be stuck listening on a 1268 00:49:26,700 --> 00:49:28,559 specific port, etc. 1269 00:49:28,560 --> 00:49:30,149 This allows you to create the profile for 1270 00:49:30,150 --> 00:49:31,539 running the program every time. This is 1271 00:49:31,540 --> 00:49:33,599 handy if you are trying to solve 1272 00:49:33,600 --> 00:49:34,769 a crackme or things like that.
1273 00:49:37,320 --> 00:49:39,629 So you can do the basics like this. 1274 00:49:39,630 --> 00:49:40,649 You can spawn, attach. 1275 00:49:40,650 --> 00:49:42,299 You can create plugins for all these 1276 00:49:42,300 --> 00:49:44,519 things, and 1277 00:49:44,520 --> 00:49:46,439 there are plugins, as I said 1278 00:49:46,440 --> 00:49:48,789 before, there are plugins for all this. 1279 00:49:48,790 --> 00:49:51,419 So you can use the debugger. 1280 00:49:51,420 --> 00:49:52,319 There is more than one of these 1281 00:49:52,320 --> 00:49:53,819 debuggers. There are people writing their 1282 00:49:53,820 --> 00:49:55,469 own native debugger for Windows and 1283 00:49:55,470 --> 00:49:56,869 things like that. You can use attach, or 1284 00:49:56,870 --> 00:49:59,129 GDB. You can also attach to VirtualBox, 1285 00:49:59,130 --> 00:50:01,319 and also run commands of the 1286 00:50:01,320 --> 00:50:03,149 debugger in there. 1287 00:50:03,150 --> 00:50:05,699 And you can also do local or remote 1288 00:50:05,700 --> 00:50:08,159 debugging and you can inject code. 1289 00:50:08,160 --> 00:50:09,599 There is a command that allows you 1290 00:50:09,600 --> 00:50:11,309 to inject a bunch of bytes and then it 1291 00:50:11,310 --> 00:50:13,529 will get back to the 1292 00:50:13,530 --> 00:50:14,530 rest of the state. 1293 00:50:18,590 --> 00:50:19,940 The debugger is not 1294 00:50:21,590 --> 00:50:23,119 working on all platforms, mainly because 1295 00:50:23,120 --> 00:50:25,289 the GDB protocol is crap; 1296 00:50:25,290 --> 00:50:27,079 it mixes binary, plaintext and hex 1297 00:50:27,080 --> 00:50:29,269 in the same protocol, 1298 00:50:29,270 --> 00:50:31,369 which is a really bad decision. 1299 00:50:31,370 --> 00:50:33,589 But they try to 1300 00:50:33,590 --> 00:50:35,989 implement the thing for every single 1301 00:50:35,990 --> 00:50:38,059 platform.
So every time that you 1302 00:50:38,060 --> 00:50:39,709 try to connect on a platform, you have to 1303 00:50:39,710 --> 00:50:40,710 use different 1304 00:50:42,020 --> 00:50:43,699 solutions for getting or writing the 1305 00:50:43,700 --> 00:50:45,739 resistors or reading, writing memory or 1306 00:50:45,740 --> 00:50:47,449 doing steps and setting breakpoints and 1307 00:50:47,450 --> 00:50:47,929 things like that. 1308 00:50:47,930 --> 00:50:50,059 So it's kind of, 1309 00:50:50,060 --> 00:50:51,979 um. 1310 00:50:51,980 --> 00:50:53,239 So it's working progress. And right now 1311 00:50:53,240 --> 00:50:54,379 it's about Sentell mainly. 1312 00:50:54,380 --> 00:50:56,089 So you can use it for debugging Windows 1313 00:50:56,090 --> 00:50:58,309 or Linux, attaching to QM or 1314 00:50:58,310 --> 00:50:59,310 things like that. 1315 00:51:00,230 --> 00:51:02,359 And he working for me is RAM and maybe 1316 00:51:03,470 --> 00:51:05,599 there are 12 Libbey, which is a project 1317 00:51:05,600 --> 00:51:07,789 that they wrote not secured, and it's 1318 00:51:07,790 --> 00:51:10,099 mainly a pipe script 1319 00:51:10,100 --> 00:51:12,299 that allows you to use 1320 00:51:12,300 --> 00:51:14,029 your inside Libya and you'll run this 1321 00:51:14,030 --> 00:51:15,889 Python script and it will allows you to 1322 00:51:15,890 --> 00:51:17,569 touch from in there. 1323 00:51:17,570 --> 00:51:19,449 And you can use all the functionalities 1324 00:51:19,450 --> 00:51:22,549 and memory from from runner to 1325 00:51:22,550 --> 00:51:23,539 just copy the shelling there. 1326 00:51:23,540 --> 00:51:25,459 This is nice because if you are working 1327 00:51:25,460 --> 00:51:27,649 with Apple, things like Apple Watch 1328 00:51:27,650 --> 00:51:29,809 or iPhone devices, you 1329 00:51:29,810 --> 00:51:32,299 can do what you can just to the back 1330 00:51:32,300 --> 00:51:33,509 by not using that without having 1331 00:51:33,510 --> 00:51:34,510 jailbreak. 
1332 00:51:36,310 --> 00:51:38,709 And there is some sort of, Frida. 1333 00:51:38,710 --> 00:51:41,739 Frida, which I didn't make, is an 1334 00:51:41,740 --> 00:51:43,839 injection library, which 1335 00:51:43,840 --> 00:51:45,639 contains a JavaScript interpreter in there, 1336 00:51:45,640 --> 00:51:47,709 and you can put scripts in 1337 00:51:47,710 --> 00:51:49,989 there or just use the libraries for 1338 00:51:49,990 --> 00:51:50,990 running code. 1339 00:51:52,870 --> 00:51:54,879 This project is written by Ole André, 1340 00:51:54,880 --> 00:51:57,129 also working in my company. 1341 00:51:57,130 --> 00:51:58,749 And 1342 00:52:00,400 --> 00:52:02,349 it works on many platforms; it can be used 1343 00:52:02,350 --> 00:52:04,449 on OS X, iOS, Linux, 1344 00:52:04,450 --> 00:52:06,669 Unix, Windows, and it's 1345 00:52:06,670 --> 00:52:08,949 pretty fast. I mean, maybe thinking 1346 00:52:08,950 --> 00:52:11,169 about JavaScript and all these things 1347 00:52:11,170 --> 00:52:12,489 makes you think that it's slow, but it's 1348 00:52:12,490 --> 00:52:14,559 really fast and it allows 1349 00:52:14,560 --> 00:52:16,239 you to do introspection inside the 1350 00:52:16,240 --> 00:52:17,889 process, so you can do things inside the 1351 00:52:17,890 --> 00:52:19,299 process. 1352 00:52:19,300 --> 00:52:21,219 Let's make a really fast demo. 1353 00:52:23,010 --> 00:52:24,010 Uh. 1354 00:52:41,900 --> 00:52:43,489 So I have Node.js 1355 00:52:43,490 --> 00:52:45,529 running in this terminal and I have another 1356 00:52:45,530 --> 00:52:47,689 one in the other one, and I will use r2frida 1357 00:52:47,690 --> 00:52:49,459 to attach to this process like now.
1358 00:52:54,470 --> 00:52:55,669 We're going to get the information using 1359 00:52:55,670 --> 00:52:57,739 the backslash and we're 1360 00:52:57,740 --> 00:52:59,239 going to see the list of commands from 1361 00:52:59,240 --> 00:53:01,459 r2frida, and from 1362 00:53:01,460 --> 00:53:02,599 here we can get information from the 1363 00:53:02,600 --> 00:53:04,399 binary. We can get information from the 1364 00:53:04,400 --> 00:53:05,989 exports, for example, the symbol of... 1365 00:53:24,250 --> 00:53:25,250 And. 1366 00:53:31,850 --> 00:53:33,499 You can read memory from the debugged 1367 00:53:33,500 --> 00:53:36,219 process, you can modify it or whatever, 1368 00:53:36,220 --> 00:53:38,329 you can analyze it and get the graphs 1369 00:53:38,330 --> 00:53:39,330 of the code. 1370 00:53:41,910 --> 00:53:44,149 Um, yeah, 1371 00:53:44,150 --> 00:53:45,210 it works. 1372 00:53:52,140 --> 00:53:53,140 OK, it's not. 1373 00:53:57,390 --> 00:53:59,339 OK, so what I'm going to do now is 1374 00:54:00,810 --> 00:54:01,810 use the 1375 00:54:03,330 --> 00:54:05,279 dt command, which allows you to 1376 00:54:05,280 --> 00:54:07,469 trace a specific symbol, 1377 00:54:07,470 --> 00:54:09,869 and I use the string for tracing 1378 00:54:09,870 --> 00:54:11,849 the write function. 1379 00:54:11,850 --> 00:54:14,279 So now every time that the Node.js process 1380 00:54:14,280 --> 00:54:16,919 is writing, using the write symbol, 1381 00:54:16,920 --> 00:54:18,210 it will print something in there. 1382 00:54:22,540 --> 00:54:25,119 We can also get a backtrace in 1383 00:54:25,120 --> 00:54:26,880 there, get a description there, etc. 1384 00:54:30,300 --> 00:54:32,569 OK, let's talk about 1385 00:54:32,570 --> 00:54:33,570 the 1386 00:54:35,120 --> 00:54:37,889 virtual machine that comes inside.
1387 00:54:37,890 --> 00:54:40,829 It's called ESIL, a language that 1388 00:54:40,830 --> 00:54:43,169 basically is translating 1389 00:54:43,170 --> 00:54:44,400 every instruction into a string. 1390 00:54:47,590 --> 00:54:49,659 We're going to see this, and 1391 00:54:49,660 --> 00:54:51,249 if you press uppercase O, 1392 00:54:51,250 --> 00:54:52,360 you will see a string. 1393 00:54:55,040 --> 00:54:57,199 And this string represents what 1394 00:54:57,200 --> 00:54:58,669 the instruction is doing behind the 1395 00:54:58,670 --> 00:55:00,829 scenes, so 1396 00:55:00,830 --> 00:55:03,079 it's a Forth-like language. 1397 00:55:03,080 --> 00:55:05,239 It has two different stacks 1398 00:55:05,240 --> 00:55:07,549 and it's stack-based. 1399 00:55:07,550 --> 00:55:09,259 The reason for this is that you can 1400 00:55:09,260 --> 00:55:11,359 easily read and modify 1401 00:55:11,360 --> 00:55:12,379 what they're doing. 1402 00:55:12,380 --> 00:55:14,259 You can also change the instruction 1403 00:55:14,260 --> 00:55:16,399 itself without having to 1404 00:55:16,400 --> 00:55:17,719 recompile radare2; you can change 1405 00:55:17,720 --> 00:55:19,159 the expression. 1406 00:55:19,160 --> 00:55:20,399 And this is used for many things, not 1407 00:55:20,400 --> 00:55:22,339 just for emulation, not just for analysis. 1408 00:55:22,340 --> 00:55:24,019 It's also used for debugging.
1409 00:55:24,020 --> 00:55:26,269 So if you want to specify a specific 1410 00:55:26,270 --> 00:55:28,369 string, like defining, 1411 00:55:28,370 --> 00:55:30,709 I want to continue this execution 1412 00:55:30,710 --> 00:55:32,989 until a specific register has a 1413 00:55:32,990 --> 00:55:35,119 value that is in this range, or 1414 00:55:35,120 --> 00:55:36,120 you want to 1415 00:55:38,630 --> 00:55:40,879 identify if a specific 1416 00:55:40,880 --> 00:55:43,429 jump is going to be executed or not, 1417 00:55:43,430 --> 00:55:45,389 or find different types of expressions 1418 00:55:45,390 --> 00:55:47,209 that match in memory, like, for 1419 00:55:47,210 --> 00:55:49,459 example, I want to find a specific 1420 00:55:49,460 --> 00:55:51,109 region of memory that contains something 1421 00:55:51,110 --> 00:55:53,329 different from zero, etc. 1422 00:55:53,330 --> 00:55:54,529 You're going to use ESIL for this. 1423 00:55:56,140 --> 00:55:57,679 These are some of the commands that can be 1424 00:55:57,680 --> 00:55:59,809 used for emulation. 1425 00:55:59,810 --> 00:56:02,449 It's basically the same as for the debugger, but 1426 00:56:02,450 --> 00:56:04,500 using a specific syntax. 1427 00:56:06,040 --> 00:56:07,489 And there is also support for Unicorn, 1428 00:56:07,490 --> 00:56:09,599 but it's not as complete as 1429 00:56:09,600 --> 00:56:10,600 the ESIL one. 1430 00:56:18,050 --> 00:56:20,159 So here is a crackme, 1431 00:56:20,160 --> 00:56:21,709 and it can be solved 1432 00:56:23,360 --> 00:56:25,879 using this script.
1433 00:56:25,880 --> 00:56:28,849 It can be solved using this r2 1434 00:56:28,850 --> 00:56:31,549 script, which is basically 1435 00:56:31,550 --> 00:56:34,159 seeking to a symbol that you want to 1436 00:56:34,160 --> 00:56:36,609 emulate, running the 1437 00:56:36,610 --> 00:56:38,479 code in there and stopping at the point 1438 00:56:38,480 --> 00:56:40,069 where it's comparing the two strings and 1439 00:56:40,070 --> 00:56:41,810 then dumping the register values. 1440 00:56:43,610 --> 00:56:45,980 So we do it like this. 1441 00:56:48,430 --> 00:56:49,430 You get the password. 1442 00:56:52,300 --> 00:56:53,530 And the same thing goes for 1443 00:56:55,880 --> 00:56:56,880 the other one. 1444 00:57:00,770 --> 00:57:01,849 So basically what it's doing is 1445 00:57:06,420 --> 00:57:09,419 calling the check password function, 1446 00:57:09,420 --> 00:57:11,489 which is in there, and then 1447 00:57:11,490 --> 00:57:13,919 inside this function, it goes 1448 00:57:13,920 --> 00:57:16,079 looking for the string compare. 1449 00:57:17,680 --> 00:57:19,399 And then getting the values of the 1450 00:57:19,400 --> 00:57:20,400 registers, 1451 00:57:22,960 --> 00:57:23,979 if you do this. 1452 00:57:29,210 --> 00:57:30,879 You're going to see, for example, in the 1453 00:57:30,880 --> 00:57:31,959 debugger, you can continue the 1454 00:57:31,960 --> 00:57:34,089 execution to the entry point, and then 1455 00:57:34,090 --> 00:57:36,280 you can use it to get the... 1456 00:57:40,080 --> 00:57:41,080 With. 1457 00:57:41,630 --> 00:57:42,630 Nothing to the. 1458 00:57:44,970 --> 00:57:47,639 So I'm continuing to the point 1459 00:57:47,640 --> 00:57:49,739 and then I'm just using 1460 00:57:49,740 --> 00:57:52,109 telescoping in order to get information 1461 00:57:52,110 --> 00:57:53,879 on every register and where they're pointing 1462 00:57:53,880 --> 00:57:56,099 to.
So you can also do the same 1463 00:57:56,100 --> 00:57:57,100 in the stock. 1464 00:57:58,690 --> 00:58:00,159 Together, the boundaries of the strings 1465 00:58:00,160 --> 00:58:01,160 and so on. 1466 00:58:02,800 --> 00:58:05,589 And many things like this are useful 1467 00:58:05,590 --> 00:58:07,779 and used from from 1468 00:58:07,780 --> 00:58:09,129 from there. 1469 00:58:09,130 --> 00:58:11,859 OK, so how exploiting which is the 1470 00:58:11,860 --> 00:58:13,090 final flight of. 1471 00:58:14,810 --> 00:58:15,899 There are so many functioning this 1472 00:58:15,900 --> 00:58:16,969 involved that can be handy for 1473 00:58:16,970 --> 00:58:19,669 exploiting, it's 1474 00:58:19,670 --> 00:58:22,039 like you can passcode in memory, 1475 00:58:22,040 --> 00:58:24,679 you can go things like that. 1476 00:58:24,680 --> 00:58:25,790 So I'm right now 1477 00:58:26,840 --> 00:58:27,840 into the background. 1478 00:58:29,420 --> 00:58:31,519 So I can just put the anywhere 1479 00:58:31,520 --> 00:58:33,139 and I can press uppercase A.. 1480 00:58:33,140 --> 00:58:35,719 And I can just buy the code 1481 00:58:35,720 --> 00:58:36,720 with a. 1482 00:58:38,990 --> 00:58:42,409 For example, with this, um, 1483 00:58:42,410 --> 00:58:45,319 this is for some specific 1484 00:58:45,320 --> 00:58:47,449 environments, there 1485 00:58:47,450 --> 00:58:49,579 are some static places and there are some 1486 00:58:49,580 --> 00:58:51,260 handy functionalities like 1487 00:58:52,580 --> 00:58:54,479 generating and finding offsets of the 1488 00:58:54,480 --> 00:58:56,209 burning patterns. 1489 00:58:56,210 --> 00:58:58,429 You can use the telescoping like I 1490 00:58:58,430 --> 00:59:00,709 showed before. You can keep analysis. 1491 00:59:00,710 --> 00:59:02,119 This is only working on Linux, but it 1492 00:59:02,120 --> 00:59:03,559 will be Partito. I was fixing the 1493 00:59:03,560 --> 00:59:04,560 Windows. 
1494 00:59:05,510 --> 00:59:07,729 And let's make a quick 1495 00:59:07,730 --> 00:59:08,989 demo about 1496 00:59:11,030 --> 00:59:13,239 the real thing, which is 1497 00:59:15,570 --> 00:59:16,939 the ROP thing. 1498 00:59:16,940 --> 00:59:19,429 I mean, it basically 1499 00:59:19,430 --> 00:59:21,289 allows you to create ROP chains. 1500 00:59:34,440 --> 00:59:36,539 So you have the ROP gadgets 1501 00:59:36,540 --> 00:59:39,419 that are in the analyzed 1502 00:59:39,420 --> 00:59:41,759 binary; you can add them in there, 1503 00:59:41,760 --> 00:59:42,869 you can also remove them, 1504 00:59:43,890 --> 00:59:45,429 you can move them around. 1505 00:59:45,430 --> 00:59:48,239 You can also drop one. 1506 00:59:48,240 --> 00:59:50,259 When you have all this thing right, 1507 00:59:50,260 --> 00:59:51,260 you can just debug it. 1508 00:59:54,620 --> 00:59:57,049 And you get the terminal 1509 00:59:57,050 --> 00:59:59,209 ready for debugging the gadgets that 1510 00:59:59,210 --> 01:00:01,519 you have written, so you're stuck 1511 01:00:01,520 --> 01:00:03,949 inside the ROP chain, so you're stepping, 1512 01:00:03,950 --> 01:00:06,020 and we are stepping on this ROP gadget. 1513 01:00:08,730 --> 01:00:10,829 And to finish, 1514 01:00:10,830 --> 01:00:13,109 I would like to show you one 1515 01:00:13,110 --> 01:00:15,269 of the reasons that 1516 01:00:15,270 --> 01:00:16,270 you can use 1517 01:00:17,460 --> 01:00:19,439 radare2 as a tool for extending or using a 1518 01:00:19,440 --> 01:00:20,440 specific exploit. 1519 01:00:22,170 --> 01:00:24,359 I'm exploiting, I'm using it to exploit 1520 01:00:24,360 --> 01:00:25,829 by writing a plugin for it. 1521 01:00:30,500 --> 01:00:32,110 So this is a bug in Linux.
1522 01:00:33,170 --> 01:00:35,659 It's one month from one month ago, 1523 01:00:35,660 --> 01:00:36,829 I don't know if you did the global 1524 01:00:36,830 --> 01:00:39,439 already, but it's very funny and 1525 01:00:39,440 --> 01:00:42,229 you can read more in this or else, 1526 01:00:42,230 --> 01:00:44,389 uh, what this one 1527 01:00:44,390 --> 01:00:47,389 allows you to do is to modify files 1528 01:00:47,390 --> 01:00:48,949 that are not only by you so you can 1529 01:00:48,950 --> 01:00:52,009 modify, for example, to see services. 1530 01:00:52,010 --> 01:00:53,270 I don't have permission for these. 1531 01:00:56,270 --> 01:00:58,489 But if I'm using the vertical 1532 01:00:58,490 --> 01:00:59,490 plug in. 1533 01:01:04,860 --> 01:01:06,809 I can see this, but if I write some 1534 01:01:06,810 --> 01:01:07,810 string. 1535 01:01:09,830 --> 01:01:11,119 You'll see that it's not changing, the 1536 01:01:11,120 --> 01:01:12,499 reason for this is because this exploit 1537 01:01:12,500 --> 01:01:13,579 this condition. 1538 01:01:13,580 --> 01:01:15,679 So I have tried several times in there so 1539 01:01:15,680 --> 01:01:17,929 I can just further to the right, this 1540 01:01:17,930 --> 01:01:18,930 comment and times 1541 01:01:20,810 --> 01:01:21,810 it will buy the winery. 1542 01:01:23,500 --> 01:01:25,520 So you can just cut and. 1543 01:01:27,820 --> 01:01:30,279 And if I have intent 1544 01:01:30,280 --> 01:01:32,409 so you can use your plugins or any 1545 01:01:32,410 --> 01:01:34,330 other plugins for exploiting any of 1546 01:01:35,350 --> 01:01:37,839 the boxes that are in in the systems 1547 01:01:37,840 --> 01:01:38,840 to. 
1548 01:01:47,890 --> 01:01:49,929 So I'm afraid we've run out of time for 1549 01:01:49,930 --> 01:01:52,299 questions, but 1550 01:01:52,300 --> 01:01:54,519 Sergi said he's going to try to arrange 1551 01:01:54,520 --> 01:01:56,229 a meeting for you guys, somewhere here 1552 01:01:56,230 --> 01:01:58,809 during the Congress. So 1553 01:01:58,810 --> 01:02:00,549 where can they find you? 1554 01:02:00,550 --> 01:02:02,679 Uh, you 1555 01:02:02,680 --> 01:02:04,659 know, any place where they can meet with 1556 01:02:04,660 --> 01:02:05,499 radare people there. 1557 01:02:05,500 --> 01:02:07,509 So I would say, yes, I was just linking 1558 01:02:07,510 --> 01:02:08,510 up with him on Twitter. 1559 01:02:09,790 --> 01:02:12,309 Let's thank him again for this 1560 01:02:12,310 --> 01:02:15,099 great series of demos and 1561 01:02:15,100 --> 01:02:16,389 give him a round of applause again.