00:00:00.901,00:00:05.906 >>Good morning Defcon! Yeah! Uh how many of you guys went to the Demonsal party last night? 00:00:08.675,00:00:14.715 Anybody? Yeah? One guy. Uh the fact that you're here means that you didn't do it quite right. I 00:00:14.715,00:00:19.720 was expecting no hands. Um did did you see McCaffey last night? Yeah? I'm sorry. [pause] Uh 00:00:23.924,00:00:28.929 alright so uh one quick announcement uh we going to get started uh pretty shortly. Uh 00:00:31.198,00:00:36.203 about 2 minutes we're gonna get this fine gentleman going. Uh when you leave the room uh 00:00:36.203,00:00:41.208 please use the back doors not either side. They're pretty well marked. Um but backdoors. Uh we 00:00:44.144,00:00:49.316 had we had some issues yesterday. Uh the other announcement uh is uh yesterday 00:00:49.316,00:00:54.321 uh we were told by hotel staff uh that uh there was some unusual traffic on their point 00:00:58.825,00:01:03.764 of sale network. [laughter] Alright they have paid for a very very high class monitoring 00:01:06.934,00:01:11.939 solution uh just for DefCon. And we have a very very superb I mean I know it's DefCon but we 00:01:15.309,00:01:21.214 have a very very good uh standing with all the hotels and conference centers in the area 00:01:21.214,00:01:26.219 for not messing with them too hard. Um POS system not cool. Please do not mess conference 00:01:30.958,00:01:37.731 center's or hotel's network um at all please. Uh if you really feel like uh flexing some 00:01:37.731,00:01:42.736 particular uh gray or black hat muscles uh DefCon network is there for a reason. Bring it on! 00:01:46.373,00:01:52.546 Alright. Uh so we are right about we are right on time. That is amazing. Uh so without 00:01:52.546,00:01:57.250 further ado uh Benjamin Hollins our first speaker of the day. Let's give a round of applause. 00:01:59.286,00:02:05.559 [applause] Yes! Alright. >>[Thank you off mic] Thank you everyone for coming today. 
Uh so 00:02:05.559,00:02:11.098 my name's Ben. And um today we're going to talk about eh a way to develop managed code 00:02:11.098,00:02:15.869 rootkits for the for the Java run time environment. Um so just a little background who I am. Uh I 00:02:15.869,00:02:20.307 guess I would describe myself as a student. I've been a student for a really long time. And 00:02:20.307,00:02:26.613 probably will be for a little while longer. Um so uh I've worked a few places um and I I 00:02:26.613,00:02:30.917 come from Iowa State University. I see a few other people from Iowa State here. So yeah! 00:02:30.917,00:02:37.491 Represent! Alright. Um okay! So a little background. Um first I just kind of want to show you a 00:02:37.491,00:02:42.329 little a little taste of what's to come. So here's our our simple hello world program. 00:02:42.329,00:02:47.801 Everyone's probably written this program before. Right? Um so let's let's go ahead and run it 00:02:47.801,00:02:52.806 on um on our victim machine and see what happens. So let's go ahead. [pause] Okay! So we've 00:02:56.410,00:03:03.183 got our just uh just a Windows 7 latest Java update. Um as of just Java 8 as of like a week 00:03:03.183,00:03:07.654 ago. Um we go ahead and run hello world. It just prints hello world. Um but we've got a 00:03:07.654,00:03:11.992 session on this machine. Um we've got a Meterpreter running. And we're going to load 00:03:11.992,00:03:17.798 up this custom post module. Whoa. Okay. And uh we're going to go ahead and run this custom 00:03:17.798,00:03:22.302 post module. I've got a uh a dropper here we'll explain what that is here. We're going to go 00:03:22.302,00:03:27.374 ahead and manipulate the run time a little bit. Uh and then go back over to the victim 00:03:27.374,00:03:32.379 machine and see what happens. So now when we run hello world, it prints backwards. Right? So we 00:03:32.379,00:03:36.349 have the ability to manipulate the run time. And what are we going to do with that? 
Well we 00:03:36.349,00:03:41.354 can talk about that today. [pause] Okay. [pause] Okay! So first of all um we should 00:03:47.627,00:03:51.898 probably understand a little something about what the you know the run time looks like at 00:03:51.898,00:03:56.803 least from a high level. Um so we take the Java code um just plain Java source files. We feed 00:03:56.803,00:04:00.874 that into the compiler. We spit out class files. We could run those. Uh or if we have a bunch 00:04:00.874,00:04:05.345 of class files we just zip them up and because we're Java we call it a jar. Um so that's just 00:04:05.345,00:04:11.518 a jar zip file. Uh we take that jar file and we run it on our on our host operating system so 00:04:11.518,00:04:15.489 that Windows Mac Linux. And it seems to run the same on each one. Right? So it's cross 00:04:15.489,00:04:18.959 platform and that's really nice but how do we how do we do that right? If you write a C program 00:04:18.959,00:04:22.395 you might have to change things a little bit. But with Java at least it's you know it's 00:04:22.395,00:04:27.901 standard. So the way we do this is we create a custom virtual machine for each uh host 00:04:27.901,00:04:34.207 operating system. And that interprets the the standard Java bytecode and then runs it on 00:04:34.207,00:04:39.346 the host operating system. So let's take a look inside those. Uh we have the the virtual 00:04:39.346,00:04:43.383 machine and then we have the standard library. Right? We have the definition of what's an 00:04:43.383,00:04:49.356 object. What's a linked list. All the different um primitives. Um in stored inside this uh run 00:04:49.356,00:04:54.928 time jar. And what we're going to do today is actually just mess with that run time jar. 00:04:54.928,00:05:00.133 Right? And because this run time jar is actually just Java bytecode itself uh at least for the 00:05:00.133,00:05:05.138 most part. Um that also has this nice property of being cross platform. Right? 
So we can write 00:05:07.574,00:05:14.447 one exploit and then run it everywhere. Okay, so there's a few advantages. Um first of all 00:05:14.447,00:05:19.219 I just want to make it clear that this is a post exploitation activity. So you've already um 00:05:19.219,00:05:24.658 gained uh permission on the box. You can write to usually these kind of protected 00:05:24.658,00:05:29.563 directories. So program files on Windows is where they store the Java run time. Of course if you 00:05:29.563,00:05:33.600 didn't store it in a good place someone can just manipulate it without having administrator 00:05:33.600,00:05:39.773 priv privileges. Um but the important part is that we're not manipulating the program itself. 00:05:39.773,00:05:44.945 We're manipulating the run time. So actually we uh can affect every program that's running. So 00:05:44.945,00:05:49.349 any that that hello world program? We didn't touch that program at all. We touched the 00:05:49.349,00:05:53.019 run time and the hello world program behaved differently because we modified the run 00:05:53.019,00:05:58.658 time. So um you know there's some nice benefits of this. Typically we audit the the 00:05:58.658,00:06:04.564 application code. We don't audit the run time. Um so you know someone might overlook this. Uh 00:06:04.564,00:06:07.801 and we have a lot of contextual information about the application. Right? So if we 00:06:07.801,00:06:12.272 wanted to do something like grab the password field uh we don't have to write an entire key 00:06:12.272,00:06:16.843 logger. We can just key log maybe just password fields of applications. So we have some 00:06:16.843,00:06:22.415 more contextual information at the application level. Um and of course uh since we're 00:06:22.415,00:06:27.053 manipulating the run time and we're doing it you know at an object oriented language these 00:06:27.053,00:06:31.524 are full featured libraries. So we can write object oriented rootkits. 
We can use the standard 00:06:31.524,00:06:36.696 library. Um we have lots of access to kind of some low level things that you might not think 00:06:36.696,00:06:41.601 are in there. So we can mess with key events, networking, all sorts of things. Okay! So 00:06:41.601,00:06:44.904 there's been some pioneering work. Um I'm not the first to do this and I'm not really 00:06:44.904,00:06:50.343 expanding on kind of on the the main technique. I just wanted to expand on the new way to do 00:06:50.343,00:06:56.783 this. Um and so Erez Metula uh gave me this book. Um and he's done a lot a lot of work on this 00:06:56.783,00:07:01.321 already. Um so if you're curious about you know kind of all the things you can do. You can check 00:07:01.321,00:07:06.359 out his book. Uh it's called Managed Code Rootkits. Um and he also released a tool called 00:07:06.359,00:07:12.465 ReFrameworker. Uh it worked on .NET run times. Uh it's able to kind of specify x and o uh 00:07:12.465,00:07:17.871 tasks of how to manipulate the run time. Uh and this uses an assembler and disassembler pair 00:07:17.871,00:07:21.841 to make the modifications. And has some deployment scripts. So really kind of laid the 00:07:21.841,00:07:28.481 framework um the ground work for how how we're going to do these. Um but uh when I started 00:07:28.481,00:07:33.586 thinking about this um I wanted to do this for for Java. Um because I'm kind of a Java nut. 00:07:33.586,00:07:39.592 As some of my friends know. And um well this uh the the previous tool was for .NET. So I 00:07:39.592,00:07:44.931 thought I'll have to extend this but I have an opportunity to to think about um you know how am I 00:07:44.931,00:07:49.169 going to modify the run time? Um so there's a couple of different um ways you can approach this 00:07:49.169,00:07:54.841 from. We have uh byte code. Um we could just try to manipulate the byte code right away. Um but 00:07:54.841,00:07:59.546 this is this is pretty difficult right? 
Uh it would work but say you change a variable name or a 00:07:59.546,00:08:03.416 method name. Well that has lots of references in the code. So we have to uh kind of change all 00:08:03.416,00:08:08.321 those those little references and the butterfly effect gets kind of a pain to manipulate. 00:08:08.321,00:08:14.027 Also we you know most people don't speak raw Java byte code. So um that's just kind of 00:08:14.027,00:08:19.799 a pain. Um you know ideally we could just decompile this. Get the source. Edit the source. 00:08:19.799,00:08:26.005 Recompile it and we're done. But if anyone's decompiled apps before um if you're lucky it 00:08:26.005,00:08:30.443 that it even compiles it's probably not even right to start with. Um so decompiling things 00:08:30.443,00:08:36.049 is definitely a hard problem. Um very hard and we're not going to have perfect decompilers. Um so 00:08:36.049,00:08:39.219 people come up with things that are kind of in between. So we have these intermediate 00:08:39.219,00:08:45.125 representations. They are used a lot in compiler optimizations. Um for Java you can think about 00:08:45.125,00:08:50.230 Smali or uh [indiscernible] any of those representations if you've played with those. Um but 00:08:50.230,00:08:54.200 this is nice because we can decompile it to this kind of half way point. It's not quite 00:08:54.200,00:09:00.073 source code. Uh but it is text it is like it is the source code but it's now Java source. Um and 00:09:00.073,00:09:04.477 we can edit that and then we can recompile it. And we and we we come to this half way point 00:09:04.477,00:09:09.682 because we can guarantee that we can go um back-n-forth between uh decompiled and compiled 00:09:09.682,00:09:14.687 [indiscernible]. Um so you know these the editing the byte code works. It's it's a huge pain. Um 00:09:17.891,00:09:23.396 we can't really rely on decompiled source although we'd really like to work with that. 
00:09:23.396,00:09:27.901 Uh and then working with intermediate representations was kind of my first approach. Um 00:09:27.901,00:09:32.505 and you know it it has been kind of proven. People have done this. Um but it's still tricky. 00:09:32.505,00:09:38.378 Um you know we we learn to write code at the normal source level. We don't write code at an 00:09:38.378,00:09:42.682 intermediate level. Um it's just kind of you know it's just something we can we can write 00:09:42.682,00:09:47.687 tools for but um yeah but it's still tricky. So I thought I really really want to to just be 00:09:49.789,00:09:55.361 able to you know lower the bar the barrier to entry so that uh if you know how to write basic 00:09:55.361,00:10:01.568 Java programs then you can write a managed code rootkit too. Um so that's kind of the new the new 00:10:01.568,00:10:05.405 goals of the framework. Right? I want to support the Java run time environment. And I want 00:10:05.405,00:10:11.711 this just really low um knowledge prerequisite. So uh just quick a show of hands like 00:10:11.711,00:10:17.217 who has ever written just a basic Java program? Okay! Yeah so you guys can all write managed 00:10:17.217,00:10:22.222 code rootkit now. So that's fun and also terrifying. Um alright! So the other thing is we want 00:10:24.424,00:10:27.494 kind of this natural development environment. If you've written a Java program you've probably 00:10:27.494,00:10:33.700 used Eclipse. Right? You you at least whether or not you like it maybe maybe you like another uh 00:10:33.700,00:10:39.572 IDE. But um it's it's familiar. Right? You know how to debug your program. You know how to um how 00:10:39.572,00:10:44.310 to easily deploy your program. And again if we can write something from high level and 00:10:44.310,00:10:48.615 source we don't we can strive towards this portability. Um and we don't have to worry about 00:10:48.615,00:10:53.620 kind of low level details in the run time. 
So um I want to oh yeah right I had this slide. 00:10:57.123,00:11:01.694 Okay so we want to write rootkits in Java source. This is the tool itself. I called it 00:11:01.694,00:11:08.234 JReFrameworker. Or um and that's kind of a ripoff of Erez uh Metula's ReFrameworker. Um 00:11:08.234,00:11:13.406 just because kind of a a common pattern is just to add J in front of a Java project. But 00:11:13.406,00:11:20.213 then I noticed oh J JRE that's nice. So I I kept it and I kind of attached the name. Um so uh 00:11:20.213,00:11:24.584 it's an Eclipse plugin. So you can work right inside of Eclipse. Um we have uh an 00:11:24.584,00:11:29.589 ability to uh to export a way to drop the payload on the on the victim machine. Um so that's 00:11:31.691,00:11:36.429 that's all kind of abstract in a way for me. It's open source. Free. So you can play with it. 00:11:36.429,00:11:42.969 Hack on it. Um and uh have fun with it. So um there's some been some uh early feedback on on 00:11:42.969,00:11:47.340 Twitter. Um so some guys that just what the internet's in dire need of a well engineered 00:11:47.340,00:11:52.345 malware development tool set. Um I think he was being uh sarcastic but I'm going to take 00:11:52.345,00:11:59.085 that as a compliment because I like the idea of of a well engineered uh tool um for me. So 00:11:59.085,00:12:03.890 um I want to revisit that hello world program. So this is this is all the code that you have to 00:12:03.890,00:12:08.962 write. Uh and the idea is what we'll do is we'll ext since it's object oriented we'll extend the 00:12:08.962,00:12:13.533 object that we want to manipulate. Um and for now just assume that you can extend any 00:12:13.533,00:12:18.972 object. Uh so here I'm extending the print stream. [inaudible] Yeah okay so I'm extending the 00:12:18.972,00:12:23.610 print stream. And we have these little annotations that define how we want to manipulate the 00:12:23.610,00:12:27.580 run time. 
Uh and these are basically just notes to the tool. They won't end up in the 00:12:27.580,00:12:31.951 final source. Um so we're going to say that we want to merge these two types. So we're 00:12:31.951,00:12:35.421 creating a new class called backwards print stream. We're extending the print stream. And 00:12:35.421,00:12:38.958 we're going to merge this new behavior in. And what we're going to do is actually uh is 00:12:38.958,00:12:43.930 override the println method to just create a new stream. Reverse it and print that 00:12:43.930,00:12:50.470 stream. Okay um and so we have quite a few uh different annotations. Not not too many I 00:12:50.470,00:12:56.509 guess actually. There's two main types. There's define and merge. Um so a define type basically 00:12:56.509,00:13:01.514 inserts or replaces the old behavior. Um because sometimes you just want to completely blow 00:13:01.514,00:13:05.385 it away and replace it with something new. But sometimes you want to preserve that old 00:13:05.385,00:13:11.791 behavior and then you know maybe just hook into it or um or add a subtle difference to it. But 00:13:11.791,00:13:15.695 then behave like normal in other cases. Uh so that's what the merge type is. And you can put 00:13:15.695,00:13:19.499 these on each thing. You can put it on a class you can put it on method you can put it on field. 00:13:19.499,00:13:23.369 Um and then we'll get to why we need these later but we can also control the qualifiers on 00:13:23.369,00:13:28.041 things. So if the class is final and you can't extend it well you can basically just say nope. No 00:13:28.041,00:13:33.046 it's not. And then extend it. Alright? Okay so uh I gonna do just a quick demo here of of how 00:13:35.114,00:13:41.287 to use the tool. Um so that if you want to play with it um that you can. Okay. So let's go over 00:13:41.287,00:13:46.893 here um so I have a little bit of test code here. Uh it creates a new file called secret file. 
00:13:46.893,00:13:50.863 It writes to that file. It just writes the word blah to it. And then it checks to see if that 00:13:50.863,00:13:57.170 file exists or not. And then just to clean it up we delete it. So if I go ahead and run 00:13:57.170,00:14:02.108 this um of course it works. Um I just ran it with the normal run time. Nothing's changed. Um but 00:14:04.977,00:14:09.982 what we can do is actually override this. So I'm going to extend the um [pause] file 00:14:13.319,00:14:18.091 class. And um okay so we've extended. We can use Eclipse to kind of help us out here. We 00:14:18.091,00:14:23.129 need a constructor. Okay no problem. Eclipse you can generate that for us. Um I want 00:14:23.129,00:14:29.669 to merge this. Let's see here merge type. Okay. I want to merge this into the file class. 00:14:29.669,00:14:34.707 And that what I want to do is override the exists method. So that if the file name is secret 00:14:34.707,00:14:38.177 file I'll just tell you it doesn't exist. Even though it does we can still write to it 00:14:38.177,00:14:42.915 and we can still read from it. Okay so I'm going to use another annotation. This is just a a 00:14:42.915,00:14:46.719 basic Java annotation. Checks to make sure that the the method we say we're overwriting is 00:14:46.719,00:14:52.258 actually a method that we're going to override. Um and this is the exists method. So public 00:14:52.258,00:14:54.260 boolean exists. And uh we have to return something. So I'm just going to return false for now. 00:14:54.260,00:14:56.262 Okay. And um so let's let's check to see if the file name is uh secret file. So let's say uh 00:14:56.262,00:14:58.264 let's let's first say if it's a file um and not a directory for instance. Um and the name is 00:14:58.264,00:15:04.637 [pause] secret file. And we'll just say nope. No it doesn't exist. Trust me. Um otherwise 00:15:04.637,00:15:09.642 let's just use the default behavior. Right? 
So the default behavior um is the method that 00:15:32.298,00:15:37.403 we're going to replace. So I'm just going to return the original method. So I'm going to 00:15:37.403,00:15:41.641 use the super call for that. Um so this will later get re-written so that um all of 00:15:41.641,00:15:46.646 this works. Okay! Uh and then we also have to say I want to merge this method into the uh [pause] 00:15:50.283,00:15:55.288 there we go. Okay! Um now there's an Eclipse builder built into it. Um so yeah I guess I 00:15:58.124,00:16:03.563 should first say you'll create a new project. So you can do new uh other and then there's a 00:16:03.563,00:16:07.633 [indiscernible] ReFrameworker project. There's some sup support for other things too. Um 00:16:07.633,00:16:11.938 and uh that whole setup the class path everything like that. So as you're developing here 00:16:11.938,00:16:15.975 you're not actually er you'll be manipulating your run time but you're not going to actually 00:16:15.975,00:16:19.278 affect it. We're just going to do it locally and then we'll just kind of hotspot it at run 00:16:19.278,00:16:23.583 time. Um so I'm going to go ahead and build this project here. Um don't have a an 00:16:23.583,00:16:28.254 incremental builder yet. So you have to do a build clean but things are coming. It's a work 00:16:28.254,00:16:33.659 in progress. Okay so um we're building down here the progress um we'll hope it works here. Uh 00:16:33.659,00:16:39.866 pray to the demo gods. Okay! So we run it uh with the normal run time that says true. But now 00:16:39.866,00:16:45.304 we're going to run it with our manipulated run time. And it says false. So it worked. Okay. 00:16:45.304,00:16:50.309 Um but we know that that file exists because we wrote to it. Right? So weird. Okay. Um now 00:16:50.309,00:16:55.748 let's take a look at what happened under the hood. So I'm going to load up uh just uh a 00:16:55.748,00:17:01.120 JD-GUI. Just an easy java decompiler here. 
Um and let's decompile the modified run time. 00:17:01.120,00:17:06.125 Just to see what's in there. So I'm going to go to Java file IO um go down to file. And I will 00:17:08.694,00:17:13.699 search for let's search for the exists method. Exists [pause] nope [pause] Okay. So here's the 00:17:20.106,00:17:26.546 original method. Um and all we did was rename it. So that we can call it later. And then if 00:17:26.546,00:17:31.550 we can find the other exists [pause] Okay. So here's our new one. It's the code that we just 00:17:37.189,00:17:42.862 wrote. And the recall to super now just calls our other method which we um made private so that 00:17:42.862,00:17:48.901 nobody can see it anymore. Okay. So I'm going to quit that. We'll go back to the slides here. Um 00:17:48.901,00:17:53.506 so really easy right? We can test this. We can run it. Oh I guess I could say um if we don't 00:17:53.506,00:17:59.278 want if we want to actually debug this uh in our test code, we can go back over here instead 00:17:59.278,00:18:03.716 of invoking the file we could just try our our normal one. So if we want to set break points, 00:18:03.716,00:18:06.886 stuff like that, we can just debug it locally without actually manipulating the run 00:18:06.886,00:18:12.692 time. Uh and then um once we're confident with it we just change the target manipulate the run 00:18:12.692,00:18:18.798 time and everything will work fine. Okay. So now we have a little bit of fun right? We have 00:18:18.798,00:18:23.603 a framework. We can just start manipulating things. So this is um this is just kind of a fun 00:18:23.603,00:18:28.874 one. Um what I'm doing is overriding the print stream object uh yet again. Uh this 00:18:28.874,00:18:35.615 time we defined a new field. Um it's an integer called Beetlejuice. And um every time 00:18:35.615,00:18:40.653 the println method is called we look at the stack trace. So we're looking to see who called 00:18:40.653,00:18:46.892 us. Right? 
Um and if there was a method named Beetlejuice we increment that counter. And if 00:18:46.892,00:18:51.897 the counter is 3 then we call this call. And we'll see what that call does in a minute. 00:18:58.771,00:19:03.242 [pause] So we have to now think about what would trigger this code. Right? So we have um a 00:19:03.242,00:19:08.014 method named Beetlejuice. And we're going to uh invoke it 3 times. And uh we're going inside 00:19:08.014,00:19:10.016 Beetlejuice there's a call to println. So we'll trigger that code. And uh it'll go 00:19:10.016,00:19:15.021 Beetlejuice Beetlejuice Beetlejuice. Um if we run this normally it's not very 00:19:20.359,00:19:26.699 interesting um because [pause] let me skip forward just a little bit since I already 00:19:26.699,00:19:31.370 explained all that. Okay. Uh if we run this normally uh it's not very interesting. It just prints 00:19:31.370,00:19:37.877 the hash code of the Tim Burton object. Um I'm a fan of Beetlejuice. Anyway. Um but if 00:19:37.877,00:19:42.882 we run this with our modified framework [pause] [music] yeah so someone has [indiscernible] 00:19:45.418,00:19:50.423 uh all of the Doom uh to pure Java. And uh just as um just as you know a test um of how much 00:19:54.660,00:19:59.265 complexity we can shove into the run time, why not just shove the whole video game in there? Um so 00:19:59.265,00:20:05.938 it it about doubles the size of your run time but that's okay. Um but what's fun is um you know 00:20:05.938,00:20:11.744 our client can have kind of fun little triggers. You know what of what we want it to um how we 00:20:11.744,00:20:14.346 want to trigger it. So here's another one. Um oh okay. I'm gonna I uh reordered my examples 00:20:14.346,00:20:16.348 here. Okay. So um this one is just kind of to show off the other things. So normally if you 00:20:16.348,00:20:18.350 called the string replace method it doesn't modify the variable that it is operating on. 
Uh so 00:20:18.350,00:20:20.352 the receiver variable. It doesn't modify that. So in this case demand replace sacrifice 00:20:20.352,00:20:24.290 with puppy. Then um you know it wouldn't do anything. So the the the normal behavior was you know 00:20:24.290,00:20:28.260 it was just say Satan demands a puppy. Or sorry demands a sacrifice. But if we make 00:20:28.260,00:20:30.262 strings mutable. And we make this actually modify the behavior. Then string replace 00:20:30.262,00:20:32.264 works like how some people think string replace works. Uh and actually prints Satan demands a 00:20:32.264,00:20:34.467 puppy. So um this one's tricky. Um because a string is sometimes treated like a primitive object. 00:20:34.467,00:20:37.236 So you shouldn't have to extend the string class. So they make it a final class. Um and do you 00:20:37.236,00:20:39.438 want to build a treat it as mutable so you can make those assumptions when you're 00:20:39.438,00:20:42.775 programming. Um so they actually make the the value of the string a protected er sorry a private 00:20:42.775,00:20:44.810 field. And and a final field itself uh so that you can't change it. But of course we 00:20:44.810,00:20:46.946 control the run time. So we can easily uh update that. We just say nope string's not final. Nope 00:20:46.946,00:20:50.916 the value field is not final. And hey let's make it protected so that we can actually 00:20:50.916,00:20:53.419 manipulate it and play with it. Um okay. So uh we can do all sorts of fun things. Like just 00:20:53.419,00:20:57.556 kind of went crazy there's a whole bunch of modules that I had to cut from this talk. Just 00:20:57.556,00:21:02.495 for time reasons. Um but I'll release them all on the the GitHub info right after this. Um so 00:21:19.979,00:21:24.984 this one uh is takes whenever someone loads an image like a jpeg or something in the in a 00:21:54.013,00:21:59.585 Java GUI uh they have to access the raw data the image. 
So just basically adds a hook 00:21:59.585,00:22:04.523 that says um before you access that image why don't you pixelate for us? Um and why 00:22:06.525,00:22:11.330 would we want to do that? Well for the glory of Satan of course. Um and of course we 00:22:11.330,00:22:17.403 control the pixellation so we can just make this as pixellated as we want. Um here's another 00:22:17.403,00:22:23.108 fun one that I really like. Um so this was this came from a talk and it was partially the 00:22:23.108,00:22:28.214 inspiration for this talk. Um was I was trying to to say you know what's the difference 00:22:28.214,00:22:33.686 between you know how how do we detect malware if we don't have a def definition of malware. Um 00:22:33.686,00:22:38.224 so in this case I wrote a spell checker. And the spell checker was just a normal spell checker. 00:22:38.224,00:22:41.627 And then I went through and I inverted all the logic. Right? So what do we have now? 00:22:41.627,00:22:45.664 Something that creates typos. Right? It just creates kind of realistic typos. Follows the 00:22:45.664,00:22:50.169 same sort of rules. They're just all backwards. Um and then what we can do is we can put this 00:22:50.169,00:22:56.075 into a key event. Um so that the faster you type the more typos we create. And then as you slow 00:22:56.075,00:23:01.313 down we start to behave again. Right? So it's just kind of killing your productivity. Um 00:23:01.313,00:23:07.920 and it's really annoying. Um in fact the first I I tested this uh I didn't realize that Windows 00:23:07.920,00:23:12.958 has 2 different run times. A 64 bit and a 32 bit. And um I was trying this. I was trying this. 00:23:12.958,00:23:16.795 And I I just couldn't get it to work. Uh and I was running out of command line. Uh and then I 00:23:16.795,00:23:22.001 went back to Eclipse and I realized um it's working. It just working on the run wrong 00:23:22.001,00:23:28.741 wrong run time. 
Okay so I have I have a demo that's um so you can you can tweak the parameters. 00:23:28.741,00:23:33.979 This one actually better to run um in some sort of test harness so you know what typo is mine 00:23:33.979,00:23:37.616 and which one's not cause I'm trying to type as fast as I can. So when it turns red it's typing 00:23:37.616,00:23:43.923 it. It's putting in typos. Uh and as I slow down it starts to behave again. Um and uh and 00:23:43.923,00:23:49.895 everything's fine. So um you can kind of play with you know with the sliding average to see how 00:23:49.895,00:23:54.900 devious you want to be. There's lots of parameters there. Um so that one's kind of fun. [pause] 00:23:54.900,00:23:59.905 whoops okay back to slides Okay um so now um I really liked this idea. Um so people will think 00:24:05.878,00:24:10.883 about um you know we we have a CVE. And um you know we want to create anti virus to detect the 00:24:12.985,00:24:19.892 CVE or to detect the malware. Right? But what is malware? Um so I like I like the CVE I I 00:24:19.892,00:24:24.029 I've gone through this a few times now. And and I really recommend if if anyone hasn't 00:24:24.029,00:24:29.468 just pick a CVE and just try to understand as much about that CVE as you can. And you know go 00:24:29.468,00:24:33.806 up through try to recreate it yourself. Um it's a lot of fun and you learn a lot thing. So 00:24:33.806,00:24:38.644 this one was um really popular. There was a Metasploit module. It worked on basically every 00:24:38.644,00:24:45.417 platform. Um the original bug was in Oracle itself. So people like Apple uh copied it into 00:24:45.417,00:24:50.556 their run times. Uh and uh you know it was exploited in the wild and people are just having 00:24:50.556,00:24:54.860 all sorts of fun with this. Um I think that's you know probably one of the reasons Chrome 00:24:54.860,00:25:00.466 doesn't ever let you run an applet anymore. But um so we have an existing exploit for 00:25:00.466,00:25:06.038 this. 
Um and and I wanted you know I did an experiment a little while ago uh about 2 00:25:06.038,00:25:10.009 years ago just to see you know how could I you know just change this a little bit just to get 00:25:10.009,00:25:14.713 past AV. So we all know what AV is bad. Right? You know it's it's hard to write good AV. I've 00:25:14.713,00:25:20.052 tried. Um but anyway. So let's just see you know what are all the different anti viruses 00:25:20.052,00:25:25.791 doing. So I created um you know I took the original proof of concept um that was reverse 00:25:25.791,00:25:31.397 engineered from the from the the malware in the wild. Um I [indiscernible] this was 2014. I 00:25:31.397,00:25:37.202 uploaded it to VirusTotal and um you know 30 out of 55 people detected this. And this is 2 00:25:37.202,00:25:43.308 years after you know after the exploit was out. So you know not not great. Um but then let's 00:25:43.308,00:25:48.981 just start refactoring a little bit. So start changing the class names, the variable names, and 00:25:48.981,00:25:53.018 we we lose 2 people right off the bat. Right? We lose 2 AV right off the bat. Uh we start 00:25:53.018,00:25:57.790 just [indiscernible] strings. So if you know we have a string we just break it up and concatenate 00:25:57.790,00:26:02.127 it. So you know now the AV kind of has to reassemble that or do some symbolic execution. 00:26:02.127,00:26:06.131 Something like that. We can change the control flows. We can start merging methods. Splitting 00:26:06.131,00:26:12.838 things into multiple methods add dummy um if branches. Stuff like that. Um and that one didn't 00:26:12.838,00:26:17.476 seem to do too much so nobody was really looking too hard at control flow. 
Um but then what 00:26:17.476,00:26:23.081 we can do is start looking at okay well what are the key APIs that people are um you know that 00:26:23.081,00:26:27.453 people are keying off of and let's just use reflection or another layer of indirection to 00:26:27.453,00:26:32.958 call those. Um so that um you know so we throw them off. And and we lose a bunch of people 00:26:32.958,00:26:39.231 right away. But of course we we can do way better. We could just um you know put the whole class 00:26:39.231,00:26:45.304 into a string XOR with just a simple key. Just a 1 byte key. Uh and then load it with a class 00:26:45.304,00:26:51.176 loader at run time and run it. And so nobody gets that. Um okay. So not a big deal. Uh if 00:26:51.176,00:26:54.813 you guys want to play with this yourself the all the source there for for all the different 00:26:54.813,00:26:59.952 versions is online. Um so I did this 2 years ago which was 2 years after the exploit came 00:26:59.952,00:27:05.824 out. I decided let's just do it again one more time. Um so I run it again. And uh well we got a 00:27:05.824,00:27:11.063 new antivirus in the game. Um and 6 more people found it but it's there's still you know like 00:27:11.063,00:27:16.702 20 people out there that that can't find this. Um changing the class names so we actually got a 00:27:16.702,00:27:20.539 little bit better. Right? Um things like changing the class names. Nobody is keying off of 00:27:20.539,00:27:25.978 those sort of things anymore. Obfuscating strings still works a little bit. Um the reflective 00:27:25.978,00:27:30.616 invocation still helps but still nobody can get the XOR thing. And that's that's a hard 00:27:30.616,00:27:35.621 problem. I don't blame them. Um but it's just that easy. Right? Anyway um so why don't you know 00:27:38.156,00:27:42.494 I was kind of bummed out. This this this bug doesn't exist anymore. It was used lots in 00:27:42.494,00:27:48.033 Java 1.7. 
Um they fixed it but hey we control the run time so let's just put it back in. 00:27:48.033,00:27:53.038 Alright? And so I call this the reverse bug patch. Um so yeah so I I I'd love to uh to automate 00:27:56.408,00:28:01.346 this. Um and so someday. Anyway! Um so the the fix was really really easy. Um so I I started 00:28:04.950,00:28:09.788 first I started to um downloading all the versions of Java. Um and then uh started 00:28:09.788,00:28:14.793 doing differencing on them. And you see the fix is um they just add uh 2 calls in um in the 00:28:18.497,00:28:24.703 class finder uh object to check package access. And this was because um basically someone was 00:28:24.703,00:28:31.343 able to use reflection to avoid a security check by um kind of tricking um tricking the run 00:28:31.343,00:28:35.147 time into thinking that the call was coming from a different origin. So we just add this 00:28:35.147,00:28:39.651 check. And we're fixed. Um there's another another check that was added to method finder. 00:28:39.651,00:28:44.256 This this CVE actually consisted of 2 different vulnerabilities that were used together. So we 00:28:44.256,00:28:49.261 have 2 separate bug patches. Um and then they uh removed a field uh I think this was just a case 00:28:51.530,00:28:56.401 of refactoring later. They removed uh another method we were using for the exploit. Um 00:28:56.401,00:29:01.640 so no big deal. We'll just put them back in for ya. Uh and uh of course you know if you want 00:29:01.640,00:29:07.312 to upload malware to a target eh it's fine but why not just upload the vulnerability and 00:29:07.312,00:29:11.049 then come back and exploit it again later. Right? Because if if we know we can't detect the 00:29:11.049,00:29:16.421 vulnerability then we've left ourselves kind of a nice back door. Uh and we have lots of 00:29:16.421,00:29:20.559 examples of great vulnerabilities that nobody's looking for um so of course I 00:29:20.559,00:29:24.696 mean this is expected. 
You upload this VirusTotal. They you know this modified run time 00:29:24.696,00:29:27.933 and and nobody's going to detect this. So we're not looking for the vulnerabilities. We're 00:29:27.933,00:29:32.938 looking for the exploits. Um okay! So maybe some good uses um for this. So this was a uh um a 00:29:37.242,00:29:43.682 masters project that um I helped a a student with Iowa State. Um so he was looking at things like 00:29:43.682,00:29:50.155 can I take old uh SCADA HMI applications and secure them somehow? Um and so if we have a 00:29:50.155,00:29:54.393 SCADA HMI application a lot of these happen to be Java applets which would communicate with 00:29:54.393,00:29:59.898 some backend server. Um so he started creating things like a a kind of a smart intelligent 00:29:59.898,00:30:05.270 firewall. Application level firewall. Um that would wrap the wrap the server. But then we 00:30:05.270,00:30:09.007 need a way to if you know we want to do something like support 2 factor authe 00:30:09.007,00:30:15.180 authentication we need a way to um get some sort of feedback to the application so that the 00:30:15.180,00:30:20.018 application can prompt the user for their their token and then lead that back to the firewall. 00:30:20.018,00:30:23.722 Um and we can also do some things like add some profiling logic so we can do something 00:30:23.722,00:30:29.361 kind of like active defense. So um we can we can of course those could be disabled uh but it's 00:30:29.361,00:30:33.765 just nice to be able to to add another layer of of authentication. So in this case 00:30:33.765,00:30:38.537 um we have this this SCADA application we don't have the source code to it. Um but that's 00:30:38.537,00:30:43.241 not too hard cause we can just find the object you know maybe that controls this alarms list. 00:30:43.241,00:30:48.180 And say we want to add additional security around this alarms list. 
We can um we can 00:30:48.180,00:30:55.153 add you know um the 2 factor authentication which uh lets you through the firewall uh just to 00:30:55.153,00:31:01.460 access the alarms list data. Um so this case um it's just a real simple couple lines of code. Um 00:31:01.460,00:31:05.864 with some JSON that passes the the result back-n-forth. Um but we can add this prompt and 00:31:05.864,00:31:12.204 secure this this um this application. So uh I added support to JReFrameworker 00:31:12.204,00:31:17.709 to modify applications as well. Um there's some really early basic support for Android stuff. 00:31:17.709,00:31:23.115 Um that one's really early cause you have to though some additional tool chains. Um but 00:31:23.115,00:31:27.786 let's talk a little bit about the mitigation. So how gonna you know I'm I'm trying to make this 00:31:27.786,00:31:31.890 project I'm I'm making things a little bit worse by making it easy for everyone to write 00:31:31.890,00:31:37.996 these. So let's talk about the mitigations. Um okay so does anybody see anything wrong with 00:31:37.996,00:31:43.001 this picture? This is our file example before. [pause] Okay! So um if we look at the line 00:31:46.171,00:31:51.610 numbers. These are these are added by the compiler for things like decompilers or debugging um 00:31:51.610,00:31:56.148 adding to the stack trace. You know what line you crashed on. Um but you can see in my 00:31:56.148,00:32:00.185 framework I wasn't too too worried about being super stealthy. I just wanted it to 00:32:00.185,00:32:06.591 work. Um but when I inserted the new the new method you know I didn't go back and recalculate 00:32:06.591,00:32:11.463 the line numbers. So you can see at the end or at the end of the file and it's like line 2000 00:32:11.463,00:32:17.569 something. And now we go on to 18 19 21 and then we're back to 2000 something again right? 
So 00:32:17.569,00:32:22.974 there's lots of fingerprints that um the run time's gonna get add uh you know if you're if 00:32:22.974,00:32:28.180 you're not manipulating byte at the byte level some tool is going to add some fingerprints 00:32:28.180,00:32:34.786 um as a as a result of its manipulation. Um so we can start to look through these things. Um 00:32:34.786,00:32:39.691 so the easiest way is probably you know have a baseline of all the files on your system. And 00:32:39.691,00:32:44.095 know when they should be changing. Did you run Java update? No? Then why the pass 00:32:44.095,00:32:49.134 change? Right? Um but of course we can you know we've rooted the box so it's kind of game over 00:32:49.134,00:32:54.172 for you anyway. Um because maybe I'll just back door the Java updater and after you update 00:32:54.172,00:32:59.845 Java I'll re-manipulate things again. Right? Um so we can we can have a lot of fun with this. 00:32:59.845,00:33:04.783 Um another kind of fun indicator was um the Java run time has about 50 megabytes. But after I 00:33:07.886,00:33:13.925 manipulate it it's about 25 megabytes. Which is weird. But it's just because I'm using a 00:33:13.925,00:33:17.696 different compression ratio. So I could try to match the compression ratio of the 00:33:17.696,00:33:23.335 original library. Um but it doesn't matter. The jar causes zip files so it still works. Um 00:33:23.335,00:33:28.240 but those these are some of the indicators you can look for. Um when you rename the the methods 00:33:28.240,00:33:34.079 uh to to kind of preserve the old behavior right? Just renaming methods so um you could 00:33:34.079,00:33:38.650 just look for that easy prefix. Uh I have a preferences menu if you want to change that prefix 00:33:38.650,00:33:44.489 and not use uh this default J ref underscore. Um that's up to you. But you know there's still 00:33:44.489,00:33:47.959 going to be kind of a pattern. 
You could count the number of methods and know the number of 00:33:47.959,00:33:53.098 methods in each class file. And expect you know it's kind of going to grow at the rate with 00:33:53.098,00:33:59.037 each update. Um and if you see a huge spike then you should know why right? Um okay and of course 00:33:59.037,00:34:04.743 we can use all sorts of code complexity metrics. Um but yeah. We'll have fun with that later. 00:34:04.743,00:34:10.382 So the biggest thing is being aware of it right? So if your friend's like an investigator um 00:34:10.382,00:34:15.220 and things are behaving weirdly you might want to look at something like this. Um and this 00:34:15.220,00:34:20.692 is generally an awareness project. Um you know Erez talked about this about 6 years ago. 00:34:20.692,00:34:27.098 And I was really surprised that nobody else had really done anything with this since. Um so 00:34:27.098,00:34:31.369 hopefully by you know by lowering the barrier to entry people can play with this more. 00:34:31.369,00:34:36.374 Uh and and will be more aware of it as a as a community. Um [pause] so my biggest point was 00:34:40.512,00:34:44.950 you know if I could do this as an evening hobby. Anybody could be doing this. Right? And if 00:34:44.950,00:34:50.789 we're not thinking about it that's a problem. Okay so I have some Q&A. Um and if I have tons 00:34:50.789,00:34:56.428 of time left I have more modules I can go through. Um but I'm happy to take questions. Um I 00:34:56.428,00:35:01.166 just have this this kind of closing poem by Robert Frost which basically is my way of 00:35:01.166,00:35:06.037 saying um there's a lot of work left to do on this. Um I'd like to support quite a few more 00:35:06.037,00:35:10.942 things. I'd like to look at other languages. Um so the Java virtual machine itself I'll come 00:35:10.942,00:35:16.848 back to this but the Java virtual machine itself um isn't just for Java. It supports lots 00:35:16.848,00:35:21.920 of languages. 
In fact there's you know um invokedynamic was uh kind of originally added uh 00:35:21.920,00:35:28.727 to support things like Jython. Um with all their kind of uh dispatching. But um if we can 00:35:28.727,00:35:32.864 manipulate the Java run time itself. We can start to kind of branch out and start to consider 00:35:32.864,00:35:38.670 other things. So things like JRuby will just call into the the Java run time jars to kind of 00:35:38.670,00:35:43.975 reuse those languages. So you can mix-n-match things. So if you have um a JRuby web site 00:35:43.975,00:35:49.381 you can start to manipulate it that way. Um and so I just want to say that it's not just about 00:35:49.381,00:35:54.352 Java. Um there's lots of managed languages out there and they're all going to have the same sort 00:35:54.352,00:36:00.158 of issue. Okay um so the source code's out there. Um if you're interested please play with it. 00:36:00.158,00:36:06.064 Make feature requests. I'm happy to support it. Um and I'd like to keep working on this. Um so 00:36:06.064,00:36:11.069 thank you very very much for coming. I'm happy to take any questions you have. Um thank 00:36:14.939,00:36:19.944 you! [applause] [pause 36:19 until 36:40] Yeah that's fine [pause] >>Hello >>Hi >>So if 00:36:46.371,00:36:51.376 you're modifying SCADA devices perhaps to improve the security by playing with the Java run 00:36:51.376,00:36:56.381 time libraries. Then the opposite question comes up. How in the world do you discover 00:36:59.417,00:37:04.355 whether somebody else did it? [laugh] >>Yeah um so ya you're asking whether or not um [pause] 00:37:08.560,00:37:14.666 so so if if if you modify the the application how we know if it was modified for good reasons 00:37:14.666,00:37:21.473 or for bad reasons? >>Well um [pause] just arguing that the number one rule of security is 00:37:21.473,00:37:26.544 that it's easier for the good guy than the bad guy? >>Yeah. 
Um so I think this would be 00:37:26.544,00:37:31.316 something you would want to do I mean you would do this in house. Right? You would have a specific 00:37:31.316,00:37:35.253 need for this application that you you don't have the source code to this for whatever 00:37:35.253,00:37:40.291 reason. And you want to you want to add this feature. Or add this new m building. This is a way 00:37:40.291,00:37:46.698 that you could [clears throat] sorry. You could modify that binary. And then sign it and you 00:37:46.698,00:37:52.003 know keep track of that hash and your and your deployment system. So it's I mean it's just it's 00:37:52.003,00:37:55.907 I'm I'm not necessarily advocating that you should do this. It's just that you could 00:37:55.907,00:38:00.845 use it for this purpose. >>Okay so I have to have like um a a standardized deployment. >>Yeah. 00:38:03.314,00:38:08.987 I mean you if if you're deploying this [clears throat] if you're deploying this this already you 00:38:08.987,00:38:13.992 should have some some system in place for how you're going to deploy it. Um you know of course 00:38:13.992,00:38:18.129 if if the application's signed you're going to have to re-sign it with your own your own 00:38:18.129,00:38:22.133 application key. And keep track of that. Because you're not I mean you're not going you're 00:38:22.133,00:38:28.706 going to violate the the hashes and the manifest by doing this. >>Thank you. [pause] >>Have you 00:38:28.706,00:38:33.711 tried to circumvent the the requirement the cryptographic providers be signed? So you put 00:38:36.748,00:38:43.288 in your own like key generator class and the uh JRE? Have you tried to do anything like that? 00:38:43.288,00:38:47.892 >>No I haven't played with that too much. I I basically just got it working and played with a few 00:38:47.892,00:38:54.666 modules. Um are you talking about like the the class loader stuff or applet security? 
Um 00:38:54.666,00:38:56.935 where are you talking about with the key the key [indiscernible] >>Okay if you're if you're 00:38:56.935,00:39:03.074 creating a uh security provider that provides like key generator >>Yep >>And you want to use it 00:39:03.074,00:39:08.079 that has to be uh signed by Sun Oracle. >>Right. >>And so you have that jar in the JRE lib/ext 00:39:11.316,00:39:15.820 directory. You have it in java.security. >>Yeah. No I I haven't tried to you know 00:39:15.820,00:39:20.758 bypass like the key signing on the manifest or anything like that. Um what I did was if it 00:39:20.758,00:39:25.563 was signed basically I just blow away the manifest re-sign it with my own key. >>Yeah now 00:39:25.563,00:39:29.267 you're modifying the JRE and not the the application [indiscernible] >>Yeah the JRE 00:39:29.267,00:39:34.439 is actually not signed. >>Right. >>Yeah. >>So you could patch that and if key generator 00:39:34.439,00:39:39.978 there's key and KeyGeneratorSpi >>Ah I see >>Which the security provider provides. 00:39:39.978,00:39:44.048 >>Yeah that would be interesting. I haven't tried that. Yeah that's a good idea. 00:39:44.048,00:39:49.053 >>Hopefully not. >>[laugh] [pause until 40:00] >>Do you provide a way to um modify the 00:39:53.424,00:39:58.429 static um part of the code? >>To modify the stack? So underneath it's using ASM. So um if there's 00:40:06.304,00:40:11.309 things like uh say you add a a parameter to a method? You've changed the the stack size and 00:40:17.148,00:40:22.487 the call. So in that case you have to it recomputes the stack when it makes the modifications. 00:40:22.487,00:40:27.592 So that part is handled by the ASM library. It's a pretty pretty robust library. It's used 00:40:27.592,00:40:32.597 in a lot of things. >>I mean the uh static um matter. >>Sorry can you ask it again? >>The static 00:40:36.668,00:40:41.673 matter of the class. Not you cannot extend them. 
>>So oh if you can't extend it because it's 00:40:45.109,00:40:50.014 marked final. Yeah so in that case there's an adaptation [clears throat] I used to just 00:40:50.014,00:40:55.453 call it [clears throat] sorry I'm losing my voice. Um I used to just call it not final. Um 00:40:55.453,00:41:01.159 but in this case it's just uh defined finality true or false. So in that case like string was 00:41:01.159,00:41:06.164 marked final. You can't extend the class. But now you've first run you first mark it [clears 00:41:08.299,00:41:14.572 throat] as uh not final. And then uh compile it once. Now you can compile it against it again. 00:41:14.572,00:41:18.543 Uh and extend it add your feature and then compile it one more time. So there's you can 00:41:18.543,00:41:25.083 have multiple passes if you want. >>It's not final it is only static so it's >>Oh yeah 00:41:25.083,00:41:30.521 you can you can change the whether or not something's static. Um [pause] oh actually 00:41:30.521,00:41:34.792 no you can't. Um because if it's not static you've changed quite a few things. You've if you want 00:41:34.792,00:41:39.797 it to not be static I would either just declare a member variable um that you're going to 00:41:39.797,00:41:45.036 use for that. Uh if you make something not static you're going to impact quite a few 00:41:45.036,00:41:50.041 things. Um not sure I'm actually not sure what the use case for that would be. Um but if you 00:41:52.443,00:41:57.448 have one I can I can look in to to making that. Yeah. >>Make certain initialization 00:41:59.484,00:42:06.224 [inaudible] >>Yeah so right now I don't handle um the static initializers. So um you can it 00:42:06.224,00:42:11.462 just gets kind of tricky when you start playing with the super calls. Um it's it's something 00:42:11.462,00:42:16.367 there's there's actually this white paper right here um talks about a one way that you can do 00:42:16.367,00:42:21.539 that. 
If you want to merge say 2 constructors or um merge the static initializers of 2 00:42:21.539,00:42:26.344 different block uh 2 different classes. Um that's something that has been done before. Um I 00:42:26.344,00:42:31.349 just haven't I didn't need it for any of the the examples I did today. >>Okay thank you. 00:42:47.165,00:42:52.170 >>Yep. [pause until 42:49] Okay. Well thanks you guys for coming. I appreciate it. [applause]