I’ll be in Las Vegas the week of DEF CON 33: presenting, teaching, and meeting with folks like you. This page serves as a reference to that content, as well as general information about the conferences going on that week (BSidesLV, Black Hat USA, and DEF CON 33). I’ll also provide some recommendations for those attending that seek to make the most of their time at “hacker summer camp”.
My Content
Talk: Amber64: Mining Hacker History from Over Half a Million Commodore 64 Disks
- Time: Saturday, August 9, 17:00 - 17:45
- Location: LVCC - L1 - EHW3 - Track 5
The Commodore 64 home computer, which sold at least 12.5 million units from 1982 to 1994, was widely used during a formative early decade in the subcultures of hacking, phreaking, piracy, and cybercrime. Like ancient insects trapped in amber, discovered and studied millions of years later, ephemera of hacker history have been fortuitously preserved in the file system structures of C64 floppy disks from the 1980s and 90s.
Enthusiasts and researchers have created byte-for-byte copies of disks in order to preserve games, applications, and demos of the time period. What is less obvious, however, is that users of the time tended to reuse disks, deleting old files to make space for new programs. This and other use patterns have resulted in interesting data being retained in unallocated sectors alongside the overtly accessible programs and data. Often, this data can be recovered and includes logs of online sessions, hacker text files, and more.
In this talk, Dr. McGrew describes software and workflow he developed to perform forensic processing and full-text indexing of over 650,000 unique C64 floppy disk images from publicly-accessible online archives. He will also present interesting findings from searches and analysis that illustrate, for the modern audience, day-to-day hacker communications and tools of the past.
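To make the mechanism behind the abstract concrete, here is an added example (my illustration, not Dr. McGrew's software or workflow): a small Python carver for the standard 35-track D64 image format. It walks the Block Availability Map (BAM) on track 18, sector 0, lists every sector the DOS considers free, and pulls printable PETSCII runs out of the ones that still hold data; it also reads directory entries whose type byte was cleared by SCRATCH but whose name and start sector survive. The disk image, the "HELLO" program and the "BBS LOG" text in it are constructed in memory for the demo, and the PETSCII decoding is deliberately simplified (ASCII-compatible range and shifted letters only).

```python
"""Carve text from the unallocated sectors of a Commodore 1541 D64 disk image.

Added example, not the speaker's tooling. A SCRATCHed file has its sectors
freed in the BAM, but the bytes stay on disk until something overwrites them;
that is what this carver looks for. The image is constructed in memory.
"""
import re

SECTORS_PER_TRACK = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5  # tracks 1..35
SECTOR_SIZE = 256
BAM_TRACK, BAM_SECTOR = 18, 0      # Block Availability Map lives at 18/0
DIR_TRACK, DIR_SECTOR = 18, 1      # directory chain starts at 18/1


def sector_offset(track: int, sector: int) -> int:
    """Byte offset of (track, sector) in a standard 35-track D64 image."""
    if not 1 <= track <= 35 or not 0 <= sector < SECTORS_PER_TRACK[track - 1]:
        raise ValueError(f"no such sector {track}/{sector}")
    return (sum(SECTORS_PER_TRACK[:track - 1]) + sector) * SECTOR_SIZE


def bam_entry(track: int) -> int:
    """Each track has 4 BAM bytes: free count, then a 24-bit bitmap (bit set = free)."""
    return 4 + 4 * (track - 1)


def is_free(bam: bytes, track: int, sector: int) -> bool:
    base = bam_entry(track)
    return bool(bam[base + 1 + sector // 8] & (1 << (sector % 8)))


def set_free(bam: bytearray, track: int, sector: int, free: bool) -> None:
    base = bam_entry(track)
    idx, bit = base + 1 + sector // 8, 1 << (sector % 8)
    bam[idx] = (bam[idx] | bit) if free else (bam[idx] & ~bit & 0xFF)
    bam[base] = sum(bin(b).count("1") for b in bam[base + 1:base + 4])  # recount free


def petscii_to_text(data: bytes) -> str:
    """Simplified PETSCII decode: keep the ASCII-compatible range and shifted letters,
    turn carriage return into newline, mark everything else with NUL (non-text)."""
    out = []
    for b in data:
        if b == 0x0D:
            out.append("\n")
        elif 0x20 <= b <= 0x5F or 0xC1 <= b <= 0xDA:
            out.append(chr(b & 0x7F))
        else:
            out.append("\x00")
    return "".join(out)


def carve_free_sectors(img: bytes, min_run: int = 8) -> list:
    """Return (track, sector, [text runs]) for every BAM-free sector that still holds text."""
    off = sector_offset(BAM_TRACK, BAM_SECTOR)
    bam = img[off:off + SECTOR_SIZE]
    hits = []
    for track in range(1, 36):
        for sector in range(SECTORS_PER_TRACK[track - 1]):
            if not is_free(bam, track, sector):
                continue                        # allocated: overtly accessible, not our target
            off = sector_offset(track, sector)
            blk = img[off + 2:off + SECTOR_SIZE]  # skip the 2-byte track/sector link
            if not any(blk):
                continue                        # never written, or wiped: nothing to carve
            runs = re.findall(r"[^\x00]{%d,}" % min_run, petscii_to_text(blk))
            if runs:
                hits.append((track, sector, runs))
    return hits


def scratched_entries(img: bytes) -> list:
    """Directory entries whose type byte SCRATCH cleared but whose name and first
    track/sector survive, as (name, first_track, first_sector)."""
    found, track, sector, seen = [], DIR_TRACK, DIR_SECTOR, set()
    while track != 0 and (track, sector) not in seen:   # follow the chain, guard against loops
        seen.add((track, sector))
        off = sector_offset(track, sector)
        blk = img[off:off + SECTOR_SIZE]
        for i in range(0, SECTOR_SIZE, 32):
            e = blk[i:i + 32]
            if e[2] == 0x00 and e[3] != 0:
                found.append((petscii_to_text(e[5:21].rstrip(b"\xa0")), e[3], e[4]))
        track, sector = blk[0], blk[1]
    return found


def build_demo_image() -> bytearray:
    """Constructed image: one live PRG plus a SCRATCHed text file whose data is intact."""
    img = bytearray(sum(SECTORS_PER_TRACK) * SECTOR_SIZE)      # 683 * 256 = 174848 bytes
    bam = bytearray(SECTOR_SIZE)
    bam[0], bam[1], bam[2] = DIR_TRACK, DIR_SECTOR, 0x41          # link to directory, DOS 'A'
    bam[0x90:0xA0] = b"AMBER".ljust(16, b"\xa0")                  # disk name, 0xA0-padded
    for track in range(1, 36):
        for sector in range(SECTORS_PER_TRACK[track - 1]):
            set_free(bam, track, sector, True)

    def write_last_sector(track, sector, payload):
        off = sector_offset(track, sector)
        img[off], img[off + 1] = 0, 1 + len(payload)    # track 0 ends the chain; byte 1 = last used index
        img[off + 2:off + 2 + len(payload)] = payload

    write_last_sector(17, 0, b"\x01\x08HELLO")           # live PRG body (load address $0801), constructed
    set_free(bam, 17, 0, False)
    write_last_sector(1, 0, b"CONNECT 1200\rWELCOME TO THE BOARD\rLOGIN: SYSOP\r")  # constructed log
    # 1/0 deliberately stays free in the BAM: that is all SCRATCH did to it

    d = bytearray(SECTOR_SIZE)
    d[0], d[1] = 0x00, 0xFF                                       # only directory sector
    d[2], d[3], d[4], d[5:21], d[30] = 0x82, 17, 0, b"HELLO".ljust(16, b"\xa0"), 1       # PRG, closed
    d[34], d[35], d[36], d[37:53], d[62] = 0x00, 1, 0, b"BBS LOG".ljust(16, b"\xa0"), 1  # scratched
    off = sector_offset(DIR_TRACK, DIR_SECTOR)
    img[off:off + SECTOR_SIZE] = d
    for s in (BAM_SECTOR, DIR_SECTOR):
        set_free(bam, 18, s, False)
    off = sector_offset(BAM_TRACK, BAM_SECTOR)
    img[off:off + SECTOR_SIZE] = bam
    return img


if __name__ == "__main__":
    disk = build_demo_image()
    print("scratched entries:", scratched_entries(disk))
    for track, sector, runs in carve_free_sectors(disk):
        print(f"free sector {track}/{sector}:", runs)
```

Against a real archive you would replace build_demo_image() with open(path, "rb").read() and add the 40-track variants and the error-byte suffix that some D64 files carry; the carving logic is the same. The two-byte link at the start of each sector is skipped because it is chain metadata, not content, and skipping it avoids false hits when the "last used byte" value happens to fall in the printable range.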
DEF CON Workshop: 64-bit Intel Assembly Language Programming for Hackers
- Time: Friday, August 8, 14:00 - 18:00
- Location: LVCC - L2 - Workshops
- Registration required. I’ll provide links here when I know the date/time/URL for registering.
Assembly language has a reputation for being intimidating, but once you learn the basics, and know how to read the documentation, you can easily pick up the rest. There are many interesting fields of study in computer security that depend on the “closer to the metal” knowledge you’ll gain from learning to code in assembly:
- Software reverse engineering
- Vulnerability and exploit research
- Malware/implant development
- Digital forensics
…among others. There is no substitute for the confidence that you gain from being able to research and understand computer systems at lower levels of abstraction.
The purpose of this workshop is to introduce the Intel x64 architecture and assembly language to attendees. We will be using the Microsoft Macro Assembler, and we will be examining our code step-by-step in the x64dbg debugger. No prior programming experience is required; we will be working from first principles. This is a new version of the workshop that makes better use of the x64dbg debugger to illustrate the concepts of the class, live. Attendees can follow along with their own laptops and programming environments.
We will cover the following topics:
- Assembling and linking code
- The execution environment of x64 programs
- Memory
- Registers
- A wide variety of instructions
- Addressing modes
- How to read instruction documentation in the Intel manuals
- Moving data around
- Stack operations
- x64 ABI and calling conventions
- Representing data
- Integer math
- Program flow: conditional execution, loops
- Leveraging the Windows API
- How to read MSDN articles on Windows API functions
- Resources for reference and future learning
Malware Village: Getting Started in Malware Analysis With Ghidra
- Time: Thursday, August 7, 09:00
- Location: Malware Village @ DEF CON 33
- Registration Required: Registration Link
In this workshop, I will give a hands-on introduction to using the Ghidra disassembler to navigate and analyze malware. This will be immersive learning with no slides: concepts, strategies, and techniques will be illustrated within the user interface of Ghidra and other supporting tools. A malware sample will serve as the “case study”, but the structure of the class is informal. Attendees are encouraged to steer the class with their own questions, problems, and observations toward the level of detail and direction they want. Attendees new to malware analysis who are participating in the Malware Village MARC I contest are welcome to bring in the samples they are working on, if they need help getting started (or getting unstuck).
Attendees may bring laptops and follow along on their own systems, but those wanting to simply observe will also benefit. Intel assembly language knowledge is helpful, but we will cover the basics as we go, and resources will be provided for independent learning.