Recon2013-Christopher Domas-The Future of RE-Dy..


The Future of RE:
Dynamic Binary Visualization
christopher.domas // REcon 2013 // 22.06.2013

Myself






Chris Domas
Embedded Systems Engineer
Cyber Innovation Unit
National Security Division
The Battelle Memorial Institute
Battelle



Myself
World’s largest non-profit R&D organization
Manages leading national laboratories
Awesome

Information Analysis
Reverse Engineering
[slide background: a screen-filling dump of raw hex bytes]
What IS this?
In other words


How we conceptualize binary information
How we use our conceptualization for analysis
The ever-present issues
[slide: a column of raw hex bytes]

Flexible
Exact
Complex


[slide: more raw hex bytes, shown beside the disassembly listing below]
push    dx
mov     dx, ax
cli
mov     ah, 1Bh
rol     al, 1
ror     ax, 1
out     74h, al
in      al, 75h
test    ah, 80h
jz      $+0x0A
xchg    al, ah
out     74h, al
in      al, 75h
xchg    al, ah
mov     ah, dh
Rigid
Rules
Succinct
The RE Dichotomy
xor     edx, edx                        ; int
lea     rcx, [rsp+78h]                  ; void *
mov     [rsp+arg_68], ebx
lea     r8d, [rdx+60h]                  ; size_t
call    memset
xor     ecx, ecx                        ; hWnd
call    cs:GetDC
mov     rdi, rax
cmp     rax, rbx
jz      loc_1000015A4
lea     rsi, stru_1000101A0
mov     edx, 5Ah                        ; int
mov     rcx, rax                        ; HDC
mov     [rsp+arg_68], 68h
mov     [rsp+78h], rbp
mov     [rsp+88h], rsi
call    cs:GetDeviceCaps
mov     ecx, cs:nNumber
mov     r8d, 2D0h
mov     edx, eax
call    cs:MulDiv
mov     rdx, rdi                        ; hDC
xor     ecx, ecx                        ; hWnd
neg     eax
mov     dword ptr [rsp+94h], 1000041h
mov     eax, 2000h
mov     [rsp+0C8h], ax
call    cs:ReleaseDC
call    cs:ChooseFontW
cmp     eax, ebx
jz      loc_1000015A4
mov     rcx, cs:hCursor                 ; hCursor
call    cs:SetCursor
mov     rcx, rsi                        ; LOGFONTW *
call    cs:CreateFontIndirectW
mov     rdi, rax
cmp     rax, rbx
jz      short loc_100001B8C
mov     rcx, cs:wParam                  ; HGDIOBJ
call    cs:DeleteObject
mov     rcx, cs:qword_1000100A0         ; hWnd
mov     r9, r14                         ; lParam
mov     r8, rdi                         ; wParam
mov     edx, 30h                        ; Msg
mov     cs:wParam, rdi
What does this do?
Where’s the vulnerability?
Reverse engineering as an art
Investigating the concept

Let’s fix this.


Bridge the analysis gap
Change RE from an ART to a SCIENCE
Reverse Engineering

Visual RE


Address the conceptualization
Statistical Exploration

How?
Address the analysis

Idea:
Take a computationally difficult task
Translate it to a problem our brains do naturally

Visual RE
In other words
[slide: a screen-filling dump of raw hex bytes; the words overlaid on it, as recovered from the extraction, read: how to traverse a hundred thousand pages of ... in 20 seconds]
…what?
If we change the way we
process binary information…
… we find unexpected ways
of making sense of it.












obfuscated file headers
no headers
multiple binaries embedded in a single blob
unique instruction sets
proprietary data formats
overwhelming complexity
steganography
memory dumps
rapid RE
triage
firmware
forensics
Why bother?

Our best RE tools are completely dependent on known structure

Information is evolving faster than our tools can keep up
Gates' Law

Software is getting slower more rapidly than hardware becomes faster
The amount of information we need to analyze is growing exponentially
Why bother?

Greg Conti



United States Military Academy
Black Hat 2010
Aldo Cortesi


Nullcube
corte.si
Some interesting ideas

Idea:


Even in unstructured data, there is structure
Sequential bytes have an implicit relationship
Digraphs (conti)
recon
re
ec
co
on
(72,65)
(65,72)
(63,6F)
(6F,6E)
Digraphs (conti)
(0x20, 0x20)
(0x20, 0x35)
Digraphs (conti)

ASCII
Digraphs (conti)

Image
Digraphs (conti)

Audio
Digraphs (conti)
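The digraph construction on the slides above, worked through in Python as an added example (this is editor-supplied code, not code from the talk or from ..cantor.dust..). Every adjacent byte pair becomes one coordinate in a 256x256 grid, the grid holds counts, and the grid is written out as a greyscale PGM image. The two inputs are constructed for the example; English text keeps all of its pairs inside the printable square (0x20..0x7E on both axes) while seeded pseudo-random bytes spread over the whole plane, which is the contrast the ASCII / Image / Audio slides draw by eye.

```python
import math
import random
from collections import Counter


def digraphs(data: bytes) -> list:
    """Return every adjacent byte pair (data[i], data[i+1]) in order.
    b'recon' -> (0x72,0x65) (0x65,0x63) (0x63,0x6F) (0x6F,0x6E)."""
    return [(data[i], data[i + 1]) for i in range(len(data) - 1)]


def digraph_histogram(data: bytes) -> Counter:
    """Count how often each (x, y) pair occurs: the 256x256 digraph plot as a sparse grid."""
    return Counter(digraphs(data))


def printable_fraction(hist: Counter) -> float:
    """Fraction of all pairs where both bytes are printable ASCII (0x20..0x7E)."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    inside = sum(c for (x, y), c in hist.items()
                 if 0x20 <= x <= 0x7E and 0x20 <= y <= 0x7E)
    return inside / total


def digraph_plot_pgm(data: bytes) -> bytes:
    """Render the digraph histogram as a 256x256 8-bit binary PGM (log-scaled brightness).
    Row = first byte of the pair, column = second byte."""
    hist = digraph_histogram(data)
    peak = max(hist.values(), default=0)
    pixels = bytearray(256 * 256)
    for (x, y), c in hist.items():
        pixels[x * 256 + y] = int(255 * math.log1p(c) / math.log1p(peak))
    return b"P5\n256 256\n255\n" + bytes(pixels)


# Constructed sample inputs (not real files): English text and seeded pseudo-random bytes
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 40
_rng = random.Random(2013)
RANDOM_SAMPLE = bytes(_rng.randrange(256) for _ in range(4096))


def save_plot(data: bytes, path: str) -> None:
    with open(path, "wb") as fh:
        fh.write(digraph_plot_pgm(data))


if __name__ == "__main__":
    for name, sample in (("text", TEXT_SAMPLE), ("random", RANDOM_SAMPLE)):
        frac = printable_fraction(digraph_histogram(sample))
        print(f"{name}: {frac:.2%} of pairs fall in the printable-ASCII square")
        save_plot(sample, f"digraph_{name}.pgm")
```

Any image viewer that reads PGM will show the text sample as a bright cluster in the lower-value corner and the random sample as an even haze; a (0x20, 0x20) run of spaces shows up as a single hot pixel on the diagonal, which is why the slides single that pair out.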

Introducing the Hilbert Curve

Continuous fractal space filling curve
Maps 1D space to an alternate dimensional space
Preserves Locality
Unexpected utility in computer science



Hilbert Translation (cortesi)



Traditional byte plot “Zig-Zag” order on left
Hilbert byte plot on right
Shaded by Byte Class
Hilbert Translation (cortesi)
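The Hilbert translation these slides describe, as an added Python example (not the talk's or ..cantor.dust..'s code): a standard iterative index-to-coordinate mapping for the Hilbert curve, the traditional row-by-row "zig-zag" byte plot for comparison, two small locality measures, and a byte-class colouring written out as a PPM. The colour assignment (black for 0x00, white for 0xFF, blue for printable ASCII, red for the rest) is this example's assumption; the slide only says the plot is shaded by byte class.

```python
import math


def _rot(n: int, x: int, y: int, rx: int, ry: int):
    """Flip/rotate a quadrant so each sub-curve joins its neighbours (standard Hilbert step)."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def hilbert_d2xy(n: int, d: int):
    """Map curve index d (0 <= d < n*n) to (x, y) on an n x n grid; n must be a power of two."""
    assert n > 0 and n & (n - 1) == 0, "grid side must be a power of two"
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def zigzag_d2xy(n: int, d: int):
    """Traditional byte plot: fill each row left to right, rows top to bottom."""
    return d % n, d // n


def max_step(d2xy, n: int) -> float:
    """Largest Euclidean jump between consecutive curve indices over the whole grid."""
    worst = 0.0
    px, py = d2xy(n, 0)
    for d in range(1, n * n):
        x, y = d2xy(n, d)
        worst = max(worst, math.hypot(x - px, y - py))
        px, py = x, y
    return worst


def window_spread(d2xy, n: int, start: int, length: int) -> int:
    """Side of the smallest square containing `length` consecutive indices from `start`."""
    pts = [d2xy(n, d) for d in range(start, start + length)]
    xs = [p[0] for p in pts]
    ys = [p[1] for p in pts]
    return max(max(xs) - min(xs), max(ys) - min(ys))


def byte_colour(b: int):
    """Byte-class colouring (an assumption of this example, see the lead-in)."""
    if b == 0x00:
        return (0, 0, 0)            # zero bytes: black
    if b == 0xFF:
        return (255, 255, 255)      # 0xFF: white
    if 0x20 <= b <= 0x7E:
        return (64, 128, 255)       # printable ASCII: blue
    return (255, 64, 64)            # everything else: red


def render_ppm(data: bytes, n: int, d2xy) -> bytes:
    """Plot the first n*n bytes of `data` along the given curve as a binary PPM image."""
    pixels = bytearray(3 * n * n)
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        i = 3 * (y * n + x)
        pixels[i:i + 3] = bytes(byte_colour(b))
    return b"P6\n%d %d\n255\n" % (n, n) + bytes(pixels)


if __name__ == "__main__":
    # Constructed sample: a text region, a zero-filled gap, then a run of high bytes
    sample = b"REcon 2013 " * 400 + b"\x00" * 4096 + bytes(range(0x80, 0x100)) * 16
    for name, curve in (("zigzag", zigzag_d2xy), ("hilbert", hilbert_d2xy)):
        with open(f"byteplot_{name}.ppm", "wb") as fh:
            fh.write(render_ppm(sample, 128, curve))
        print(name, "max step:", max_step(curve, 16),
              "spread of 16 consecutive bytes:", window_spread(curve, 16, 0, 16))
```

On a 16x16 grid, 16 consecutive offsets land in a 4x4 block under the Hilbert mapping (spread 3) but stretch across a whole row under the zig-zag order (spread 15), and the zig-zag order jumps a full row width at every line end while the Hilbert curve never moves more than one cell. That is the locality property that keeps a contiguous region of a file contiguous in the picture.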


Build on these concepts
Goal


understand data independent of format




Unknown code
Format deviations
Proprietary structure
a priori
Our software
..cantor.dust..
 Named after this guy →
 Illustrating concepts


Doesn’t need to be this software
Introducing ..cantor.dust..

An embarrassing mistake
..cantor.dust.. // background
[slide background: a screen-filling dump of raw hex bytes]
..cantor.dust.. // background


An embarrassing mistake
Spare time
..cantor.dust.. // background


Interface
Patterns
..cantor.dust.. // demo

Visualizations

Tuple systems




Why
Time/Space
Coordinate Systems
Fun
..cantor.dust.. // demo

Visualizations

Metric map

Entropy

Uses




Encryption Keys
Packing
Obfuscation
Examples


Malware
Key check
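The entropy metric map and its uses listed above (spotting packed, encrypted or obfuscated regions and embedded key material), as an added Python example; this is editor-supplied code, not the talk's or ..cantor.dust..'s. It computes Shannon entropy per fixed window and merges adjacent high-entropy windows into byte ranges. The sample object is constructed inline: text, then seeded random bytes standing in for a packed blob, then zero padding; the 6.5 bits/byte threshold is an assumption chosen for that sample.

```python
import math
import random


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 for constant data, 8.0 at most)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_map(data: bytes, window: int = 256) -> list:
    """Entropy of each consecutive window: the 1-D metric behind an entropy visualisation."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 6.5) -> list:
    """Merge adjacent windows at or above `threshold` into (start, end) byte ranges.
    Packed, compressed or encrypted regions and key material sit near 8 bits/byte;
    code, text and padding sit well below, so the ranges are the places to look first."""
    regions = []
    for off, h in entropy_map(data, window):
        end = min(off + window, len(data))
        if h >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((off, end))
    return regions


# Constructed sample (not a real binary): 4 KiB of text, 1 KiB of seeded random bytes standing
# in for a packed/encrypted blob, then 2 KiB of zero padding
_rng = random.Random(1)
SAMPLE = ((b"the quick brown fox jumps over the lazy dog " * 100)[:4096]
          + bytes(_rng.randrange(256) for _ in range(1024))
          + b"\x00" * 2048)


if __name__ == "__main__":
    for off, h in entropy_map(SAMPLE):
        print(f"{off:06x}  {h:4.2f}  {'#' * int(h * 4)}")
    print("high-entropy regions:", high_entropy_regions(SAMPLE))
```

The text windows score around four bits per byte, the random blob above seven, and the padding zero, so the single merged range (4096, 5120) is exactly the planted blob. On a real object the same map drawn as a colour strip is the "metric map" view; a packer's stub, a compressed payload, or a hard-coded key stands out as a bright band against dull code.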
..cantor.dust.. // demo

Notepad.exe dissection
..cantor.dust.. // demo

Binary region identification through statistical analysis

Naïve Bayes classification of n-gram models
Identify regions of an object based on supplied templates
Uses:
Custom/proprietary formats
Unique Instruction Sets
Data/code features
..cantor.dust.. // classification
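A minimal version of the template-driven region classifier described above, added here as an editor's Python example (not ..cantor.dust..'s implementation, whose feature set and smoothing are not given on the slides): a multinomial naive Bayes model over byte 1-grams and 2-grams with Laplace smoothing, trained from one template region per label and run over fixed windows of an unknown object. The templates and the unknown object are constructed inline (ASCII prose and an array of little-endian 32-bit integers standing in for a proprietary table).

```python
import math
import struct
from collections import Counter


class NGramNaiveBayes:
    """Multinomial naive Bayes over byte n-grams (1-grams and 2-grams by default).
    Each label is trained from a 'template' region; windows of an unknown object are then
    labelled by whichever template model gives them the highest likelihood."""

    def __init__(self, orders=(1, 2), alpha: float = 1.0):
        self.orders = orders
        self.alpha = alpha      # Laplace smoothing so unseen n-grams are not impossible
        self.counts = {}        # label -> {n -> Counter of n-grams}
        self.totals = {}        # label -> {n -> number of n-grams seen}

    @staticmethod
    def ngrams(data: bytes, n: int) -> list:
        return [data[i:i + n] for i in range(len(data) - n + 1)]

    def train(self, label: str, template: bytes) -> None:
        counts = self.counts.setdefault(label, {n: Counter() for n in self.orders})
        totals = self.totals.setdefault(label, {n: 0 for n in self.orders})
        for n in self.orders:
            grams = self.ngrams(template, n)
            counts[n].update(grams)
            totals[n] += len(grams)

    def log_likelihood(self, label: str, window: bytes) -> float:
        score = 0.0
        for n in self.orders:
            denom = self.totals[label][n] + self.alpha * (256 ** n)
            seen = self.counts[label][n]
            for g in self.ngrams(window, n):
                score += math.log((seen[g] + self.alpha) / denom)
        return score

    def classify(self, window: bytes) -> str:
        return max(self.counts, key=lambda label: self.log_likelihood(label, window))

    def label_regions(self, data: bytes, window: int = 256) -> list:
        """Label each window and merge runs of equal labels into (start, end, label)."""
        regions = []
        for off in range(0, len(data), window):
            label = self.classify(data[off:off + window])
            end = min(off + window, len(data))
            if regions and regions[-1][2] == label and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end, label)
            else:
                regions.append((off, end, label))
        return regions


# Constructed templates and test object (not real firmware). 'text' is ASCII prose; 'table' is
# an array of little-endian 32-bit integers, a stand-in for a proprietary data structure.
TEMPLATE_TEXT = (b"Binary visualization turns bytes into pictures that the eye can scan quickly. " * 10)[:512]
TEMPLATE_TABLE = b"".join(struct.pack("<I", v) for v in range(0, 128 * 3, 3))
UNKNOWN = ((b"The quick brown fox jumps over the lazy dog while the cat sleeps nearby. " * 10)[:512]
           + b"".join(struct.pack("<I", v) for v in range(1000, 1000 + 128 * 7, 7))
           + (b"A different sentence, but still plain English text for the classifier. " * 10)[:512])


def build_classifier() -> NGramNaiveBayes:
    clf = NGramNaiveBayes()
    clf.train("text", TEMPLATE_TEXT)
    clf.train("table", TEMPLATE_TABLE)
    return clf


if __name__ == "__main__":
    for start, end, label in build_classifier().label_regions(UNKNOWN):
        print(f"{start:#06x}-{end:#06x}  {label}")
```

The unknown object's text differs from the text template and its integers differ from the table template, yet the byte and byte-pair statistics carry over, which is the whole point of the approach: the classifier never sees a grammar for either format. Cropping a known module out of a firmware image and training on it, as the case study later describes, is the same operation with a real template.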

Conventional parsing

Recursive descent
Linear sweep
A new approach?

“Probabilistic parsing”
Identify structure based on statistical patterns, not grammar definitions
..cantor.dust.. // parsing

“Attacking Intel BIOS”
Invisible Things Lab
 Rafal Wojtczuk and Alexander Tereshkin
 Black Hat 2009

..cantor.dust.. // case study

Goal:

Bypass EFI signing protection
..cantor.dust.. // case study

Background:
 EFI is a BIOS replacement
 Update images can be signed and checked before they are flashed
..cantor.dust.. // case study

Background

Update image “envelope”
 Signed module
 Signed module
 Signed module
 Unsigned module
..cantor.dust.. // case study

Background

Update image “envelope”
 Signed module
 Signed module
 Signed module
 Unsigned module ← Attack Vector!
..cantor.dust.. // case study

Why have an unsigned module?

Boot Splash Logo

Can be changed by the OEMs
..cantor.dust.. // case study

Exploit!

Goal: Unsigned Code Execution


Vulnerability identified in bitmap parser for splash screen


In EFI template code used by most IBVs
Flash the bitmap with an invalid image


Can’t update code, can update bitmap
Overflow with width & height
Cause an overflow, get execution
..cantor.dust.. // case study

Observations

No one is really “EFI”


There’s just “more” or “less” EFI for now
This means


Less structure
More headache
..cantor.dust.. // case study
ITL covered the exploit
 Let’s figure out everything else

..cantor.dust.. // case study

Choose a victim



Targeting my junk laptop
Don’t care if I brick it
Grab the update executable from vendor’s website
case study // step 1

Quick RE to extract the firmware image

Ultra-secret secure flags have been encrypted by adding 1 to each character
We’re looking for “WRITEROMFILE”
a.k.a. “XSJUFSPNGJMF”
case study // step 2

RE image



Find a custom decompression routine
But only one module
Where are the others?
case study // step 3

Use ..cantor.dust..



Crop out the known module
Use as a template for statistical analysis
Identify regions of the binary image with patterns that match the template
case study // step 4

Decompress the located modules


Use Chris Eagle’s x86emu
No need to understand the algorithm
case study // step 5

Modules contain proprietary headers
case study // step 6

How do we find the splash screen?

Too time consuming at a binary level!
Use visual abstractions to locate the “bitmap data” fingerprint
case study // step 6
Examine in a hex editor – follows the bitmap format, minus the ‘BM’ signature
 Easy to find width/height

case study // step 7

Repackage the splash screen with modified information
case study // step 8
Try to flash
 Image is not accepted


Modules are signed
Bitmap is not
“Envelope” is checksum’d

Need to fix the checksum



Drop first module into IDA


There’s no known structure to this module
IDA tells us nothing
case study // step 9
Use probabilistic parsing to identify key functions
 Find debug_printf
 Find calls to debug_printf
 Isolate CRC checksum routine

Identify CRC algorithm
Locate checksum position in image
case study // step 10


Repackage the image with proper checksum
Success!
case study // step X

Without ..cantor.dust..?

Took me 37 hours
case study // results

Hope I’ve shown…
case study // results

Useful:

User interface
..cantor.dust.. // future

Useful:

Complete integration
..cantor.dust.. // future

Pointless:

Hands free
..cantor.dust.. // future
..minority.report..

We need new ways to understand
and analyze information

Otherwise RE will stagnate
Conclusions

Use this software
 Start thinking differently

Conclusions

Getting a copy




sites.google.com/site/xxcantorxdustxx/home
We’ve just gotten started
Thank you
..cantor.dust.. // redux