Ange
File Formats for ever! Corkami, CPS2Shock, PoC||GTFO, Sha1tered. Security engineer @ Google/Mandiant/Flare. He/him.
Sep 23, 2022 4 tweets 3 min read
ICYDK the issue 0x14 of PoC or GTFO has articles about PostScript, GIF, PDF and NES (code) hashquines by @teh_gerg, @__spq__ , @makomk, @ESultanik and @evan_teran.
github.com/angea/pocorgtf…
The issue itself is a PDF/NES hashquine. And @doegox’s small article about putting the MD5 on the front cover of the PDF via PDFLaTeX.
Sep 9, 2020 5 tweets 1 min read
From a file format perspective, it's pretty cool to get different payloads - both authenticated - from the same ciphertext with different keys.

It's a neat way to exploit key rotation: clean now, malicious tomorrow. Naturally, from a format perspective, it was always doable with any form of polyglots, as both formats typically don't overlap.
However, it's even more powerful: when one format is decrypted, the other format is garbled, which bypasses polyglot blacklisting (easy PDF polyglots).
Aug 8, 2020 5 tweets 1 min read
When people ask me about the French language,
I tell them about "99 birds".

Why... what could go wrong?... We read 99 as 'quatre vingt dix neuf' (4 20 10 9),
because 4*20=80 and 80+10+9 = 99 ;)

yes, '4 20' is the official way in France to read "80".

In other countries, they sometimes say "80" huitante (8 = huit),
which makes sense since 60 is soixante, even in France (6 = six).
Aug 2, 2020 4 tweets 2 min read
MP3 players... Cubic Players, DOSAmp
Jul 28, 2020 5 tweets 2 min read
Recap thread on file sets I've contributed to, depending on your needs.

Mocks to understand magic signatures
A polymock to demonstrate magic abuse
github.com/corkami/pocs/t…
Jul 27, 2020 5 tweets 2 min read
FWIW I made a set of minimal but self-descriptive pics of common file formats.
github.com/corkami/pocs/t… PoCs, not pics.
Jul 9, 2020 5 tweets 2 min read
Another trick with `file` is that the types are checked by category, so some lesser-known types will be checked before the classic exploitable ones (and not in the offset order either).

Check the list:
github.com/file/file/tree… The Allegro magic is first,
but the Acorn one is scanned first (Acorn < Allegro in alphabetical order).
Jul 9, 2020 4 tweets 1 min read
I made a file that is wrongly detected with 29 different formats.
It's mostly empty: just a collection of magic signatures at the right offsets, no format is valid. virustotal.com/gui/file/10a3e…
May 30, 2020 14 tweets 3 min read
The evolution of my PE101 poster. 2012/04/08:
started as a hex coloring test.
May 26, 2020 14 tweets 2 min read
A thread on file abuses:
the typical goal of file abuse is to make space for your foreign data, and optionally put in another header for a different file type if you want a polyglot. A polyglot is a file containing 2+ valid formats.
If the different formats share some data (for example, a disk image with 2 different file systems for the same files), it's a chimera.
May 21, 2020 4 tweets 1 min read
FWIW I've been using Hiew for 20+ years (at least since I worked in CPS2shock and I made CallusPatch) - speakerdeck.com/ange/preservin…
As a hex viewer, with a lot of block manipulations, macros, some scripting, plugins, highlighting... as a [fast] disassembler: by the time you release the key to launch it, you'll get a disassembly of the entry point and you can easily navigate, search strings and asm patterns, swap between files.
Mar 6, 2020 7 tweets 3 min read
I wanted to introduce my son to real examples from my past that have a good lesson value...
Of course, since it's about my past or their present, the only thing of any interest is video games... So of course, we need to understand how computers store data:
we have 5 fingers per hand, computers have 8.
github.com/corkami/pics/b…
Feb 19, 2020 4 tweets 2 min read
バイナリかるた - Binary Karuta
A card game where you have to guess formats / protocols / architectures:
kozos.jp/binary-karuta/ Also a book:
amazon.co.jp/dp/4839951020/
Feb 15, 2020 5 tweets 2 min read
I pushed some drawings about charsets and encodings
github.com/corkami/pics/b… ASCII (printable & full)
Jan 8, 2020 5 tweets 2 min read
ICYDK I wrote an article about making SHA-1 colliding PDFs via PDFLaTeX in PoC or GTFO 18. It's readable online on the Internet Archive:
archive.org/stream/pocorgt…
Dec 31, 2019 4 tweets 2 min read
Someone ripped the prefixes from the 'Shattered' SHA1 collision computation of 2017.
The resulting files are colliding, but aren't valid. ICYDK I provide on my collision repository a set of small colliding PoCs that you can freely re-use.
github.com/corkami/collis…
Nov 14, 2019 7 tweets 2 min read
Why do I care about researching hash collisions with MD5?
Because it's still used, and usable in sane cases. It's important to know the true impact of its attacks, and there are only 3 of them for MD5, which is not too much.
You can understand the impact without the crypto. The fastest of them instantly gives you different files with the same hash, but these files won't be valid. So to instantly get a pair of valid and colliding files, you need to combine it with file format tricks. And these format tricks will likely be reusable for SHA2 or whatever.
Nov 12, 2019 11 tweets 6 min read
ICYDK I made a slide deck about the basics of PDF structures.
speakerdeck.com/ange/lets-writ… Once you know the basics, you might appreciate
speakerdeck.com/ange/an-overvi…
Oct 17, 2019 4 tweets 3 min read
It took a bit less than 2h to compute an MD5 hash collision on Megadrive via @makomk's Toy Collider.
(tested on MegaSg and BlastEm) @makomk FTR that's the first ROM I ran on that MegaSg and that Everdrive - kids were expecting Sonic or Shinobi ;)
Oct 14, 2019 4 tweets 1 min read
Thanks everyone for your moral support. I'm now doing sport daily to sleep correctly, very happy to have good moments with the kids, and actively working on our future.

My underflow certainly hurt, but now I am doing OK. One thing I learned: keeping secrets fosters manipulation and bad behavior.
I learned that myself years ago when discussing with someone external about how I was handling kids: the instant surprise made me realize that I should soften my own ways.
Sep 23, 2019 7 tweets 3 min read
Explaining hacking to kids ideas...

First, you can introduce yourself.

Then point out that some first names are super short (Yu, Tim, Ed) while some are much longer (Jean-Jacques, Seraphina...) and then hint at buffer overflows. Then ask if anyone has an uncommon character in their first names... Théo, François, Iñigo, Jörg, Rafał, Øivind, Þórður...
and discuss encodings...