   _____  .__                                    .___               
  /  _  \ |  |   ____ ___  ________    ____    __| _/______   ____  
 /  /_\  \|  | _/ __ \\  \/  /\__  \  /    \  / __ |\_  __ \_/ __ \ 
/    |    \  |_\  ___/ >    <  / __ \|   |  \/ /_/ | |  | \/\  ___/ 
\____|__  /____/\___  >__/\_ \(____  /___|  /\____ | |__|    \___  >
        \/          \/      \/     \/     \/      \/             \/ 
            _____       .___                      __   .__          
           /  _  \    __| _/____    _____   _____|  | _|__|         
          /  /_\  \  / __ |\__  \  /     \ /  ___/  |/ /  |         
         /    |    \/ /_/ | / __ \|  Y Y  \\___ \|    <|  |         
         \____|__  /\____ |(____  /__|_|  /____  >__|_ \__|         
                 \/      \/     \/      \/     \/     \/            

Reverse engineering, exploitation and tools development.


Grab my PGP key and send me an e-mail at neat@neat.sh.



GDB plug-in that makes it easier to develop Linux kernel exploits targeting the SLUB allocator. It displays the contents of slab caches and lets you set breakpoints on allocation and free operations.



Python version of the Microcode Explorer plug-in created by Rolf Rolles. It generates Hex-Rays microcode at different maturity levels, and can list and graph it.



AMIE is a Python rework of FRIEND that focuses solely on the ARM architecture (both AArch32 and AArch64 are supported). It is lightweight and dependency-free, and provides relevant and up-to-date information about the ARM system registers and instructions.



IDArling is a collaborative reverse engineering plug-in for IDA Pro and Hex-Rays. It synchronizes, in real time, the changes made to a database by multiple users by connecting together different instances of IDA Pro (locally or remotely).



Breaking Samsung's ARM TrustZone

Talk given at BlackHat USA 2019

The increasing popularity of connected devices in recent years has led manufacturers to put a greater emphasis on security, finding themselves in need of robust designs that would protect their users.

From these requirements emerged the ARM TrustZone, a system-wide hardware isolation technology. It introduces a trusted Secure World that can process code and data while ensuring their integrity and confidentiality. This Secure World can also watch over the user-controlled (and therefore untrusted) Normal World to verify its integrity, similarly to the mechanism implemented in Samsung's TIMA.

It can also access hardware peripherals, such as keyboards, screens, or crypto-processors, in a secure and isolated manner to create trusted UIs, implement DRM, etc. All the sensitive data and the critical interrupts are handled directly by the Secure World without ever passing through the Normal World.

However, the usage of this technology comes at a cost. By widening the attack surface and exposing privileged components, TrustZone can potentially introduce a single point of failure that allows the compromise of the entire system.

Using Samsung's TrustZone implementation as a target, this presentation explains and demonstrates how this new attack surface can be leveraged to hijack and exploit trusted components. After explaining the internals and interactions of these components developed by Samsung, different vulnerabilities will be detailed and exploited to execute code at EL3, the highest privilege level on an ARM-based system.


IDArling, Collaborative Reverse Engineering

Talk given at SSTIC 2019

A collaborative reverse engineering plugin for IDA called Sol[IDA]rity was presented at REcon 2016. It looked awesome, so everyone was excited to try it out! But months passed, then years, without any release or source code.

Tired of waiting, IDArling's authors decided to develop this tool themselves and see whether it was really worth it, while open-sourcing the project from the very beginning. This process proved more difficult than expected.

This presentation explains the plugin's functionality, the reasons behind the choices that were made, the major difficulties encountered, and the workarounds that were found, and finally discusses when alternatives like the well-known YaCo plugin are more appropriate.
