All right. So this is "put on your tinfo_t hat". I'm Miaubiz and this talk is going to be about templates and scripting [inaudible] for IDA, as we call it. They look like this. Basically they solve the problem that we have this function max, and the code is equally valid for chars and valid for 32-bit signed ints, so we don't want to write the code over and over, so we have this expression and then the type, and there is a placeholder the compiler replaces with whatever type you're using, and then in the binary you will end up with this, and this, for whatever types are actually used. And then eventually your C++ templates look like this, but this is fine when you're programming C++. Then you have some binary, you can put what's in there, and there is bad decoration and it says "near something or other", where the problem is, where you have that angle bracket. I didn't get too far.

So when you have these C++ templates, which have characters that IDA doesn't accept, we still want to get them in there, so there are three ways we can do it, and we're going to use Python. That's a Texas or rattlesnake.

So the first one is the typical version, and we're going to look at tinfos and then we give it... it works out. And this is the type part of it. So the stuff in black... we're going to focus on the red and green part. And so they both start the same, slash-N or the ten. And there is the pointer, the star. You can have several in a row. Then you have the length, and then you have the pound sign, which means... there are two different ordinals. When you go to Local Types you see the... and then you decode them; there is math involved, somewhat, and then we figure out that it is 1645 and 1398. Those were the types. You can do the reverse operation, and then you can replace those in that string you have and then apply the type, and now it works again.
So if, say, from a PDB into your local types you have already gotten types that have templates in them, now you can just replace the ordinals in that string you got from IDA and it still works; you magically get the proper types in there. And then that's one way of doing it. Sometimes that's a good way. Meaning these are actually classes and types or whatever, and they are generated into the binary. The whole thing is just a string. It's just like a type with a weird name that happens to have those symbols in it. So you can actually rename types to anything, and so that's one way to get around the problem.

So basically when you go to the menu and try to enter a type, and when you try to apply a type to a function, it parses your type declaration and also any type declaration that has been referenced by that type, and so if anywhere in that type there are these bad characters, then it will fail. So you can just, whatever types are in there, rename them to something like temp1 or temp2, whatever, and then rename them back and achieve the same result. And the API for that is called rename_named_type. And, unlike the rest of the IDA API, this one actually does what it says. So then you call it by the original name and then you do the opposite operation after setting the type. Okay.

So then the tinfo_t API. So you create a tinfo_t. So "tinfo" is type info, and the underscore-t is just something that's on all of those types. And then you can call get_named_type on that tinfo_t, and where it says "some crazy name" you can actually put any string and it will create a tinfo_t that has that name. By name I mean the local type with that name; then when you apply the tinfo you get different results. But then, so the vdui is because much of this scripting for Hex-Rays is intended so that when you are in the decompiler window and user interface you can use what's visible in the window. So you have to then jump to the screen EA and open it or whatever, and then you're able to get this UI object.
And then change the type of your function argument, then you actually change the types. "lvar" here is local variable, so you change the type of the local variables that are arguments, and when you do that it then changes the type of the function itself. And there is... the lvar object itself also has a set type method, which would seem to be the same operation as going through the UI and then changing the lvar type, but that other set type actually does a different thing, or nothing, and that's why you need to go through this vdui. So here's the whole thing. You have to decompile it, and that is just to get it to open the decompile window for you, otherwise you can't get the vdui. And wow, so then there is the return type of the function, and so right there, all I was changing was the arguments, the local variables that are the arguments of the function. The return type doesn't have... even though there is a return, there is a local variable for the return variable or whatever, but if it changes that type it won't actually let you do it, the return type of the function. And also when you're exchanging... when you're doing this, calling set_lvar_type, you can actually add or remove arguments. Something you might be interested in.

So then to create a completely arbitrary type, but also the number of arguments, you can do that all in... So it has these simple types, and ordinal types, and maybe some other types, and for simple types there is like a one-byte enumeration and 80% of them are weird stuff that you will never use, like the "static pillar" or this other one which obviously is not actually a type; double that's on. And so then you can create this, your string, where you place this placeholder into your string for the return type, and then for argument types, however many you want, and you give them different simple types and then put in as many pointers as you want. Eventually, and then you actually... so your first type returns the same type of magic string that was in solution 1.
So then you can do the replace thing: you can replace the... however it is encoded, into the string. The simple types, then you can replace them with how the ordinals are encoded, and in the early example I showed, it was always 2 bytes for the length; for like the first 1 thousand ordinals... it will actually be like 3 bytes, so beyond 4 thousand or 8 thousand the ordinal, when it goes above that, is slightly different, but you can bend... put in whatever you want. And then so with these you can create a tinfo_t, and when you call... on it and give it whatever the IDC... so that is another way of creating a tinfo_t of a certain type. Because there are several functions in there, create function type and the like, 40 of them, and if you look into them there isn't any... only mirrors of the header file, so there is no public usage of these; actually that's what you want if you have that type string that you get from get tinfo or type from IDC. So then there is a function called apply_tinfo2, because apply_tinfo was taken, so apply_tinfo2, and now it does the same as whatever I did first. Let me see where it was. Apply type from IDC. Okay. The whole thing. And then I don't know what I have to say about this topic. And wow, I went fast for 20 minutes.

[ APPLAUSE ]

>> Any questions? You. So the question is like when you would end up with these types that can now be parsed. So basically let's say you have a binary that includes C++, and then you build it with symbols, then you will have those symbols in there and you want to transfer those symbols into your unknown binary, because these are normal. That's the common situation you'll end up with. You know something about the types that's not in the binary and it's C++ templates. Yeah. Basically for IDA, as I mentioned somewhere in there, although they're template types, IDA doesn't really care what the members of the templates are or how it's structured.
>> If you have more questions, I have a mic that makes it easier for you to hear. So do you have more questions? Anybody? Did it go over your head? Only two smart guys in the room.

>> All right, thank you, guys.