├── 2017
│   ├── 00_matefest-infofest-ub
│   │   ├── README.md
│   │   └── slides.pdf
│   └── 01_hackday-udg
│       ├── README.md
│       ├── slides.pdf
│       └── stego_challenge
│           ├── hint.pdf
│           └── pic.jpg
├── 2018
│   ├── 00_hackday-udg
│   │   ├── README.md
│   │   └── slides.pdf
│   ├── 01_rootedcon
│   │   ├── README.md
│   │   └── slides.pdf
│   ├── 02_noconname-lab
│   │   ├── IOLI-crackme
│   │   │   ├── README.txt
│   │   │   ├── bin-linux
│   │   │   │   ├── crackme0x00
│   │   │   │   ├── crackme0x01
│   │   │   │   ├── crackme0x02
│   │   │   │   ├── crackme0x03
│   │   │   │   ├── crackme0x04
│   │   │   │   ├── crackme0x05
│   │   │   │   ├── crackme0x06
│   │   │   │   ├── crackme0x07
│   │   │   │   ├── crackme0x08
│   │   │   │   ├── crackme0x09
│   │   │   │   └── test
│   │   │   ├── bin-pocketPC
│   │   │   │   ├── crackme0x00.arm.exe
│   │   │   │   ├── crackme0x01.arm.exe
│   │   │   │   ├── crackme0x02.arm.exe
│   │   │   │   ├── crackme0x03.arm.exe
│   │   │   │   ├── crackme0x04.arm.exe
│   │   │   │   ├── crackme0x05.arm.exe
│   │   │   │   ├── crackme0x06.arm.exe
│   │   │   │   ├── crackme0x07.arm.exe
│   │   │   │   ├── crackme0x08.arm.exe
│   │   │   │   └── crackme0x09.arm.exe
│   │   │   └── bin-win32
│   │   │       ├── crackme0x00.exe
│   │   │       ├── crackme0x01.exe
│   │   │       ├── crackme0x02.exe
│   │   │       ├── crackme0x03.exe
│   │   │       ├── crackme0x04.exe
│   │   │       ├── crackme0x05.exe
│   │   │       ├── crackme0x06.exe
│   │   │       ├── crackme0x07.exe
│   │   │       ├── crackme0x08.exe
│   │   │       └── crackme0x09.exe
│   │   ├── README.md
│   │   └── slides.pdf
│   ├── 03_overdriveconference
│   │   ├── README.md
│   │   └── slides.pdf
│   └── 04_r2con
│       ├── README.md
│       └── slides.pdf
├── 2019
│   ├── 00_overdriveconference
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── cheat.txt
│   │   │   ├── eilam
│   │   │   │   ├── Defender.exe
│   │   │   │   └── decrypt.py
│   │   │   └── ioli
│   │   │       ├── crackme0x02
│   │   │       └── crackme0x03
│   │   ├── slides.odp
│   │   └── slides.pdf
│   ├── 01_hackinthebox-ams
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── cheat.txt
│   │   │   ├── eilam
│   │   │   │   ├── Defender.exe
│   │   │   │   └── decrypt.py
│   │   │   ├── ioli
│   │   │   │   └── crackme0x02
│   │   │   └── r2frida
│   │   │       ├── counter
│   │   │       └── counter.c
│   │   ├── slides.odp
│   │   └── slides.pdf
│   └── 02_r2con
│       ├── README.md
│       ├── demos
│       │   ├── cheat.txt
│       │   ├── eilam
│       │   │   ├── Defender.exe
│       │   │   └── decrypt
│       │   └── ioli
│       │       ├── crackme0x02
│       │       └── crackme0x03
│       ├── slides.odp
│       └── slides.pdf
├── 2020
│   ├── 00_h-c0n
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── eilam
│   │   │   │   ├── Defender.exe
│   │   │   │   └── decrypt
│   │   │   ├── overlong
│   │   │   │   ├── FlareOn6_Challenge2_Solution_Overlong.pdf
│   │   │   │   ├── Message.txt
│   │   │   │   └── Overlong.exe
│   │   │   └── r2frida
│   │   │       ├── counter
│   │   │       └── counter.c
│   │   ├── install.sh
│   │   ├── pract
│   │   │   ├── ioli
│   │   │   │   ├── crackme0x00
│   │   │   │   ├── crackme0x01
│   │   │   │   ├── crackme0x02
│   │   │   │   ├── crackme0x03
│   │   │   │   ├── crackme0x04
│   │   │   │   ├── crackme0x05
│   │   │   │   ├── crackme0x06
│   │   │   │   ├── crackme0x07
│   │   │   │   ├── crackme0x08
│   │   │   │   └── crackme0x09
│   │   │   └── sonda
│   │   │       └── sonda
│   │   ├── slides.odp
│   │   └── slides.pdf
│   ├── 01_ruhrsec
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── eilam
│   │   │   │   ├── Defender.exe
│   │   │   │   └── decrypt
│   │   │   ├── ioli
│   │   │   │   └── crackme0x02
│   │   │   └── sonda
│   │   │       ├── brute_magic.py
│   │   │       └── sonda
│   │   ├── slides.odp
│   │   └── slides.pdf
│   └── 02_hackinthebox-sin
│       ├── README.md
│       ├── slides.odp
│       └── slides.pdf
├── 2021
│   └── 00_intent
│       ├── README.md
│       ├── demos
│       │   ├── check_mba.c
│       │   ├── check_mba.py
│       │   ├── check_oc.c
│       │   ├── check_oc.py
│       │   ├── check_poly.c
│       │   ├── check_poly.py
│       │   ├── create_oc.py
│       │   ├── eq.py
│       │   ├── linear_mba.c
│       │   └── prove.py
│       └── slides.pdf
├── 2022
│   ├── 00_h-c0n
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── check_mba.c
│   │   │   ├── check_mba.py
│   │   │   ├── check_oc.c
│   │   │   ├── check_oc.py
│   │   │   ├── check_poly.c
│   │   │   ├── check_poly.py
│   │   │   ├── create_oc.py
│   │   │   ├── eq.py
│   │   │   ├── linear_mba.c
│   │   │   └── prove.py
│   │   └── slides.pdf
│   ├── 01_r0-workshop
│   │   ├── Dockerfile
│   │   ├── README.md
│   │   ├── install.txt
│   │   ├── slides.pdf
│   │   └── src
│   │       ├── r0-workshop.ipynb
│   │       ├── scramble1
│   │       ├── scramble1.c
│   │       ├── scramble2
│   │       ├── scramble2.c
│   │       ├── scramble3
│   │       ├── scramble3.c
│   │       ├── scramble4
│   │       └── scramble4.c
│   └── 02_hackinthebox-sin
│       ├── README.md
│       ├── demos
│       │   ├── check_mba.c
│       │   ├── check_mba.py
│       │   ├── check_oc.c
│       │   ├── check_oc.py
│       │   ├── check_poly.c
│       │   ├── check_poly.py
│       │   ├── create_oc.py
│       │   ├── eq.py
│       │   ├── linear_mba.c
│       │   └── prove.py
│       ├── live
│       │   ├── predicates.txt
│       │   ├── rules.txt
│       │   ├── vm
│       │   ├── vm.c
│       │   ├── vm_obf
│       │   ├── vm_obf.c
│       │   ├── xor
│       │   ├── xor.c
│       │   ├── xor_op_pred
│       │   └── xor_op_pred.c
│       └── slides.pdf
├── 2023
│   ├── 00_h-c0n
│   │   ├── Dockerfile
│   │   ├── INSTALL.txt
│   │   ├── README.md
│   │   └── src
│   │       ├── scramble1
│   │       ├── scramble1.c
│   │       ├── scramble2
│   │       ├── scramble2.c
│   │       ├── scramble3
│   │       ├── scramble3.c
│   │       ├── scramble4
│   │       ├── scramble4.c
│   │       └── workshop.ipynb
│   ├── 01_rootedcon
│   │   ├── README.md
│   │   └── slides.pdf
│   ├── 02_euskalhack
│   │   ├── README.md
│   │   ├── demos
│   │   │   ├── example
│   │   │   │   ├── example.asm
│   │   │   │   └── example.o
│   │   │   ├── fuzz
│   │   │   │   ├── afl-build
│   │   │   │   │   └── fuzz
│   │   │   │   ├── cheatsheet.txt
│   │   │   │   ├── crash
│   │   │   │   ├── fuzz
│   │   │   │   ├── fuzz.c
│   │   │   │   └── symcc-build
│   │   │   │       └── fuzz
│   │   │   └── opaque
│   │   │       ├── XTunnel.bin
│   │   │       └── XTunnel_patched.bin
│   │   └── slides.pdf
│   └── 03_navajanegra
│       ├── README.md
│       ├── demos
│       │   ├── example
│       │   │   ├── example.asm
│       │   │   └── example.o
│       │   ├── fuzz
│       │   │   ├── afl-build
│       │   │   │   └── fuzz
│       │   │   ├── crash
│       │   │   ├── fuzz
│       │   │   ├── fuzz.c
│       │   │   ├── in
│       │   │   │   └── seed
│       │   │   ├── out
│       │   │   │   ├── afl-master
│       │   │   │   │   ├── .synced
│       │   │   │   │   │   ├── afl-secondary
│       │   │   │   │   │   ├── afl-secondary.last
│       │   │   │   │   │   ├── symcc
│       │   │   │   │   │   └── symcc.last
│       │   │   │   │   ├── cmdline
│       │   │   │   │   ├── crashes
│       │   │   │   │   │   ├── README.txt
│       │   │   │   │   │   └── id000000,sig08,src000010,time34760,execs138682,ophavoc,rep2
│       │   │   │   │   ├── fuzz_bitmap
│       │   │   │   │   ├── fuzzer_setup
│       │   │   │   │   ├── fuzzer_stats
│       │   │   │   │   ├── plot_data
│       │   │   │   │   └── queue
│       │   │   │   │       ├── .state
│       │   │   │   │       │   └── redundant_edges
│       │   │   │   │       │       ├── id000000,time0,execs0,origseed
│       │   │   │   │       │       ├── id000001,src000000,time1,execs10,ophavoc,rep16
│       │   │   │   │       │       ├── id000002,src000000,time3,execs18,ophavoc,rep16
│       │   │   │   │       │       ├── id000003,src000000,time5,execs26,ophavoc,rep8
│       │   │   │   │       │       ├── id000006,src000000,time12,execs54,ophavoc,rep2
│       │   │   │   │       │       ├── id000007,src000000,time14,execs64,ophavoc,rep16
│       │   │   │   │       │       ├── id000008,src000000,time25,execs108,ophavoc,rep16
│       │   │   │   │       │       └── id000009,src000000+000004,time4215,execs17635,opsplice,rep16
│       │   │   │   │       ├── id000000,time0,execs0,origseed
│       │   │   │   │       ├── id000001,src000000,time1,execs10,ophavoc,rep16
│       │   │   │   │       ├── id000002,src000000,time3,execs18,ophavoc,rep16
│       │   │   │   │       ├── id000003,src000000,time5,execs26,ophavoc,rep8
│       │   │   │   │       ├── id000004,src000000,time8,execs35,ophavoc,rep16,+cov
│       │   │   │   │       ├── id000005,src000000,time10,execs45,ophavoc,rep4
│       │   │   │   │       ├── id000006,src000000,time12,execs54,ophavoc,rep2
│       │   │   │   │       ├── id000007,src000000,time14,execs64,ophavoc,rep16
│       │   │   │   │       ├── id000008,src000000,time25,execs108,ophavoc,rep16
│       │   │   │   │       ├── id000009,src000000+000004,time4215,execs17635,opsplice,rep16
│       │   │   │   │       └── id000010,syncsymcc,src000004,+cov
│       │   │   │   ├── afl-secondary
│       │   │   │   │   ├── .synced
│       │   │   │   │   │   ├── afl-master
│       │   │   │   │   │   └── afl-master.last
│       │   │   │   │   ├── cmdline
│       │   │   │   │   ├── crashes
│       │   │   │   │   │   ├── README.txt
│       │   │   │   │   │   └── id000000,sig08,src000011,time25520,execs100255,ophavoc,rep2
│       │   │   │   │   ├── fuzz_bitmap
│       │   │   │   │   ├── fuzzer_setup
│       │   │   │   │   ├── fuzzer_stats
│       │   │   │   │   ├── plot_data
│       │   │   │   │   └── queue
│       │   │   │   │       ├── .state
│       │   │   │   │       │   └── redundant_edges
│       │   │   │   │       │       ├── id000000,time0,execs0,origseed
│       │   │   │   │       │       ├── id000001,src000000,time2,execs11,ophavoc,rep8
│       │   │   │   │       │       ├── id000002,src000000,time4,execs19,ophavoc,rep16
│       │   │   │   │       │       ├── id000003,src000000,time6,execs27,ophavoc,rep16
│       │   │   │   │       │       ├── id000004,src000000,time8,execs36,ophavoc,rep16
│       │   │   │   │       │       ├── id000006,src000000,time13,execs53,ophavoc,rep8
│       │   │   │   │       │       ├── id000007,src000000,time15,execs62,ophavoc,rep16
│       │   │   │   │       │       ├── id000009,src000000,time24,execs101,ophavoc,rep8
│       │   │   │   │       │       └── id000010,syncafl-master,src000009
│       │   │   │   │       ├── id000000,time0,execs0,origseed
│       │   │   │   │       ├── id000001,src000000,time2,execs11,ophavoc,rep8
│       │   │   │   │       ├── id000002,src000000,time4,execs19,ophavoc,rep16
│       │   │   │   │       ├── id000003,src000000,time6,execs27,ophavoc,rep16
│       │   │   │   │       ├── id000004,src000000,time8,execs36,ophavoc,rep16
│       │   │   │   │       ├── id000005,src000000,time11,execs45,ophavoc,rep16
│       │   │   │   │       ├── id000006,src000000,time13,execs53,ophavoc,rep8
│       │   │   │   │       ├── id000007,src000000,time15,execs62,ophavoc,rep16
│       │   │   │   │       ├── id000008,src000000,time18,execs76,ophavoc,rep4,+cov
│       │   │   │   │       ├── id000009,src000000,time24,execs101,ophavoc,rep8
│       │   │   │   │       ├── id000010,syncafl-master,src000009
│       │   │   │   │       └── id000011,syncafl-master,src000010,+cov
│       │   │   │   └── symcc
│       │   │   │       ├── .cur_input
│       │   │   │       ├── bitmap
│       │   │   │       ├── queue
│       │   │   │       │   ├── id000000,src000008
│       │   │   │       │   ├── id000001,src000008
│       │   │   │       │   ├── id000002,src000008
│       │   │   │       │   ├── id000003,src000008
│       │   │   │       │   ├── id000004,src000000
│       │   │   │       │   ├── id000005,src000001
│       │   │   │       │   └── id000006,src000010
│       │   │   │       └── stats
│       │   │   └── symcc-build
│       │   │       └── fuzz
│       │   └── opaque
│       │       ├── XTunnel.bin
│       │       ├── XTunnel_patched.bin
│       │       └── clean.py
│       └── slides.pdf
├── 2024
│   ├── 00_bar
│   │   ├── README.md
│   │   ├── paper.pdf
│   │   └── slides.pdf
│   └── 01_euskalhack
│       ├── Dockerfile
│       ├── INSTALL.txt
│       ├── README.md
│       ├── slides.pdf
│       └── workshop
│           ├── bin
│           │   ├── scramble1
│           │   ├── scramble2
│           │   ├── scramble3
│           │   └── scramble4
│           └── workshop.ipynb
├── 2025
│   └── 00_ringzer0
│       ├── Dockerfile
│       ├── INSTALL.txt
│       ├── README.md
│       ├── slides.pdf
│       └── workshop
│           ├── bin
│           │   ├── scramble1
│           │   ├── scramble2
│           │   ├── scramble3
│           │   └── scramble4
│           └── workshop.ipynb
├── .gitignore
├── LICENSE.md
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.ipynb_checkpoints
--------------------------------------------------------------------------------

/2017/00_matefest-infofest-ub/README.md:
--------------------------------------------------------------------------------
# Auditing WiFi networks

Slides for the workshop "Auditing WiFi networks" by [@HackingLliure](https://twitter.com/HackingLliure) during matefest-infofest 2017 at the University of Barcelona.
--------------------------------------------------------------------------------

/2017/00_matefest-infofest-ub/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2017/00_matefest-infofest-ub/slides.pdf
--------------------------------------------------------------------------------

/2017/01_hackday-udg/README.md:
--------------------------------------------------------------------------------
# Introduction to RE and stego using r2

Slides and resources for the workshop "Introduction to RE and stego using r2" by [@HackingLliure](https://twitter.com/HackingLliure) on December 2nd, 2017, during the HackDay at the University of Girona.

Unfortunately, there is no video recording available.
--------------------------------------------------------------------------------

/2017/01_hackday-udg/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2017/01_hackday-udg/slides.pdf
--------------------------------------------------------------------------------

/2017/01_hackday-udg/stego_challenge/hint.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2017/01_hackday-udg/stego_challenge/hint.pdf
--------------------------------------------------------------------------------

/2017/01_hackday-udg/stego_challenge/pic.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2017/01_hackday-udg/stego_challenge/pic.jpg
--------------------------------------------------------------------------------

/2018/00_hackday-udg/README.md:
--------------------------------------------------------------------------------
# IoT, S stands for security

Slides for the talk "IoT, S stands for security" by [@HackingLliure](https://twitter.com/HackingLliure) on February 17th, 2018, during the HackDay at the University of Girona.

Unfortunately, there is no video recording available.
--------------------------------------------------------------------------------

/2018/00_hackday-udg/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/00_hackday-udg/slides.pdf
--------------------------------------------------------------------------------

/2018/01_rootedcon/README.md:
--------------------------------------------------------------------------------
# Hacking tokens: a massive POC

Slides for the talk "Hacking tokens: a massive POC" I gave during RootedCON 2018.

Find video recording here: [ES](https://www.youtube.com/watch?v=IRwxOooQVZY) | [EN](https://www.youtube.com/watch?v=a2R1hx3fhB8)
--------------------------------------------------------------------------------

/2018/01_rootedcon/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/01_rootedcon/slides.pdf
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/README.txt:
--------------------------------------------------------------------------------
======================= IOLI CRACKME v1.2 by pof =======================

[Goal]
Crack the executable files to accept any password


[Hints]
Level 0x00: strings is your friend
Level 0x01: 5274
Level 0x02: ((10*9)+(123*4))^2
Level 0x03: same password as in level 0x02
Level 0x04: 9+6=15 - try 69
Level 0x05: 9+7=16 but one is not enough - try 970
Level 0x06: same algorithm as in 5, but envp LOLO=1
Level 0x07: if you find this level too difficult, try the next
            one and then come back
Level 0x08: same algorithm as in 0x06


[Tools]
strings
    Displays printable strings in files
    included in all linux distributions
    http://sources.redhat.com/binutils/

HT Editor
    File editor/viewer/analyzer for executables.
    sudo apt-get install ht
    http://hte.sourceforge.net/

radare
    Complete toolchain for working with binary files
    http://radare.nopcode.org/

IDA Pro
    Interactive multi-processor disassembler and debugger
    http://www.datarescue.com/idabase/

========================================================================
[EOF]
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x00:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x00
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x01:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x01
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x02
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x03:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x03
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x04:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x04
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x05:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x05
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x06:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x06
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x07:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x07
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x08:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x08
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x09:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/crackme0x09
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-linux/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-linux/test
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x00.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x00.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x01.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x01.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x02.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x02.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x03.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x03.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x04.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x04.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x05.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x05.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x06.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x06.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x07.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x07.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x08.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x08.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x09.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-pocketPC/crackme0x09.arm.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x00.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x00.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x01.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x01.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x02.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x02.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x03.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x03.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x04.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x04.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x05.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x05.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x06.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x06.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x07.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x07.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x08.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x08.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x09.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/IOLI-crackme/bin-win32/crackme0x09.exe
--------------------------------------------------------------------------------

/2018/02_noconname-lab/README.md:
--------------------------------------------------------------------------------
# Brief introduction to reverse engineering using radare2

Slides and resources for the talk "Brief introduction to reverse engineering using radare2" I gave at NcNLabs event.

Find video (ES audio) here: https://vimeo.com/267633324
--------------------------------------------------------------------------------

/2018/02_noconname-lab/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/02_noconname-lab/slides.pdf
--------------------------------------------------------------------------------

/2018/03_overdriveconference/README.md:
--------------------------------------------------------------------------------
# Playing with binary formats

Slides for the talk "Playing with binary formats" I gave during Overdrive Conference 2018.

Unfortunately, there is no video recording available.
--------------------------------------------------------------------------------

/2018/03_overdriveconference/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/03_overdriveconference/slides.pdf
--------------------------------------------------------------------------------

/2018/04_r2con/README.md:
--------------------------------------------------------------------------------
# Overcoming fear: reversing with radare2

Slides for the talk "Introducing radare2 for humans" I gave during r2con 2018.

Find video recording here: https://www.youtube.com/watch?v=ARH1S8ygDnk
--------------------------------------------------------------------------------

/2018/04_r2con/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2018/04_r2con/slides.pdf
--------------------------------------------------------------------------------

/2019/00_overdriveconference/README.md:
--------------------------------------------------------------------------------
# Stack machines unchained: code emulation with ESIL
Slides and resources for the talk "Stack machines unchained: code emulation with ESIL" I gave during Overdrive Conference 2019.

Unfortunately, there is no recording available, but you might want to check out my other (recorded) talks covering this topic:

- [HITB SecConf Amsterdam (2019)](../01_hackinthebox-ams/)
- [r2con (2019)](../02_r2con/)
--------------------------------------------------------------------------------

/2019/00_overdriveconference/demos/cheat.txt:
--------------------------------------------------------------------------------
IOLI
======

cd talks/overdrive2019/demos/ioli
r2 crackme0x02

aaa
pdf @ main
s 0x0804842b
aeim
(aer)
aeip
(aer)
aesu 0x0804844e
pf d @ ebp-0xc

---
ENCRYPTED CODE
======

cd talks/overdrive2019/demos/eilam
r2 Defender.exe

aaa
afl
s fcn.004033d1
pdf
# show push, pop, jmp at the end and next instructions as encrypted
pd 20 @ 0x004034d5
e io.cache = 1
aeim
aeip
aer
aesu 0x004034db
pd 20
--------------------------------------------------------------------------------

/2019/00_overdriveconference/demos/eilam/Defender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/00_overdriveconference/demos/eilam/Defender.exe
--------------------------------------------------------------------------------

/2019/00_overdriveconference/demos/eilam/decrypt.py:
--------------------------------------------------------------------------------
import r2pipe

r2 = r2pipe.open("Defender.exe")
r2.cmd("aaa")                # analyze all (functions, xrefs, ...)
r2.cmd("s fcn.004033d1")     # seek to the function holding the decryption stub
r2.cmd("e io.cache = 1")     # keep emulated writes in memory; do not touch the file on disk
r2.cmd("aeim")               # initialize the ESIL VM stack
r2.cmd("aeip")               # set the ESIL program counter to the current seek
r2.cmd("aesu 0x004034db")    # emulate until the address right after the decryption loop
--------------------------------------------------------------------------------

/2019/00_overdriveconference/demos/ioli/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/00_overdriveconference/demos/ioli/crackme0x02
--------------------------------------------------------------------------------

/2019/00_overdriveconference/demos/ioli/crackme0x03:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/00_overdriveconference/demos/ioli/crackme0x03
--------------------------------------------------------------------------------

/2019/00_overdriveconference/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/00_overdriveconference/slides.odp
--------------------------------------------------------------------------------

/2019/00_overdriveconference/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/00_overdriveconference/slides.pdf
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/README.md:
--------------------------------------------------------------------------------
# Overcoming fear: reversing with radare2

Slides and resources for the lab "Overcoming fear: reversing with radare2" I gave during HITB SecConf Amsterdam 2019.

Find video recording here: https://www.youtube.com/watch?v=317dNavABKo
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/cheat.txt:
--------------------------------------------------------------------------------
======
IOLI
======

cd talks/hitb2019/demos/ioli
r2 crackme0x02

aaa
pdf @ main
s 0x0804842b
aeim
(aer)
aeip
(aer)
aesu 0x0804844e
pf d @ ebp-0xc

======
EILAM
======

cd talks/hitb2019/demos/eilam
r2 Defender.exe

aaa
afl
s fcn.004033d1
pdf
# show push, pop, jmp at the end and next instructions as encrypted
pd 20 @ 0x004034d5
e io.cache = 1
aeim
aeip
aer
aesu 0x004034db
pd 20

=====
r2frida
=====

cd talks/hitb2019/demos/r2frida
# term1
./counter
# term2
sudo r2 frida://counter

\?                    # r2frida command help
\ie                   # entrypoint of the attached process
s 0x5605a414416a      # address observed in that session (PIE binary: it changes per run)
pd 20
V                     # visual mode
p                     # cycle print modes
c                     # cursor mode, to select the bytes to patch
# change no 1 (sleep) at "0x5605a414418f 1 bf01000000 mov edi, 1"
# change no 1 (inc) at "0x5605a4144199 8345fc01 add dword [rbp - 4], 1"
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/eilam/Defender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/01_hackinthebox-ams/demos/eilam/Defender.exe
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/eilam/decrypt.py:
--------------------------------------------------------------------------------
import r2pipe

# Emulate Defender.exe's self-decrypting routine with ESIL and show the result.
r2 = r2pipe.open("Defender.exe")
r2.cmd("aaa")                 # analyze the binary
r2.cmd("s fcn.004033d1")      # seek to the decryption routine
r2.cmd("e io.cache = 1")      # keep emulated writes in memory, never in the file
r2.cmd("aeim")                # initialize ESIL VM memory and registers
r2.cmd("aeip")                # point the ESIL program counter at the current seek
r2.cmd("aesu 0x004034db")     # emulate until the decryption loop has finished
print(r2.cmd("pd 20"))        # disassemble the now-decrypted instructions
r2.quit()
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/ioli/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/01_hackinthebox-ams/demos/ioli/crackme0x02
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/r2frida/counter:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/01_hackinthebox-ams/demos/r2frida/counter
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/demos/r2frida/counter.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <unistd.h>

/* Target for the r2frida demo: prints and increments a counter once per second,
 * so patching the sleep argument or the increment is visible immediately. */
int main() {
    int x = 0;
    while(1) {
        printf("%d HITBAMS2019\n", x);
        sleep(1);
        x++;
    }
    return 0;
}
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/01_hackinthebox-ams/slides.odp
--------------------------------------------------------------------------------
/2019/01_hackinthebox-ams/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/01_hackinthebox-ams/slides.pdf
--------------------------------------------------------------------------------
/2019/02_r2con/README.md:
--------------------------------------------------------------------------------
# A journey through ESIL: understanding code emulation within radare2

Slides and resources for the talk "A journey through ESIL" I gave during r2con2019.

Find video recording here: https://www.youtube.com/watch?v=MaFafykTASw
--------------------------------------------------------------------------------
/2019/02_r2con/demos/cheat.txt:
--------------------------------------------------------------------------------
IOLI
======

r2 crackme0x02

aaa
pdf @ main
s 0x0804842b
aeim
(aer)
aeip
(aer)
aesu 0x0804844e
pf d @ ebp-0xc # or afvd

---
ENCRYPTED CODE
======

r2 Defender.exe

aaa
afl
s fcn.004033d1
pdf
# show push, pop, jmp at the end and next instructions as encrypted
pd 20 @ 0x004034d5
e io.cache = 1
aeim
aeip
aer
aesu 0x004034db
pd 20
--------------------------------------------------------------------------------
/2019/02_r2con/demos/eilam/Defender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/02_r2con/demos/eilam/Defender.exe
--------------------------------------------------------------------------------
/2019/02_r2con/demos/eilam/decrypt:
--------------------------------------------------------------------------------
aaa
s fcn.004033d1
e io.cache=1
aeim
aeip
aesu 0x004034db
--------------------------------------------------------------------------------
/2019/02_r2con/demos/ioli/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/02_r2con/demos/ioli/crackme0x02
--------------------------------------------------------------------------------
/2019/02_r2con/demos/ioli/crackme0x03:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/02_r2con/demos/ioli/crackme0x03
--------------------------------------------------------------------------------
/2019/02_r2con/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/02_r2con/slides.odp
--------------------------------------------------------------------------------
/2019/02_r2con/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2019/02_r2con/slides.pdf
--------------------------------------------------------------------------------
/2020/00_h-c0n/README.md:
--------------------------------------------------------------------------------
# Overcoming fear: reversing with radare2

Slides and resources for the training "Overcoming fear: reversing with radare2" I gave during h-c0n 2020.
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/eilam/Defender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/demos/eilam/Defender.exe
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/eilam/decrypt:
--------------------------------------------------------------------------------
aaa
s fcn.004033d1
e io.cache=1
aeim
aeip
aesu 0x004034db
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/overlong/FlareOn6_Challenge2_Solution_Overlong.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/demos/overlong/FlareOn6_Challenge2_Solution_Overlong.pdf
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/overlong/Message.txt:
--------------------------------------------------------------------------------
The secret of this next challenge is cleverly hidden. However, with the right approach, finding the solution will not take an overlong amount of time.
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/overlong/Overlong.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/demos/overlong/Overlong.exe
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/r2frida/counter:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/demos/r2frida/counter
--------------------------------------------------------------------------------
/2020/00_h-c0n/demos/r2frida/counter.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <unistd.h>

/* Target for the r2frida demo: prints and increments a counter once per second,
 * so patching the sleep argument or the increment is visible immediately. */
int main() {
    int x = 0;
    while(1) {
        printf("%d H-C0N_2020\n", x);
        sleep(1);
        x++;
    }
    return 0;
}
--------------------------------------------------------------------------------
/2020/00_h-c0n/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Update repositories and install required dependencies
sudo apt update
sudo apt -y install git build-essential libc6-i386

# Clone and install radare2
git clone --depth=1 https://github.com/radareorg/radare2
./radare2/sys/install.sh

# Install required dependencies for r2frida
sudo apt -y install libzip-dev nodejs npm curl pkg-config

# Init radare2 package manager and install plugins
r2pm init
r2pm -ci r2frida
r2pm -ci r2dec

# Download Cutter and give exec perm
wget https://github.com/radareorg/cutter/releases/download/v1.10.0/Cutter-v1.10.0-x64.Linux.AppImage
chmod +x ./Cutter-v1.10.0-x64.Linux.AppImage
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x00:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x00
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x01:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x01
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x02
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x03:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x03
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x04:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x04
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x05:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x05
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x06:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x06
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x07:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x07
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x08:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x08
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/ioli/crackme0x09:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/ioli/crackme0x09
--------------------------------------------------------------------------------
/2020/00_h-c0n/pract/sonda/sonda:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/pract/sonda/sonda
--------------------------------------------------------------------------------
/2020/00_h-c0n/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/slides.odp
--------------------------------------------------------------------------------
/2020/00_h-c0n/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/00_h-c0n/slides.pdf
--------------------------------------------------------------------------------
/2020/01_ruhrsec/README.md:
--------------------------------------------------------------------------------
# Code emulation for reverse engineers: A deep dive into radare2's ESIL

Slides and resources for the talk "Code emulation for reverse engineers: A deep dive into radare2's ESIL" I gave during RuhrSec 2020.

Find video recording here: https://www.youtube.com/watch?v=4ATseh8aRTE
--------------------------------------------------------------------------------
/2020/01_ruhrsec/demos/eilam/Defender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/01_ruhrsec/demos/eilam/Defender.exe
--------------------------------------------------------------------------------
/2020/01_ruhrsec/demos/eilam/decrypt:
--------------------------------------------------------------------------------
aaa
s fcn.004033d1
e io.cache=1
aeim
aesu 0x004034db
--------------------------------------------------------------------------------
/2020/01_ruhrsec/demos/ioli/crackme0x02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/01_ruhrsec/demos/ioli/crackme0x02
--------------------------------------------------------------------------------
/2020/01_ruhrsec/demos/sonda/brute_magic.py:
--------------------------------------------------------------------------------
import r2pipe

r2 = r2pipe.open("./sonda")

r2.cmd("aei")                      # initialize the ESIL VM

# Try every candidate value in ecx and emulate the check between 0x90e and 0x92c.
# At 0x92c the binary compares eax with edx, so equal registers mean the
# candidate passed the check.
for i in range(0x14 + 1):
    r2.cmd("aer ecx = " + str(i))  # load the candidate into the input register
    r2.cmd("s 0x90e")              # seek to the start of the check
    r2.cmd("aeip")                 # set the ESIL program counter to the current seek
    r2.cmd("aesu 0x92c")           # emulate until the comparison
    if (r2.cmd("aer eax") == r2.cmd("aer edx")):
        print("Candidate magic number: " + str(i))

r2.quit()
--------------------------------------------------------------------------------
/2020/01_ruhrsec/demos/sonda/sonda:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/01_ruhrsec/demos/sonda/sonda
--------------------------------------------------------------------------------
/2020/01_ruhrsec/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/01_ruhrsec/slides.odp
--------------------------------------------------------------------------------
/2020/01_ruhrsec/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/01_ruhrsec/slides.pdf
--------------------------------------------------------------------------------
/2020/02_hackinthebox-sin/README.md:
--------------------------------------------------------------------------------
# A Review of Modern Code Deobfuscation Techniques

Slides and resources for the talk "A review of modern code deobfuscation techniques" I gave during HITB Lockdown 002.

Find video recording here: https://www.youtube.com/watch?v=tYqXStZv1W4
--------------------------------------------------------------------------------
/2020/02_hackinthebox-sin/slides.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/02_hackinthebox-sin/slides.odp
--------------------------------------------------------------------------------
/2020/02_hackinthebox-sin/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2020/02_hackinthebox-sin/slides.pdf
--------------------------------------------------------------------------------
/2021/00_intent/README.md:
--------------------------------------------------------------------------------
# Code obfuscation through Mixed Boolean-Arithmetic expressions

Slides and resources for the workshop "Code obfuscation through Mixed Boolean-Arithmetic expressions" I gave during Intent Summit 2021.

Find video recording here: https://www.youtube.com/watch?v=ty-RG2BmGEI
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* E is a linear MBA that is identically zero on 8-bit words. */
uint8_t E(uint8_t x, uint8_t y) { return x-y + 2*(~x&y) - (x^y); }

int main(int argc, char* argv[])
{
    /* Exhaustively check all 256 * 256 inputs; the counters wrap back to 0. */
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (E(i, j) != 0) { printf("E(x, y) != 0\n"); return -1; }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("E(x, y) = 0\n"); return 0;
}
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_mba.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)

def E(x, y): return x-y + 2*(~x&y) - (x^y)

prove(E(x, y) == 0)
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_oc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Opaque constant: looks like a polynomial in x and y, always evaluates to 123. */
uint8_t OC(uint8_t x, uint8_t y)
{
    return 195 + 97*x + 159*y +
        194*~(x | ~y) + 159*(x ^ y) +
        (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*
        (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y));
}

int main(int argc, char* argv[])
{
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (OC(i, j) != 123)
            {
                printf("OC(x, y) != 123\n");
                return -1;
            }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("OC(x, y) = 123\n"); return 0;
}
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_oc.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

def OC(x, y):
    return 195 + 97*x + 159*y +\
        194*~(x | ~y) + 159*(x ^ y) +\
        (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*\
        (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y))

prove(OC(x, y) == 123)
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_poly.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* P and Q are permutation polynomials over Z/2^8 that invert each other. */
uint8_t P(uint8_t x) { return 97*x + 248*x*x; }
uint8_t Q(uint8_t x) { return 161*x + 136*x*x; }

int main(int argc, char* argv[])
{
    uint8_t i = 0;
    do
    {
        if (P(Q(i)) != i) { printf("P(Q(X)) != X\n"); return -1; }
        i++;
    } while (i != 0);
    printf("P(Q(X)) = X\n");
    return 0;
}
--------------------------------------------------------------------------------
/2021/00_intent/demos/check_poly.py:
--------------------------------------------------------------------------------
from z3 import *
X = BitVec('X', 8)

def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

prove(P(Q(X)) == X)
--------------------------------------------------------------------------------
/2021/00_intent/demos/create_oc.py:
--------------------------------------------------------------------------------
from z3 import *

X = BitVec('X', 8)
def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

x = BitVec('x', 8)
y = BitVec('y', 8)
def E(x, y): return x-y + 2*(~x&y) - (x^y)

K = BitVecVal(123, 8)

# Opaque Constant
OC = P(E(x,y) + Q(K))

# Apply basic simplification rules
print (simplify(OC))
--------------------------------------------------------------------------------
/2021/00_intent/demos/eq.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)
E = (x ^ y) + 2*(x & y)
E_simp = x + y
prove (E == E_simp)
--------------------------------------------------------------------------------
/2021/00_intent/demos/linear_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Three expressions that compute the same 8-bit sum. */
uint8_t E1(uint8_t x, uint8_t y)
{ return x + y; }
uint8_t E2(uint8_t x, uint8_t y)
{ return (x ^ y) + 2 * (x & y); }
uint8_t E3(uint8_t x, uint8_t y)
{ return 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111; }

int main(int argc, char* argv[])
{
    if (argc < 3) { printf("usage: %s x y\n", argv[0]); return 1; }
    uint8_t x = (uint8_t) atoi (argv[1]);
    uint8_t y = (uint8_t) atoi (argv[2]);
    printf ("%s(%d, %d) = %d\n", "E1", x, y, E1(x, y));
    printf ("%s(%d, %d) = %d\n", "E2", x, y, E2(x, y));
    printf ("%s(%d, %d) = %d\n", "E3", x, y, E3(x, y));
    return 0;
}
--------------------------------------------------------------------------------
/2021/00_intent/demos/prove.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)

E1 = x + y
E2 = (x ^ y) + 2 * (x & y)
E3 = 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111

prove (E1 == E2)
prove (E2 == E3)
prove (E3 == E1)
--------------------------------------------------------------------------------
/2021/00_intent/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2021/00_intent/slides.pdf
--------------------------------------------------------------------------------
/2022/00_h-c0n/README.md:
--------------------------------------------------------------------------------
# Code obfuscation through Mixed Boolean-Arithmetic expressions

Slides and resources for the talk "Code obfuscation through Mixed Boolean-Arithmetic expressions" I gave during h-c0n 2022.

Find video recording here (ES audio): https://www.youtube.com/watch?v=DhzxnzrP_ps
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* E is a linear MBA that is identically zero on 8-bit words. */
uint8_t E(uint8_t x, uint8_t y) { return x-y + 2*(~x&y) - (x^y); }

int main(int argc, char* argv[])
{
    /* Exhaustively check all 256 * 256 inputs; the counters wrap back to 0. */
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (E(i, j) != 0) { printf("E(x, y) != 0\n"); return -1; }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("E(x, y) = 0\n"); return 0;
}
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_mba.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)

def E(x, y): return x-y + 2*(~x&y) - (x^y)

prove(E(x, y) == 0)
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_oc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Opaque constant: looks like a polynomial in x and y, always evaluates to 123. */
uint8_t OC(uint8_t x, uint8_t y)
{
    return 195 + 97*x + 159*y +
        194*~(x | ~y) + 159*(x ^ y) +
        (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*
        (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y));
}

int main(int argc, char* argv[])
{
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (OC(i, j) != 123)
            {
                printf("OC(x, y) != 123\n");
                return -1;
            }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("OC(x, y) = 123\n"); return 0;
}
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_oc.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

def OC(x, y):
    return 195 + 97*x + 159*y +\
        194*~(x | ~y) + 159*(x ^ y) +\
        (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*\
        (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y))

prove(OC(x, y) == 123)
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_poly.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* P and Q are permutation polynomials over Z/2^8 that invert each other. */
uint8_t P(uint8_t x) { return 97*x + 248*x*x; }
uint8_t Q(uint8_t x) { return 161*x + 136*x*x; }

int main(int argc, char* argv[])
{
    uint8_t i = 0;
    do
    {
        if (P(Q(i)) != i) { printf("P(Q(X)) != X\n"); return -1; }
        i++;
    } while (i != 0);
    printf("P(Q(X)) = X\n");
    return 0;
}
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/check_poly.py:
--------------------------------------------------------------------------------
from z3 import *
X = BitVec('X', 8)

def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

prove(P(Q(X)) == X)
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/create_oc.py:
--------------------------------------------------------------------------------
from z3 import *

X = BitVec('X', 8)
def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

x = BitVec('x', 8)
y = BitVec('y', 8)
def E(x, y): return x-y + 2*(~x&y) - (x^y)

K = BitVecVal(123, 8)

# Opaque Constant
OC = P(E(x,y) + Q(K))

# Apply basic simplification rules
print (simplify(OC))
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/eq.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)
E = (x ^ y) + 2*(x & y)
E_simp = x + y
prove (E == E_simp)
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/linear_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Three expressions that compute the same 8-bit sum. */
uint8_t E1(uint8_t x, uint8_t y)
{ return x + y; }
uint8_t E2(uint8_t x, uint8_t y)
{ return (x ^ y) + 2 * (x & y); }
uint8_t E3(uint8_t x, uint8_t y)
{ return 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111; }

int main(int argc, char* argv[])
{
    if (argc < 3) { printf("usage: %s x y\n", argv[0]); return 1; }
    uint8_t x = (uint8_t) atoi (argv[1]);
    uint8_t y = (uint8_t) atoi (argv[2]);
    printf ("%s(%d, %d) = %d\n", "E1", x, y, E1(x, y));
    printf ("%s(%d, %d) = %d\n", "E2", x, y, E2(x, y));
    printf ("%s(%d, %d) = %d\n", "E3", x, y, E3(x, y));
    return 0;
}
--------------------------------------------------------------------------------
/2022/00_h-c0n/demos/prove.py:
--------------------------------------------------------------------------------
from z3 import *
x = BitVec('x', 8)
y = BitVec('y', 8)

E1 = x + y
E2 = (x ^ y) + 2 * (x & y)
E3 = 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111

prove (E1 == E2)
prove (E2 == E3)
prove (E3 == E1)
--------------------------------------------------------------------------------
/2022/00_h-c0n/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/00_h-c0n/slides.pdf
--------------------------------------------------------------------------------
/2022/01_r0-workshop/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade 4 | RUN apt-get install -y git python3-pip python3-venv 5 | 6 | ENV VIRTUAL_ENV=/opt/r0workshop 7 | RUN python3 -m venv $VIRTUAL_ENV 8 | ENV PATH="$VIRTUAL_ENV/bin:$PATH" 9 | 10 | RUN pip3 install jupyterlab astunparse 11 | 12 | COPY src /opt/src 13 | 14 | WORKDIR /opt 15 | RUN git config --global advice.detachedHead false 16 | RUN git clone https://github.com/mrphrazer/msynth.git 17 | 18 | WORKDIR /opt/msynth 19 | RUN git checkout 1418accdc106926bedc8f5a6ae406e9f6c029d74 20 | RUN git submodule update --init --rebase 21 | RUN pip3 install -r requirements.txt 22 | RUN pip3 install . 23 | 24 | WORKDIR /opt/src 25 | EXPOSE 8888 26 | ENTRYPOINT ["jupyter-lab", "--ip=0.0.0.0","--allow-root"] 27 | -------------------------------------------------------------------------------- /2022/01_r0-workshop/README.md: -------------------------------------------------------------------------------- 1 | # Hands-on binary (de)obfuscation 2 | 3 | Slides and resources for the workshop "Hands-on binary (de)obfuscation" I gave with RingZer0 free workshops. 4 | 5 | Find video recording here: https://vimeo.com/723157684 -------------------------------------------------------------------------------- /2022/01_r0-workshop/install.txt: -------------------------------------------------------------------------------- 1 | Build the docker image from Dockerfile 2 | --- 3 | docker build -t r0workshop . 

Run the docker image exposing jupyter-lab instance on localhost:8888
---
docker run -p 8888:8888 r0workshop

Note: the image starts jupyter-lab as root bound to 0.0.0.0, and the -p mapping above publishes the port on every host interface. On a shared network use -p 127.0.0.1:8888:8888 instead, and paste the token printed in the container log into the browser.
--------------------------------------------------------------------------------
/2022/01_r0-workshop/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/01_r0-workshop/slides.pdf
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/01_r0-workshop/src/scramble1
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Plain version of the computation; scramble2.c to scramble4.c are the same
 * function after successive MBA rewrites and print the same result. */
uint64_t scramble(uint64_t x, uint64_t y) {
    return (x | y) + (x ^ y);
}

int main() {
    printf("Result %" PRIu64 "\n", scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/01_r0-workshop/src/scramble2
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble2.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Same function as scramble1.c: x | y became x + (~x & y), x ^ y became
 * (x + y) - 2 * (x & y), and the outer a + b became (a | b) + (~a | b) - ~a. */
uint64_t scramble(uint64_t x, uint64_t y) {
    return ((((x + ((~ x) & y)) | ((x + y) - (2 * (x & y)))) + ((~ (x + ((~ x) & y))) | ((x + y) - (2 * (x & y))))) - (~ (x + ((~ x) & y))));
}

int main() {
    printf("Result %" PRIu64 "\n", scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/01_r0-workshop/src/scramble3
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble3.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* scramble2.c after one more round of the same rewrites. */
uint64_t scramble(uint64_t x, uint64_t y) {
    return ((((((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))) | ((~ (x + ((~ x) & y))) + ((~ (~ (x + ((~ x) & y)))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y)))))) + ((~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y)))))) | ((~ (x + ((~ x) & y))) + ((~ (~ (x + ((~ x) & y)))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))))) - (~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))))) - (~ (x + ((~ x) & y))));
}

int main() {
    printf("Result %" PRIu64 "\n", scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/01_r0-workshop/src/scramble4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/01_r0-workshop/src/scramble4
--------------------------------------------------------------------------------
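Added example, not the workshop's own generator: the three rewrite rules below are read off scramble2.c (x | y became x + (~x & y), x ^ y became (x + y) - 2 * (x & y), and a + b became (a | b) + (~a | b) - ~a). That one round of them on scramble1's expression has the shape of scramble2.c is an observation; how the scramble files were actually produced is an assumption. The block rewrites a Python expression's AST with those rules round by round, then checks the result against the original on corner and random 64-bit inputs with uint64_t wrap-around, since the rewritten expression is useless as obfuscation if it is not equivalent. Names and the template strings are this example's own.

```python
import ast
import functools
import random

MASK = (1 << 64) - 1   # uint64_t wrap-around, as in the scramble*.c sources

# Rewrite templates; {a} and {b} are the left and right operand sources.
# (Read off scramble2.c; assumed, not taken from the workshop's generator.)
RULES = {
    ast.BitOr:  "({a}) + (~({a}) & ({b}))",
    ast.BitXor: "(({a}) + ({b})) - 2 * (({a}) & ({b}))",
    ast.Add:    "(({a}) | ({b})) + (~({a}) | ({b})) - ~({a})",
}


class MbaRewriter(ast.NodeTransformer):
    """One round: every +, | and ^ node of the INPUT tree is replaced once.

    Operands are rewritten before their parent, and the subtree a template
    produces is returned as-is, so nothing generated in this round is
    rewritten again until the next round."""

    def visit_BinOp(self, node):
        node = self.generic_visit(node)
        template = RULES.get(type(node.op))
        if template is None:
            return node
        src = template.format(a=ast.unparse(node.left), b=ast.unparse(node.right))
        return ast.parse(src, mode="eval").body


def obfuscate(expr_src, rounds=1):
    tree = ast.parse(expr_src, mode="eval")
    for _ in range(rounds):
        tree = ast.fix_missing_locations(MbaRewriter().visit(tree))
    return ast.unparse(tree)


@functools.lru_cache(maxsize=None)
def _compiled(expr_src):
    return compile(ast.parse(expr_src, mode="eval"), "<mba>", "eval")


def evaluate(expr_src, x, y):
    """Evaluate with Python's unbounded ints, then keep the low 64 bits.
    +, -, * and the bitwise operators all commute with that reduction, so
    the result matches the C code's uint64_t arithmetic (~x is -x - 1 here,
    which reduces to the same bit pattern as the C complement)."""
    return eval(_compiled(expr_src), {"__builtins__": {}}, {"x": x, "y": y}) & MASK


def equivalent(e1, e2, trials=2000, seed=1):
    """Corner values plus random 64-bit pairs; refutes, never proves."""
    rng = random.Random(seed)
    inputs = [(0, 0), (MASK, MASK), (0, MASK), (MASK, 0), (1234, 5678)]
    inputs += [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(trials)]
    return all(evaluate(e1, x, y) == evaluate(e2, x, y) for x, y in inputs)


def size(expr_src):
    """Number of AST nodes, a rough measure of how much each round grows."""
    return sum(1 for _ in ast.walk(ast.parse(expr_src, mode="eval")))


if __name__ == "__main__":
    clean = "(x | y) + (x ^ y)"           # the expression of scramble1.c
    for rounds in range(4):
        obf = obfuscate(clean, rounds)
        print(f"round {rounds}: {size(obf)} AST nodes, "
              f"scramble(1234, 5678) = {evaluate(obf, 1234, 5678)}, "
              f"equivalent = {equivalent(clean, obf)}")
    print(obfuscate(clean, 1))
```

The evaluation goes through `compile`/`eval` on strings this script generated itself; never point it at expressions from an untrusted source. Round 0 prints 10746, the same value the scramble binaries print.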
/2022/01_r0-workshop/src/scramble4.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* scramble3.c after yet another round of the same rewrites; the single
 * return expression runs on to the closing brace below. */
uint64_t scramble(uint64_t x, uint64_t y) {
    return ((((((((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)))) + ((~ ((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) +
((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))))) & ((((~ (x + ((~ x) & y))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (~ (x + ((~ x) & y)))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (~ (x + ((~ x) & y))))))) | ((~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y)))))) + ((~ (~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))))) & ((((~ (x + ((~ x) & y))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (~ (x + ((~ x) & y)))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (~ (x + ((~ x) & y)))))))) + ((~ (((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & 
y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)))) + ((~ ((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))))) & ((((~ (x + ((~ x) & y))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (~ (x + ((~ x) & y)))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ 
x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (~ (x + ((~ x) & y)))))))) | ((~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y)))))) + ((~ (~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))))) & ((((~ (x + ((~ x) & y))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (~ (x + ((~ x) & y)))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (~ (x + ((~ x) & y))))))))) - (~ (((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x 
+ ((~ x) & ((~ x) & y))))) - (~ x)))) + ((~ ((((((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x)) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))) | ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (((((x + ((~ x) & ((~ x) & y))) | ((~ x) + ((~ (~ x)) & ((~ x) & y)))) + ((~ (x + ((~ x) & ((~ x) & y)))) | ((~ x) + ((~ (~ x)) & ((~ x) & y))))) - (~ (x + ((~ x) & ((~ x) & y))))) - (~ x))))) & ((((~ (x + ((~ x) & y))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y))))) + ((~ (~ (x + ((~ x) & y)))) | ((~ (~ (x + ((~ x) & y)))) & ((((((x + ((~ x) & y)) | ((~ x) + ((~ (~ x)) & y))) + ((~ (x + ((~ x) & y))) | ((~ x) + ((~ (~ x)) & y)))) - (~ (x + ((~ x) & y)))) - (~ x)) - (2 * (x & y)))))) - (~ (~ (x + ((~ x) & y))))))))) - (~ ((((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x)) + ((~ (((x | ((~ x) & y)) + ((~ x) | ((~ x) & y))) - (~ x))) & ((((x | y) + ((~ x) | y)) - (~ x)) - (2 * (x & y))))))) - (~ (x + ((~ x) & y))));
}

int main() {
    printf("Result %" PRIu64 "\n", scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/README.md:
--------------------------------------------------------------------------------
# A Practical Approach to Advanced Code Obfuscation with MBA Expressions

Slides and resources for the lab "A practical approach to advanced code obfuscation with MBA expressions" I gave during HITB SecConf Singapore 2022.

Find the video recording here: https://www.youtube.com/watch?v=5yDzbFz2yWo
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* MBA expression that evaluates to 0 for every pair of 8-bit inputs. */
uint8_t E(uint8_t x, uint8_t y) { return x-y + 2*(~x&y) - (x^y); }

int main(int argc, char* argv[])
{
    /* Exhaustive check: the do/while loops rely on uint8_t wrap-around to
     * visit all 256 * 256 input pairs exactly once. */
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (E(i, j) != 0) { printf("E(x, y) != 0\n"); return -1; }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("E(x, y) = 0\n"); return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_mba.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

def E(x, y): return x-y + 2*(~x&y) - (x^y)

# Same identity, proved for all 8-bit inputs instead of enumerated
prove(E(x, y) == 0)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_oc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Opaque constant: always 123, whatever x and y are. */
uint8_t OC(uint8_t x8, uint8_t y8)
{
    /* Evaluate in unsigned arithmetic: with int operands the product below
     * exceeds INT_MAX for some inputs (signed overflow, undefined behaviour);
     * unsigned wrap-around is well defined, and the final conversion to
     * uint8_t keeps only the low 8 bits either way. */
    unsigned x = x8, y = y8;
    return 195 + 97*x + 159*y +
           194*~(x | ~y) + 159*(x ^ y) +
           (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*
           (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y));
}

int main(int argc, char* argv[])
{
    /* Exhaustive over all 256 * 256 pairs, using uint8_t wrap-around */
    uint8_t i = 0; uint8_t j = 0;
    do
    {
        do
        {
            if (OC(i, j) != 123)
            {
                printf("OC(x, "
"y) != 123\n");
                return -1;
            }
            j++;
        } while (j != 0);
        i++;
    } while (i != 0);
    printf("OC(x, y) = 123\n"); return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_oc.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

def OC(x, y):
    return 195 + 97*x + 159*y +\
           194*~(x | ~y) + 159*(x ^ y) +\
           (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))*\
           (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y))

# The opaque constant evaluates to 123 for every 8-bit x, y (prints "proved")
prove(OC(x, y) == 123)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_poly.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* P and Q are mutually inverse permutation polynomials modulo 256. */
uint8_t P(uint8_t x) { return 97*x + 248*x*x; }
uint8_t Q(uint8_t x) { return 161*x + 136*x*x; }

int main(int argc, char* argv[])
{
    /* Exhaustive over all 256 values, using uint8_t wrap-around */
    uint8_t i = 0;
    do
    {
        if (P(Q(i)) != i) { printf("P(Q(X)) != X\n"); return -1; }
        i++;
    } while (i != 0);
    printf("P(Q(X)) = X\n");
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/check_poly.py:
--------------------------------------------------------------------------------
from z3 import *

X = BitVec('X', 8)

def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

prove(P(Q(X)) == X)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/create_oc.py:
--------------------------------------------------------------------------------
from z3 import *

X = BitVec('X', 8)
def P(X): return 97*X + 248*X*X
def Q(X): return 161*X + 136*X*X

x = BitVec('x', 8)
y = BitVec('y', 8)
def E(x,
      y): return x-y + 2*(~x&y) - (x^y)

K = BitVecVal(123, 8)

# Opaque Constant: E is always 0 and P(Q(K)) == K, so OC == K for every x, y
OC = P(E(x,y) + Q(K))

# Apply basic simplification rules
print(simplify(OC))
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/eq.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

# Linear MBA rewrite of x + y next to its simplified form; prove() asks z3
# for a counterexample on 8-bit bitvectors and prints "proved" if none exists.
E = (x ^ y) + 2*(x & y)
E_simp = x + y
prove(E == E_simp)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/linear_mba.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Three expressions that agree on every 8-bit input: E2 is the classic
 * linear MBA rewrite of x + y, E3 wraps it in an affine map that is the
 * identity modulo 256 (151 * 39 = 5889 = 23 * 256 + 1 and
 * 151 * 23 + 111 = 3584 = 14 * 256). */
uint8_t E1(uint8_t x, uint8_t y)
{ return x + y; }
uint8_t E2(uint8_t x, uint8_t y)
{ return (x ^ y) + 2 * (x & y); }
uint8_t E3(uint8_t x, uint8_t y)
{ return 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111; }

int main(int argc, char* argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <x> <y>\n", argv[0]);
        return 1;
    }
    uint8_t x = (uint8_t) atoi (argv[1]);
    uint8_t y = (uint8_t) atoi (argv[2]);
    printf ("%s(%d, %d) = %d\n", "E1", x, y, E1(x, y));
    printf ("%s(%d, %d) = %d\n", "E2", x, y, E2(x, y));
    printf ("%s(%d, %d) = %d\n", "E3", x, y, E3(x, y));
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/demos/prove.py:
--------------------------------------------------------------------------------
from z3 import *

x = BitVec('x', 8)
y = BitVec('y', 8)

E1 = x + y
E2 = (x ^ y) + 2 * (x & y)
E3 = 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111

# Each call prints "proved": the three are equal for all 8-bit inputs.
prove(E1 == E2)
prove(E2 == E3)
prove(E3 == E1)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/predicates.txt:
--------------------------------------------------------------------------------
#1 (x ^ y) + 2 * (x & y) == 151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111
#2 x-y + 2*(~x&y) - (x^y) == 0
#3 195 + 97*x + 159*y + 194*~(x | ~y) + 159*(x ^ y) + (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))* (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y)) == 123
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/rules.txt:
--------------------------------------------------------------------------------
ADD 3*(op1 & op2) - (op1 | op2) + 2*(op1 ^ op2)
SUB -3*(op1 & op2) - 2*(op1 ^ op2) + 2*op1 + (op1 | op2)
MUL -op1 + op2 + (op1^op2) + (op1*op2) + 2*(op1 | (~op2)) + 2
XOR 39*(151*(op1 - op2 - 2*(op1 | ~op2) - 2) + 111) + 23
AND -op1 + op2 - 2*(op1 ^ op2) + 2*op1 + (op1 | op2) - 2*(op1 & op2)
OR -op1 - op2 + 3*(op1 & op2) + 2*(op1 ^ op2)
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/vm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/02_hackinthebox-sin/live/vm
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/vm.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Minimal stack VM: opcode 0xA0 pushes the following word, 0xB0 pops,
 * 0x10..0x60 are the binary operators, and a 0 word halts. The handlers are
 * force-inlined into the dispatch loop; vm_obf.c replaces their bodies with
 * the MBA rewrites listed in rules.txt. */
typedef struct stack
{
    uint8_t size;   // Enough to address 256 elements (no bounds checks)
    uint64_t content[256];
} stack;

//inline void vm_push(stack* s, uint64_t value) __attribute__((always_inline));
//inline uint64_t vm_pop(stack* s) __attribute__((always_inline));
inline void vm_add(stack* s) __attribute__((always_inline));
inline void vm_sub(stack* s) __attribute__((always_inline));
inline void vm_mul(stack* s) __attribute__((always_inline));
inline void
vm_xor(stack* s) __attribute__((always_inline));
inline void vm_and(stack* s) __attribute__((always_inline));
inline void vm_or(stack* s) __attribute__((always_inline));

void vm_push(stack* s, uint64_t value)
{
    s->content[++(s->size)] = value;
}

uint64_t vm_pop(stack* s)
{
    return s->content[(s->size)--];
}

inline void vm_add(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 + op2;
    vm_push(s, result);
}

inline void vm_sub(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 - op2;
    vm_push(s, result);
}

inline void vm_mul(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 * op2;
    vm_push(s, result);
}

inline void vm_xor(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 ^ op2;
    vm_push(s, result);
}

inline void vm_and(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 & op2;
    vm_push(s, result);
}

inline void vm_or(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = op1 | op2;
    vm_push(s, result);
}

uint64_t interpreter(uint64_t* bytecode)
{
    uint64_t vm_ip, current_ins;
    stack s;

    vm_ip = 0;
    s.size = 0;

    // A 0 word is the halt opcode: every bytecode array must end with one.
    while ((current_ins = bytecode[vm_ip]) != 0)
    {
        switch (current_ins)
        {
            case 0xA0:
                vm_push(&s, bytecode[++vm_ip]);
                break;

            case 0xB0:
                vm_pop(&s);
                break;

            case 0x10:
                vm_add(&s);
                break;

            case 0x20:
                vm_sub(&s);
                break;

            case 0x30:
                vm_mul(&s);
                break;

            case 0x40:
                vm_xor(&s);
                break;

            case 0x50:
                vm_and(&s);
                break;

            case 0x60:
                vm_or(&s);
                break;

            default:
                break;  // unknown opcode: skipped
        }
        vm_ip++;
    }
    return vm_pop(&s);
}

uint64_t vmSecretComputation(uint64_t x, uint64_t y)
{
    uint64_t result;

    // POSTFIX: 4 x y + x y & x y | ^ - *
    uint64_t bytecode[] =
    {
        0xA0,   // vm_push
        0x04,   // 4
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x10,   // vm_add
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x50,   // vm_and
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x60,   // vm_or
        0x40,   // vm_xor
        0x20,   // vm_sub
        0x30,   // vm_mul
        0x00,   // halt (without it the interpreter reads past the array)
    };

    result = interpreter(bytecode);
    return result;
}

// Reference implementation of what the bytecode computes
uint64_t secretComputation(uint64_t x, uint64_t y)
{
    uint64_t result;
    result = 4 * ( (x + y) - ((x & y) ^ (x | y)) );
    return result;
}

int main()
{
    printf("Result %" PRIu64 "\n", vmSecretComputation(1234, 5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/vm_obf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/02_hackinthebox-sin/live/vm_obf
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/vm_obf.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Same VM as vm.c; each arithmetic handler now carries the MBA rewrite from
 * rules.txt instead of the plain operator. */
typedef struct stack
{
    uint8_t size;   // Enough to address 256 elements (no bounds checks)
    uint64_t content[256];
} stack;

//inline void vm_push(stack* s, uint64_t value) __attribute__((always_inline));
//inline uint64_t vm_pop(stack* s)
//    __attribute__((always_inline));
inline void vm_add(stack* s) __attribute__((always_inline));
inline void vm_sub(stack* s) __attribute__((always_inline));
inline void vm_mul(stack* s) __attribute__((always_inline));
inline void vm_xor(stack* s) __attribute__((always_inline));
inline void vm_and(stack* s) __attribute__((always_inline));
inline void vm_or(stack* s) __attribute__((always_inline));

void vm_push(stack* s, uint64_t value)
{
    s->content[++(s->size)] = value;
}

uint64_t vm_pop(stack* s)
{
    return s->content[(s->size)--];
}

inline void vm_add(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = 3*(op1 & op2) - (op1 | op2) + 2*(op1 ^ op2);
    vm_push(s, result);
}

inline void vm_sub(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = -3*(op1 & op2) - 2*(op1 ^ op2) + 2*op1 + (op1 | op2);
    vm_push(s, result);
}

inline void vm_mul(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = -op1 + op2 + (op1^op2) + (op1*op2) + 2*(op1 | (~op2)) + 2;
    vm_push(s, result);
}

inline void vm_xor(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    /* op1 - op2 - 2*(op1 | ~op2) - 2 equals op1 ^ op2 at any width, but the
     * affine wrapper 39*(151*X + 111) + 23 = 5889*X + 4352 is the identity
     * only modulo 256 (5889 = 23*256 + 1, 4352 = 17*256). With uint64_t
     * operands this handler therefore does not compute XOR; drop the wrapper,
     * or choose coefficients that are inverses modulo 2^64, for a faithful
     * 64-bit version. */
    result = 39*(151*(op1 - op2 - 2*(op1 | ~op2) - 2) + 111) + 23;
    vm_push(s, result);
}

inline void vm_and(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = -op1 + op2 - 2*(op1 ^ op2) + 2*op1 + (op1 | op2) - 2*(op1 & op2);
    vm_push(s, result);
}

inline void vm_or(stack* s)
{
    uint64_t op1, op2, result;
    op2 = vm_pop(s);
    op1 = vm_pop(s);
    result = -op1 - op2 + 3*(op1 & op2) + 2*(op1 ^ op2);
    vm_push(s, result);
}

uint64_t interpreter(uint64_t* bytecode)
{
    uint64_t vm_ip, current_ins;
    stack s;

    vm_ip = 0;
    s.size = 0;

    // A 0 word is the halt opcode: every bytecode array must end with one.
    while ((current_ins = bytecode[vm_ip]) != 0)
    {
        switch (current_ins)
        {
            case 0xA0:
                vm_push(&s, bytecode[++vm_ip]);
                break;

            case 0xB0:
                vm_pop(&s);
                break;

            case 0x10:
                vm_add(&s);
                break;

            case 0x20:
                vm_sub(&s);
                break;

            case 0x30:
                vm_mul(&s);
                break;

            case 0x40:
                vm_xor(&s);
                break;

            case 0x50:
                vm_and(&s);
                break;

            case 0x60:
                vm_or(&s);
                break;

            default:
                break;  // unknown opcode: skipped
        }
        vm_ip++;
    }
    return vm_pop(&s);
}

uint64_t vmSecretComputation(uint64_t x, uint64_t y)
{
    uint64_t result;

    // POSTFIX: 4 x y + x y & x y | ^ - *
    uint64_t bytecode[] =
    {
        0xA0,   // vm_push
        0x04,   // 4
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x10,   // vm_add
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x50,   // vm_and
        0xA0,   // vm_push
        x,      // x
        0xA0,   // vm_push
        y,      // y
        0x60,   // vm_or
        0x40,   // vm_xor
        0x20,   // vm_sub
        0x30,   // vm_mul
        0x00,   // halt (without it the interpreter reads past the array)
    };

    result = interpreter(bytecode);
    return result;
}

// Reference implementation of what the bytecode computes
uint64_t secretComputation(uint64_t x, uint64_t y)
{
    uint64_t result;
    result = 4 * ( (x + y) - ((x & y) ^ (x | y)) );
    return result;
}

int main()
{
    printf("Result %" PRIu64 "\n", vmSecretComputation(1234, 5678));
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/xor:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/02_hackinthebox-sin/live/xor
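Added example, not the talk's create_oc.py (which hands the construction to z3's simplify): the opaque constant of check_oc.c / create_oc.py is P(E(x, y) + Q(K)), where E is the always-zero MBA from check_mba.c and P, Q are mutually inverse permutation polynomials modulo 2^8 (check_poly.c). The block finds a quadratic inverse Q for a given P by search and verifies the resulting opaque constant exhaustively over all 8-bit pairs, as the C checks do. The search covers only quadratic candidates with an odd linear and an even quadratic coefficient, the shape every quadratic permutation polynomial modulo 2^n has, and returns None if no quadratic inverse exists. It also shows that the coefficients are not unique: 128*(x + x^2) vanishes modulo 256, so several Q compute the same permutation. Function names are this example's own; P and Q_PAGE are the values from the demos.

```python
BITS = 8
MOD = 1 << BITS
MASK = MOD - 1


def poly(coeffs, x):
    """a0 + a1*x + a2*x**2 + ... evaluated mod 2**BITS (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) & MASK
    return acc


def is_permutation(coeffs):
    return len({poly(coeffs, x) for x in range(MOD)}) == MOD


def find_quadratic_inverse(p):
    """Search Q(x) = b1*x + b2*x**2, b1 odd and b2 even, with P(Q(x)) == x
    for every x. Returns None when no quadratic inverse exists; the inverse
    of a quadratic permutation polynomial need not be quadratic itself."""
    for b2 in range(0, MOD, 2):
        for b1 in range(1, MOD, 2):
            q = (0, b1, b2)
            if all(poly(p, poly(q, x)) == x for x in range(MOD)):
                return q
    return None


def same_function(p, q):
    """Two coefficient vectors may compute the same map mod 2**BITS."""
    return all(poly(p, x) == poly(q, x) for x in range(MOD))


def E_zero(x, y):
    """MBA that is 0 for every 8-bit x, y (the E of check_mba.c)."""
    return (x - y + 2 * (~x & y) - (x ^ y)) & MASK


def opaque_constant(x, y, K, P, Q):
    """P(E(x, y) + Q(K)): equals P(Q(K)) == K for every x, y, while the
    expanded polynomial-in-MBA form does not show K anywhere."""
    return poly(P, (E_zero(x, y) + poly(Q, K)) & MASK)


def verify_opaque_constant(K, P, Q):
    """Exhaustive over all 65536 input pairs, as check_oc.c does."""
    return all(opaque_constant(x, y, K, P, Q) == K
               for x in range(MOD) for y in range(MOD))


def opaque_true(x, y, P, Q):
    """Always-true predicate in the style of xor_op_pred.c's third branch:
    OC == 123, so (OC - 57) == 66 < 100 regardless of x and y."""
    return ((opaque_constant(x, y, 123, P, Q) - 57) & MASK) < 100


P = (0, 97, 248)        # the P of check_poly.c / create_oc.py
Q_PAGE = (0, 161, 136)  # the Q given there

if __name__ == "__main__":
    q = find_quadratic_inverse(P)
    print("P is a permutation:", is_permutation(P))
    print("found inverse:", q, "same map as the page's Q:", same_function(q, Q_PAGE))
    print("OC(x, y) == 123 for all x, y:", verify_opaque_constant(123, P, q))
```

To build a fresh opaque constant pick any odd a1 and even a2 for P, run `find_quadratic_inverse`, and keep the pair only if it returns a Q; the exhaustive `verify_opaque_constant` is cheap at 8 bits and is the check to keep in a test suite, since a wrong Q silently turns the predicate into a real branch.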
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/xor.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Reference program: z = x ^ y. xor_op_pred.c computes the same thing
 * behind three opaque predicates. */
int main(int argc, char* argv[])
{
    uint8_t x, y, z;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <x> <y>\n", argv[0]);
        return 1;
    }
    x = (uint8_t) atoi (argv[1]);
    y = (uint8_t) atoi (argv[2]);

    z = x ^ y;

    printf("z = %d\n", z);
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/xor_op_pred:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/02_hackinthebox-sin/live/xor_op_pred
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/live/xor_op_pred.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Same z = x ^ y as xor.c, hidden behind the three opaque predicates of
 * predicates.txt. Only the third branch is ever taken:
 *  - #1: the affine wrapper equals (x ^ y) + 2*(x & y) modulo 256, so the
 *        strict > never holds (always false);
 *  - #2: the MBA is 0 for every input and never 0x17 (always false);
 *  - #3: the opaque constant is 123, so 123 - 57 = 66 < 100 (always true). */
int main(int argc, char* argv[])
{
    /* x and y are kept in unsigned: the products in predicate #3 exceed
     * INT_MAX for some inputs, which would be signed overflow with int
     * operands; the (uint8_t) casts keep only the low 8 bits either way. */
    unsigned x, y;
    uint8_t z;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <x> <y>\n", argv[0]);
        return 1;
    }
    x = (uint8_t) atoi (argv[1]);
    y = (uint8_t) atoi (argv[2]);

    if ((uint8_t)(151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111) > (uint8_t)((x ^ y) + 2 * (x & y)))
    {
        z = x & y;
    }

    else if ((uint8_t)(x-y + 2*(~x&y) - (x^y)) == 0x17)
    {
        z = x | y;
    }

    else if ((uint8_t)(195 + 97*x + 159*y + 194*~(x | ~y) + 159*(x ^ y) + (163 + x + 255*y + 2*~(x | ~y) + 255*(x ^ y))* (232 + 248*x + 8*y + 240*~(x | ~y) + 8*(x ^ y)) - 57) < 100)
    {
        z = x ^ y;
    }

    else {
        z = 0;
    }

    printf("z = %d\n", z);
    return 0;
}
--------------------------------------------------------------------------------
/2022/02_hackinthebox-sin/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2022/02_hackinthebox-sin/slides.pdf
--------------------------------------------------------------------------------
/2023/00_h-c0n/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:22.04

RUN apt-get update && apt-get -y dist-upgrade
RUN apt-get install -y git python3-pip python3-venv
RUN apt-get install -y graphviz

ENV VIRTUAL_ENV=/opt/hc0n-env
RUN python3 -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

RUN pip3 install jupyterlab sympy numpy showast networkx matplotlib

RUN mkdir /opt/tools
RUN git config --global advice.detachedHead false

# Install msynth, miasm, and dependencies (pinned to a known commit)
WORKDIR /opt/tools
RUN git clone https://github.com/mrphrazer/msynth.git
WORKDIR /opt/tools/msynth
RUN git checkout 1418accdc106926bedc8f5a6ae406e9f6c029d74
RUN git submodule update --init --rebase
RUN pip3 install -r requirements.txt
RUN pip3 install .

# Install MBA-Solver (cloned only, pinned to a known commit)
WORKDIR /opt/tools
RUN git clone https://github.com/softsec-unh/MBA-Solver.git
WORKDIR /opt/tools/MBA-Solver
RUN git checkout c76231aadb8b033d9e8e6be2baa05ff1464f247e
RUN sed -i 's/np.int/int/g' ./tools/mba_string_operation.py # Fix deprecated numpy alias

# Install sagemath
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get install -y sagemath sagemath-jupyter

RUN mkdir /opt/demo
# COPY demo /opt/demo
WORKDIR /opt/demo
EXPOSE 8888
ENTRYPOINT ["jupyter-lab", "--ip=0.0.0.0","--allow-root"]
--------------------------------------------------------------------------------
/2023/00_h-c0n/INSTALL.txt:
--------------------------------------------------------------------------------
Build the docker image from Dockerfile
---
docker build -t hc0n-2023-deobfuscation .
4 | 5 | 6 | Run the docker image exposing jupyter-lab instance on localhost:8888 7 | --- 8 | docker run -p 8888:8888 hc0n-2023-deobfuscation 9 | 10 | * Depending on your docker installation, you might need to "sudo" the previous commands. 11 | -------------------------------------------------------------------------------- /2023/00_h-c0n/README.md: -------------------------------------------------------------------------------- 1 | # Hands-on binary (de)obfuscation (updated '23) 2 | 3 | Resources for the workshop "Hands-on binary (de)obfuscation" I gave during h-c0n 2023. 4 | 5 | Interactive workshop, no slides or recording available. 6 | -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/00_h-c0n/src/scramble1 -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | uint64_t scramble(uint64_t x, uint64_t y) { 6 | return (x | y) + (x ^ y); 7 | } 8 | 9 | int main() { 10 | printf("Result %" PRIu64 "\n", scramble(1234,5678)); 11 | return 0; 12 | } -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/00_h-c0n/src/scramble2 -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | uint64_t scramble(uint64_t x, uint64_t y) { 6 | return (x + (~x & 
y) | x + y - 2 * (x & y)) + (~(x + (~x & y)) | x + y - 2 * (x & y)) - ~(x + (~x & y)); 7 | } 8 | 9 | int main() { 10 | printf("Result %" PRIu64 "\n", scramble(1234,5678)); 11 | return 0; 12 | } -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/00_h-c0n/src/scramble3 -------------------------------------------------------------------------------- /2023/00_h-c0n/src/scramble3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | uint64_t scramble(uint64_t x, uint64_t y) { 6 | return 2155511622373988895 + 16804540376168033095*(14474691768414218647 + 7223014174769139319*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y))) + 18246968630623338496*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y)))*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y)))) + 17386697504552124416*(14474691768414218647 + 7223014174769139319*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y))) + 18246968630623338496*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y)))*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y))))*(14474691768414218647 + 7223014174769139319*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y))) + 18246968630623338496*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y)))*((x + (~x & y) | x + y - 2*(x & y)) + (~(x + (~x & y)) | x + y - 2*(x & y)) - ~(x + (~x & y)))); 7 | } 8 | 9 | int main() { 10 | printf("Result %" PRIu64 "\n", 
scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2023/00_h-c0n/src/scramble4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/00_h-c0n/src/scramble4
--------------------------------------------------------------------------------
/2023/00_h-c0n/src/scramble4.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* Deepest layer of the series: the x | y and x ^ y sub-terms of scramble2 are
 * each wrapped in two quadratic polynomials mod 2^64 before being combined
 * with the scramble2 pattern, and the combination is wrapped in two more.
 * The whole expression is one source line. */
uint64_t scramble(uint64_t x, uint64_t y) {
    return 17188393767951940199 + 10441007794851070987 * (13473451123818078059 + 3398791266673272739 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * 
(14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) + 13243469762442297344 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x 
& y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 
14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))))) + 8046993899073306624 * (13473451123818078059 + 3398791266673272739 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) 
+ 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 
18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) + 13243469762442297344 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * 
(14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 
10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))))) * (13473451123818078059 + 3398791266673272739 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * 
(14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) + 13243469762442297344 * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x 
& y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))) * ((2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 
14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) + (~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y)))) | 4368369358058645032 + 18201185361712082273 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) + 14550288483659808768 * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y))) * (13203382768830271704 + 10131431409256887969 * (x + y - 2 * (x & y)) + 12017493690218971136 * (x + y - 2 * (x & y)) * (x + y - 2 * (x & y)))) - ~(2155511622373988895 + 16804540376168033095 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) + 17386697504552124416 * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))) * (14474691768414218647 + 7223014174769139319 * (x + (~x & y)) + 18246968630623338496 * (x + (~x & y)) * (x + (~x & y))))));
}

int main() {
    printf("Result %" PRIu64 "\n", scramble(1234,5678));
    return 0;
}
--------------------------------------------------------------------------------
/2023/01_rootedcon/README.md:
--------------------------------------------------------------------------------
# Tales of software protection: cryptography and obfuscation, better together
Slides for the talk "Tales of software protection: cryptography and obfuscation, better together" I gave during RootedCON 2023 within the Criptored track.

Find the video recording here (Spanish audio): https://www.youtube.com/watch?v=juAqtXCCjVQ
--------------------------------------------------------------------------------
/2023/01_rootedcon/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/01_rootedcon/slides.pdf
--------------------------------------------------------------------------------
/2023/02_euskalhack/README.md:
--------------------------------------------------------------------------------
# Symbolic execution for security researchers
Slides and resources for the talk "Symbolic execution for security researchers" I gave during EuskalHack Security Congress VI (2023).
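The obfuscated sources above (xor_op_pred.c from the 2022 HITB live demo, scramble1.c and scramble2.c from the h-c0n workshop) can be checked without any of the tools the Dockerfile installs. The script below is an added example and not part of the talk materials: it transcribes the three predicates of xor_op_pred.c with C integer-promotion semantics, evaluates them over the whole 8-bit input space, and applies the per-bit test for linear MBA: two expressions built from an integer constant plus integer multiples of bitwise functions of x and y agree modulo 2^w for all inputs iff they agree on the four inputs (x, y) in {0,1}^2, because every bit position of a w-bit value is one of those four cases. One caveat the C source hides: the product in the third predicate is evaluated in int and overflows for large inputs, which is undefined behaviour in C; Python integers are exact, and since only the low 8 bits survive the cast the result equals what a wrapping compiler produces. All function names are mine. The polynomial layers of scramble3.c and scramble4.c are not linear, so the four-point test says nothing about them; that is what the MBA simplification tools in the Dockerfile (msynth, MBA-Solver) are for.

```python
"""Added example, not part of the talk materials: checking the opaque
predicates of xor_op_pred.c and the MBA rewrite in scramble2.c in pure Python."""
from itertools import product


def u8(v):
    """The C (uint8_t) cast: keep the low 8 bits of a (possibly negative) int."""
    return v & 0xff


# The three predicates of xor_op_pred.c. x and y are uint8_t, so C promotes
# them to int and only the outer cast truncates; Python ints reproduce that
# exactly (and never overflow, unlike the int product in pred3).
def pred1(x, y):
    return u8(151 * (39 * ((x ^ y) + 2 * (x & y)) + 23) + 111) > u8((x ^ y) + 2 * (x & y))


def pred2(x, y):
    return u8(x - y + 2 * (~x & y) - (x ^ y)) == 0x17


def pred3_linear(x, y):
    return 97 * x + 159 * y + 194 * ~(x | ~y) + 159 * (x ^ y)


def pred3_a(x, y):
    return 163 + x + 255 * y + 2 * ~(x | ~y) + 255 * (x ^ y)


def pred3_b(x, y):
    return 232 + 248 * x + 8 * y + 240 * ~(x | ~y) + 8 * (x ^ y)


def pred3(x, y):
    return u8(195 + pred3_linear(x, y) + pred3_a(x, y) * pred3_b(x, y) - 57) < 100


def xor_op_pred(x, y):
    """Mirror of main() in xor_op_pred.c: returns (z, index of the branch taken)."""
    if pred1(x, y):
        return x & y, 1
    if pred2(x, y):
        return x | y, 2
    if pred3(x, y):
        return x ^ y, 3
    return 0, 4


def classify(pred, width=8):
    """Brute force over every (x, y) pair of the given width."""
    values = {pred(x, y) for x in range(1 << width) for y in range(1 << width)}
    if values == {True}:
        return "opaque true"
    if values == {False}:
        return "opaque false"
    return "not opaque"


def branches_taken():
    """Which branches of xor_op_pred.c are reachable for 8-bit inputs."""
    return {xor_op_pred(x, y)[1] for x in range(256) for y in range(256)}


def linear_mba_equal(f, g, width):
    """f == g (mod 2**width) for all inputs, provided both are linear MBA, i.e.
    an integer constant plus integer multiples of bitwise functions of x and y.
    Such an expression equals c + sum_b 2**b * e(x_b, y_b) for a fixed e on
    single bits, so the four inputs (x, y) in {0,1}^2 decide equality everywhere."""
    mod = 1 << width
    return all((f(x, y) - g(x, y)) % mod == 0 for x, y in product((0, 1), repeat=2))


def scramble1(x, y):
    return (x | y) + (x ^ y)


def scramble2(x, y):
    # x + (~x & y) is x | y and x + y - 2 * (x & y) is x ^ y: a linear MBA
    return ((x + (~x & y) | x + y - 2 * (x & y))
            + (~(x + (~x & y)) | x + y - 2 * (x & y))
            - ~(x + (~x & y)))


if __name__ == "__main__":
    for name, p in (("pred1", pred1), ("pred2", pred2), ("pred3", pred3)):
        print(name, classify(p))
    print("branches reachable:", branches_taken())
    print("pred3 pieces reduce to 0, 163, 232 (mod 256):",
          linear_mba_equal(pred3_linear, lambda x, y: 0, 8),
          linear_mba_equal(pred3_a, lambda x, y: 163, 8),
          linear_mba_equal(pred3_b, lambda x, y: 232, 8),
          "so pred3 compares the constant", u8(195 + 163 * 232 - 57), "< 100")
    print("scramble2 == scramble1 (mod 2**64):", linear_mba_equal(scramble2, scramble1, 64))
```

The brute-force classifier is only an option because the inputs are 8 bits wide; the four-point test is what scales, and it is also what tells you why the third predicate is constant: its linear part vanishes mod 256 and each factor of the product is a constant, so the whole comparison is 66 < 100 regardless of x and y.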
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/example/example.asm:
--------------------------------------------------------------------------------
global _start

section .text

_start:
    mov rax, 123
    add rax, rsi          ; rsi and rdi are read before being written: the free inputs
    xor rax, rdi
    mov rbx, 0x2
    add rax, rbx
    mov rdi, 0x3
    mov rsi, rax
    add rax, rbx
    xor rax, rdi
    mov rbx, 0x7
    and rax, rbx          ; only the low three bits survive from here on
    mov rdi, 1336
    add rax, rdi
    cmp rax, 1337         ; equal only if the masked value was 1
    jnz bad

good:
    xor rdi, rdi          ; exit status 0
    jmp exit

bad:
    mov rdi, 1            ; exit status 1

exit:
    mov rax, 0x3c         ; SYS_exit
    syscall
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/example/example.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/example/example.o
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/afl-build/fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/fuzz/afl-build/fuzz
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/cheatsheet.txt:
--------------------------------------------------------------------------------
echo EuskalHack2023 > /in/seed

afl-fuzz -M afl-master -i ./in -o ./out -- ./afl-build/fuzz @@
afl-fuzz -S afl-secondary -i ./in -o ./out -- ./afl-build/fuzz @@
symcc_fuzzing_helper -o ./out -a afl-secondary -n symcc -- ./symcc-build/fuzz @@
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/crash:
--------------------------------------------------------------------------------
ᯡ`K203
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/fuzz/fuzz
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/fuzz.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

/* Fuzz target. Three things decide the path through stuff():
 *  - any byte equal to 'F' ^ i makes the loop return early with i + 1
 *    (on x86-64 Linux char is signed, so bytes >= 0x80 can never match
 *    the unsigned 'F' ^ i);
 *  - the first four bytes, read as a little-endian int, must be 0x0fa1afe1;
 *  - the divisor is fsize - 10, so a 10-byte file that passes the two
 *    checks above divides by zero and the process dies with SIGFPE. */
int stuff(char *data, long fsize) {
    for (size_t i = 0; i < fsize; i++) {
        if (data[i] == ('F' ^ i)) return i+1;
    }

    if (*(int*)data != 0xfa1afe1) return 0;

    return (int)(0x1337/(fsize - 10));
}

int main(int argc, char* argv[]) {
    if (argc != 2) return -1;

    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) return -1;

    fseek(f, 0, SEEK_END);
    long fsize = ftell(f);

    fseek(f, 0, SEEK_SET);
    char *data = malloc(fsize + 1);
    fread(data, 1, fsize, f);
    fclose(f);

    int r = stuff(data, fsize);
    free(data);
    return 0;
}
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/fuzz/symcc-build/fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/fuzz/symcc-build/fuzz
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/opaque/XTunnel.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/opaque/XTunnel.bin
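fuzz.c above is the target of the AFL++ plus SymCC session in cheatsheet.txt, and the only crash in it is a division by zero in stuff(). The script below is an added example, not part of the talk materials: it models stuff() in Python so the three path conditions can be read off and a crashing input derived by hand rather than found by fuzzing. It assumes the demo's platform is x86-64 Linux, where char is signed and int is little-endian, so the magic check needs the bytes e1 af a1 0f (the first three of which decode as the UTF-8 character ᯡ, which is why the repository's crash files display as starting with that glyph) and a byte only matches 'F' ^ i when it is below 0x80. Signal 8 in the AFL++ crash name under the Navaja Negra out/ directory further down is SIGFPE, the signal the division raises. The sample inputs are constructed here; "EuskalHack2023" is the seed from cheatsheet.txt.

```python
"""Added example, not part of the talk materials: a Python model of stuff()
from fuzz.c, used to derive (rather than fuzz for) the input that crashes it.
Assumes the demo's platform, x86-64 Linux: signed char, little-endian int."""

MAGIC = 0x0fa1afe1
MAGIC_BYTES = MAGIC.to_bytes(4, "little")   # e1 af a1 0f


class DivideByZero(Exception):
    """Stands in for the SIGFPE the C program dies with."""


def c_div(a, b):
    """C integer division truncates toward zero; Python's // floors."""
    if b == 0:
        raise DivideByZero(f"{a:#x} / 0")
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def stuff(data: bytes) -> int:
    """Mirror of stuff() in fuzz.c."""
    fsize = len(data)
    # Loop: a byte equal to 'F' ^ i returns early with i + 1. A byte >= 0x80 is
    # a negative char in C and converts to a huge unsigned value next to the
    # size_t expression, so it can never match.
    for i, b in enumerate(data):
        if b < 0x80 and b == (ord("F") ^ i):
            return i + 1
    # Magic: the first four bytes read as an int must be 0x0fa1afe1. For
    # inputs shorter than 4 bytes the C code reads uninitialised heap memory;
    # the model treats that as a mismatch.
    if fsize < 4 or int.from_bytes(data[:4], "little") != MAGIC:
        return 0
    # 0x1337 / (fsize - 10): division by zero exactly when the file is 10 bytes.
    return c_div(0x1337, fsize - 10)


def crashes(data: bytes) -> bool:
    """True if the model hits the division by zero for this input."""
    try:
        stuff(data)
    except DivideByZero:
        return True
    return False


def triage(data: bytes) -> str:
    """Name the path an input takes by checking the three conditions directly,
    independently of stuff(), so the two can be compared."""
    for i, b in enumerate(data):
        if b < 0x80 and b == (ord("F") ^ i):
            return f"early return at index {i}"
    if data[:4] != MAGIC_BYTES:
        return "magic mismatch"
    if len(data) == 10:
        return "crash: division by zero (SIGFPE)"
    return f"magic ok, returns {c_div(0x1337, len(data) - 10)}"


def crashing_input(filler: int = 0x00) -> bytes:
    """A 10-byte input satisfying all three conditions: no early return, the
    magic prefix, and fsize - 10 == 0. Any filler byte works once the ones
    that would collide with 'F' ^ i get their high bit set."""
    out = bytearray(MAGIC_BYTES)
    for i in range(len(out), 10):
        b = filler & 0xff
        if b < 0x80 and b == (ord("F") ^ i):
            b |= 0x80          # a negative char never matches the loop test
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs; "EuskalHack2023" is the seed from cheatsheet.txt.
    samples = (b"EuskalHack2023\n", b"xG", MAGIC_BYTES + b"seven77",
               crashing_input(), crashing_input(0x42))
    for sample in samples:
        print(sample.hex(), "->", triage(sample))
```

The point of writing the model is the third condition: a fuzzer has to stumble on a file of exactly ten bytes that also carries the magic prefix, while the constraint view makes the crash a one-line construction. The same reasoning is what SymCC does automatically when it solves the path condition for the `fsize - 10 == 0` branch.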
--------------------------------------------------------------------------------
/2023/02_euskalhack/demos/opaque/XTunnel_patched.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/demos/opaque/XTunnel_patched.bin
--------------------------------------------------------------------------------
/2023/02_euskalhack/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/02_euskalhack/slides.pdf
--------------------------------------------------------------------------------
/2023/03_navajanegra/README.md:
--------------------------------------------------------------------------------
# Symbolic execution for security researchers
Slides and resources for the talk "Symbolic execution for security researchers" I gave during Navaja Negra XI (2023).

Find the video recording here: https://www.youtube.com/watch?v=ZyuGNtzm0jE
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/example/example.asm:
--------------------------------------------------------------------------------
global _start

section .text

_start:
    mov rax, 123
    add rax, rsi          ; rsi and rdi are read before being written: the free inputs
    xor rax, rdi
    mov rbx, 0x2
    add rax, rbx
    mov rdi, 0x3
    mov rsi, rax
    add rax, rbx
    xor rax, rdi
    mov rbx, 0x7
    and rax, rbx          ; only the low three bits survive from here on
    mov rdi, 1336
    add rax, rdi
    cmp rax, 1337         ; equal only if the masked value was 1
    jnz bad

good:
    xor rdi, rdi          ; exit status 0
    jmp exit

bad:
    mov rdi, 1            ; exit status 1

exit:
    mov rax, 0x3c         ; SYS_exit
    syscall
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/example/example.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/example/example.o
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/fuzz/afl-build/fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/fuzz/afl-build/fuzz
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/fuzz/crash:
--------------------------------------------------------------------------------
ᯡja gr
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/fuzz/fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/fuzz/fuzz
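example.asm (the same listing ships with both the EuskalHack and the Navaja Negra demos) is the straight-line target for the symbolic execution part of the talk: _start derives one value from rsi and rdi and exits with status 0 only if that value is 1337. The script below is an added example, not part of the talk materials, and it does no symbolic execution. It emulates the instruction sequence with 64-bit wraparound and then uses the one fact a solver would discover on its own: and rax, 7 keeps three bits, and add and xor compute each output bit from input bits of the same or lower position, so the branch is decided by the low three bits of rsi and rdi and 64 concrete runs cover every input. Treating the entry values of rsi and rdi as free inputs is an assumption about how the demo drives the object file inside a symbolic executor; it is not how the kernel starts a process. Function names are mine.

```python
"""Added example, not part of the talk materials: concrete emulation of
example.asm and a bit-locality argument that shrinks its input space."""

MASK64 = (1 << 64) - 1


def run_example(rsi: int, rdi: int) -> int:
    """Execute the instructions of example.asm on entry values rsi, rdi
    (assumed free inputs) and return the exit status: 0 via 'good', 1 via 'bad'."""
    rax = 123                           # mov rax, 123
    rax = (rax + rsi) & MASK64          # add rax, rsi
    rax ^= rdi                          # xor rax, rdi
    rbx = 0x2                           # mov rbx, 0x2
    rax = (rax + rbx) & MASK64          # add rax, rbx
    rdi = 0x3                           # mov rdi, 0x3
    rsi = rax                           # mov rsi, rax (rsi is never read again)
    rax = (rax + rbx) & MASK64          # add rax, rbx
    rax ^= rdi                          # xor rax, rdi
    rbx = 0x7                           # mov rbx, 0x7
    rax &= rbx                          # and rax, rbx
    rdi = 1336                          # mov rdi, 1336
    rax = (rax + rdi) & MASK64          # add rax, rdi
    return 0 if rax == 1337 else 1      # cmp rax, 1337 / jnz bad


def path_constraint(rsi: int, rdi: int) -> bool:
    """The closed form a symbolic executor would hand to its solver:
    ((((123 + rsi) ^ rdi) + 4) ^ 3) & 7 == 1, i.e. ((123 + rsi) ^ rdi) & 7 == 6."""
    return (((123 + rsi) ^ rdi) & 7) == 6


def good_classes():
    """Because 'and rax, 7' discards everything above bit 2 and add/xor never
    let higher bits influence lower ones, only the low three bits of rsi and
    rdi matter: 8 x 8 concrete runs enumerate every equivalence class."""
    return sorted((s, d) for s in range(8) for d in range(8) if run_example(s, d) == 0)


def lift(low_rsi: int, low_rdi: int, high_rsi: int = 0, high_rdi: int = 0):
    """Any 64-bit register values with these low three bits are in the same class."""
    return ((high_rsi << 3) | low_rsi) & MASK64, ((high_rdi << 3) | low_rdi) & MASK64


if __name__ == "__main__":
    for s, d in good_classes():
        print(f"rsi & 7 = {s}, rdi & 7 = {d} -> good")
    rsi, rdi = lift(*good_classes()[0], high_rsi=0xdeadbeef, high_rdi=0x1337)
    print(hex(rsi), hex(rdi), "-> exit status", run_example(rsi, rdi))
```

Every value of rsi has exactly one class of rdi that reaches good, which is the kind of answer a solver returns as a single model; the enumeration makes the whole solution set visible and shows why any model the demo produces can be rewritten freely above bit 2.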
-------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/fuzz.c: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/in/seed: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/afl-secondary: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/afl-secondary.last: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/afl-secondary.last -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/symcc: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/symcc.last: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/fuzz/out/afl-master/.synced/symcc.last -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/afl-master/cmdline: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/2023/03_navajanegra/demos/fuzz/out/symcc/queue/id000002,src000008: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/symcc/queue/id000003,src000008: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/symcc/queue/id000004,src000000: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/symcc/queue/id000005,src000001: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/symcc/queue/id000006,src000010: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/out/symcc/stats: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/fuzz/symcc-build/fuzz: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2023/03_navajanegra/demos/opaque/XTunnel.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/opaque/XTunnel.bin -------------------------------------------------------------------------------- 
/2023/03_navajanegra/demos/opaque/XTunnel_patched.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/demos/opaque/XTunnel_patched.bin
--------------------------------------------------------------------------------
/2023/03_navajanegra/demos/opaque/clean.py:
--------------------------------------------------------------------------------
import z3

from miasm.core.locationdb import LocationDB
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.ir.translators.z3_ir import TranslatorZ3


# Check whether expr and target path constraints are compatible:
# returns True when the symbolic branch destination `expr` can never
# evaluate to `target`, i.e. that side of the conditional is unreachable
# (an opaque predicate) because z3 finds the equality unsatisfiable.
def cannot_branch(expr, target):
    solver = z3.Solver()
    translator = TranslatorZ3()  # convert miasm IR into z3

    c1 = translator.from_expr(expr)
    c2 = translator.from_expr(target)

    solver.add(c1 == c2)
    return solver.check() == z3.unsat


# File path
xtunnel = "./XTunnel.bin"

# Setup miasm context for the XTunnel.bin file
loc_db = LocationDB()
with open(xtunnel, 'rb') as f:
    container = Container.from_stream(f, loc_db)
machine = Machine(container.arch)
dis_engine = machine.dis_engine(container.bin_stream, loc_db=loc_db)

# Define function start address and construct asmcfg and ircfg
f_addr = 0x491AA0
asmcfg = dis_engine.dis_multiblock(f_addr)
lifter = machine.lifter_model_call(dis_engine.loc_db)
ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)

# Load the file as raw bytes (this copy is the one that gets patched)
with open(xtunnel, 'rb') as f:
    xtunnel_bytes = bytearray(f.read())

# Iterate over function basic blocks
for bb in asmcfg.blocks:
    # Extract address of current basic block
    bb_addr = bb.lines[0].offset

    # Initialize a fresh symbolic execution engine: every block is run in
    # isolation with all input registers and memory symbolic, so only
    # predicates that are opaque within a single block are detected
    symex_engine = SymbolicExecutionEngine(lifter)

    # Execute basic block; the result is the symbolic branch destination
    expr = symex_engine.run_block_at(ircfg, bb_addr)

    # Check if the basic block branches (conditional expression)
    if expr.is_cond():
        # Check if it CANNOT branch to the TRUE branch. Only this case is
        # handled: the conditional jump is then never taken, so replacing
        # it with NOPs keeps the fall-through behaviour intact
        if cannot_branch(expr, expr.src1):
            # Get the virtual offset of the jump
            jump_inst = bb.lines[-1]
            jump_virtual_offset = jump_inst.offset

            # Get the initial and end file offsets for the jump basic block
            jump_file_offset_init = container.bin_stream.bin.virt2off(jump_virtual_offset)
            jump_file_offset_end = jump_file_offset_init + len(jump_inst.b)

            # Patch with NOPs
            for byte in range(jump_file_offset_init, jump_file_offset_end):
                xtunnel_bytes[byte] = 0x90  # NOP

with open("XTunnel_patched.bin", 'wb') as f:
    f.write(xtunnel_bytes)
--------------------------------------------------------------------------------
/2023/03_navajanegra/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2023/03_navajanegra/slides.pdf
--------------------------------------------------------------------------------
/2024/00_bar/README.md:
--------------------------------------------------------------------------------
# Hands-on binary (de)obfuscation (updated '24)

Slides for the presentation of my research [paper](./paper.pdf) "Efficient Normalized Reduction and Generation of Equivalent Multivariate Binary Polynomials" at the Workshop on Binary Analysis Research (BAR) within the Network and Distributed System Security (NDSS) Symposium in 2024.

Find the video recording here: https://www.youtube.com/watch?v=1aGFgD69deU&t=15212s
--------------------------------------------------------------------------------
/2024/00_bar/paper.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/00_bar/paper.pdf
--------------------------------------------------------------------------------
/2024/00_bar/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/00_bar/slides.pdf
--------------------------------------------------------------------------------
/2024/01_euskalhack/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:22.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update
RUN apt-get install -y git python3-pip python3-venv graphviz
RUN git config --global advice.detachedHead false

ENV VIRTUAL_ENV=/opt/eh-env
RUN python3 -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
RUN pip3 install jupyterlab sympy numpy showast networkx matplotlib

# Install msynth, miasm, and dependencies
# (msynth is pinned to a fixed commit so the workshop material keeps working)
RUN mkdir /opt/tools
WORKDIR /opt/tools
RUN git clone https://github.com/mrphrazer/msynth.git
WORKDIR /opt/tools/msynth
RUN git checkout 1418accdc106926bedc8f5a6ae406e9f6c029d74
RUN git submodule update --init --rebase
RUN pip3 install -r requirements.txt
RUN pip3 install .

RUN mkdir /opt/workshop
WORKDIR /opt/workshop
EXPOSE 8888
ENTRYPOINT ["jupyter-lab", "--ip=0.0.0.0","--allow-root"]
--------------------------------------------------------------------------------
/2024/01_euskalhack/INSTALL.txt:
--------------------------------------------------------------------------------
Build the docker image from the Dockerfile
---
docker build -t eh2024-deobfuscation .


Run the docker image, exposing the jupyter-lab instance on localhost:8888
---
:: Linux / macOS ::
docker run -p 8888:8888 -v ./workshop:/opt/workshop eh2024-deobfuscation

:: Windows ::
docker run -p 8888:8888 -v $PWD/workshop:/opt/workshop eh2024-deobfuscation


> Note: the host's ./workshop folder and the container's /opt/workshop folder are kept in sync (bind mount).
> Note: depending on your docker installation, you might need to "sudo" the previous commands.
--------------------------------------------------------------------------------
/2024/01_euskalhack/README.md:
--------------------------------------------------------------------------------
# Hands-on binary (de)obfuscation (updated '24)

Slides and resources for the workshop "Hands-on binary (de)obfuscation" I gave during EuskalHack Security Congress VII (2024).
--------------------------------------------------------------------------------
/2024/01_euskalhack/slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/01_euskalhack/slides.pdf
--------------------------------------------------------------------------------
/2024/01_euskalhack/workshop/bin/scramble1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/01_euskalhack/workshop/bin/scramble1
--------------------------------------------------------------------------------
/2024/01_euskalhack/workshop/bin/scramble2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/01_euskalhack/workshop/bin/scramble2
--------------------------------------------------------------------------------
/2024/01_euskalhack/workshop/bin/scramble3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/01_euskalhack/workshop/bin/scramble3
--------------------------------------------------------------------------------
/2024/01_euskalhack/workshop/bin/scramble4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2024/01_euskalhack/workshop/bin/scramble4
--------------------------------------------------------------------------------
/2025/00_ringzer0/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:22.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update
RUN apt-get install -y git python3-pip python3-venv graphviz
RUN git config --global advice.detachedHead false

ENV VIRTUAL_ENV=/opt/eh-env
RUN python3 -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
RUN pip3 install jupyterlab sympy numpy showast networkx matplotlib

# Install msynth, miasm, and dependencies
# (msynth is pinned to a fixed commit so the workshop material keeps working)
RUN mkdir /opt/tools
WORKDIR /opt/tools
RUN git clone https://github.com/mrphrazer/msynth.git
WORKDIR /opt/tools/msynth
RUN git checkout 1418accdc106926bedc8f5a6ae406e9f6c029d74
RUN git submodule update --init --rebase
RUN pip3 install -r requirements.txt
RUN pip3 install .

RUN mkdir /opt/workshop
WORKDIR /opt/workshop
EXPOSE 8888
ENTRYPOINT ["jupyter-lab", "--ip=0.0.0.0","--allow-root"]
--------------------------------------------------------------------------------
/2025/00_ringzer0/INSTALL.txt:
--------------------------------------------------------------------------------
Build the docker image from the Dockerfile
---
docker build -t r0_2025-deobfuscation .


Run the docker image, exposing the jupyter-lab instance on localhost:8888
---
:: Linux / macOS ::
docker run -p 8888:8888 -v ./workshop:/opt/workshop r0_2025-deobfuscation

:: Windows ::
docker run -p 8888:8888 -v $PWD/workshop:/opt/workshop r0_2025-deobfuscation


> Note: the host's ./workshop folder and the container's /opt/workshop folder are kept in sync (bind mount).
> Note: depending on your docker installation, you might need to "sudo" the previous commands.
--------------------------------------------------------------------------------
/2025/00_ringzer0/README.md:
--------------------------------------------------------------------------------
# Hands-on binary (de)obfuscation

Slides and resources for the workshop "Hands-on binary (de)obfuscation" I gave during Ringzer0 BOOTSTRAP25.
-------------------------------------------------------------------------------- /2025/00_ringzer0/slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2025/00_ringzer0/slides.pdf -------------------------------------------------------------------------------- /2025/00_ringzer0/workshop/bin/scramble1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2025/00_ringzer0/workshop/bin/scramble1 -------------------------------------------------------------------------------- /2025/00_ringzer0/workshop/bin/scramble2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2025/00_ringzer0/workshop/bin/scramble2 -------------------------------------------------------------------------------- /2025/00_ringzer0/workshop/bin/scramble3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2025/00_ringzer0/workshop/bin/scramble3 -------------------------------------------------------------------------------- /2025/00_ringzer0/workshop/bin/scramble4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arnaugamez/talks/a5d3993deb481bef3264a0921532a88254da2d91/2025/00_ringzer0/workshop/bin/scramble4 -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Attribution 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative 
Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. 
More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution 4.0 International Public License 58 | 59 | By exercising the Licensed Rights (defined below), You accept and agree 60 | to be bound by the terms and conditions of this Creative Commons 61 | Attribution 4.0 International Public License ("Public License"). To the 62 | extent this Public License may be interpreted as a contract, You are 63 | granted the Licensed Rights in consideration of Your acceptance of 64 | these terms and conditions, and the Licensor grants You such rights in 65 | consideration of benefits the Licensor receives from making the 66 | Licensed Material available under these terms and conditions. 67 | 68 | 69 | Section 1 -- Definitions. 70 | 71 | a. 
Adapted Material means material subject to Copyright and Similar 72 | Rights that is derived from or based upon the Licensed Material 73 | and in which the Licensed Material is translated, altered, 74 | arranged, transformed, or otherwise modified in a manner requiring 75 | permission under the Copyright and Similar Rights held by the 76 | Licensor. For purposes of this Public License, where the Licensed 77 | Material is a musical work, performance, or sound recording, 78 | Adapted Material is always produced where the Licensed Material is 79 | synched in timed relation with a moving image. 80 | 81 | b. Adapter's License means the license You apply to Your Copyright 82 | and Similar Rights in Your contributions to Adapted Material in 83 | accordance with the terms and conditions of this Public License. 84 | 85 | c. Copyright and Similar Rights means copyright and/or similar rights 86 | closely related to copyright including, without limitation, 87 | performance, broadcast, sound recording, and Sui Generis Database 88 | Rights, without regard to how the rights are labeled or 89 | categorized. For purposes of this Public License, the rights 90 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 91 | Rights. 92 | 93 | d. Effective Technological Measures means those measures that, in the 94 | absence of proper authority, may not be circumvented under laws 95 | fulfilling obligations under Article 11 of the WIPO Copyright 96 | Treaty adopted on December 20, 1996, and/or similar international 97 | agreements. 98 | 99 | e. Exceptions and Limitations means fair use, fair dealing, and/or 100 | any other exception or limitation to Copyright and Similar Rights 101 | that applies to Your use of the Licensed Material. 102 | 103 | f. Licensed Material means the artistic or literary work, database, 104 | or other material to which the Licensor applied this Public 105 | License. 106 | 107 | g. 
Licensed Rights means the rights granted to You subject to the 108 | terms and conditions of this Public License, which are limited to 109 | all Copyright and Similar Rights that apply to Your use of the 110 | Licensed Material and that the Licensor has authority to license. 111 | 112 | h. Licensor means the individual(s) or entity(ies) granting rights 113 | under this Public License. 114 | 115 | i. Share means to provide material to the public by any means or 116 | process that requires permission under the Licensed Rights, such 117 | as reproduction, public display, public performance, distribution, 118 | dissemination, communication, or importation, and to make material 119 | available to the public including in ways that members of the 120 | public may access the material from a place and at a time 121 | individually chosen by them. 122 | 123 | j. Sui Generis Database Rights means rights other than copyright 124 | resulting from Directive 96/9/EC of the European Parliament and of 125 | the Council of 11 March 1996 on the legal protection of databases, 126 | as amended and/or succeeded, as well as other essentially 127 | equivalent rights anywhere in the world. 128 | 129 | k. You means the individual or entity exercising the Licensed Rights 130 | under this Public License. Your has a corresponding meaning. 131 | 132 | 133 | Section 2 -- Scope. 134 | 135 | a. License grant. 136 | 137 | 1. Subject to the terms and conditions of this Public License, 138 | the Licensor hereby grants You a worldwide, royalty-free, 139 | non-sublicensable, non-exclusive, irrevocable license to 140 | exercise the Licensed Rights in the Licensed Material to: 141 | 142 | a. reproduce and Share the Licensed Material, in whole or 143 | in part; and 144 | 145 | b. produce, reproduce, and Share Adapted Material. 146 | 147 | 2. Exceptions and Limitations. 
For the avoidance of doubt, where 148 | Exceptions and Limitations apply to Your use, this Public 149 | License does not apply, and You do not need to comply with 150 | its terms and conditions. 151 | 152 | 3. Term. The term of this Public License is specified in Section 153 | 6(a). 154 | 155 | 4. Media and formats; technical modifications allowed. The 156 | Licensor authorizes You to exercise the Licensed Rights in 157 | all media and formats whether now known or hereafter created, 158 | and to make technical modifications necessary to do so. The 159 | Licensor waives and/or agrees not to assert any right or 160 | authority to forbid You from making technical modifications 161 | necessary to exercise the Licensed Rights, including 162 | technical modifications necessary to circumvent Effective 163 | Technological Measures. For purposes of this Public License, 164 | simply making modifications authorized by this Section 2(a) 165 | (4) never produces Adapted Material. 166 | 167 | 5. Downstream recipients. 168 | 169 | a. Offer from the Licensor -- Licensed Material. Every 170 | recipient of the Licensed Material automatically 171 | receives an offer from the Licensor to exercise the 172 | Licensed Rights under the terms and conditions of this 173 | Public License. 174 | 175 | b. No downstream restrictions. You may not offer or impose 176 | any additional or different terms or conditions on, or 177 | apply any Effective Technological Measures to, the 178 | Licensed Material if doing so restricts exercise of the 179 | Licensed Rights by any recipient of the Licensed 180 | Material. 181 | 182 | 6. No endorsement. Nothing in this Public License constitutes or 183 | may be construed as permission to assert or imply that You 184 | are, or that Your use of the Licensed Material is, connected 185 | with, or sponsored, endorsed, or granted official status by, 186 | the Licensor or others designated to receive attribution as 187 | provided in Section 3(a)(1)(A)(i). 
188 | 189 | b. Other rights. 190 | 191 | 1. Moral rights, such as the right of integrity, are not 192 | licensed under this Public License, nor are publicity, 193 | privacy, and/or other similar personality rights; however, to 194 | the extent possible, the Licensor waives and/or agrees not to 195 | assert any such rights held by the Licensor to the limited 196 | extent necessary to allow You to exercise the Licensed 197 | Rights, but not otherwise. 198 | 199 | 2. Patent and trademark rights are not licensed under this 200 | Public License. 201 | 202 | 3. To the extent possible, the Licensor waives any right to 203 | collect royalties from You for the exercise of the Licensed 204 | Rights, whether directly or through a collecting society 205 | under any voluntary or waivable statutory or compulsory 206 | licensing scheme. In all other cases the Licensor expressly 207 | reserves any right to collect such royalties. 208 | 209 | 210 | Section 3 -- License Conditions. 211 | 212 | Your exercise of the Licensed Rights is expressly made subject to the 213 | following conditions. 214 | 215 | a. Attribution. 216 | 217 | 1. If You Share the Licensed Material (including in modified 218 | form), You must: 219 | 220 | a. retain the following if it is supplied by the Licensor 221 | with the Licensed Material: 222 | 223 | i. identification of the creator(s) of the Licensed 224 | Material and any others designated to receive 225 | attribution, in any reasonable manner requested by 226 | the Licensor (including by pseudonym if 227 | designated); 228 | 229 | ii. a copyright notice; 230 | 231 | iii. a notice that refers to this Public License; 232 | 233 | iv. a notice that refers to the disclaimer of 234 | warranties; 235 | 236 | v. a URI or hyperlink to the Licensed Material to the 237 | extent reasonably practicable; 238 | 239 | b. indicate if You modified the Licensed Material and 240 | retain an indication of any previous modifications; and 241 | 242 | c. 
indicate the Licensed Material is licensed under this 243 | Public License, and include the text of, or the URI or 244 | hyperlink to, this Public License. 245 | 246 | 2. You may satisfy the conditions in Section 3(a)(1) in any 247 | reasonable manner based on the medium, means, and context in 248 | which You Share the Licensed Material. For example, it may be 249 | reasonable to satisfy the conditions by providing a URI or 250 | hyperlink to a resource that includes the required 251 | information. 252 | 253 | 3. If requested by the Licensor, You must remove any of the 254 | information required by Section 3(a)(1)(A) to the extent 255 | reasonably practicable. 256 | 257 | 4. If You Share Adapted Material You produce, the Adapter's 258 | License You apply must not prevent recipients of the Adapted 259 | Material from complying with this Public License. 260 | 261 | 262 | Section 4 -- Sui Generis Database Rights. 263 | 264 | Where the Licensed Rights include Sui Generis Database Rights that 265 | apply to Your use of the Licensed Material: 266 | 267 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 268 | to extract, reuse, reproduce, and Share all or a substantial 269 | portion of the contents of the database; 270 | 271 | b. if You include all or a substantial portion of the database 272 | contents in a database in which You have Sui Generis Database 273 | Rights, then the database in which You have Sui Generis Database 274 | Rights (but not its individual contents) is Adapted Material; and 275 | 276 | c. You must comply with the conditions in Section 3(a) if You Share 277 | all or a substantial portion of the contents of the database. 278 | 279 | For the avoidance of doubt, this Section 4 supplements and does not 280 | replace Your obligations under this Public License where the Licensed 281 | Rights include other Copyright and Similar Rights. 282 | 283 | 284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 285 | 286 | a. 
UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 296 | 297 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 304 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 306 | 307 | c. The disclaimer of warranties and limitation of liability provided 308 | above shall be interpreted in a manner that, to the extent 309 | possible, most closely approximates an absolute disclaimer and 310 | waiver of all liability. 311 | 312 | 313 | Section 6 -- Term and Termination. 314 | 315 | a. This Public License applies for the term of the Copyright and 316 | Similar Rights licensed here. However, if You fail to comply with 317 | this Public License, then Your rights under this Public License 318 | terminate automatically. 319 | 320 | b. Where Your right to use the Licensed Material has terminated under 321 | Section 6(a), it reinstates: 322 | 323 | 1. 
automatically as of the date the violation is cured, provided 324 | it is cured within 30 days of Your discovery of the 325 | violation; or 326 | 327 | 2. upon express reinstatement by the Licensor. 328 | 329 | For the avoidance of doubt, this Section 6(b) does not affect any 330 | right the Licensor may have to seek remedies for Your violations 331 | of this Public License. 332 | 333 | c. For the avoidance of doubt, the Licensor may also offer the 334 | Licensed Material under separate terms or conditions or stop 335 | distributing the Licensed Material at any time; however, doing so 336 | will not terminate this Public License. 337 | 338 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 339 | License. 340 | 341 | 342 | Section 7 -- Other Terms and Conditions. 343 | 344 | a. The Licensor shall not be bound by any additional or different 345 | terms or conditions communicated by You unless expressly agreed. 346 | 347 | b. Any arrangements, understandings, or agreements regarding the 348 | Licensed Material not stated herein are separate from and 349 | independent of the terms and conditions of this Public License. 350 | 351 | 352 | Section 8 -- Interpretation. 353 | 354 | a. For the avoidance of doubt, this Public License does not, and 355 | shall not be interpreted to, reduce, limit, restrict, or impose 356 | conditions on any use of the Licensed Material that could lawfully 357 | be made without permission under this Public License. 358 | 359 | b. To the extent possible, if any provision of this Public License is 360 | deemed unenforceable, it shall be automatically reformed to the 361 | minimum extent necessary to make it enforceable. If the provision 362 | cannot be reformed, it shall be severed from this Public License 363 | without affecting the enforceability of the remaining terms and 364 | conditions. 365 | 366 | c. 
No term or condition of this Public License will be waived and no 367 | failure to comply consented to unless expressly agreed to by the 368 | Licensor. 369 | 370 | d. Nothing in this Public License constitutes or may be interpreted 371 | as a limitation upon, or waiver of, any privileges and immunities 372 | that apply to the Licensor or You, including from the legal 373 | processes of any jurisdiction or authority. 374 | 375 | 376 | ======================================================================= 377 | 378 | Creative Commons is not a party to its public licenses. 379 | Notwithstanding, Creative Commons may elect to apply one of its public 380 | licenses to material it publishes and in those instances will be 381 | considered the “Licensor.” The text of the Creative Commons public 382 | licenses is dedicated to the public domain under the CC0 Public Domain 383 | Dedication. Except for the limited purpose of indicating that material 384 | is shared under a Creative Commons public license or as otherwise 385 | permitted by the Creative Commons policies published at 386 | creativecommons.org/policies, Creative Commons does not authorize the 387 | use of the trademark "Creative Commons" or any other trademark or logo 388 | of Creative Commons without its prior written consent including, 389 | without limitation, in connection with any unauthorized modifications 390 | to any of its public licenses or any other arrangements, 391 | understandings, or agreements concerning use of licensed material. For 392 | the avoidance of doubt, this paragraph does not form part of the public 393 | licenses. 394 | 395 | Creative Commons may be contacted at creativecommons.org. 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![LinkedIn](https://img.shields.io/badge/LinkedIn-Follow-blue)](https://www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=arnaugamez)
![Mastodon Follow](https://img.shields.io/mastodon/follow/109298831472487864?domain=https%3A%2F%2Finfosec.exchange&style=social)
[![License: CC BY 4.0](https://img.shields.io/badge/License-CC_BY_4.0-lightgrey.svg)](https://creativecommons.org/licenses/by/4.0/)

---
## Upcoming trainings
### Public offerings
Looking for public offerings? [Get notified](https://subscribe.furalabs.com/)

### Private training

| Training | Location | Length |
|---|---|---|
| Advanced Software Protection - Attacks and Defense | In-person / Remote | 4 days (flexible) |
| An Analytical Approach to Modern Binary Deobfuscation | In-person / Remote | 4 days (flexible) |

## Presentations

### 2025
[**Hands-on binary (de)obfuscation (updated '25)**<br>*03/2025* | Ringzer0](2025/00_ringzer0/)

### 2024
[**Hands-on binary (de)obfuscation (updated '24)**<br>*06/2024* | EuskalHack](2024/01_euskalhack/)

[**Efficient Normalized Reduction and Generation of Equivalent Multivariate Binary Polynomials**<br>*03/2024* | Workshop on Binary Analysis Research (BAR) @ NDSS](2024/00_bar/)

### 2023
[**Symbolic execution for security researchers (updated)**<br>*10/2023* | Navaja Negra](2023/03_navajanegra/)

[**Symbolic execution for security researchers**<br>*06/2023* | EuskalHack](2023/02_euskalhack/)

[**Tales of software protection: cryptography and obfuscation, better together**<br>*03/2023* | RootedCON](2023/01_rootedcon/)

[**Hands-on binary (de)obfuscation (updated '23)**<br>*02/2023* | h-c0n](2023/00_h-c0n/)

### 2022
[**A practical approach to advanced code obfuscation with MBA expressions**<br>*08/2022* | HITB SecConf Singapore](2022/02_hackinthebox-sin/)

[**Hands-on binary (de)obfuscation**<br>*06/2022* | Ringzer0](2022/01_r0-workshop/)

[**Code obfuscation through Mixed Boolean-Arithmetic expressions**<br>*02/2022* | h-c0n](2022/00_h-c0n/)

### 2021
[**Code obfuscation through Mixed Boolean-Arithmetic expressions**<br>*11/2021* | Intent Summit](2021/00_intent/)

### 2020
[**A review of modern code deobfuscation techniques**<br>*07/2020* | HITB Lockdown 002](2020/02_hackinthebox-sin/)

[**Code emulation for reverse engineers: A deep dive into radare2's ESIL**<br>*05/2020* | RuhrSec](2020/01_ruhrsec/)

[**Overcoming fear: reversing with radare2**<br>*02/2020* | h-c0n](2020/00_h-c0n/)

### 2019
[**A journey through ESIL**<br>*09/2019* | r2con](2019/02_r2con/)

[**Overcoming fear: reversing with radare2**<br>*05/2019* | HITB SecConf Amsterdam](2019/01_hackinthebox-ams/)

[**Stack machines unchained: code emulation with ESIL**<br>*04/2019* | Overdrive Conference](2019/00_overdriveconference/)

### 2018
[**Introducing radare2 for humans**<br>*09/2018* | r2con](2018/04_r2con/)

[**Playing with binary formats**<br>*04/2018* | Overdrive Conference](2018/03_overdriveconference/)

[**Brief introduction to reverse engineering using radare2**<br>*04/2018* | NcNLabs](2018/02_noconname-lab/)

[**Hacking tokens: a massive POC**<br>*03/2018* | RootedCON](2018/01_rootedcon/)

[**IoT, S stands for security**<br>*02/2018* | HackDay UDG](2018/00_hackday-udg/)

### 2017
[**Introduction to RE and stego using r2**<br>*12/2017* | HackDay UDG](2017/01_hackday-udg/)

[**Auditing WiFi networks**<br>*04/2017* | Matefest-Infofest UB](2017/00_matefest-infofest-ub/)

## License
All the slides and materials authored are under [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/) unless stated otherwise.

You can find a copy of the license at [LICENSE.md](LICENSE.md) for your convenience.
--------------------------------------------------------------------------------