Shell-Storm

Some stuff about

I'm just a guy who enjoys doing things in various low-level fields. You will find some of my work on this webpage.

Blog Posts

Vulnerability Exploitation

  • 2011-07-04 - Analysis of CVE-2011-1938 - ROP exploitation in PHP 5.3.6

Projects

  • Triton: A dynamic binary analysis library

    Abstract: Triton is a dynamic binary analysis library. It provides internal components that allow you to build your program analysis tools (symbolic, taint, synthesis, etc.), automate reverse engineering, perform software verification or just emulate i386, x86-64, ARM and AArch64 code.

  • Kaminou-Kernel: Another (unfinished) mini Kernel from scratch

    Abstract: Just another (unfinished) kernel from scratch... At first I didn't plan on releasing this project, but it's dying in a directory. This project was just for understanding how a kernel works and contains the following features: 32-bit protected mode, multitasking, paging, memory allocation, interrupts, exceptions, syscalls.

  • Useless emulator for fun (VMNDH-2k12)

    Abstract: This emulator was created for the NDH 2012 CTF. Some challenges were based on the NDH architecture, a new architecture which looks like a mix between ARM and x86. The project contains a compiler, a debugger and a virtual machine.

  • ROPgadget: Gadgets finder and auto-roper

    Abstract: This tool lets you search for gadgets in your binaries to facilitate your ROP exploitation. ROPgadget supports the ELF, PE and Mach-O formats on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. It also offers a dumb ROP-chain generation.

Presentations and publications

  • Use of symbolic execution for binary deobfuscation in an industrial environment

    PhD Thesis, Grenoble, France, 2020. [french thesis] [french slide] [bibtex]
    Abstract: This thesis work has been done in an industrial environment where the main activities were reverse engineering for vulnerability research and security properties verification on binary programs. The first part of this doctoral work focuses on the collection and sharing of the industrial problems when analyzing binary programs. Based on these issues, a binary dynamic analysis framework has been developed and formalized. Real examples of use are then presented, such as the detection of opaque predicates in branch conditions. Finally, a new automatic approach for deobfuscation of binary code protected by virtualization is presented combining features of the framework as well as those of other tools.

  • Symbolic Deobfuscation: From Virtualized Code Back to the Original

    Talk at DIMVA, Paris-Saclay, France, 2018. [paper] [slide] [bibtex]
    Abstract: Software protection has taken an important place during the last decade in order to protect legitimate software against reverse engineering or tampering. Virtualization is considered one of the very best defenses against such attacks. We present a generic approach based on symbolic path exploration, taint and recompilation that recovers, from a virtualized code, a devirtualized code semantically identical to the original one and close in size. We define criteria and metrics to evaluate the relevance of the deobfuscated results in terms of correctness and precision. Finally we propose an open-source setup allowing the proposed approach to be evaluated against several forms of virtualization.

  • Deobfuscation of VM based software protection

    Talk at SSTIC, Rennes, France, 2017. [french paper] [english slide] [french video] [bibtex]
    Abstract: In this presentation we describe an approach which consists of automatically analyzing virtual machine based software protections and recompiling a new version of the binary without such protections. This automated approach relies on a symbolic execution guided by a taint analysis and some concretization policies, then on a binary rewriting using an LLVM transition.

  • How Triton can help to reverse virtual machine based software protections

    Talk at CSAW SOS, NYC, USA, 2016. [slide]
    Abstract: The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.

  • Dynamic Binary Analysis and Obfuscated Codes

    Talk at St'Hack, Bordeaux, France, 2016. [slide]
    Abstract: In this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some of them (using our open-source DBA framework, Triton): detect opaque predicates, reconstruct the CFG, find the original algorithm, isolate sensitive data and many more... Then, we will conclude with a demo and a few words about our future work.

  • How Triton may help to analyse obfuscated binaries

    MISC magazine 82, 2015. [french article]
    Abstract: Binary obfuscation is used to protect software's intellectual property. There exist different kinds of obfuscation but roughly, it transforms a binary structure into another binary structure while preserving the same semantics. The aim of obfuscation is to ensure that the original information is "drowned" in useless information that will make reverse engineering harder. In this article we will show how we can analyse an obfuscated program and break some obfuscations using the Triton framework.

  • Triton: A Concolic Execution Framework

    Talk at SSTIC, Rennes, France, 2015. [french paper] [detailed english slide] [light french slide] [bibtex]
    Abstract: This talk is about the release of Triton, a concolic execution framework based on Pin. It provides components like a taint engine, a dynamic symbolic execution engine, a snapshot engine, translation of x64 instructions to SMT2, a Z3 interface to solve constraints and Python bindings. Based on these components, Triton offers the possibility to build tools for vulnerability research or reverse-engineering assistance.

  • Dynamic Behavior Analysis Using Binary Instrumentation

    Talk at St'Hack, Bordeaux, France, 2015. [slide]
    Abstract: This talk can be considered as part 2 of my talk at SecurityDay. In the previous part, I talked about how it was possible to cover a targeted function in memory using the DSE (Dynamic Symbolic Execution) approach. Covering a function (or its states) doesn't mean finding all vulnerabilities: some vulnerabilities don't crash the program. That's why we must implement specific analyses to find specific bugs. These analyses are based on binary instrumentation and the runtime behavior analysis of the program. In this talk, we will see how it's possible to find the following kinds of bugs: off-by-one, stack / heap overflow, use-after-free, format string and {write, read}-what-where.

  • Covering a function using a Dynamic Symbolic Execution approach

    Talk at Security Day, Lille, France, 2015. [slide]
    Abstract: This talk is about binary analysis and instrumentation. We will see how it's possible to target a specific function, snapshot the context memory/registers before the function, translate the instrumentation into an intermediate representation, apply a taint analysis based on this IR, build/keep formulas for a Dynamic Symbolic Execution (DSE), generate a concrete value to go through a specific path, restore the context memory/registers and generate another concrete value to go through another path, then repeat this operation until the target function is covered.

  • An introduction to the Return Oriented Programming and ROP-chain generation

    Course lecture at Bordeaux University, France, 2014. [slide]
    Abstract: This course lecture is about an introduction to the return oriented programming and its variants like JOP, SOP... It also describes some techniques and active works about ROP-chain generation based on backtracking or symbolic execution.

  • An introduction to the Return Oriented Programming

    MISC Magazine HS-09, 2014. [link]
    Abstract: This article is an introduction to return oriented programming. In this article we describe the Operating Systems' protections in detail and explain why ROP exploitation is useful. We also provide a detailed step-by-step example of ROP exploitation on the CVE-2011-1938 vulnerability.

  • Software testing and concolic execution

    Talk at LSE Summer Week, Paris, France, 2013. [slide]
    Abstract: This talk is about an introduction to the concolic execution using Valgrind and Z3. Concolic execution is a technique that uses both symbolic and concrete execution. In this talk we introduce a little tool which breaks a dumb crackme.

Vulnerabilities publicly disclosed

  • CVE-2015-1801 - Samsung S4 (GT-I9500) - Multiple Kernel memory corruption in the video driver
  • CVE-2015-1800 - Samsung S4 (GT-I9500) - Kernel memory disclosure in the video driver
  • CVE-2013-6392 - Kernel MSM < 3.10 - Kernel memory disclosure in the Genlock driver
  • CVE-2013-6122 - Goodix gt915 Android touchscreen driver - Kernel race condition
  • CVE-2013-4740 - Goodix gt915 Android touchscreen driver - Multiple Kernel memory corruption
  • CVE-2013-4739 - Android Kernel msm-3.4/jb_3* - Kernel memory disclosure in the Gemini JPEG/Jpeg1.0 engines
  • CVE-2013-4738 - Android Kernel msm-3.4/jb_3* - Kernel Stack overflow in camera post processing driver (CPP)
  • CVE-2013-2239 - OpenVZ kernel 2.6.32 (042stab080.1) - Multiple kernel memory disclosure
  • CVE-2013-2164 - Linux Kernel 3.9.5 - Kernel memory disclosure in cdrom driver
  • CVE-2009-4800 - Sysax FTP server 4.5 - DELE request handling Traversal arbitrary file deletion
  • CVE-2009-1031 - Serv-U FTP server 7.4 - MKD request handling Traversal arbitrary directory creation