Episode 120: SpaceRaccoon - From Day Zero to Zero Day

Title: Transcript - Thu, 01 May 2025 14:24:46 GMT
Date: Thu, 01 May 2025 14:24:46 GMT, Duration: [01:36:59.19]
[00:00:00.72] - Justin Gardner
You know, binaries are not binary. You know, there are many things, right? They might be just...

[00:00:09.58] - Justin Gardner
Dude, what a quote! Richard put that in the beginning of the podcast. That is going to be our hook for this podcast. That's amazing. Binaries are not binary. Best part of hacking, when you can just, you know, critical things. Dude. One of the things we love the most as hackers, right, is people or industries that are just pushing the boundaries of what are possible. They're on the bleeding edge and they're asking the tough questions and pushing industries forward, right? And that, I just want to be clear, is why we've had Threat Locker on as a sponsor of this podcast for so long, is they are doing that for the Zero Trust industry, and they're constantly coming up with innovative solutions to push the industry forward. And the latest one that they've come up with is Threat Locker User Store, right? Because one of the main problems with Zero Trust is everything has to be validated on the last mile, right? There has to be a response team that's approving applications as it's coming through, and that's burdensome to the user. And so they decided to preload that compute, right, and approve a set of applications in advance that Threat Locker users can utilize to accomplish their business goals. For example, if they're trying to download SketchyPDFileReader.exe Instead, the user store will give them instant access to Adobe Acrobat, saying, hey, why don't you open it with this one instead? Rather than having to go through the whole response team. It's instantaneous, it's quick, it's preloaded. That's another way that Threat Locker is pushing the industry forward. All right, let's go back to the show. All right, hackers, I just got off an episode with space raccoon Eugene Lim, the Bug Bounty legend, and this episode is freaking fire. You guys are going to love this. Eugene is writing a book that's going to be released soon called From Day Zero to Zero Day, and it is about vulnerability research, how to get into it from the perspective of somebody who kind of started in Bug Bounty, right? So if any of you guys are looking to take that extra deep dive and kind of go towards that vulnerability research realm, then this is an awesome book for you. For the rest of the podcast, we are going to kind of go through all of the chapters of the book. And. And I asked Eugene, okay, listen, each of these chapters has one little tidbit of gold in it that you gotta give to the listeners. And then he just kind of gives that to us here on the pod. So, you know, you'll get a lot of value out of this podcast. A lot of the tips that he gives and the perspectives are extremely valuable. But of course, getting your hands on the book is gonna provide a much more in depth understanding of all these things that he's talking about. So Eugene was kind enough to give us a discount code for the critical thinking listeners. The discount code is zero day deal. We'll go and put that on the screen now. Zero day deal. And that gets you 30% off when you buy through. No starch. I have bought the book, Richard. Put the confirmation up on the screen now. And I will be reading it especially after this episode. And there's also a free chapter on binary taxonomy, which essentially, what are the different types of binaries? How can you reverse them? You know what, when you look at a binary, how do you, you know, know the next step? Super helpful chapter. That's available for free now. So if you want even more of a, of a taste of the book, you can go grab that. Let me see. Let me look at my notes real quick. Yes. Also, we are going to buy six copies of this book and give it away to the critical thinkers tier in Discord. So if you're not already in the critical thinkers tier, head over to CTVB show Discord, hop on in there, and you'll have a chance at winning one of those six copies that we're going to give out to the community as a way to support Eugene and thank him for coming on the podcast and sharing such amazing tidbits. So I think that is it. Yep, that's it. Enjoy this episode with space raccoon Eugene Lim. The man, the myth, the legend, and the guy in front of you watching on YouTube that this plushie is related to right here. All right, let's go. All right, my man Eugene, welcome back to the podman. And has been, what, 117 episodes since you last came on the pod. So thanks for coming back on, man.

[00:04:22.27] - Eugene Lim
Yeah, it's great to be back. Nice to be talking to you again, Justin.

[00:04:25.75] - Justin Gardner
Yeah, man, that's crazy. The pod has evolved quite a bit since that first. I think you were the first. I think you were the first guest interview we did on the pod. So I don't even know if I want to tell people about that, actually. Like, I'm sure that episode was super sketchy because in the beginning we were figuring out so many things. But I appreciate you bearing with me when I was a less experienced podcaster.

[00:04:49.36] - Eugene Lim
No, I Bet. I mean, I kind of also don't want people to read that because I kind of recall talking about using an Excel sheet to keep track of my targets back then.

[00:04:57.98] - Justin Gardner
Oh, my gosh. Yeah, it was a different era. It was a different era back then, but we are moving into a new era. And that era will be supplemented by additional learning materials that are being released. And the top of that list is from Day Zero to Zero Day, which is your new book. What a title, man. That is beautiful. I love that.

[00:05:25.87] - Eugene Lim
Yeah, it's really interesting story about that, actually, because when I first pitched this book to no such, the title was Product Security Assessment and just straight.

[00:05:36.81] - Justin Gardner
Product Security Assessment.

[00:05:37.85] - Eugene Lim
Yeah, Product Security Assessments. Like, so. So exciting. So cool. But obviously, you know, I'm glad it's evolved since then.

[00:05:44.87] - Justin Gardner
Yeah. Dude, did you come up with this yourself? Did the team come up with it? Did Darsh come up with it? You know?

[00:05:49.89] - Eugene Lim
No, I came up with it. I think, you know, I was kind of playing around because they were just like, hey, think of a better title. Kind of boring right now. It's like, okay, go back and think about it. So, yeah, that was an interesting process.

[00:06:02.31] - Justin Gardner
Yeah, that's great, man. I love how they're just like, yeah, yeah, we're going to need you to go back and come up with a better title than what you've got.

[00:06:09.18] - Eugene Lim
Yeah, boring.

[00:06:11.19] - Justin Gardner
That's good, man. Okay, so I guess I'm really excited to get my hands on this thing. I'd like to hear a little bit. You released the table of contents for what the contents are going to be. And it looks to me like this book is on vulnerability research, right. And how to. How to get rolling on that, which I think is an amazing topic because vulnerability research is such a niche skill. And so much of it is like, all right, now I'm going to go do vulnerability research, you know, and you're like, I don't know how the heck to do that, but I'm going to try to go find Bones, you know, So I think this could be a great primer on where to start. It seems to me like you focused a lot on a little bit more of the binary, like, exploitation aspect, the reversing aspect of it. And, you know, I've just got the chapter titles since the full book hasn't been released yet. But, you know, I'm wondering where. My first question when I look at this is when I think about you, Eugene, you know, I think about the time that we've spent together hacking, right? Personally, which has been mostly focused on like web and mobile related targets. And I know that you've pivoted a little bit over the years into a little bit more of a binary exploitation realm. And I'm wondering if the stuff that we talked about, the stuff that we've worked on together, you know, doing the more web aspects are covered in this book or whether this is targeted a little bit more towards binary exploitation.

[00:07:36.73] - Eugene Lim
Yeah. So I think, you know, one of the key things distinguishing like web to binary kind of exploitation obviously is the kind of attack vectors like you kind of wouldn't have an SSRF and you wouldn't stop there, you would try to get to some kind of binary exploit. But what I tried to highlight here was that there are actually a lot of common approaches. There is like code review, source and sync analysis. There is trying to get a better sense of what's going on within the target through debugging or reverse engineering. So while we're not really focusing on web attack vectors per se, I think the vulnerability discovery aspect of things is too important. And that's not something I think focus on in terms of binary exploitation. So I'm not going like heat, feng shui or moving things around in memory, but I'm focusing on like how do you get to that first exploit? Right. That first vulnerability. And you can go as far as you want with that. But that's another book I'm focusing on, the discovery. How do you kind of break down a target even if it's a web binary or even if it's a web server? There's still many, many ways to exploit something regardless of what attack surface you're using these days.

[00:08:48.78] - Justin Gardner
Okay, I got you. So it's a little bit more about the metagaming of vulnerability research, what approaches we should take regardless of what type of target we're going at after to sort of land on. Hey, here's my first bug or my first results from security research or vulnerability research.

[00:09:08.36] - Eugene Lim
Yeah. And there's a ton of CVEs and zero days that are basically web vulnerabilities. Right. It's just that the approach is a little different because most times d people discover them to reverse engineering the web binary or source code review. It's a little different from the typical black box approach that I think kind of sets apart how we used to approach targets in bug bounty. I mean obviously some overlap these days, but how we see it in boundary research.

[00:09:35.64] - Justin Gardner
Yeah, it's a different world, man. A lot of people take a vulnerability research approach to bug bounty and then you know, will and that's great. Sometimes, you know, they find zero days and those get spread, you know, across all the book Danny programs and you get, get results from it. But it is a very different skill having sort of like a black box environment and, and trying to, trying to test through it and, and I think it's also very different than what a lot of people perceive from like a, an apt perspective as well. Like if you're, if you're working. I've just anecdotally spoken to some of my friends that have worked in that sort of environment, but from what I understand, it's very rehearsed. A lot of these operations that are happening, they're spending more time doing the zero day analysis. They're saying, okay, I know that our target over here is using this software stack or whatever, so I'm going to go download that, reproduce that whole environment, find a zero day and then utilize that against my, my target. Right. That's the normal flow versus like with Bug Bounty it's like all right, let's like just show up and just guess at what's happening and like hack stuff. So it's, there's a, there's a bunch of different realms to all this and Bug Bounty definitely doesn't correlate one to one with, with any of them, I think.

[00:10:56.62] - Eugene Lim
Yeah. And I think it's super interesting as well having, you know, seeing more crossovers because I think you had a episode with Sharon couple. Yeah, yeah. So met him. Super cool guy. Right. And you see the things that come in the Bug Bounty. You have a completely different approach and it's pretty amazing the kind of things they find. And the other way around as well.

[00:11:14.40] - Justin Gardner
Yeah, yeah. And then, and then even within Bug Bounty, right, there's more like the PWN to own realm and stuff like that, which is a whole different beast. So yeah, definitely lots of different strategies that can work.

[00:11:25.34] - Eugene Lim
Right.

[00:11:25.58] - Justin Gardner
You know, you can do the traditional Bug Bounty approach like we did in the beginning where it's like, all right, we, we show up, we open up our Kaido or burp suite instance and we hack some stuff. Or you go the vulnerability route research route more like Sharon or anybody who's doing vulnerability research. So definitely lots of way to ways to approach the game. And so I guess going back to the book though, I love how it starts with chapter zero. Thank you for that. That's great.

[00:11:53.12] - Eugene Lim
Zero index.

[00:11:54.94] - Justin Gardner
Yes. Yes, that's beautiful. I don't know, when I see stuff like that, I'm like, yes, this is the right material that I want to Be reading. And then it goes. So it goes. Day zero, taint analysis. And then chapter two is called Mapping Code to Attack Surface. And when I read that title, and actually I want to go through each one of these chapters and sort of talk to you a little bit about what your mentality was with it. Because, you know, to be all right, Eugene, you know, I have a little man crush on you. Like, I've got your little, little, you know, plushie sitting right in the background here.

[00:12:32.05] - Eugene Lim
You're in my wedding cell.

[00:12:33.53] - Justin Gardner
Yeah, exactly, exactly. So I really, I have high expectations for this book and I want to go through each one of these chapters and kind of pick your brain a little bit about what you're thinking on each of them. But the one that one that stood out to me was chapter two, Mapping Code to Attack Surface. Because it really reflects one of the principles that I talked about. I talk about whenever I have access to source code, which is this one quote from Sam Erb, who I think you might have met at live hacking events. But whenever I was a little bit younger of a hacker and Sam and I were hacking together, and I was looking up to Sam as this guy that has been more experienced in industry. He says, I always like to play this game called the Find the Endpoint game. And essentially he's using an app and he looks at his HTTP proxy and says, oh, here's an API endpoint. Let me go find where that API endpoint is triggered in the client side code and where it is defined in the server side code. And then just work backwards from there, like what routes are adjacent to that, what functionality is adjacent to that, and then just use that to make sure you're getting the full picture of the application. That's such a simple concept and it has worked so well for me whenever I've done source code review. So that's kind of what I imagined this chapter two was about. Is that accurate? Is there more to that than what I've described here?

[00:14:00.83] - Eugene Lim
Yeah, so I think pretty much that is one of the key concepts, right from sink to source, trying to find the vector to reach the vulnerable function that you're looking at. But I think also part of it was about expanding your definition of what the Attack surface is, because this is something that I wish I learned like three years ago. Right. Because you first start obviously with APIs and endpoints, and at some point you kind of realize there's more to it. Right now there's like WebRTC, there are other protocols that still go over the web for one reason or another. And the people who actually take time to understand these post message and all kinds of other client side properties, they expand the opportunity so much more. And so I think that was kind of thing I was trying to get across as well is like, hey, let's go beyond this one thing. And now you have many things and this kind of expands all your options as well. And that makes things exciting because then you can chain them and bring out a lot more interesting exploits.

[00:14:57.30] - Justin Gardner
Absolutely, man. It's funny you mentioned WebRTC because I was looking at a target that was using that the other day and I don't know, maybe you just threw it out there as one of the adjacent technologies, but I have not seen anything that allows us to effectively inspect that traffic.

[00:15:13.09] - Eugene Lim
Yeah.

[00:15:13.90] - Justin Gardner
Have you looked into that at all, like from a technical perspective or is that something that. Am I knocking on the door of some research that's unreleased yet or what?

[00:15:22.60] - Eugene Lim
Yeah, I mean, so I haven't actually looked at WebRTC specifically, but what has interested me a lot is the browser APIs that are available these days. Right. There's so much weird stuff going on that are not just simple HTTP requests anymore that a browser can do. And the tooling for that is super interesting because it's probably in a binary. You have to do some kind of. You could intercept it, but you probably do have to do some kind of debugging as well to get there. The crazy thing is that these days people are writing applications that use WebRTC to send API requests and there's some really interesting stuff in there.

[00:15:59.26] - Justin Gardner
Yeah, dude, it's very fascinating. And I have only because I've been so siloed in web a lot of my research experience, whether it be. And applying that to IoT and mobile. Right. Because it does apply. I feel like my perspective is a little limited, but when I have strayed away from HTTP protocol and focused more on SIP and, and like custom binary protocols, I'm thinking of like three or four bugs that I found in those arena. Very limited set of experience. But I look back on those so fondly, I'm like, yes, that was the real hacker shit.

[00:16:42.54] - Eugene Lim
No, I still remember the SIP bug that you found in that. I think it's a biggest Vegas event. Right? Yeah. That was amazing.

[00:16:48.13] - Justin Gardner
That's right, man. I was just. I don't know, man. It does really energize me in a way that, you know, a lot of other stuff doesn't. And I guess just speaking anecdotally, personally as well, like I've talked to a friend recently who's kind of struggling with. Okay, now I'm like, three years into bug bounty and I'm, like, kind of getting comfortable with everything, and I want that again. I want that, like, something needs to be interesting and new. And while I totally understand what he's saying, like, I also am a little bit of a sucker for just like, good old HTTP vulnerabilities, man. Like. Like, I don't. There's just something inherently about Justin that just loves to find a freaking exercise, you know? Yeah, Yeah. I don't know. It's just. I think I'm paired pretty well to it because it's like, there's still a lot of, like, passion and excitement that comes out of finding a vulnerability that I've found like, a thousand times before. So I don't know, maybe that's just me, but definitely, you know, looking deeper into those different protocols and stuff like that is really exciting and I think is a very ripe attack surface for anybody who's willing to take that extra dive. And you're helping people do that with this book. Let's backdate it a little bit. We talked a little bit about mapping code to Attack Surface. Talk to me about Day zero and Taint Analysis, specifically. Taint Analysis is interesting to me because that is a very interesting term that I've seen applied to a lot of different things, and I think that fits the global viewpoint of your book really well.

[00:18:21.16] - Eugene Lim
Yeah. So what I found interesting, because obviously it's something that we all have picked up intuitively in this space. Like you mentioned, code review, trying to figure out where the endpoint, find the hidden endpoint. That's essentially it. You're trying to find the sync, which is a vulnerable function or some kind of exploitable part of the code, and you're trying to trace it back to the source, which is where your initial inputs come in. And hopefully there's nothing along the way. And what I found in the binary space was pretty interesting, is that it's a fairly technical term. It's a term that a lot of PhDs use, but it's actually something that we figured out intuitively at some point. And the key thing about this is that once you're doing code review while doing it manually is one way of doing it. Taint Analysis is this huge field that there's been so much research poured into that in the cadet space modeling code basis. So you can do it completely automatically. That's how, like, CodeQL works, and I guess Deep Semgraph works these days. But there's so much more to it as well, because then how do you quickly abstract, for example, a sanitizer, some kind of function that will break your flow, right? And you're like, okay, time to look at something else or something that can propagate your inputs, something that might not obviously look like it's going to pass your input to somewhere else in the code, but it does, and you just need to be aware of that. And so a lot of it is just really kind of exploring, unpacking this kind of academic sounding subject, but making it practical.

[00:19:51.59] - Justin Gardner
Dude, that's freaking exciting, man. I need that. That is what I need. Okay, because there is a lot of that, right? And there is a lot of, I think a lot of really positive stuff comes out of the academic research that is done into cybersecurity and I think we'd be a fool to disregard that. But I feel like there's two juxtaposed worlds, right? In security research. In a lot of ways you've got the guys that are a little scrappy like us, that prefer our little two page blog post and maybe the research is really in depth, but it's pretty to the point. It's not really necessarily sharing the journey, you know, it's not really conducted in a way that is as academic sometimes or as thorough. And then you've got these really, you know, well written, long academic papers with, you know, that may or may not have, you know, amazing takeaways buried in them. But you know, when we try to access that academic research, sometimes it's a little bit, what's the word? A little, a little bit overwhelming because it's like, I don't know how to read this. This is like its own language. So I'm really looking forward to that. And I think one of the things said there that really hit the nail on the head is input propagation. That really resounded with me and it made me think of, you know, I want to say, man. Was it earlier? No, it must have been last year. At the beginning of last year we did a little stint on the pod into WordPress security research. And you know, I have, I was a PHP dev. That was my first job. And uh, like I, I felt pretty confident. I was like, yeah, I can read PHP, like this isn't a big deal, right? But WordPress is its own thing, right? Like there, there's a lot of ways that there's hooks throughout the WordPress ecosystem that take your input and propagate it to other spaces, right? And if you don't know where those hooks are, then it's, it's very unintuitive the, the code, the flow of the code. Right. And you miss a lot of attack surface if you're not aware of those. Yeah, and, and my takeaway from that experience was, wow, whenever I'm doing source code review, I really need to understand thoroughly how input propagates through the system. So that makes a lot that really aligns with that. And yeah, I think it is a difficult thing to figure out how to do, and I'm amazed that there may be some way to do this in a more automated fashion that CodeQL or other systems would be able to trace. Pretty simple.

[00:22:27.96] - Eugene Lim
Yeah, for sure. I guess part of it is also like, you know, going beyond source code and I guess we'll talk about this in the later chapters and you know, how you just not just do this in source code, but in binaries. Kind of a gray box approach as well.

[00:22:40.83] - Justin Gardner
Yeah, yeah, let's definitely do that. So moving down through the chapter flow, the next one is automated variant analysis. So here's. Okay, let me just put my cards on the table here, Eugene. Okay, Here, here are my cards. Here they are. What I want is to go through each one of these chapters and I want you to give me a little tidbit of like what I can expect to take away from this book. Right. Because, because, and this is, this is, like I said, cards shown, mutually advantageous to everybody. Right. We get some, some, some nice tidbits for free in a two hour podcast and you know, we get to get more interested in the book. So let's go through here and take tidbits from each chapter. So tell me about automated variant analysis. What's the 80, 20 of that chapter that we need to know about?

[00:23:33.10] - Eugene Lim
Yeah, so I think one of the things is that when you look at CVEs, they don't often come in, they come in batches because obviously someone discovers a common vulnerable pattern in the code and then they just replicate that across the code. So that's one way to do automated variant analysis. You might see a new CVE come in. It might make sense to just not just dismiss it and say like, hey, it's not anymore. It takes time to break it down, understand it, and then look for other patterns in the code and you can find your own zero day from that zero day. Right. And then the second part of that is then how do you just go beyond a single target and then you go to all the targets? Right, because sometimes these patterns are replicated in Many code bases, either because they use the same library or they just use an open source piece of code and just allows you to then find serious in everything, basically. Right. I think you've done something similar. I feel like you've done something like that before, right?

[00:24:34.70] - Justin Gardner
Very much so, yes.

[00:24:36.65] - Eugene Lim
I guess it's kind of like putting to words, like things that we kind of know intuitively, we practice and then crystallizing it moving forward. Yeah.

[00:24:45.75] - Justin Gardner
Essential, man. I just wanted to say with that rip CVEs, did you see the whole, did you see the whole thing that came out? That's crazy, right? Is the CVE program just being defunded?

[00:24:57.47] - Eugene Lim
That was like a one day notice basically.

[00:24:59.19] - Justin Gardner
Right?

[00:24:59.39] - Eugene Lim
And they just sent this letter out and everyone's like, what?

[00:25:02.65] - Justin Gardner
Like that's not good. Yeah. So I hope, I guess, you know, it's currently April 17th when we're recording this and it's my buddy's birthday, He's a security researcher as well. He put in a chat and he's like, my birthday wish has come true. CVEs are being removed. I'm like, what the Frick?

[00:25:24.30] - Eugene Lim
Yeah, no CVs, no vulnerabilities. Right?

[00:25:26.61] - Justin Gardner
Yeah, but that would be such a pain if we didn't have access to that data source because like you mentioned here, it's so helpful for understanding. Okay. What kind of mistakes have. Has this target software made in the past that they might be more vulnerable to in the future? So, yeah, I hope they get that.

[00:25:46.92] - Eugene Lim
Yeah. I mean, I saw this funny tweet where I was like, now is the time to bring back like bug track. Like that mailing list where people just used to dump zero days and be.

[00:25:54.86] - Justin Gardner
Like, all right, bye, bye, bye. Full disclosure, no coordinating, nothing. Let's go. Nope, that's crazy, man.

[00:26:03.52] - Eugene Lim
Yeah.

[00:26:03.83] - Justin Gardner
I mean, hey, I would, I, if everything got full disclosed, I wouldn't complain. I probably would complain, but I would be a little bit happy too, so.

[00:26:13.23] - Eugene Lim
Right.

[00:26:13.91] - Justin Gardner
I don't know, man. I feel like, I feel like over the past couple of years, but bug bounty is an amazing thing, man. But, but it also does turn you into a little bit of a green hat. Right? Like, like I, I was at this, this Google Live hacking event a couple weeks ago and, and I was talking to a guy that was very instrumental in making a decision that makes browser exploitation very difficult from an XSS utilizing XSS perspective. And I was like, what the heck's wrong with you? Why would you do this? And he's like, dude, we're trying to make things more Secure. And I'm like, I get that, but you just made my job so much harder. And he's like, yeah, literally my job. And I'm like, fair enough. So, yeah, that makes sense. Okay, moving to chapter four. This is binary taxonomy. This is one of the ones that is available online for free now. And I told you right before we started recording that I printed this whole thing out, and I intended to sit down and read it last night before the pod in preparation, but some family stuff got in the way. But I did jump over, and it seems to be just understanding how different, you know, environments, binaries are structured and getting access to source code from different types of binaries. Like, can you. Can you tell me a little bit more about that? Like, is that explanation correct?

[00:27:41.49] - Eugene Lim
Yeah, for sure. I think part of it is also trying to write for me, like, three years ago, right, when I was doing, like, web, and you know, your friend as well, who's kind of like, hey, kind of like learned all these things in web, and I want to find something new, right? And. But how do I get there? And part of it is really just like, demystifying, like, binary foundry research. Because for a lot of us, it's like, whoa, ghidra. Like, sounds hard, man. Can't read assembly, you know?

[00:28:09.46] - Justin Gardner
Yes, that's me. Yes. Right. I'm here. I am your target audience.

[00:28:14.95] - Eugene Lim
Well, great. Yeah. So part of it is like, you know, binaries are not binary. You know, there are many things, right. They might be just.

[00:28:24.55] - Justin Gardner
Dude, what a quote. Richard said that in the beginning of the podcast. That is going to be our hook for this podcast. That's amazing. Binaries are not binary. Okay, I'm sorry, continue.

[00:28:35.18] - Eugene Lim
Yeah, I mean, some of them are literally like Node JS apps, like, bundled into Electron js, right? And you can just unpack it and read source code. Some of them are like Java, where it's pretty much like an Android app. You can again, decompile them to pretty readable source code. Yeah, you can also.

[00:28:52.50] - Justin Gardner
What a game changer, right?

[00:28:53.72] - Eugene Lim
Exactly. And of course, some of them are like compiled code, like golang, but there's still a lot more that you can do with all of that. And so part of this introductory chapter to binaries, to reverse engineering, which is the second part, is about, firstly, demystifying that to make it seem a lot more approachable. It's like, hey, there are multiple ways you can approach this target. And you and I, we've experienced this before because we have dealt with, like, hardware events and we've dealt with, you Know software events. Right. Where it wasn't just a web app anymore, it was just this scary looking. Like, I'm not even sure if it's like life hacking classified or not. Right. Desktop app. Let's just go with that. And what I found in those life hacking events was that like a lot of people actually got stuck because they tried to go back to like web a lot of time. But for those who like went a little bit further and tried to actually look at this desktop app, they got like so many bugs. So many interesting bugs. Yeah.

[00:29:46.91] - Justin Gardner
And ones that were not that far below the surface. Right. Like, I think that it was very kind of you, Eugene, to of all these chapters, disclose this chapter for free online. Because I think that this is one of the biggest game changers and one of the things that people really do shy away from. Like you're saying is like, okay, it's a binary. That's not me. I don't touch that. You know, like, like. But if it's, you know, if it's a net binary and you just drop it into peak and boom, there's the source code. It becomes much, much, much easier to find these vulnerabilities. So just having an understanding of what kind of binaries exist out there and what format you can get them to, you don't have to throw them all in Ghidra or whatever and jump through each individual bit. That is an absolute game changer. So definitely, definitely recommend to the, to the viewers. Well, first, of course, I'll recommend to the viewers, you need to go buy this right now. This book, pre order this book. And we actually have a deal for you. When do you want to do that? I guess maybe. Tell you what, Eugene, I'll put something at the beginning of this podcast actually with this, with this code. But the code is zero day deal and we get 30% off. Is that, is that right?

[00:31:00.52] - Eugene Lim
Yeah, 30%. Yeah.

[00:31:01.97] - Justin Gardner
Okay, cool. I'm going to put that at the beginning. So you know, everybody who, it doesn't take as long to be convinced. Exactly. Can go ahead and grab it. But absolutely, the binary taxonomy chapter is out there. So I'd recommend to any of the viewership to go read that and at least understand when you are approaching a binary target what your options are. Because it's so much easier to work with Java or decompiled Net than it is to deal with just black box or trying to throw all this stuff into hydro. Yeah. Okay. Moving back to chapter five. This one's titled Source and Sync Discovery. This has been a reoccurring debate on this podcast, Eugene, of what do we do? Sources to sinks or syncs to source? You've said a couple of times already that for you it seems to be a little bit more sync to source. You identified the vulnerable portion of the code and then you work back. Is that always your methodology or is there any deviation from that?

[00:32:09.93] - Eugene Lim
So I kind of think about it like this way, right, because it really depends on firstly, like source code analysis. If you have the source code, then I think sync to source makes a lot of sense because it's kind of like you have a kind of a maze, like those little mazes you used to use your pencil and try to trace it. And what's the best way? Do you start from all the outside entryways or do you start from the middle and then try to find a way out? Right. That's kind of the analogy I use in the book for source code review. But as you can tell in reverse engineering, I'm kind of like a little bit of both. Right. And I think the key thing is understanding, understanding all the sources and the syncs available to you. And part of it, what I discussed later on in the book is that before JNDI log 4J was a thing, right? No one kind of thought about JNDI exploits because it was just this thing that came up in a conference once and it kind of faded away. And only when someone actually took the time to understand this conference paper and then find an expert. In North 4J, everyone was looking for JNDI experts moving forward. And so depending on what your understanding of what sources and syncs are available to you, then there's a lot more options for you to trace back and forth. And that's what I try to bring out with this chapter in reverse engineering, is that you have to understand your target. Is it exposing a remote attack surface? Is it something like more local? And then that can give you a more informed decision of which way do you want to go?

[00:33:44.29] - Justin Gardner
Yeah, that absolutely makes sense. And I love that you said what you said there about understanding both the sources and the sinks. Right. Because I think that's where it becomes a little more nuanced. Right. Like we, we've debated on the podcast a couple times. Like, I think when Joel was on, we, we used to debate this often. But one of my approaches with all of this is like, when I'm attacking a new target, especially when I'm not time bound by a live hacking event, I want to spend some time getting intimate with the app. Right. That's one of our Little things we, we, we say here on the pod. I think that came from me like fumbling my words sometimes or something like that. But it works, right? You need to get intimate with these apps and you need to understand the nuances of how they work. For me, one of the best ways to do that is to look at the sources. Where does my data flow into the application and how does it flow through all of the different pieces? Have I observed in the front end something happening that I can't trace at the code? Okay, well my input's getting propagated somewhere that I don't understand and I need to figure that out. You know, I need to figure that out early on so that, you know, when I'm assessing the other parts of the code base I can, I can actually accurately trace what's happening, you know, and, and so that's why I always say, like, I actually spend a lot of time looking at sources in the beginning. And I think that it also informs what kind of exploit you want as well. Right. Like, not to say that AUTH bypasses don't exist. They absolutely do. But if you're looking for a unauthed rce, you probably shouldn't go look at all these AUTH routes first. Probably what you should do is focus on the unauthed portions of the code base. How do you get access to those flows? Obviously unauthed portions probably for most apps are going to be a much smaller subsection. Let's narrow it down, let's focus on those and then let's trace those from source to sync and try to figure out what kind of things we can hit. But then obviously when you're dealing with larger code bases, that gets super overwhelming. Right. Like, like what are. There's so many routes, there's so many places that this could go. You're kind of forced to do it backwards where you say, okay, well let me find some code that looks sketchy. You know, over here we're constructing an SQL statement in a little bit of a sketchy way. You know, is this, is this variable actually typed? You know, like that sort of. Right. And then, you know, tracing it back up the stack. So I think it is, you know, something that requires judgment on it on a, on a case to case basis. Right. And I think, you know, this chapter will probably add a little clarity for most people that don't know how to play that game.

[00:36:29.44] - Eugene Lim
Yeah, for sure. Especially in the context of like reverse engineering where you don't have, sometimes you don't have the source code, but you Know, it's just a big blob and it's kind of scary. But then, you know, there's actually a lot of tools that you can use dynamic analysis with debuggers to then just trace the whole flow out for you. And that's what I'm also trying to bring out again, just kind of bridging this gap.

[00:36:50.86] - Justin Gardner
Yeah, I think that is a new world for me as well in the world of binary analysis, chasing all that through. And I've often thought in the world of source code review that I should just sit down and write some tooling relating to this sometimes, because I often. It's pretty clear how all this works. You look at a. A function that is tied to a route and you trace the input through it, and then you jump to a different function and there's this path that comes. Then sometimes you need to backstep a little bit in the path and go to a different execution path. I thought that there's this VS code extension that I use called bookmarks that will allow you to bookmark specific locations in the code and jump back to that really quickly. And obviously VS code has. You can jump back to where your cursor was last and you can kind of step through the code that way. But I've always thought that there needs to be some better tooling defining vuln pathways through the code. Eugene, I just thought about this. How sick would it be if you had that and then it would automatically build out those graphs that we do in every report where it's like, okay, here's the source and then here's the middleware, and then here's the next code and then here's the next one. And then you just mark the key lines.

[00:38:08.03] - Eugene Lim
Yeah.

[00:38:08.42] - Justin Gardner
And then say export pathway. And it says, okay, code flows from here to here to here to here to here. And you get that snippet and you just paste it into the report. Right?

[00:38:16.21] - Eugene Lim
Yeah.

[00:38:17.71] - Justin Gardner
That'd be so helpful, man. Oh, my gosh.

[00:38:20.17] - Eugene Lim
I mean, that's crazy thing, right? Because, like, it's actually like such a hard problem. And when you think about like CoQL semgrep and later on Reverse Engine, I talk about this tool called Anger. They're all literally written by like, PhDs, because.

[00:38:35.36] - Justin Gardner
Right.

[00:38:35.84] - Eugene Lim
And. And part of it is interesting because obviously they have the expertise and the deep understanding to really kind of. I guess this is like computer science. Like call graphs and stuff like that.

[00:38:46.44] - Justin Gardner
Absolutely.

[00:38:47.80] - Eugene Lim
But then also it goes into the hands of researchers who have a very different take on it. It's like we want to find vulnerabilities, Right. And kind of bridging bells too, between this really complex tools and I want to find bug kind of vibe is actually part of the challenge, I think.

[00:39:05.67] - Justin Gardner
Yeah, it's a classic software problem, actually. We have the more technical author of the code and they write it, how they try to put themselves in the user's shoes and try to build a software that works for them, but then you've got the normal user. Maybe I shouldn't represent it this way, but it's a classic software engineering thing where it's like, all right, think of the user as a potato. They are going to make every possible mistake that they could possibly make. And your job is to make the UI as intuitive and as simple as possible. Right. That applies to us super technical researchers as well, that sometimes the software isn't always going to be as super intuitive. And I think that's why there's a lot of room for things like this. Right. Where you, Eugene, have taken the deep dive on some of these softwares and taken the deep dive on some of these, you know, patterns and, and make it a little bit easier for people to sort of step into that and feel like, okay, yeah, I actually do have a little bit of grip on how some of this stuff works. So that, that's great. I appreciate that. And I need to do that for some of the softwares that I've. I've written and, and stuff like that as well. Okay, Chapter six, Hybrid Binary Analysis. Hit me.

[00:40:29.01] - Eugene Lim
Yeah. So I think what I'm trying to say here is that you can use static approaches where you kind of reverse engineer something. You put in IDA or Ghidra or Dots peak or whatever, and you decompile it. And this is all this stuff that you have to go through. But like you said, there's some code bases that's so massive that it's almost impossible to do it statically. Then the other approach you have is hybrid analysis where you use Frida to write hooks to step through a program. I guess dot peek is something you can use as well in the debugger. And this gives you a pretty good understanding of the application, but it's only what you can reach in that application. What I'm trying to do is that you can actually bridge these two approaches. And I mentioned this earlier, there's some tools like Anger that do something called symbolic analysis where they try to combine both approaches, static analysis and simulated dynamic analysis, to really kind of give you the best of both worlds. What's the challenge with static analysis is that there's too many things to look at. And what's the thing about dynamic analysis is that, hey, you can only look at the things that you are stepping through at that time, which is kind of a limited functionality. You can access through the app and by combining the two, you can actually get a lot more information but also a lot more focus in understanding an application. So this is the most challenging chapter, but I think if you actually understand the tools that are explained in this chapter and you walk away with it, you can actually get really, really good binary format discovery as well.

[00:42:06.51] - Justin Gardner
Yeah, yeah, man, I hear you talk about this and I've heard lots of other people come on the POD and talk about the importance of using debuggers and sort of dynamic analysis. And I'm sitting here, you know, getting ready to ask you the question, like, how important is, is dynamic analysis really? You know, because it is a pain in the ass to get a debugger set up sometimes. Like it really is. And I'm sitting here and I'm realizing whenever I do, you know, I'm a big client side hacker, right? Whenever I do client side hacking, where do I live? I live in dev tools, man. I am constantly in dev tools, right? And like it's setting breakpoints and, and reassigning variables so I can simulate pathways through other parts of the code and quickly validate whether if I can bypass this one sketchy looking thing. Is there even a vulnerability there in the first place? That's exactly what this is on server side as well. It's extremely important. If I needed to spend a couple days getting dev tools hooked into a website, I would totally do it, you know, like 100%. Um, and so I think it, it is worth the, worth the pain. And Frida, I mean, Frida opens up a whole new world too. You know, I think I talked about this with you before, you know, at that same event where, where yeah, actually in that whole flow of that, that SIP related bug, you know, I was showing you all this like Frida hooks that I had into the application, right, that it was a mobile app at this point. And I had to essentially use the mobile app as a, as a proxy, you know, to send these requests because I didn't have a good way to send a SIP request, right. And yeah, I mean it's just absolutely essential when you're dealing with some of these protocols that aren't as built out as HTTP surrounding like tooling for that. And then, and then I remember, yeah, Eugene, the moment where you. It's all coming back to me now, where on that bug I was stuck. And then Eugene was like, dude, you should just patch the binary. And I'm like, the fu. What do you mean, patch the binary, Eugene. But this is a perfect thing, you know, Like. Like, you know, this is why I'm glad you wrote this book. Because a lot of the guys in the web world right at that live hacking event wouldn't have said, dude, just patch the binary. And you did. And that was the right choice. Right. And really all I needed to do in this specific scenario was like, flip one bit to get a header out of the way, you know, and then I can inject my own. So, yeah, dude, that was very impactful to me as a hacker.

[00:44:41.75] - Eugene Lim
Yeah. I think part of it is really, like, expanding your toolbox, right? Because, like, Frida, I think most people understand it as, like a mobile debugger, but you can actually use Frida on the operating system, right? Like Mac OS and Windows, and it actually becomes a lot more powerful for research as a whole. So that's one thing I actually demonstrate in there. We use Frida to actually find a vulnerability in a Windows desktop application, and I think that makes it so much more interesting.

[00:45:10.63] - Justin Gardner
Tell me about that a little bit. Because when I've used Frida on a mobile app, typically I'm using it on an Android mobile app, and I have access to. I decompiled the Java code. I see. Okay. This is the function I want to hook. I grab it. It's got a nice readable name, that sort of thing. Whenever I need to use Frida to hook into a native library, it's like, this is pain in gas, you know, like, and I gotta, like, figure out all this. So, I mean, is it. I don't know. That's kind of how I'm imagining it with desktop apps. I imagine there's more nuance to it.

[00:45:40.75] - Eugene Lim
Yeah, I guess. You know, obviously there's like, some apps that are, like, compiled and stripped with all the symbols, right? And then you get, like, weird function names is basically impossible to figure out unless you spend a lot of time, like, reverse engineering it. And then there's also other API calls that you can make there, like OS level, like Windows API calls that have used very common names, like how we have browser APIs, you have them for Windows and Mac OS as well. And these are also common names that they have to call regardless. And then this makes it easier for you to understand at the base layer. What is this application doing? You may not need to go all the way deep into the internals of the application. But you can understand how that application is interacting with the operating system or with the web, because these are pretty common function names that you can just hook on and understand.

[00:46:33.15] - Justin Gardner
Dude, that's pivotal. That makes so much sense. You know where you want to get, you know where you want to snag these pieces of interaction, where it's hitting pivotal pieces of the operating system or the browser, whatever. So you hook on those. That's good. That's great. Yeah. Dude, just fetch the binding, man. Dude, shut up, Eugene. I'm going to do that right now. No, that's great. That, that definitely helps. And thank you, Jane. This is exactly what I'm looking for. The, the, the. The quick and dirty tips. Okay, speaking of quick and dirty, next chapter, Quick and dirty fuzzing. Talk to me about that because. Okay, well, first I say talking about that. Let, let me, let me yap about it first and then, and then I'll, I'll let you talk about it because I feel like fuzzing is something that I've talked about on the pod a couple of times before. And I see a lot of high power hackers use it specifically. Franz is like a notorious fuzzer. He'll just like throw every character at everything. And I'm like, why are you doing that? You know, like that seems like such a, a, a time sink, right? But then he's like, yeah, you know, I knew from this $1 sign being injected into this one spot that there's like this crazy bug down, down the pathway. And I'm like, wow, okay. And, and I think it's a whole. I think it's a hole in my own methodology personally. So I'm definitely interested to hear how important this is to you and your methodology attacking not only web targets, but you know, and obviously it's more important in binary related targets.

[00:48:04.03] - Eugene Lim
Yeah. So I think again, like pretty much with the first chapter of the parts, the other parts, right? This is my first chapter to the fuzzing part. And the goal of this chapter is really to just say it's less to demystify it and also to explain why it's easy to kind of get started. And that's why I say quick and dirty. Right. Because a lot of times these days fuzzing is pretty advanced. People have attached debuggers to it. It's like basics guided fuzzing, smart fuzzing, as they say. But the old ways still work pretty well, which is dumb fuzzing. And what that means is that you have a vague understanding of the structure that the application expects or the web application and you just kind of go wild with it. You just throw everything at it, right? And my argument in this chapter is actually like, there's actually a lot of CVEs that you see out there. Like you could have found them with a dumb fuzzer, right? And so what's the gap, right? The gap is like, oh, fuzzing is this thing that seems a bit scary. I don't know where to start. And so what I do in this chapter is really introduce a couple of like, you know, fairly simpler fuzzers that you can use to then just get started right away. And you will see in a lot of the kind of pontoon write ups, they actually use dumb fuzzers to start with to kind of get the intuition of the app, like what Franz was saying, right? It's like, oh, I found out that this dollar sign was weird. And then from there they can kind of do deeper research. But the point is just get started, just fuzz it, right? And what I hope to do is that this lowers the barrier of entry to the reader and be like, hey, it's actually not that hard. I can fuzz this target. And you can actually find a lot of with just this starting point.

[00:49:45.57] - Justin Gardner
Yeah, yeah, I'm thinking through that as you're saying it. And I'm thinking, yeah, there's so many applications for that in so many ways that that makes sense even in a time bounded engagement, right? Like Ponetone or like the live hacking events where it's like, okay, I don't have time necessarily to build out this smart coverage guided or debugger utilizing fuzzing environment, right? I just got to throw everything at it and then like just give dedicate a computer to it 24,7 for the rest of this event, you know, and just grab the weird stuff that pops out and see what I can do with it, you know. And I think there's actually, you know, in the web world there's an interesting application for this as well, which is kind of where I live a little bit, which is that I've been kind of mulling over, which is I think there does need to be. And there is a possibility nowadays for a fuzzer that is a little bit more intelligent, that doesn't require a lot of configuration in the web world and that is by using LLMs to process the body of either the request body or the response body and say, okay, where are these IDs that I need. And then start using those to automatically build requests and then fuzz on top of them. Because maybe consider this situation. You have a post Request, it has three IDs in it. If the first two are valid objects, then the third one is going to be put into an SQL statement. If you just throw a random fuzzer at that, then you're just putting backtick and everything in all of those different fields. Then you're not going to catch the SQL injection in the third id. But nowadays where we can easily say, ok, we need to grab this id, this id, this id, and we have a way of really easily identifying that by looking at the JSON body and correlating those. I think it should be much easier for us to isolate each individual endpoint or each individual entry point for data and then fuzz at that specific level with valid values for all the other entry points for data. So I guess that's a little bit the opposite of what you're saying in web, but I mean it applies definitely as well that like Franz was saying, there's lots of value from just throwing a basic fuzzer at it without thinking about too much configuration and then you'll get a lot of results out of that.

[00:52:14.98] - Eugene Lim
Yeah. And obviously you're not just spamming this huge stream of random bytes, which is fine, but even just a very basic understanding of like hey, this expects JSON text or hey, this expects a Word document, and with some understanding of what that word document format should look like, then you can fast a bit smarter. But you don't have to go all the way and try to build something too complex. You can just get started right away.

[00:52:41.13] - Justin Gardner
100%. Yeah. And I was also recently talking to someone who, what information should I give about this? Let's say someone who is on the receiving side of a lot of really, really complex, extremely high impact reports to pivotal technologies. And, and one of the things they were saying was, and these are things that probably, you know, the researcher gets paid somewhere between 500,000 and a million dollars per buck. Right?

[00:53:13.76] - Eugene Lim
As one does.

[00:53:14.90] - Justin Gardner
Yeah, yeah, right. As one does. Right. You know, there's maybe like as one, literally one, you know, like. No, as a very few, you know, a handful of researchers in the world do. And one of the things that they were saying was oftentimes these, this is like a prime example of taking the application and bending it to your will. Let's say you've got a delivery mechanism, but you've got six different layers of okay, I got to break this technology, I got to break this technology, I got to break this technology along the way. If you're trying to make more complex endpoint or exploits that really get you all the way to unauthenticated rce, a lot of times you do have to address these technologies that are a little bit lower down in the stack. For example, when you're attacking iOS or something like that, I believe a lot of the bugs that have come from that are attacking the image parser, because you just send an image and a text message or something like that, and then iOS is like, oh, let me parse this image. And then they blow everything up. Right. And that's very relevant to this fuzzing piece is like, okay, you know, I have an entry point, and my gadget then becomes. Now the app is automatically parsing a JPEG file. Right. You know, how do I use that gadget to trigger a insane flow of vulnerabilities? And the answer to that has to be, you know, you've got to be a dynamic hacker that can take. Okay, now I've got this app using this parser. I need to fuzz the heck out of this JPEG file and see where I can trigger crashes and then kind of utilize that to build out the full chain. Super important fuzzing in those sort of scenarios.

[00:54:58.78] - Eugene Lim
Yeah, it's pretty insane because some of these, like you said, these complex chains, I think there was this really. I can't recall exactly which format it was, but it was this really complex one, like a year or two ago where it was like, this guy literally built like a Turing machine or Turing Complete Machine using all these little gadgets.

[00:55:14.38] - Justin Gardner
Oh, my gosh. Wasn't that crazy?

[00:55:16.13] - Eugene Lim
Yeah, that was.

[00:55:16.73] - Justin Gardner
Yeah, that was nuts.

[00:55:18.55] - Eugene Lim
And it all starts with this little overflow or integer underflow or use after free. And you just need to find that first gadget and then you can start building, because we can build that quite intuitively. Just throwing a stream of bytes sometimes might just lend you that one.

[00:55:37.92] - Justin Gardner
Yeah, man, it's crazy when you think about gadgets. We talk about gadgets a lot on the podcast as a building block of exploit development. And. And, yeah, in those conflict situations, one gadget might be. Now we're parsing a JPEG file, and I'm like, oh, my gosh, that is the shittiest gadget I've ever heard of in my life, but is absolutely essential to a lot of these exploits. Okay, chapter eight, chapter nine, coverage. Guided fuzzing and fuzzing everything. Tell me a little bit about each one of those.

[00:56:10.63] - Eugene Lim
Yeah, so for coverage guided fuzzing, I think this goes beyond what I said earlier, which is dumb fuzzing. And this goes to smart fuzzing, which actually what you described earlier with LLMs is a really interesting way of talking about smart fuzzing. Because the goal of smart fuzzing is that with each kind of new input that you fuzz, you randomize it or you send something new, you get some information that tells you a little bit more about what your input did to that application and then use that information to then smarter inputs. You might use that in the binary sense to reach more parts of the application because you're like, hey, now that my input looks a little bit like a word document, it opens up this function that calls like password document, right? It doesn't just reject it from the start. And then the fuzzer is like, okay, now I can just keep building on this initial word document and fuzz on it instead of trying to fuzz something completely new. And that's really the goal of like coverage guided fuzzing is to build a better understanding of the target and from there getting right deeper into the application. And that requires some setup. Right? It's not like dumb fuzzing where you can just get started quick and dirty. You need to write, harness, you need to like understand the application a bit more. You need to tweak your inputs. And that's what this whole chapter about, just getting you into that and understanding this critical thing. I think it's one of those things that everyone knows is now kind of close to the standard of fuzzing. Like what you need to do to get started in fuzzing, but it's always set up, is always challenging, it's always difficult. And I kind of demonstrate that through a practical example of how we can just do that right away.

[00:57:45.63] - Justin Gardner
Absolutely. Yeah. That is definitely a different layer. Right. When you're able to do it intelligently. And my mind definitely thinks that, you know, as, as it's spinning for web, that we should look at the ways that, the ways that binary researchers have taken fuzzing and utilized them because it is such a more pivotal part of binary research and how to apply that to other areas as well. You know, obviously mobile uses a lot of similar concepts as binary exploitation, but also in web, you know, how can we, how can we isolate, you know, certain paths of code and, and try to fuzz those more thoroughly? Very interesting. It's unfortunate because we don't have as much introspection in these black box context. And if we had, you know, These web apps and we hooked debuggers into it, then we could essentially do the same thing. Yeah, but not, not always the case, rarely the case. And so I guess chapter nine, fuzzing everything. Is that sort of similar to what you were saying there with. With coverage guided just kind of extending that further?

[00:58:45.76] - Eugene Lim
Yeah, I think it's kind of like blowing it up. The definition of what people typically think about fuzzing, because a lot of people think fuzzing is just like this pure binary thing, right? You just send like say jpegs or documents or something. But what I'm trying to say is that you don't just have to fuzz that you can fuzz a web application, right. You can fuzz Java application that isn't like a pure binary, but it's actually still possible to fuzz it and use coverage guided fuzzing for it with the right tooling. And you don't just have to, you know, send binary blobs. You can send text, you can send like, you know, jsons and so on and so forth that allow you to fuzz a lot more. And I think this is something that the web portion of research has been really good at in that they use that like Franz, as you said. But that's what I'm trying to encourage as well. For people who just think of fuzzing as like only for binaries is actually not the case. You can use it for everything else. Very cool.

[00:59:33.94] - Justin Gardner
Okay, chapter 10, we're closing out here beyond day zero. What does that last chapter entail?

[00:59:39.40] - Eugene Lim
So this is the be a good person chapter, right? Because it's like you've got your zero day. What are you going to do with that? So I talk about responsible disclosure. I talk about how you can utilize that. The person you talked about at the Google event, right, it was like, obviously they take the things they've learned and apply them to make it more secure. And so I kind of focus a bit on that because I think it's really important, especially in this space, as we just discussed with the CVEs. Right? It's actually, I think a lot of people think of CVEs as a collector's item, right, to, to add to the trophy case. And in some ways that's a good thing, right? Because that shows that you've found an actual vulnerability. But a lot of people also kind of take these things for granted, right? Actually the CVE system is like run by, you know, it's community based system, it's run by Mitre, but it's run by many people in the community, and it can break so easily. And so I try to kind of expand that kind of thinking. It's like, hey, it's cool to find out zero days. Cool to, like, make money from it. But just think a bit more about how you want to contribute back to the space and, you know, be a good citizen in some ways.

[01:00:43.15] - Justin Gardner
Classic. Classic space raccoon. Yeah, yeah. Now take. Now listen here, y'all. Don't take this and do anything nasty with it. I don't know why you have the Southern accent in my head. In my head in this scenario. Yeah, yeah, that makes a lot of sense, Eugene. And, you know, I don't know, there are a lot of people that are a little bit more gray hat than they should be, in my opinion. And I've always been inspired by your commitment to ethical. Ethical. Ethical hacking. Like, really, really ethical hacking. It's definitely. You're definitely a good person to have that. Write that chapter at the end and inspire you. Yeah, exactly. Take this with you. Don't go alone. Awesome, man. Well, I have to say, man, I'm pretty impressed that we just went through all of those 10 chapters and you remembered what is in each chapter and were able to succinctly represent it on the pod. Because as somebody who I guess I don't type it out and write it, and maybe I haven't reviewed it as many times, but I very much have this problem of. Especially when Joel used to be on the podcast, I would say something on the pod, and Joel was like, yeah, you said that on the pod last week. And I'm like, shit, I can't remember exactly what I said. So great job. Clearly, you spent a lot of time working on this book and ironing out all the details, and I appreciate the succinct representation of a lot of this and giving us a lot of great takeaways. So let me. Let me see. The book is not the only reason I had you on the podcast today. There's also been a lot of. A lot of other really interesting research that you put out over the past couple of years since we last interviewed you on the pod. So I definitely want to. Want to jump into that as well. But perhaps I'll start off with this, man. Like, where's the bug bounty? Have you. Have you forsaken us, space raccoon? Where have you. Are you going to. Are you going to be participating more? Do you think you see yourself more solidly in the vulnerability research realm and the other realms that you participate in?

[01:02:57.90] - Eugene Lim
Security man. Yeah. So this is like a great question, right, because, like, part of me was like that Google web guy you talked to, right? It's like coming from your fantasy space, I think we all know, like, there's some targets that are like rich veins of gold that you can keep mining again and again, and there's some targets that like, are like Terminators, right? You kind of like shoot them once and you blow them up and then they come back stronger. Right. And that's something I really admired when I first started out, Bug Bounty. And this is something that I've been spending a lot of time in, you know, obviously my day job. How do you kind of build things better each time, right, and use that offensive security to do that? So that has been a chunk of my time. And I think for me, I think the boundary research has also been super interesting because it gives me more time to just do things with less pressure. I would say I can focus on topics that are interesting to me but may not necessarily lead to a bounty. Right. And this, and I think this is something that allows me to send things for conferences and present at them and share some research and be part of the community, but also do it in my pace. And obviously a lot of that has changed in the past few years as you were there, Right. And that has given me some time to take pause. But I think one thing that's interesting about this community is that people come in and out, right? They, you know, get, you know, maybe they get a job and they have to work on a job for a while, and then after a while they're like, got this itch that I want to scratch, right? And to get back into Bug bounty and hacking. So, yeah, definitely, I see myself as like, hey, this is kind of a season of life where I'm in, but it may come, you know, a time.

[01:04:35.42] - Justin Gardner
When I'm back in the may come back round.

[01:04:38.34] - Eugene Lim
Yeah, yeah, exactly. So, yeah, definitely. I think it's just a way to keep me sharp. But I love what I'm doing. Foundry research right now.

[01:04:44.96] - Justin Gardner
And diving a little brings a little tear to the eye, Eugene. You know, like, it's the circle life cycle backup, man. It is, man. It really is. And, and, and I think you do see that often you see people cycle through and, and some of the most talented hackers I've ever met, you know, yourself included, have, have. Have come in for a stint in Bug Bounty, you know, made their appearance at the LHEs and at the top of the leaderboard and then moved on to Something that, you know, more aligns with their, their goals of, of lifestyle and, and interest and stuff like that. Um, yeah, so as a light, you know, as somebody who considers them themselves a bug bounty lifer, it's, it's sad for me because, you know, I see my, my friends come and go in the, in the, you know, in the meat of the community. Right. You know, being in the code. But you know, we always get opportunities like this to sit down and catch up. And the, the cool part of it is that, you know, as long as you are staying in offensive security research, which most everybody does at the end of the day, because it's hard to go, it's hard to go back to blue team after you've, you know, you've spent a long time in red team. Like, wow, this is so fun. You know, then we always have things to compare notes on and you know, cross disciplinary lessons learned that we can, we can share. So it is fun, man.

[01:06:02.84] - Eugene Lim
Yeah.

[01:06:03.38] - Justin Gardner
I think that for me as a, as a full time bug bounty hunter that like, I don't have a lot of aspirations besides full time bug bounty because it affords a really nice lifestyle of a lot of flexibility, you know, good income, the ability to do a fun podcast like this where you get to interview brilliant people. But I definitely understand people that have different goals. Yeah, especially your goals, you know, relating to governmental work. Right. So can you talk a little bit about that? I don't want to put you too much on the spot because. I know, yeah, but like, like how do you get fulfillment from that? Why is that something you've chosen to do?

[01:06:39.00] - Eugene Lim
So it's actually really related to my bug bounty journey as well actually, because like the first bug bounty that I did was the Singapore government bug bounty program. Right. Where they're like, heck, hack the government, like, make money. I was like, that's cool. That's really, really cool.

[01:06:54.11] - Justin Gardner
Don't mind if I do.

[01:06:55.17] - Eugene Lim
Yeah, I don't mind if I do. Right.

[01:06:56.55] - Justin Gardner
Yeah.

[01:06:56.90] - Eugene Lim
And that's what got me into this bug bounty space in the first place. But actually one of the first big bugs that I found was in Starbucks, if you recall, back then.

[01:07:06.30] - Justin Gardner
Oh, I recall, yeah.

[01:07:07.50] - Eugene Lim
I mean there was like a, oh, hey, 3,000 bucks. And you know, somehow that made headline. Like everyone's like, why did they just pay 2,000 bucks? But to me that was a lot of money. Right. But not everyone might notice but like a few years down the road there's another headline where Starbucks in Singapore was actually hacked. And you know, a lot of like People in the countries, their details were like leaked and sold online.

[01:07:30.38] - Justin Gardner
Oh, wow.

[01:07:31.61] - Eugene Lim
And that was like, actually a point of reflection to me because, like, obviously, like, I was still a very active participant in the Starbucks bug on the program. But I was a good boy. Of course, I stayed in Scope and all that, but I was like, hey, you know, this guy may. Maybe they found it in where I was looking at, or they found it somewhere else, but they made a different choice, right? And decided to like, you know, you know, basically break people's privacy and, you.

[01:07:53.46] - Justin Gardner
Know, bring out, Catch out on the situation.

[01:07:55.46] - Eugene Lim
Yeah, yeah, yeah. And to me it was like, okay, so, so how can I, like, fix this? Right? And that's what really motivates me a lot in this work. And this is an interesting work because making Google, I think they were talking about the high assurance web framework thing where they were able to eliminate XSS or bring it down to 1xss, right? That was something I observed in Meta a while ago because when we first did that event at Meta, we did find it, I think it was an SSRF or something. And then I just never found a similar one again. And to me, that was pretty interesting. So it was also intellectually challenging. How do you build this and you deal with a big organization and you try to convince people to do things. It's not all technical. So to me, that was an interesting thing. But also there's this motivation behind it as well, which I very much attribute to my start in Bug Bounty, which is why it's such a wonderful space to always come back to.

[01:08:52.93] - Justin Gardner
So what you're saying is you're inspired by that to say, to look at these systemic vulnerabilities that pop up in Bug Bounty. And in Bug Bounty, we have such a clear motivator to, you know, highlight these systemic vulnerabilities over time. Right. Financial gain. And how do you, how do you Google it? How do you Meta it and say, all right, that's never going to freaking happen again? And being on the side of how do I help eliminate entire bug classes for a specific entity as a whole.

[01:09:29.13] - Eugene Lim
Yeah. And it's a hard problem because, like, not everyone has Google budget or Meta's team, you know, engineers, like top engineers. Right. And that's the interesting part. And that's, that's what I think is interesting about public service.

[01:09:41.31] - Justin Gardner
This is exactly what I was saying before. Eugene, my green hat is screaming. Scream you. Right? No, but, but absolutely. It's a, it's a 100% fulfilling problem, you know, and to solve, right? Because you do reduce a lot of risk. And yeah, I mean, as much as I hate to say it, Google has done an excellent job with that on the XSS front. And I have spent a lot of time banging my head up against Google's XSS protections and they're rough, so I.

[01:10:13.80] - Eugene Lim
Got pretty close a month ago. But we can talk about that offline.

[01:10:17.05] - Justin Gardner
Me too. We will talk about that off air. Yeah, I have to compare some notes with you. All right, let me take a look at my notes here as we shift away from the the day zero to zero day topic. So we've got the guild by association pony millions of smart weight machines, which I do want to talk about. But actually I want to take a brief jump into source code review and we touched on this a little bit when we were going through your book, but I wanted to kind of just brainstorm with you a little bit here on how LLMs will assist source code review in the future. Because I was going through some of your blog posts. I think I noticed in one of those that you were using VS code, and I've actually started recently using Cursor and utilizing sort of Cursor's LLM integration while doing source code review. And it's been very helpful for kind of closing some of the gaps that I'm like, where does that function go? And it's like, it's over here. I'm like, okay, solid, solid. And so I'm wondering if you've played around with that at all or if you see any pathway moving forward in the source code review realm with this new tool that we've all got in our pocket.

[01:11:31.10] - Eugene Lim
Yeah, so I've definitely been playing around with a lot of these LLMs. Copilot is one of them. It's an obvious problem for LLMs, having all that context about a code base. And I think that's the most powerful thing about LLMs. That kind of represents almost like a shift from the one or two years ago when everyone's like, hey, SAMGREP CodeQL, right? Write these like hard coded rules that are fairly brittle. Either that or you can get a lot of false positives. But with LLMs, you can build a very strong context about the entire code base that you might not be able to have in your head. And I think that's the key thing that I see with LLMs, and one thing I hope that scales a lot more is that you don't just find the surface level vulnerabilities, you actually find the vulnerabilities that require deep understanding of what the code base is doing, which I actually do think that LLMs can be very good at. So in this space, I think I haven't really seen that deep understanding. In a sense, you might just need to pay for a lot more tokens, but that's what I think is the endgame there. And once you hit that, it does feel like you can rely on LLMs for a lot of these Ruby research and findings.

[01:12:46.09] - Justin Gardner
Yeah, I don't know if it'll ever get to this spot because cursor is such a new technology or whatever, or maybe it's a couple years down the line. But it would be really cool to see cursor build into their models or build into their product some security researcher oriented features where it's like agentified source and sync analysis where it's like, you know, actively navigating through the code, grabbing the pieces of snippets that it needs, correlating sources and sinks. I think that there's room for a product there for sure. And, and as I, I don't know, I've also described our tool in, in. In Kaido Shift Shift as like the cursor of this. But I think the reason why I say stuff like that is because cursor was such a mind boggling moment for me when I started using it of like, wow, this is a totally different thing than what we're currently used to and I think there's a lot of applications for that in the security realm and that is one of them. So definitely, definitely excited for that, man.

[01:13:54.31] - Eugene Lim
No, yeah, I think people should be so excited for it. It's just like you just got to try it, right? Like just sit down, use it and then you might kind of understand it and feel really both like, oof. And also like, wow. Right. And I think it's also like interesting that you mentioned that because it's true because a lot of these like enterprise tools, they're kind of meant for like, you know, companies, organizations. And the blue hat perspective is that, you know, I don't want to get a high false positive rate. I want to make it simple. I want my developers to get like a lot of signals that are like accurate. But for us boundary researchers, we are like, sure, just give me all the false positives as long as there's some gold in there because we have the patience to go through everything. Right?

[01:14:33.39] - Justin Gardner
Yeah.

[01:14:33.89] - Eugene Lim
And so it is very.

[01:14:34.81] - Justin Gardner
And otherwise we just be going through all the code, you know, like, definitely lots of room for a good product there. My brain just starts spinning every Time I, every time I think about it and I have seen some, some hackers recently that are I guess very respected source code review hackers saying I am very impressed by recent LLMs and the job that they've done in source code review when utilized properly. So that is a sign to me that we definitely need to be utilizing those when we're doing our source code review process to make ourselves more efficient. And. And I'm just coming off of a Google Live hacking event. So Gemini is like. I have a very love hate relationship with Gemini right now. But Gemini is really interesting because the context window is freaking massive. And that just allows the LLM to make a lot more human like decisions because it really does have a lot of or even superhuman decisions because it has so much context. A million tokens is like a lot of tokens.

[01:15:55.22] - Eugene Lim
I think they released like a security focused one as well. 2.5 for security.

[01:16:00.18] - Justin Gardner
Yeah.

[01:16:00.72] - Eugene Lim
I'd be interested to see what products come up based on that because there's a lot of opportunity there.

[01:16:05.26] - Justin Gardner
Me too. I need to go suss that. Okay, let's swing over to guilt by association Poning millions of smart weight machines. We covered this actually on the pod a couple weeks ago. I think we messaged you about it. But great write up, man. It's great to see this sort of thing and very interdisciplinary. Right. It shows how web and firmware devices and all of that sort of integrates together Iot. You know, of course, scale is what we're talking about here. I thought Rezo's comment about your meme potential was pretty solid of like, how to find how much your ex girlfriend weighs. That should have been the title, dude, for sure. I could see you blushing right now as we're saying it. Like you would never ever, ever name it that. So that's pretty great. But I guess as I read this, one of the things that comes to my mind is you have so many things you're doing. You're writing the book, you're doing the government stuff. Bug bounty is a thing that you've succeeded at so much. Why do you take the time to do something like this and go after a piece of IoT, a seemingly random piece of IoT just for fun or what's the root?

[01:17:24.52] - Eugene Lim
Yeah. So this is. Well, I think this is a funny story. Like what actually sparked it was that like one day, like I was actually on holiday, right? And like went to the gym in the hotel and then I. There was a weighing machine there and I looked at it. I was like, why is There. A wifi.

[01:17:38.61] - Justin Gardner
Can we pause for a second? What? What? Weighing machine?

[01:17:43.35] - Eugene Lim
Yeah, that was. Why?

[01:17:44.93] - Justin Gardner
This is a scale. This is a scale. Do you guys not say scale in Singapore?

[01:17:49.35] - Eugene Lim
Oh, yeah, we say weighing machine.

[01:17:50.71] - Justin Gardner
Sorry, you guys say weighing machine. That's so funny.

[01:17:53.18] - Eugene Lim
I'll say.

[01:17:54.02] - Justin Gardner
No, no, no, you can say, you can call it whatever you want, Eugene. Like, weighing machine gets it. It gets it across. I just, you know, I totally didn't process it in my, in my head. You know, when I read it, I was like, oh, smart weighing machines, of course, you know, like. But like Rezo, as we were talking about this on the pod a couple of weeks back, he's like, what. Why did, why is he calling it a weighing machine? Like, it's just very interesting how like Singapore, you know, uk, Australia, us, we've all, we're all speaking the same language here. But like, there'd just be some out there, random term, you know, that's like completely different. Yeah, it's very unlike other languages dialects because like, for example, in Japanese there will sometimes be, you know, different words that just totally don't make any sense at all, right? And you're like, what the heck does that word mean? And for this scenario, I totally understand weighing machine, right? But somehow the language has evolved differently. So I'm sorry to interrupt. You're in the hotel. There is a smart weighing machine there. Tell me about that.

[01:18:57.55] - Eugene Lim
And it has this WI FI symbol on it. I'm like, why is there WI FI symbol? Right? And you know, it kind of like, you know, touch the screen a little bit, figure out. Yeah, figured out it was like connected to the Internet. I was like, all right, I'm taking a picture of this. I'm going home and I'm going to like, start looking to this. But like, part of it for me was the motivation is that like, I want to kind of step up my comfort space, right? Because like last year I presented at Hardware IO, which is a hardware research conference on like monitors, like monitor research, display monitor research. And. But I realized that at that time that I was still very much stuck in like firmware, like client side software. I didn't actually like, you know, reverse engineer any of that hardware kind of hacking. And when I went there and I think, you know, you. We've also seen this, you know, when we go into like hardware hacking life, hacking events, and people are like doing crazy shit, right, that we would never do. Like, and you know, connecting wires, soldering, desoldering. You know, reading the Flash ram, I was like, that's Pretty cool that you can do that.

[01:19:58.81] - Justin Gardner
Pretty badass.

[01:19:59.69] - Eugene Lim
Yeah. You know, people are sometimes nice and they share the firmware, and that's when we can get our hands on it. But to get there, you got to, like, have those, like, hard skills, right? And so I thought this was a good opportunity to like, step a little bit out of my comfort zone to try that out. So what I did, the hardware hacking portion of this, my research was very basic, you know, just connecting to a UI port. But it got me started, right? Because it forced me to, like, buy the equipment and to, like, you know, buy the wires and try to connect it and try to solder it or whatever. And that kind of was interesting to me. What was more fun, I guess, was that it actually came out to something right? Because I just want to get shell right. But then from there on, I was like, okay, now what do I do? Because, sure, I can, like, read my own weight or change my weight, but that's not very interesting.

[01:20:45.93] - Justin Gardner
Look, honey, I lost ten pounds.

[01:20:49.21] - Eugene Lim
Yeah, exactly. What does that mean? Right?

[01:20:52.55] - Justin Gardner
I'm not. I'm not putting on that post marriage 20, you know, I'm doing great. It's all in your head.

[01:21:01.60] - Eugene Lim
Yeah. So, yeah. And that just became this whole thing where it's like, damn, wait, you can actually, like, take over everyone's weighing machines and change their weight or whatever? I guess. But like, like, some of these companies, they don't just sell weight machines. They sell, like, blood pressure machines or other, like, health devices. And that was, like, pretty crazy to me. So I actually learned a lot. So while it was this thing that I came across, it was actually something I've been meaning to do for a very long time, which is, like, try a bit more of hacking and kind of do this kind of interdisciplinary research.

[01:21:33.40] - Justin Gardner
Absolutely. And it is super fun. It is super fun to do. Approaching a target from a different direction is really cool. You went up against a lot of things in this blog post. As I'm looking through it, it's great that you were able to grab the Java source code a little bit there and have something that was a little bit more readable. But you see that. You see the SQL injection in the web, you see the firmware, you got the UART hacking part. There's even some Bluetooth in there. Like, it's definitely an eclectic hacking experience, which I think is really cool about going after some of these devices, because if you are looking for a way to, like, cut your teeth in various realms of hacking, then you can just grab a device like this and just be like, I am going to understand everything about this device. You know, which I think is something that I repeat to newer hackers time and time again is like, when you are like trying to approach a target, you, your goal, your primary goal should be, I am now the most knowledgeable person in the world on this thing. Like, like the devs walk into this room and I will, you know, it's literally been to the point sometimes where, you know, I'll meet the devs for the software that I'm doing and I'm just like, ah, you're this guy. I know what lines of code you wrote because, you know, like, I got access to these comments and these comments have your name in them. And like, that was shit. It's a blast to do that. I did want to ask. There were some Bluetooth components to this and obviously that's a really fun attack vector because it's semi remote, right. When we're on the actual physical device connecting UART cables and stuff like that, and getting a shell, it's a high and it's really helpful to have that debugging shell, but you have to be physically attached to the device. So the impact is a little bit meh. Bluetooth is sort of like that middle ground where it's like, okay, maybe I'm down the street, but I'm still popping your scale. And then obviously you went for the full remote route, which is obviously the most badass. So that makes sense. But why did you shy away from the Bluetooth realm?

[01:23:44.64] - Eugene Lim
Yeah, so I think for the Bluetooth realm there were kind of two parts to it. Firstly, there's already been a ton of research into like the Bluetooth protocols that smart sales use. And there's an open source project called OpenScale where people have kind of reverse engineered, understood all of it. And while it was, I mean, potentially possible to kind of, you know, have an exploit over Bluetooth, you know, buffer overflow, whatever, just by, you know, because some of these were pure binary API calls per mobile device. And then obviously on the machine itself it would be more binary. It would also be very challenging to kind of fully debug and build a proper exploit. Because I was like, this is bare metal arm firmware, right? I could emulate. But yeah, do I want to or do I, like, is it worth it? It's literally a weighing machine, right? It's like, I don't have like, and it's possible. Right, but do I want to? Right? And so I thought that's why I started to like shift more towards like, hey, let me get to the shell first, then I can understand this a lot better. So it really depends on like what information is available to you at the time. Do you have the firmware? How are you able to emulate it? Do you have a shell on the machine? And so for me, like Bluetooth was not a super viable path. It was a possible path. If I was like, this is a pronto own or something, I would have tried everything. Right. But for me, I was like, hey, you know, I just want to find something fun and I'm not going to like stress out too much about it. So yeah, it's part of methodology as well. Right. You got to pick and prioritize which attack vectors you're going to use.

[01:25:20.01] - Justin Gardner
Yeah. And I think at the end of the day you went for the attack vector that has the most impact, right. Which is the fully remote exploit which utilizes device to cloud communication, which is like, I think we've interviewed a couple hackers that go after IoT devices on a regular basis on this pod. And if there's like one little tidbit of advice we could give to somebody who wants to go do IOT hacking, it is do not neglect the device to cloud communication. Like that is where the meat is time and time again. Right. And so it's cool to see another example of that here that it seems to be continuously revalidated and you get maximum impact and you often get a little bit softer attack surface because the devs aren't really thinking, okay, well who's going to get in between the device in the cloud. Right. A lot of times people, they expect that APIs are going to get hammered and stuff like that, but not that extra layer there. Really cool to see, man. Yeah, I had in the notes as well, just kind of anecdotally the version version thing, I had not seen that as much before for SQL injection for WAF bypass. I think that's a, that's a cool one. So I'm definitely have that one in my pocket moving forward.

[01:26:36.68] - Eugene Lim
Yeah, that one's like. It was interesting because a whole new world because this particular WAF I was coming up against was a BT Web, right. Which is a actually Chinese waf. So no one like there's not a lot of documentation in English language about this WAF and bypasses, but you just need to enter the Chinese name of this into search and then you get like all these like posts in Chinese about like bypassing this web and that's where you get a lot more interesting gadgets so that was like an interesting thing that I learned is like, actually there's a lot more information, you know, in all these like foreign languages that would actually have pretty big nuggets that you don't get in English.

[01:27:14.10] - Justin Gardner
Yeah, yeah, I'm, I'm a little bit. It's interesting because I have had that experience like several times because there's some really like niche Japanese researchers on inclined side stuff in particular, which is cool. But I'm sure it's just so much more vast in Chinese. And for any of the people that are not, nobody's listening to this podcast, they don't speak English. Right. Because how are you however much into this? But you know, English, there is so much vast, vast amount of information and it's so pivotal for people to be, you know, had that in their, in their skill set to be able to access all that. And I'm sure that it's the same case in Chinese, like, because so much of the Internet is, is in Chinese. I'm sure I'm missing out on a bunch of really cool techniques and, and every once in a while there's something is bridged right where it's like, you know, you see this new tool pop up. It, you know, pops to the top of all the benchmarks and it's from like some Chinese researcher and you go to the GitHub and it's like all in Chinese and you're like, all right, here we go. Now I got to figure out how to use this shit. Very cool to be multilingual in that regard. I did have one other question about this write up that I wanted to run by you because it's in my mind this is one of those worst case scenarios, super frustrating things that happened. I'll read this quote. Despite correctly figuring out the right baud rate with my logic analyzer, my serial connection kept returning gibberish. After many hours of pain, I realized that my cheap CP 2102 USB to TTL converter was responsible for the issue. And using a more reliable FT232 finally got the results I needed. So what you were dealing with here was a flaw in the actual, you know, physical device that you're using to interact with the serial connection. That sounds horrible. Yeah, and like a nightmare because for me I just, you know, I'm struggling to get enough of this stuff to work in the first place and then being able to realize like, no, I am doing it right, something's wrong with that device.

[01:29:20.31] - Eugene Lim
Yeah.

[01:29:20.68] - Justin Gardner
You know, is was really, I'm sure that was a pain. Can you, can you talk about that? How did you realize that that was happening?

[01:29:28.69] - Eugene Lim
Yeah, because so, so the interesting thing with like, so so basically like I was trying to get a boundary, which is the kind of like the rate of symbols being sent over time. And it's important to get this right because you're kind of converting from like, you know, electrical signals to actual digital information. So if you get it wrong, then you just, your symbols are all going to be garbled and so on. And I had initially gotten the right number using like a multimeter, which is like, you know, a physical device. You just used to measure first. But then when I tried to enter that number, when I tried to use that connection using the USB to TKL converter, it just didn't work and it was driving me crazy. Right. And so as I mentioned in the blog post, I did kind of talk to this previous researcher who had done it and he was like, no, this seems correct, like what you found. I was like, okay. And then I read online and about the tools I was using, if I was configuring it wrong, and someone actually had a few posts on which was the best converter to use. And then they said, okay, this is pretty prone to failure. And they'd kind of be like, okay, well I've tried everything. Must as well try this thing. And it was super annoying because it actually did work. But this was like really important lesson for hardware hacking where I think we're very used in software and web for things to be consistent. You can use an emulator even, but it's supposed to work the same way because it's code. But in this case there's hardware failure which is just mind blowing to me.

[01:30:57.40] - Justin Gardner
So frustrating. Like, like, this is definitely, like I said, like a worst case scenario in my mind of like, yeah, I, there's actually something faulty with the cable that is, that is making that not happen. Um, props to you for, for getting past it. And yeah, it's always great to get that sanity check from a more experienced hacker in that realm that has a little bit of like a feel for it. Like, oh yeah, this, something's off here. Um, that, that, that, that definitely helps. Joel, Joel did that for me a couple times when in my, in my Iot hacking experience. And I, I so appreciate it that, yeah, so I guess without. Because we're already quite a bit in, in the pod, so I won't, I won't dive too far down this rabbit hole, but as far as serial communication goes, you know, in this scenario, you said you hooked up a multimeter to it, to it first. And as I understand, you know, as data is coming over these, these wires, you know, you're, you're trying to figure out, you know, the rate at which it's. The signal is sort of oscillating there. Right. And that determines the baud rate, which needs to be configured on your serial reader to make sure that you're getting, you're interpreting the correct changes in voltage as a specific character or something like that. Right. So if you see just a string of ridiculous looking characters, then it means, okay, something's probably off and the delimiter is not correct or something like that, and you're not getting that correct rate. Is that accurate?

[01:32:22.02] - Eugene Lim
Yeah, that's pretty much what it was.

[01:32:24.47] - Justin Gardner
Sounds super frustrating, man. You're just looking at a string of all sorts of random characters. You're like, I know that it's there, I know that the data is there.

[01:32:32.60] - Eugene Lim
Something's there. It's speaking to me, speaking to me.

[01:32:36.65] - Justin Gardner
Yeah, that's great. Okay, I guess I'll ask one more about this and then we'll wrap it. But how did you sort of reverse engineer the IoT authentication flow for this specific device? I mean, the write up outlines that process a little bit, but for the reader that hasn't gone through that, what would you say the TLDR on that is?

[01:33:04.47] - Eugene Lim
Yeah, I think the TLDR is that like IoT like device authentication is actually a fairly standard pattern. And the bad pattern, which is like people just hard code secrets on the device, it could be the serial number, it could be like a Mac address or then the good pattern which is like using certificates and they use the whole public key infrastructure kind of pattern to authenticate to the server. So it's actually a fairly common, simple pattern. And the end goal is that you've got to read the secret. Somehow you got to get that secret whether it's a certificate or the serial number that's stored somewhere on the device. And so once I got the shell on this device, it would just. There were various debugging tools I could use and one of them was reading from memory, reading from the database, and that's what I used to extract it and understand it. So that was the static part of it. Because now I had the certificate, I could try to authenticate to it directly myself and figure out what went wrong. And this was actually building from a long time ago at that same AWS hardware event that you and I were at. Because if you recall, I did have some of those certificates on a device back then, but I didn't really understand it, but now I do. Right. So that's, that's progress, right? That's nice. Nice to like look back and think about that.

[01:34:16.90] - Justin Gardner
Yeah, it's funny you referenced that because that's. I think you and I were both kind of sort of cutting our teeth a little bit at that event, right. And we saw some of the more experienced hackers and I think there was a cert swap that happened, you know, and then the traffic was able to be proxied. And when I saw that, I was like, wow, that is badass. I'm going to do that. And lo and behold, you had the same idea. And here we are.

[01:34:39.46] - Eugene Lim
There we go. That was a fun circle moment from there as well. Because the shell I could run debugging connections and also a lot of debugging logs that also give me a bit more information about what was going on that helped me avoid just pure bare metal arm reversing and really just do a more dynamic approach to it.

[01:35:01.52] - Justin Gardner
Yeah, dude, as I'm sitting here listening to you say that, I'm thinking, this is exactly why I made this podcast because you know, you and I had the privilege of going to that life hacking event where we learned so much about these things. And you're right, so many of these patterns are repeatable across multiple targets. And you know, you just, you go, you have a couple experiences with it, you know, through a friend or at the live hacking event competitions via the show and tell, and then you start seeing these patterns emerge and you're, you get confident doing it yourself and that's how you grow as a hacker. Right? And that's really what I credit for my rapid growth as a hacker was I was the plus one of a plus one to a live hacking event in 2017. And the things I saw at that event and the preceding event changed my mentality on hacking for a very long time because you get exposed to, especially if you dig, and you'd be like, hey, what did you find? Hey, what did you find? Hey, what did you find? You get exposed to different hackers techniques and their different knowledge base and you're able to sort of pull it all together into one. So thanks for this, Eugene. Thank you for, for taking the lessons you've learned in that regard, writing them into this blog post and then writing them further into this book that you're releasing, because that is, that is how the community grows. And you and I are in a very privileged position to have, have seen a lot of this firsthand and definitely want to help disseminate that to other hackers so that they can grow as well.

[01:36:26.19] - Eugene Lim
Yeah, for sure. Thanks for having me back on.

[01:36:28.55] - Justin Gardner
Of course, man. It's been a great pod. That's a wrap. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more Critical Thinking content or if you want to support the show, head over to CTVV Show Discord. You can hop in the community. There's lots of great high level hacking discussion happening there on top of masterclasses, hack alongs, exclusive content, and a full time hunters guild if you're a full time hunter. It's a great time, trust me. I'll see you there.