33c3-talk-8095 Latest text of pad 33c3-talk-8095 Saved Jan 12, 2021

Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!
======================================================================
 
 
So today, as the first session, we're going to hear about radare. This is a reversing framework that has been gaining an immense amount of traction over the past few years. It even managed to get itself onto Doctor... sorry, Mr. Robot. I hope you guys saw that series, it's great. It has a reputation, however, of being kind of fiddly and difficult and just hard to use, which I think is unjustified, personally. But to dispel all of these myths, we have the author himself, Sergi Alvarez, also known as pancake, also known as trufae, and he's going to tell us all about it. Please give him a really warm welcome.

Hello. My talk is about demystifying radare. I will try to explain a little bit what radare is and what the reasons behind the title are. About me: my nickname, and the name the Internet knows me by, is pancake. I am actually working at NowSecure, doing research and development in security. I'm the author of radare1 and radare2 and also many other tools like valabind, all of them open source. I've been working on many things. I've been messing with Bluetooth, I've been coding assembly for code optimizations, doing firmware development and also participating in CTFs at DEF CON with the Sexy Pandas team. I've also been doing forensics, working as a sysadmin, and I mainly do stuff at a low level in C, and I also manage to do things on the web side.

What's radare? Well, it's an open source reverse engineering framework. I try to focus on being portable, extensible and expressive. It's a hobby project; I don't really get money out of this. It's something that I just started because I had some personal need to recover some files from my hard drive. At the time I was working as a forensic analyst and I decided to implement something simple for looking for some patterns and dumping the results. After that I started doing some crackmes, so I decided to implement this assembler, debugger, etc., and I was extending the tool with everything that I knew, everything I needed. Three years later, mainly because it was like a big blob, I decided to make it more modular, implementing different libraries and supporting different scripting languages in a better way: instead of just launching the interpreter from inside the project, just exposing the APIs and allowing other libraries and tools to use the project itself. There were really few contributors until two years ago. That's something that actually changed: a lot of users, many contributors. Every day I have like three, four, five pull requests to review and merge. There are like five hundred users in Telegram and now there are more than five thousand followers on Twitter. This year I organized the first congress about the tool in Barcelona, and this is the third year that we are organizing the competition. So the project is really active and there are so many people behind it.

What does the name stand for? radare: raw data recovery. The reason is that I started the project as something for forensics, not something for static analysis or debugging or anything like that. So it comes with a hex editor, which is the basic functionality, but it also supports assembling and disassembling with different backends. You can implement new plugins for each of these functionalities. It supports a lot of file formats; if they are broken, they are also supported. We try to fuzz every single file format in order to find bugs in our parsers, so it's pretty safe right now. It supports mainly static analysis, but there are also capabilities for doing dynamic analysis. It's also able to do checksums, compute entropy and look for differences between different files. It's able to debug. It also comes with an emulator, and there are APIs for writing plugins to extend or emulate those, like Unicorn and things like that. It also comes with functionalities for exploiting, like a ROP gadget finder, payload generator, De Bruijn pattern, etc., and r2pipe scripting. And there is a package manager, because actually there are so many extensions and plugins that people use, and I don't want to bring them all together inside the core. So it's better if I can just provide a simple way for other people to install these plugins.

What can you expect? Well, these are some examples of things that people are really messing with using radare: Gameboy, Street Fighter, firmwares, DNA sequencers, the Apollo 11 CPU, etc.

But wait. We try to focus on myths, which we shall explain a little bit, meaning things that people think about this project. Many people think that radare is not stable. Other people think that it's difficult: there are so many commands, they are difficult and hard to remember. Other people think that it's not able to compile, that the build is broken. So many complaints like these. But first, let's try to make a poll: how many of you know this? OK, I guess everybody checked the website before coming here. OK, and how many of you already use it? Half of the attendees, that's pretty good.

OK, so let's talk about the first myth, which is that it's difficult. This is a graph about the learning curve, starting from the point where you open a file to the point where you start doing something useful with it. In fact, it's pretty hard to learn this and use this tool. But you can compare this learning curve to other projects like IDA, etc. The reasoning behind this is that there are so many commands, but there is a logic behind them. So if you understand the logic, it's pretty easy to start learning and testing things for yourself, on your own. And if you understand the logic behind them, you get very expressive commands, so you can combine different commands and create new functionality, which you can easily hack into the code. It's pretty easy to find the place that you want to modify and just change anything in there. You can create plugins. You can write a new script in any scripting language for extending the functionality or just creating a specific analysis for your target. And you can also build on top of it. So it's pretty easy to hack on top of this.

But let's focus on the difficult part: the commands are mnemonic commands. This means that they are, of course, composed of letters. Each letter means something, and they are done in a way that the first letter means what the purpose of the command is. For example, the letter p means that it's for printing. The second letter means what you want to print: do you want to print a hexdump, do you want to print disassembly, etc. There are a lot of Unix-like concepts behind the shell, so you can use pipes, you can use redirections, there is an internal grep. You can also use less, you can dump JSON, and all these things come inside the tool; you can also pipe to the shell. The reason for this is that you can just ship the radare2 binary on any device and you will have, more or less, a full Unix shell in there. You don't really need to ship the less command. You don't need any tool; you don't need to ship other tools like a JSON pretty printer, etc. And it tries to be autonomous. All this means that you can combine different commands and get the functionality out of there.

So let's make a quick demo to understand which commands are the basic ones. You only need to remember five commands. After this, you can start learning other modifiers or commands that can be helpful for your project. But the five basic commands are these. We can open the file. And we're going to seek to any place. Can you read this? I can make it bigger. We're going to seek, for example, to this address. We can print this. We can seek back. As you see, all the commands are in the help, so you can just append a question mark at the end of the command and you get the help for this command, and you can also make relative seeks like this. The other command is p, which is for printing. We can print in different formats: you can print a hexdump, you can print the disassembly, you can print instructions. And then the other command is w, which is for writing. I will have to enable the cache because I didn't open the file for writing. So if I want to write something here, I will have to enable the cache so I can patch, for example, the first instruction, and we'll see the result. The w command allows you to write things in there. We're going to write hexpairs; you can write assembly, you can write the contents of a file into the current offset, etc. And then the last command, and the least important, is q, for quitting the program. And we're going to see there are some modifiers here we're gonna use. For example, if we do this, or something like this, we can grep; we can also grep for some specific strings. We can just grep for calls. We can also count the number of calls that are here, and if there is a huge or long list of things, it will first ask if you want to print all these things, but you can also just use the dot, which means internal less, and you will get scrolling in there. So that's more or less the logic behind these commands. We'll learn more commands after this.

radare is split into different modules. There is a libr directory which contains all the different modules, the libraries. As we can see here, there is r_core, which links against the other libraries, and each other library is linking against other ones. r_util is the basic library on top of libc. So if you want to port to any other platform, you usually need to patch r_util. r_debug, which is the debug backend, takes the functionality for debugging on a specific platform and also builds with debugging. So it's easy to port. This is more or less the structure of all the libraries, and each of these libraries allows you to create plugins out of them. They are under the p directory, and there is also the bin directory, which contains all the binaries. So we can check these. And we can also see this in libr. So we see all the different modules in there.

OK, there is another myth, which is that it's useless for forensics. In fact, it was the first aim of the project. So there are some functionalities, and there are strong points for doing forensics with this. But there are obviously other tools which only focus on forensics, which are probably better for doing forensics. But you can do many things with it, like, for example, opening devices. You can open them on Unix or as a Windows device. You can also open the physical RAM if it's supported by the kernel. There is also a kernel module which works on Linux and Windows and allows you to read physical and virtual memory from the kernel. It's got a module and you can interact with it. You can search for patterns and get the results. You can modify the system. And it's also able to understand partition tables and filesystems; this code was ported from GRUB, so I also fixed a bunch of bugs in GRUB. It's also able to carve for known file formats. You can use a structure to understand and include files in order to show the content of a specific memory dump with a print format. It's also able to compute incremental block checksums. This is handy because if you want to compute the hash of, say, every megabyte of a gigabyte file, you will get the file with a list, and you can also compare this with another dump and then decide which part of this file was modified. You can change the plugins for the IO; as I said before, all the input and output is pluggable. So you can create plugins for anything. And there are plugins like, for example, gzip, and one for loading EnCase images. You can get the list of IO plugins with this command, and this is the list of plugins that can be used for opening local or remote targets. The uppercase L flag can be used with rasm2 too, which is handy for getting the list of assembler and disassembler plugins. And the same thing goes for rabin2: that gets the list of plugins for binary formats that are supported by the project.

OK, so let's go for the first demo. So we have a file which seems like it's trash, I mean, there is nothing interesting here. We can see the entropy computation here, and there are huge runs of zeros in there, but more or less the entropy is pretty high. So what we're looking at... let's look for known file formats using /m, which looks for magic. It looks like it found something at this offset, so we'll seek there and we will write that out to a file. This creates a new file with the contents starting at the current offset, so we can open it and we see that this is gzip, so we have to open it with the gzip plugin. And now we see something in there. We're going to run the magic search again and you will see that this is a filesystem, so we'll use the m command in order to mount this partition; using the mount command, we'll specify that we want to mount this at the root, using this filesystem type. After that, we can specify a different offset, one of the different partitions inside the file. Now you can use the mount shell inside radare to browse the mounted filesystem, and we can see the contents of this filesystem. We can show the contents. We can get this file and then we can just open it and see that this is a Linux ELF binary. So there is a bunch of functionality that can be handy for forensics.

Now, complaints that this is slow. Analysis is a regular slow operation; it's blocking, mainly because it takes some time and you need to grab all the information before doing anything useful. You can do this analysis in the background, but it will still take a lot of time. And doing it in the background means that you have to put a lot of mutexes in the logic of the analysis. So it will slow down a little bit. Also, it doesn't work really well for big binaries, mainly because it takes a lot of memory and time. It's sometimes not able to find all the functions, and there is a rule of adding more a's at the end of aa. So if you use a command like this, aa, you will analyze all the symbols. If you add another a, you will do more analysis, and if you add more a's you will get more things. So people at the end start adding more a's in order to get more analysis. And this is probably not the best way of making analysis. There are so many commands and configuration options for doing this. And there is this blog post that I wrote explaining some of them. So if you're interested, you can just read it, or just ping me a little bit and I will try to help you. But the idea behind this is not wasting a lot of time waiting for the analysis to finish before starting to do something, because if the analysis takes a lot of time, then after doing it, it will be really slow to operate. So you will have to think of another way of solving the problem. So what I usually do, for 90 percent of the problems that I try to solve, at least my daily problems, is that I can just analyze 10 percent or a part of the program, the information that I really need. And instead of looking at the whole binary, I usually just look for a string or look for references to this string, find the functions that are using these references, and then just analyze five or ten functions. And after this I get the information I need. So you can just use the commands for analyzing the actual information that you want. You can analyze much faster because it's much less code. And, yeah, we are improving every release. So if you're updating frequently, you will get fixes and faster analysis and prebuilt... well, you'll have to understand the logic behind all these commands and options. And we will see some of them.

So this is the first demo. I will open hello world. If we make a full analysis of all the symbols, the time is huge because it's starting to link all the libraries and symbols, etc. So we can compute the time with this prefix; this is like time in bash. After this, we can seek to the string. So we see that the hello world string is here and we see that there is a reference in there, so we can just seek to the reference and we see that not all those things are set in this instruction. But it took some time. I mean, it was eight seconds. This is a simple example, but if you try to do this in a huge, bigger binary, it will take more time. So let's do the same using this script. This basically looks for the hello string. It seeks to this address and then renames the flag. It defines that this is a string. It sets the search boundaries for speeding up the search and then looks for references to this offset. If we run this script, it took only two seconds, almost three, and it identified the same offset and printed the instruction. So, as you can see, you can speed up the analysis. This is a simple example; it can be much more different if you're working on a bigger binary. Another thing about analysis is that sometimes the references are not that clear. This is a hello world for ARM64 and we can seek to the hello string and we see that there is no reference, because we didn't analyze anything. So we will enable all the analysis options. And we see that there is another reference in here, but if we try to analyze in a simple way, we'll see there is no reference. The reason behind this is that in ARM and also in other architectures, the references are computed in more than one instruction. So you need emulation in order to understand the reference out of the code. So if we go to main, we will see that the pointer is computed: it's getting the address of this symbol in here. So it's getting the base address and then adding an offset, and we can enable emulation. Using emulation, you will see that every instruction is getting emulated and then we get the values of the registers from each instruction. So after this, we will see that it's getting the reference to the string section and it's incrementing the offset to get the hello world string. So there is a command, aae, which is analyzing using emulation, and for many other architectures, for example MIPS, it's really handy. There are other ways of getting references using aav, which looks for pointers to data or strings or pointers inside the same address space. And you can see that there are so many commands under a?.

OK, now the complaint that radare is not documented, and that's not true. It's documented in C, and there is help in every command; you can get inline help without having to get any brochure or any book in front of you. There is also a book that I wrote for radare1, and there is one for radare2, and there are a lot of docs, slides, blog posts and YouTube tutorials for understanding how to solve some crackmes and things like that. So it's not really true. It's complex, and sometimes it's hard to find the help for something. But there is IRC and a Telegram channel where you can ask about it and get an answer pretty quickly.

Let's talk about decompilation. Another myth is that it's not able to decompile. There are some things that are similar to decompilation, but that's not really the strength of the tool, because decompilation is not something easy. So we try to delegate this to other tools. Someone wrote the plugin for RetDec, which is an online service for decompilation. It's basically a plugin that uploads the binary that you are analyzing to their service, and you've got the API for getting the disassembly and the decompilation of the different functions that you are analyzing with radare. So you'll get the comments and the code into the radare shell. There is also the radeco project, which is a Rust implementation of a decompiler, which is quite academic and it's not yet so stable. I mean, it's a work in progress, and it's part of the project, but it's not really solving any real world problems yet. I hope that maybe in one year or two it will be an option. There is also Boomerang, which was supported in radare1. I think that Boomerang right now is not really maintained, so there's not much interest in supporting it. But it would be pretty easy to port those plugins from radare1 to radare2. And last week I ported the Snowman decompiler, which is much more updated and it's working for x86 32 and 64-bit. We can make a quick demo for this. We'll try to come back to that after it's compiled.

So let's talk about disassembly. Disassembly is probably one of the good points of radare because there are so many options for disassembling. You can colorize the instructions depending on the type of instruction, which is pretty handy for reading code, because you can easily identify where the jumps are, where the mathematical operations are, the parts of the code that are doing crypto or doing traps or some syscalls, etc. There is also support for analyzing variables and arguments, so you can identify where these variables are accessed in the assembly. There's also support for pseudo disassembly. This means that it will parse the instructions and convert them to something more human friendly, like an expression. This is handy sometimes when you want to get some more C-like code, but it's not really a way to decompile. OK, so we got the... OK, but let's talk about the disassembly. It was working yesterday. So as you can see, there is the disassembly and it's highlighting the instructions in different colors. You can change the color scheme. You can also use the pseudo syntax, so you've got things like this. And the thing is that there is pds, which is a summary of the disassembly of the function. If you analyze main as a function and you run pds, you will see all the references to strings and calls of this function. So you can read a summary of what the function is doing. You can also use pdc, which is the pseudo decompilation, which is using ESIL and doing some logic of basic blocks out of all the different blocks. And you can put the comments on the right, put them at the bottom, etc. And all these things are interactive in visual mode. So if you press uppercase V, you get these and you can scroll around to see what the destination of the jump is, etc. Finally, there is a nice graph for all the functions, so you can get the analysis. If you are in this basic block and you want to follow it, you can also follow them. You can switch to the disassembly, and you are moving back to the same point during the graph or going back here. So there is no different interface, but the command line used in a handy way.

Now, complaints about stability. People say that it's not stable, and the main reason for this is that they are using an old version of it, because they are not using git or the latest releases. We can talk about the stability depending on the amount of crashes that the users are experiencing and the amount of changes in the commands and APIs. Now we are after 1.0, so we try to put some stability on top of this. The commands are pretty stable. Most of them are already used by many people and they are quite clear. So this is not going to change. The APIs are quite stable. I mean, we try to refactor all the time. It's a project where, I mean, I don't really care about breaking something that was wrongly designed in the past. So I don't want to keep compatibility for years for something that was wrong at some point. So I can change it, but it's quite stable. So you can still do things like that. And if you want a command, you can just append a letter at the end of the command and you will get the JSON output, so you can do things like this. If you type the letter i, you will get the information about the header; you can get the symbols, you can get the sections, looking also at the sections like this. The thing is, if you append a j at the end, you've got this JSON, which can be indented. Look at the indentation in JSON. This is pretty easy to parse because all the modern programming languages have libraries, or they support parsing data into native objects of the language directly. So it's very handy for scripting. And the thing is that this is much faster than using an FFI or trying to serialize all the binary structures from C into Python or any other language, because that is allocating a lot of objects in a probably slow way; JSON parsers are much faster than any other parser right now. So, that some specific functionality is broken: that's one of the complaints that I receive every day. And I say: it's fixed in git. So please update your version and try again. Regarding security: if anybody reports a security bug or any crash, I fix it in less than one day, usually in less than one or two hours. It depends on how far from the laptop I am. I try to follow the rule of "you see it, you fix it". So if you see a problem, I try to teach you how to fix it before this thing is broken, and I try to fix it later. This is because the community grew too much and I tried to teach the community to be self-aware of the problems and how to solve them and how to report properly, and not to just report a reproducer: at least pass the backtrace or something that can be useful for me to understand what the problem is. And mainly, you should also pass the version that you are using, to see if it's not the last version; I will not fix it, because I'm only fixing bugs that are in git.

So we try to make a release every six weeks. This is something that I decided after seeing how the project works. I think that six weeks is a pretty nice time schedule, mainly because having one month is really predictable. I mean, you expect the first day of every month to update something, and every six weeks it's something more random. So at the end I'm running up and down and you never really know when the next release will be. So that's kind of a surprise. And it's funny. And the thing is that some years ago I was releasing once or twice a year and this was not really good for the project, mainly because if you are releasing that rarely there were like two thousand commits to review. There is a lot of things to test. There wasn't a lot of time. And right now this is solved by making shorter time releases. So we test everything more frequently. So it's not that hard to make a git clone and get a better, stable product. But there is also the problem of Debian. Debian is a distribution that tries to be stable, and by stability they mean that they are not updating really frequently. Well, the thing is that the current version in Debian stable is five years old. And if you can imagine that every six weeks there are like four hundred commits, you can see how many commits there are in five years. So I would recommend you not to use the packages that are shipped in Debian. You can also use the packages from sid, which are a little bit more updated, but they're still old.

So as I said before, I try to use a pattern which was invented by me, and it's mainly a regression development pattern. The thing is that after you find a bug, you write the test and then you test that this bug doesn't happen again. The reason for this is that it's too late for doing test driven development, which means that you write the test before writing the code. So as long as the code is already there, you write the test after this, and as long as we are doing continuous refactoring of everything in order to improve the stability and portability and reliability of the code, some bugs can come back. So it's important to test everything. Right now the tests take like 15 minutes to run on Travis and half an hour elsewhere, and four hours is too slow for AppVeyor, for Windows. That's why it is not running yet. We try to impose fuzzing inside the development process. So before any release, or during the development of every release, there are some people doing fuzzing on different formats, the command lines, different inputs into the program, and we use different tools like ASan, the Clang analyzer and Coverity, in order to identify which are the parts that are more buggy and which ones are the places to solve the bugs. This is important mainly because there are so many contributions. Many of them are from people that are starting to code, and we try to follow some standards. So there is some coding style and this requires some education of the community.

And now the complaint that this is not written in Python. I know that C is not the perfect language. It's easy to make mistakes, but Python is not the solution. I mean, maybe at some point there will be a language that can replace it, maybe Rust or maybe Swift, I don't know. But maybe Rust is the one that fits better inside the philosophy of the project. But if you want to use Python, there are three different bindings for the native APIs. There are two different bindings for r2pipe, supporting different transports. I will explain later what r2pipe is, and you can write plugins for your own environment. The reason for not using a dynamic language for this is that a compiled language allows you to check things at compile time, so it's easier to identify problems before running the program. There are so many tools available in order to provide and optimize support for different platforms. It's faster. It has a smaller footprint; there is not really a runtime inside the final binary, so you can easily statically link it and put it in a router or any other device. It also compiles with Emscripten to JavaScript, so you can run it in the web browser. And that's fine for me, at least for 90 percent of the problems. And for the rest, you can just use any scripting language.

OK, let's talk about the graphical user interfaces. The main complaint is that there is no graphical interface, but that's not true; the thing is that terminals are scary. People are scared of terminals. And they like to use the mouse and try to click on things like that. So the real problem for radare2 is not that there is no GUI. The problem is that there are so many of them. There are different web user interfaces: one of them is this, which is Material, and this is the default. There is the old one, which is enyo, which is mobile and desktop friendly. I also wrote another one, with a graphical interface with windows and things like that. There was also one which was written back then for radare1. And this is basically the terminal with an interface that has some buttons and menus. Instead of typing commands, you can just read the commands in the menu. There was a complete interface written in Vala and it was working pretty fast and pretty nice, but I abandoned it because it was boring to write the interface. So I think that nobody cares about that. So I never released it, but it's there. There is also Bokken, which is a Python interface. I maintain it. I think it's working with the last version, but it's not adding new functionality. So it's just for static analysis. There is a guy who is writing a new interface in .NET, but he's focusing on Windows. So the thing is that the dependencies of this project depend on the Explorer widget and on another Windows-specific API. So it doesn't really work on Linux. So it's not pretty... well, maybe someday it will be portable. A few days ago, a guy mentioned to me on Twitter, so I had to add this slide, that he's working on a PyQt interface. You can see a screenshot from the GitHub. But let's talk about a real user interface: the author of Bokken and other things has been working for a year or something like that on an interface written in Qt and C++, which looks like this. This is the main interface. Actually, right now it only does static analysis; it's expected that it will support debugging and emulation and things like that, I believe, early next year.

OK, so let's talk about scripting. People think that it's complicated, but really, if you focus on the problem, you only need to understand the commands and you only need to understand a little bit. You just need to know how to write a script. Mainly, I was trying to follow different paradigms, like trying to make the bindings more language friendly. So at the end, you don't really need to have bindings so specific for each language. And the reason is that this is too much work and APIs are changing. So at the end I wrote that tool, which is valabind, which transpiles the interface into different interfaces for different languages. So I create a single file that interfaces the C code and generates Python, Node.js, etc. I've been doing this for all of them, but these are not really stable at all because they have some memory problems, because sometimes it's hard to manage t
he references and things like that. So at the end I got the idea of implementing Exabyte, which is basically a pipe on top of this for comment. The API provides an open method which allows you to open a different time using a specific time slot to open a file. And then you have the same the common, which basically runs in two, and then you get the back the the result. And there is the same with just one output, which particular don't turn out the object of the of the of the rest. And then there is quit. So it just only one comment so that only one method that you have to remember for using this API. Let's make a quick demo for these. This is a script. For. Getting the configuration file off the Meeri malware, this is a botnet and this is the script, it's written and it's using a debate domestically, extracting the configuration file out of a of the binary. You can use it like from Python, like doing it like this. And look at the conflict finder. You can also use it from inside, so you can just. Connected like this. Or inside the shell. So if you are inside the shell. You're going to read the the file just using the dot. So it's important to file and running it. There are so many examples in many different programing languages, in fact, this is the least of all the languages of the support of the debate, not all of them support all the time sports, my time, sports, I mean, that you can use to buy through to the beer. You can also use it if you disappeared. You can also use it with pipes postponing the binary and reading writing to put these old platforms in Windows, Linux, I and other examples inside the directory. So if you go into the Atabay repository, you will see that, for example, for this, there are examples in there and you're going to see, for example, the Eastern Seaboard. There is also a Cisco emulator, which is basically implementing the Cisco handler in JavaScript, and you're going to run this this Hanawalt, which is basically. This coat. And this will h
ave to run until 1:00 p.m.. Well, I contend this is just a stupid thing anyway, the Python example, there's a same environment. Uh. So during this Halloween, they're basically saying that you have to using a seal for immolating code and then you've got the typescript executed after this. OK, so the budget is confusing, many people think that the mother of two is strange, mainly because it's a low level Levuka. The main reason for this is because I don't try to replace sort of I guess there is to be a levy and school get, which are pretty good source of budgets. But I'm still work for beginners. You don't have the source code or different budget. So when you're into the back with another tool, you are starting to get back into the dynamic. A lot of the systems not inside the entry point. The reason for this is because some file formats kind of exploit this inside the belly and execute called before the entry point, or there can be more than one entry point. Also, there can be changes in memory that will be applied in the. So some people complain that they putting the binary in memory and then execute the program. And the problem is not budget. The reason for this is because you are touching the memory and not the binary itself. And if you want to create a specific environment, you have to use one which is a tool that comes with another tool that the great upper file to specify, for example, the Israeli the truth, the different directorially that you want to, and all the arguments, if you want to change like a script, are like thunder input. Do you want to be stuck listening to a specific part, etc. This allows you to create the profile for running the program every time this is handy, if you are trying to make a correct me or things like that. So do the basics like this. You can spawn at that. You can create plugins for all these things and there are plug ins. As long as I said before, they are plug ins for all this. So you can use the bigger. There are more than one
 of these debugger. There's people writing their own narrative that I got for windows and things like that. You can use attachable HDB. You can also attach the individual box to death also for comments of the Baggara under the letter. And you can also do local or remote debugging and you can inject code. There is a common thread that allows you to inject a bunch of bytes and then it will get back to the rest of the state. The debate is not working on the platforms, mainly because the GDP protocol is crap, it makes this binary plaintext and X amount and single with US detections, which is really bad decision. But they try to implement the thing for every single platform. So every time that you try to connect on a platform, you have to use different solutions for getting or writing the resistors or reading, writing memory or doing steps and setting breakpoints and things like that. So it's kind of, um. So it's working progress. And right now it's about Sentell mainly. So you can use it for debugging Windows or Linux, attaching to QM or things like that. And he working for me is RAM and maybe there are 12 Libbey, which is a project that they wrote not secured, and it's mainly a pipe script that allows you to use your inside Libya and you'll run this Python script and it will allows you to touch from in there. And you can use all the functionalities and memory from from runner to just copy the shelling there. This is nice because if you are working with Apple, things like Apple Watch or iPhone devices, you can do what you can just to the back by not using that without having jailbreak. And there is some sort of freedom free, I didn't make the race or the index library, which contains JavaScript interpretor in there, and you can put this graps in there or just use the libraries for for running code that this project is written by Willandra. Also working my company on its works in many platforms can be used in exciting OS, Linux, Unix, Windows, and it's pretty fast. I mea
n, maybe thinking about JavaScript and all these things make you think that it's slow, but it's really fast and it allows you to make of introspection inside the process so you can do the inside the process. Let's make a really fast demo. Uh. So I have no G.S. running this terminal and I have another doing the other one, and I will use that to attach to this process like now. We're going to get the information using the backslash and we're going to see the list of comments from the three that blog, and from here we can get information from the minority. We can get information from the experts, for example, the symbol of. And. You can read my money from the budget process, you can modify it or whatever, you can analyze it and get the graphs of the dirt. Um, yeah, they work. OK, it's not. OK, so what I'm going to do now is use the. Did the comment, which allows you to trace the specific symbol and use of string for tracing this its function. So now every time that the Norges process is writing, using the right symbol, it will bring something in there. We can also use a back to back trace in great ascription there, etc.. OK, let's talk about the of machine that comes inside. It's got language that basically it's translating every instruction into string. We're going to see this and there are so depressed upper case, oh, you will see a string. And this is doing represents what the institution is doing behind the scenes, so it's a forceful language. It has two different stocks on its tax base. The reason for this is that you can easily read and modify what they're doing. You can also change the institution itself without having to recompile. Right, until you can change the expression. And this is used for many things, not just for emulation, just for analysis. It's also used for debugging. So if they want to specify a specific string, like defining, I want to continue this execution until a specific resistor have a value that is in this range, or you want to identify if 
the specific jump is going to be executed or not, or find different types of expressions that the matching from memory, like, for example, I want to find a specific version of memory that contains something worth and then from zero, etc.. You're going to use more steel for this. This is some of the comments that can be used for for emulation. It's basically the same for the back, but using a specific since that day. And there is also support for a unicorn, but it's not as complete as a full one. So here is a crack me up and it can be solved using this script. It can be solved using this after this, after a script which is basically sticking to a symbol that you want to emulate, running the the code in there and stopping at the point of this, comparing the two strings and then dumping the resistors values. So we do like this. You got the password. And the same thing goes for. For the Byrum. So basically doing is. Calling the tech password function, which is in there and then inside this function, it goes for looking for the string compar. And then getting the Bible thumpers, sisters, if you will, these. You're going to see, for example, in the background, you can continue the execution, the entry point, and then you can use the area to get the. With. Nothing to the. So I'm continuing to the point and then I'm just saying out or you're still scoping in order to get information of every CEO and where they're pointing to. So you can also do the same in the stock. Together, the boundaries of the strings and so on. And many things like this are useful and used from from from there. OK, so how exploiting which is the final flight of. There are so many functioning this involved that can be handy for exploiting, it's like you can passcode in memory, you can go things like that. So I'm right now into the background. So I can just put the anywhere and I can press uppercase A.. And I can just buy the code with a. For example, with this, um, this is for some specific environment
s, there are some static places and there are some handy functionalities like generating and finding offsets of the burning patterns. You can use the telescoping like I showed before. You can keep analysis. This is only working on Linux, but it will be Partito. I was fixing the Windows. And let's make a quick demo about the real thing, which is from then over a lot over it. I mean, guess that basically allows you to create the gadget. So you have got to do the right side that are of the lives of intellectualize binary, you can add them in there, you can also remove them, you can move them around. You can also drop on when you have all this thing right. You can just Abuk. And you get the terminal ready for the backing the guy gods that you have rhythm, so you're stuck inside the red, so you're stepping and we are stepping on this rob gadget. Um, and to finish, I would like to show you one of the reasons that you can use. Rather, a tool for extending or using a specific exploit I'm exploiting I'm using it to exploit for writing on your blog in. So this is a blog about Linux. It's one month from one month ago, I don't know if you did the global already, but it's very funny and you can read more in this or else, uh, what this one allows you to do is to modify files that are not only by you so you can modify, for example, to see services. I don't have permission for these. But if I'm using the vertical plug in. I can see this, but if I write some string. You'll see that it's not changing, the reason for this is because this exploit this condition. So I have tried several times in there so I can just further to the right, this comment and times it will buy the winery. So you can just cut and. And if I have intent so you can use your plugins or any other plugins for exploiting any of the boxes that are in in the systems to. So I'm afraid we've run out of time for questions, but but says he said he's going to try to arrange a meeting for you guys, someone here during the th
e Congress still where can they find you? Uh, you know, any place that they can meet with our people there. So I would say, yes, I was just linking up with him on Twitter. Let's thank him again for this great series of demos and give him a round of applause again.
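The talk describes ESIL as a Forth-like stack language into which radare2 translates each instruction as a comma-separated string, and says the expression can be read, modified and evaluated without recompiling. The toy evaluator below is an added illustration written for this transcript; it is not radare2's own ESIL VM and not the speaker's code. It implements a constructed subset of the notation (assignment, arithmetic, compare, the `$z` zero flag, `?{ ... }` conditional blocks, and `[n]` / `=[n]` memory access) and the instruction-to-ESIL strings in the demo are hand-written, so register names, the sample program and the memory layout are all assumptions made for the example.

```python
# Toy evaluator for a small subset of radare2's ESIL notation.
# Constructed illustration: this is not radare2's own ESIL VM, and the
# instruction -> ESIL strings in emulate_demo() are hand-written for the demo.

class EsilVM:
    """Evaluates comma-separated, postfix (Forth-like) ESIL expressions.

    Operand order follows ESIL: the top of the stack is the destination or
    left operand, e.g. "ebx,eax,+=" means eax = eax + ebx and "3,5,-" is 5 - 3.
    """

    def __init__(self, regs, mem_size=0x200, bits=32):
        self.regs = dict(regs)           # register file, flags included (assumed names)
        self.mem = bytearray(mem_size)   # flat memory starting at address 0
        self.mask = (1 << bits) - 1
        self.last = 1                    # result of the last arithmetic/compare, read by $z

    def value(self, tok):
        """Resolve a stack token: register name, hex literal or decimal literal."""
        if tok in self.regs:
            return self.regs[tok]
        return int(tok, 16) if tok.startswith("0x") else int(tok)

    def run(self, esil):
        """Evaluate one ESIL string; returns whatever is left on the stack."""
        st, toks, i = [], esil.split(","), 0
        while i < len(toks):
            t = toks[i]
            i += 1
            if t in ("=", ":="):                            # src,dst,=   -> dst = src
                dst, src = st.pop(), self.value(st.pop())
                self.regs[dst] = src & self.mask
            elif t in ("+=", "-=", "&=", "|=", "^="):       # src,dst,op= -> dst = dst op src
                dst, src = st.pop(), self.value(st.pop())
                self.last = self._arith(t[0], self.regs[dst], src)
                self.regs[dst] = self.last
            elif t in ("+", "-", "*", "&", "|", "^"):       # b,a,op -> push (a op b)
                a, b = self.value(st.pop()), self.value(st.pop())
                self.last = self._arith(t, a, b)
                st.append(str(self.last))
            elif t == "==":                                 # b,a,== -> compare a with b
                a, b = self.value(st.pop()), self.value(st.pop())
                self.last = (a - b) & self.mask
            elif t == "$z":                                 # zero flag of the last result
                st.append("1" if self.last == 0 else "0")
            elif t == "?{":                                 # cond,?{ ... } -> skip block if cond == 0
                if self.value(st.pop()) == 0:
                    i = self._skip_block(toks, i)
            elif t == "}":
                pass                                        # end of a conditional block
            elif t.startswith("[") and t.endswith("]"):     # addr,[n] -> push n-byte little-endian read
                n, addr = int(t[1:-1]), self.value(st.pop())
                st.append(str(int.from_bytes(self.mem[addr:addr + n], "little")))
            elif t.startswith("=[") and t.endswith("]"):    # src,addr,=[n] -> n-byte write
                n = int(t[2:-1])
                addr, src = self.value(st.pop()), self.value(st.pop())
                self.mem[addr:addr + n] = (src & ((1 << (8 * n)) - 1)).to_bytes(n, "little")
            else:
                st.append(t)                                # literal or register name
        return st

    def _arith(self, op, a, b):
        ops = {"+": a + b, "-": a - b, "*": a * b, "&": a & b, "|": a | b, "^": a ^ b}
        return ops[op] & self.mask

    @staticmethod
    def _skip_block(toks, i):
        """Return the index just past the '}' matching an already-consumed '?{'."""
        depth = 1
        while depth:
            if toks[i] == "?{":
                depth += 1
            elif toks[i] == "}":
                depth -= 1
            i += 1
        return i


def emulate_demo():
    """Run a constructed x86-style snippet, one hand-written ESIL string per instruction."""
    vm = EsilVM({"eax": 0, "ebx": 0x12, "ecx": 0, "esp": 0x100, "eip": 0, "zf": 0})
    program = [
        ("mov eax, 0x10",  "0x10,eax,="),
        ("add eax, ebx",   "ebx,eax,+=,$z,zf,:="),
        ("push eax",       "4,esp,-=,eax,esp,=[4]"),
        ("mov ecx, [esp]", "esp,[4],ecx,="),
        ("cmp ecx, 0x22",  "0x22,ecx,==,$z,zf,:="),
        ("je 0x1000",      "zf,?{,0x1000,eip,=,}"),
    ]
    for asm, esil in program:
        vm.run(esil)
        print(f"{asm:16} {esil:28} eax={vm.regs['eax']:#x} esp={vm.regs['esp']:#x} "
              f"zf={vm.regs['zf']} eip={vm.regs['eip']:#x}")
    return vm


if __name__ == "__main__":
    emulate_demo()
```

Because each instruction is just a string, the talk's point about changing semantics without recompiling is visible directly: editing "ebx,eax,+=" to "ebx,eax,-=" changes what the emulated add does, and a condition such as "until a register is in this range" is expressed by evaluating an expression against the VM state after every step.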