BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//V3THYR
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-V3THYR@cfp.recon.cx
DTSTART;TZID=EST:20260620T110000
DTEND;TZID=EST:20260620T120000
DESCRIPTION:Prism is Microsoft's binary translator on Windows on ARM\, JIT-
 compiling x86 and x64 to ARM64 at runtime. Five binaries\, ~11K functions\
 , no symbols. We reversed the full JIT pipeline\, the CHPE/ARM64X hybrid l
 oading mechanism\, and the undocumented `.jc` translation cache format. Al
 ong the way we found that the x64se variant runs CRC32C integrity verifica
 tion on translated code while x86 does not. The cache has no integrity che
 cks on x86 translations: four structural checks\, then arbitrary ARM64 exe
 cutes verbatim. We release `prism-cache-parser` and demonstrate cache pois
 oning on Snapdragon X: drop a crafted `.jc` file\, hijack translations for
  any DLL\, survive reboots\, invisible to every default detection layer.
DTSTAMP:20260612T170857Z
LOCATION:Grand Salon Opera
SUMMARY:Prism Internals: Reversing Microsoft's x86-to-ARM64 Binary Translat
 or - Hugo
URL:https://cfp.recon.cx/recon-2026/talk/V3THYR/
END:VEVENT
END:VCALENDAR