SlideShare une entreprise Scribd logo

Demystifying Binary Reverse Engineering - Pixels Camp

André Baptista
André Baptista

Reverse engineering is not just about uncovering the hidden behaviour of a given technology, system, program or device. It's actually an art and a mindset. Reversing is used by some government agencies, secret services, antivirus software companies, hackers and students. It can be used for many purposes: cracking/bypassing software, botnet analysis, finding 0day exploits, interpreting unknown protocols, understanding malware or finding bugs in apps.

Ingénierie
1  sur  45
Télécharger pour lire hors ligne
André Baptista @0xACB
Reverse Engineering • Uncovering the hidden behaviour of a given technology, system, program, protocol or device, by analysing the structure and operation of its components • Extracting knowledge about any unknown engineering invention
Reverse Engineering “Is biology reverse engineering?”
History
Reverse Engineering
 History • Reversing was used to copy inventions from other countries or business competitors • Frequently used in the WW2 and Cold war: • Jerry can • Panzerschreck • Tupolev Tu-4 / B-29
Binary Reverse Engineering Motivation • Software and hardware cracking • Malware analysis - botnets, spyware, ransomware • Finding bugs and developing 0day exploits • Creating or improving docs • Interpreting unknown protocols • Academic purposes • Industrial or military espionage • Software interoperability
Who knows how to do this stuff? • Hackers in general • Intelligence agencies / cybercrime divisions • Antivirus companies • Students and curious people
Binary Reverse Engineering • It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented.
Binary Reverse Engineering • It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented. Without the source code???
• It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented. WTF? WTF?WTF? Without the source code???Binary Reverse Engineering WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF?
Binary Reverse Engineering Formats of compiled software • ELF (Linux & UNIX like) • Mach-O (OSX) • PE (Windows) • Class (Java bytecode) • DEX (Android - Dalvik bytecode) • PYC (Python bytecode) • …
• Debugging (GDB, Valgrind, WinDbg) • Assembly (x86, x64, ARM, MIPS and many others) • Programming (C, C++, Java, etc) • Software architecture • Logic, math, crypto, protocols, networks • Don’t giving up Required skills
Awesome tools • Disassemblers • Debuggers • Decompilers • Patchers
Disassemblers These programs translate machine code to assembly.
Debuggers These programs are used to test other programs. Debuggers allow us to inspect memory and CPU registers, modify of variables in runtime, set breakpoints and call functions outside the program flow. In reverse engineering we usually use them for dynamic analysis.
Decompilers These programs try to achieve the near-impossible task of translating compiled software to the original source code. Sometimes, the generated code is more than enough to perform reversing tasks

Patchers A patcher is very useful for changing binary code in order to modify the software behaviour. Hex editors can be used as patchers, but there are better tools in the wild, that allow us to patch assembly instructions.
Badass tools • Disassemblers, debuggers and patchers • IDA Pro - https://www.hex-rays.com/products/ida • Hopper Disassembler - http://www.hopperapp.com • binary.ninja - https://binary.ninja • Radare 2 - http://rada.re • ODA - http://www.onlinedisassembler.com • OllyDbg - http://www.ollydbg.de • ILSpy - http://ilspy.net • Linux tools: objdump, ltrace, strace, readelf, gdb • Apktool - https://ibotpeaches.github.io/Apktool
Badass tools • Decompilers • IDA Pro - https://www.hex-rays.com/products/ida (x86, x64, ARM, MIPS, Gameboy, etc) • Hopper Disassembler - http://www.hopperapp.com (x86, x64, ARM) • Retargetable Decompiler (AVG) - https://retdec.com (x86, ARM, MIPS, Power PC) • JADX - https://github.com/skylot/jadx (DEX) • Online android decompilers: http://www.javadecompilers.com/apk | http:// www.decompileandroid.com • JetBrains dotPeek - https://www.jetbrains.com/decompiler (.NET) • ILSpy - http://ilspy.net (.NET) • uncompyle2 - https://github.com/Mysterie/uncompyle2 (Python bytecode)
Static Analysis • Do not execute the program • Read the spooky assembly/decompiled code • Inspect flow charts • Take lots of notes • Translate procedures to the programming language of your choice • It’s a pain in the ass to reverse obfuscated of very complex programs
Dynamic Analysis • Execute the program • Inspect the program behaviour • Use a debugger to understand the values of the CPU registers, memory (stack, heap) and the guessed arguments for functions calls in a specific state of execution • It’s difficult to achieve if any anti-debugging protections exist (Some even crash IDA PRO)
Binary RE https://github.com/RPISEC/MBE
Binary RE https://github.com/RPISEC/MBE
Demo 1 - Dynamic analysis https://goo.gl/XXoPCV
Cracking • This demo was a very simple cracking scenario • The real stuff involves a much more complex task (static analysis, dynamic analysis, concolic analysis) • E.g. If you want to create a keygen you need to understand the serial number validation algorithm • You need to be a patching ninja to remove anti- cracking protections (usually triggered in runtime)
Cracking • In the good old times: to crack a game you just needed to patch code to bypass PC-CDROM ID or Integrity checks • Reverse engineering is one of the main categories in Security CTFs • In CTFs, the contestants are typically challenged to solve cracking problems • The simplest case is just like the last demo. Find the correct input
Cracking Advanced techniques 🤔
Cracking Advanced techniques • Timing attacks • When a char is correct: one more cycle is executed, i.e. more instructions • It’s possible to launch a timing attack, char by char • The attack complexity is reduced from to • How can we prevent this kind of attacks? • Tools for local binary timing attacks: Pin tool, GDB scripts
Cracking Advanced techniques • Solvers • Serial number validation algorithms are usually composed by complex verifications, whose components are the values of certain indexes of the serial number. 
 
 E.g. • These verifications can be translated to systems of equations, that can be easily solved by powerful tools like Z3 Theorem Prover, Sage, Maple, Matlab • Z3 supports both arithmetic and bitwise operators, and custom functions as well.
Cracking Advanced techniques - Z3 Python script Solutions
What about the future? Predicting the future using Naive Mayes
Let’s get to the powerful stuff
DARPA CGC • A very important mark in the history of infosec • It was the first-ever all-machine hacking tournament • These machines were able to automatically find and patch vulnerabilities in binaries • The Mechanical Phish project, from the Shellphish team, was able to identify vulnerabilities using both fuzzing and symbolic execution techniques.
DARPA CGC Mechanical Phish - Driller
DARPA CGC Mechanical Phish - ANGR • ANGR is a very powerful binary analysis framework. It was implemented mostly by the Shellphish team and is one of the main components of Driller • It’s one of the most recent open source technologies to perform reversing/cracking tasks • We can easily accomplish control-flow analysis, i.e., realize the damn conditions that make the program reach a specific state of execution • First, it translates the binary in VEX Intermediate Representation. Then, simulates instructions in a simulation engine: SimuVEX • Finally, they use a custom Z3 wrapper. It is called claripy: “a abstracted constraint-solving wrapper”
Demo 2 - Angr https://goo.gl/42T4mi
Ponce IDA plugin contest - 2016 • Taint analysis: this mode is used to understand and track where a user input occurs inside a program • Symbolic analysis: in this mode, the plugin maintains a symbolic state of registers and memory at each step in a binary’s execution path, allowing the user to solve user-controlled conditions to do manually guided execution
RGAT An instruction trace visualisation tool
Useful links to fry your brain (Over 1337 ºC) • Chill • https://github.com/RPISEC/MBE (lectures 2 and 3) • Reddit • https://reddit.com/r/reverseengineering • https://reddit.com/r/netsec • Practice • http://reversing.kr • https://ringzer0team.com • http://crackmes.de • https://ctftime.org (Read CTF writeups and try to solve some challenges) • Play CTFs (Hackover CTF just started and HITCON CTF starts in 7 hours)
The end Why secure
 my code…
 I’ll just hide it! Security through obscurity

Recommandé

Introduction to Complexity Science, by Antonio Caperna
Introduction to Complexity Science, by Antonio CapernaIntroduction to Complexity Science, by Antonio Caperna
Introduction to Complexity Science, by Antonio CapernaInternational Society of Biourbanism
 
TRIZ introduction.pdf
TRIZ introduction.pdfTRIZ introduction.pdf
TRIZ introduction.pdfmiaoli35
 
Trunk-Based Development
Trunk-Based DevelopmentTrunk-Based Development
Trunk-Based DevelopmentBryan Liu
 
Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)ShudipPal
 
Design Patterns
Design PatternsDesign Patterns
Design PatternsAnuja Arosha
 
The Software Development Process
The Software Development ProcessThe Software Development Process
The Software Development ProcessCesar Augusto Nogueira
 
Maintenance management
Maintenance managementMaintenance management
Maintenance managementImplement Consulting Group
 
Scrum metrics
Scrum metricsScrum metrics
Scrum metricsAndoni Gonzalo
 

Recommandé

Introduction to Complexity Science, by Antonio Caperna
Introduction to Complexity Science, by Antonio CapernaIntroduction to Complexity Science, by Antonio Caperna
Introduction to Complexity Science, by Antonio CapernaInternational Society of Biourbanism
 
TRIZ introduction.pdf
TRIZ introduction.pdfTRIZ introduction.pdf
TRIZ introduction.pdfmiaoli35
 
Trunk-Based Development
Trunk-Based DevelopmentTrunk-Based Development
Trunk-Based DevelopmentBryan Liu
 
Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)Software Engineering (Software Quality Assurance)
Software Engineering (Software Quality Assurance)ShudipPal
 
Design Patterns
Design PatternsDesign Patterns
Design PatternsAnuja Arosha
 
The Software Development Process
The Software Development ProcessThe Software Development Process
The Software Development ProcessCesar Augusto Nogueira
 
Maintenance management
Maintenance managementMaintenance management
Maintenance managementImplement Consulting Group
 
Scrum metrics
Scrum metricsScrum metrics
Scrum metricsAndoni Gonzalo
 
Software Engineering Lab Manual
Software Engineering Lab ManualSoftware Engineering Lab Manual
Software Engineering Lab ManualNeelamani Samal
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineeringParminder Singh
 
Maintenance management
Maintenance managementMaintenance management
Maintenance managementAnupam Kumar
 
Pressman ch-21-project-management-concepts
Pressman ch-21-project-management-conceptsPressman ch-21-project-management-concepts
Pressman ch-21-project-management-conceptsseethaveera
 
Software design patterns ppt
Software design patterns pptSoftware design patterns ppt
Software design patterns pptmkruthika
 
List of Software Development Model and Methods
List of Software Development Model and MethodsList of Software Development Model and Methods
List of Software Development Model and MethodsRiant Soft
 
Software Project Management
Software Project ManagementSoftware Project Management
Software Project ManagementAyaz Shariff
 
Theory of Constraints and Lean
Theory of Constraints and LeanTheory of Constraints and Lean
Theory of Constraints and Leantavantoan
 
Maintenance strategy
Maintenance strategyMaintenance strategy
Maintenance strategygumma alsgier
 
R.A.D. - Rapid Application Development
R.A.D. - Rapid Application DevelopmentR.A.D. - Rapid Application Development
R.A.D. - Rapid Application DevelopmentMediotype .
 
Code Refactoring
Code RefactoringCode Refactoring
Code RefactoringHarbinger Systems - HRTech Builder of Choice
 
Function Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniquesFunction Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniquesnimmik4u
 
Introduction to Extreme Programming
Introduction to Extreme ProgrammingIntroduction to Extreme Programming
Introduction to Extreme ProgrammingNaresh Jain
 
Uml difference faqs- 1
Uml difference faqs- 1Uml difference faqs- 1
Uml difference faqs- 1Umar Ali
 
Spm tutorials
Spm tutorialsSpm tutorials
Spm tutorialsVinod Kumar
 
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻小林 信行
 
Preventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - TamilPreventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - TamilAnanth Palaniappan
 
OEE-Practical-1.pptx
OEE-Practical-1.pptxOEE-Practical-1.pptx
OEE-Practical-1.pptxShreyanshiYadav
 
Unified process Model
Unified process ModelUnified process Model
Unified process ModelUniversity of Haripur
 
そうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えようそうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えようItsuki Inoue
 
6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP AT6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP ATAditya Thombare
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 

Contenu connexe

Tendances

Software Engineering Lab Manual
Software Engineering Lab ManualSoftware Engineering Lab Manual
Software Engineering Lab ManualNeelamani Samal
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineeringParminder Singh
 
Maintenance management
Maintenance managementMaintenance management
Maintenance managementAnupam Kumar
 
Pressman ch-21-project-management-concepts
Pressman ch-21-project-management-conceptsPressman ch-21-project-management-concepts
Pressman ch-21-project-management-conceptsseethaveera
 
Software design patterns ppt
Software design patterns pptSoftware design patterns ppt
Software design patterns pptmkruthika
 
List of Software Development Model and Methods
List of Software Development Model and MethodsList of Software Development Model and Methods
List of Software Development Model and MethodsRiant Soft
 
Software Project Management
Software Project ManagementSoftware Project Management
Software Project ManagementAyaz Shariff
 
Theory of Constraints and Lean
Theory of Constraints and LeanTheory of Constraints and Lean
Theory of Constraints and Leantavantoan
 
Maintenance strategy
Maintenance strategyMaintenance strategy
Maintenance strategygumma alsgier
 
R.A.D. - Rapid Application Development
R.A.D. - Rapid Application DevelopmentR.A.D. - Rapid Application Development
R.A.D. - Rapid Application DevelopmentMediotype .
 
Function Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniquesFunction Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniquesnimmik4u
 
Introduction to Extreme Programming
Introduction to Extreme ProgrammingIntroduction to Extreme Programming
Introduction to Extreme ProgrammingNaresh Jain
 
Uml difference faqs- 1
Uml difference faqs- 1Uml difference faqs- 1
Uml difference faqs- 1Umar Ali
 
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻小林 信行
 
Preventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - TamilPreventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - TamilAnanth Palaniappan
 
そうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えようそうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えようItsuki Inoue
 

Tendances (20)

Software Engineering Lab Manual
Software Engineering Lab ManualSoftware Engineering Lab Manual
Software Engineering Lab Manual
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineering
 
Maintenance management
Maintenance managementMaintenance management
Maintenance management
 
Pressman ch-21-project-management-concepts
Pressman ch-21-project-management-conceptsPressman ch-21-project-management-concepts
Pressman ch-21-project-management-concepts
 
Software design patterns ppt
Software design patterns pptSoftware design patterns ppt
Software design patterns ppt
 
List of Software Development Model and Methods
List of Software Development Model and MethodsList of Software Development Model and Methods
List of Software Development Model and Methods
 
Software Project Management
Software Project ManagementSoftware Project Management
Software Project Management
 
Theory of Constraints and Lean
Theory of Constraints and LeanTheory of Constraints and Lean
Theory of Constraints and Lean
 
Maintenance strategy
Maintenance strategyMaintenance strategy
Maintenance strategy
 
R.A.D. - Rapid Application Development
R.A.D. - Rapid Application DevelopmentR.A.D. - Rapid Application Development
R.A.D. - Rapid Application Development
 
Code Refactoring
Code RefactoringCode Refactoring
Code Refactoring
 
Function Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniquesFunction Oriented and Object Oriented Design,Modularization techniques
Function Oriented and Object Oriented Design,Modularization techniques
 
Introduction to Extreme Programming
Introduction to Extreme ProgrammingIntroduction to Extreme Programming
Introduction to Extreme Programming
 
Uml difference faqs- 1
Uml difference faqs- 1Uml difference faqs- 1
Uml difference faqs- 1
 
Spm tutorials
Spm tutorialsSpm tutorials
Spm tutorials
 
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
Unity道場08 Unityとアセットツールで学ぶ 「絵づくり」の基礎 ライティング 虎の巻
 
Preventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - TamilPreventive / Autonomous Maintenance - Beginners Guide - Tamil
Preventive / Autonomous Maintenance - Beginners Guide - Tamil
 
OEE-Practical-1.pptx
OEE-Practical-1.pptxOEE-Practical-1.pptx
OEE-Practical-1.pptx
 
Unified process Model
Unified process ModelUnified process Model
Unified process Model
 
そうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えようそうだPostProcess Materialで見た目を変えよう
そうだPostProcess Materialで見た目を変えよう
 

En vedette

Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
Alphorm.com Formation SOPHOS XG FIREWALL, Administration
Alphorm.com Formation SOPHOS XG FIREWALL, AdministrationAlphorm.com Formation SOPHOS XG FIREWALL, Administration
Alphorm.com Formation SOPHOS XG FIREWALL, AdministrationAlphorm
 
Alphorm.com Formation Excel 2016 Expert I - partie 1
Alphorm.com Formation Excel 2016 Expert I - partie 1Alphorm.com Formation Excel 2016 Expert I - partie 1
Alphorm.com Formation Excel 2016 Expert I - partie 1Alphorm
 
Nouveaux outils et dérives de la communication politique : interview exclusiv...
Nouveaux outils et dérives de la communication politique : interview exclusiv...Nouveaux outils et dérives de la communication politique : interview exclusiv...
Nouveaux outils et dérives de la communication politique : interview exclusiv...Damien ARNAUD
 
Fortinet UTM - les Fonctionnalités avancéese
Fortinet UTM - les Fonctionnalités avancéeseFortinet UTM - les Fonctionnalités avancéese
Fortinet UTM - les Fonctionnalités avancéeseAlphorm
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 

En vedette (9)

6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP AT6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP AT
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
Alphorm.com Formation SOPHOS XG FIREWALL, Administration
Alphorm.com Formation SOPHOS XG FIREWALL, AdministrationAlphorm.com Formation SOPHOS XG FIREWALL, Administration
Alphorm.com Formation SOPHOS XG FIREWALL, Administration
 
Alphorm.com Formation Excel 2016 Expert I - partie 1
Alphorm.com Formation Excel 2016 Expert I - partie 1Alphorm.com Formation Excel 2016 Expert I - partie 1
Alphorm.com Formation Excel 2016 Expert I - partie 1
 
Nouveaux outils et dérives de la communication politique : interview exclusiv...
Nouveaux outils et dérives de la communication politique : interview exclusiv...Nouveaux outils et dérives de la communication politique : interview exclusiv...
Nouveaux outils et dérives de la communication politique : interview exclusiv...
 
Fortinet UTM - les Fonctionnalités avancéese
Fortinet UTM - les Fonctionnalités avancéeseFortinet UTM - les Fonctionnalités avancéese
Fortinet UTM - les Fonctionnalités avancéese
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 

Similaire à Demystifying Binary Reverse Engineering - Pixels Camp

Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptxSameer Sapra
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Mapping Detection Coverage
Mapping Detection CoverageMapping Detection Coverage
Mapping Detection CoverageJared Atkinson
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Maven Logix
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guideintertelinvestigations
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
Static-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxStatic-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxShivashankarHR1
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community
 

Similaire à Demystifying Binary Reverse Engineering - Pixels Camp (20)

Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Mapping Detection Coverage
Mapping Detection CoverageMapping Detection Coverage
Mapping Detection Coverage
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
Tool up your lamp stack
Tool up your lamp stackTool up your lamp stack
Tool up your lamp stack
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP Stack
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Static-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxStatic-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptx
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBI
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
 

Dernier

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
Turn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxTurn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxStephen Sitton
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxLina Kadam
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...IJAEMSJORNAL
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Module-1-Building Acoustics(Introduction)(Unit-1).pdf
Module-1-Building Acoustics(Introduction)(Unit-1).pdfModule-1-Building Acoustics(Introduction)(Unit-1).pdf
Module-1-Building Acoustics(Introduction)(Unit-1).pdfManish Kumar
 
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Amil baba
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...Erbil Polytechnic University
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxRomil Mishra
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Sumanth A
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackinghadarpinhas1
 
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSHigh Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSsandhya757531
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...shreenathji26
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptxmohitesoham12
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTFUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTSneha Padhiar
 

Dernier (20)

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
Turn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxTurn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptx
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptx
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
ASME-B31.4-2019-estandar para diseño de ductos
ASME-B31.4-2019-estandar para diseño de ductosASME-B31.4-2019-estandar para diseño de ductos
ASME-B31.4-2019-estandar para diseño de ductos
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Module-1-Building Acoustics(Introduction)(Unit-1).pdf
Module-1-Building Acoustics(Introduction)(Unit-1).pdfModule-1-Building Acoustics(Introduction)(Unit-1).pdf
Module-1-Building Acoustics(Introduction)(Unit-1).pdf
 
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...
 
Versatile Engineering Construction Firms
Versatile Engineering Construction FirmsVersatile Engineering Construction Firms
Versatile Engineering Construction Firms
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and tracking
 
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSHigh Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptx
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTFUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
 

Demystifying Binary Reverse Engineering - Pixels Camp

  • 2.
  • 3. Reverse Engineering • Uncovering the hidden behaviour of a given technology, system, program, protocol or device, by analysing the structure and operation of its components • Extracting knowledge about any unknown engineering invention
  • 4. Reverse Engineering “Is biology reverse engineering?”
  • 6. Reverse Engineering
 History • Reversing was used to copy inventions from other countries or business competitors • Frequently used in the WW2 and Cold war: • Jerry can • Panzerschreck • Tupolev Tu-4 / B-29
  • 7. Binary Reverse Engineering Motivation • Software and hardware cracking • Malware analysis - botnets, spyware, ransomware • Finding bugs and developing 0day exploits • Creating or improving docs • Interpreting unknown protocols • Academic purposes • Industrial or military espionage • Software interoperability
  • 8. Who knows how to do this stuff? • Hackers in general • Intelligence agencies / cybercrime divisions • Antivirus companies • Students and curious people
  • 9. Binary Reverse Engineering • It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented.
  • 10. Binary Reverse Engineering • It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented. Without the source code???
  • 11. • It’s the process of getting knowledge about compiled software, in order to understand how it works and how it was originally implemented. WTF? WTF?WTF? Without the source code???Binary Reverse Engineering WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF? WTF?
  • 12. Binary Reverse Engineering Formats of compiled software • ELF (Linux & UNIX like) • Mach-O (OSX) • PE (Windows) • Class (Java bytecode) • DEX (Android - Dalvik bytecode) • PYC (Python bytecode) • …
  • 13.
  • 14. • Debugging (GDB, Valgrind, WinDbg) • Assembly (x86, x64, ARM, MIPS and many others) • Programming (C, C++, Java, etc) • Software architecture • Logic, math, crypto, protocols, networks • Don’t giving up Required skills
  • 15. Awesome tools • Disassemblers • Debuggers • Decompilers • Patchers
  • 16. Disassemblers These programs translate machine code to assembly.
  • 17. Debuggers These programs are used to test other programs. Debuggers allow us to inspect memory and CPU registers, modify of variables in runtime, set breakpoints and call functions outside the program flow. In reverse engineering we usually use them for dynamic analysis.
  • 18. Decompilers These programs try to achieve the near-impossible task of translating compiled software to the original source code. Sometimes, the generated code is more than enough to perform reversing tasks

  • 19. Patchers A patcher is very useful for changing binary code in order to modify the software behaviour. Hex editors can be used as patchers, but there are better tools in the wild, that allow us to patch assembly instructions.
  • 20. Badass tools • Disassemblers, debuggers and patchers • IDA Pro - https://www.hex-rays.com/products/ida • Hopper Disassembler - http://www.hopperapp.com • binary.ninja - https://binary.ninja • Radare 2 - http://rada.re • ODA - http://www.onlinedisassembler.com • OllyDbg - http://www.ollydbg.de • ILSpy - http://ilspy.net • Linux tools: objdump, ltrace, strace, readelf, gdb • Apktool - https://ibotpeaches.github.io/Apktool
  • 21. Badass tools • Decompilers • IDA Pro - https://www.hex-rays.com/products/ida (x86, x64, ARM, MIPS, Gameboy, etc) • Hopper Disassembler - http://www.hopperapp.com (x86, x64, ARM) • Retargetable Decompiler (AVG) - https://retdec.com (x86, ARM, MIPS, Power PC) • JADX - https://github.com/skylot/jadx (DEX) • Online android decompilers: http://www.javadecompilers.com/apk | http:// www.decompileandroid.com • JetBrains dotPeek - https://www.jetbrains.com/decompiler (.NET) • ILSpy - http://ilspy.net (.NET) • uncompyle2 - https://github.com/Mysterie/uncompyle2 (Python bytecode)
  • 22. Static Analysis • Do not execute the program • Read the spooky assembly/decompiled code • Inspect flow charts • Take lots of notes • Translate procedures to the programming language of your choice • It’s a pain in the ass to reverse obfuscated of very complex programs
  • 23. Dynamic Analysis • Execute the program • Inspect the program behaviour • Use a debugger to understand the values of the CPU registers, memory (stack, heap) and the guessed arguments for functions calls in a specific state of execution • It’s difficult to achieve if any anti-debugging protections exist (Some even crash IDA PRO)
  • 26. Demo 1 - Dynamic analysis https://goo.gl/XXoPCV
  • 27. Cracking • This demo was a very simple cracking scenario • The real stuff involves a much more complex task (static analysis, dynamic analysis, concolic analysis) • E.g. If you want to create a keygen you need to understand the serial number validation algorithm • You need to be a patching ninja to remove anti- cracking protections (usually triggered in runtime)
  • 28. Cracking • In the good old times: to crack a game you just needed to patch code to bypass PC-CDROM ID or Integrity checks • Reverse engineering is one of the main categories in Security CTFs • In CTFs, the contestants are typically challenged to solve cracking problems • The simplest case is just like the last demo. Find the correct input
  • 30. Cracking Advanced techniques • Timing attacks • When a char is correct: one more cycle is executed, i.e. more instructions • It’s possible to launch a timing attack, char by char • The attack complexity is reduced from to • How can we prevent this kind of attacks? • Tools for local binary timing attacks: Pin tool, GDB scripts
  • 31. Cracking Advanced techniques • Solvers • Serial number validation algorithms are usually composed by complex verifications, whose components are the values of certain indexes of the serial number. 
 
 E.g. • These verifications can be translated to systems of equations, that can be easily solved by powerful tools like Z3 Theorem Prover, Sage, Maple, Matlab • Z3 supports both arithmetic and bitwise operators, and custom functions as well.
  • 32. Cracking Advanced techniques - Z3 Python script Solutions
  • 33. What about the future? Predicting the future using Naive Mayes
  • 34. Let’s get to the powerful stuff
  • 35.
  • 36.
  • 37. DARPA CGC • A very important mark in the history of infosec • It was the first-ever all-machine hacking tournament • These machines were able to automatically find and patch vulnerabilities in binaries • The Mechanical Phish project, from the Shellphish team, was able to identify vulnerabilities using both fuzzing and symbolic execution techniques.
  • 39. DARPA CGC Mechanical Phish - ANGR • ANGR is a very powerful binary analysis framework. It was implemented mostly by the Shellphish team and is one of the main components of Driller • It’s one of the most recent open source technologies to perform reversing/cracking tasks • We can easily accomplish control-flow analysis, i.e., realize the damn conditions that make the program reach a specific state of execution • First, it translates the binary in VEX Intermediate Representation. Then, simulates instructions in a simulation engine: SimuVEX • Finally, they use a custom Z3 wrapper. It is called claripy: “a abstracted constraint-solving wrapper”
  • 40. Demo 2 - Angr https://goo.gl/42T4mi
  • 41. Ponce IDA plugin contest - 2016 • Taint analysis: this mode is used to understand and track where a user input occurs inside a program • Symbolic analysis: in this mode, the plugin maintains a symbolic state of registers and memory at each step in a binary’s execution path, allowing the user to solve user-controlled conditions to do manually guided execution
  • 42.
  • 43. RGAT An instruction trace visualisation tool
  • 44. Useful links to fry your brain (Over 1337 ºC) • Chill • https://github.com/RPISEC/MBE (lectures 2 and 3) • Reddit • https://reddit.com/r/reverseengineering • https://reddit.com/r/netsec • Practice • http://reversing.kr • https://ringzer0team.com • http://crackmes.de • https://ctftime.org (Read CTF writeups and try to solve some challenges) • Play CTFs (Hackover CTF just started and HITCON CTF starts in 7 hours)
  • 45. The end Why secure
 my code…
 I’ll just hide it! Security through obscurity