
Okay, legal disclaimer: so my employer is not associated with this joke, which is great news. I can tell you for instance that I support abortion. From a legal standpoint it means when you present your reverse engineering and your company is not backing you, you turn to the EFF. I saw they have a booth somewhere; please give a warm round of applause for those people. There would really be no such talks, you know, without the backing. I'd like to thank Christian Fisher for, you know, releasing me from my cage at Salesforce today, opening the door of my cage and, you know, patting me on the back nicely: "It's time to go, it's time to let me out." That was for Burning Man; that's why I'm just like this.

So I don't know if you see this, but from my point of view this is super [ __ ] impressive, and thanks for generally enslaving us. This looks totally like, yeah, this clip from AC/DC, you familiar with the thing called Thunderstruck? Yeah, I kind of miss singing; we used to do that in Australia. You want to give me a thunderstruck? You've been struck again, you've been [ __ ]. Yeah, so for the demos, if you liked it, feel free to, yeah, thunderstruck me.

Okay, if you want to leave right now: so the tool is free software, it's all real MIT/BSD license, it's already on GitHub, so feel free to submit, feel free to, you know, commit code and explain your own ideas and wish that I will maintain it. [Laughter]

All right, so a bit of who am I. So I'm an immigrant, absolutely; thanks for adopting me. So I was born in France. No, that's not France, that's friends. So tell me... Then I moved to Brazil. Do you have anybody from France, by the way? Yeah, the French invading us. Do you have anybody from Brazil? Yes, you from Fresno? Kato, Brazil, Greta, yo, I William, watch it. All right, so I'm very grateful to these communities around the world, that's why I'm mentioning them. The community in Brazil is like absolutely amazing. Then I moved to India. Yeah, anybody from India? All right, if you caught this man, it was my first boss in India, it's called big cache easier this week. If you see him, please give him a beer, okay, maybe half a beer, yeah, be nice to him. And then I moved to the third world in a year, in Australia. Okay, so you know the problem with these countries is that when they send the engineers, I mean they don't send the best people, you know, they send the exploit writers, you know, the malware engineers, you know, the reverse engineers, and I mean I'm sure some of them are good people, but they bring the problem with us.

All right, so that's what we're going to be talking about today. There's a massive delay with the video, sorry about that. Okay, since we have some time to catch up on the video, I'd like all of you to give a hand to your neighbor; we're gonna pray for the demo gods. You've got the gold? Yeah, we got it.

Okay, so today I'm gonna introduce you to a tool which has many uses and many components, because like all good hacking tools you don't know what you're doing before you actually try. We're going to do a few things which are supposed to be super difficult problems in reverse engineering. We're going to start with libification, so that's transforming an application into a shared library so we can steal the functions inside, I mean reuse the functions inside, of course. We're gonna try to unlink binaries, so that's undoing... when you compile source code you typically first create object files, which is the output of the compiler, and then you link them together into a binary or shared library, and we're gonna try to undo the work of the linker. Then we're gonna try to transform ELF files into, sorry, PE files into ELF, and then we do like batshit crazy stuff as much as we can.

All right, the components: so the Witchcraft Compiler Collection is basically a linker, a compiler and a dynamic interpreter. The difference with a typical tool chain is that the input is not source code, it's final binaries that you're trying to steal routines from, and it's built on top of Lua, which allows for, you know, easy extensions without any C, without any assembly or anything like this, and allows to do funny things for, you know, a higher level purpose when you want to play with the API and things like this, which hopefully we'd like to cover. So the tool also currently has to be x86 64-bit; we will see that we can actually debug applications for other platforms with the Witchcraft Compiler Collection natively on Linux, because it's cool.

Okay, let's start with the libification thing. So basically the goal of this exercise is to take an ELF executable and transform it into a library so we can reuse functions in it. Let's start with demos.

Okay, so the Makefile contains most of the magic. Let me show you also the C code and comment along. So basically what we're trying to do here is to call a given function inside a binary called proftpd, which is like an FTP server. I'd like to call this particular function, init PR and discover and get string, which is what prints the version number. So this C code says we're gonna use dlopen to load proftpd.so into memory, find the given function that we want to call, and well, just essentially call it. It's returning a string and we're going to display the string. So what's a bit magic is proftpd is not initially a shared library, so we're going to take proftpd, copy it to /tmp and libify it, so transform it into a shared library, which will allow me to then... So I mean if we step back, we're taking an FTP server, we transform it into a library and then I'm writing my own C code to interface with that. Is there any IT teacher in the room? I mean if anybody like, you know, is in academia and stuff like that, make sure to check the pulse like every minute or so; they may not like this too much. Okay, so I compiled that, you got the idea, right? We're going to take proftpd and we're going to call a function inside proftpd which returns the version. Boom. So this one for instance is ProFTPD 1.3.5a. You saw what we did, yeah? Give me a thunderstruck. What? Exactly.

Okay, so that was too easy. So we need to transform applications into libraries. To do this I patched exactly one byte inside the header. So if you look at the solution you might be like, yeah, that's super trivial. If you try to understand why this works, it's actually pretty deep; in particular this doesn't work on a Linux kernel before 3.6.16. What we really did is transform the type of the object from ET_EXEC to ET_DYN, which are like two types of executable binaries. Essentially, the way we introduced address space layout randomization in the Linux kernel was by allowing executing shared libraries directly. It's a bit of a funny way to do it when you think about it, but it makes a lot of sense compared to recreating an entire tool chain able to, like, generate executables that can have a base address randomized in memory, since it's a fundamental property of shared libraries: if you compile for instance Apache as a shared library, so it again, it will be randomized, and that's how we introduced randomization in the Linux kernel, and that's why this trick, which is not obvious, works. Any questions so far? Okay.
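The one-byte header patch described above, as an added example that is not code from the talk or from the Witchcraft Compiler Collection itself. The script parses the ELF header by hand, reads the `e_type` field (offset 16 in both ELF32 and ELF64 headers), rewrites ET_EXEC (2) to ET_DYN (3), and then diffs the two images to confirm that exactly one byte changed. The 64-byte ELF64 header it operates on is constructed inline as sample data (it is not a real binary, and the entry point, machine and header sizes in it are made-up values), so it runs offline; pointing `libify()` at the bytes of a real file is the same call.

```python
import struct

# e_type values from the ELF specification
ET_NONE, ET_REL, ET_EXEC, ET_DYN, ET_CORE = range(5)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_X86_64 = 62
E_TYPE_OFFSET = 16  # e_type sits right after the 16-byte e_ident in ELF32 and ELF64


def build_sample_elf64_header(e_type):
    """Constructed 64-byte ELF64 header used as sample input here (not a real binary)."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, EM_X86_64, 1, 0x401000, 64, 0, 0, 64, 56, 0, 64, 0, 0,
    )


def byte_order(data):
    """Return the struct prefix matching EI_DATA, after checking the magic."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[5] == ELFDATA2LSB:
        return "<"
    if data[5] == ELFDATA2MSB:
        return ">"
    raise ValueError("unknown EI_DATA value")


def elf_type(data):
    """Read e_type from the header, honouring the file's own byte order."""
    return struct.unpack_from(byte_order(data) + "H", data, E_TYPE_OFFSET)[0]


def libify(data):
    """Return a copy with e_type rewritten from ET_EXEC to ET_DYN.

    Only the type field is touched: code, program headers and relocations
    stay exactly as they were, which is the whole trick described in the talk.
    """
    kind = elf_type(data)
    if kind == ET_DYN:
        return bytes(data)  # already a shared object, nothing to do
    if kind != ET_EXEC:
        raise ValueError(f"expected ET_EXEC (2), got e_type={kind}")
    patched = bytearray(data)
    struct.pack_into(byte_order(data) + "H", patched, E_TYPE_OFFSET, ET_DYN)
    return bytes(patched)


def changed_offsets(before, after):
    """Offsets at which two equal-length byte strings differ."""
    if len(before) != len(after):
        raise ValueError("length changed; a header patch must not resize the file")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


if __name__ == "__main__":
    original = build_sample_elf64_header(ET_EXEC)
    shared = libify(original)
    print("e_type before:", elf_type(original), "after:", elf_type(shared))
    print("bytes changed:", changed_offsets(original, shared))
```

On a little-endian file the only offset reported is 16, since ET_EXEC and ET_DYN differ in the low byte of `e_type`. A quick sanity check after patching a real file is `file` or `readelf -h`, which should now report the image as a shared object; whether the loader is then happy with it is a separate question, which is exactly the kernel-version dependency the talk mentions.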
All right, so we're going to do something a bit more violent. There's essentially two types of executables, right, in the Linux world and in the ELF world. So there's ET_EXEC, which is exactly the type we took for proftpd to transform into a shared library, and those which already support ASLR, and it's typically the case of Apache. All right, so how much did you pray to the demo gods? Give a hand to your neighbor. If it doesn't work it's your fault; I told you it wouldn't work. Okay, so truth is I knew this demo didn't work. The reason for it is the linker of the latest version of Ubuntu is basically broken, so there's a plan B.

Okay, I'm gonna connect to a remote server, or I recorded this as a script, but it does exactly the same thing. Okay, so I'm connecting to a remote server; even ls is slow in script. Okay, so make fails. If you Google, like, the error, that's very much a problem in the tool chain of the latest Ubuntu Xenial; I can do nothing about this, I mean I don't care. So I compiled this on a remote server and what I'm gonna do is link my own C code against Apache directly to do exactly the stuff we just did with proftpd. Take a second to look at this though. Okay, I need to show you the source code first. Okay, the source code of the C program is very similar to what we just did. Okay, I want to call this function inside Apache.

Oh okay, you're gonna see this like in a minute. Basically I want to call the function ap_get_server_banner, which belongs to Apache, and return this version number from my own C code. The difference with the previous case is I don't actually need to transform Apache into a shared library because it's already compiled with ASLR, so very much like a shared library. So I'm gonna do something which is a bit unorthodox: I'm gonna pretend I didn't understand that Apache was not made to be linked that way, and I'm gonna link against Apache as if it really was a shared library. It's like the LDFLAGS over there. Okay, so let's run the demo again, because it was cool. So what's interesting in those cases is that I did zero proper reverse engineering in terms of, you know, decompiling, disassembling or trying to understand like what are the calling conventions or complicated things like that for the functions I wanna call from Apache. I just said like, let's just call it. Okay, anyone? Thunderstruck? Yes. So one thing super weird: if you look at the way the binary is actually linked, you can see that the second line is super unusual for shared libraries, very much /usr/sbin/apache2, which sounds like... what? That was too easy.

Okay, we just solved a major problem of reverse engineering. Let's move to another one which is bigger. So if I tell you reverse engineering, you might be thinking this, like, yeah yeah, I'm gonna take my binary and disassemble it and transform it back to C and then I'm gonna recompile it, and truth is like this is a whole lot of work. So the typical way would look like this: if you take C source code, a normal tool chain like a compiler would produce relocatable objects that you link into binaries, and the standard way to do reverse engineering is to go back to the source code. Oh, but we don't do that. Instead of doing that, let's just undo the work of the final step, the dynamic linker, because if I get back the relocatable object files I can embed them inside my own code.

So I think I lost you a little bit. Let's imagine I'm studying an application, like I did that with my team last week, like you have an SS7 stack, which is a super exotic network stack, and the main application doesn't work, but you'd like to steal functions out of it. Can we do that without disassembling? So the tool we're going to use is called wcc; it's the core compiler of the witchcraft tool chain, and unlike a standard compiler it doesn't take source code as an input, it takes binaries, but the output is very similar to what GCC would give you, and actually the command line is made to be somewhat... yeah, no, not yeah, somewhat, no, it's actually dissimilar. The front end is built on top of libbfd, which stands for BFD, exactly right, big [ __ ] deal. So the backstory: the GNU guys were like, you know, discussing having a layer of abstraction between file formats and they were like, yeah, that's going to be super trivial, let's call it big [ __ ] deal. When you look at the complexity of the problem and the quality of the code, you laugh here. All right, the benefit is that my compiler, by leveraging the BFD, can cross compile to other things and take other things as an input than ELF.

So we're going to demo this. So let's take a binary, transform it back to an object file, and strip it potentially, and make use of it. So if I take proftpd, we can run this demo right now. If I take proftpd the way it shipped, so the binary doesn't have, you know, debug symbols and things like this, the binary has been stripped, and wcc is capable of analyzing this and stripping it to an object file. And I mean the neat trick is, instead of recreating your entire chain, is to fit into the existing elements. So I'm just undoing the work of the linker with wcc and then I'm relinking very much with GCC to produce a shared library. Yeah, too easy, you kidding me? I have 10 minutes left.

Okay, let's get started. So let's cross a PE and an ELF. This is my favorite slide over; I think it makes a lot of sense. Oh, okay, I'm just gonna run that, I'm just gonna do the demo. Okay, so if we go into Chrome here, I have a version of Chrome and I have a version of Internet Explorer; one is 32-bit, the other one is 64-bit. I'm just gonna type make; it should come, it's just slow. Wow, and I just created chrome.bin and Internet Explorer .bin. Yeah, what the hell is going on here? You guys stop. Don't think... the thing, the network, when I'm trying to connect here. Okay, you know, yeah, the demos are public so you would have to trust me on that one. Okay, and you can see the slides, though, right? Amazing.
Thunderstruck. [Music]

That sure was going on... So you have amazing exploits that I'm gonna explain to you while typing them. Okay, let's imagine we have a C source code. I lost my connection to the network; maybe that's related.

Come on.

My brother, I may need you to action something.

Okay, freestyle time. So you check the code and like, are we back? There's something on my screen. Okay, my favorite part of the tool is basically, once you know how to transform something into a shared library, what would be interesting would be to map it in memory and in a state so that it can be executed without actually needing to run it, exactly. So the way to do this is basically to abuse a primitive called dlopen, which will solve the relocations for us and recursively load all the dependencies, fix the relocations and do all the other work for us of interfacing with the dynamic linker. I'm not sure what's going on.

So that works wonders. You can do that with an Intel application, and you can do that natively on a Linux machine which has an Intel CPU; you can actually debug ARM applications too. So the way to do this is to do it without a VM, so I'm debugging natively ARM libraries on my Linux machine and I get the binary translation from like the user mode of QEMU. I would love to demo you this; right now I have interfaced with like a very cool Lua interpreter which gives us the equivalent of reflection that exists in Java but without the need of a virtual machine, so you can load shared libraries in memory, export the API and directly call the functions, and I'm not sure I managed to demo you this.
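The dlopen/dlsym pattern described here, and used by the C program in the proftpd demo earlier (load the library, resolve one function by name, call it, display the string it returns), as an added example that is neither the talk's C code nor part of the Witchcraft Compiler Collection. It uses Python's `ctypes`, which calls `dlopen()` and `dlsym()` underneath, and exercises the primitive against the C library rather than a libified proftpd.so so that it runs anywhere: `default_library_path()` and the two demo wrappers are this example's own names, and the only thing the caller has to know about each function is the C prototype it decides to attach, not anything about the function's body. The strings and errno value passed in are constructed sample inputs.

```python
import ctypes
import ctypes.util


def default_library_path():
    """Path handed to dlopen(). find_library() can return None in minimal
    containers; None makes ctypes call dlopen(NULL), i.e. the running process,
    whose global scope already contains libc on Linux and macOS."""
    return ctypes.util.find_library("c")


def load_library(path):
    """dlopen() wrapper: ctypes.CDLL resolves dependencies and relocations for us."""
    return ctypes.CDLL(path)


def find_function(lib, name, restype, argtypes):
    """dlsym() wrapper: resolve a symbol by name and attach the C prototype
    we decided on. No disassembly of the function body is involved."""
    try:
        fn = getattr(lib, name)
    except AttributeError as exc:
        raise LookupError(f"symbol {name!r} not exported by the library") from exc
    fn.restype = restype
    fn.argtypes = argtypes
    return fn


def symbol_exists(path, name):
    """True when dlsym() can find NAME in the library at PATH."""
    try:
        find_function(load_library(path), name, ctypes.c_void_p, [])
        return True
    except LookupError:
        return False


def call_string_returning(path, name, argtypes, *args):
    """Load the library, resolve NAME, call it, and return its char* result as str
    (this is the shape of the 'get the version banner' demo)."""
    fn = find_function(load_library(path), name, ctypes.c_char_p, list(argtypes))
    result = fn(*args)
    return None if result is None else result.decode()


def call_size_returning(path, name, argtypes, *args):
    """Same, for a function returning size_t."""
    fn = find_function(load_library(path), name, ctypes.c_size_t, list(argtypes))
    return fn(*args)


# Two demo wrappers (names chosen for this example) against libc symbols.
def string_length(data: bytes) -> int:
    return call_size_returning(default_library_path(), "strlen", [ctypes.c_char_p], data)


def errno_message(code: int) -> str:
    return call_string_returning(default_library_path(), "strerror", [ctypes.c_int], code)


if __name__ == "__main__":
    print("strlen:", string_length(b"witchcraft"))        # constructed input
    print("strerror(2):", errno_message(2))               # constructed input
    print("has ap_get_server_banner:", symbol_exists(default_library_path(), "ap_get_server_banner"))
```

Swapping `default_library_path()` for the path of a libified binary is the only change needed to reproduce the talk's demo from Python, with the caveat from the talk that the loader must accept the patched image; if `dlopen()` rejects it, `ctypes.CDLL` raises `OSError` with the dynamic linker's message, which is the first thing to read.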
Can do something about this? [ __ ] it. Yeah, all right, and with you... that was a great talk, thank you for coming, have a great day. [Applause] Thanks Jonathan, on behalf of Fitbit and BSides SF we'd like to thank you. My absolute pleasure, thank you folks.