Abstract image of a woman sitting on books and studying on a laptop

DEF CON 23 - CHRIS DOMAS - REpsych

Felipe Prado, profile picture
Felipe Prado

The document discusses reverse engineering techniques and obfuscation using only the mov instruction. It describes how an experienced reverse engineer would approach analyzing code that has been obfuscated to only use mov instructions by tracking data flows and values. An example of obfuscated mov-only code is provided.

Technology
Related topics:
Information Security
1 of 125
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
REpsych : psycholigical warfare in reverse engineering def con 2015 // domas{
This serves no purpose Warning
Taking something apart … … to figure out how it works With software… Interfacing Documentation Obsolescence Bug fixing Academic Reverse Engineering?
Taking something apart … … to figure out how it works With software… Military/commercial espionage Unauthorized duplication Security analysis Vulnerability analysis Malware analysis Reverse Engineering?
Whenever we write something awesome… Video game Encryption algorithm Malware 0-Day RAT … someone, at some point, is going to … Capture it Dissect it Reverse it Reverse Engineering?
If you don’t want your work destroyed … … it pays to plan ahead Anti-RE
Encryption Obfuscation Anti-debugging Anti-RE
objdump –d –Mintel a.out Reverse Engineering.
4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb>
mov is Turing-complete Stephen Dolan http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
mov destination, source mov
Any code we write … … can be written as a set of movs instead … and nothing else Really? That’d be tough to reverse engineer, wouldn’t it? Turing Complete?
4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb>
80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
mov-only C Compiler https://github.com/xoreaxeaxeax First single instruction C compiler! The M/o/Vfuscator
factor 20460 prime decss Lost M/o/Vfuscator The M/o/Vfuscator
Crackmes The M/o/Vfuscator
How would an experienced reverse engineer approach this?
mov [dword 0x80a0451],edx mov eax,0x0 mov ax,[0x80a0451] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a0451],al mov eax,[0x80a0556] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a044d] mov eax,[eax+0x80a054e] mov dword [eax],0x139 mov eax,[0x80a044d] mov eax,[eax+0x80a055e] mov dword [eax],0x0 mov eax,[0x80a044d] mov eax,[eax+0x80a056e] mov dword [eax],0x4 mov eax,[0x80a0556] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,0x0 mov ax,[0x80a0546] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a044d],al mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a0566] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a0438] mov edx,[dword 0x80a0516] mov eax,0x0 mov al,[ebx+edx] mov al,[eax+0x80a09ba] mov edx,[eax+0x80a058e] mov eax,[0x80a0451]
mov [dword 0x80a0451],edx mov eax,0x0 mov ax,[0x80a0451] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a0451],al mov eax,[0x80a0556] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a044d] mov eax,[eax+0x80a054e] mov dword [eax],0x139 mov eax,[0x80a044d] mov eax,[eax+0x80a055e] mov dword [eax],0x0 mov eax,[0x80a044d] mov eax,[eax+0x80a056e] mov dword [eax],0x4 mov eax,[0x80a0556] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,0x0 mov ax,[0x80a0546] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a044d],al mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a0566] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a0438] mov edx,[dword 0x80a0516] mov eax,0x0 mov al,[ebx+edx] mov al,[eax+0x80a09ba] mov edx,[eax+0x80a058e] mov eax,[0x80a0451]
Anti-RE Code doesn’t have to be hard to reverse Just need to make the reverser give up Realization
Demoralization Break down the reverser Psychological Warfare
How else can we make a reverser quit? Psychological Warfare
DEF CON 23 - CHRIS DOMAS - REpsych
Sending messages…
..cantor.dust..
Visualize data patterns Default: entropy distribution ..cantor.dust..
..cantor.dust..
Send a message? Run a message through an inverse Hilbert transform Rebuild program to match desired entropy ..cantor.dust..
..cantor.dust..
Strings? Sending messages
These are horrible… No one will ever see the message And if they do, they won’t care Need something better… Sending messages
IDA
IDA
Control flow graphs…
IDA…
Hopper…
BinNavi…
Radare…
We’ll look at IDA But the algorithm will work on anything IDA
If you stare at these control graphs long enough… … they almost start to look like things Idea…
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Could we send a message through a CFG? Reverse engineer IDA? Yep! Drawing with CFGs
Draw horizontal lines: Switch “Orphan” jumps jmp a jmp a jmp a jmp a jmp a jmp a a: Idea 1
DEF CON 23 - CHRIS DOMAS - REpsych
Draw vertical lines: Non-branching code nop nop nop nop nop nop Idea 1
DEF CON 23 - CHRIS DOMAS - REpsych
Combining the two Etch-a-sketch, in IDA! Idea 1
top: jmp left jmp top_end … ; repeat jmp right_side top_end: jmp $ left_side: nop … ; repeat jmp bottom_left right_side: nop … ; repeat jmp bottom_right bottom: botton_left: jmp bottom_end … ; repeat bottom_right: bottom_end: ret
DEF CON 23 - CHRIS DOMAS - REpsych
IDA tries to align blocks in a given row Observation
top: jmp left jmp top_end … ; repeat jmp right_side top_end: jmp $ left_side: jmp $+2 … ; repeat jmp bottom_left right_side: jmp $+2 … ; repeat jmp bottom_right bottom: botton_left: jmp bottom_end … ; repeat bottom_right: bottom_end: ret
DEF CON 23 - CHRIS DOMAS - REpsych
IDA tries to keep rows/columns together But minimize branching distance Observation
Hour of tinkering Couldn’t make it work Try something else Separating the columns
We have some control over how rows are arranged Depends on nodes between IDA has all the control over columns Can rearrange parent nodes and branches to keep columns close together R.I.P. Idea 1
Force IDA to keep things in order Tie nodes together as tightly as possible Prevent rearranging Idea 2
A node
A tightly woven CFG
x: a0: je b1 b0: je c1 c0: je d1 d0: jmp F a1: je b2 b1: je c2 c1: je d2 d1: jmp F a2: je b3 b2: je c3 c2: je d3 d2: jmp F a3: b3: c3: d3: jmp F F:
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
%macro column 3-4 "nonempty" %assign r 0 %assign c %1 %rep %2-1 %assign nr r+1 %assign nc c+1 e_%+r%+_%+c: %ifidn %4, "empty" %else je e_%+nr%+_%+nc %endif %assign r r+1 %endrep e_%+r%+_%+c: jmp %3 %endmacro
DEF CON 23 - CHRIS DOMAS - REpsych
“Weave” the CFG together Turn “pixel” off by removing node? Idea 2, continued
A tightly woven CFG
DEF CON 23 - CHRIS DOMAS - REpsych
A tightly woven CFG
A tightly woven CFG, II
x: e_0_0: je e_1_1 jmp done e_0_1: je e_2_1 e_1_0: je e_2_1 jmp done e_0_2: je e_1_3 e_1_1: je e_2_2 e_2_0: je e_3_1 jmp done e_0_3: je done e_1_2: je e_2_3 e_2_1: je e_3_2 e_3_0: jmp done e_1_3: je done e_2_2: je e_3_3 e_3_1: jmp done e_2_3: je done e_3_2: jmp done e_3_3: jmp done done: ret ; e_0_0 e_0_1 e_0_2 e_0_3 ; e_1_0 e_1_1 e_1_2 e_1_3 ; e_2_0 e_2_1 e_2_2 e_2_3 ; e_3_0 e_3_1 e_3_2 e_3_3
DEF CON 23 - CHRIS DOMAS - REpsych
; row, column, width, height, done %macro diag 5 %assign r %1 %assign c %2 %assign width %3 %assign height %4 %rep 256 ; max size %assign nr r+1 %assign nc c+1 e_%+r%+_%+c: %if nr >= height %elif nc >= width je e_%+nr%+_%+c %else %if c == 0 jmp e_%+nr%+_%+nc %exitrep %else je e_%+nr%+_%+nc %endif %endif %assign r r+1 %assign c c-1 %if r>=width jmp %5 %exitrep %endif %endrep %endmacro
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
We still can’t remove a node R.I.P. Idea 2
Leave all nodes Fill with code if “on” Leave empty if “off” Idea 3
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
“Empty” pixel still needs 2 lines Increase contrast by reducing impact of those 2 Reduce impact by increasing height Increase height by increasing width vfmaddsub132ps xmm0, xmm1, xmmword ptr cs:[edi+esi*4+8068860h] Enhance contrast
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Insert always on column Almost there
DEF CON 23 - CHRIS DOMAS - REpsych
Add a junk code generator Almost there
movzx eax, bh movzx ecx, dh dec ecx xor ebx, ecx lea ebx, [ebp+1*4] mov eax, 3526025642 or eax, 188401817 mov ah, 4 lea eax, [ecx+4*edx] test edx, eax mov cl, 2 add ebx, ecx shr eax, 21 movzx ecx, dl add ebx, ecx shr eax, 25 mov ah, 4 test edx, eax shr ecx, 19 movzx eax, bh or eax, 2742937504 mov ah, 4 and edx, eax
BMP to %assign converter Almost there
%assign pixel_13_5 1 %assign pixel_14_5 1 %assign pixel_15_5 0 %assign pixel_16_5 1 %assign pixel_17_5 0 %assign pixel_18_5 1 %assign pixel_19_5 1 %assign pixel_20_5 0 %assign pixel_21_5 1 %assign pixel_22_5 0 %assign pixel_23_5 0 %assign pixel_24_5 0 %assign pixel_25_5 1 %assign pixel_0_6 1 %assign pixel_1_6 1 %assign pixel_2_6 1 %assign pixel_3_6 1 %assign pixel_4_6 1 %assign pixel_5_6 1 %assign pixel_6_6 1 %assign pixel_7_6 1
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
REpsych Toolchain Generates assembly … … to form images through CFGs (Demo) REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Reverser is forced to sit and stare at whatever message you embed Use it to your advantage, crush their soul Psychological Warfare
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
(Draw an assembly selfie) Grayscale
DEF CON 23 - CHRIS DOMAS - REpsych
Stego
the_interview.exe More ideas
DEF CON 23 - CHRIS DOMAS - REpsych
QR a.k.a. the ultimate CTF problem More ideas
DEF CON 23 - CHRIS DOMAS - REpsych
Creepiest malware ever Scans your hard disk Rewrites itself to match your personal images (Demo) More ideas
14 lines of assembly 328 lines of preprocessor macros
github.com/xoreaxeaxeax REpysch M/o/Vfuscator 2.0 x86 0-day POC Etc. Feedback? domas @xoreaxeaxeax xoreaxeaxeax@gmail.com
DEF CON 23 - CHRIS DOMAS - REpsych

More Related Content

PDF
20120822 joxa
ericbmerritt
 
PDF
Texconf11
fusion2011
 
PDF
Recentrer l'intelligence artificielle sur les connaissances
Mathieu d'Aquin
 
PDF
reductio [ad absurdum]
Shakacon
 
PPTX
17
dano2osu
 
PDF
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
Hackito Ergo Sum
 
PDF
BlueTeam-RedTeam Exercise - Backdoor containment
giacomo83m
 
PPTX
Basic ASM by @binaryheadache
camsec
 
20120822 joxa
ericbmerritt
 
Texconf11
fusion2011
 
Recentrer l'intelligence artificielle sur les connaissances
Mathieu d'Aquin
 
reductio [ad absurdum]
Shakacon
 
17
dano2osu
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
Hackito Ergo Sum
 
BlueTeam-RedTeam Exercise - Backdoor containment
giacomo83m
 
Basic ASM by @binaryheadache
camsec
 

Similar to DEF CON 23 - CHRIS DOMAS - REpsych (20)

PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
PPTX
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
corehard_by
 
PPTX
Protecting C++
Pavel Filonov
 
PPTX
Examining Malware with Python
mrphilroth
 
PPTX
Microcontroller Introduction and the various features
vipulkondekar
 
PDF
Memory management
Rajni Sirohi
 
PDF
Stale pointers are the new black
Vincenzo Iozzo
 
PPTX
C++ and Assembly: Debugging and Reverse Engineering
corehard_by
 
PPT
Advance ROP Attacks
n|u - The Open Security Community
 
PDF
Microprocessor 8086-lab-mannual
yeshwant gadave
 
PPT
8051assembly language
Hisham Mat Hussin
 
PDF
Chapter1c
MaeEstherMaguadMaralit
 
PDF
Lenguaje ensamblador EMU8086
Santy Bolo
 
PDF
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Asuka Nakajima
 
PDF
Instalación de emu8086 y compilados
Diego Erazo
 
PDF
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
PPTX
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
PDF
台科逆向簡報
耀德 蔡
 
PDF
The walking 0xDEAD
Carlos Garcia Prado
 
PPT
C for Microcontrollers
LloydMoore
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
corehard_by
 
Protecting C++
Pavel Filonov
 
Examining Malware with Python
mrphilroth
 
Microcontroller Introduction and the various features
vipulkondekar
 
Memory management
Rajni Sirohi
 
Stale pointers are the new black
Vincenzo Iozzo
 
C++ and Assembly: Debugging and Reverse Engineering
corehard_by
 
Advance ROP Attacks
n|u - The Open Security Community
 
Microprocessor 8086-lab-mannual
yeshwant gadave
 
8051assembly language
Hisham Mat Hussin
 
Chapter1c
MaeEstherMaguadMaralit
 
Lenguaje ensamblador EMU8086
Santy Bolo
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Asuka Nakajima
 
Instalación de emu8086 y compilados
Diego Erazo
 
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
台科逆向簡報
耀德 蔡
 
The walking 0xDEAD
Carlos Garcia Prado
 
C for Microcontrollers
LloydMoore
 
Ad

More from Felipe Prado (20)

PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
PDF
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
PDF
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
Ad

Recently uploaded (20)

DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
What is a Computer? Input Devices /output devices
GulJan8
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 

DEF CON 23 - CHRIS DOMAS - REpsych

  • 1. REpsych : psycholigical warfare in reverse engineering def con 2015 // domas{
  • 2. This serves no purpose Warning
  • 3. Taking something apart … … to figure out how it works With software… Interfacing Documentation Obsolescence Bug fixing Academic Reverse Engineering?
  • 4. Taking something apart … … to figure out how it works With software… Military/commercial espionage Unauthorized duplication Security analysis Vulnerability analysis Malware analysis Reverse Engineering?
  • 5. Whenever we write something awesome… Video game Encryption algorithm Malware 0-Day RAT … someone, at some point, is going to … Capture it Dissect it Reverse it Reverse Engineering?
  • 6. If you don’t want your work destroyed … … it pays to plan ahead Anti-RE
  • 8. objdump –d –Mintel a.out Reverse Engineering.
  • 9. 4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb>
  • 10. mov is Turing-complete Stephen Dolan http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
  • 12. Any code we write … … can be written as a set of movs instead … and nothing else Really? That’d be tough to reverse engineer, wouldn’t it? Turing Complete?
  • 13. 4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb>
  • 14. 80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
  • 15. mov-only C Compiler https://github.com/xoreaxeaxeax First single instruction C compiler! The M/o/Vfuscator
  • 18. How would an experienced reverse engineer approach this?
  • 19. mov [dword 0x80a0451],edx mov eax,0x0 mov ax,[0x80a0451] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a0451],al mov eax,[0x80a0556] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a044d] mov eax,[eax+0x80a054e] mov dword [eax],0x139 mov eax,[0x80a044d] mov eax,[eax+0x80a055e] mov dword [eax],0x0 mov eax,[0x80a044d] mov eax,[eax+0x80a056e] mov dword [eax],0x4 mov eax,[0x80a0556] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,0x0 mov ax,[0x80a0546] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a044d],al mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a0566] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a0438] mov edx,[dword 0x80a0516] mov eax,0x0 mov al,[ebx+edx] mov al,[eax+0x80a09ba] mov edx,[eax+0x80a058e] mov eax,[0x80a0451]
  • 20. mov [dword 0x80a0451],edx mov eax,0x0 mov ax,[0x80a0451] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a0451],al mov eax,[0x80a0556] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a044d] mov eax,[eax+0x80a054e] mov dword [eax],0x139 mov eax,[0x80a044d] mov eax,[eax+0x80a055e] mov dword [eax],0x0 mov eax,[0x80a044d] mov eax,[eax+0x80a056e] mov dword [eax],0x4 mov eax,[0x80a0556] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,0x0 mov ax,[0x80a0546] mov byte [eax+0x80e17bc],0x0 mov al,[eax+0x80e17bc] mov [0x80a044d],al mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0451] mov eax,[eax+edx] mov [0x80a044d],eax mov eax,[0x80a0566] mov eax,[eax+0x80a05a6] mov [0x80a0451],eax mov eax,[0x80a044d] mov edx,[eax+0x80a058e] mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a051e] mov eax,[ebx] mov edx,0x0 mov dx,[eax+eax+0x80c0bba] mov [ebx],edx mov eax,[0x80a0556] mov ebx,[eax+0x80a0438] mov edx,[dword 0x80a0516] mov eax,0x0 mov al,[ebx+edx] mov al,[eax+0x80a09ba] mov edx,[eax+0x80a058e] mov eax,[0x80a0451]
  • 21. Anti-RE Code doesn’t have to be hard to reverse Just need to make the reverser give up Realization
  • 22. Demoralization Break down the reverser Psychological Warfare
  • 23. How else can we make a reverser quit? Psychological Warfare
  • 27. Visualize data patterns Default: entropy distribution ..cantor.dust..
  • 29. Send a message? Run a message through an inverse Hilbert transform Rebuild program to match desired entropy ..cantor.dust..
  • 32. These are horrible… No one will ever see the message And if they do, they won’t care Need something better… Sending messages
  • 33. IDA
  • 34. IDA
  • 40. We’ll look at IDA But the algorithm will work on anything IDA
  • 41. If you stare at these control graphs long enough… … they almost start to look like things Idea…
  • 45. Could we send a message through a CFG? Reverse engineer IDA? Yep! Drawing with CFGs
  • 46. Draw horizontal lines: Switch “Orphan” jumps jmp a jmp a jmp a jmp a jmp a jmp a a: Idea 1
  • 48. Draw vertical lines: Non-branching code nop nop nop nop nop nop Idea 1
  • 51. top: jmp left jmp top_end … ; repeat jmp right_side top_end: jmp $ left_side: nop … ; repeat jmp bottom_left right_side: nop … ; repeat jmp bottom_right bottom: botton_left: jmp bottom_end … ; repeat bottom_right: bottom_end: ret
  • 53. IDA tries to align blocks in a given row Observation
  • 54. top: jmp left jmp top_end … ; repeat jmp right_side top_end: jmp $ left_side: jmp $+2 … ; repeat jmp bottom_left right_side: jmp $+2 … ; repeat jmp bottom_right bottom: botton_left: jmp bottom_end … ; repeat bottom_right: bottom_end: ret
  • 56. IDA tries to keep rows/columns together But minimize branching distance Observation
  • 57. Hour of tinkering Couldn’t make it work Try something else Separating the columns
  • 58. We have some control over how rows are arranged Depends on nodes between IDA has all the control over columns Can rearrange parent nodes and branches to keep columns close together R.I.P. Idea 1
  • 59. Force IDA to keep things in order Tie nodes together as tightly as possible Prevent rearranging Idea 2
  • 62. x: a0: je b1 b0: je c1 c0: je d1 d0: jmp F a1: je b2 b1: je c2 c1: je d2 d1: jmp F a2: je b3 b2: je c3 c2: je d3 d2: jmp F a3: b3: c3: d3: jmp F F:
  • 65. %macro column 3-4 "nonempty" %assign r 0 %assign c %1 %rep %2-1 %assign nr r+1 %assign nc c+1 e_%+r%+_%+c: %ifidn %4, "empty" %else je e_%+nr%+_%+nc %endif %assign r r+1 %endrep e_%+r%+_%+c: jmp %3 %endmacro
  • 67. “Weave” the CFG together Turn “pixel” off by removing node? Idea 2, continued
  • 71. A tightly woven CFG, II
  • 72. x: e_0_0: je e_1_1 jmp done e_0_1: je e_2_1 e_1_0: je e_2_1 jmp done e_0_2: je e_1_3 e_1_1: je e_2_2 e_2_0: je e_3_1 jmp done e_0_3: je done e_1_2: je e_2_3 e_2_1: je e_3_2 e_3_0: jmp done e_1_3: je done e_2_2: je e_3_3 e_3_1: jmp done e_2_3: je done e_3_2: jmp done e_3_3: jmp done done: ret ; e_0_0 e_0_1 e_0_2 e_0_3 ; e_1_0 e_1_1 e_1_2 e_1_3 ; e_2_0 e_2_1 e_2_2 e_2_3 ; e_3_0 e_3_1 e_3_2 e_3_3
  • 74. ; row, column, width, height, done %macro diag 5 %assign r %1 %assign c %2 %assign width %3 %assign height %4 %rep 256 ; max size %assign nr r+1 %assign nc c+1 e_%+r%+_%+c: %if nr >= height %elif nc >= width je e_%+nr%+_%+c %else %if c == 0 jmp e_%+nr%+_%+nc %exitrep %else je e_%+nr%+_%+nc %endif %endif %assign r r+1 %assign c c-1 %if r>=width jmp %5 %exitrep %endif %endrep %endmacro
  • 81. We still can’t remove a node R.I.P. Idea 2
  • 82. Leave all nodes Fill with code if “on” Leave empty if “off” Idea 3
  • 88. “Empty” pixel still needs 2 lines Increase contrast by reducing impact of those 2 Reduce impact by increasing height Increase height by increasing width vfmaddsub132ps xmm0, xmm1, xmmword ptr cs:[edi+esi*4+8068860h] Enhance contrast
  • 95. Insert always on column Almost there
  • 97. Add a junk code generator Almost there
  • 98. movzx eax, bh movzx ecx, dh dec ecx xor ebx, ecx lea ebx, [ebp+1*4] mov eax, 3526025642 or eax, 188401817 mov ah, 4 lea eax, [ecx+4*edx] test edx, eax mov cl, 2 add ebx, ecx shr eax, 21 movzx ecx, dl add ebx, ecx shr eax, 25 mov ah, 4 test edx, eax shr ecx, 19 movzx eax, bh or eax, 2742937504 mov ah, 4 and edx, eax
  • 99. BMP to %assign converter Almost there
  • 100. %assign pixel_13_5 1 %assign pixel_14_5 1 %assign pixel_15_5 0 %assign pixel_16_5 1 %assign pixel_17_5 0 %assign pixel_18_5 1 %assign pixel_19_5 1 %assign pixel_20_5 0 %assign pixel_21_5 1 %assign pixel_22_5 0 %assign pixel_23_5 0 %assign pixel_24_5 0 %assign pixel_25_5 1 %assign pixel_0_6 1 %assign pixel_1_6 1 %assign pixel_2_6 1 %assign pixel_3_6 1 %assign pixel_4_6 1 %assign pixel_5_6 1 %assign pixel_6_6 1 %assign pixel_7_6 1
  • 108. REpsych Toolchain Generates assembly … … to form images through CFGs (Demo) REpsych
  • 111. Reverser is forced to sit and stare at whatever message you embed Use it to your advantage, crush their soul Psychological Warfare
  • 115. (Draw an assembly selfie) Grayscale
  • 117. Stego
  • 120. QR a.k.a. the ultimate CTF problem More ideas
  • 122. Creepiest malware ever Scans your hard disk Rewrites itself to match your personal images (Demo) More ideas
  • 123. 14 lines of assembly 328 lines of preprocessor macros
  • 124. github.com/xoreaxeaxeax REpysch M/o/Vfuscator 2.0 x86 0-day POC Etc. Feedback? domas @xoreaxeaxeax xoreaxeaxeax@gmail.com