Recon2013-Christopher Domas-The Future of RE-Dy..
The Future of RE: Dynamic Binary Visualization
christopher.domas // REcon 2013 // 22.06.2013
Myself
Chris Domas
Embedded Systems Engineer
Cyber Innovation Unit
National Security Division
The Battelle Memorial Institute
Battelle
Myself
World’s largest non-profit R&D organization
Manages leading national laboratories
Awesome
Information Analysis
Reverse Engineering
What IS this?
In other words
How we conceptualize binary information
How we use our conceptualization for analysis
The ever-present issues
Flexible
Exact
Complex
push dx
mov dx, ax
cli
mov ah, 1Bh
rol al, 1
ror ax, 1
out 74h, al
in al, 75h
test ah, 80h
jz $+0x0A
xchg al, ah
out 74h, al
in al, 75h
xchg al, ah
mov ah, dh
Rigid
Rules
Succinct
The RE Dichotomy
xor edx, edx ; int
lea rcx, [rsp+78h] ; void *
mov [rsp+arg_68], ebx
lea r8d, [rdx+60h] ; size_t
call memset
xor ecx, ecx ; hWnd
call cs:GetDC
mov rdi, rax
cmp rax, rbx
jz loc_1000015A4
lea rsi, stru_1000101A0
mov edx, 5Ah ; int
mov rcx, rax ; HDC
mov [rsp+arg_68], 68h
mov [rsp+78h], rbp
mov [rsp+88h], rsi
call cs:GetDeviceCaps
mov ecx, cs:nNumber
mov r8d, 2D0h
mov edx, eax
call cs:MulDiv
mov rdx, rdi ; hDC
xor ecx, ecx ; hWnd
neg eax
mov dword ptr [rsp+94h], 1000041h
mov eax, 2000h
mov [rsp+0C8h], ax
call cs:ReleaseDC
call cs:ChooseFontW
cmp eax, ebx
jz loc_1000015A4
mov rcx, cs:hCursor ; hCursor
call cs:SetCursor
mov rcx, rsi ; LOGFONTW *
call cs:CreateFontIndirectW
mov rdi, rax
cmp rax, rbx
jz short loc_100001B8C
mov rcx, cs:wParam ; HGDIOBJ
call cs:DeleteObject
mov rcx, cs:qword_1000100A0 ; hWnd
mov r9, r14 ; lParam
mov r8, rdi ; wParam
mov edx, 30h ; Msg
mov cs:wParam, rdi
What does this do?
Where’s the vulnerability?
Reverse engineering as an art
Investigating the concept
Let’s fix this.
Bridge the analysis gap
Change RE from an ART to a SCIENCE
Reverse Engineering
Visual RE
Address the conceptualization
Statistical Exploration
How?
Address the analysis
Idea:
Take a computationally difficult task
Translate it to a problem our brains do naturally
Visual RE
In other words
how to traverse a hundred thousand pages of
in 20 seconds
…what?
If we change the way we process binary information…
…we find unexpected ways of making sense of it.
obfuscated file headers
no headers
multiple binaries embedded in a single blob
unique instruction sets
proprietary data formats
overwhelming complexity
steganography
memory dumps
rapid RE
triage
firmware
forensics
Why bother?
Our best RE tools are completely dependent on known structure
Information is evolving faster than our tools can keep up
Gates' Law: Software is getting slower more rapidly than hardware becomes faster
The amount of information we need to analyze is growing exponentially
Why bother?
Greg Conti
United States Military Academy
Black Hat 2010
Aldo Cortesi
Nullcube
corte.si
Some interesting ideas
Idea:
Even in unstructured data, there is structure
Sequential bytes have an implicit relationship
Digraphs (conti)
recon
re → (72,65)
ec → (65,72)
co → (63,6F)
on → (6F,6E)
Digraphs (conti)
(0x20, 0x20)
(0x20, 0x35)
Digraphs (conti)
ASCII
Digraphs (conti)
Image
Digraphs (conti)
Audio
Digraphs (conti)
Introducing the Hilbert Curve
Continuous fractal space filling curve
Maps 1D space to an alternate dimensional space
Preserves Locality
Unexpected utility in computer science
Hilbert Translation (cortesi)
Traditional byte plot “Zig-Zag” order on left
Hilbert byte plot on right
Shaded by Byte Class
Hilbert Translation (cortesi)
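The digraph counting and the Hilbert-curve byte plot described on the preceding slides, as an added Python example that is not part of the talk or of ..cantor.dust..: it counts byte pairs, maps file offsets onto a grid either in traditional zig-zag order or along a Hilbert curve, shades cells by byte class, and goes one step beyond the slide by measuring how far apart consecutive bytes land under each layout. The byte-class thresholds and the sample bytes are my assumptions.

```python
from collections import Counter

# Constructed sample (not from the talk): the slide's "recon" string followed by a few
# zero, high and 0xFF bytes so that every byte class appears in the plot.
SAMPLE = b"recon" + bytes([0x00, 0x00, 0xFF, 0x80, 0x20, 0x35, 0x05])

def digraphs(data: bytes) -> Counter:
    """Count consecutive byte pairs (x, y); each distinct pair is one point of a digraph plot."""
    return Counter(zip(data, data[1:]))

def byte_class(b: int) -> str:
    """Byte class used to shade a plot (assumed thresholds): zero, low, printable ASCII, high, 0xFF."""
    if b == 0x00:
        return "zero"
    if b == 0xFF:
        return "ff"
    if b < 0x20:
        return "low"
    if b < 0x7F:
        return "ascii"
    return "high"

def zigzag_d2xy(n: int, d: int) -> tuple:
    """Traditional row-major ("zig-zag") layout: offset d lands in column d % n, row d // n."""
    return d % n, d // n

def hilbert_d2xy(n: int, d: int) -> tuple:
    """Map offset d along a Hilbert curve filling an n x n grid (n a power of two) to (x, y)."""
    x = y = 0
    t, s = d, 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # flip/rotate the sub-square so the curve stays continuous
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y

def byte_plot(data: bytes, n: int, d2xy=hilbert_d2xy) -> list:
    """Lay the first n*n bytes on an n x n grid with d2xy and shade each cell by byte class."""
    grid = [[None] * n for _ in range(n)]
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        grid[y][x] = byte_class(b)
    return grid

def max_step(n: int, d2xy) -> int:
    """Largest grid distance between consecutive offsets: 1 means neighbours in the file stay adjacent."""
    cells = [d2xy(n, d) for d in range(n * n)]
    return max(abs(a[0] - b[0]) + abs(a[1] - b[1]) for a, b in zip(cells, cells[1:]))

if __name__ == "__main__":
    print(sorted(digraphs(b"recon")))               # the four (x, y) pairs from the slide
    print("zig-zag max step:", max_step(8, zigzag_d2xy), "hilbert max step:", max_step(8, hilbert_d2xy))
    for row in byte_plot(SAMPLE, 4):
        print(row)
```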
Build on these concepts
Goal
understand data
independent of format
Unknown code
Format deviations
Proprietary structure
a priori
Our software
..cantor.dust..
Named after this guy →
Illustrating concepts
Doesn’t need to be this software
Introducing ..cantor.dust..
An embarrassing mistake
..cantor.dust.. // background
..cantor.dust.. // background
An embarrassing mistake
Spare time
..cantor.dust.. // background
Interface
Patterns
..cantor.dust.. // demo
Visualizations
Tuple systems
Why
Time/Space
Coordinate Systems
Fun
..cantor.dust.. // demo
Visualizations
Metric map
Entropy
Uses
Encryption Keys
Packing
Obfuscation
Examples
Malware
Key check
..cantor.dust.. // demo
Notepad.exe dissection
..cantor.dust.. // demo
Binary region identification through statistical analysis
Naïve Bayes classification of n-gram models
Identify regions of an object based on supplied templates
Uses:
Custom/proprietary formats
Unique Instruction Sets
Data/code features
..cantor.dust.. // classification
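The template-driven region identification described on this slide, as an added Python example that is not ..cantor.dust..'s code: a naive Bayes classifier over byte bigrams (the n = 2 case of an n-gram model) with Laplace smoothing is trained on one "code" template taken from the x86-64 hex shown on the slides and one constructed "text" template, then slid across a constructed blob to label its regions. The window size, the smoothing and the uniform class prior are my assumptions.

```python
import math
from collections import Counter

def bigrams(data: bytes) -> list:
    """Consecutive byte pairs: the n = 2 case of the n-gram models the slide describes."""
    return list(zip(data, data[1:]))

class NgramNaiveBayes:
    """One Laplace-smoothed bigram distribution per label. A window gets the label whose
    model gives it the highest log-likelihood (naive Bayes with a uniform class prior)."""

    def __init__(self):
        self.counts = {}   # label -> Counter of bigrams seen in that label's template(s)
        self.totals = {}   # label -> number of bigrams in the template(s)

    def fit(self, label: str, template: bytes) -> None:
        grams = bigrams(template)
        self.counts.setdefault(label, Counter()).update(grams)
        self.totals[label] = self.totals.get(label, 0) + len(grams)

    def log_likelihood(self, label: str, window: bytes) -> float:
        counts, denom = self.counts[label], self.totals[label] + 256 * 256  # +1 per possible pair
        return sum(math.log((counts[g] + 1) / denom) for g in bigrams(window))

    def classify(self, window: bytes) -> str:
        if len(window) < 2:          # no bigram evidence: report that instead of a coin flip
            return "unknown"
        return max(self.counts, key=lambda label: self.log_likelihood(label, window))

def label_regions(model: NgramNaiveBayes, blob: bytes, window: int = 18, step: int = 18) -> list:
    """Slide a window over blob; return (start_offset, label) for each run of equal labels."""
    regions = []
    for offset in range(0, len(blob), step):
        label = model.classify(blob[offset:offset + window])
        if not regions or regions[-1][1] != label:
            regions.append((offset, label))
    return regions

# Templates: the "code" bytes are rows of the x86-64 hex shown on the slides; the "text"
# sample is constructed here.
CODE_TEMPLATE = bytes.fromhex(
    "33 C9 45 33 C0 41 8D 51 04 FF 15 F6 80 00 00 48 8B F0 "
    "89 44 24 30 48 8B 44 24 40 EB 00 44 3B FB 0F 84 98 32 "
    "BF 00 00 FF 15 F0 7F 00 00 48 89 84 24 90 00 00 00 48 "
    "8B F0 48 89 84 24 80 00 00 00 44 3B FB 0F 84 BD 33 00")
TEXT_TEMPLATE = b"the quick brown fox jumps over the lazy dog. the dog sleeps in the sun."

MODEL = NgramNaiveBayes()
MODEL.fit("code", CODE_TEMPLATE)
MODEL.fit("text", TEXT_TEMPLATE)

# A constructed blob to label: 54 bytes of text the model has not seen, followed by two
# further hex rows from the slides (unseen as rows, but sharing code-like bigrams).
TEXT_REGION = b"the lazy dog naps in the sun while the fox runs off".ljust(54)
CODE_REGION = bytes.fromhex(
    "90 90 90 90 90 90 90 90 90 66 39 18 0F 84 BD 33 00 00 "
    "41 83 3E 2E 0F 84 AE 33 00 00 8B F3 EB 00 4C 8B AC 24")
BLOB = TEXT_REGION + CODE_REGION

def demo() -> list:
    """Regions found in BLOB: text from offset 0, code from offset 54."""
    return label_regions(MODEL, BLOB)

if __name__ == "__main__":
    for offset, label in demo():
        print(f"offset {offset:4d}: {label}")
```

With real templates (a cropped module, as in the case study) the same loop marks every window that looks like the template, which is how the remaining modules were located.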
Conventional parsing
Recursive descent
Linear sweep
A new approach?
“Probabilistic parsing”
Identify structure based on statistical patterns, not grammar definitions
..cantor.dust.. // parsing
“Attacking Intel BIOS”
Invisible Things Lab
Rafal Wojtczuk and Alexander Tereshkin
Black Hat 2009
..cantor.dust.. // case study
Goal:
Bypass EFI signing protection
..cantor.dust.. // case study
Background:
EFI is a BIOS replacement
Update images can be signed and
checked before they are flashed
..cantor.dust.. // case study
Background
Update image “envelope”
Signed module
Signed module
Signed module
Unsigned module
..cantor.dust.. // case study
Background
Update image “envelope”
Signed module
Signed module
Signed module
Unsigned module ← Attack Vector!
..cantor.dust.. // case study
Why have an unsigned module?
Boot Splash Logo
Can be changed by the OEMs
..cantor.dust.. // case study
Exploit!
Goal: Unsigned Code Execution
Vulnerability identified in bitmap parser for splash screen
In EFI template code used by most IBVs
Flash the bitmap with an invalid image
Can’t update code, can update bitmap
Overflow with width & height
Cause an overflow, get execution
..cantor.dust.. // case study
Observations
No one is really “EFI”
There’s just “more” or “less” EFI for now
This means
Less structure
More headache
..cantor.dust.. // case study
ITL covered the exploit
Let’s figure out everything else
..cantor.dust.. // case study
Choose a victim
Targeting my junk laptop
Don’t care if I brick it
Grab the update executable from vendor’s website
case study // step 1
Quick RE to extract the firmware image
Ultra-secret secure flags have been encrypted by adding 1 to each character
We’re looking for “WRITEROMFILE”
a.k.a. “XSJUFSPNGJMF”
case study // step 2
RE image
Find a custom decompression routine
But only one module
Where are the others?
case study // step 3
Use ..cantor.dust..
Crop out the known module
Use as a template for statistical analysis
Identify regions of the binary image with patterns that match the template
case study // step 4
Decompress the located modules
Use Chris Eagle’s x86emu
No need to understand the algorithm
case study // step 5
Modules contain proprietary headers
case study // step 6
How do we find the splash screen?
Too time consuming at a binary level!
Use visual abstractions to locate the “bitmap data” fingerprint
case study // step 6
Examine in a hex editor – follows the bitmap format, minus the ‘BM’ signature
Easy to find width/height
case study // step 7
Repackage the splash screen with modified information
case study // step 8
Try to flash
Image is not accepted
Modules are signed
Bitmap is not
“Envelope” is checksum’d
Need to fix the checksum
Drop first module into IDA
There’s no known structure to this module
IDA tells us nothing
case study // step 9
Use probabilistic parsing to identify key functions
Find debug_printf
Find calls to debug_printf
Isolate CRC checksum routine
Identify CRC algorithm
Locate checksum position in image
case study // step 10
Repackage the image with proper checksum
Success!
case study // step X
Without ..cantor.dust..?
Took me 37 hours
case study // results
Hope I’ve shown…
case study // results
Useful:
User interface
..cantor.dust.. // future
Useful:
Complete integration
..cantor.dust.. // future
Pointless:
Hands free
..cantor.dust.. // future
..minority.report..
We need new ways to understand and analyze information
Otherwise RE will stagnate
Conclusions
Use this software
Start thinking differently
Conclusions
Getting a copy
sites.google.com/site/xxcantorxdustxx/home
We’ve just gotten started
Thank you
..cantor.dust.. // redux