playing with binary analysis
play

Playing with Binary Analysis Deobfuscation of VM based software - PowerPoint PPT Presentation

Apr 23, 2023 •198 likes •933 views

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

  1. Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sébastien Bardin and Marie-Laure Potet SSTIC 2017

  2. Topic Binary protection ● Virtualization-based software protection ○ Automatic deobfuscation, our approach ● The Tigress challenges ● Limitations ● ● What next? Conclusion ●

  3. Binary Protection

  4. Binary Protection Goal ● Turn your program to make it hard to analyze ○ Protect your software against reverse engineering ■ P Transformation P’

  5. Binary Protection There are several kinds of protection ● [...] ○ Virtualization-based software protection ○

  6. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ●

  7. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] return x; } bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

  8. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

  9. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  10. Binary Protection - Virtualization Also called Virtual Machine (VM) ● Virtualize a custom Instruction Set Architecture (ISA) ● Removed long secret(long x) { [transformations on x] Bytecodes - Custom ISA return x; } bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  11. Binary Protection - VM Design (a simple one) Fetching Decoding Dispatcher Close to a CPU design ● Operator 1 Operator 2 Operator 3 a. Fetch the opcode pointed via the virtual IP b. Decode the opcode - mnemonic / operands c. Dispatch to the appropriate semantics handler d. Execute the semantics Terminator e. Go to the next instruction or terminate

  12. Binary Protection - VM Design (a simple one) Fetching long secret(long x) { Decoding [transformations on x] Bytecodes - Custom ISA return x; } Dispatcher Close to a CPU design ● Operator 1 Operator 2 Operator 3 a. Fetch the opcode pointed via the virtual IP b. Decode the opcode - mnemonic / operands c. Dispatch to the appropriate semantics handler d. Execute the semantics Terminator e. Go to the next instruction or terminate

  13. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : Operator 1 Operator 2 Operator 3 Terminator

  14. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : Code : Operator 1 Operator 2 Operator 3 Terminator

  15. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : Operator 1 Operator 2 Operator 3 Terminator

  16. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : Operator 1 Operator 2 Operator 3 Terminator

  17. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0xaabbccdd Dispatcher Decode : mov r/r Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  18. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  19. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  20. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  21. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input Operator 1 Operator 2 Operator 3 Terminator

  22. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x11223344 Dispatcher Decode : mov r/i Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  23. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  24. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  25. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  26. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 Terminator

  27. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x5577aabb Dispatcher Decode : mul r/r/r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  28. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  29. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  30. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  31. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 Terminator

  32. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : 0x1337dead Dispatcher Decode : ret r Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 ret r3 Terminator

  33. Binary Protection - VM Design (a simple one) Fetching Bytecodes - Custom ISA Decoding Fetch : Dispatcher Decode : Code : mov r1, input mov r2, 2 Operator 1 Operator 2 Operator 3 mul r3, r1, r2 ret r3 Terminator

  34. Virtual Machine - Standard Reverse Process Reverse and understand the virtual machine’s structure / components ● Create a disassembler and then reverse the bytecodes ● ? Bytecodes ? Create a disassembler ? Disassembly ? ? ? Start Reversing ?

  35. Our Approach Automatic Deobfuscation

  36. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ●

  37. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one

  38. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one The crafted binary must have a control flow graph close to the original one ○

  39. Our Approach - Automatic Deobfuscation We don’t care about reconstructing a disassembler ● Our goal: ● ○ Directly reconstruct a devirtualized binary from the obfuscated one The crafted binary must have a control flow graph close to the original one ○ ○ The crafted binary must have instructions close to the original ones

  40. Our Approach - Automatic Deobfuscation Removed long secret(long x) { [transformations on x] Bytecodes return x; } FROM bool auth(long user_input) { long h = 0; VM(opcodes, &h, user_input); return (h == 0x9e3779b97f4a7c13); }

  41. Our Approach - Automatic Deobfuscation TO Obfuscated Traces

  42. Our Approach - Automatic Deobfuscation THEN FROM Simplified Traces

  43. Our Approach - Automatic Deobfuscation long secret_prime(long x) { [transformations on x] return x; } TO bool auth(long user_input) { long h = secret(user_input); return (h == 0x9e3779b97f4a7c13); }

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete ->

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Todays Class Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and resources Framework Weve seen multi-agent Game trees systems, and search problems Minimax where another agents moved

234 views • 6 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it>

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti Kuusisto and Raine Rnnholm Lauri Hella 60 Fest Murikanranta, July 6, 2018 V Goranko 1 of 38 10 sec trailer Two main story lines: 1. Playing

614 views • 38 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije Universiteit Amsterdam Reverse engineering Hardening programs/anti-exploitation Malware analysis ... Attack developer in GameOver Zeus

532 views • 15 slides
Methods for Modeling Realistic Methods for Modeling Realistic Playing in Plucked-String

Methods for Modeling Realistic Methods for Modeling Realistic Playing in Plucked-String

DAFX00, Verona, Italy, December 2000 HELSINKI UNIVERSITY OF TECHNOLOGY Methods for Modeling Realistic Methods for Modeling Realistic Playing in Plucked-String Synthesis: Playing in Plucked-String Synthesis: Analysis, Control and Synthesis

468 views • 20 slides
Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of

Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of

Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of the Problem Types of Injuries Causes Solutions Tools How big is the Problem? What do we know from research? 60% of professional orchestra

612 views • 22 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary & decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary & decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary & decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially

BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially

BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially balance, an opposition of endings and beginnings. In simple terms, it is a contrasted description of two moments in a great life, rising and

359 views • 7 slides

More recommend