[00:00.000 --> 00:09.040] All right. So, it's two minutes early,
[00:09.040 --> 00:12.800] but I have a tendency to speak and not stop,
[00:12.800 --> 00:15.160] so we better get started here.
[00:15.160 --> 00:21.920] So, I am so tired of doing introductory talks about poke.
[00:21.920 --> 00:25.280] So, I have decided that this is the last one I'm going to do.
[00:25.280 --> 00:27.640] So, but let's see.
[00:27.640 --> 00:31.240] Is anyone here familiar with this program somehow?
[00:31.240 --> 00:34.160] Yes? Okay.
[00:34.160 --> 00:37.440] So, yeah, we need to do an introductory talk.
[00:37.440 --> 00:43.400] So, GNU poke is an extensible editor for structured binary data.
[00:43.400 --> 00:46.200] So, it is a program that you can actually expand.
[00:46.200 --> 00:51.440] We will see how, and you can expand it actually to a very high degree.
[00:51.440 --> 00:56.600] And we will see that it's a program that is used to poke,
[00:56.600 --> 01:03.120] or to mess, to edit data which is encoded in binary.
[01:03.120 --> 01:05.520] We will see what this thing about binary is.
[01:05.520 --> 01:08.000] Everything is binary at the end of the day, right?
[01:08.000 --> 01:11.360] So, first, I'm going to do a very small introduction,
[01:11.360 --> 01:13.320] an abstract one, right?
[01:13.320 --> 01:15.680] I mean, why would you use such a program?
[01:15.680 --> 01:19.720] Then, we will see how we are actually integrating poke in
[01:19.720 --> 01:24.080] other programs via a shared object, a library.
[01:24.080 --> 01:27.440] Then, I will basically talk a little bit about the project itself,
[01:27.440 --> 01:28.720] the current status.
[01:28.720 --> 01:32.760] We just made a major release that we are very happy about,
[01:32.760 --> 01:36.320] and we are very busy because the project is getting a lot of,
[01:36.320 --> 01:38.000] we have a lot of things to do.
[01:38.000 --> 01:39.720] It's getting very fun actually.
[01:39.720 --> 01:44.000] And then, finally, an invitation to you to actually join us in,
[01:44.000 --> 01:46.440] you know, in hacking this program.
[01:46.440 --> 01:50.360] So, let's start with a very small introduction.
[01:50.360 --> 01:57.040] I mean, when it comes to editing binary data, well, what do you use?
[01:57.040 --> 01:59.080] You use a binary editor, right?
[01:59.080 --> 02:05.560] If you go around and then you look around, you know,
[02:05.560 --> 02:10.120] on the internet for binary editors, you have, you know,
[02:10.120 --> 02:14.160] the simplest kind, what I call simple binary editors,
[02:14.160 --> 02:17.920] which is, you know, your garden, garden variety, you know,
[02:17.920 --> 02:21.200] programs which show you a byte dump.
[02:21.200 --> 02:24.920] And then, a lot of them also show you the ASCII representation
[02:24.920 --> 02:26.400] of the same bytes.
[02:26.400 --> 02:28.080] What do you see on the screen?
[02:28.080 --> 02:30.000] How many of those programs are around?
[02:30.000 --> 02:31.200] Quite a lot of them.
[02:31.200 --> 02:32.240] And they are nice.
[02:32.240 --> 02:35.520] I mean, they are nice, they are useful, they are small,
[02:35.520 --> 02:37.040] they are very easy to use.
[02:37.040 --> 02:40.520] There is nothing mysterious about them.
[02:40.520 --> 02:42.360] They are interactive, usually.
[02:42.360 --> 02:44.600] The ones that allow you to actually change the value
[02:44.600 --> 02:46.360] of those bytes in the files.
[02:46.360 --> 02:49.040] You just go to the byte you want to change,
[02:49.040 --> 02:53.040] you put in, you know, the new value for the bytes, ta-da.
[02:53.040 --> 02:55.480] If you want to change, you know, based on some string,
[02:55.480 --> 02:57.840] you go to the ASCII column there,
[02:57.840 --> 03:00.760] you go to the position you want to edit, you change it,
[03:00.760 --> 03:02.960] ba, you know, the file gets updated.
[03:02.960 --> 03:04.480] Very nice, they are interactive.
[03:04.480 --> 03:06.440] They support immediate editing.
[03:06.440 --> 03:09.800] Like you go, you change here, and it immediately gets reflected
[03:09.800 --> 03:13.800] in the file that you are editing, for example.
[03:13.800 --> 03:15.280] What do they let you edit?
[03:15.280 --> 03:16.920] In terms of what?
[03:16.920 --> 03:17.880] Well, it depends.
[03:17.880 --> 03:19.680] But on those simple binary editors,
[03:19.680 --> 03:22.320] they let you operate in terms of bytes,
[03:22.320 --> 03:26.480] in terms of strings, like we just mentioned.
[03:26.480 --> 03:28.800] And sometimes, this is not often,
[03:28.800 --> 03:30.920] but sometimes in terms of bits as well.
[03:30.920 --> 03:33.120] Some of those basic binary editors,
[03:33.120 --> 03:36.080] they support, you know, down to the bit level too.
[03:39.000 --> 03:41.000] And that's it.
[03:41.000 --> 03:42.480] That's the thing, right?
[03:42.480 --> 03:45.920] You can edit in terms of those entities, of those concepts,
[03:45.920 --> 03:49.720] bytes, bits, strings sometimes, sometimes numbers.
[03:49.720 --> 03:52.240] Then the editor is not so simple anymore, but you see.
[03:52.240 --> 03:55.400] But it's always, you know, like a fixed list of abstractions
[03:55.400 --> 03:56.360] that you can edit.
[03:56.360 --> 04:01.080] You manipulate your data using those abstractions, right?
[04:01.080 --> 04:02.560] And then they give you, you know,
[04:02.560 --> 04:06.560] byte dumps, the ASCII views, and they have fixed capabilities,
[04:06.560 --> 04:09.600] depending on how nice the particular editor is.
[04:09.600 --> 04:11.920] Some of them allow you to search for patterns,
[04:11.920 --> 04:15.440] others, you know, to search and replace,
[04:15.440 --> 04:17.640] to make byte diffs, right?
[04:17.640 --> 04:19.040] That kind of thing.
[04:19.040 --> 04:22.840] Measure entropy to search for frame buffers,
[04:22.840 --> 04:23.880] that kind of thing, right?
[04:23.880 --> 04:25.840] Simple binary editors, they are useful.
[04:28.520 --> 04:31.760] But then sometimes you have to edit,
[04:31.760 --> 04:34.520] or you want to edit your data in terms not just of bytes
[04:34.520 --> 04:37.880] or bits, but in terms of more abstract entities,
[04:37.880 --> 04:43.440] like MP3 headers, or ELF relocations,
[04:43.440 --> 04:46.400] or lists of numbers, or whatever.
[04:46.400 --> 04:50.320] And then for that, you have traditionally
[04:50.320 --> 04:53.520] specialized binary editors, which are editors,
[04:53.520 --> 04:57.320] like the two that you can see here,
[04:57.320 --> 05:00.360] that know about some particular format.
[05:00.360 --> 05:02.840] Like some of them, the one on the left knows about the ELF
[05:02.840 --> 05:06.440] format, so you can see a tree view, which is quite nice.
[05:06.440 --> 05:09.520] You know, with the different sections in the ELF.
[05:09.520 --> 05:13.840] And the one on the right, which is small, but it's nice,
[05:13.840 --> 05:17.280] is a very small MP3 editor to edit MP3 files.
[05:17.280 --> 05:19.360] Actually, the metadata associated with the MP3,
[05:19.360 --> 05:23.320] like the title of the song, the name of the singer,
[05:23.320 --> 05:25.240] or whatever, right?
[05:25.240 --> 05:27.920] Those specialized binary editors, they are nice too.
[05:27.920 --> 05:30.200] They are useful.
[05:30.200 --> 05:32.520] But they are not extensible, usually.
[05:32.520 --> 05:34.880] I mean, you cannot go and say, oh, well, you know,
[05:34.880 --> 05:38.640] I mean, in the ELF program here, you know,
[05:38.640 --> 05:41.480] you know that ELF sections can contain arbitrary data, right?
[05:41.480 --> 05:44.400] So you say, well, I want to use the same editor
[05:44.400 --> 05:47.040] to edit the contents of one of the ELF sections.
[05:47.040 --> 05:50.760] Usually, they don't let you do that.
[05:50.760 --> 05:52.320] So they are not extensible.
[05:52.320 --> 05:54.640] They also, they are not quite good at dealing
[05:54.640 --> 05:56.080] with incorrect data.
[05:56.080 --> 05:59.320] So if you get a corrupted ELF file,
[05:59.320 --> 06:03.840] or some MP3 file that has problems in it,
[06:03.840 --> 06:05.840] those editors probably are going to refuse
[06:05.840 --> 06:08.680] to actually open them, open those files.
[06:08.680 --> 06:10.240] And if they do, they are probably
[06:10.240 --> 06:12.760] going to show you garbage, right?
[06:12.760 --> 06:14.680] So they are not good at that.
[06:14.680 --> 06:18.680] And you know, it's the typical situation.
[06:18.680 --> 06:22.240] Exactly what you need is what they don't implement, right?
[06:22.240 --> 06:23.720] It's always like that.
[06:23.720 --> 06:27.160] So those are the specialized binary editors.
[06:27.160 --> 06:30.840] And then we have Kaitai Struct and friends,
[06:30.840 --> 06:34.080] which implement this paradigm of, as you know,
[06:34.080 --> 06:36.320] we got a nice presentation before.
[06:36.320 --> 06:39.920] First, you decode the data, like with one of the parsers
[06:39.920 --> 06:41.800] of Kaitai Struct, for example.
[06:41.800 --> 06:44.360] Then you do your computation with the data.
[06:44.360 --> 06:47.760] And then maybe you use an encoder, right,
[06:47.760 --> 06:49.960] to write back the modified data.
[06:49.960 --> 06:53.720] This is what I call decode, compute and encode.
[06:53.720 --> 06:56.720] Programs like these are also useful.
[06:56.720 --> 06:59.760] Those are extensible, like we have seen with Kaitai Struct.
[06:59.760 --> 07:03.800] You can define your own structures.
[07:03.800 --> 07:07.320] They use, usually, you know, some sort of declarative way
[07:07.320 --> 07:09.680] of describing the layout of those data structures.
[07:12.320 --> 07:15.320] They generate code in several target languages.
[07:15.320 --> 07:17.800] I don't know why Kaitai Struct does not generate C. I mean,
[07:17.800 --> 07:23.320] to me, I'm so puzzled about that, but OK.
[07:23.320 --> 07:25.080] Usually, those are non-interactive.
[07:25.080 --> 07:26.320] They are not interactive.
[07:26.320 --> 07:29.240] Like, you generate a parser that generates, you know,
[07:29.240 --> 07:31.760] that parser in some programming language that then you
[07:31.760 --> 07:35.480] incorporate in your program, and then you run, right?
[07:35.480 --> 07:38.240] Usually, they are not that good at dealing with incorrect data
[07:38.240 --> 07:40.960] either, right?
[07:40.960 --> 07:44.360] Because the parser that they generate expects correct data.
[07:44.360 --> 07:48.840] And they are either bit oriented, which is not common.
[07:48.840 --> 07:52.680] I don't know if Kaitai Struct can deal at the bit level.
[07:52.680 --> 07:53.720] Good.
[07:53.720 --> 07:55.320] Also, not aligned stuff.
[07:55.320 --> 08:01.600] Or byte oriented.
[08:01.600 --> 08:03.160] And often, there are no encoders.
[08:03.160 --> 08:06.640] I know that in Kaitai Struct now they are starting to add support
[08:06.640 --> 08:10.160] for actually writing data back to the file.
[08:10.160 --> 08:10.960] This is nice, too.
[08:13.640 --> 08:18.400] And then you have the poke approach, which is circular,
[08:18.400 --> 08:21.200] right?
[08:21.200 --> 08:23.480] What we wanted with this was the following.
[08:23.480 --> 08:28.640] We wanted the immediate aspect of the simple binary editors.
[08:28.640 --> 08:31.080] Like, OK, I go to this byte, and then I change it.
[08:31.080 --> 08:32.120] Now, you know?
[08:32.120 --> 08:34.880] I mean, now, change it immediately.
[08:34.880 --> 08:37.600] But also, we wanted the extensibility and the ability
[08:37.600 --> 08:39.520] of working with higher abstractions
[08:39.520 --> 08:41.720] like you have with the parser generators,
[08:41.720 --> 08:43.480] like Kaitai Struct, for example.
[08:43.480 --> 08:45.280] We wanted everything together.
[08:45.280 --> 08:50.000] And that is what poke is, in a few words.
[08:50.000 --> 08:53.640] Basically, you describe your data structures,
[08:53.640 --> 08:55.920] like in a struct type, for example,
[08:55.920 --> 08:58.040] and you can immediately poke at it.
[08:58.040 --> 09:01.360] You can immediately update it, edit it, write to it.
[09:01.360 --> 09:03.160] And if you are not satisfied with that,
[09:03.160 --> 09:05.680] you can, on the fly, using the same program in the prompt,
[09:05.680 --> 09:10.720] you can redefine your data structure and do it again.
[09:10.720 --> 09:13.880] This is good also for discovering the format of what
[09:13.880 --> 09:17.680] you are editing, like in reverse engineering and whatnot.
[09:17.680 --> 09:20.160] And when you are developing a new format,
[09:20.160 --> 09:21.960] you know, that kind of use case.
[09:21.960 --> 09:26.440] So it is interactive with the poke application.
[09:26.440 --> 09:28.800] It allows immediate editing.
[09:28.800 --> 09:31.080] It allows data integrity.
[09:31.080 --> 09:33.520] You can define your own complex structures,
[09:33.520 --> 09:35.760] quite complex ones.
[09:35.760 --> 09:39.520] And then it supports a very powerful and, to the point,
[09:39.520 --> 09:41.280] domain-specific language.
[09:41.280 --> 09:43.280] I'm a big fan of domain-specific languages
[09:43.280 --> 09:46.080] because we have the ability and the brains to actually,
[09:46.080 --> 09:47.880] you know, talk in several languages
[09:47.880 --> 09:50.200] and write in several programming languages.
[09:50.200 --> 09:52.880] And it is so great when a tool actually gives you,
[09:52.880 --> 09:54.640] you know, the way of expressing things
[09:54.640 --> 10:00.000] that is most suitable for the task at hand.
[10:00.000 --> 10:02.280] The DSL is called Poke as well, like the program,
[10:02.280 --> 10:04.960] but with a big P to distinguish the programming language
[10:04.960 --> 10:06.800] from the program itself.
[10:06.800 --> 10:10.480] It is interactive, statically typed, on purpose.
[10:10.480 --> 10:14.080] It is garbage collected.
[10:14.080 --> 10:16.600] It has some very interesting features, this programming
[10:16.600 --> 10:18.600] language, because it's designed to, you know,
[10:18.600 --> 10:20.360] to the point, to the task at hand.
[10:20.360 --> 10:22.640] So for example, it's not bit-oriented
[10:22.640 --> 10:24.360] and it's not byte-oriented.
[10:24.360 --> 10:27.720] It is unit-oriented.
[10:27.720 --> 10:31.000] So in Poke, when you start talking about offsets, sizes
[10:31.000 --> 10:34.040] in memory and so on, you don't talk in bytes or in bits.
[10:34.040 --> 10:37.960] You talk in terms of arbitrary units that you can define.
[10:37.960 --> 10:38.720] Right?
[10:38.720 --> 10:41.720] I'm sorry I cannot go into detail because this is,
[10:41.720 --> 10:44.920] you know, like a fast pitch, but you have all the information,
[10:44.920 --> 10:47.000] you know, on the internet and so on.
[10:47.000 --> 10:50.000] And also, it works in bit-addressable IO spaces.
[10:50.000 --> 10:53.320] It can work with incorrect data because you
[10:53.320 --> 10:55.840] can do non-strict mapping, saying, OK,
[10:55.840 --> 10:57.600] I want to disable the constraints,
[10:57.600 --> 11:00.520] the integrity constraints, so you can actually discover
[11:00.520 --> 11:02.680] the, you know, what you have in front of you
[11:02.680 --> 11:05.560] and adapt your own definitions to it and so on.
[11:05.560 --> 11:07.800] You can define several versions of the same structure
[11:07.800 --> 11:12.320] very easily to be more strict, less strict.
[11:12.320 --> 11:13.880] And it is extensible.
[11:13.880 --> 11:17.400] We will see that poke is not just a binary editor.
[11:17.400 --> 11:20.640] It is a full infrastructure to write binary utilities as well.
[11:20.640 --> 11:21.140] Right?
[11:24.920 --> 11:27.120] And then, similarly to what Kaitai Struct
[11:27.120 --> 11:28.600] is aspiring to do, for example, when
[11:28.600 --> 11:31.080] it comes to documenting formats, you
[11:31.080 --> 11:34.520] can use poke also to document formats and protocols
[11:34.520 --> 11:36.720] in a functional way, because your same documentation,
[11:36.720 --> 11:40.960] you can use it, you know, to actually operate with the data.
[11:40.960 --> 11:43.680] To do prototyping, to write binary utilities,
[11:43.680 --> 11:46.360] to implement filters, and so on.
[11:46.360 --> 11:49.000] And then, to integrate in other programs, which is very cool.
[11:49.000 --> 11:51.880] I will show you in five minutes one example with the debugger,
[11:51.880 --> 11:52.440] with GDB.
[11:55.800 --> 12:01.400] Now, poke operates in, it can operate on files, memory
[12:01.400 --> 12:05.920] buffers, you know, the memory of running processes.
[12:05.920 --> 12:09.760] There is a collection of IO devices, right,
[12:09.760 --> 12:12.000] which are what you are editing.
[12:12.000 --> 12:15.080] But what a poke program or what you have access to
[12:15.080 --> 12:18.520] from the command line is a bit-addressable IO space.
[12:18.520 --> 12:23.280] We call those IO spaces, in which you can actually map
[12:23.280 --> 12:26.080] or, you know, manipulate different kinds of entities,
[12:26.080 --> 12:29.000] which are integers and signed integers and strings, right,
[12:29.000 --> 12:30.000] from the Poke language.
[12:30.000 --> 12:36.000] OK.
[12:36.000 --> 12:38.000] We all know what bytes are, right?
[12:38.000 --> 12:39.760] You will be surprised, many people don't.
[12:39.760 --> 12:42.840] They are just little numbers in a certain range, right,
[12:42.840 --> 12:43.840] from 0 to 255.
[12:49.080 --> 12:50.400] So this is the way, you know, in Poke,
[12:50.400 --> 12:51.520] you have to refer to bytes.
[12:51.520 --> 12:53.560] But what I wanted to show you, because I think
[12:53.560 --> 12:57.720] it's the interesting part, is the way that you go,
[12:57.720 --> 13:00.400] that in poke you have, from going from bytes
[13:00.400 --> 13:03.560] to actually encoding integers, right?
[13:03.560 --> 13:06.760] So you see here, I don't know if you can see,
[13:06.760 --> 13:10.160] you see here the IOD bytes there, which is the underlying
[13:10.160 --> 13:12.880] device that you are editing, like the file, right?
[13:12.880 --> 13:15.360] And then it has bytes, which are little numbers, right,
[13:15.360 --> 13:18.400] from 0 to 255 in the range.
[13:18.400 --> 13:23.400] And then the IO space, which is on top of each byte of the bytes,
[13:23.400 --> 13:26.200] is the bit-addressable IO space that your poke programs
[13:26.200 --> 13:27.920] actually see.
[13:27.920 --> 13:30.440] But we all know that bits are actually
[13:30.440 --> 13:31.680] a very interesting thing.
[13:31.680 --> 13:35.560] Bits exist usually at the hardware level,
[13:35.560 --> 13:40.400] then they disappear until you recreate them virtually
[13:40.400 --> 13:43.160] on top of those byte numbers, right?
[13:43.160 --> 13:44.240] It's very interesting.
[13:44.240 --> 13:49.240] But so from poke what you see is the bits that are conceptually
[13:49.240 --> 13:51.040] on top of the bytes.
[13:51.040 --> 13:54.320] And that's the Poke type, for example.
[13:54.320 --> 13:57.880] This is a very, this is an unsigned 16-bit integer
[13:57.880 --> 14:02.040] mapped in the IO device at the first byte.
[14:02.040 --> 14:05.680] But this is a boring example, it gets even more interesting.
[14:05.680 --> 14:09.520] Like what we call wired integers, weird integers, right?
[14:09.520 --> 14:12.840] So for example, in poke you can operate with 12-bit
[14:12.840 --> 14:15.080] unsigned integers, as naturally as you
[14:15.080 --> 14:17.800] would do with a 32-bit unsigned integer.
[14:17.800 --> 14:23.280] This is quite cool actually, and useful, believe it or not.
[14:23.280 --> 14:27.000] Then we have some conventions to refer to the bits and everything.
[14:27.000 --> 14:31.840] But this integer actually occupies one full byte
[14:31.840 --> 14:33.200] and then half of the next one.
[14:37.480 --> 14:41.640] But also you can go to less than one byte, right?
[14:41.640 --> 14:42.720] Like in this case.
[14:42.720 --> 14:45.400] So you can actually operate with an unsigned integer of five
[14:45.400 --> 14:51.160] bits, and then it doesn't fill a complete byte.
[14:51.160 --> 14:54.800] Obviously, since everything that there is in a computer is actually
[14:54.800 --> 14:57.880] bytes, at the driver level, hardware level, you know,
[14:57.880 --> 15:01.640] and everywhere, this is an artifact.
[15:01.640 --> 15:03.920] But it's a useful one.
[15:03.920 --> 15:10.720] And poke also has full support for unaligned stuff too, right?
[15:10.720 --> 15:13.840] So you can work with actually a 16-bit unsigned integer,
[15:13.840 --> 15:16.640] shifted two bits in the IO space.
[15:16.640 --> 15:20.120] Can Kaitai Struct do that?
[15:20.120 --> 15:22.000] Yes, we will have to see.
[15:26.480 --> 15:29.680] So yeah, so you could also skew your file just by shifting
[15:29.680 --> 15:32.440] that three bits to the right, for example.
[15:32.440 --> 15:33.120] Why not?
[15:33.120 --> 15:33.720] Maybe fun.
[15:36.600 --> 15:40.080] I included this here not to impress the cat.
[15:40.080 --> 15:42.360] But to give you an impression, you know, the impression that
[15:42.360 --> 15:45.080] actually poke is a serious program.
[15:45.080 --> 15:48.480] I mean, it's not just a stupid program that is poking at bytes
[15:48.480 --> 15:49.600] here and there.
[15:49.600 --> 15:51.760] We actually take it very seriously.
[15:51.760 --> 15:53.720] And you can do this kind of stuff.
[15:53.720 --> 15:56.800] And believe it or not, people need this kind of stuff.
[15:56.800 --> 16:00.320] The other day on the IRC, we met the Multicians, which is a
[16:00.320 --> 16:03.640] community of people who are dealing with Multics.
[16:03.640 --> 16:06.600] And you will not believe what they need.
[16:06.600 --> 16:09.320] Really, right?
[16:09.320 --> 16:12.880] Like nine-bit bytes, you know, it's unbelievable.
[16:12.880 --> 16:16.160] And we are struggling to actually give those people what
[16:16.160 --> 16:18.480] they need, because they have rights too.
[16:18.480 --> 16:20.360] The Multics people have rights too.
[16:22.960 --> 16:28.400] Anyway, so the poke sphere, poke is growing and growing.
[16:28.400 --> 16:30.200] This started out simple.
[16:30.200 --> 16:34.760] It was always a little bit special, but a little program.
[16:34.760 --> 16:37.080] But it's getting out of hand at the moment.
[16:37.080 --> 16:40.760] And in the sense that we have libpoke, which is a
[16:40.760 --> 16:42.360] shared object.
[16:42.360 --> 16:46.160] Obviously, first I made it in a program, but then Dodji, in one
[16:46.160 --> 16:49.160] call, called me an asshole, put it in a library.
[16:49.160 --> 16:50.440] So I did.
[16:50.440 --> 16:54.560] And then libpoke is a shared object that has the Poke
[16:54.560 --> 16:57.880] incremental compiler, the IO space support, and everything.
[16:57.880 --> 17:00.840] We will see now with GDB an example of how you can actually
[17:00.840 --> 17:03.480] make use of it in your own programs.
[17:03.480 --> 17:08.080] Then poke is the command line application, which uses
[17:08.080 --> 17:08.760] libpoke.
[17:08.760 --> 17:11.920] But it's just a program, a very small program, with a
[17:11.920 --> 17:13.280] prompt.
[17:13.280 --> 17:21.960] Like .file /bin/ls, load elf, you can dump bytes, right?
[17:21.960 --> 17:23.000] Oh, sorry, here.
[17:23.000 --> 17:34.840] And var elf = Elf64_File @ 0#B, stuff like this.
[17:34.840 --> 17:35.920] The command line application.
[17:35.920 --> 17:39.520] But all of the logic is actually in the shared object.
[17:39.520 --> 17:42.640] Then you have other applications like GDB, which
[17:42.640 --> 17:43.600] is not upstream yet.
[17:43.600 --> 17:45.640] It's in a branch upstream, but not in master.
[17:45.640 --> 17:48.760] But they can actually use libpoke to give you poke
[17:48.760 --> 17:49.400] capabilities.
[17:49.400 --> 17:53.600] I will show you now in a two-minute little demo.
[17:53.600 --> 17:57.000] There is a poke daemon too that Mohammad will talk about.
[17:57.000 --> 17:58.760] They have 10 minutes.
[17:58.760 --> 18:02.600] Utilities, the pickles, which are the Poke programs that
[18:02.600 --> 18:05.840] give you the support for some particular format or for
[18:05.840 --> 18:08.080] a particular domain.
[18:08.080 --> 18:10.720] Then there is an Emacs interface, of course.
[18:10.720 --> 18:13.760] Then there is an Emacs mode for the Poke language, a vim one,
[18:13.760 --> 18:19.080] for unholy people, for editing the Poke code in vim, in
[18:19.080 --> 18:23.120] vi, and something called pokelets, and so on, and so
[18:23.120 --> 18:24.240] on, and so on.
[18:24.240 --> 18:27.080] So it's getting fun.
[18:27.080 --> 18:28.320] And then the integration.
[18:28.320 --> 18:30.600] I'm very like this.
[18:36.320 --> 18:38.640] You know, there is one problem when people write a
[18:38.640 --> 18:42.600] program, they want it to do everything very well.
[18:42.600 --> 18:44.120] And that does not work.
[18:44.120 --> 18:46.960] So for example, in poke, we have some support for editing
[18:46.960 --> 18:48.520] the memory of running processes.
[18:48.520 --> 18:49.720] We do.
[18:49.720 --> 18:51.160] We do.
[18:51.160 --> 18:53.720] Well, I could show you, but I don't have time for that.
[18:53.720 --> 18:56.840] Because we have an IOD, which is, you can specify the process
[18:56.840 --> 19:00.200] ID of a process, and then you can edit the running memory of,
[19:00.200 --> 19:02.240] the memory of the running process.
[19:02.240 --> 19:04.400] But poke is not a debugger.
[19:04.400 --> 19:05.400] It's not.
[19:05.400 --> 19:08.400] I mean, there is a DWARF pickle, but you
[19:08.400 --> 19:10.320] know, not to the same extent as a debugger.
[19:10.320 --> 19:12.240] You cannot set breakpoints.
[19:12.240 --> 19:17.080] It cannot use ptrace to command a process.
[19:17.080 --> 19:18.960] But GDB is a debugger.
[19:18.960 --> 19:22.600] So GDB is good at debugging, at running processes, and so on.
[19:22.600 --> 19:25.720] And poke is good at poking the data.
[19:25.720 --> 19:27.840] So let's put them together.
[19:27.840 --> 19:30.120] So then the combination is good at both.
[19:30.120 --> 19:35.720] And this can be achieved by using libpoke.
[19:35.720 --> 19:39.480] So I can show you very fast.
[19:39.480 --> 19:42.840] So I have this C file.
[19:42.840 --> 19:44.080] You see the C file?
[19:44.080 --> 19:47.080] I have a C struct with an int.
[19:47.080 --> 19:49.360] Can you see it properly there?
[19:49.360 --> 19:51.360] Yes?
[19:51.360 --> 19:52.760] Which one?
[19:52.760 --> 19:55.640] Which one?
[19:55.640 --> 19:58.840] No, I'm not going to address this.
[19:58.840 --> 19:59.760] Trust me.
[19:59.760 --> 20:01.200] OK.
[20:01.200 --> 20:03.640] So there is this struct type, and then there is this
[20:03.640 --> 20:06.920] buffer, there is this db global variable here, and so on,
[20:06.920 --> 20:07.840] and so on, right?
[20:07.840 --> 20:10.360] And an int main, int main.
[20:10.360 --> 20:18.560] So then I compile that into an a.out, and then I do home.
[20:18.560 --> 20:26.320] This is the poke-capable GDB, a.out, break main, run.
[20:26.320 --> 20:28.680] Now I am in main, right here.
[20:28.680 --> 20:32.640] And then I can use GDB to look at the database here.
[20:32.640 --> 20:35.600] You know, this db global variable, and so on.
[20:35.600 --> 20:38.760] Now this GDB is extended with poke.
[20:38.760 --> 20:41.560] So you have a poke command where you can execute any Poke
[20:41.560 --> 20:44.280] code, like this, like 2 plus 2 equals 4.
[20:44.280 --> 20:46.360] Brilliant.
[20:46.360 --> 20:51.000] But here you can do anything that you can do with poke.
[20:51.000 --> 20:55.080] So for example, you could say, and poke, in this case, it
[20:55.080 --> 20:58.200] has access to the memory of the inferior that you are debugging
[20:58.200 --> 20:59.720] with GDB.
[20:59.720 --> 21:02.840] So even if it's multi-process or multi-thread, you
[21:02.840 --> 21:05.120] switch in GDB, and then poke has access to the memory of
[21:05.120 --> 21:06.320] the inferior, right?
[21:06.320 --> 21:13.040] So what kind of things can you do?
[21:13.040 --> 21:14.240] Well, anything.
[21:14.240 --> 21:19.480] I mean, what is the address in GDB of this global variable
[21:19.480 --> 21:20.280] here?
[21:20.280 --> 21:22.200] Sorry.
[21:22.200 --> 21:23.680] That is the address, right?
[21:23.680 --> 21:26.800] So with poke, you could access that address.
[21:26.800 --> 21:31.520] But you have a command which is poke at types, right?
[21:31.520 --> 21:36.120] Which is, you are telling GDB to make poke aware of all the
[21:36.120 --> 21:40.360] types known to GDB at this point in time, right?
[21:40.360 --> 21:43.440] So the type char, the char type, int, the struct
[21:43.440 --> 21:50.240] prop that we saw before, and then this is translated into Poke
[21:50.240 --> 21:53.400] type definitions for the equivalent GDB types.
[21:53.400 --> 21:56.040] This means that you can go from BTF, from CTF, from
[21:56.040 --> 21:58.720] DWARF, from any debugging format that GDB understands to
[21:58.720 --> 22:02.360] Poke types, when you are using GDB in this way.
[22:02.360 --> 22:07.920] Now, poke now has access to the memory of the inferior.
[22:07.920 --> 22:11.840] So we could do, for example, these, and those are Poke
[22:11.840 --> 22:13.000] expressions, right?
[22:13.000 --> 22:16.480] struct prop at where?
[22:16.480 --> 22:19.120] And you can use something we call alien tokens, which is
[22:19.120 --> 22:23.320] the address of the GDB symbol db, which is the variable,
[22:23.320 --> 22:24.320] right?
[22:24.320 --> 22:26.120] And this is the Poke struct.
[22:26.120 --> 22:28.400] This is not a GDB value.
[22:28.400 --> 22:33.800] This is a Poke struct, which is poking at inferior memory.
[22:33.800 --> 22:35.000] And you, of course, can write.
[22:35.000 --> 22:36.640] You can do whatever you want.
[22:36.640 --> 22:38.200] You can load pickles.
[22:38.200 --> 22:40.000] What is this useful for?
[22:40.000 --> 22:43.040] Well, imagine you are debugging a program that is some
[22:43.040 --> 22:45.440] sort of router for TCP.
[22:45.440 --> 22:48.000] So the program itself, you know, you have TCP packets and
[22:48.000 --> 22:49.240] some buffers in the program.
[22:49.240 --> 22:51.520] But the program itself doesn't need to understand the
[22:51.520 --> 22:54.440] payload of what it is transporting.
[22:54.440 --> 22:56.840] But imagine that you want to take a look at what is going
[22:56.840 --> 22:58.800] on there, right?
[22:58.800 --> 23:01.440] So then, you don't have the DWARF definitions of the
[23:01.440 --> 23:05.160] structures that are in the buffer, in the payload.
[23:05.160 --> 23:07.080] But with poke, you just load your pickle or you
[23:07.080 --> 23:10.680] write your own, and you can poke at it from GDB in the
[23:10.680 --> 23:14.240] buffer of the running process, for example, right?
[23:14.240 --> 23:16.160] So this is one example of application.
[23:16.160 --> 23:20.560] This is 400 lines of C, the integration, using libpoke.
[23:20.560 --> 23:22.840] It's very nice, and, you know, it's easy.
[23:22.840 --> 23:25.600] Another example, which is work in progress, and I can't
[23:25.600 --> 23:29.200] wait to get this finished, is basically to add to the
[23:29.200 --> 23:32.440] assembler a .poke directive.
[23:32.440 --> 23:38.560] Because you know those .word, .byte, and so on directives in
[23:38.560 --> 23:39.800] the assembler?
[23:39.800 --> 23:42.160] They are not portable.
[23:42.160 --> 23:45.920] And this is a very, very, very, very, very, very, very
[23:45.920 --> 23:47.160] pain in the ass.
[23:47.160 --> 23:49.760] Because when you have to, actually, for example, test
[23:49.760 --> 23:53.320] DWARF, for tests, you know, that kind of thing, then they
[23:53.320 --> 23:54.880] are not portable.
[23:54.880 --> 23:58.520] I know it's amazing, but they are not portable.
[23:58.520 --> 24:00.720] So see, for example, that.
[24:00.720 --> 24:03.360] This is a real example of something I found.
[24:03.360 --> 24:09.480] I will not tell where, of some people who are actually
[24:09.480 --> 24:13.800] embedding some sort of executables inside other
[24:13.800 --> 24:15.120] sections of some of the stuff.
[24:15.120 --> 24:19.240] This is Sony Computer, this is video games, you know, kids.
[24:19.240 --> 24:20.920] They do these kind of things. [24:20.920 --> 24:28.520] And that is a struct in theory of what, of some header, right, [24:28.520 --> 24:30.680] for the PlayStation or whatever. [24:30.680 --> 24:33.360] Well, compare. [24:33.360 --> 24:34.400] You see? [24:34.400 --> 24:38.600] So once we have the integration in the assembler, then you [24:38.600 --> 24:41.960] will be able to load the PSXX pickle. [24:41.960 --> 24:44.920] It will be a small one where you define the structure of [24:44.920 --> 24:48.840] the PSXX executable, and then you could poke at assembly [24:48.840 --> 24:50.560] time, you know, like that, too. [24:50.560 --> 24:54.080] And accessing gas assembler symbols, you know, using [24:54.080 --> 24:57.920] alien tokens, like we saw you could do with gdb as well. [24:57.920 --> 24:59.960] So this is another example of integration. [25:03.520 --> 25:04.240] Yeah. [25:04.240 --> 25:06.440] So and we are on these kind of things now. [25:06.440 --> 25:10.280] We are looking into parasitizing other programs, you know, [25:10.280 --> 25:13.360] and incorporating live poking in them. [25:13.360 --> 25:17.760] So they do all the boring work, and we do the fun one. [25:17.760 --> 25:20.360] OK. [25:20.360 --> 25:22.800] So what's the current status of the program? [25:22.800 --> 25:28.760] We just released poke 3.0 a few days ago. [25:28.760 --> 25:32.520] Up to now, we were doing one major release every year. [25:32.520 --> 25:36.640] And we had a maintenance branch. [25:36.640 --> 25:38.480] But people are not happy. [25:38.480 --> 25:39.320] Why? [25:39.320 --> 25:45.120] Because it was too long, and the difference between poke 2 [25:45.120 --> 25:48.120] and poke 3, it was too big, it was too much. [25:48.120 --> 25:52.240] And actually, we released poke 2.0, for example, and in [25:52.240 --> 25:54.560] two weeks, we had forgotten about it already. 
[25:54.560 --> 25:58.000] Because we are so happy, you know, and so excited with the [25:58.000 --> 25:59.120] main branch. [25:59.120 --> 26:02.560] So now we are committing to release two big, major [26:02.560 --> 26:04.080] releases every year. [26:04.080 --> 26:05.720] Let's see if we can actually do that. [26:05.720 --> 26:14.640] So the development, we are old GNU people, right? [26:14.640 --> 26:18.360] So we don't use GitHub or anything like that. [26:18.360 --> 26:21.720] So we use a mailing list, and you send your patch to the [26:21.720 --> 26:26.320] mailing list in unified format, and so on, and so on, right? [26:26.320 --> 26:29.840] And well, that is the website of the project. [26:29.840 --> 26:32.400] We have a Git repository, obviously. [26:32.400 --> 26:34.880] We have a mailing list, a development mailing list. [26:34.880 --> 26:39.040] We have a very nice build box at Sourceware. [26:39.040 --> 26:42.800] Thank you very much to the Sourceware overseers. [26:42.800 --> 26:45.080] They are doing a great job maintaining the [26:45.080 --> 26:48.040] infrastructure of many GNU programs, including poke and [26:48.040 --> 26:50.920] also the toolchain, GCC and glibc, and so on, for many [26:50.920 --> 26:51.960] years. [26:51.960 --> 26:56.480] And also, we have a pipeline hosted at GitLab that Bruno [26:56.480 --> 27:00.280] Haible maintains, and I have no idea how it works. [27:00.280 --> 27:02.600] It's not clear to me what even a pipeline is in that [27:02.600 --> 27:03.920] context, but it's green. [27:03.920 --> 27:05.360] So I guess it's good. [27:08.160 --> 27:11.800] We have a community website. [27:11.800 --> 27:15.840] It's called Pokology, and we try to get practical [27:15.840 --> 27:19.280] information there, like how can you write your pickles, and [27:19.280 --> 27:20.160] so on. 
[27:20.160 --> 27:26.720] And also, I have a blog in my website where I sometimes [27:26.720 --> 27:30.840] publish small articles with practical stuff. [27:30.840 --> 27:34.240] So how can you do, for example, implementing Spark stables [27:34.240 --> 27:38.480] using poke, or accessing them stuff? [27:38.480 --> 27:43.560] We want to be friendly to users. [27:43.560 --> 27:48.640] And now, starting now, in poke, we had in the poke [27:48.640 --> 27:55.360] source distribution, GNU poke, we had a pickles [27:55.360 --> 27:59.960] directory with a lot of pickles. [27:59.960 --> 28:07.680] Like for PE, for ELF, for DWARF, for BTF, for this, for that. [28:07.680 --> 28:13.440] Some instruction sets, RISC-V, BPF, but this is getting [28:13.440 --> 28:14.480] crowded. [28:14.480 --> 28:18.200] And actually, some pickles are big and complex enough to [28:18.200 --> 28:22.800] actually need their own releases, so you can have [28:22.800 --> 28:24.880] several versions that work with the same version of poke. [28:24.880 --> 28:28.800] So we are basically putting some of the pickles in [28:28.800 --> 28:30.920] separate packages. [28:30.920 --> 28:32.960] And that's the case of the ELF pickle and the [28:32.960 --> 28:34.360] DWARF pickle. [28:34.360 --> 28:37.920] So for example, the ELF pickles, now they are distributed [28:37.920 --> 28:40.400] separately, we have not made the first release yet, but [28:40.400 --> 28:42.960] they are in the Git repository. [28:42.960 --> 28:45.720] They have their own manual, and so on. [28:45.720 --> 28:48.360] And the DWARF pickles, as well. [28:48.360 --> 28:50.080] Those are the first ones. [28:50.080 --> 28:54.000] We want to get the peak of support, because it's a huge [28:54.000 --> 28:55.400] fat monster, that one. [28:55.400 --> 29:00.160] We want to put it also in its own package. 
[29:00.160 --> 29:03.800] And also, with nice manuals, I have to show you this, [29:03.800 --> 29:07.520] because it is such a pain to do it that you [29:07.520 --> 29:10.080] have to brag about it. [29:10.080 --> 29:14.360] This is the poke manual, the new poke manual. [29:14.360 --> 29:17.760] And then, when you install the pickles packages, like poke-dwarf [29:17.760 --> 29:22.880] and poke-elf, and here, you have a nicely [29:22.880 --> 29:28.760] documented, you know, the pickles and everything. [29:28.760 --> 29:32.400] And the source distribution, sorry? [29:32.400 --> 29:35.440] Use man pages, not the menu. [29:35.440 --> 29:37.960] Well, well. [29:37.960 --> 29:39.560] Oh, well. [29:39.560 --> 29:43.080] We are generating man pages from the info. [29:48.520 --> 29:51.520] Then, actually, the idea is to use the ELF pickle, because [29:51.520 --> 29:55.080] we are new at writing pickles, because poke is sort of new. [29:55.080 --> 30:02.720] So we are trying to discover our way forward, but the poke [30:02.720 --> 30:07.320] ELF pickles is sort of the canonical example. [30:07.320 --> 30:09.400] We are using it that way. [30:09.400 --> 30:11.040] We are writing it very carefully. [30:11.040 --> 30:13.680] So if you want to write a complex pickle, you can look at [30:13.680 --> 30:17.600] it, but, well. [30:17.600 --> 30:22.200] And this is it. [30:22.200 --> 30:24.680] I am so sorry that I could not give you, you know, an [30:24.680 --> 30:28.840] actual taste of how this program is. [30:28.840 --> 30:30.200] But there is no time for that. [30:30.200 --> 30:32.720] And there are other videos on the internet that we have [30:32.720 --> 30:34.480] done already. [30:34.480 --> 30:39.080] But, and then, if you want to join the development, please [30:39.080 --> 30:40.440] read the HACKING file. [30:40.440 --> 30:42.000] Because we took the effort of writing it. [30:42.000 --> 30:42.880] It's huge. [30:42.880 --> 30:44.760] It has a lot of good information. 
[30:44.760 --> 30:49.480] And absolutely, no one reads it. [30:49.480 --> 30:51.080] So thank you very much. [30:51.080 --> 31:18.080] Thanks.