hitb 2009
play

HITB 2009 Metasm Debugger Analysis of a protection Compiler - PowerPoint PPT Presentation

Mar 11, 2023 •167 likes •767 views

Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009 Metasm Debugger Analysis of a protection Compiler

  1. Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009

  2. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 2/55

  3. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Metasm a pure ruby opensource framework assembler/dissassembler Ia32 (16/32/64bits), mips Even supports cr7 debugger linux, windows, remote compiler/decompiler (more or less :) GUI included ! A. Gazet, Y. Guillot Binary deprotection with metasm 3/55

  4. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 4/55

  5. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Debugger A. Gazet, Y. Guillot Binary deprotection with metasm 5/55

  6. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Debugger A. Gazet, Y. Guillot Binary deprotection with metasm 6/55

  7. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Features Direct manipulation of the OS primitives sys ptrace WaitForDebugEvent Very fine & low-level control Unified high-level interface Linux, Windows, GDBserver Conditionnal breakpoints, callback. . . A. Gazet, Y. Guillot Binary deprotection with metasm 7/55

  8. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 8/55

  9. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler C Compiler Rudimentary C compiler x86 only Framework integration easy to leverage Easy to customize e.g. dynamic symbol resolution A. Gazet, Y. Guillot Binary deprotection with metasm 9/55

  10. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 10/55

  11. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembler A. Gazet, Y. Guillot Binary deprotection with metasm 11/55

  12. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembly The reference: IDA Pro Excellent on unobfuscated binaries Not so useful on protected code No code interpretation Strong hypothesis Hypothesis Both branches are taken on a conditionnal jump Two instructions never overlap A subfunction call returns A. Gazet, Y. Guillot Binary deprotection with metasm 12/55

  13. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembly The reference: IDA Pro Excellent on unobfuscated binaries Not so useful on protected code No code interpretation Strong hypothesis Hypothesis Both branches are taken on a conditionnal jump Two instructions never overlap A subfunction call returns A. Gazet, Y. Guillot Binary deprotection with metasm 12/55

  14. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Hypothesis: all call returns . t e x t :00403 E9F loc 403E9F : ; CODE XREF: .text: loc_40CDEF . t e x t :00403 E9F push ebp . t e x t :00403 EA0 push ecx . t e x t :00403 EA1 push ebp . t e x t :00403 EA2 c a l l sub 40BECD . t e x t :00403 EA7 outsb . t e x t :00403 EA8 edx , cmp esp . t e x t :00403 EAA push esp . t e x t :00403 EAB i n c e s i A. Gazet, Y. Guillot Binary deprotection with metasm 13/55

  15. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Failure . t e x t :0040 BECD sub 40BECD proc near ; CODE XREF: .text :00 . t e x t :0040 BECD cmp eax , ebp . t e x t :0040 BECF [ esp +0] , 1 add dword ptr . t e x t :0040 BED4 t e s t ebx , 1 E2h . t e x t :0040 BEDA 0 Ch retn . t e x t :0040 BEDA sub 40BECD endp A. Gazet, Y. Guillot Binary deprotection with metasm 14/55

  16. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Our solution: Express instruction effects through symbolic expressions. This associates semantics to each instruction. Instruction ADD : r e s = Expression [ [ a [ 0 ] , :& , mask ] , :+ , [ a [ 1 ] , :& , mask ] ] binding [ a [ 0 ] ] = r e s binding [ : e f l a g z ] = Expression [ [ res , :& , mask ] , :==, 0] binding [ : e f l a g s ] = s i g n [ r e s ] binding [ : e f l a g c ] = Expression [ res , : > , mask ] binding [ : e f l a g o ] = Expression [ [ s i g n [ a [ 0 ] ] , :==, s i g n [ a [ 1 ] ] ] , : ’&&’ , [ s i g n [ a [ 0 ] ] , : ’!=’ , s i g n [ r e s ] ] ] A. Gazet, Y. Guillot Binary deprotection with metasm 15/55

  17. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Our solution: Express instruction effects through symbolic expressions. This associates semantics to each instruction. Instruction ADD : r e s = Expression [ [ a [ 0 ] , :& , mask ] , :+ , [ a [ 1 ] , :& , mask ] ] binding [ a [ 0 ] ] = r e s binding [ : e f l a g z ] = Expression [ [ res , :& , mask ] , :==, 0] binding [ : e f l a g s ] = s i g n [ r e s ] binding [ : e f l a g c ] = Expression [ res , : > , mask ] binding [ : e f l a g o ] = Expression [ [ s i g n [ a [ 0 ] ] , :==, s i g n [ a [ 1 ] ] ] , : ’&&’ , [ s i g n [ a [ 0 ] ] , : ’!=’ , s i g n [ r e s ] ] ] A. Gazet, Y. Guillot Binary deprotection with metasm 15/55

  18. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  19. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  20. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  21. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Backtracking, the theory Definition Symbolic emulation by walking the instruction flow backwards. A. Gazet, Y. Guillot Binary deprotection with metasm 17/55

  22. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Backtracking, the facts Execution flow: c a l l loc 40becdh ; @403ea2h e826800000 [ . . . ] cmp eax , ebp ; @40becdh 39e8 [ esp +0] , 1 add dword ptr ; @40becfh 8344240001 t e s t ebx , 1 e2h ; @40bed4h f7c3e2010000 0 ch r e t ; @40bedah c20c00 Backtracing x dword ptr [esp] for 40bedah ret 0ch backtrace 40becfh dword ptr [esp] => dword ptr [esp]+1 1 backtrace up 40becdh->403ea2h dword ptr [esp]+1 2 backtrace 403ea2h dword ptr [esp]+1 => 403ea8h 3 backtrace result: 403ea8h 4 A. Gazet, Y. Guillot Binary deprotection with metasm 18/55

  23. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Metasm Result: loc 403e9fh : push ebp ; @403e9fh 55 push ecx ; @403ea0h 51 push ebp ; @403ea1h 55 c a l l loc 40becdh ; @403ea2h e826800000 noreturn db 6 eh ; @403ea7h // Xrefs : 40 bedah loc 403ea8h : cmp edx , esp ; @403ea8h 39e2 push esp ; @403eaah 54 [ . . . ] // Xrefs : 403 ea2h loc 40becdh : cmp eax , ebp ; @40becdh 39e8 add dword ptr [ esp +0] , 1 ; @40becfh 8344240001 t e s t ebx , 1 e2h ; @40bed4h f7c3e2010000 r e t 0 ch ; @40bedah c20c00 x: loc_403ea8h A. Gazet, Y. Guillot Binary deprotection with metasm 19/55

  24. Breaking obfuscation Metasm Breaking code virtualization Analysis of a protection Putting the pieces together Decompilation Conclusion(s) Plan Metasm 1 Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 20/55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

1.17k views • 88 slides
Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and

Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and

Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and welcome again to Platinum 2009. As usual, Im going to concentrate on whats been happening in the Pt and Pd markets, and finish with a couple of

707 views • 39 slides
First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009 Results Back Up Commenting 1Q 2009 Results Strong trend with 60k net adds Customer Base Growth Significant improvement vs 4Q 2008

573 views • 16 slides
Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights

Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights

Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights 4th quarter 2009 The Board of Directors will propose to the Annual General Meeting a dividend of NOK 3.5 per share after issued guarantees are

369 views • 12 slides
2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year

2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year

2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year Results Presentation Terry Davis Group Managing Director 13 August 2009 First half 2009 major highlights 1. Double-digit EBIT, NPAT and EPS growth

735 views • 54 slides
CO CO 2 fixation by mineral matter; fixation by mineral matter; the potential of different the

CO CO 2 fixation by mineral matter; fixation by mineral matter; the potential of different the

Climate Change: Global Risks, Challenges and Decisions Copenhagen (Denmark) March 10-12, 2009 S17 09 11 3 2009 11:45 S17.09, 11.3.2009 S17.09, 11.3.2009 11:45 S17 09 11 3 2009 11:45-12:05 11:45-12:05 12:05 12:05 CO CO 2

702 views • 12 slides
Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary &

Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary &

1 Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary & Unaudited Safe Harbor Statement under the Private Securities Litigation Reform Act of 1995 Statements made in this presentation that relate to future

534 views • 34 slides
1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries:

1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries:

BR/BH/Hof 2009/D/11.11.2009 1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries: Production factories: Turkey Mexico Italia Germany USA Spain Uzbekistan Brazil India China 2

1.39k views • 82 slides
Fronteers 2009 , 2009

Fronteers 2009 , 2009

Fronteers 2009 , 2009 Molly Holzschlag Peter-Paul Koch Whats New With The The Mobile Web, Or The Mobile Web Masochist's Guide To Gleeful Self-flagellation Chris

1.28k views • 86 slides
My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy Researcher at DEVCORE CTF Player HITCON / 217 Chroot Co-founder of pwnable.tw Speaker HITB GSEC 2018/AVTokyo 2018/VXCON Outline

1.35k views • 107 slides
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009 $800,000 Median $765,916 $ in thousands $600,000 FY 2006 FY 2007 FY 2008 $400,000 FY 2009 $200,000 $0 Texas University UC Michigan

1.4k views • 84 slides
Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher at DEVCORE Speaker at Black Hat US/ASIA , DEFCON , HITB , CODEBLUE CTF player (Captain of HITCON CTF team and member of 217 ) Bounty

1.32k views • 103 slides
Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement

Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement

Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement hiring restrictions and limits: Replace only essential positions. Change policy to permit physical education credit (via waiver) for

839 views • 4 slides
PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28, 2009 PSYCHOTRONIC Sunday, June 28, 2009 MySpace: 100 million users [january 2008] 1,400,000+ tweets [march 2009] generation y genuine data

768 views • 43 slides
Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009

Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009

Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009 9:00 am Greenwich Mean Time Operator: Good morning, ladies and gentlemen, and welcome to the Q3 Results 2009 Conference Call. At this time, all

550 views • 17 slides
PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda Workshop presentation Black box audit Source code audit samedi 25 juillet 2009 2 Who speaks? Philippe Gamache Parler Haut, Interagir

848 views • 73 slides
Ruby Control Structures Venkat Subramaniam svenkat@cs.uh.edu 1 Statements Statements

Ruby Control Structures Venkat Subramaniam svenkat@cs.uh.edu 1 Statements Statements

Ruby Control Structures Venkat Subramaniam svenkat@cs.uh.edu 1 Statements Statements dont need ; You write one statement per line (like you normally do anyways) If you want to put multiple statements on a line, you may use

408 views • 3 slides
Amazing SQL your ORM can (or cant) do Louise Grandjonc - pgconfEU 2019 @louisemeta About me

Amazing SQL your ORM can (or cant) do Louise Grandjonc - pgconfEU 2019 @louisemeta About me

Amazing SQL your ORM can (or cant) do Louise Grandjonc - pgconfEU 2019 @louisemeta About me Software Engineer at Citus Data / Microsoft Python developper Postgres enthusiast @louisemeta and @citusdata on twitter www.louisemeta.com

888 views • 72 slides
DESIGNING WITH RUBY by Alexander C. Schreyer Lecturer, University of Massachusetts, Amherst

DESIGNING WITH RUBY by Alexander C. Schreyer Lecturer, University of Massachusetts, Amherst

DESIGNING WITH RUBY by Alexander C. Schreyer Lecturer, University of Massachusetts, Amherst 2012 SketchUp Basecamp, Boulder, CO WHAT WERE GOING TO DO How can we use Ruby for Design? Editing code in SketchUp What can Ruby do

445 views • 19 slides
Safe Programming in Dynamic Languages Jeff Foster University of Maryland, College Park Joint

Safe Programming in Dynamic Languages Jeff Foster University of Maryland, College Park Joint

Safe Programming in Dynamic Languages Jeff Foster University of Maryland, College Park Joint work with David An, Avik Chaudhuri, Mike Furr, Mike Hicks, Brianna Ren, T. Stephen Strickland, and John Toman Dynamic Languages Dynamic languages

528 views • 33 slides
DASH: Making Data Sharing Easier Marisa Strong University of California Cura;on Center (UC3)

DASH: Making Data Sharing Easier Marisa Strong University of California Cura;on Center (UC3)

DASH: Making Data Sharing Easier Marisa Strong University of California Cura;on Center (UC3) California Digital Library University of California Cura;on Center Research Lifecycle Dash helps researchers in six ways: Prepare Select

506 views • 15 slides
Running Ruby and Rails, purely serverless on AWS Paul & James Ridgway The Speakers Paul

Running Ruby and Rails, purely serverless on AWS Paul & James Ridgway The Speakers Paul

Running Ruby and Rails, purely serverless on AWS Paul & James Ridgway The Speakers Paul Ridgway James Ridgway CEO of The Curve CTO of The Curve Work across the entire tech stack Cross-language expert Management

844 views • 71 slides
FourD: Do Developers Discuss Design? Revisited Abbas Shakiba Robert Green Rob ober ert

FourD: Do Developers Discuss Design? Revisited Abbas Shakiba Robert Green Rob ober ert

FourD: Do Developers Discuss Design? Revisited Abbas Shakiba Robert Green Rob ober ert Dyer er Bowling Green State University supported in part by the US National Science Foundation under CCF-15-18776 and CNS-15-12947 Do developers

387 views • 20 slides
RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study

RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study

Phase 3b Treatment-Naive Ombitasvir-Paritaprevir-Ritonavir and Dasabuvir in GT1 and Renal Disease RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study Ombitasvir-Paritaprevir-Ritonavir and Dasabuvir

417 views • 7 slides

More recommend