Talks

This page is a listing of talks I have given: when, where, at what conference, the title, and a description (with a YouTube link if the talk was recorded). They are listed in reverse-chronological order (most recent first).


Invisible Ink of Compression

Conference: HOPE_16 When: August, 2025 Where: Queens, NY

Abstract for the HOPE_16 (Hackers on Planet Earth 2025) conference:

When you pop the hood of RFC 1951 (DEFLATE), there lies an interesting playground that would otherwise go unseen in the context of compression use cases. This talk will address many aspects of the ubiquitous DEFLATE compression, none of which involve compressing data! “Designer Compression” scenarios will be explored, such as blocks of DEFLATE data that can be fully ASCII printable, contain no data, perform buffer-underflow access of nulls, and even apply forms of recursion. We will also see forensic data extraction from compressed fragments, employ difficult-to-detect watermarking, demo a covert channel PoC (deflate in HTTP), and forever-cookies. The presentation style will take a high-level first pass and then dig into the technical details with the time left.

Original source from the Internet Society: https://isoc.live/tag/hope/

https://www.youtube.com/watch?v=HGzlOU6GN6E


BootGenie

Conference: HOPE 2020 When: July 25, 2020 Where: Virtual

Saturday, July 25, 2020: 1700. Despite legacy BIOS going away, the boot sector gaming scene is on the rise. These are x86 16-bit games intended to fit inside the 512 byte MBR (Master Boot Record) space. Despite these limits, you’ll find playable clones of games like PacMan, Invaders, Arkanoid, Flappy Bird, Snake/Nibbles, a rogue-like dungeon crawler, Tetris, a ray-casting 3D game, some more independent titles, and new ones are still in the works.

However, this won’t be a history or overview of this interactive demoscene-adjacent playground. It’s the more meta playground of gaming the games - hacking and cheating at them. In addition to diving into the technical details of hacking the games, this talk will show and demonstrate a collection of patch files (aka Boot Genie). These patches include cheats such as invincibility, more lives, speed slowdowns, score hacks, rule/logic hacks, multiplier mods, better powerups, level mods, and more.

Beyond cheat patches, another showcase of “gaming the game” will focus on the bootRogue game. This will be a deep dive into the consequences of choosing a simple RNG (random number generator) for procedural level generation. Though each dungeon is “randomly” generated, we use our knowledge to understand the specific, finite number of unique dungeons there really are, and how to get to any arbitrary dungeon of our choosing based only on the items we pick up along the way! Custom routing protocols were programmed for optimal traversal.

https://www.youtube.com/watch?v=bWTNVXZuDEo


ARMaHYDAN - Misadventures of ARM instruction encodings

Conference: CactusCon VI (2018) When: 2018 Where: Phoenix, AZ

This talk was given at CactusCon 2018 (cactuscon.com)

Abstract: Because some instruction bit fields in the ARM manual were unexplained and assembly language is too high-level, this talk explores the implications of shoving the wrong bits into the right instructions. The results of this experiment led to things like having about 25% of the instructions in an ARM ELF binary look undefined (but work as defined) to most disassembly engines (even worse in IDA). Or creating an army of executables that operate identically, have the exact same instructions and file sizes, but all with different hashes. Or how about another way to remove some NULLs from particular instructions. And finally, HYDAN-like steganography abilities. And yes, I started the last sentences with Because, Or, and And. This talk is not just theoretical or academic; there is a PoC tool to go along with all of the above and it will be demonstrated.

The ARMaHYDAN tool can be found at https://github.com/XlogicX/ARMaHYDAN

This conference doesn’t record its talks. This was screen captured with QuickTime and a friend recorded my face. Sometimes I went offscreen, and the video is a little out of sync with the audio. However, it’s just my face in a small screen-on-screen area, and my face is not important or integral to the information, so I’m not fixing it; I’m over it.

https://www.youtube.com/watch?v=qEfWt2naCx4


Ring-0 Assembly

Conference: CactusCon V (2017) When: August 7th, 2017 Where: Las Vegas, NV

The original title this talk was submitted as was “Boot And Play.”

Official Abstract: Would you like to experiment with Ring 0 assembly without having to piggyback off of a driver or something equally complicated? Boot sector programming is a fun way to get started, where there is no operating system. This talk will help you get started on how to quickly assemble these programs, the BIOS programming environment, and the best strategies for debugging. This talk will provide some starting points, like how to set up video memory and your own stack, important register use, a time delay loop, keyboard input, randomization, and colors. Finally, this talk will showcase some notable boot sector games and demos, including Tetranglix, some Trons, Nyanboot, Phosphene, Bootable Goatse, and a challenging reversing game called BootMeCrackMe.

Each slide is a self-contained boot sector image. They are all on GitHub: https://github.com/XlogicX/CactusCon2017

There is also a PDF of the slides there.

CactusCon typically doesn’t record its talks, and this talk was not recorded by CactusCon; it was recorded from a friend’s phone in the front row. There wasn’t a great angle on the slides, so I superimposed them the best I could. The video quality was best effort.

https://www.youtube.com/watch?v=ZAETReauN7E


Assembly Language is Too High Level

Conference: Defcon 25 When: August 7th, 2017 Where: Las Vegas, NV

Do you have a collection of vulnerable programs that you have not yet been able to exploit? There may still be hope. This talk will show you how to look deeper (lower level). If you’ve ever heard experts say that x86 assembly language is just a one-to-one relationship to its machine code, then we need to have a talk. This is that talk: gruesome detail on how an assembly instruction can have multiple valid representations in machine code and vice versa. You can also just take my word for it, ignore the details like a bro, and use the tool that will be released for this talk: the Interactive Redundant Assembler (irasm). You can just copy the alternate machine code from the tool and use it in other tools like mona, use it to give yourself more options for self-modifying code, fork Hydan (stego) and give it more variety, or create peace on earth.

https://www.youtube.com/watch?v=eunYrrcxXfw


REvisiting RE:DoS

Conference: Defcon 23 When: August 7th, 2015 Where: Las Vegas, NV

Regular Expression Denial of Service has existed for well over a decade, but has not received the love it deserves lately. There are some proof-of-concept attacks out there currently, most of which are ineffective due to implementation optimizations. Regardless of their effectiveness, most of these PoCs are geared only to NFA engines.

This talk will demonstrate working PoCs that bypass optimizations. Both NFA and DFA engines will get love. Tools will be released (with demonstration) that benchmark NFA/DFA engines and automate the creation of ‘evil strings’ given an arbitrary regular expression. Attendees can expect a review of regex and a deep under-the-hood explanation of both regex engines before abuses ensue.

https://www.youtube.com/watch?v=cIg-VT0EoRs


Internalized Context

Conference: CactusCon III (2015) When: March 13th, 2015 Where: Tempe, AZ

Data needs context to reliably provide meaning. Regardless, some streams of data can have patterns that are so consistent that it would be hard to interpret the data any other way than with very specific meanings. As an exercise, this talk starts with an analysis of packet data (with a PoC script).

Finally, the meat of this talk will be about the patterns in executable code. The PoC script demonstrated will show analysis of data streams at a machine-code level (assembly is too high-level) and attempt to make a determination of their executability. This is done without ELF/PE headers; just a snippet of potentially executable code (alignment agnostic). The PoC Lua script could quickly be integrated with some IDS in order to raise the fidelity of some shellcode-based rules (because why analyze shellCCCCCCCCCCCCCCCCCCCCCCCCode that’s not code).

Raw version (txt) of slides

https://www.youtube.com/watch?v=54vEGmENuZw


Learn a New Programming Language NOW

Conference: Toorcon 16 When: October, 2014 Where: San Diego, CA

Imagine that you are already comfortable with programming and have your favorite language (this is already you). Your boss asks you to develop something in a language you are not familiar with (or whatever other reason). You don’t want to waste your time reading an entire book on this language. You already know how loops work, so you don’t want to read a whole chapter on loops; just tell us how to do a while loop in the language in 1 or 2 sentences and we’re good. Additionally, in 50 lines or less: tell us how to do input/output, math, data structures (variables, arrays, etc…), logic, comparisons, subroutines, and file handling. With that, we can start programming/scripting and just google those other edge cases.

I’m working on a project that I would like to share with everyone and would love contributions. It is a list of skeleton “50-liner” programs/scripts that have the above essential items. It works off of the theory that 90% of the code that we actually write is only 10% of the actual language, and that 10% can be learned NOW. The languages I have made available so far are perl, python, ruby, lua, javascript, php, bash, C, spin and assembly (x86 and propeller). I’m hungry for moar.

https://www.youtube.com/watch?v=uy_huKgw46E


Hit the Ground Running with Assembly

Conference: Toorcon 16 When: October, 2014
Where: San Diego, CA

This workshop is targeted at those who have so far found assembly language a little intimidating. Assembly isn’t hard, but many textbooks make it harder than it needs to be. One approach is to saturate the reader with theory and then finally get to a “hello world” 500 pages in (challenge yourself to learn any programming language this way). Another popular teaching method is to start high level (such as HLA). Again, assembly isn’t hard; there’s no reason to waste time with high level just to eventually get down to the low level that could have been achieved from the start.

This workshop rapidly covers essential theory (registers, memory, etc.) and then dives right into writing no-nonsense assembly (no macros, high-level constructs, #includes, etc.). We will then watch the theory and code unfold in a debugger. Expect to learn about registers, data movement, the stack, math/logic ops, memory, shifts/rotates, conditionals, subroutines, and some system calls. We will also explore cheating with gcc to discover how some high-level concepts map to assembly.

This is not meant to be exhaustive (although some resources can be recommended for that); however, after this workshop, you should feel much more comfortable with assembly, be able to write simple asm programs, and not get stuck when furthering your reading of other material on assembly. This is targeted at Linux using nasm (assembler), ld (loader), and edb (debugger). This is meant to be interactive, so it is recommended to come with a working GNU/Linux (32-bit) environment with nasm and edb installed. If you come with Kali Linux (32-bit), you are already good to go.

https://www.youtube.com/watch?v=i6NFw0ugpIU


Abuse of Blind Automation in Security Tools

Conference: Defcon 22
When: August, 2014
Where: Las Vegas, NV

It is impossibly overwhelming for security personnel to manually analyze all of the data that comes to them in a meaningful way. Intelligent scripting and automation are key. This talk aims to be a humorous reminder of why the word “intelligent” really matters; your security devices might start doing some stupid things when we feed them.

This talk is about abusing signature detection systems and confusing or saturating the tool or analyst. Some technologies you can expect to see trolled are anti-virus, intrusion detection, forensic file carving, PirateEye (yep), grocery store loyalty cards (huh?), and anything we can think of abusing.

Expect to see some new open-source scripts that you can all use. The presenters don’t often live in the high-level, so you may see the terminal, some hex and bitwise maths, raw signatures, and demonstrations of these wacky concepts in action. We don’t intend to present dry slides on “hacker magic” just to look 1337. We want to show you cool stuff that we are passionate about, stuff we encourage everyone to try themselves, and maybe inspire new ideas (even if they’re just pranks…especially).

https://www.youtube.com/watch?v=XP9oEZIt6vk


This is the X You Are Looking For

Conference: Hackers on Planet Earth X (HOPEX)
When: July, 2014
Where: Midtown NYC, NY

When you hear you are being profiled for which books you check out in a library, what do you do with this knowledge? Do you tell your friends to “evade,” to not check these books out, or to find other means of getting this content? No. You tell everyone in the world to deliberately check these books out (and now we have had the pleasure of reading Catcher in the Rye).

This talk is about looking signature detection in the face and confusing or saturating the tool or analyst. A number of techniques will be explored, including a fun malware signature trick called a tumor (it’s OK, it’s benign), and others focusing on open source Intrusion Detection Systems. There may be some random banter about grocery loyalty cards, too. Although this talk intends to be just as technical as expected at a conference like this, it will also be light, fun, and philosophical in nature. Expect a gratuitous slide deck, lots of terminal action, signatures in the nude, hex, and beautiful regex.

https://www.youtube.com/watch?v=79Lhcz_xv2k


on Learning Languages

Conference: Neighbors on Planet Earth (NOPE) When: July, 2014 Where: Wall St area, NY

There was no official program guide, we were all told to tweet our topic the night before (or the morning of). Here’s my tweet:

None of the talks were recorded. But Nick Far snapped a picture while I was giving the talk:


It’s A Tumor

Conference: CactusCon II When: May, 2014 Where: Chandler, AZ

This talk is a look into a corner of malware we don’t often look at: the quarantining process. Since it is not very interesting, I naturally took an interest in it. This talk is about the result of this experimentation, a Tumor: a file that just kind of sits around, slowly growing larger. It’s okay though, the tumor is benign. Expect a proof of concept, a little bit of terminal action, and lots of hex and bitwise operations.

Talks at CactusCon II were allegedly recorded, but I don’t know of them actually getting out.


Mask Your Checksums

Conference: Toorcon 15 When: October, 2013 Where: San Diego, CA

When publicly submitting packet data, it is common wisdom to mask things such as your IP addresses. It is also advised that you mask your checksums. Why? This talk attempts to beat this dead horse to the ground, with demonstrations and an open-source tool release.

https://www.youtube.com/watch?v=X5t1wVyof2I


Doing it Wrong with Scalpel

Conference: CactusCon I When: April, 2013 Where: Tempe, AZ

Despite the name of the talk, we will go through introductory concepts of what scalpel is used for, how to use it, and basic modifications to the scalpel.conf file. We start with doing it right. Then we start editing source code and do it wrong, very stupid wrong, then eventually kind of cool wrong. One misconfiguration of scalpel.h led to an exaggerated discovery that produced the magicbomb tool. I will explain how to avoid falling into the traps that magicbomb produces. Finally, we will trick scalpel into scanning for viruses. As it turns out, scalpel will dig deeper where other AV vendors stop short…not that it turns out to be useful in any way.

This talk had an audio recording only…I have no idea where that file went at this point.


Explosive Steganography

Conference: Hackers on Planet Earth 9 (HOPE9) When: July, 2012 Where: Midtown NYC, NY

Encryption makes information secret; steganography hides the information in plain sight. We fancy hiding it in a “pile” that most people would avoid. This talk explores hiding steganography in mediums such as archive exploders, file carving exploders, and virus files. There will be a release of the open source tools eZIPlode/asour, magicbomb/-asour and hivasour/hivsneeze.

https://www.youtube.com/watch?v=aiupXHi2BIA


Intro to Steganography

Conference: BSidesPHX 2012 When: March, 2012 Where: Tempe, AZ

This talk had no official program guide description. The main organizer of the con had a speaker flake on him at the last minute. I threw something together, half from a recent 2600 presentation and another small piece from a bigger topic I was toying with (that I ended up doing later in 2012 for HOPE 9).

This talk was not recorded.