hitb 2009
play

HITB 2009 Metasm Debugger Analysis of a protection Compiler - PowerPoint PPT Presentation

Mar 11, 2023 •167 likes •767 views

Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009 Metasm Debugger Analysis of a protection Compiler

  1. Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009

  2. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 2/55

  3. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Metasm a pure ruby opensource framework assembler/dissassembler Ia32 (16/32/64bits), mips Even supports cr7 debugger linux, windows, remote compiler/decompiler (more or less :) GUI included ! A. Gazet, Y. Guillot Binary deprotection with metasm 3/55

  4. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 4/55

  5. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Debugger A. Gazet, Y. Guillot Binary deprotection with metasm 5/55

  6. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Debugger A. Gazet, Y. Guillot Binary deprotection with metasm 6/55

  7. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Features Direct manipulation of the OS primitives sys ptrace WaitForDebugEvent Very fine & low-level control Unified high-level interface Linux, Windows, GDBserver Conditionnal breakpoints, callback. . . A. Gazet, Y. Guillot Binary deprotection with metasm 7/55

  8. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 8/55

  9. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler C Compiler Rudimentary C compiler x86 only Framework integration easy to leverage Easy to customize e.g. dynamic symbol resolution A. Gazet, Y. Guillot Binary deprotection with metasm 9/55

  10. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan Metasm 1 Debugger Compiler Disassembler Binding Backtracking Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 10/55

  11. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembler A. Gazet, Y. Guillot Binary deprotection with metasm 11/55

  12. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembly The reference: IDA Pro Excellent on unobfuscated binaries Not so useful on protected code No code interpretation Strong hypothesis Hypothesis Both branches are taken on a conditionnal jump Two instructions never overlap A subfunction call returns A. Gazet, Y. Guillot Binary deprotection with metasm 12/55

  13. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Disassembly The reference: IDA Pro Excellent on unobfuscated binaries Not so useful on protected code No code interpretation Strong hypothesis Hypothesis Both branches are taken on a conditionnal jump Two instructions never overlap A subfunction call returns A. Gazet, Y. Guillot Binary deprotection with metasm 12/55

  14. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Hypothesis: all call returns . t e x t :00403 E9F loc 403E9F : ; CODE XREF: .text: loc_40CDEF . t e x t :00403 E9F push ebp . t e x t :00403 EA0 push ecx . t e x t :00403 EA1 push ebp . t e x t :00403 EA2 c a l l sub 40BECD . t e x t :00403 EA7 outsb . t e x t :00403 EA8 edx , cmp esp . t e x t :00403 EAA push esp . t e x t :00403 EAB i n c e s i A. Gazet, Y. Guillot Binary deprotection with metasm 13/55

  15. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Failure . t e x t :0040 BECD sub 40BECD proc near ; CODE XREF: .text :00 . t e x t :0040 BECD cmp eax , ebp . t e x t :0040 BECF [ esp +0] , 1 add dword ptr . t e x t :0040 BED4 t e s t ebx , 1 E2h . t e x t :0040 BEDA 0 Ch retn . t e x t :0040 BEDA sub 40BECD endp A. Gazet, Y. Guillot Binary deprotection with metasm 14/55

  16. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Our solution: Express instruction effects through symbolic expressions. This associates semantics to each instruction. Instruction ADD : r e s = Expression [ [ a [ 0 ] , :& , mask ] , :+ , [ a [ 1 ] , :& , mask ] ] binding [ a [ 0 ] ] = r e s binding [ : e f l a g z ] = Expression [ [ res , :& , mask ] , :==, 0] binding [ : e f l a g s ] = s i g n [ r e s ] binding [ : e f l a g c ] = Expression [ res , : > , mask ] binding [ : e f l a g o ] = Expression [ [ s i g n [ a [ 0 ] ] , :==, s i g n [ a [ 1 ] ] ] , : ’&&’ , [ s i g n [ a [ 0 ] ] , : ’!=’ , s i g n [ r e s ] ] ] A. Gazet, Y. Guillot Binary deprotection with metasm 15/55

  17. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Our solution: Express instruction effects through symbolic expressions. This associates semantics to each instruction. Instruction ADD : r e s = Expression [ [ a [ 0 ] , :& , mask ] , :+ , [ a [ 1 ] , :& , mask ] ] binding [ a [ 0 ] ] = r e s binding [ : e f l a g z ] = Expression [ [ res , :& , mask ] , :==, 0] binding [ : e f l a g s ] = s i g n [ r e s ] binding [ : e f l a g c ] = Expression [ res , : > , mask ] binding [ : e f l a g o ] = Expression [ [ s i g n [ a [ 0 ] ] , :==, s i g n [ a [ 1 ] ] ] , : ’&&’ , [ s i g n [ a [ 0 ] ] , : ’!=’ , s i g n [ r e s ] ] ] A. Gazet, Y. Guillot Binary deprotection with metasm 15/55

  18. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  19. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  20. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Binding Instruction CALL : binding [ : esp ] = Expression [ : esp , : − , opsz ] binding [ I n d i r e c t i o n [ : esp , 4] ] = d i . next addr For exemple: dword ptr [ esp ] = 0 x403EA7 esp = esp − 4 Instruction RDTSC : binding [ : eax ] = Expression : : Unknown binding [ : edx ] = Expression : : Unknown A. Gazet, Y. Guillot Binary deprotection with metasm 16/55

  21. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Backtracking, the theory Definition Symbolic emulation by walking the instruction flow backwards. A. Gazet, Y. Guillot Binary deprotection with metasm 17/55

  22. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Backtracking, the facts Execution flow: c a l l loc 40becdh ; @403ea2h e826800000 [ . . . ] cmp eax , ebp ; @40becdh 39e8 [ esp +0] , 1 add dword ptr ; @40becfh 8344240001 t e s t ebx , 1 e2h ; @40bed4h f7c3e2010000 0 ch r e t ; @40bedah c20c00 Backtracing x dword ptr [esp] for 40bedah ret 0ch backtrace 40becfh dword ptr [esp] => dword ptr [esp]+1 1 backtrace up 40becdh->403ea2h dword ptr [esp]+1 2 backtrace 403ea2h dword ptr [esp]+1 => 403ea8h 3 backtrace result: 403ea8h 4 A. Gazet, Y. Guillot Binary deprotection with metasm 18/55

  23. Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Metasm Result: loc 403e9fh : push ebp ; @403e9fh 55 push ecx ; @403ea0h 51 push ebp ; @403ea1h 55 c a l l loc 40becdh ; @403ea2h e826800000 noreturn db 6 eh ; @403ea7h // Xrefs : 40 bedah loc 403ea8h : cmp edx , esp ; @403ea8h 39e2 push esp ; @403eaah 54 [ . . . ] // Xrefs : 403 ea2h loc 40becdh : cmp eax , ebp ; @40becdh 39e8 add dword ptr [ esp +0] , 1 ; @40becfh 8344240001 t e s t ebx , 1 e2h ; @40bed4h f7c3e2010000 r e t 0 ch ; @40bedah c20c00 x: loc_403ea8h A. Gazet, Y. Guillot Binary deprotection with metasm 19/55

  24. Breaking obfuscation Metasm Breaking code virtualization Analysis of a protection Putting the pieces together Decompilation Conclusion(s) Plan Metasm 1 Analysis of a protection 2 Breaking obfuscation Breaking code virtualization Putting the pieces together Conclusion(s) Decompilation 3 A. Gazet, Y. Guillot Binary deprotection with metasm 20/55

Recommend

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

1.17k views • 88 slides
Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and

Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and

Platinum Platinum 2009 2009 th May 2009 18 18 th May 2009 Good morning to everyone, and welcome again to Platinum 2009. As usual, Im going to concentrate on whats been happening in the Pt and Pd markets, and finish with a couple of

707 views • 39 slides
First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009 Results Back Up Commenting 1Q 2009 Results Strong trend with 60k net adds Customer Base Growth Significant improvement vs 4Q 2008

573 views • 16 slides
Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights

Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights

Presentation 4 th Quarter 2009 22 F b 22. February 2009 2009 Jon A. Elde CFO CFO 1 Highlights 4th quarter 2009 The Board of Directors will propose to the Annual General Meeting a dividend of NOK 3.5 per share after issued guarantees are

369 views • 12 slides
2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year

2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year

2009 Half Year Results Presentation 6 months to 30 June 2009 13 August 2009 2009 Half Year Results Presentation Terry Davis Group Managing Director 13 August 2009 First half 2009 major highlights 1. Double-digit EBIT, NPAT and EPS growth

735 views • 54 slides
CO CO 2 fixation by mineral matter; fixation by mineral matter; the potential of different the

CO CO 2 fixation by mineral matter; fixation by mineral matter; the potential of different the

Climate Change: Global Risks, Challenges and Decisions Copenhagen (Denmark) March 10-12, 2009 S17 09 11 3 2009 11:45 S17.09, 11.3.2009 S17.09, 11.3.2009 11:45 S17 09 11 3 2009 11:45-12:05 11:45-12:05 12:05 12:05 CO CO 2

702 views • 12 slides
Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary &

Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary &

1 Earnings Presentation First Quarter 2009 May 1, 2009 February 6, 2009: Preliminary & Unaudited Safe Harbor Statement under the Private Securities Litigation Reform Act of 1995 Statements made in this presentation that relate to future

534 views • 34 slides
1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries:

1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries:

BR/BH/Hof 2009/D/11.11.2009 1 Worldwide locations of Trtzschler Germany BR/BH/Hof 2009/D/11.11.2009 Subsidiaries: Production factories: Turkey Mexico Italia Germany USA Spain Uzbekistan Brazil India China 2

1.39k views • 82 slides
Fronteers 2009 , 2009

Fronteers 2009 , 2009

Fronteers 2009 , 2009 Molly Holzschlag Peter-Paul Koch Whats New With The The Mobile Web, Or The Mobile Web Masochist's Guide To Gleeful Self-flagellation Chris

1.28k views • 86 slides
My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy Researcher at DEVCORE CTF Player HITCON / 217 Chroot Co-founder of pwnable.tw Speaker HITB GSEC 2018/AVTokyo 2018/VXCON Outline

1.35k views • 107 slides
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009 $800,000 Median $765,916 $ in thousands $600,000 FY 2006 FY 2007 FY 2008 $400,000 FY 2009 $200,000 $0 Texas University UC Michigan

1.4k views • 84 slides
Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher at DEVCORE Speaker at Black Hat US/ASIA , DEFCON , HITB , CODEBLUE CTF player (Captain of HITCON CTF team and member of 217 ) Bounty

1.32k views • 103 slides
Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement

Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement

Budget Curtailment Plan January 26, 2009 PHASE I: January, 2009 thru June 30, 2009 1 Implement hiring restrictions and limits: Replace only essential positions. Change policy to permit physical education credit (via waiver) for

839 views • 4 slides
PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28, 2009 PSYCHOTRONIC Sunday, June 28, 2009 MySpace: 100 million users [january 2008] 1,400,000+ tweets [march 2009] generation y genuine data

768 views • 43 slides
Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009

Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009

Swedbank Q3 Results 2009 Q3 Results 2009 Swedbank 2073075 CEO Michael Wolf October 20, 2009 9:00 am Greenwich Mean Time Operator: Good morning, ladies and gentlemen, and welcome to the Q3 Results 2009 Conference Call. At this time, all

550 views • 17 slides
PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda Workshop presentation Black box audit Source code audit samedi 25 juillet 2009 2 Who speaks? Philippe Gamache Parler Haut, Interagir

848 views • 73 slides
Year-end report 2009 Jan Johansson, President and CEO SCA Interim Report Q4 2009 Full year 2009

Year-end report 2009 Jan Johansson, President and CEO SCA Interim Report Q4 2009 Full year 2009

Year-end report 2009 Jan Johansson, President and CEO SCA Interim Report Q4 2009 Full year 2009 General market update Hygiene businesses Stable demand in mature markets Continued growth in emerging markets Packaging and Forest

389 views • 19 slides
Bank of Georgia Q3 2009 & YTD 2009 financials January 2010 Bank of Georgia consolidated

Bank of Georgia Q3 2009 & YTD 2009 financials January 2010 Bank of Georgia consolidated

Bank of Georgia Q3 2009 & YTD 2009 financials January 2010 Bank of Georgia consolidated Income Statement Q3 2009 Period ended Q3 2009 Q2 2009 Q3 2008 US$ 1 US$ 2 US$ 3 Consolidated, IFRS Based GEL GEL Growth GEL Growth (Unaudited)

310 views • 14 slides
SSTIC 2012 Jean-Baptiste Bdrune Jean Sigwald Analyses forensiques de terminaux iOS Apple

SSTIC 2012 Jean-Baptiste Bdrune Jean Sigwald Analyses forensiques de terminaux iOS Apple

SSTIC 2012 Jean-Baptiste Bdrune Jean Sigwald Analyses forensiques de terminaux iOS Apple Travaux prcdents iPhone data protection in depth, HITB, mai 2011 Outils open-source Document Apple iOS Security , mai 2012

848 views • 46 slides
Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking

Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking

Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking Statements This press release includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995, that are

601 views • 38 slides
CUG 2009 May 7, 2009 * National Center for Computational Sciences + Center for Transportation

CUG 2009 May 7, 2009 * National Center for Computational Sciences + Center for Transportation

Solution of Mixed-Integer Programming Problems on the XT5 Rebecca J. Hartman-Baker * Ingrid K. Busch + Michael R. Hilliard + Richard S. Middleton + Michael S. Schultze + Oak Ridge National Laboratory CUG 2009 May 7, 2009 * National Center for

701 views • 27 slides
1st Quarter 2009 Financial Results Oslo, April 30th 2009 Highlights first quarter 2009

1st Quarter 2009 Financial Results Oslo, April 30th 2009 Highlights first quarter 2009

1st Quarter 2009 Financial Results Oslo, April 30th 2009 Highlights first quarter 2009 Improved operational performance before value adjustments Profit before value adjustments stable and growing Vacancy at 0.8 per cent,

861 views • 30 slides
Company Presentation Company Presentation May 2009 May 2009 QLI - An Emerging Markets Casino

Company Presentation Company Presentation May 2009 May 2009 QLI - An Emerging Markets Casino

Company Presentation Company Presentation May 2009 May 2009 QLI - An Emerging Markets Casino Operator 2009 Q1 Overview Global economic crisis impacting gaming Decrease in consumer spending QLI remains relatively well

894 views • 24 slides
Business Results Fiscal Year Ended March 31, 2009 May 8, 2009 Minebea Co., Ltd. 0 1. Financial

Business Results Fiscal Year Ended March 31, 2009 May 8, 2009 Minebea Co., Ltd. 0 1. Financial

Business Results Fiscal Year Ended March 31, 2009 May 8, 2009 Minebea Co., Ltd. 0 1. Financial Results 2. Policy and Strategy 1 May 8, 2009 1 Financial Results Hiroharu Katogi Director, Senior Managing Executive Officer 2 May 8, 2009

840 views • 44 slides

More recommend