playing with binary analysis
play

Playing with Binary Analysis Deobfuscation of VM based software - PowerPoint PPT Presentation

Apr 23, 2023 •198 likes •933 views

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

  1. Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sébastien Bardin and Marie-Laure Potet SSTIC 2017

  2. Topic Binary protection ● Virtualization-based software protection ○ Automatic deobfuscation, our approach ● The Tigress challenges ● Limitations ● ● What next? Conclusion ●

  3. Binary Protection

  4. Binary Protection Goal ● Turn your program to make it hard to analyze ○ Protect your software against reverse engineering ■ P Transformation P’

  5. Binary Protection There are several kinds of protection ● [...] ○ Virtualization-based software protection ○

  6. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ●

  7. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] return x; } bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

  8. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

  9. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  10. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● Removed long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  11. Binary Protection - VM Design (a simple one) Fetching Decoding Dispatcher Close to a CPU design ● Operator 1 Operator 2 Operator 3 a. Fetch the opcode pointed via the virtual IP b. Decode the opcode - mnemonic / operands c. Dispatch to the appropriate semantics handler d. Execute the semantics Terminator e. Go to the next instruction or terminate

  12. Binary Protection - VM Design (a simple one) Fetching long secret(long x) { Decoding [transformations on x] Bytecodes - Custom ISA return x; } Dispatcher Close to a CPU design ● Operator 1 Operator 2 Operator 3 a. Fetch the opcode pointed via the virtual IP b. Decode the opcode - mnemonic / operands c. Dispatch to the appropriate semantics handler d. Execute the semantics Terminator e. Go to the next instruction or terminate

  13. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : Operator 1 Operator 2 Operator 3 Terminator

  14. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : Code : Operator 1 Operator 2 Operator 3 Terminator

  15. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : Operator 1 Operator 2 Operator 3 Terminator

  16. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : Operator 1 Operator 2 Operator 3 Terminator

  17. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  18. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  19. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  20. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  21. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  22. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  23. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  24. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  25. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  26. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  27. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  28. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  29. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  30. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  31. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  32. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 ret r3 Terminator

  33. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 ret r3 Terminator

  34. Virtual Machine - Standard Reverse Process Reverse and understand the virtual machine’s structure / components ● Create a disassembler and then reverse the bytecodes ● ? Bytecodes ? Create a disassembler ? Disassembly ? ? ? Start Reversing ?

  35. Our Approach Automatic Deobfuscation

  36. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ●

  37. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one

  38. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one The crafted binary must have a control flow graph close to the original one ○

  39. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one The crafted binary must have a control flow graph close to the original one ○ ○ The crafted binary must have instructions close to the original ones

  40. Our Approach - Automatic Deobfuscation Removed long secret(long x) { [transformations on x] Bytecodes return x; } FROM bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  41. Our Approach - Automatic Deobfuscation TO Obfuscated Traces

  42. Our Approach - Automatic Deobfuscation THEN FROM Simplified Traces

  43. Our Approach - Automatic Deobfuscation long secret_prime(long x) { [transformations on x] return x; } TO bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete ->

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Todays Class Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and resources Framework Weve seen multi-agent Game trees systems, and search problems Minimax where another agents moved

234 views • 6 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it>

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti Kuusisto and Raine Rnnholm Lauri Hella 60 Fest Murikanranta, July 6, 2018 V Goranko 1 of 38 10 sec trailer Two main story lines: 1. Playing

614 views • 38 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network security researcher IPv6, DNS, TLS, BGP, DDoS mitigation, ... Scapy co-maintainer Python-based packet manipulation program & library neither

1.1k views • 61 slides
USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart fuzzer that uses code coverage needs an initial corpus ~20 different mutations strategies only keep mutated inputs that modify coverage source

868 views • 29 slides
Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie atomique et aux nergies alternatives June 17, 2017 Summary 1 Introduction 2 Use case: Shellcode Use case: EquationDrug from EquationGroup 3 Use

1.66k views • 143 slides
1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan

1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan

1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan Safner Assistant Professor of Economics safner@hood.edu ryansafner/thoughtF20 thoughtF20.classes.ryansafner.com Outline Interpretations

885 views • 46 slides
Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

672 views • 49 slides
An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

Background Evaluation An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle Malte Helmert University of Basel Switzerland June 15, 2016 Background Evaluation Outline Background 1 Evaluation 2

413 views • 23 slides
Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017 Introduction Merge-and-Shrink Evaluation of Merge Strategies Implementation Conclusion Motivation An important factor for the performance of

489 views • 22 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides

More recommend