analyse and binary transformation
play

Analyse and binary transformation Guillaume Bouffard Analyse and - PowerPoint PPT Presentation

Nov 03, 2022 •376 likes •779 views

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

  1. Analyse and binary transformation Guillaume Bouffard

  2. Analyse and binary transformation Guillaume Bouffard

  3. Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19 Limoges, September 8, 2010

  4. Outline Introduction 1 Technicolor My Internship Profiling step 2 3 Translation step 4 Binary Modification 5 Proof Of Concept Conclusion 6

  5. Technicolor Security and Content Protection Labs Technicolor Creating, managing and delivering video For the Communication, Media and Entertainment industries. Their works Cryptography Signal processing for security Content protection (DRM) Network security Tamper resistance 3 / 19 Limoges, September 8, 2010

  6. Context The Internship Context Illegal software duplication and intellectual property theft Software protection VS hardware protection Hardware protection? 4 / 19 Limoges, September 8, 2010

  7. Subject Binary executable without source code Search sensitive part of the binary application in a generic way Extract the sensitive piece of code Insert instructions to Translate the sensitive piece of code communicate to a dongle Protect the piece Modify binary ex- of code in a dongle ecutable without sensitive part 5 / 19 Limoges, September 8, 2010

  8. Motivation What was my motivation? A blend of compilation and smart card problems Discover the computer science underground Think on a research subject 6 / 19 Limoges, September 8, 2010

  9. Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6

  10. Application Profiling What do you want to find? Each executed binary piece of code Found the sensitive parts What can tools do that? OProfile Valgrind 7 / 19 Limoges, September 8, 2010

  11. Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6

  12. Translation step The Goal Protect the sensitive pieces of code in a dongle These pieces of code are executed by the dongle = > A solution: UQBT 8 / 19 Limoges, September 8, 2010

  13. Outline Introduction 1 Profiling step 2 3 Translation step 4 Binary Modification ELF Format Diablo Samples Proof Of Concept 5 Conclusion 6

  14. Executable and Linkable Format ELF header Executable and Program header table Linkable Format { Used by Unices & .text GNU/Linux Each section are .rodata linked { ... .data How can I modify this file format? Section header table 9 / 19 Limoges, September 8, 2010

  15. Executable and Linkable Format ELF header Executable and Program header table Linkable Format { Used by Unices & .text GNU/Linux Each section are .rodata linked { ... .data How can I modify this file format? Section header table 9 / 19 Limoges, September 8, 2010

  16. Diablo Linked program Map file (.map) Object files (.o) Parser Disassemble Assemble Modified binary Flowgraph Disflowgraph Some modifications 10 / 19 Limoges, September 8, 2010

  17. Brief overview of assembler #include <stdio.h> ... int main ( void ) { some value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  18. Brief overview of assembler #include <stdio.h> ... int main ( void ) { some value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  19. Brief overview of assembler #include <stdio.h> ... int main ( void ) { 0x8096188 (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  20. Brief overview of assembler #include <stdio.h> ... int main ( void ) { 0x8096188 (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  21. Brief overview of assembler #include <stdio.h> ... int main ( void ) { printf return value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  22. Brief overview of assembler #include <stdio.h> ... int main ( void ) { printf return value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) some value ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  23. Brief overview of assembler #include <stdio.h> ... int main ( void ) { printf return value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) 0x00 ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  24. Brief overview of assembler #include <stdio.h> ... int main ( void ) { printf return value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) 0x00 ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  25. Brief overview of assembler #include <stdio.h> ... int main ( void ) { printf return value (%esp) ⇒ printf("hello world\n"); ⇒ return EXIT_SUCCESS ; (%eax) 0x00 ⇒ } ... <main >: ⇒ mov DWORD PTR [esp],0 x8096188 ⇒ call $ ./hello_world 80486 c0 <_IO_printf > ⇒ mov eax ,0x0 hello world ⇒ leave ⇒ ret 11 / 19 Limoges, September 8, 2010

  26. Hello World HELL int MyFunction (char *msg) bbl at 0x80481f0 (in main at 0x80481f0) { ... FILE * file = fopen 0x8048200 : movl DWORD PTR [%esp],0x8096188 ( "output" , "w" ); 0x8048207 : call 80486c0 fprintf(file,msg); fclose(file); return EXIT_SUCCESS; } _IO_printf (0x80486c0) bbl at 0x804820c (in main at 0x80481f0) 0x804820c : movl %eax,0x0 MyFunction.o 0x8048211 : leave 0x8048212 : ret EXIT HELL 12 / 19 Limoges, September 8, 2010

  27. Hello World HELL <MyFunction>: bbl at 0x80481f0 (in main at 0x80481f0) mov DWORD PTR [esp+4],0x0 ... mov DWORD PTR [esp],0x0 0x8048200 : movl DWORD PTR [%esp],0x8096188 call 16 <MyFunction+0x16> 0x8048207 : call 80486c0 mov DWORD PTR [ebp-4],eax mov eax,DWORD PTR [ebp+8] mov DWORD PTR [esp+4],eax mov eax,DWORD PTR [ebp-4] _IO_printf (0x80486c0) mov DWORD PTR [esp],eax call 2b <MyFunction+0x2b> mov eax,DWORD PTR [ebp-4] mov DWORD PTR [esp],eax bbl at 0x804820c (in main at 0x80481f0) call 36 <MyFunction+0x36> 0x804820c : movl %eax,0x0 mov eax,0x0 0x8048211 : leave leave 0x8048212 : ret ret EXIT HELL 12 / 19 Limoges, September 8, 2010

  28. Hello World HELL <MyFunction>: bbl at 0x80481f0 (in main at 0x80481f0) mov DWORD PTR [esp+4],0x0 ... mov DWORD PTR [esp],0x0 0x8048200 : movl DWORD PTR [%esp],0x8096188 call 16 <MyFunction+0x16> 0x8048207 : call 80486c0 mov DWORD PTR [ebp-4],eax mov eax,DWORD PTR [ebp+8] mov DWORD PTR [esp+4],eax mov eax,DWORD PTR [ebp-4] _IO_printf (0x80486c0) mov DWORD PTR [esp],eax call 2b <MyFunction+0x2b> mov eax,DWORD PTR [ebp-4] mov DWORD PTR [esp],eax bbl at 0x804820c (in main at 0x80481f0) call 36 <MyFunction+0x36> 0x804820c : movl %eax,0x0 mov eax,0x0 0x8048211 : leave leave 0x8048212 : ret ret EXIT HELL 12 / 19 Limoges, September 8, 2010

  29. CouCou World HELL ELF header bbl at 0x80481f0 (in main at 0x80481f0) ... 0x8048200 : movl DWORD PTR [%esp],0x8096188 Program header table 0x8048207 : call 80486c0 .text MyFunction .rodata ... bbl at 0x804820c (in main at 0x80481f0) 0x804820c : movl %eax,0x0 .data 0x8048211 : leave 0x8048212 : ret Section header table EXIT HELL 13 / 19 Limoges, September 8, 2010

  30. CouCou World HELL ELF header bbl at 0x80481f0 (in main at 0x80481f0) ... 0x8048200 : movl DWORD PTR [%esp],0x8096188 Program header table 0x8048207 : call 80486c0 .text MyFunction .rodata ... bbl at 0x804820c (in main at 0x80481f0) 0x804820c : movl %eax,0x0 .data 0x8048211 : leave 0x8048212 : ret Section header table EXIT HELL 13 / 19 Limoges, September 8, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

JGB71E - Bioinformatique applique Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van Helden Jacques.van-Helden@univ-amu.fr Aix-Marseille Universit, France Technological Advances for Genomics and

886 views • 75 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
CHAPTER 11: MODEL TRANSFORMATION Transformation Definition Transformation Tool 2 Agenda

CHAPTER 11: MODEL TRANSFORMATION Transformation Definition Transformation Tool 2 Agenda

Architecture and Modelling of Information Systems (D0I71A) Prof. dr. Monique Snoeck CHAPTER 11: MODEL TRANSFORMATION Transformation Definition Transformation Tool 2 Agenda Model Transformations General approach Transformation

985 views • 59 slides
5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques the Greek's used during battle L.O To analyse the main reasons for the Greek victory 5/10/20 Starter Who was Alexander the great? L.O To analyse

613 views • 40 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 ` etique de lInformatique Math ematique Antoine Min e Ecole normale sup erieure 9 f evrier 2011 Perpignan 9/02/2011 Analyse

896 views • 70 slides
Composing Transformation Composing Transformation Composing Transformation the process of

Composing Transformation Composing Transformation Composing Transformation the process of

Composing Transformation Composing Transformation Composing Transformation the process of applying Matrix multiplication is associative several transformation in succession to form one M3 x M2 x M1 = (M3 x M2) x M1 = M3 x (M2 x

485 views • 9 slides
Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next assignment) DE DEPARTMENT OF OF COM OMPUTER S SCIENCE &amp; &amp; SO SOFTW TWARE RE E ENGINEERI RING PI PICN CNIC SA SATU TURD RDAY

709 views • 41 slides
On-line Multi-label Classification A Problem Transformation Approach Jesse Read Supervisors:

On-line Multi-label Classification A Problem Transformation Approach Jesse Read Supervisors:

On-line Multi-label Classification A Problem Transformation Approach Jesse Read Supervisors: Bernhard Pfahringer, Geoff Holmes Hamilton, New Zealand Outline Multi-label Classification Problem Transformation Binary Method

885 views • 51 slides
FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

Assessing Writing at FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students pieces of writing. Analyse assessment criteria and glossary. Practise assessing with samples of students work.

315 views • 27 slides
Binary Search Trees A binary search tree is a binary tree T such that - each internal node

Binary Search Trees A binary search tree is a binary tree T such that - each internal node

AVL T REES Binary Search Trees AVL Trees AVL Trees 1 Binary Search Trees A binary search tree is a binary tree T such that - each internal node stores an item (k, e) of a dictionary. - keys stored at nodes in the left subtree of

547 views • 26 slides
Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2 child elements left child sorts less, right more, than parent tree has a depth tree has a balance, comparing depths of its left and right

305 views • 5 slides
Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief - Unreal games Gears of War 4 - D3D12 multi-GPU support on UWP Other, more exotic D3D12 multi-GPU stuff Sony - PS4 graphics dev support

744 views • 49 slides
REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using distributed RTLSDR receivers &amp; open source software PRESENTED BY GAVIN ROZZI Cyberspectrum #23 @ DEF CON 2018 August 9th, 2018 SDR HAS THE

985 views • 22 slides
Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami) Red Team @ Snap Former Wireless Security Researcher @ Bastille Networks Wireless CVEs in products from 21 vendors Radios

755 views • 64 slides
Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On Au Automotiv omotive Lior Yaari 28/11/2019 Techy Trainer at DeepSec 7 Years In Cyber Security Vulnerability Researcher Sec-Dev CS Teacher

1.28k views • 81 slides
Reverse Engineering Outernet Daniel Estvez 27 December 2016 33rd Chaos Communication Congress,

Reverse Engineering Outernet Daniel Estvez 27 December 2016 33rd Chaos Communication Congress,

Reverse Engineering Outernet Daniel Estvez 27 December 2016 33rd Chaos Communication Congress, Hamburg Daniel Estvez Reverse Engineering Outernet 33C3 1 / 40 Brief info about speaker Currently finishing a PhD in pure Mathematics Also

673 views • 44 slides
(01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th

(01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th

Network Kernel Architectures and Implementation (01204423) Sensor Node Programming II (UART and Radio) Chaiporn Jaikaeo chaiporn.j@ku.ac.th Department of Computer Engineering Kasetsart University Outline UART communication Single-hop

410 views • 19 slides
Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 1 Welcome to Linux Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State University, Shreveport, LA 71115 Introducing Shells History of UNIX and GNU-Linux Heritage of Linux: UNIX What Is So Good About Linux? Overview

336 views • 15 slides
RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin Hosted by Kelynn Renals MAKING THE COMPLEX SIMPLE CONFIDENTIAL ENTERPRISES FACE DIFFICULTIES IN EDGE DEPLOYMENT 2 CONFIDENTIAL CISCO AND STORMAGIC

366 views • 8 slides

More recommend