the context of reverse engineering
play

the context of Reverse Engineering Sebastian Porst - PowerPoint PPT Presentation

Aug 27, 2023 •557 likes •1.04k views

Automated static deobfuscation in the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian Ketterer (cketti@gmail.com) Sebastian Christian zynamics GmbH Student Lead Developer University of

  1. Automated static deobfuscation in the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian Ketterer (cketti@gmail.com)

  2. Sebastian Christian • zynamics GmbH • Student • Lead Developer • University of Karlsruhe – BinNavi • Deobfuscation – REIL/MonoREIL

  3. This talk Obfuscated Code Readable Code (mysterious things happen here) 20% 40% 40%

  4. Motivation • Combat common obfuscation techniques • Can it be done? • Will it produce useful results? • Can it be integrated into our technology stack?

  5. Examples of Obfuscation Simple • Jump chains • Splitting calculations • Garbage code insertion • Predictable branches • Self-modifying code • Control-flow flattening • Opaque predicates • Code parallelization • Virtual Machines • ... Tricky

  6. Our Deobfuscation Approach I. Copy ancient algorithms from compiler theory books II. Translate obfuscated assembly code to REIL III. Run algorithms on REIL code IV. Profit (?)

  7. We‘re late in the game ... 2007 2008 2009 199X 2000 2001 2002 2003 2004 2005 2006 U of Auckland zynamics U of Wisc + F. Perriot TU Munich Mathur U of Ghent M. Mohammed Mathur Christodorescu (see end of this presentation for proper source references) Bruschi

  8. ... but 2007 2008 2009 199X 2000 2001 2002 2003 2004 2005 2006 Malware Research Defensive Reverse Engineering Offensive Reverse Engineering

  9. REIL • Reverse Engineering Intermediate Language • Specifically designed for Reverse Engineering • Design Goal: As simple as possible, but not simpler • In use since 2007

  10. Uses of REIL Register Tracking : Helps Reverse Engineers follow data flow through code (Never officially presented) Index Underflow Detection : Automatically find negative array accesses (CanSecWest 2009, Vancouver) Automated Deobfuscation : Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona) ROP Gadget Generator : Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)

  11. The REIL Instruction Set Arithmetical Bitwise Data Transfer Logical Other ADD AND STR BISZ NOP SUB OR LDM JCC UNDEF MUL XOR STM UNKN DIV MOD BSH

  13. Why REIL? • Simplifies input code • Makes effects obvious • Makes algorithms platform-independent

  14. MonoREIL • Monotone Framework for REIL • Based on Abstract Interpretation • Used to write static code analysis algorithms http://www.flickr.com/photos/wedrrc/3586908193/

  15. Why MonoREIL? • In General: Makes complicated algorithms simple (trade brain effort for runtime) • Deobfuscator: Wrong choice really, but we wanted more real-life test cases for MonoREIL

  16. Building the Deobfuscator • Java • BinNavi Plugin • REIL + MonoREIL http://www.flickr.com/photos/mattimattila/3602654187/

  17. Block Merging • Long chains of basic blocks ending with unconditional jumps • Confusing to follow in text-based disassemblers • Advantage of higher abstraction level in BinNavi – Block merging is purely cosmetic

  18. Block Merging Before After

  19. Constant Propagation and Folding • Two different concepts • One algorithm in our implementation • Partial evaluation of the input code

  20. Constant Propagation and Folding Before After

  21. Dead Branch Elimination • Removes branches that are never executed – Turns conditional jumps into unconditional jumps – Removes code from unreachable branch • Requires constant propagation/folding

  22. Dead Branch Elimination Before After

  23. Dead Code Elimination • Removes code that computes unused values • Gets rid of inserted garbage code • Cleans up after constant propagation/folding

  24. Dead Code Elimination Before After

  25. Dead Store Elimination • Comparable to dead code elimination • Removes useless memory write accesses • Limited to stack access in our implementation • Only platform-specific part of our optimizer

  26. Dead Store Elimination Before After

  27. Suddenly it dawned us: Deobfuscation for RE brings new problems which do not exist in other areas

  28. Let‘s get some help

  29. Problem: Side effects push 10 mov eax, 10 pop eax Removed code was used • in a CRC32 integrity check • as key of a decryption routine • as part of an anti-debug check • ...

  30. Problem: Code Blowup mov eax, 20 mov eax, 10 clc add eax, 10 ... Good luck setting • AF • CF • OF • PF • ZF

  31. Problem: Moving addresses 0000: jmp ecx 0000: jmp ecx 0002: push 10 0002: mov eax, 10 0003: pop eax ecx is 0003 but we just missed the pop instruction static analysis can not know this

  32. Problem: Inability to debug mov eax, 10 Deobfuscated list of Executable Input File Instructions but no executable file

  33. The only way to solve all* problems: A full-blown native code compiler with an integrated optimizer Too much work, maybe we can approximate ... * except for the side-effects issue

  34. Only generate optimized REIL code Before After

  35. Only generate optimized REIL code • Produces excellent input for • Side effects problem remains • Pretty much unreadable for other analysis algorithms • Code blow-up solved human reverse engineers • Keeps address/instruction mapping • Code can not be debugged natively but interpreted

  36. Effect comments Before After

  37. Effect comments • Results can easily be used by • Side effects problem remains • Address mapping problem human reverse engineers • Code blow-up solved • Code can not be debugged • Comments have semantic meaning

  38. Extract formulas from code Before After

  39. Extract formulas from code • Results can easily be used by • Not really deobfuscation (but human reverse engineers produces similar result?) • No code generation necessary, only extraction of semantic information • Solves all problems because original program remains unchanged

  40. Implement a small pseudo-compiler Before After

  41. Implement a small pseudo-compiler • This is what we did • Side effects problem remains • Closest thing to the real deal • Address mapping problem • Code blow-up is solved remains • Partially • Why not go for a complete • Natively debug the output compiler? • not in our case • pseudo x86 instructions

  42. Economic value in creating a complete optimizing compiler for RE? Not for us • Small company • Limited market • Wrong approach?

  43. Alternative Approaches • Deobfuscator built into disassembler • REIL-based formula extraction • Hex-Rays Decompiler • Code optimization and generation based on LLVM • Emulation / Dynamic deobfuscation

  44. Conclusion • The concept of static deobfuscation is sound – Except for things like side-effects, SMC, ... • A lot of work • Expression reconstruction might be much easier and still produce comparable results

  45. Related work • A taxonomy of obfuscating transformations • Defeating polymorphism through code optimization • Code Normalization for Self-Mutating Malware • Software transformations to improve malware detection • Zeroing in on Metamorphic Computer Viruses • ...

  46. http://www.flickr.com/photos/marcobellucci/3534516458/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach

Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach

Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach Marielba Zacarias, H. Sofia Pinto, Jos Tribolet CEO/ALGOS (INESC-INOV)/IST, Lisboa Universidade do Algarve, Faro - Portugal Summary Introduction

543 views • 26 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
assembly language source assembler code "machine code" 1 These slides may be

assembly language source assembler code "machine code" 1 These slides may be

assembly language source assembler code "machine code" 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the "machine code" into memory 2 jal __start (the OS

798 views • 66 slides
Constructions of Codes with the Locality Property Alexander Barg University of Maryland DIMACS

Constructions of Codes with the Locality Property Alexander Barg University of Maryland DIMACS

Constructions of Codes with the Locality Property Alexander Barg University of Maryland DIMACS Workshop Network Coding: The Next 15 years A. Barg (UMD) LRC codes 1 / 30 Acknowledgment Based on joint works with Itzhak Tamo Alexey

803 views • 30 slides
Toric ideals of neural codes Elizabeth Gross San Jos e State University Joint work with Nida

Toric ideals of neural codes Elizabeth Gross San Jos e State University Joint work with Nida

Toric ideals of neural codes Elizabeth Gross San Jos e State University Joint work with Nida Obatake (SJSU) Nora Youngs (Harvey Mudd) Elizabeth Gross, SJSU Toric ideals of neural codes Neural activity and place fields The freely moving

831 views • 18 slides
Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu

Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu

Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu Networking and Telecommunications Group College of Computing Georgia Institute of Technology {akumar,jx}@cc.gatech.edu Li (Erran) Li Bell Laboratories

281 views • 15 slides
Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde <nico@comsecuris.com> @iamnion Daniel Komaromy <daniel@comsecuris.com> @kutyacica Motivation All your baseband Reverse engineering a Baseband

585 views • 55 slides
Creating slides Marco Pessotto 2016 Contents Full example 6 Activate 7 Explanation . . . .

Creating slides Marco Pessotto 2016 Contents Full example 6 Activate 7 Explanation . . . .

Creating slides Marco Pessotto 2016 Contents Full example 6 Activate 7 Explanation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Syntax 8 Explanation . . . . . . . . . . . . . . . . . .

132 views • 9 slides
CODE REVIEW SKILLS FOR PYTHONISTAS @NNJA bit.ly/ codereviewpy LIVETWEET USE #EUROPYTHON

CODE REVIEW SKILLS FOR PYTHONISTAS @NNJA bit.ly/ codereviewpy LIVETWEET USE #EUROPYTHON

NINA ZAKHARENKO CODE REVIEW SKILLS FOR PYTHONISTAS @NNJA bit.ly/ codereviewpy LIVETWEET USE #EUROPYTHON @NNJA WHAT WE'LL LEARN TODAY [ 1/2 ] > What are the proven benefits of review? > Setting standards > Time saving tools and

1.24k views • 108 slides
FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1

FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1

DECOMPOSITION, ABSTRACTION, FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1 6.0001 LECTURE 4 LAST TIME while loops vs for loops should know how to write both kinds should know when to

501 views • 35 slides

More recommend