Program

This year's edition of GreHack will be held over two days:

Schedule

| UTC+01:00 | Friday November 18th | Who |
| --- | --- | --- |
| 9:00am | Custom php Introspection applied to 0-Day Research | Louka JACQUES-CHEVALLIER and Maxime Coutant |
| 9:45am | Generic remote exploit techniques for the PHP allocator, and 0days | Charles Fol |
| 10:30am | Break | - |
| 11:00am | WHID Elite II - Keystroke injection over GPRS | Cyprien de la Vergne de Cerval |
| 11:30am | Reverse Engineering of advanced RISC-V MCU with USB3 & High Speed peripherals | Benjamin Vernoux |
| 12:00am | Lunch break | - |
| 2:00pm | Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew | James Niven and Lindsay Kaye |
| 2:30pm | Quokka: A Fast and Accurate Binary Exporter | Alexis Challande, Robin David and Guénaël Renault |
| 3:00pm | Break | - |
| 3:30pm | Online voting system used for primary elections for the French Presidential, must be secure, right? | Emmanuel Leblond |
| 4:00pm | Rump session | - |
| 5:00pm | Workshops | - |
| 8:00pm | Chiptune party | - |

| UTC+01:00 | Saturday November 19th |
| --- | --- |
| 10:00am | CTF start |
| 6:00pm | CTF end |

Details

Custom php Introspection applied to 0-Day Research

- by Louka Jacques-Chevallier @TheLaluka and Maxime Coutant

Php-internalog is the 5th iteration of a new approach for php introspection applied to 0day research. During this talk, the 5 iterations will be introduced with their pros & cons and, in the end, why there is yet another approach that seems to be better in pretty much every aspect. Long story short, today we break PHP apps!

Hey, Laluka here! You might have already heard of me for web exploitation research, frameworks like Guacamole, Spip, and Jolokia; tools like "bypass-url-parser", or during talks... Maybe "1001 RCE"? :D Anyway, just a simple man that likes exploiting weird web issues and chaining tons of small bugs to make cool exploit chains, sharing knowledge & making friends on the way!

Generic remote exploit techniques for the PHP allocator, and 0days

- by Charles Fol @cfreal_

Although PHP has always been deemed insecure, finding and remotely exploiting binary bugs in its core is not a well documented subject. Through this talk, I will aim to (partially, at least) solve this problem, by describing the internals of the PHP allocator and unraveling reusable, generic exploitation techniques for PHP’s heap. I’ll illustrate these techniques through the exploitation of a remote code execution 0-day targeting PHP.

Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMS and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog’s Sqreen, Watchguard). He is the creator of PHPGGC, the go-to tool to exploit PHP deserialization.

WHID Elite II - Keystroke injection over GPRS

- by Cyprien de la Vergne de Cerval

The WHID Elite is an open-source keystroke injection and air gap crossing device made by the WHID team. This device, which can be hidden in any USB peripheral, emulates a keyboard on the air-gapped computer and then uses SMS to inject commands and export outputs to the attacker. From this basis, we will speak about new firmwares that were developed for the WHID to enable TCP over a cellular connection (GPRS) and write payloads to an air-gapped computer. A first firmware was developed to transmit a reverse shell through the GPRS connection of the WHID. A second firmware aimed for more flexibility and was designed to configure the WHID to write the payload and then only act as a serial-to-TCP tunnel. A proxy which redirects localhost TCP connections to the WHID device via serial was developed in this firmware. This combination allows the usage of regular payloads on air-gapped computers which are completely isolated from any network and don’t have any networking interface.

Cyprien de Cerval is a member of the French Institute for Radiation Protection and Nuclear Safety's Cybersecurity and Protection System Research Office (BCyP). He works on the security of connected devices, air gap crossing and the security of the CAN bus. With a background in electronics, he continues his studies at CentraleSupelec engineering school in networking and cybersecurity.

Reverse Engineering of advanced RISC-V MCU with USB3 & High Speed peripherals

- by Benjamin Vernoux @bvernoux

The talk will present all aspects of Reverse Engineering of the RISC-V MCU WCH CH569 and will include the following parts:

- Design of schematic / PCB of the WCH CH569 chipset with KiCad v6
- Challenges related to routing High Speed SerDes, USB2 HS & USB3 SS 5Gbps...
- Reverse Engineering and Open Source related to WCH CH569 peripherals...
- Creation of fully open source (blob free) Firmware & Host Tools...

- Creator of AirSpy R0-R2/Mini (HW / FW / HostTools) (https://github.com/airspy)
- Creator of HydraBus v1 / HydraNFC v1&v2… (https://github.com/hydrabus)
- Creator of HydraUSB3 v1 (https://github.com/hydrausb3)

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

- by James Niven @stuffedinlocker and Lindsay Kaye @TheQueenofELF

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as interview the ransomware operators themselves. We will take you through our discovery of the BlackMatter ransomware group, provide a technical deep dive on the ransomware itself and talk about how the group evolved into ALPHV ransomware. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.

Lindsay Kaye is the Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance (ARMOR) for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

James Niven is a Principal Threat Researcher at Recorded Future focused on Russian ransomware. Previously, James was a Red Teamer and now uses his knowledge and skills to develop defensive approaches to detecting malicious behavior employed by threat actors.

Quokka: A Fast and Accurate Binary Exporter

- by Alexis Challande @DarkaMaul, Robin David @RobinDavid1 and Guénaël Renault

Disassembling is the backbone of multiple workflows in binary analysis and is offloaded to specialized tools. However, programmatically manipulating the disassembler’s results is cumbersome. In this talk, we present [Quokka](https://github.com/quarkslab/quokka), a binary exporter helping to reuse the disassembler results in an offline context. We then discuss some of its functionalities and provide some examples to demonstrate its potential.

Alexis Challande (@DarkaMaul) is a Software Security Researcher at Quarkslab in the Automated Analysis team. He loves to create tools solving annoying and repetitive problems, mostly around binary code representation. He is also a trainer at university, where he shares his knowledge about reverse engineering.

Robin is a software security researcher working at Quarkslab. He is leading the automated analysis team that works on various tools to improve reverse engineering and vulnerability research capabilities.

Online voting system used for primary elections for the French Presidential, must be secure, right?

- by Emmanuel Leblond @touilleMan

Since its inception, online voting has been an appealing but controversial technology. Indeed, what seems like a modern way of making voting cheaper and more convenient is often considered by activists and researchers as a Pandora's box unleashing never-ending privacy and authenticity concerns. However, with Covid-19 shrinking our public interactions, many have considered that the benefits outweigh the theoretical issues, and online voting has skyrocketed like never before... The Neovote voting system has been massively used in France: tens of universities, hundreds of private companies and, more importantly, it was chosen to organise 3 of the 5 main primary elections for the French Presidential election of 2022 (Primaires de l'Écologie, Les Républicains and Primaire Populaire). Neovote claims to have the highest possible level of security, the voter even being able to access the final ballot box to do the recount by himself and ensure his own vote has been taken into account! So challenge accepted, this talk will walk you through the Neovote voting system to understand why their claims are "slightly" exaggerated 😉

Emmanuel Leblond is the CTO of Scille, a software vendor developing Parsec (parsec.cloud): an open-source zero-trust data sharing solution with full end-to-end encryption and ANSSI CSPN. As a hobby he is also a long-time core contributor to the Godot game engine and involved in the Python community.