Bio / About Me

> With VN Security since 2009
> Running the zxandora.com project
> Hack In The Box crew
> CTF player
> Weekend gamer
> Brand New Online Sandbox (soon)
> Good friends
> CTF, CTF and CTF
(slide diagram labels: Almost Every Weekend, Most of the time, Once a year, Soon, Very Soon)

About Me

> 2008, Hack In The Box CTF Winner
> 2010, Hack In The Box Speaker, Malaysia
> 2012, Codegate Speaker, Korea
> 2015, VXRL Speaker, Hong Kong
> 2015, HITCON CTF, Prequal Top 10
> 2016, Codegate CTF, Prequal Top 5
> 2016, Qcon Speaker, Beijing
> OSX, Local Privilege Escalation
> Code commit for Metasploit 3
> GDB bug hunting
> Metasploit module
> Linux Randomization Bypass
> http://www.githiub.com/xwings/tuya
> Weibo: @kaijern
> vnsecurity.net

Introduction: VN Security

> Active CTF player (CLGT)
> Active speaker at conferences: Blackhat USA, Tetcon, Hack In The Box, Xcon
> Our tools: PEDA, Unicorn / Capstone / Keystone, Xandora, OllyDbg Catcha!, ROPEME
> Nations: Vietnamese, Malaysian, Singaporean

Nguyen Anh Quynh

> Security researcher
> Active speaker at conferences: Blackhat USA, Syscan, Hack In The Box, Xcon
> Research topics: emulators, virtualization, binary analysis, tools for malware analysis

When gdb meets peda: GDB PEDA
Why
KCON Fake Websites
What Are These Things

What Is a Disassembler

Example: from binary to assembly code.
§ 01D8 = ADD EAX,EBX (x86)
§ 1169 = STR R1,[R2] (ARM Thumb)
The core part of all binary analysis, reverse engineering, debugger and exploit development. A disassembly framework (engine/library) is a lower layer in the architecture stack:
> Upper layer: Binary Analysis, Debugger, Exploit Development
> Lower layer: Disassembler Engine, CPU Emulator Engine, Assembler Engine

What Is an Emulator

Example: software-only CPU emulator.
§ 01D8 = add eax,ebx (x86)
§ Load the eax and ebx registers
§ Add the values of eax and ebx, then copy the result to eax
§ Update the flags OF, SF, ZF, AF, CF, PF accordingly
Core focus on CPU operations. Designed with no machine devices. Safe emulation environment.
Where else can we see a CPU emulator? Yes, antivirus.
> Upper layer: Binary Analysis, Debugger, Exploit Development
> Lower layer: Disassembler Engine, CPU Emulator Engine, Assembler Engine

What Is an Assembler

Example: from assembly to machine code.
§ ADD EAX,EBX = 01D8 (x86)
§ STR R1,[R2] = 1169 (ARM Thumb)
Supports high-level concepts such as macros, functions, etc. Dynamic machine code generation.
> Upper layer: Binary Analysis, Debugger, Exploit Development
> Lower layer: Disassembler Engine, CPU Emulator Engine, Assembler Engine

Where are we currently

Showcase

> CEnigma
> Cerbero Profiler
> Qira
> Shwass
> Unicorn
> CryptoShark
> Rekall
> Nrop
> CEbot
> Ropper
> Inficere
> Illdb-capstone-arm
> Camal
> Snowman
> Pwntools
> Capstone-js
> Radare2
> X86dbg
> Bokken
> ELF Unstrip Tool
> Pyew
> Concolica
> Webkitties
> Binjitsu
> WinAppDbg
> Memtools Vita
> Malware_config_parsers
> Rop-tool
> PowerSploit
> BARF
> Nightmare
> JitAsm
> MachOview
> rp++
> Catfish
> OllyCapstone
> RopShell
> Binwalk
> JSoS-Module-Dump
> PackerId
> ROPgadget
> MPRESS dumper
> Vitasploit
> Volatility Plugins
> Frida
> Xipiter Toolkit
> PowerShellArsenal
> Pwndbg
> The-Backdoor-Factory
> Sonare
> PyReil
> Lisa.py
> Cuckoo
> PyDA
> ARMSCGen
> Many more

Showcase

> UniDOS: Microsoft DOS emulator.
> Roper: build ROP-chain attacks on a target binary using genetic algorithms.
> Radare2: Unix-like reverse engineering framework and command-line tools.
> Sk3wlDbg: a plugin for IDA Pro for machine code emulation.
> Usercorn: user-space system emulator.
> Angr: a framework for static and dynamic concolic (symbolic) analysis.
> Unicorn-decoder: a shellcode decoder that can dump self-modifying code.
> Cemu: Cheap EMUlator based on the Keystone and Unicorn engines.
> Univm: a plugin for x64dbg for x86 emulation.
> ROPMEMU: analyze ROP-based exploitation.
> PyAna: analyzing Windows shellcode.
> BroIDS_Unicorn: plugin to detect shellcode on Bro IDS with Unicorn.
> GEF: GDB Enhanced Features.
> UniAna: analysis of PE files or shellcode (Windows x86 only).
> Pwndbg: A Python plugin of
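The three engine roles from the slides (assembler, disassembler, CPU emulator) on the slides' own instruction, ADD EAX,EBX = 01 D8, as an added example that is not part of the deck and does not use Capstone, Keystone or Unicorn: it hand-implements the one opcode form 01 /r with a register-direct ModRM byte and the six flag updates the emulator slide lists.

```python
# Added example (not from the slides): minimal assembler, disassembler and emulator
# for ADD r/m32, r32 (opcode 01 /r) with a register-direct ModRM byte (mod == 11).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK32 = 0xFFFFFFFF


def assemble_add(dst: str, src: str) -> bytes:
    """Assembler direction: 'add eax,ebx' -> 01 D8 (ModRM: mod=11, reg=src, rm=dst)."""
    modrm = 0xC0 | (REGS32.index(src) << 3) | REGS32.index(dst)
    return bytes([0x01, modrm])


def disassemble_add(code: bytes) -> str:
    """Disassembler direction: 01 D8 -> 'add eax,ebx'. Only the register form is handled."""
    if len(code) < 2 or code[0] != 0x01:
        raise ValueError("only opcode 01 (ADD r/m32, r32) is handled")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 0b11:
        raise ValueError("memory operands are not handled in this example")
    return f"add {REGS32[rm]},{REGS32[reg]}"


def emulate_add(regs: dict, code: bytes) -> tuple:
    """Emulator direction: load both registers, add, write the destination, update flags."""
    mnemonic = disassemble_add(code)           # reuse the decoder to find the operands
    dst, src = mnemonic.split()[1].split(",")
    a, b = regs[dst], regs[src]
    full = a + b
    result = full & MASK32
    flags = {
        "CF": full > MASK32,                              # carry out of bit 31
        "ZF": result == 0,
        "SF": bool(result >> 31),
        "OF": bool(((a ^ result) & (b ^ result)) >> 31),  # same-sign inputs, opposite-sign result
        "AF": bool((a ^ b ^ result) & 0x10),              # carry out of bit 3 (BCD adjust flag)
        "PF": bin(result & 0xFF).count("1") % 2 == 0,     # even parity of the low byte
    }
    new_regs = dict(regs)
    new_regs[dst] = result
    return new_regs, flags


if __name__ == "__main__":
    code = assemble_add("eax", "ebx")
    print(code.hex(), "=", disassemble_add(code))         # 01d8 = add eax,ebx
    regs, flags = emulate_add({"eax": 0x7FFFFFFF, "ebx": 1}, code)
    print(hex(regs["eax"]), flags)                         # 0x80000000, SF and OF set
```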
2016 - Reverse Engineering Trilogy
This document was uploaded and shared by 张玉竹 on 2022-04-08 10:16:15.