SlideShare a Scribd company logo

44CON London 2015 - reverse reverse engineering

44CON
44CON

reverse reverse engineering by Richo Healey

Technology
1 of 52
Download to read offline
reverse reverse engineering @rich0H
richo ‣ rich-oh! ‣ Computer Jerk at Stripe ‣ Duck Enthusiast ‣ Co-owner of plausibly the world's most ridiculous CVE ‣ WrongIslandCon jerk ‣ github.com/richo ‣ twitter.com/rich0H
What this talk is ‣ Neat tricks with bytecode vms ‣ Some hilarity inside of the Rubby'sVM ‣ Some reversing fu for people who don't like reversing ‣ Maybe a little opaque- please ask me questions
What this talk isn't ‣ Particularly full of bugs ‣ Having any 1337 exploits ‣ I am releasing a tool though ‣ Gunna name names ‣ Thanks Oracle ‣ Hi FireEye
The Problem ‣ They want to give you a black box that does computer ‣ They don't want you to know how it computers
Their Solution ‣ Obfuscation!
Their Solution ‣ Obfuscation! ‣ Not novel: ‣ Malware authors are on this case ‣ Native code has been doing this for years ‣ Obfuscating bytecode isn't new
This kinda sucks in a VM ‣ Your options for detecting fuckery are pretty limited ‣ No performance counters ‣ Very limited sidechannels ‣ No weird instructions to poke
This *really* sucks in a dynamic VM ‣ Dynamic dispatch means you can't mangle classes and methods ‣ Lack of a JIT means you can't do anything egregious to method bodies
Code obfuscation ‣ Typically packs up either source or a build product ‣ Loaders tend to be really complex ‣ Messing with RE's is seemingly fun to these people
What if you're really lazy
Some terminology ‣ Rubby:An interpreted, dynamic language ‣ YARV: Yet Another RubbyVM ‣ MRI: Matz Rubby Interpreter
The Rubby VM source_file.rb READ CODEGEN
The Rubby VM
The Rubby VM
inside an InstructionSequence
The Rubby VM source_file.rb READ CODEGEN EVAL
The Obfuscated Rubby VM source_file.rb READ CODEGEN OBFUSCATIONobfuscated_source_file.rb obfuscated_source_file.rb UNPACK EVAL
Packed code
Dynamic VM is Dynamic ‣ We can trivially insert instrumentation ‣ This.. sort of works. ‣ Tack binding.pry calls everywhere ‣ Attach a debugger, do a lot of `call rb_f_eval`
Rubby ‣ Open Source! ‣ We can just slam our own debug interfaces in ‣ Worked entirely with the reference implementation ‣ All mainstream loaders target it anyway ‣ Typically see a loader for each of the more recent rubbies
The Rubby VM ‣ Interesting symbols to start with: ‣ rb_eval_iseq ‣ rb_define_method ‣ vm_define_method
The Rubby VM ‣ Interesting symbols to start with: ‣ rb_eval_iseq ‣ rb_define_method ‣ vm_define_method ‣ rb_f_eval (lol)
Ok so we have bytecode right ‣ Now what?
A stack of Rubbies ‣ Rubby'sVM is a stack machine ‣ Opcodes consume operands from the stack and leave operands on it ‣ A few simple registers for storing branch conditions etc
Deeper into the YARV
Expressive IR is nice ‣ YARV bytecode is pretty easy to read ‣ Auditing by hand isn't too bad ‣ Happily it's also sufficiently expressive that decompilation is pretty tenable
Reversal ‣ Research project from Michael Edgar @ dartmouth ‣ Similar in operation to pyRETic by Rich Smith
Reversal ‣ Over the course of this research I found several versions of rubby that simply won't compile ‣ Several debug flags that cause rubby simply not to build ‣ TheVM has gained more instructions since 2010
Aside: instructions ‣ bitblt: ‣ Rubby is a srs bsns project for adults
Aside: Docs ‣ Rubby is an english language (now) ‣ This is.. not super true for large chunks of the codebase
Reviving Reversal ‣ Patched reversal until it started working again ‣ Added support for rubby 1.9.3 ‣ And it's delightful new instructions
Presenting: unrubby ‣ Hacked up rubbyVM ‣ Lots and lots of hooks into internal behaviour ‣ Reaches out to reversal for decompilation ‣ Gives you back source!
Why not just reversal ‣ Reversal's mode of operation is a bit fragile ‣ Unrubby hooks the behaviour of theVM, not the format of the bytecode ‣ Attempts to defeat unrubby would in turn be fragile
Digging further in ‣ Reversal suggests it can take the whole program and turn it back into source. ‣ This is largely untrue in my experience.
Digging further in ‣ We can keep abusing the runtime behaviour of theVM ‣ hook more stuff! ‣ rb_mod_include ‣ rb_obj_extend ‣ rb_define_class ‣ rb_define_method ‣ It's possible to define a class without defineclass
Bonus ‣ This also gives us a more flexible intermediate state ‣ Write your own hooks in rubby!
More bonus ‣ This has the impact of "unfurling" metaprogramming ‣ We get dynamically generated methods as well
Aside: Classes ‣ Rubby classes are weird ‣ If you think that hooking rb_define_class is enough you would be sadly mistaken ‣ Luckily our hook function is idempotent ‣ Skim class.c and hook *everything*
Demo time!
Making it go ‣ Rubby's insanity is super useful to us ‣ We can preload our library, then hijack execution flow during the eval step ‣ An atexit(3) hook will just dump the code to stdout
Real world breaking ‣ Things have dependencies ‣ Things want to talk to databases ‣ Rubby to the rescue again!
Naively ‣ Reimplement rails without any bodies
Rubby: richo has feels ‣ Rubby lets you do a bunch of shit it ought not to: ‣ method_missing ‣ const_missing ‣ reopening classes ‣ monkey patching ‣ etc
Or!
Stealth ‣ Reversing things is kinda noisy ‣ Do this in an unroutable vm ‣ Unroutable vm's are miserable to work with
Stealth ‣ Reversing things is kinda noisy ‣ Do this in an unroutable vm ‣ Unroutable vm's are misrable to work with ‣ Compromises end up getting made
What's in the box? ‣ Rubby source tree ‣ Patched version of reversal ‣ A rails shim that ought to appease many applications ‣ Please play with it! ‣ Please report bugs! ‣ I'll drop some tips in the readme for how to report bugs without coughing up privileged code
More goodies ‣ Lots of environment variables to control what gets emitted ‣ UNRUBBY_FULL_ISEQ ‣ UNRUBBY_METHODS ‣ YOLO ‣ Abusing the autoloader can yield results
How would I defeat it? ‣ No super obvious way ‣ Unfortunately Rubby is just a really obtuseVM to target ‣ Best I came up with was to shove everything into .rodata and statically link a binary
Gr33tz and shit ‣ Rich Smith - pyRETic ‣ Michael Edgar - Reversal ‣ Dominic for putting me up when I offbyone'd my flights and hotel ‣ 44con for having me ‣ Whoever I'm missing
Resources ‣ https://github.com/richo/unrubby ‣ https://github.com/michaeledgar/reversal ‣ I'll toot the link to these slides - @rich0H Questions?

Recommended

44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
Transforming WebSockets
Transforming WebSocketsTransforming WebSockets
Transforming WebSocketsArnout Kazemier
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Macdoored
MacdooredMacdoored
MacdooredShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 

Recommended

44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
Transforming WebSockets
Transforming WebSocketsTransforming WebSockets
Transforming WebSocketsArnout Kazemier
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Macdoored
MacdooredMacdoored
MacdooredShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Deploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in BerlinDeploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in BerlinAlessandro Nadalin
 
The beauty of virtualization
The beauty of virtualizationThe beauty of virtualization
The beauty of virtualizationVivek Juneja
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoAOE
 
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Baruch Sadogursky
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...Pablo Godel
 
Modern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl ProgrammerModern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl ProgrammerJohn Anderson
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 Sasaya Hu
 
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...Baruch Sadogursky
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to SwiftJohn Anderson
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsSymfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsPablo Godel
 
Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015ice799
 
Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015ice799
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON
 

More Related Content

What's hot

Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Deploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in BerlinDeploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in BerlinAlessandro Nadalin
 
The beauty of virtualization
The beauty of virtualizationThe beauty of virtualization
The beauty of virtualizationVivek Juneja
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoAOE
 
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Baruch Sadogursky
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...Pablo Godel
 
Modern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl ProgrammerModern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl ProgrammerJohn Anderson
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 Sasaya Hu
 
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...Baruch Sadogursky
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to SwiftJohn Anderson
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsSymfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsPablo Godel
 
Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015ice799
 
Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015ice799
 

What's hot (19)

Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
Deploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in BerlinDeploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
Deploying 3 times a day without a downtime @ Rocket Tech Summit in Berlin
 
The beauty of virtualization
The beauty of virtualizationThe beauty of virtualization
The beauty of virtualization
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for Magento
 
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
 
Modern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl ProgrammerModern Perl for the Unfrozen Paleolithic Perl Programmer
Modern Perl for the Unfrozen Paleolithic Perl Programmer
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人
 
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
Building a private CI/CD pipeline with Java and Docker in the cloud as presen...
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to Swift
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony AppsSymfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
Symfony Live NYC 2014 - Rock Solid Deployment of Symfony Apps
 
Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015Package manages and Puppet - PuppetConf 2015
Package manages and Puppet - PuppetConf 2015
 
Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015
 

Viewers also liked

44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 

Viewers also liked (20)

44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 

Similar to 44CON London 2015 - reverse reverse engineering

Dear compiler please don't be my nanny v2
Dear compiler please don't be my nanny v2Dear compiler please don't be my nanny v2
Dear compiler please don't be my nanny v2Dino Dini
 
Continuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhContinuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhDirk Hoerig
 
High Performance Haskell
High Performance HaskellHigh Performance Haskell
High Performance HaskellHarendra Kumar
 
Building a JavaScript Module Framework at Gilt
Building a JavaScript Module Framework at GiltBuilding a JavaScript Module Framework at Gilt
Building a JavaScript Module Framework at GiltEric Shepherd
 
Ruby tutorial
Ruby tutorialRuby tutorial
Ruby tutorialknoppix
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsJonathan Hitchcock
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
 
Puppet Camp Chicago 2014: Puppet at backstop another year of lessons
Puppet Camp Chicago 2014: Puppet at backstop another year of lessonsPuppet Camp Chicago 2014: Puppet at backstop another year of lessons
Puppet Camp Chicago 2014: Puppet at backstop another year of lessonsPuppet
 
Mobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMaximiliano Firtman
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Angels versus demons: balancing shiny and inclusive
Angels versus demons: balancing shiny and inclusiveAngels versus demons: balancing shiny and inclusive
Angels versus demons: balancing shiny and inclusiveChris Mills
 
GitLab Frontend and VueJS at GitLab
GitLab Frontend and VueJS at GitLabGitLab Frontend and VueJS at GitLab
GitLab Frontend and VueJS at GitLabFatih Acet
 
WordPress Local Environments VVV
WordPress Local Environments VVVWordPress Local Environments VVV
WordPress Local Environments VVVAli Basheer
 
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...andreaslubbe
 
WebAssembly: Digging a bit deeper
WebAssembly: Digging a bit deeperWebAssembly: Digging a bit deeper
WebAssembly: Digging a bit deeperAll Things Open
 

Similar to 44CON London 2015 - reverse reverse engineering (20)

Dear compiler please don't be my nanny v2
Dear compiler please don't be my nanny v2Dear compiler please don't be my nanny v2
Dear compiler please don't be my nanny v2
 
Continuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhContinuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchh
 
High Performance Haskell
High Performance HaskellHigh Performance Haskell
High Performance Haskell
 
Building a JavaScript Module Framework at Gilt
Building a JavaScript Module Framework at GiltBuilding a JavaScript Module Framework at Gilt
Building a JavaScript Module Framework at Gilt
 
groovy & grails - lecture 6
groovy & grails - lecture 6groovy & grails - lecture 6
groovy & grails - lecture 6
 
Ruby tutorial
Ruby tutorialRuby tutorial
Ruby tutorial
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad Decisions
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
 
Puppet Camp Chicago 2014: Puppet at backstop another year of lessons
Puppet Camp Chicago 2014: Puppet at backstop another year of lessonsPuppet Camp Chicago 2014: Puppet at backstop another year of lessons
Puppet Camp Chicago 2014: Puppet at backstop another year of lessons
 
Mobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance Optimization
 
Concurrency in ruby
Concurrency in rubyConcurrency in ruby
Concurrency in ruby
 
Phonegap 1.0
Phonegap 1.0Phonegap 1.0
Phonegap 1.0
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Angels versus demons: balancing shiny and inclusive
Angels versus demons: balancing shiny and inclusiveAngels versus demons: balancing shiny and inclusive
Angels versus demons: balancing shiny and inclusive
 
GitLab Frontend and VueJS at GitLab
GitLab Frontend and VueJS at GitLabGitLab Frontend and VueJS at GitLab
GitLab Frontend and VueJS at GitLab
 
WordPress Local Environments VVV
WordPress Local Environments VVVWordPress Local Environments VVV
WordPress Local Environments VVV
 
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...
Beautiful code instead of callback hell using ES6 Generators, Koa, Bluebird (...
 
Old Dogs and New Tricks
Old Dogs and New TricksOld Dogs and New Tricks
Old Dogs and New Tricks
 
WebAssembly: Digging a bit deeper
WebAssembly: Digging a bit deeperWebAssembly: Digging a bit deeper
WebAssembly: Digging a bit deeper
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 

More from 44CON (17)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

44CON London 2015 - reverse reverse engineering

  • 2. richo ‣ rich-oh! ‣ Computer Jerk at Stripe ‣ Duck Enthusiast ‣ Co-owner of plausibly the world's most ridiculous CVE ‣ WrongIslandCon jerk ‣ github.com/richo ‣ twitter.com/rich0H
  • 3. What this talk is ‣ Neat tricks with bytecode vms ‣ Some hilarity inside of the Rubby'sVM ‣ Some reversing fu for people who don't like reversing ‣ Maybe a little opaque- please ask me questions
  • 4. What this talk isn't ‣ Particularly full of bugs ‣ Having any 1337 exploits ‣ I am releasing a tool though ‣ Gunna name names ‣ Thanks Oracle ‣ Hi FireEye
  • 5. The Problem ‣ They want to give you a black box that does computer ‣ They don't want you to know how it computers
  • 7. Their Solution ‣ Obfuscation! ‣ Not novel: ‣ Malware authors are on this case ‣ Native code has been doing this for years ‣ Obfuscating bytecode isn't new
  • 8. This kinda sucks in a VM ‣ Your options for detecting fuckery are pretty limited ‣ No performance counters ‣ Very limited sidechannels ‣ No weird instructions to poke
  • 9. This *really* sucks in a dynamic VM ‣ Dynamic dispatch means you can't mangle classes and methods ‣ Lack of a JIT means you can't do anything egregious to method bodies
  • 10. Code obfuscation ‣ Typically packs up either source or a build product ‣ Loaders tend to be really complex ‣ Messing with RE's is seemingly fun to these people
  • 11. What if you're really lazy
  • 12. Some terminology ‣ Rubby:An interpreted, dynamic language ‣ YARV: Yet Another RubbyVM ‣ MRI: Matz Rubby Interpreter
  • 17. The Rubby VM source_file.rb READ CODEGEN EVAL
  • 18. The Obfuscated Rubby VM source_file.rb READ CODEGEN OBFUSCATIONobfuscated_source_file.rb obfuscated_source_file.rb UNPACK EVAL
  • 20. Dynamic VM is Dynamic ‣ We can trivially insert instrumentation ‣ This.. sort of works. ‣ Tack binding.pry calls everywhere ‣ Attach a debugger, do a lot of `call rb_f_eval`
  • 21. Rubby ‣ Open Source! ‣ We can just slam our own debug interfaces in ‣ Worked entirely with the reference implementation ‣ All mainstream loaders target it anyway ‣ Typically see a loader for each of the more recent rubbies
  • 22. The Rubby VM ‣ Interesting symbols to start with: ‣ rb_eval_iseq ‣ rb_define_method ‣ vm_define_method
  • 23. The Rubby VM ‣ Interesting symbols to start with: ‣ rb_eval_iseq ‣ rb_define_method ‣ vm_define_method ‣ rb_f_eval (lol)
  • 24. Ok so we have bytecode right ‣ Now what?
  • 25. A stack of Rubbies ‣ Rubby'sVM is a stack machine ‣ Opcodes consume operands from the stack and leave operands on it ‣ A few simple registers for storing branch conditions etc
  • 27. Expressive IR is nice ‣ YARV bytecode is pretty easy to read ‣ Auditing by hand isn't too bad ‣ Happily it's also sufficiently expressive that decompilation is pretty tenable
  • 28. Reversal ‣ Research project from Michael Edgar @ dartmouth ‣ Similar in operation to pyRETic by Rich Smith
  • 29. Reversal ‣ Over the course of this research I found several versions of rubby that simply won't compile ‣ Several debug flags that cause rubby simply not to build ‣ TheVM has gained more instructions since 2010
  • 30. Aside: instructions ‣ bitblt: ‣ Rubby is a srs bsns project for adults
  • 31. Aside: Docs ‣ Rubby is an english language (now) ‣ This is.. not super true for large chunks of the codebase
  • 32. Reviving Reversal ‣ Patched reversal until it started working again ‣ Added support for rubby 1.9.3 ‣ And it's delightful new instructions
  • 33. Presenting: unrubby ‣ Hacked up rubbyVM ‣ Lots and lots of hooks into internal behaviour ‣ Reaches out to reversal for decompilation ‣ Gives you back source!
  • 34. Why not just reversal ‣ Reversal's mode of operation is a bit fragile ‣ Unrubby hooks the behaviour of theVM, not the format of the bytecode ‣ Attempts to defeat unrubby would in turn be fragile
  • 35. Digging further in ‣ Reversal suggests it can take the whole program and turn it back into source. ‣ This is largely untrue in my experience.
  • 36. Digging further in ‣ We can keep abusing the runtime behaviour of theVM ‣ hook more stuff! ‣ rb_mod_include ‣ rb_obj_extend ‣ rb_define_class ‣ rb_define_method ‣ It's possible to define a class without defineclass
  • 37. Bonus ‣ This also gives us a more flexible intermediate state ‣ Write your own hooks in rubby!
  • 38. More bonus ‣ This has the impact of "unfurling" metaprogramming ‣ We get dynamically generated methods as well
  • 39. Aside: Classes ‣ Rubby classes are weird ‣ If you think that hooking rb_define_class is enough you would be sadly mistaken ‣ Luckily our hook function is idempotent ‣ Skim class.c and hook *everything*
  • 41. Making it go ‣ Rubby's insanity is super useful to us ‣ We can preload our library, then hijack execution flow during the eval step ‣ An atexit(3) hook will just dump the code to stdout
  • 42. Real world breaking ‣ Things have dependencies ‣ Things want to talk to databases ‣ Rubby to the rescue again!
  • 43. Naively ‣ Reimplement rails without any bodies
  • 44. Rubby: richo has feels ‣ Rubby lets you do a bunch of shit it ought not to: ‣ method_missing ‣ const_missing ‣ reopening classes ‣ monkey patching ‣ etc
  • 45. Or!
  • 46. Stealth ‣ Reversing things is kinda noisy ‣ Do this in an unroutable vm ‣ Unroutable vm's are miserable to work with
  • 47. Stealth ‣ Reversing things is kinda noisy ‣ Do this in an unroutable vm ‣ Unroutable vm's are misrable to work with ‣ Compromises end up getting made
  • 48. What's in the box? ‣ Rubby source tree ‣ Patched version of reversal ‣ A rails shim that ought to appease many applications ‣ Please play with it! ‣ Please report bugs! ‣ I'll drop some tips in the readme for how to report bugs without coughing up privileged code
  • 49. More goodies ‣ Lots of environment variables to control what gets emitted ‣ UNRUBBY_FULL_ISEQ ‣ UNRUBBY_METHODS ‣ YOLO ‣ Abusing the autoloader can yield results
  • 50. How would I defeat it? ‣ No super obvious way ‣ Unfortunately Rubby is just a really obtuseVM to target ‣ Best I came up with was to shove everything into .rodata and statically link a binary
  • 51. Gr33tz and shit ‣ Rich Smith - pyRETic ‣ Michael Edgar - Reversal ‣ Dominic for putting me up when I offbyone'd my flights and hotel ‣ 44con for having me ‣ Whoever I'm missing