
PoC or GTFO, Volume 3

Jan 25, 2025, 43 min

Episode description

The book "PoC or GTFO, Volume 3" contains various articles discussing "Proof of Concept" exploits for a wide range of systems and devices. It is a collection of writings from different authors who explore vulnerabilities, reverse engineering, and security aspects of different hardware and software systems. The articles range from detailed analyses of specific exploits, such as cracking Gumball for the Apple II, detecting MIPS16 emulation, and understanding Java Key Store vulnerabilities, to discussions of more theoretical topics such as reverse engineering techniques, intellectual tyranny in the name of science, and the ethical implications of security research. The book aims to showcase the breadth of hacking and security research across a diverse range of areas.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/PoC-GTFO-3-Manul-Laphroaig-ebook/dp/B084FLR88T?&linkCode=ll1&tag=cvthunderx-20&linkId=34ef94f0f8730f618467392952ed98b2&language=en_US&ref_=as_li_ss_tl



Discover our free courses in tech and cybersecurity. Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Hey everyone, and welcome back. Yeah, welcome back to another deep dive.

Speaker 2

It's a deep dive.

Speaker 1

You ready to get our hands dirty with some... Oh yeah, absolutely... PoC or GTFO Volume three.

Speaker 2

Yeah, digging right back in all right.

Speaker 1

So just a reminder for listeners just joining us for the first time, right, PoC or GTFO Volume three is a book.

Speaker 2

It is a book, a real book. You can hold it.

Speaker 1

It's fantastic.

Speaker 2

Yeah.

Speaker 1

It's a collection of various security research and kind of proofs of concept, absolutely, and different kind of just deep dives into various aspects of security.

Speaker 2

Yep, and some hardware hacking.

Speaker 1

Yeah, hardware hacking all sorts of things.

Speaker 2

Yeah, it's a really cool collection, really cool. Yeah.

Speaker 1

So we're going to kind of jump around to different sections from the book that that were really interesting. So you get a little sampler platter, Yeah.

Speaker 2

A little taste of everything.

Speaker 1

Hopefully to entice you to go check out the book for yourself.

Speaker 2

Yeah. Okay, so let's jump in.

Speaker 1

Let's jump right in. Yeah. First one we have is this one was interesting to me just because.

Speaker 2

That the target was so unexpected, unexpected, unexpected. Yeah, a children's toy.

Speaker 1

Yeah, who would have thought?

Speaker 2

So we have the uh, it's the Pokémon Z-Ring, that's right.

Speaker 1

And this is a security researcher named Vicki Pfau who actually decided to look into this and to break it, to break it, figure out how it worked, and.

Speaker 2

See what's going on.

Speaker 1

So what's interesting about the Z-Ring is it uses ultrasonic frequencies which.

Speaker 2

Most people can't hear. Yeah, you and I probably can't hear.

Speaker 1

Yeah, we're getting old, I know, I know.

Speaker 2

And so she had to actually use special equipment like an oscilloscope to be able to see these sound waves.

Speaker 1

In an emulator to run the game and.

Speaker 2

An emulator, and so that she could really cool Yeah she could.

Speaker 1

I mean, it's just amazing to me. She went to these lengths to figure this out, but it paid off because she discovered some really interesting stuff.

Speaker 2

Yeah. So I guess kind of the first question.

Speaker 1

Like why why go to all this trouble for right?

Speaker 2

Right? Why break a kid's.

Speaker 1

To a children's toy? Yeah? What I think the you know, the answer is the same for a lot of security researchers.

Speaker 2

Curiosity. That's what drives a lot of this.

Speaker 1

It's just that curiosity of how does this thing work?

Speaker 2

Yeah? How does it work. What are its secrets?

Speaker 1

Yeah, what are its secrets?

Speaker 2

Can I control it? Can I make it do something it wasn't intended to do?

Speaker 1

Exactly? So I think for her it was kind of a personal challenge of like, yeah, okay, this thing uses sound. I want to figure out what sounds, what a secret sound it's using, and how it's doing.

Speaker 2

That, and how can I use those sound Yeah, kind of replicate that to do something else, right, exactly.

Speaker 1

So pretty cool.

Speaker 2

It is cool.

Speaker 1

Okay, So moving on to another one that I thought was really interesting and a little mind bending.

Speaker 2

This one's a little more technical.

Speaker 1

Yeah it is. This is the flush plus reload side channel attack.

Speaker 2

Wow.

Speaker 1

Yeah, So side channel attacks in general are just fascinating.

Speaker 2

Yeah, side channel attacks because.

Speaker 1

They're not what you think about when you think about like typical hacking.

Speaker 3

Right, it's not not like breaking You're not like breaking down the door, right.

Speaker 1

You're not brute forcing a password. Yeah, you're kind of like looking for these like subtle little hints that the system's giving off.

Speaker 2

Yeah, it's like eavesdropping.

Speaker 1

It is eavesdropping, rather than that's like the spycraft of hacking.

Speaker 2

Yeah exactly. That's really cool.

Speaker 1

So the flush plus reload attack. Specifically, it kind of exploits the way that modern CPUs use this shared memory space called the L3 cache. Yes, And so the idea.

Speaker 2

Is, so all the programs on your computer are sharing the space and accessing it to store data that they're using frequently. So it's like a common area.

Speaker 1

Yeah, like a whiteboard that everyone can exactly.

Speaker 2

It's like a whiteboard. And so what the attacker can do is they can basically flush a certain piece of memory from the cache.

Speaker 1

Force it out of the cache, Yeah, force it out. So it's like erasing part of the whiteboard.

Speaker 2

Yeah, erasing part of the whiteboard, and then time how long it takes.

Speaker 1

And then see how long it takes for somebody else to write in that same spot.

Speaker 2

Yeah, for another process to write to that, Because.

Speaker 1

If the victim process was using that data recently, yeah, it's going to reload it back into the cache and it's going to be faster, and that's going to be faster.

Speaker 2

And so by timing how long that takes.

Speaker 1

You can infer it. You can infer what the victim process was doing.

Speaker 2

Yeah, what data they were accessing. That's crazy, it is crazy. It's like, so you can steal data.

Speaker 1

Without even without directly accessing.

Speaker 2

It, directly accessing memory.

Speaker 1

Yeah, you're just watching. It's just like you're just watching what's happening in this shared space.

Speaker 2

You're watching the patterns of access.

Speaker 1

Exactly and inferring information from that.

Speaker 2

Yeah, that's so cool.

Speaker 1

It is cool, but also kind of scary.

Speaker 2

Well, yeah, a little bit scary because.

Speaker 1

It means that our systems are leaking information in ways that you don't even realize.

Speaker 2

Yeah, and that it's not just about like securing the memory itself. It's about securing.

Speaker 1

Like whole systems, the way everything interacts, the way everything interacts, timing, the patterns, all that stuff. That's right, Okay, it's a whole new level of security.

Speaker 2

All right. So now we're gonna jump way back in time, way back to the retro days, the retro days of the Apple II.

Speaker 1

Ah, the Apple II, classic, classic, legendary machine.

Speaker 2

Legendary machine. And we have a story here about a group of uh, some dedicated hackers, hackers that wanted to crack a particular game.

Speaker 1

They did. They wanted to play it for free, Gumball, Gumball, a classic game.

Speaker 2

It was not easy, it was those days.

Speaker 1

Yeah, they didn't have the tools and the Internet that we have today.

Speaker 2

Right, they couldn't just they couldn't just google how to do it? Google it?

Speaker 1

Yeah.

Speaker 2

So they had to figure it out themselves.

Speaker 1

So what made Gumball so hard?

Speaker 2

Well, the Apple II itself was a limited machine, had a very simple processor, not a lot of memory, right, so you had to be really clever to do anything interesting with it.

Speaker 1

So they had to really understand the system. Oh yeah, at a very low level.

Speaker 2

Intimately, you had to know it inside and out.

Speaker 1

So these two researchers, yeah, 4am and Peter Ferrie, legends really, just kind of like, yeah, painstakingly went through the code.

Speaker 2

Line by line, Yeah, trying to figure out how the protection worked. Yeah, they had to kind of learn the secret language of the game, the game's secret language.

Speaker 1

Yeah, it's like being a code breaker, you know, exactly back in the war. It's that kind of You've got this encrypted message, you've got to figure out the key.

Speaker 2

You've got to figure out the cipher, you've.

Speaker 1

Got to crack the code. And what they did, what it was doing, it's amazing.

Speaker 2

Yeah, that's pretty cool.

Speaker 1

It is cool.

Speaker 2

So I guess the.

Speaker 1

So why is the story important today?

Speaker 2

Yeah? So why is this important. You know, why should we care about you know, why does this matter to us? Some retro hackers cracking this old game on this old system.

Speaker 1

For one thing, it shows that the spirit of hacking has been around for a long time. It's not it's not a new thing. It's not like kids these days with their computers, right, this has been going on since the dawn of computing.

Speaker 2

This is like a fundamental human desire. It's about curiosity to figure out how things.

Speaker 1

Pushing the limits of what's possible.

Speaker 2

And then I think also it shows that even seemingly simple systems can have.

Speaker 1

Like the Apple, it seems simple, you can have these like hidden but.

Speaker 2

Under the hood, there's a lot of complexity, complexities in that, and if you're willing to dig deep, you can find really interesting stuff.

Speaker 1

You can find those and exploit them exactly.

Speaker 2

So it's kind of a, it's inspiring. It's inspiring, it is, it is. Yeah, okay, all right, so let's move on to something a little more modern, a little more high tech.

Speaker 1

And this is an interesting technique.

Speaker 2

Yeah, this is one of my favorites.

Speaker 1

Actually, Zero copy networking.

Speaker 2

Yeah, zero copy networking. So what is it all about?

Speaker 1

Zero copy networking.

Speaker 2

Yeah, efficiency, getting the most out of your hardware.

Speaker 1

It's kind of like in the realm of high performance, high.

Speaker 2

Performance computing, real time systems.

Speaker 1

Yeah, anything where latency matters, millisecond counts.

Speaker 2

Yeah, this is where zero copy comes in.

Speaker 1

Yeah, because traditional networking involves a lot of copying data.

Speaker 2

Yeah. So the problem that it solves is that normally when you send data over a network, right, there's a lot of copying that happened.

Speaker 1

From the CPU to the kernel, from.

Speaker 2

The CPU to the kernel, the.

Speaker 1

Kernel to the network card, the network card, all these different buffers, and all that copying takes time.

Speaker 2

It takes time, it consumes CPU cycles, and it uses resources.

Speaker 1

It slows things down. So zero copy networking.

Speaker 2

So the idea is, can we just skip all that?

Speaker 1

Can we just cut out the middle man the middle man? Let the data flow directly from the application memory straight from point A to point B to the network card. Yeah, without all those extra stops along the way.

Speaker 2

So how do they actually how do they do that? Do that?

Speaker 1

Well? It involves a few tricks. Yeah, One is using something called DMA.

Speaker 2

DMA direct memory access.

Speaker 1

Direct memory access yeah, which allows the network card to access memory right directly without going through the CPU.

Speaker 2

So the CPU can be doing other things exactly.

Speaker 1

The CPU is like, hey, network card, you handle this, You handle this.

Speaker 2

I'm busy, I've got other things to do. I'm playing a game over here.

Speaker 1

I'm rendering this video.

Speaker 2

Don't bother me. So DMA is one part of it, right. Another part is using specialized drivers, okay, like PF_RING, which are designed specifically for high performance networking. They bypass a lot of the traditional networking stacks.

Speaker 1

So they cut out all all.

Speaker 2

The layers, the bureaucracy of the networking.

Speaker 1

Stack, the unnecessary red tape.

Speaker 2

Exactly, just get the data where it needs to go. Just get the data there as fast as possible. That's the goal.

Speaker 1

So what kind of applications would this be really useful for?

Speaker 2

Oh, so many things, so many things. Think about like high frequency trading where microseconds matter, milliseconds matter. If you can shave off, right, if you can get your trade in, you can make a lot of money a few milliseconds before the other guy.

Speaker 1

Real time streaming. You don't want your video to lag.

Speaker 2

Yeah, you don't want You want it to be smooth buffering.

Speaker 1

Yeah, so any application, gaming, gaming, where you need that low latency.

Speaker 2

Where low latency is critical. So this is kind of like zero copy networking can really.

Speaker 1

Make a difference under the hood.

Speaker 2

It's the secret sauce, secret sauce that makes things fast.

Speaker 1

Yeah, that you don't see, but it's there, working its magic.

Speaker 2

It's working hard behind the scenes.

Speaker 1

That's cool.

Speaker 2

Yeah. Okay, so all right, what's next?

Speaker 1

What's next?

Speaker 2

What other cool stuff do we have on our list in this book?

Speaker 1

All right, so this one is a hardware hack.

Speaker 2

Oh, hardware hacking. This is called the... I love hardware hacking.

Speaker 1

The DIP Flip Whixr trick.

Speaker 2

DIP Flip Whixr trick. That's a mouthful, it is, but it's a really cool trick.

Speaker 1

It is a cool trick. Yeah, so uh what is it? This is from Joe.

Speaker 2

Grand, Joe Grand, the King of hardware hacking. Yeah, he's amazing.

Speaker 1

So the idea is, how do you reprogram a device without any special tools, without any special tools.

Speaker 2

Without any special... MacGyver hacking.

Speaker 1

You know you've got You're stuck on a desert island. All you've got is a paper clip and a piece of chewing gum. Yeah, and you've got to reprogram.

Speaker 2

This device, shoelace, and somehow, somehow you do it, reprogram it. That's Joe Grand, he's the master of that.

Speaker 1

So in this particular case, he is exploiting the the.

Speaker 2

FTDI chip, the FTDI chip, which is a very common chip used for USB to serial communication.

Speaker 1

Right, So if you've ever used like an Arduino or a Raspberry.

Speaker 2

Pi or any kind of embedded device, you've probably used an FTDI chip. You've probably seen it. Yeah, these little chips, they're everywhere. And so what he figured out is that there's a way.

Speaker 1

To uh reconfigure.

Speaker 2

Reconfigure the GPIO pins.

Speaker 1

The GPIO pins on the fly, on the fly, which is kind of unusual.

Speaker 2

So GPIO pins are basically like little.

Speaker 1

Switches you can turn on and off, and they could be used for all sorts of things.

Speaker 2

Yeah, they can be used to control LEDs or motors or sensors or whatever you want, all sorts of things. And so he figured out a way to reconfigure.

Speaker 1

Those, to use those pins, to use those pins, redirect the serial data, to redirect.

Speaker 2

The serial data. So instead of going to.

Speaker 1

The normal to basically reprogram the chair the device.

Speaker 2

It's going back to the FTDI.

Speaker 1

Chip, the FTDI chip itself and reprogramming it, which is so clever.

Speaker 2

It is so clever. It's like using the device's own defenses against it.

Speaker 1

Yeah, it's like turning its own power against it, exactly. And so, so how does he actually do this?

Speaker 2

The way he does this is by using specific keystrokes, Like so, if you press the right combination of keys, it.

Speaker 1

It triggers a mode switch.

Speaker 2

It triggers this mode switch in the FTDI chip. Yeah, and then suddenly the serial data is going to.

Speaker 1

The data is flowing in a different direction to the chip. Yeah, you can reprogram it.

Speaker 2

It's wild.

Speaker 1

It is wild. It's like, so what does this It's like a secret back door, yeah, into the chip.

Speaker 2

So what's the takeaway here?

Speaker 1

So what can we learn from this?

Speaker 2

Why is this important?

Speaker 1

Besides the coolness factor, besides being super cool?

Speaker 2

I mean, it's just so cool, it's super cool. Yeah, what's the practical lesson here? I think the lesson is that I think it teaches us to think outside the box.

Speaker 1

To think outside the box, and to not don't assume.

Speaker 2

That you need specialized tools.

Speaker 1

Assume that you need these to do amazing things, special... Sometimes the tools you need are right in front of you. You just have to know how to use them.

Speaker 2

Sometimes the things you have in a different way can be used for something completely different than they were intended for.

Speaker 1

It's about creativity, and that's about resourcefulness. It's about that hacker spirit, the hackers, you know, finding a way even when it seems impossible. Okay, okay, so one more, one more, one more for this segment.

Speaker 2

For this segment, and then we'll hit me with it. We'll take a break. So this one is a little bit more in the.

Speaker 1

Weeds, a little more technical.

Speaker 2

Yeah, okay, so this is about uh.

Speaker 1

Static ELF relocations.

Speaker 2

Static ELF relocations.

Speaker 1

Wow, that's a mouthful, but it's an important concept.

Speaker 2

The security implications, especially.

Speaker 1

If you're working with like low level systems. Yeah, embedded systems.

Speaker 2

ELF is the operating system kernel's Executable and Linkable Format.

Speaker 1

That's right. It's basically it's the standard format programs are for executable files on.

Speaker 2

Linux sort on Linux and any.

Speaker 1

Other Unix like systems. Yeah, so it's pretty important.

Speaker 2

And so when we talk about static ELF relocations we're talking about, uh, a statically linked binary.

Speaker 1

A statically linked binary is often seen as like a self contained unit, more secure. It's got everything it needs, than a dynamically. All the libraries are built.

Speaker 2

In linked binary.

Speaker 1

It's like a standalone program. You don't need anything else to run it.

Speaker 2

Because it's self contained. What this research show there's.

Speaker 1

A catch is that even there's always a catch, statically linked binaries can still have there's no such thing as perfect.

Speaker 2

Security vulnerabilities relating to these relocations static binaries. The idea is even though there's statically.

Speaker 1

Linked, even though they still contain relocation tables, which are basically instructions for how to load the different parts of the program into memory at run time. So even though the libraries are statically linked, there's still this there's still this table of information this function needs to be loaded at this address. Assumption this data needs to be loaded at this address.

Speaker 2

Is here, and so on, this data is here.

Speaker 1

And attackers can exploit and an attacker those relocation tables to do nasty things like shared library injection.

Speaker 2

Shared library inject.

Speaker 1

Which is a classic attack which is basically where you trick the program, picking the program into loading a malicious library loading your code instead of the legitimate one, and then your code gets executed.

Speaker 2

So that's crazy.

Speaker 1

It is crazy.

Speaker 2

Because you think it's like, okay, you think you're saying statically linked.

Speaker 1

Because you've got this statically linked binary self contained, but there's still these subtle ways that attackers can get in and mess things up.

Speaker 2

Yeah, that's so cool.

Speaker 1

It is cool, and it's a good reminder.

Speaker 2

But what does this tell us that security is hard? In general?

Speaker 1

Security is never easy, and it's not about you can't just rely on building the wall or one assumption.

Speaker 2

You have to understand the system deeply and you have to be constantly deep looking for new ways.

Speaker 1

Yeah. Attacks, it's like try to get in never ending is a never ending battle arms race, the arms race of security.

Speaker 2

Yeah, okay, all right.

Speaker 1

So that's it for this segment. So we've covered, we've covered a lot of ground, quite a bit, from hacking children's toys to cracking retro games to exploiting the intricacies of modern CPUs, children's toys. It's been a wild ride.

Speaker 2

Cracking retro games.

Speaker 1

We're gonna take a quick break the deep dark, but drink stretch.

Speaker 2

Your legs, to static binaries and.

Speaker 1

We'll be back with more amazing stuff from PoC or GTFO Volume three.

Speaker 2

We'll be right back.

Speaker 1

Stay curious, Welcome back to the deep dive.

Speaker 2

All right, so we are back back into.

Speaker 1

The depths of PoC or GTFO with.

Speaker 2

PoC or GTFO Volume three, Volume three. That's right, and we're gonna jump right into the next. Uh okay, hacker, what do we have? Interesting concept that we found.

Speaker 1

In what's next on the menu?

Speaker 2

So this one is kind of a technique. Okay, it's not really a hack.

Speaker 1

I guess it's a defensive technique.

Speaker 2

Yeah, it's a defensive technique called anti keylogging with noise. And this is from a researcher named Mike Myers.

Speaker 1

Mike Myers, Yeah he's a clever guy. So, uh, I guess first off, like, yeah, what's a keylogger? Basically, it's a piece of software, against it, that sits on your computer, yeah, and it records every keystroke you make. Yeah, so everything you type, everything you type, your passwords, yeah, your credit card numbers, yeah, all your secret love letters, your deep dark secrets, it's all being recorded.

Speaker 2

So it's basically like, why this keylogger, a digital spy.

Speaker 1

It's a digital spy that's sitting on your shoulder.

Speaker 2

And it's scary because watching everything you do, you don't know what's there.

Speaker 1

Right, you don't know it's there.

Speaker 2

It's running silently in.

Speaker 1

The background, siphoning off your data. So how do you defend against that?

Speaker 2

So how do you tough problem defend against something like that, because it's just Mike Myers came up with this idea sitting there of.

Speaker 1

Using noise to drown out the signal.

Speaker 2

So the idea is to flood.

Speaker 1

Instead of trying to prevent the keylogger from recording your keystrokes.

Speaker 2

The keylogger was so much do you.

Speaker 1

Just overwhelm it with so much, so much garbage that it can't tell, that it can't, the real keystroke, distinguish the real from the fake. So it's like, so it's like creating a smoke screen to hide your real movement.

Speaker 2

Like a digital, a digital smoke screen, smoke screen.

Speaker 1

That's a great analogy. So how do you do that? How do you generate this noise?

Speaker 2

Generate that noise?

Speaker 1

That's the tricky part. Can't be too random because then because then it's obvious, it'll be obvious that it's fake. Right, it's like somebody just banging on the keyboard. Yeah, it has to be believable.

Speaker 2

It has to sounds to sound like someone is actually typing even though it's not.

Speaker 1

Yeah, so you have to consider things like typing speed, use of the shift keys, the frequency of different letters, and all that stuff.

Speaker 2

It's like you're trying to trying to.

Speaker 1

Mimic human behavior, behavior, but without actually being human. It's all an illusion. So it's a really So it's like.

Speaker 2

You're creating a it's a challenge digital puppet.

Speaker 1

It's a challenge to create this believable noise. It's just typing gibberish.

Speaker 2

But it's effective if you can do it right. So I guess, So, what's the lesson here?

Speaker 1

Was this?

Speaker 2

What can we learn.

Speaker 1

From this tell us about security in general?

Speaker 2

I think it highlights the concept of obfuscation. Obfuscation which is basically making things harder to understand, even if you can't completely hide.

Speaker 1

Them, try to prevent the attack.

Speaker 2

Sometimes the best defense.

Speaker 1

They're just trying is to just make it so difficult, make it harder for the attacker that they give.

Speaker 2

Up to get what they want. So it's kind of.

Speaker 1

Like hiding a needle in a haystack, like hiding a needle. Make the haystack so big that nobody can find the needle that.

Speaker 2

It's just not worth the effort to try to find it.

Speaker 1

So that's obfuscation.

Speaker 2

Okay, cool, all right, all right, so what else we got?

Speaker 1

Moving on to something completely different?

Speaker 2

Okay, this one is, uh, this sounds interesting. Ethernet over GDB, Ethernet over GDB? What is that?

Speaker 1

That sounds I'm intrigued, crazy.

Speaker 2

Yeah, so break it down for me.

Speaker 1

First off, what is GDB?

Speaker 2

So? GDB is the GNU debugger. It's a tool that programmers use to analyze code, debug, to step through code line by line, to inspect various, to figure out what's going wrong, what's going on?

Speaker 1

So it's a very powerful tool for understanding how software works.

Speaker 2

So you're telling me, so we can use Micah Elizabeth Scott this debugging tool. It was a brilliant researcher.

Speaker 1

To send data over figured out a way to use GDB.

Speaker 2

How is that as a makeshift even pace?

Speaker 1

How is that even possible?

Speaker 2

It's mind blowing? Yeah, So basically, how did she do it? She figured out how to use the GDB protocol, Okay, which is the language that GDB uses basically to communicate, to send and receive network packets. So it's like.

Speaker 1

It's like speaking, a wrench, Ethernet using GDB, through GDB. It's crazy, it's like using a wrench. But why, on a nail?

Speaker 2

Why would you even.

Speaker 1

You know it's not the right tool for the job, want.

Speaker 2

To do this? But it worked, Yeah, if you know how to use it, So why go through all that trouble?

Speaker 1

Right?

Speaker 2

Why bother to use GDB to send.

Speaker 1

Imagine you're working on a tiny embedded system lacket like the woods in your car, when you could.

Speaker 2

Just use it for your smart appliances, an Ethernet cable that.

Speaker 1

Doesn't have a built in network card.

Speaker 2

Yeah right.

Speaker 1

Traditionally you wouldn't be able to get network access to that device because but with this technique, isn't you can't. You can use GDB okay to basically give it a voice on the network.

Speaker 2

So it's like giving network, giving a voice, connectivity.

Speaker 1

To these devices that were previously.

Speaker 2

Silent and these devices that were previously cut off. Next GAT, Yeah, that's pretty cool. It's pretty cool.

Speaker 1

So I guess the takeaway here is.

Speaker 2

What's the lesson that you can use.

Speaker 1

Tools in unexpected ways.

Speaker 2

I think it teaches us that limitations can breed creativity.

Speaker 1

Yeah right, Necessity is the mother.

Speaker 2

Sometimes when you're faced of invention.

Speaker 1

With a constraint, it forces you to think differently, to find a new outside that you wouldn't have thought of otherwise.

Speaker 2

The box.

Speaker 1

So it's like those escape room puzzles.

Speaker 2

Yeah, like an escape row where you have.

Speaker 1

To use everyday objects unconventional ways. You've got to solve the puzzle.

Speaker 2

You've got this thing and you have to think.

Speaker 1

Like it's like, okay, how can I how can I.

Speaker 2

Use this thing?

Speaker 1

Use this in a way it wasn't that was not intended, intended to be used to achieve my goal.

Speaker 2

Go achieve my goal.

Speaker 1

And that's what Micah Elizabeth Scott did with this Ethernet over GDB hack.

Speaker 2

That's cool. Yeah, okay, so all right, what's next?

Speaker 1

Moving on? Hit me to another vulnerability.

Speaker 2

Okay, another vulnerability.

Speaker 1

This one is, uh, where are we going now? In the Windows Control panel?

Speaker 2

The Windows Control panel? That's right, okay, everyone's familiar with that favorite thing. We've all used it to change our settings, to customize our computers.

Speaker 1

This vulnerability was discovered by a researcher, right, named Geoff Chappell, Geoff, And what did he find? He was basically digging.

Speaker 3

Indeed, he was looking into into how the how the control panel handles Control panel CPL modules, which are basically programs that add functionality to the control panel.

Speaker 2

Okay, so they're like plugins. So it's like they extend the functionality of the control.

Speaker 1

Panel, the control panel. And what he found was he.

Speaker 2

Found there's something subtle, subtle flaws in how these modules to these modules are are loaded and executed, loaded, which could potentially allow an attacker to run their.

Speaker 1

Own code, some code and disguised as one of these modules.

Speaker 2

So it's like you're sneaking in. It's like sneaking in delicious code through the back door.

Speaker 1

Disguised as a harmless plug in.

Speaker 2

That's crazy, It's pretty sneaky.

Speaker 1

So how is that even possible?

Speaker 2

How is that even possible? How do you smell?

Speaker 1

Comes down to the way that software interacts with the operating system. So it's not just.

Speaker 2

There are often a code itself, complex steps involved in loading and running a program, how it interacts, and even small errors in those steps can create opportunities for attackers. So it's like a chain reaction.

Speaker 1

Chain reaction, one weak link.

Speaker 2

One weak link can bring down the whole system.

Speaker 1

Can break the whole thing. So what is this reason?

Speaker 2

So what's the lesson here to us? What can we learn from Geoff Chappell's work, security? Yeah, I think it highlights.

Speaker 1

What's the takeaway here the importance of secure coding practices. So it's not just right you have to write good code, but you also have.

Speaker 2

To secure code carefully. Consider the entire program life cycle.

Speaker 1

From the moment it's loaded to the moment it's executed. More creatles, every step along the way has to be secure.

Speaker 2

You've got to make sure otherwise there's a potential secure.

Speaker 1

The entire way for vulnerability. So it's not just about the code itself.

Speaker 2

The whole systems is.

Speaker 1

Being secure that the code runs in.

Speaker 2

Yeah, that's yeah, it's a holistic view keep security.

Speaker 1

It's not just about it's not just one one piece, one thing, it's about the whole puzzle.

Speaker 2

Yeah all right, Okay, what's next? So we're getting close to the end here.

Speaker 1

Moving on? What else do we have to something a little bit more theoretical? Theoretical? I like theoretical.

Speaker 2

I think it's still relevant. It's important to security. Yeah, so this is about.

Speaker 1

Hit me with it.

Speaker 2

Hash function, hash function, pseudo fixed points, fixed points. Wow, that's a mouthful. That's a mouthful. All right, let's break it down off.

Speaker 1

What's a hash function?

Speaker 2

So, a hash function is a fundamental building block of cryptography, wire and security. So it's basically a function that takes some input and produces they're everywhere a fixed size output called a hash they're used for or a hash value, everything from password storage. The key property the hash functional signatures is that it's one way, meaning you can easily calculate the hash of an but you can't.

Speaker 1

It's very difficult to go backwards in other way to find the input.

Speaker 2

So and just the hash like a one way street.

Speaker 1

It's a one way function.

Speaker 2

So what does this have to do with pseudo fixed points? Pseudo fixed points you keep talking about.

Speaker 1

A pseudo fixed point is essentially a program that outputs its own hash.

Speaker 2

Value pseudo fixed points.

Speaker 1

So it's a program that can calculate. So it's a program its own fingerprint that spits out in a sense fingerprint.

Speaker 2

That's pretty weird. Yeah right, how do you even do that?

Speaker 1

Well, there are a couple of ways make a program. One way is to use a technique to that called quines. Quines. Quines, programs that can print their own source code.

Speaker 2

Okay, so it's a program.

Speaker 1

So it's like a snake that can swallow its own tail, print.

Speaker 2

Out its own code. It's a self replicating program.

Speaker 1

So it's like a program that can look.

Speaker 2

You can use that technique create a hash functions pseudo fixed point. This is me because if the program can print its own source code, it can also calculate its own hash and then output that hash as its output. So that's one way to create a pseudo fixed point. The other way is to use why should we Care fixed points, which is a more mathematical concept.

Speaker 1

Which why should we care about?

Speaker 2

But it's basically a program and hash function that could be transformed pseudo fixed points into itself a series of operations, implication program, it's this that's its.

Speaker 1

Own it's tell us in a funhouse mirror about security.

Speaker 2

Right, why is this a problem?

Speaker 1

It's a little bit trippy, Yeah, but it seems very It's a powerful technique and you can use it to create these hash function practical pseudo fixed points.

Speaker 2

Application here.

Speaker 1

Yeah, so Why is this a vulnerability?

Speaker 2

Why is this important for security? Yeah, well, can attacker.

Speaker 1

Imagine an attacker wants to bypass a security mechanism that relies on hash values, so.

Speaker 2

He's using hashes.

Speaker 1

So for example verify, Let's say you have a system that uses hashes to verify that.

Speaker 2

An attacker can create the integrity of files. One of these programs that outputs you if you download a file hash, you can calculate its hash. They can base and compare it to the hash the system that was published by the author of the file, and if the hashes.

Speaker 1

Match malicious program you know.

Speaker 2

Hasn't been tampered with legitimate, right, But so they're basically if.

Speaker 1

An attacker can create a file.

Speaker 2

Merging that has a digital fingerprint.

Speaker 1

A specific hash, they can basically.

Speaker 2

To bypass the security mechanisms.

Speaker 1

So it's like creating a fake ID for a file.

Speaker 2

Yeah.

Speaker 1

So it's like, so it looks legitimate, we think we're safe, even though it's not because we're using So that's why these pseudo fixed points are dangerous. But because they allow attackers to potentially bypass security mechanisms that rely on hash.

Speaker 2

Values, that's mind blowing.

Speaker 1

Yeah, it's a little bit mind bending, but it's important to understand because it shows that even these fundamentals, cryptographic techniques that has security, subtle weaknesses attackers can exploit.

Speaker 2

There's some way.

Speaker 4

Security is security constant arms. It's just a matter of the attackers are all ways finding it, trying to find new ways to break things, and the defenders always trying to stay one step ahead.

Speaker 1

Very cool, Yeah, it's exciting.

Speaker 2

Yeah, to challenge.

Speaker 1

Okay, keeps things interesting.

Speaker 2

So moving on, all right, what else? We got something a little more?

Speaker 1

One more for this segment?

Speaker 2

Fun?

Speaker 1

Okay, fun hit me?

Speaker 2

So this is project Okay.

Speaker 1

Let's have some fun.

Speaker 2

World video game video games. I love video games, the technical intricacies. So what kind of video games shenanigans are we talking about here? Of hash collisions, religions, and it's called I like where this is going. MD5 NES, the MD5 NES polyglot.

Speaker 1

I know that sounds amazing.

Speaker 2

Is that crazy?

Speaker 1

Break it down for me? So what in the world?

Speaker 2

What is a polyglot?

Speaker 1

Is an MD5 NES polyglot?

Speaker 2

Well, in this context sounds like something alot is a file doctor that is valid in multiple formats. So in this case we have a file that is the file valid NES ROM, which just that games are stored in on the Nintendo Entertainment System. And that's also a valid PDF document, so you can open it up.

Speaker 1

Host speaker, Welcome back everyone to the final part of our deep Dive into PoC or GTFO Volume three.

Speaker 2

It's been quite a journey, it has been. We've seen some amazing stuff we have, from hardware hacking to software exploitation.

Speaker 1

Yeah, from the very low level to the very high level, it's all connected.

Speaker 2

Well, come step up with a few more a few more gems from the book, interesting things, okay that we found in the book. What do we got?

Speaker 1

So, this first one is a cracking story, a game. And this is a Sega Genesis.

Speaker 2

Game, Oh Sega Genesis called Pier Solar and the Great Architects. Pier Solar.

Speaker 1

I don't know if you've ever heard of this game.

Speaker 2

I have heard of this game. It's a classic, a homebrew RPG. Homebrew, that's right.

Speaker 1

So it wasn't like that.

Speaker 2

It wasn't like an official and officially released.

Speaker 1

It was made by independent developers.

Speaker 2

It was actually cool. We at least way after the Genesis, way after the Genesis was even popular popular, so so they were really pushing the limits.

Speaker 1

They were really what the hardware could do, pushing the limits of the hardware.

Speaker 2

Yeah, and really impressive game.

Speaker 1

The copy protection was a cracking it, tough, was no easy feat.

Speaker 2

So how did they do it?

Speaker 1

How did they actually crack this?

Speaker 2

Yeah? What were the challenging game?

Speaker 1

Well, first of all, they had to figure out how to.

Speaker 2

Yeah, how do you even get the code? Get the code off a cartridge?

Speaker 1

With the cartridge right, we're not.

Speaker 2

Talking about like downloading a ROM file talking about from the internet, the physical cartridge. This is a physical cartridge.

Speaker 1

So they had to So you have to find a way somehow to dump the ROM data from the cartridge off of it.

Speaker 2

Which is a challenge in itself, but they figured it out.

Speaker 1

They were able to do that.

Speaker 2

They did and then thanks and now they got the code. They had a code. But then they had to actually do you crack it? That's the secret it worked? Yeah, so they had to so they had to dive in this assembly can dive into the assembly code, the.

Speaker 1

Ones and zeros, the machine language, get it understand, trying to figure out what it was doing, how.

Speaker 2

It worked, and specifically.

Speaker 1

Where's the copy protection?

Speaker 2

Copy protection? What does it work? Mechanism work, So it's like detective work. This is like detective work.

Speaker 1

You're following the clues, trying to piece together the puzzle of how this game is protecting itself.

Speaker 2

The execution paths. Yeah, trying to figure out.

Speaker 1

It's really challenging.

Speaker 2

Okay, when does it get But they were up to the task protection they were. It happens if they had the skills, and the determination what happens if it succeeds to crack this game, and they had to kind of like saw that together.

Speaker 1

It's amazing.

Speaker 2

It's out of work compressive that goes into something like this of reverse engineering is a testament. So I guess the takeaway here to their skill.

Speaker 1

And their dedication, you know, even something. So what's the lesson here? Can we learn relatively simple from these hackers, like.

Speaker 2

A video game actually very complex, that even seemingly systems can have incredible depth skills of knowledge, and that cracking them requires a unique blend engineer of technical skill, creativity, and perseverance.

Speaker 1

So it's not just about it's about thinking outside the.

Speaker 2

Box, thinking outside the box, and not giving up when things get tough.

Speaker 1

Yeah, because and I think that's something that.

Speaker 2

Cracking something like this, we see it takes a lot of patience.

Speaker 1

Throughout a lot of trial and error this book and a lot of just banging your head against the wall that these research sometimes until you finally breakthrough.

Speaker 2

Yeah, so they're not afraid to it's inspiring. Just keep trying it is.

Speaker 1

It's a good lesson for life in general, I think the answer. Yeah, Okay, all right, so what's next?

Speaker 2

So moving on what other hacking adventures to something a little bit more.

Speaker 1

What we have in store?

Speaker 2

Low level, A low level. This is about uh.

Speaker 1

Getting down to the bits and bytes.

Speaker 2

Writing secure a right, I like get code for our RISC-V architecture, RISC-V.

Speaker 1

That's a hot topic these days.

Speaker 2

RISC-V is a relatively.

Speaker 1

It's a new processor architecture architecture. It's gaining a lot of popularity.

Speaker 2

It's open source.

Speaker 1

Because it's open source.

Speaker 3

It's gaining very flexible, a lot of traction, a lot of potential industries.

Speaker 2

Yeah, and so so why is secure coding the challenge here is important for RISC-V?

Speaker 1

Okay, Well, just like any other processor architecture, RISC-V has its own unique.

Speaker 2

Core instructions registers not careful. You can introduce vulnerability being a new language into your code. Yeah, except if you make.

Speaker 1

A grammatical But the stakes are higher because if you make a mistake of security vulnerability to exploit.

Speaker 2

It, take over your system to steal your data. Don Bailey.

Speaker 1

All sorts of bad things really took. So secure coding is crucial for any RISC-V processor architecture code development, but especially for a new one. First off, like RISC-V is because we're still learning someone.

Speaker 2

Out the potential pitfalls.

Speaker 1

Yeah, why is it important?

Speaker 2

We're still discovering new vulnerability.

Speaker 1

Shell code is basically a small piece.

Speaker 2

Of shell code. Shell code is basically a small piece of code that's a designed to exploit a vulnerability to the system. So it's often used as part of an exploit. So let's say you find a vulnerability in the program. You can write some.

Speaker 1

Shell code deep understanding that.

Speaker 2

Will take advantage of that vulnerability and give you control of the system. So it's a very powerful technique.

Speaker 1

In this case, they had to. It's also very dangerous.

Speaker 2

Because if it falls into the wrong hands RISC-V whisperer, So you have to be very careful.

Speaker 1

The architectures.

Speaker 2

When you're writing shell code.

Speaker 1

The deepest secrets, you.

Speaker 2

Have to make sure that it's not going to secure shellcode do anything unintended.

Speaker 1

So he had the master do you want.

Speaker 2

To accidentally crash the system or instruction?

Speaker 1

The register calling conventions give.

Speaker 2

The attacker more control than you intended. So it's a delicate balance between the power and syntax of a new language.

Speaker 1

It's a challenging field, but it's also very rewarding.

Speaker 2

Much higher stakes if you can do it right. Yeah, so because if you miss what.

Speaker 1

Can we learn from Don Bailey's.

Speaker 2

Work A security hole? I think it shows the challenges of adapting security practices to new and emerging technologies.

Speaker 1

So what does this tell us as we security.

Speaker 2

In general push the boundaries of computing.

Speaker 1

What's the lesson here? We need to make sure a highlight the doors wide open attack.

Speaker 2

An ongoing process. We can't just assume one thing is new technology that.

Speaker 1

It's automatically secure.

Speaker 2

We need to evolve ourselves talking about security.

Speaker 1

From the ground up. We have to design our systems with security in mind.

Speaker 2

Building a new house from the.

Speaker 1

Very beginning, you want.

Speaker 2

To you want to building a house, It structurally sounds on a solid foundation and secure.

Speaker 1

From the ground up.

Speaker 2

From the ground up.

Speaker 1

To start thinking about reinforcements until.

Speaker 2

You have to think about it from.

Speaker 1

The start caves in to start.

Speaker 2

That's a great analogy thinking about reinforcements. So that's what this PoC or GTFO I think that's all about.

Speaker 1

It's about proactively identifying and mitigating identifying these vulnerabilities. It's not just about finding the vulnerabilities, it's also about.

Speaker 2

How to fix them, how to mitigate them, building a more sharing that knowledge community.

Speaker 1

With the community.

Speaker 2

It's not just about sharing knowledge finding the.

Speaker 1

Problem to make the world a safer place. It's a noble.

Speaker 2

Goal and I think that's what's really inspiring. We need more people about this book like that in the world. A celebration of human curiosity. We're willing to share their knowledge ingenuity and it feels celebration.

Speaker 1

Yeah. It's a great community to be a part of our collaboration and this book is a great example of that.

Speaker 2

And it's a reminder that we all have a role to play for.

Speaker 1

Our deep dive into PoC or GTFO Volume three Technology. I hope you enjoyed it. I hope you learn.

Speaker 2

Something and more securely for everyone.

Speaker 1

It's inspired you.

Speaker 2

Yeah, so go out there.

Speaker 1

That's a wrap and hack something a deep dive responsibly of course.

Speaker 2

Yeah. And to PoC or GTFO.

Speaker 1

Stay safe, Volume three, Stay Curious.

Speaker 2

We hope you enjoyed it.

Speaker 1

We'll see you next time for another deep dive into the world.

Speaker 2

Of security research.

Speaker 1

To keep hacking, hacking, keep learning, keep learning and pushing the boundaries.

Speaker 2

Pushing the possible until next time of what's possible.

Speaker 1

Stay curious and stay secure.

Speaker 2

Stay curious, all right, and stay secure and stay
