Analyse and binary transformation
Guillaume Bouffard
Limoges, September 8, 2010
Outline
1. Introduction
   - Technicolor
   - My Internship
2. Profiling step
3. Translation step
4. Binary Modification
   - ELF Format
   - Diablo
   - Samples
5. Proof Of Concept
6. Conclusion
Technicolor
Security and Content Protection Labs
Technicolor: creating, managing and delivering video for the Communication, Media and Entertainment industries.
Their work:
- Cryptography
- Signal processing for security
- Content protection (DRM)
- Network security
- Tamper resistance
Context
The Internship Context
- Illegal software duplication and intellectual property theft
- Software protection vs. hardware protection
- Hardware protection?
Subject
Starting point: a binary executable without source code.
- Search for the sensitive part of the binary application in a generic way
- Extract the sensitive piece of code
- Translate the sensitive piece of code
- Protect the piece of code in a dongle
- Insert instructions to communicate with the dongle
- Modify the binary executable so that it no longer contains the sensitive part
Motivation
What was my motivation?
- A blend of compilation and smart card problems
- Discover the computer science underground
- Think about a research subject
Application Profiling
What do you want to find?
- Each executed piece of binary code
- Find the sensitive parts
What tools can do that?
- OProfile
- Valgrind
Translation step
The Goal
- Protect the sensitive pieces of code in a dongle
- These pieces of code are executed by the dongle
=> A solution: UQBT
Executable and Linkable Format
- Used by Unices & GNU/Linux
- Each section is linked
How can I modify this file format?

Layout of an ELF file (figure):
    ELF header
    Program header table
    .text
    .rodata
    ...
    .data
    Section header table
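As an added example (not code from the slides, from Diablo or from the internship), the Python below answers "how can I modify this file format" at the byte level: it builds a constructed minimal ELF32 image whose .text holds the "mov eax,0x0 ; leave ; ret" of the hello world slide at 0x804820c, walks the section header table, maps an address of the kind Diablo prints to a file offset, and rewrites the immediate of that mov while refusing to touch any other instruction. The image layout, section contents and helper names are assumptions.

```python
import struct

# Constructed sample, not a binary from the slides: minimal ELF32 (i386) image
# whose .text holds the slide's "mov eax,0x0 ; leave ; ret" at 0x804820c.
TEXT_VADDR = 0x804820C
TEXT_BYTES = bytes.fromhex("b800000000c9c3")  # mov eax,0x0 ; leave ; ret
SHSTRTAB = b"\0.text\0.shstrtab\0"            # section-name string table
SHDR_FMT = "<IIIIIIIIII"  # Elf32_Shdr: name type flags addr off size link info align entsize

def build_sample_elf():
    """Lay out: ELF header | .text | .shstrtab | section header table (3 entries)."""
    text_off = 52                                   # right after the 52-byte ELF32 header
    shstr_off = text_off + len(TEXT_BYTES)
    shoff = shstr_off + len(SHSTRTAB)
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # ELF32, little-endian, version 1
    # e_type=EXEC e_machine=i386 e_version e_entry e_phoff e_shoff e_flags
    # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x80481F0, 0, shoff,
                                 0, 52, 32, 0, 40, 3, 2)
    text_sh = struct.pack(SHDR_FMT, 1, 1, 6, TEXT_VADDR, text_off, len(TEXT_BYTES), 0, 0, 16, 0)
    shstr_sh = struct.pack(SHDR_FMT, 7, 3, 0, 0, shstr_off, len(SHSTRTAB), 0, 0, 1, 0)
    return ehdr + TEXT_BYTES + SHSTRTAB + bytes(40) + text_sh + shstr_sh  # bytes(40): null section

def read_sections(elf):
    """Walk the section header table; return {name: (vaddr, file_offset, size)}."""
    if elf[:5] != b"\x7fELF\x01":
        raise ValueError("not an ELF32 image")
    (shoff,) = struct.unpack_from("<I", elf, 32)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 46)
    shdrs = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]                     # file offset of .shstrtab
    sections = {}
    for name_idx, _type, _flags, addr, off, size, *_ in shdrs:
        name = elf[strtab + name_idx:elf.index(b"\0", strtab + name_idx)].decode()
        sections[name] = (addr, off, size)
    return sections

def vaddr_to_offset(sections, vaddr):
    """Map an address as printed by Diablo (e.g. 0x804820c) to its file offset."""
    for addr, off, size in sections.values():
        if addr and addr <= vaddr < addr + size:
            return off + (vaddr - addr)
    raise ValueError(f"{vaddr:#x} is not inside any loaded section")

def patch_mov_eax_imm(elf, vaddr, new_value):
    """Rewrite the imm32 of the 'mov eax,imm32' (opcode B8) at vaddr; refuse to
    modify bytes that are not that instruction, so a wrong address cannot corrupt code."""
    off = vaddr_to_offset(read_sections(elf), vaddr)
    if elf[off] != 0xB8:
        raise ValueError(f"no 'mov eax,imm32' at {vaddr:#x}")
    return elf[:off + 1] + struct.pack("<I", new_value) + elf[off + 5:]
```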
Diablo
Inputs: linked program, map file (.map), object files (.o)
Pipeline (figure):
    Parser -> Disassemble -> Flowgraph -> Some modifications -> Disflowgraph -> Assemble -> Modified binary
Brief overview of assembler
Source (hello_world):
    #include <stdio.h>
    ...
    int main(void)
    {
        printf("hello world\n");
        return EXIT_SUCCESS;
    }
Disassembly of main:
    <main>:
      mov DWORD PTR [esp],0x8096188
      call 80486c0 <_IO_printf>
      mov eax,0x0
      leave
      ret
Run:
    $ ./hello_world
    hello world
Register and stack contents as main executes (slide animation): the slide steps (%esp) through "some value", 0x8096188 (the address stored at the top of the stack as printf's argument) and "printf return value", and (%eax) through "some value" and 0x00 (set by mov eax,0x0 just before ret).
Hello World
Diablo's listing of main in hello_world (basic blocks between the HELL and EXIT HELL markers):
    HELL
    bbl at 0x80481f0 (in main at 0x80481f0)
    ...
    0x8048200 : movl DWORD PTR [%esp],0x8096188
    0x8048207 : call 80486c0
    _IO_printf (0x80486c0)
    bbl at 0x804820c (in main at 0x80481f0)
    0x804820c : movl %eax,0x0
    0x8048211 : leave
    0x8048212 : ret
    EXIT
    EXIT HELL
MyFunction.o, the code to insert:
    int MyFunction(char *msg)
    {
        FILE *file = fopen("output", "w");
        fprintf(file, msg);   /* msg is passed directly as the format string, matching the two-argument call below */
        fclose(file);
        return EXIT_SUCCESS;
    }
Disassembly of MyFunction.o (not yet linked, so the string addresses are still 0x0 and the call displacements are unresolved relocations pointing at the next instruction):
    <MyFunction>:
      mov DWORD PTR [esp+4],0x0
      mov DWORD PTR [esp],0x0
      call 16 <MyFunction+0x16>
      mov DWORD PTR [ebp-4],eax
      mov eax,DWORD PTR [ebp+8]
      mov DWORD PTR [esp+4],eax
      mov eax,DWORD PTR [ebp-4]
      mov DWORD PTR [esp],eax
      call 2b <MyFunction+0x2b>
      mov eax,DWORD PTR [ebp-4]
      mov DWORD PTR [esp],eax
      call 36 <MyFunction+0x36>
      mov eax,0x0
      leave
      ret
CouCou World
ELF layout after MyFunction has been inserted into .text (figure), shown alongside the same Diablo listing of main as on the previous slide:
    ELF header
    Program header table
    .text
        MyFunction
    .rodata
    ...
    .data
    Section header table