December 6-7, 2019 | Mesa AZ

ARMaHYDAN - Misadventures of ARM instruction encodings

Because some instruction bit fields in the ARM manual were unexplained and assembly language is too high-level, this talk explores the implications of shoving the wrong bits into the right instructions. The results of this experiment lead to things like having about 25% of the instructions in an ARM ELF binary looking undefined (but work as defined) to most disassembly engines (even worse in IDA). Or creating an army of executables that operate identically, have the exact same instructions and file sizes, but all with different hashes. Or how about another way to reduce some NULLs from particular instructions. And finally, have HYDAN-like steganography abilities. And yes I started the last sentences with Because, Or, and And. This talk is not just theoretical or academic, there is a PoC tool to go along with all of the above and it will be demonstrated.


@XlogicX hacks at anything low level. He's unmasked sanitized IP addresses in packets (because checksums) and crafts his own pcaps with just xxd. He feeds complete garbage to forensic tools, AV products, decompression software, and intrusion detection systems. He made evil strings more evil (with automation) to exploit high consumption regular expressions. Lately he has been declaring war on assembly language (calling it too high-level) and doing all kinds of ignorant things with machine code. More information can be found on