 Good morning deaf con. Thank you for coming to see our session. Hopefully you'll enjoy it a little bit I'm a little bit about myself. My name is dr. Bramble prison dine I'm the former and founding director of the Verona lab which specializes in vulnerability and exploitation research create a creator of several different tools the shell wasp job rocket and Sharon and I'm presently an assistant professor at UAH I do have a PhD in cyber operations, which is a highly technical degree specializing in reverse engineering and exploitation This is a kind of a side note I have kind of lost my voice a bit, but it has been improving so I'll just try to do the best that I can There is some contact information down below. So feel free to Reach out to me if you so desire I'm joined by my graduate student Shiva And he is a master's of computer science student at UAH and he's interested in writing the software Web apps as well as blockchain He's got a lot of contact information there. So feel free to reach out with any opportunities for Shiva So when we started this research The goal the idea was can we bring something fresh something Something new to rock because quite frankly it seemed to be getting a little bit kind of stale kind of predictable No doubt it with the techniques that we used seemed to work very well But it's just a lot of the same types of things Over and over now there are a number of tools that can facilitate getting Rob gadgets Mona, which of course has been around forever. Rob gadget ropper as well as others and Additionally for jump-oriented programming the job rocket, which is actually a tool that I created myself and presented at DEF CON in 2019 so again the idea is to try to make it fresh to try to make it exciting again and part of this inspiration is because code reuse attacks in general should be inherently Very free very flexible. We shouldn't be confined by the shackles of What has been done before But instead I'd rather see us embrace and openness a desire to do something new to something a little bit different So part of my thinking is trying to kind of think out of the box So I spend a huge amount of time Actually thousands of hours working with a jump-oriented programming now I didn't create it, but I did to create the tool that helped to facilitate that and a lot of Practical job just really had not been documented and so I set about Providing that documentation So the people actually wanted to do something significant with it They'd have the capability of doing so and there are a few different white papers out there that myself and Austin Babcock have written so By its very nature job is extraordinarily flexible And I wanted to try to bring some of that to to rock and to introduce some new ideas so Without further ado, then let's see what some of these novel contributions may include so the Next generation state-of-the-art Rob gadget tool Rob rocket is going to be among these and part of the part of it is going to be Everything you see here will have automatic Rob chain generation. So it will create the chains for these different techniques But some of them are also in their own regard Novel approaches or novel techniques. So adapting heavens gate to to return oriented programming Utilizing Windows sys calls to bypass debt rather than the traditional Windows APIs And then something that I like to call Shell codeless robber we're instead of Trying to avoid date x or avoid Trying to bypass a date execution Prevention, and we just simply avoid it and invoke that shell code like functionality directly by calling the the appropriate Windows APIs Obfuscation of Rob gadgets, which I'll get into more later on and then emulation of Rob gadgets and as well as chains, which does help us quite significantly Okay, so we're gonna start out here with heavens gate and Rob And I know that some of you are gonna be very familiar with heavens gate for others It may be your first time encountering it. So a little bit of history lesson now This is a traditional way in which we invoke it. So We're gonna go from x86 transition to 64-bit mode. This is something that the Windows operating system does continuously Whenever we make use of an in NTDOL function. So it just happens automatically as part of making use of Windows sys calls So the the old kind of Formula if you want to call it that that you'll see in malware or shell code as you'll do put push 33 for the 33 CS selector which designates it going to 64-bit mode and then we do go call red f and call next red f Which is just an address. So the compiler would then produce that address and Then we're going to then at that particular location. We're gonna modify ESP add five to it so that Our desk or return address or destination address as I like to call it will be immediately after the red f And that's typically how we how it's always done when do you see this? But the reality is you don't have to have that return address or that destination address Immediately after the red f it could be anywhere in process memory. So that's a tremendous amount of flexibility That just isn't really being used So of course, we're not writing shell code. We are writing Return-oriented programming. So we need to find a new way to do that because we can't just simply write shell code so we are introducing a couple new ways to do that that will Allow us to perform heavens gate and by doing this we can thereby expand the attack surface From while 64, which means we're working in 32-bit. We're emulating a 32-bit application 264-bit mode now you could do the opposite if you wanted. I don't really see much of a point But that's fine. You can still do it so Our approach here is we're going to be utilizing the push that instruction So if you're familiar with virtual alloc a virtual protect The types of change produced by something like Mona is following the same idea and Shiva will be talking a little bit more about how this works But these are the patterns for For heavens gate. So we have 11 of them and I can actually increase it to to more than those 11 and So if one of these is not able to work then the tool will just simply try another one now these gadgets They're not exceedingly difficult to find so very likely we will succeed So take a look here at pattern seven so we just simply load up the registers with the appropriate values and these values a lot of them are very simple They're rock knobs or in this case when we do the push out it's going to push them in a predefined order So it'll go EDI ESI all the way to EAX. And so we'll have there that red zero C and that's going to skip over a bunch of subtle It'll firstly execute the rock-knop and ESI and it'll skip over stuff until we get to that jump due to reference EBS and then that will then cause us to go to EBS. What is EBS? Well, that's the red F and so then the red F will then call that's gonna what's gonna initiate the heavens gate and then on the stack after that we'll have the destination address and the 33 selector so Everything will be perfectly set up and it should work. So let's take a look at the stack before and after so DD ESP we can see we have our Destination address and the 33 selector and then after that red F They're gone And you'll notice that the the address is now a Q word instead of a D words It has expanded and we have actually switched architectures, so We have that red F up above and then down below again everything we have Q words and then notice we have push Rbp instead of Ebp so we have switched to to 64 bit mode Now just one little note for those who may not be aware the only time you can actually view this is if you're in the 64-bit version of Windabug any other debugger will not work or it will produce Aburant behavior and there's no reason you can't open up a 30-bit application and then attach it with the 64-bit windabug Let's take a look quickly here at pattern number 11 now this one is very very simple So we have a couple Rob knobs. We have a pop ebp to consume the the ESP, which we just want to skip with another Rob knob and then the red F and Everything is set up. You have the destination address and we have the 33 selector So okay, we've done the heavens gate What is the advantage of this? Why do we want to do this good question? Wow? excellent question so by doing this there could be Many more registers 64 bit registers and the idea is maybe there's something that worry we want to do in 32-bit mode, but we just don't have the right gadgets But if we expand it to 64-bit mode, maybe there are additional gadgets now The reality is a lot of times however There may not be some of these extra 64-bit gadgets just because the bytes were required to produce them may not be there and so Sometimes they will be purely by happenstance And additionally there can be some very valuable structures that are accessible in x64 Which you can access via the R 12 R 12 register For instance the the tab 64 you get the tab 64 you can go to tab 32 and then pep 32 and pep 64 So it's actually immensely valuable. So if you can do that and then leak the R 12 then That's very useful Okay, so we've done x86 We want to go back to x64 because otherwise you're in 64-bit mode for 32-bit application Technically you could call 64-bit NTDL functions that be very difficult. It's not something I personally would recommend Trying to do people out out there have done that in terms of malware development, but I don't think it's too terribly realistic for return on to programming so at this stage You would want to return back Back to x86 And so we have a forbidden gadget unfortunately, so the push-at simply doesn't exist So if you try to do a push-add you'll see hex 60 and three question marks how sad so in this case we're going to do a series of move dereferences and Kind of like a snipe gadget So we'll create an allocation of memory and we'll just set up What we want the stack to be and then we'll do a stack pivot and then everything should be should be good and jolly So we'll take a look at some of these Different Steps that we can it can take so first thing we want to do we want to get a pointer to memory Let's make it easy and simple we can do ESP And we're going to go move ahead 250 bytes and That's going to be our point of reference. We're going to start building our different Parameters our return address, etc And we're not going to do every little thing here because a little bit tedious. We'll do a few of them We will do want to write that the red f because remember that red f is going to be what's going to kick it off It's that that's a far ret We only we're not going to typically do that and and rock but it does allow us to initiate the heavens gate So we'll get a red f it doesn't matter which red f and we'll write that address there And we do that with the move D reference. So it's move D word pointer rbx ea x And it's not a Q word Which some of you who are very observant may notice It's going to be a lot more common. You'll see the D words just because you're going from 32 bit to 64 bit and A lot of times when you do a move D reference technique, which is very Effective by the way and traditional rock you'll do a series of four increments. Well, guess what? It's not going to work out too well With this because the the bite to produce those increments Will no longer produce increments. So the only increments you have will be created by happenstance So instead we'll just do an add register register And do a distance of four. It's a little bit more tedious But it's something that the tool can automate for us. So We don't worry about it too much And then we also want to finish writing the address of the red f because remember 64 bit mode So we're we need to do a Q word rather than a D word and our move D reference catch It was a D word. So I'm going to do XOR ea x ea x the result is zero We're going to write that there. So we get a monstrously long Red f gadget address there And then now we need to do the destination Address and the 23 selector. So the 23 selector allows us to go back To 64 bit mode And this is kind of where it's kind of weird kind of funky We're 64 bit mode. We've been dealing with Q words But now we're going to go back to to D words So we're going to represent the destination address and the 23 selector is D words. Hey, it makes our life a little bit easier So I'm not complaining So I didn't show the steps for those But now what we want to do is do a stack pivot and of course there are many different ways to do a stack pivot But what we're going to do is we want to get it get it aligned so that Our a x which is kind of where we've been building our gadgets We want it to point to to the red f and so we're going to do a very long 16-digit number which is actually equal to negative 12 And then once we do that then I'm going to take another before and after so do DD ESP We have the the return address and the 23 selector and then after that notice that x86 is present and We have succeeded. We've gone back to x86. So let's actually do a quick little demo here Okay, it's all set up for us. So there's our push add and We can do that red up right there. So it's going to be the first red up We go from x86 to x64. We have destination address 33 selector So now we are in x64. You can see that registers have indeed changed. It's awesome and we're gonna skip ahead a little bit and to not be too tedious and We are going to We're at the red up to go from x64 to x86 Let's look at the stack rather destination address and 23 selector and now we're back at x86 So we did it we did two heavens gates Right there in that little demo Okay, so this novel form of heavens gate again, it's gonna allow us to go back and forth between them Obviously considerations may the size of the payload. We want to be very We wouldn't want definitely want to be aware of that and it's really designed for for wow 64 or 32 bit Applications, I mean, there's no reason you can't do it in the 64 bit mode I just can't really think of a good reason why except maybe just for the novelty of it And again, this this is potentially capable of expanded expanding the attack surface and The the technique or the approach that we've introduced is a little bit more complex and different from the Standard approach that we showed you earlier Okay, so when it says take way into our next topic here, which is going to be Windows syscalls So very briefly I'm gonna speed through some of these just to kind of refresh her for some people So what is a windows syscall? It's gonna be something where you you could call a kernel 32 function like virtual alloc that will call an NTDL function such as NT allocate virtual memory and then that NTDL function will then call a windows syscall in order to do that It will load into EAX the appropriate SSN syscall system number and then you transition from user mode to kernel mode and then after that There's a bunch of stuff going on in kernel mode. It's really outside the scope of this So this is not something that's really intended for the average programmer to be doing and the appeal of windows syscalls is It's much much harder for it to be hooked by EDR and to be To To prevent it from from from working So that can definitely be very beneficial Melissa's eight windows API is as much easier to to hook those of thereby preventing their their usage To my knowledge, I don't think this has been used in x86 while 64 again, that's the 32 bit If you're doing syscalls in 64 bit mode that the technique and approach is going to be a little bit different You can actually use an actual syscall instruction 64-bit instruction, you're not going to be using that and While 64 will be doing things in a different way And one of the issues with syscalls is what we have a what we call a problem on portability So with windows 10 for instance That SSN Potentially could change you have more than 13 different OS builds. So sometimes those SSNs will stay the same, but other times they will change so you could have I Think NT protect virtual memory, I think if windows 7 is hex 15 and I think for windows 10 and 11 it's hex 18 so Those have changed others will change much more frequently some less frequently so very briefly let's Go over how we could reverse engineer them so windows 7 What we're gonna be looking for is that call dword fsc0 that will point to a special address Which will be a far jump and you can see we're loading into eax hex 15 So all we can say is NT allocate virtual memory was off there and That fs register is going to be pointing to the thread environment block So what we can do is we can weaponize that we can utilize that that not that fsc0 is going to be reliable Way for us to interface with that and the fs is actually a register So it's gonna always be there so we just need to get instructions that have fs in it And GS is gonna be the 64 bit equivalent So there you see though you have a jump and you have a 33 selector and colon and then the address So that'll be switching to 64 bit mode so that'll be a form of heaven's gate in and of itself and Windows 10 is a little bit different. So we have hex 18 and to allocate virtual memory and the setup is a little bit different, but For our purposes, we don't really care because we go to fsc0 It's gonna be pointing to that same address. So we can still continue to use that fsc0 And windows 11 things a little bit different again, but again that windows 7 a way of invoking the syscalls is still able to to work so As many of you are aware a lot of a windows based Rop is gonna be focused on bypassing Mitigation is one of the most prevalent mitigations is gonna be data execution prevention Which says that memory should be readable and writable or executable But not both that doesn't mean it can't be both They can be but we need to use certain apis or syscalls in order to make that happen virtual alloc We created a region memory that has the desired permissions for virtual protect. We modify the permissions of Existing memory allocations So those are some very old very Simple ways of doing it and can be easily blocked. There are alternative ways as well or ways to make them work but Windows syscalls is going to be something that is a little bit more low-level a little bit deeper way of doing this And again those syscalls SSNs do change, but the good news is for for windows 10 and 11 they're gonna stay the same for the two that we care about And windows 7 it's gonna be the same. So that works out very well for us We don't what this means practically speaking is we don't have to worry about Resolving the OS build like you would if you were using a traditional windows syscall tool We can just say okay. I'm attacking windows 10 doing windows 11. I've done a little bit of reconnaissance I know about my targets, so We can dispense with that step it's not necessary for these particular apis and I think it'd be a lot more challenging to To do that and in Rob, but maybe we'll do that later on So how do we perform these the windows syscall in windows 10 and 11 particularly while 64? Well, that can be a little bit challenging But ultimately as long as we follow the proper calling convention whether it be for the API or the syscall It's gonna work. So we just simply get the stack aligned properly With the return addresses and notice I did say return addresses. That's not a I didn't misspeak there It has been deep plural for for windows syscalls and Then Initiate things and it should work. So we'll see how that works here Shortly so important windows syscalls that are this tool utilizes gonna be in to allocate virtual memory the deeper version of virtual alloc and Nt protect virtual memory, which is the deeper version of a virtual protect So we're gonna focus here on nt protect virtual memory from a Rob standpoint. It's a little bit more challenging to set up and One of the big things with windows syscalls is instead of just using direct values like your windows apis You'll have a lot of pointers. So a pointer is going to be you go inside of the pointer and it has that value So we need to somehow Create these pointers for for a base address number bytes to protect and also access protection And if we do that then We should be in a good position so we're using the move dereference approach rather than the push that approach and So we want to get a point of reference to memory This is gonna be where we are going to build our parameters our return addresses And we're gonna put a gadget there to invoke the windows syscall, which we'll talk about momentarily So we'll just move ESP to EAX and then push it ahead 250 bytes Now what this is gonna be something that'll be a little bit different for a lot of people is we need to set up a value for For a pointer. How do we do this and romp and my solution is? So you could either do increments or decrements. I've chosen to do you decrements for the automation and for this example and So we're just gonna build the values for the pointers immediately after the parameters and then that just makes it easier for us to then Move the pointers over to the parameters where where that where they need to be So get base address value for pointer is what we're creating here And this may look a little weird if you're scrutinizing it very closely We moved ESP into EAX and now I'm moving that into ebx. So that doesn't really seem to make much sense Does it why am I not be choosing a better one? Well, I'll dress that in a little bit And so then we then write that base address to to memory with a move dereference And then we have a series of four decrements So we then decrement to our next slot that we will then initialize with the next Value for another pointer and this one is gonna be number of bytes to protect and if you look very closely I'm putting one byte. I'm gonna protect one byte. That's kind of bizarre I'll explain that again momentarily It's kind of what I like to call a little trick just to save on gadgets So we'll write that with a move dereference and four decrements And I'm also gonna at this point. I'm gonna save a point of reference to the number of bytes Moving that into EDI I'll be using that in a little bit and I'm gonna skip through some of these I'm not gonna go through the whole thing. There is gonna be a white paper So if you want to scrutinize the entire source code, you'll have that available as well as the tool itself So then we've skipped a little bit here, but giving the pointer is a parameter So we have the point of reference now in EDI We're gonna move EDI into ebx and now we're gonna increment ebx four times So we're incrementing not decrementing and then we're gonna write that to EAX and that's gonna be our number of bytes to protect which again is just the value of one Which is odd and so now I'm gonna explain why I'm doing some of these kind of bizarre and odd type things so the base address What we're gonna do is we're gonna get it to round down to the the base address of that particular allocation So I don't need to be precise here a number of bytes Because it's so low it's just gonna round up to the maximum size for that allocation So in some of my examples that allocation maximum size was 1,000 bytes So it'll be 1,000 bytes And that will just happen automatically for us So we don't have to tediously try to put a particular value in there. That's not necessary so let's try to finish things up and Again, I alluded to the fact that we're gonna have two Return addresses and so if you were trying to do this and you do one return address It's never gonna work because it's an insufficient number So you would really only know this if you were going through and reverse engineering very closely So in any case we go ahead and write that and you'll notice a lot of these gadgets are repetitive the same gadgets That's just how a lot of this types of type of things works And then we do another return address in this case. It's just simply a rockknot a ret. It doesn't really do anything But we could also Make that something else if we wanted So now we're gonna write our windows sys call our method of invoking that to the stack and so There are a number of ways in which to do that the one that I prefer the most is going to be something like push d-word pointer fs and then edx And that edx we can then change that to to c0 now a more desirable one would be like push d-word pointer fsc 0 But something like that is going to be so obscure. It's not likely to be found But we just simply write that address to the stack and there are many other Possibilities where the fs register is present and we could select one of them and we can manipulate manipulate things And it's such a fashion that they could be in the form of a push red We don't have time to talk about that But there are a lot of other possibilities just as long as we can kind of leak that fs register register, then we're good And if there is not a direct way well We actually could potentially find that from the r12 register Via heavens gate a little bit more tedious to set that up and the automation actually doesn't do that at least not a present So we want to also specify anti protect virtual memory all we got to do is just load the appropriate ssn So it's going to be hex 50 for windows 10 And if you're doing a windows 7 they're going to be additional steps. So the ecx will need to be zero And then edi will then need to load the first parameter Address or a pointer and there are a few different ways you can do that through Rob and the the white paper We're going to some more detail You can do this with windows 10. It doesn't hurt me hurt anything. It just does it's not required And then our final steps here is do a stack pivot to to the start of everything so start of Invoking the sys call so let's look at our ESP. We have the pointer to The gadget to invoke the sys call we have a return address two of them and then our anti protect virtual memory addresses We can go ahead and do that we have the post you word pointer fs ebx that then takes us to a far jump And then after that call we can see our return addresses are still there There is no stack clean up. You're responsible for that yourself. So you might want to do a small little stack pivot with your return address or one of them and You can see the size has been Upcreated to a thousand bytes and the base address has been provided rather than the address that we had input previously And we could look at the vprox permissions there and it's 18 Are we a page execute read write? Um Nt allocate virtual memory the setup is going to be similar We're not going to go into that just the interest of time do a quick little demo here All right, so we are going to get things set up right here. We're doing that far jump to invoke the This is messed up. Oh, let's just skip this demo All right with that we are going to change directions a bit and we are going to Talk about shell close Rob and invite Michael speaker The purpose of this exploit is to have three different Windows APIs working together collectively this allows us to Realize more advanced attack than just having just one API We can implement the functionality of a shell code directly without needing to bypass step and without actually having a shell code This one is relatively simple We'll use the load library to get the handle to the module also known as H module and then pass it to get proc address to get the runtime address of the system and then System enables us to execute any command Let's talk briefly about some of these API's load library The purpose here is to load a DLL or a module or if it is already loaded Which is in in a lot of times. We simply return the address of it. That is the HES module We have the handle to the module now, which is the absolute requirement Our return address, which is Rob now, which will then take us to the next gadget Get proc address allows us to take that handle and then we can provide the name of the function and then function Gives us the runtime address of the system. Then there is written address as well Finally, the most important API is going to be system which allows us to execute system commands directly In this case, we are doing proof of concept string calc.axe But you can use any command you want to execute Our point with this is not just to call this one time But in a sense is to create a recipe so that we can automate the Rob chain generation Which enables us to do it on many different binaries Next, we're going to talk about finding patterns. How do we find patterns for a specific Windows API first determine the push-hat order? As you can see from the above table, the EDI is in slot one ranging all the way till EAX in slot 8. Push-hat puts the registers on the stack in predefined predictable order This push-hat order is helpful to create many patterns This is one set of patterns that could be used We have many that we are we gonna talk about later each register holds a value But in the case of ESP will always keep over it This is a pattern for system as you can see each register holds a value or a Rob gadget For command we have to provide the pointer to the command and command will be part of the payload This is one of the script that is generated by Rob rocket each register has its own slot It is usually not that difficult to load registers But in the case of EAX it is using a temporary register ebx to locate the string MSVCRT on the stack dynamically I would have to calculate that value manually But with emulation Rob rocket can do that for you at the end of all the slots. We have push-hat Let's see what happens after push-hat Let's take a look at the stack values the Rob knob is in EDI and then there is red child Which will execute the next one and skip over the following two then there is load library pointer and jump dereference to that load library along with the return address and MSVCRT as a parameter as you can see The value of EAX is a base address of MSVCRT This is the result for get proc address as well as you can see the value is like runtime address of system And finally if all three Rob chain functions correctly The command will be executed which is just popping up a calculator at this point This is a good demonstration of using shellcode. Let's stop. We are able to execute shellcode like functionality without needing to bypass depth But seriously you can do a lot more than just popping up a boring calculator The possibilities are endless Throughout this research. I have created a lot of time to develop these patterns trial and error Experimentation with the burgers and these are some of the patterns I found here. We have a dozen patterns for load library and here I have like 11 patterns for get proc address And finally nine patterns for system I created these patterns for Rob rocket if it is not able to build the chain using one pattern It can go and try the other one since we have a lot of patterns It is likely to succeed if one pattern fails due to lack of Rob gadgets having multiple patterns can be really helpful Let's take a look at the demo Here is a script generated by Rob rocket and there is a payload at the bottom of the script We have like three push ads we're going to stop at the third push ad And we finally execute the push ad we'll get inside the system. We are jump dereferencing to the system And now we are inside the system. We're going to step out of that And here we go Thank you very much Shiva. So the purpose with this shellcode is some Rob attack is to again automate the whole process so that we can have one of A multitude of possibilities and then Rob rocket if one doesn't work then there are many others that are available We have created other changes as well that are not currently part of the tool But will be included in the future such as get proc address at load library URL download to file and create process a so you can download a file from the internet and then execute it Okay, so Under the next topic Offuscation of Rob gadgets. So why do a lot of Rob gadgets fail? Sometimes it may be due to the recipe used to generate them We may need particular gadgets that simply cannot be found or it could be bad bytes So bad bytes could be something like you have Push ad but there are bad bytes there We could also call some of these gadgets that have bad bytes Forbidden gadgets. They're not supposed to be accessible because of the so-called bad bytes But what if we were to to encode them or obfuscate them? Could we use them directly? So this is a script created by a student of mine Bailey Bellisario Fused back during the pandemic And it was a challenging assignment and the the only push out available wasn't really something that could be easily done because of bad bytes and so he essentially Encoded it and then decoded it in memory and then used that push rat to then cause it to be executed So very clever very elite if you will And how he did that was an integer overflow so that integer overflow will exceed the Constraints of a d-word and then be truncated producing the desired result So he used the found add gadget to do that and then a push eax return So for very common ways to encode a value all supported by rap rocket zore not Meg and integer overflow So here's an example produced by rap rocket, which gives us some lovely commentary The nade gadget and it just automates that so you can specify hex 40 read write executable And it'll do the magic for you So these are pretty simple other two tools can do these they have the not gadget there We have the zore gadget so we can weaponize that we have a couple pops And then a zore giving us the desired result And we also have a found zore gadget so we can evaluate the something like zore eax one And figure out hey it needs a 41 in order to create a hex 40 And then integer overflow with a found add gadget So we have ad eax and some large number And the rap rocket will calculate exactly what it needs to be to produce hex 40 And then also integer overflow where we have two pops And then we do an add register register And in this case we're doing hex 40 once again So you're going to input a desired value and the tool will just automatically do this on its own So rap rocket is actually very special in terms of how it generates these integer overflows It will have start out with 10 predetermined values if those fail I will generate it from the available character set I don't keep on doing that using its own unique formula until it finds Set up two values that are free of bad bytes and produce the desired value so Let's get back to our example from from bailey. Can we be elite? Sorry and do an integer overflow to get our push add And so in this case, we actually can so it starts out with Eight ease a rather large number and then we add another Value and that gives us an integer overflow producing 40 1 8 1 12, which is indeed push add And so this is something that rap rocket can just automate and do in you know less than a second Makes our life a little bit easier We could also do that with a found add gadget too. It's another option And we get the same exact result and so that push ex read allows us to access that forbidden gadget So highly effective as a way to obscure Um or obfuscate rob gadgets and so It greatly expands the number of possibilities So the tool does have a remake function so that remake function can allow us to if something doesn't work Because of bad bytes We can still use it and we can remake it by encoding it and then having it decoded on the fly And then do a push for it. So that really really expands the attack surface So the tool is really fast. It does have parallelism to maximize available cores persistence. So If you've already evaluated a binary, it'll save the gadgets found And you can see some of what it looks like right there And it also provides emulation the emulation is done internally So we can evaluate each and every gadget if it needs to to try to find something that may be sub-optimal So an optimal gadget could be a very short brief gadget like Add ebx 5 and then a less optimal one may have other Intervening lines, but it might be okay. So The emulation can allow us to find other possibilities and this is not something you would see it's just internal debugging output And it also will emulate actual ROP chain. So sometimes we need to calculate the distance to a Parameter because we need a pointer and so it can recursively do that And how it will work is It will start with a guess and if it's wrong, it probably will be wrong It'll try again and it'll use the output to try to get it closer And it'll keep doing that recursively until it is correct and it's smart enough that it knows When it has actually achieved its goal and so that's some more internal debugging information there And there is a great deal of metadata to help facilitate that. So it has return addresses. This is a syscall different parameters, and so they can check to see You know if we've achieved a certain particular goal And so calculating distances for certain types of syscalls Or even some of the what what shiva did is it going to be necessary for success? And so that emulation makes some of this possible without this emulation We couldn't do that. So it is immensely useful We are we come to the conclusion of our talk The tool is not up right now, but it should be up about some time in the next week or so So go ahead and take a picture of that if you like and Be sure to check it out. And if you have any feedback Be sure to let us know We are happy to meet down there and take any questions. I think we're about out of our time. So Thank you very much for attending our session and hope you enjoy the rest of your defcon