0x3E9 Ways to DIE

Video in TIB AV-Portal: 0x3E9 Ways to DIE

Formal Metadata

0x3E9 Ways to DIE
Introducing Dynamic IDA Enrichment framework (a.k.a DIE)
Title of Series
Part Number
Number of Parts
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Along the years many attempts have been made to combine static and dynamic analysis results. Some were good, other were bad, however the fact is that those two approaches still remain mostly separated as most analysis tools focus on one of them only. For many years, this lack of integration and mental passing of data between static and dynamic tools has caused lot of frustration among researchers. This was the main motivation in creating DIE. DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard dissembler screen. As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values. With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable dissembler screen. Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA. DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher`s toolkit. My talk introduces DIE for the very first time to the research community. I explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process. The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate a malware de-obfuscation functions.
Presentation of a group Assembly language Multiplication sign Binary code Bit Information security Binary file 10 (number) Reverse engineering
Functional programming Multiplication sign Decision theory Online help Streaming media Parameter (computer programming) Disk read-and-write head Binary file Hypothesis Fluid statics Strategy game Causality Data structure System dynamics Form (programming) Debugger Mathematical analysis System call Fisher information Category of being Arithmetic mean Process (computing) Personal digital assistant Numerical analysis Right angle Resultant Reverse engineering
Point (geometry) Windows Registry Functional programming Statistics Parsing Computer file Code Multiplication sign Electronic program guide 1 (number) Branch (computer science) Parameter (computer programming) Streaming media Computer font Tracing (software) Power (physics) Operator (mathematics) Energy level Software framework Functional programming Data structure Plug-in (computing) Mathematical optimization User interface Personal identification number Binary code Debugger Data storage device Digital divide Basis <Mathematik> System call Personal digital assistant Order (biology) Statement (computer science) Right angle Data type
Point (geometry) Area Functional programming Complex analysis Implementation Interactive television Plastikkarte Bit Parameter (computer programming) System call Fisher information Fluid statics Computer animation Calculation Software framework Object (grammar) Functional programming Data type Fiber (mathematics) Position operator Plug-in (computing) System dynamics
Point (geometry) Functional programming Run time (program lifecycle phase) Sound effect Bit Parameter (computer programming) Function (mathematics) Magnetic stripe card Parsing Number Array data structure Process (computing) Computer animation Object (grammar) Data type
Functional programming Circle Multiplication sign Parameter (computer programming) Function (mathematics) Mereology Event horizon Robotics Different (Kate Ryan album) String (computer science) Core dump Integer Genetic programming Software framework Functional programming Plug-in (computing) Boolean algebra User interface Assembly language Software developer Constructor (object-oriented programming) Debugger Database Bit System call Parsing Arithmetic mean Message passing Computer animation Personal digital assistant output Right angle Object (grammar) Data type Disassembler
Functional programming Implementation Run time (program lifecycle phase) Multiplication sign 1 (number) Cyberspace Parameter (computer programming) Food energy Wave packet Video game String (computer science) Functional programming Module (mathematics) User interface Uniqueness quantification Model theory Debugger Bit Parsing Message passing Process (computing) Pointer (computer programming) Computer animation Query language Buffer solution Object (grammar) Data type
Point (geometry) Demo (music) Different (Kate Ryan album) Code Network topology Password Projective plane Cartesian coordinate system Reverse engineering Utility software
Functional programming Multiplication sign Execution unit Set (mathematics) Parameter (computer programming) Computer programming Message passing Array data structure Computer animation Computer configuration Personal digital assistant Password String (computer science) Mathematical optimization
Point (geometry) Functional programming Code Confidence interval Multiplication sign View (database) Binomial coefficient Constructor (object-oriented programming) Keyboard shortcut Control flow Bit Cartesian coordinate system Entire function Number Password Functional programming
Point (geometry) Functional programming Graph (mathematics) Code Multiplication sign Maxima and minima Instance (computer science) Parameter (computer programming) System call Heegaard splitting Mathematics Loop (music) Computer animation Personal digital assistant String (computer science) Right angle Genetic programming Musical ensemble Position operator
Functional programming Complex analysis Computer configuration Multiplication sign View (database) Bit Integer Data structure Data type Resultant Entire function
Module (mathematics) Dataflow Functional programming Frequency Run time (program lifecycle phase) Password String (computer science) Boom (sailing) Right angle Functional programming Parameter (computer programming) Software bug
Functional programming Boss Corporation Presentation of a group Software developer Set (mathematics) Bit Cartesian coordinate system System call Discounts and allowances Pointer (computer programming) Video game Computer configuration Quicksort Functional programming
Functional programming Debugger 1 (number) System call Affine geometry
Presentation of a group Shift operator Demo (music) Hooking String (computer science) Videoconferencing Bit Computational intelligence
Computer animation Database Special unitary group
User interface Functional programming Fluid statics Process (computing) Computer file Structural load Model theory Mathematical analysis Bit Abstract machine Function (mathematics) Functional programming
Functional programming State of matter Bit Functional programming Quicksort Open set Cursor (computers)
Functional programming Presentation of a group Implementation Computer file View (database) Model theory Open set Function (mathematics) Computer animation String (computer science) Universe (mathematics) Special functions Functional programming Form (programming)
Computer animation
Web page Area Functional programming Boss Corporation Multiplication sign Constructor (object-oriented programming) Skewness Database Branch (computer science) Line (geometry) Parameter (computer programming) Food energy Video game Personal digital assistant output Software framework Functional programming Series (mathematics) Position operator Rhombus
Presentation of a group Multiplication sign Modal logic Physical law Debugger Mathematical analysis Sound effect Parameter (computer programming) System call Food energy Right angle Functional programming Abstract machine Identity management Social class
Computer animation
hi guys so my presentation is called 1 thousand while 1 way the ways to die and just a bit about me my name is
you need and I water a security researcher at checkpoints offered acknowledges uh during my day where practice mainly model research and what do the research for this practically means that I spend most of my there staring at the assembly code and by binary codes and next and all kinds of other fun things like that although it couldn't you know quite finally to do inside a binary file here but you have something to look over here forward for Edward you know during the all the years of England reverse-engineering this seems to be 1 problem that seems to be popping up again and again and it's really irritating me and I'm I have to deal with that at least know tens uh or maybe even hundred times a day and I'm sure you all share the same problem as me and you hold it to encounter it as well and this
problem is that you know what we're doing reverse engineering and then basically we have 2 main metals right so we have static analysis and forced other causes we just opened our binary find side some kind of this is similar to what is Idaho the other or whatever you prefer and we actually have a lot of information there I mean those tools are really involved evolved that quite well you know 12 years and for me personally if I could I would never leave my my i the screen I will do all my reverses in new session just within my either because I just feel so comfortable with it but all right that's very rarely the case I mean at most times we have to resort to the help of the borders because well static analysis tools they have like an integral integral problems in with them because you know they're static and they just like all the dynamic data so how many times have you been faced with this problem you know that you're you're doing some kind of a static analysis you get sound function call and you just wish you would know the value of the argument passed to this function because well you could that yourself and trace back it would just take you a lot of time it would be much easier to just look at the values of the debugger so what you do is go to another screen over the border with a binary file place the right breakpoints he break bones watch the role values and then all of a sudden your then you look at some kind of structure so again you go back to your either the screen and you define this strategy will that a debugger and there's a lot of information going back and forth back and brought form from the static tools for that dynamic tools and all of this has been best mentally right through your head and that is very error-prone I think well as smart as we think we are and as good as we did we are we can make mistakes here and those mistakes can be revealed only much later on in this in the in the reverse decision and it could be it could have catastrophic results and the other thing is that it takes a lot of time and it's really really frustrating mean for me it takes all the fun out of reverse engineering because this is such a specific job that I would really like to have already inside my i the screen so it seems trivial to me this should be some kind of solution to bridge this gap and bring us all the dynamic data right inside our either streams now
that's not a new problem and looking the first one moves ever come up with this or was come up with some kind of solution there's been numerous solutions in the past and I like the categorized into 2 main categories 1 category is like stand-alone tools and those stand-alone tools do a great job but again since their stand-alone then once they have to leave my thesis and screen and go to these tools then again I have to mentally does the database and for and a although they are really cool that they just don't solve the problem they are just considered to me like next-generation debuggers and they don't solve this specific problem the tools I'm talking about the actually i'd up not being is that knows how to bring dynamic data right inside your either screen and we just you know briefly go over 2 of the best emotions that I could find and we're going to discuss their advantages and disadvantages of each 1 of them so the 1st 1 is called either spilled
it was developed by in 2014 by that critical and forwarded statement framework it uses the evil pin framework which is a binary system and so the thing is it's really you have to write your binary-file inside the with provided the tool and then you get some kind of trace file which you lay their loading to IDA and then I'd that takes as many either spilled takes all this data and presented to you so that's really nice and it has a very extensive tracing and the user's being and P. lets you put public functions a lot of interesting places in execution so you can see all memory reads right you can see function calls function returns because the branch instructions that's really cool editing his his breast statistics like whenever you start you we would you stand on any jump instruction then you see there are many times was this branch they can how many times was they can really insightful and really helps you out however there are some uh comes about this and 1 is that all data as you've seen before the stored inside your IDB fire would that this could you rectricted purity to be fixed but it's not fixed yet and for me personally I don't like other people people touching my IDB file let alone other plug-ins and when I have so much data stored as common sense and IDB 5 I just can't find my hands and my legs and I just I just From this but away immediately and another thing is that it only works on Intel-based architectures Wilson's p is an encode based is the designed by itself and another thing as far as I could see this tool is really good for in design for Windows OS so if furor looking into working with Linux or some other kind of lawyers then you need to modify their uh accordingly and it's not going to support the sold out until there was actually presented here if I'm not mistaken last year skull found that it was written in 2013 by guide which name I but you're of pronounced uh and residents those notes those Austin operator right sorry for it in any way for their dynamic framework it actually uses either debugging API and that seems to be really cool because at you'd never have to leave your eye the screen just run the debugger in which every debugger is supported by I that is also supported by font up that's really cool what it does the places breakpoints using the debugger at function calls and function returns and when breakpoints are heat he just didn't contacts they try to look at argument values the so that's how it looks like and it's a very intuitive solution and it looks like a really simple solution or go it's not extensive as the other 1 because it only traces function calls the function returns but I think that only you know the same function call the function returns of should give you a great insight about what these binaries doing and that's like uh on the uh good a good uh on optimization of tracing algorithms because if we actually want raise everything would take forever and another thing it does it takes a step forward and tries looks to look at those arguments and see if there might be you know ask your unique of strings and if they are the just places the asking those inside your IDB so all of the sudden inside you IDB you kinds of registry keys you know and and I could receive and that's really cool it's really nice nice thing to have the columns about it that it doesn't really follow any new tracts of your executable is creating any you tread then and funk up will be completely blind to it and that could be actually a problem when dealing with you know almost every every binary we would we walking with and another thing is that argument offsets are actually calculated manually so what it does is it goes to and you looks the value of this or R is the order of the truth about and takes that looks at the uh how many arguments should be the divide that by 4 answers OK so this should be the offset of the 1st argument is the 2nd is the 3rd and this could work that of cases but of course it could also not of cases and it seems to be like not the right thing to do because of all these data is actually already stored inside either so why do I have to calculate the manually and it really makes it uh like not really useable so you know I I I was sitting down and thinking I mean those are obviously great tools and why are and a lot of people using them 1 day to day basis because they really in order to solve a very very important problem so I tried to think of the reasons and the ones I came up with his 1st of all as you've seen before all the data that the brain from the from the debuggers or the whatever then dynamic framework using is actually stored inside IDB also stored inside text files in front of case but still it's not that I can't do any cross-references between them and it seems really logical know because there's that that does all of linear of logic that I can do that on those their role rho values and using the stores it's just simply can't do it because all I have is like a text search and that's really not enough now another thing is that entry level for adding any custom functionality is relatively high and they look at from cups case they do stream passing but if I wanted to do any other kind of passing that that would be really difficult I mean I need to go over the cold do it myself my take me hours days maybe even weeks but the thing is that pull wasn't really designed for that and you know everybody has its own parsing uh requirements and it seems reasonable that there should be some kind of uh you know something that will let me do that now the most important point that I could think of is that both of these tools for any of the polls that I could find as any reference to value types and what I mean by that think about fund cup places breakpoints on function calls then goes and bring you the argument role value but if this value is for example destructive than what I get I only get the 1st member of the structure and this is completely unusable to me because I actually wanna see the power struggle I have to do is open my debugger again and see the fact and so why do did they need this plug in the 1st place I mean these types thing is is that is the whole point of making this kind of plug-ins the In my opinion 1st
so I hope you are prepared to die an so
dying is light plug-in that I designed to solve this problem and its skull there because it's a dynamic Heidenreich fret framework and what it does is it takes a very similar approach to the 1 found a bit it collect contact and function calls and function returns and once those role values come back to me I try to parse them in some kind of human readable way and that's the best definition fiber and other thing is that I tried to read to design some kind of smart interaction between static and dynamic data so you can move back and forth from steady get other than any data and over and over again and it could be very very usable and that the last point is that I wanted to use knives is much ABI and API magic as a could I don't wanna calculate anything myself not the arguments nodded types not their positions nothing I want all the data that is stored and I have to be available to me the use of inside my 2 so there are some implementation challenges here I would just briefly go over them so the first one is OK so you wanna collect function arguments and types and everything but how exactly do you do it and United API is not exactly the most easy thing to to reality is that the thing is once we did manage to get those all values how we and which passes should leave it with me what is important what is important and another point is OK so let's say we could use somehow would you know bully the other easy types like that but what do we do with it when we encounter structs unions the references I don't know whatever complex we have so let us those 1 by 1 just quickly so for function arguments I had always of fun with either API was really I recommend to everyone not really uh anyway they didn't that I could find some kind of object called the for the object which is the typing for any told area decay this amount of information about types this is just there's small small spatial all their of all the functions that go for all of this functionality is and it's really cool and the thing is that digging even deeper into this thing for the object that I find those objects which are found by the the the found out the hard look the which actually gives me all the data about function arguments I absolutely have everything here I mean I I I that tells me how many arguments as a function has and when I know that the argument for a specific argument would it would then be whether it was best by stack and if so what is offset and whether it was best by register and if so what the register and it tells me that type and the name of this argument and it also tells me this argument is guessed I mean by that doesn't know the type and just this there is reflects and this really cool I can really use that inside my plug
so the other thing is that know that I have the role values then how of body parts and I mean I have my own the 1 that I need for my work but it's impossible to think of all the scenario so it really makes more sense to make some kind of plug-in framework which ever would rev everyone anyone could write isn't that images but in the uh the framework and start parsing his own values so this all works
something like this you make up your own logic you're passing logic here and your value parser gets to be with arguments 1 would be the argument type and other would be the actual value now remember that this thing is actually running in runtime so these has actual access to all memory at the point of execution so the output will be spent of human readable value you decide what you read about it but we want what is human readable value and some kind of score and I get to the score in the 2nd so let's look at the example for example we have a boolean value I that tells us this is a boolean value and the value is the role of the role is 1 then we just output troops and can't because we're sure that this is a boolean value because I know so uh but if I that doesn't know the type of its guest then we can still say hey this is 1 so if it was a boolean value so the value will be true however I'm guessing so the score is a bit lower and you consider scorers however you like it depends on your logic so that's basically value passes and now for complex other types of those value process could walk really good when talking about you know strains of William values but what we do when we get to those stripes unions references so that's pretty simple we just break them up until we get to the simple types so that the for use Wikinews the same for the object show you before to just a number at all its members and the same goes for arrays and the same goes for reference as we actually
have a function to do with all that the effect the dereferencing stuff so we don't really have to do anything no self everything is already done with deny idea that school so I am
I I prepared is nice illustration to show you how exactly work so this is our either and inside I that we have our disassembler and we have already butter and probable of these we have died API which lets us access everything of course is seen for so now we have died and i is a plugin for either and this is the core which all's all the all the logic and it also has 2 very important parts 1 would be divided pauses this is the plug-in framework was talking about and another will read IDB will all we're all of the past values will be actually stored so this is our example cohere events and we see reversing the colder at 2 function calls 1 2 from 1 and the other to an unknown function from 1 gets to input arguments 1 would be a string with a value is still 1 other would be just the value 1 and the unknown function gets it gets just 1 input argument and a string with a gain of all US 1 the difference between the functions is that for function 1 I don't knows all the types because the symbols on the right and somehow it actually knows the types for the unknown function i . knows nothing about so let's see how it works when you 1st start by the 1st thing that will happen that the this under will look for any call instructions inside the function your only standing on and we place breakpoints on these these functions and then we get a debugger the debugger gets to the 1st function and then we issue has that been command and we step into that function no once we've stepped into the function we just start to take the function arguments so using this assembler that the 1st argument which is the cost of a and this this is now pass through uh parser plug-in framework and since we know the type and the poses no the types so this string passes pulled out and the use of this value and the output of this would be F 0 1 and if the R 1 will be stored in the database now the 2nd argument is an integer and 2 will be best developers is over we don't have a parser for integer so we just simply stored the robot inside I now after we did that there's nothing the another thing we do and that's walked through this function again for constructions and now we continue the debugging and yet to string compared us recovers the library function and for I library function it's like it's a case you know you can either do this again and again inside library functions and if we're talking about Windows you probably end up in somewhere like and uh but you don't have to do that so that's the question is is reconfigurable you can choose what you want to do not that if if not it would just go 1 step and by the side after compare and give you all the arguments that the gap and that it go but whether or not we like to do that let's just continue and say we got out of the circle there and we could use ecution stepping out of the functional once we've stepped out of the function and the the main function there's 1 more thing we need to do which is to pass the return value and again we know it's a boolean value that's the body poses and the truth about the now we get to the unknown function so we step into the unknown function and in this case you see that the arguments about means and so that side as way of telling us that they I don't know what types are uh but we have a better way to do it because we look at the input the object and we actually see the flexible when we take this argument now and that's at the value closest they will know that this is a guest type so they have no way of putting out that the correct bloody so they were just try all the plug-ins and it's plug-in can actually guess that value will do so in this case is 1st of all we stored the role value inside IDB and then the string that was say hey that could be a strain so let's stored there and IDB and now it's up to you to choose which 1 is correct you just look at that as at that the function calls this can be a role at this must be a string in use at the time was Frank so that's basically that's how by works and now let's talk a bit about the value poses no no diet will only be as good as it's funny passes and as many as is much value passes there will be an as he has many values will pass and I will get better and better and what you have to understand what I did up to now only in a small community that uses died that is just right up passes a for our specific needs and whatever we got to something went to Boston we just wrote apostle for it so let me show you what we have up to now so let's start with
a simple body poses which are extreme
possibilities in before now uh we actually use the ITC gets train which helps us to pass pass histories unique oats rings a skull strings and hold other bonds of strings they really don't know anything about but we do watch that and would positive seen this true
zeros falls really and energy thing is a function
parser so when you get a role value this process actually checks if that role value references any the beginning of function and it does it will actually give you the functioning so when the function is being passed as an argument to another function is that of seeing the role value will actually see the functioning which is really useful and other thing is a model parser
which just does the same thing only would model so if you're 32 for example will be passed as an argument that function the we see the strength and the 32 and we really know the into modules so it would be really easy to work with them so it's a bit more advanced courses Is there a hand now we're all these bonds pulsar to handle uh Windows handles and it works only on local debugger but it could directly walkin remote ones and what he does is he takes 0 value and it uses duplicate handle to try and duplicate it and if it succeeds it uses in the query object to get the handle type and names of think about it's really cool I can actually see all the runtime handles so when the function is best to handle I can see that handle what is type and what this name that's really super useful and this is also another another good example of of a parser which is as it is string that I came up with a molar that users as to the strings but I don't know why it's the first one i've so and I read it a I was so familiar with the implementation of a city strength which is like basic string and so for those of you are to unfamiliar with that that's that's like how basic street works I mean at offset 4 of these complex object there the union which all 3 members 1 the buffer others a pointer industry can be either stored in the buffer as string or it can be stored as a pointer to the string so also for I just so the string or that of the string and why why's that I mean I'm not really sure if if if genius or stupid anyway that's how it works and what we debugging this it really makes our life hard because whenever we get the basic string with the goal of inject is saying that is the reference and it takes a lot of time so writing a parser for this is actually pretty easy we don't need to know anything about almost anything about the implementation we just go to this also for NCAA is is a string of cool if not is this a reference to his friend cool then we have a basic strain L 1 more thing we have to know that the you know if also for this thing and we might also want check that off 0 string with the just looking of substring but if we just implement this logic and we have a positive for basic space and all of a sudden we can see all runtime executed basic strains so that's basically it
and I'm kind of finish talking and I have tree demos for you of diet and I chose this demos was really really carefully and there from you know different worlds in reverse engineering solar just go to the 1st 1 so the
first one is actually another research project that they're working on and during this project that I came up with this application it's an 8 and to more of the utility and it has some kind of password protection very stupid possible to in and we need to bypass that and we need to do it quickly so that thing is that when opening this in in either these colonies in really ugly C + + code and it to me I actually did it would have died and he took me and I'm pretty experienced it took me about 15 minutes to get to the point where it worked what where could bypass this protection of 15 minutes now look at how quickly can I do it without so the Democrats and everything reward
tha so this this the it looks something like this can you see well but there's a password so and there's some
kind of buzz word here and here OK and of course it's invalid password and that's what we have to bypass so let's look it up in Canada article so that a node i also
and the 1st thing you notice when you want when you load dying and I would I plug is this nice Scott scare which is a really you 1 of the best features we have and then you will know this little many here which is by an open it up you will see all kinds of the options like to load the previously stored IDB or to say that I the and setting is about and we we we would quickly going over the over all of them so in this setting is 1 has you actually see that you have here and option to step into the mother is a just told you before and 2 other options I'm gonna show you in the next example and of this Arab but if you use for debugging it's in his whether you want to actually pass arrays and containers just structure units 2 references arguments or whatever and the 2 values there at the top of the screen are actually used for optimization so not similar function calls me is that when die will encounter the same function it's being executed more than this amount of time it will stop wondering it so it's really useful and when talking about like you I cases where the function with executive like thousands of times and you don't really care about it but device we just exclude them by doing this and other things that match the reference that because we must have some kind of you know to stop somewhere would win dereferencing stuff otherwise we will never stop probably and so that's basically it's pretty simple and this is our program and we have 3 options to start by that 1 will be to the body of the cost and scope and that
means that we can just choose to the body of you know somewhere between this function this function we can actually choose functions and that would be the only scope being being about and another thing is that we could like that divide the entire code and that means we came before we even start execution we browse through the entire code phrase break break points on each construction that could be a bit slower and the other thing is just example that I showed you which is go from complications so we just wanna start in this case from we we make because we don't care about this year's the stuff and everything that's going on before we mean so they just
stand on we mainly here and keep f which is a shortcut and I would start so this takes a while but but remember that it took me like 15 minutes before so it's not enough it hopefully but OK cool without the screen that is the password so that just entered known any password that saying recon 2 thousand and 15 that's a bit slow because confident of that it's now actually tracing everything in the background now so that it becomes a thousand 15 that's it OK here and see what happens maybe it's a password they're no such to that is now the applications stops and trying out and everything returns to normal now di has 2 main views 1 is the function view and other is the value so let's start by looking the functions you so function you without giving this nice screen here show you all the upon the functions being executed that from time so all of this kind has had actually been executed and this is the number of times have been actually seen so let's take a look at the
first one ouch also if you have an interest then you can see them here in this case which is the single trip but you can you know split up I travel see all the trades so the 1st 1 will be a fixed get following and it's been called by here this is the point in the in the cold winds music also if without heat that we can see that they that's where called since the call so when we open that we can see appearing 0 because you know for each point in the code were with the the call instruction could be called a several times for instance if it's like inside some kind of loop so for this season's we just have 1 occurrence and when we open it up we can actually see all that there you go here
sorry so we can actually see all the arguments being passed function the this a strain its name is Islam is the string of history what I'm much them and these are the call of all users of the values that were present at function call and other 1 shows you all the values that are present when the function returns so if you change you can see the change and that's that's pretty much it now for this function we did know the symbols that you see when all the names and everything but let's say for the other function and right here you see all the values are written as genes because we don't really know them and died places this I believe the question mark because just the right near them which means that these are actually guest and the value positive against those values and look we who can see everything I mean it makes sense that it's best you know a string valuable body or another is an extreme value and the return on argument down there is true so its bullion so it it really helps us a lot and just some more most features before I go on um for instance if you stand here and this appearance and just by clicking it you can actually she sees in the call graph showing you the exact path of execution that led up to this function which could come in really handy
sometimes and let's just browse down here a bit until we get 2 of our results but there is WC stopover known function and it's over now and
we see this functional and it has 3 elements work so that the W S that and then integer and this LP W . is actually a complex data type and that's a pointer and if we open it up then we do reference that and we find that we a structure and we when we open that struck then we actually see all the members of the structure and all their values
so we actually just you know I took a look at all this structure the data at some time and that's that's really cool that could be really really helpful in my opinion so all OK so that was the function view all you have a couple of more options Black-Scholes 50 would show you the entire city it's public kickable so if you wanna know going through 1 function with if it helps and we have another thing that will uh like market unlock
Executive executive flow so we can actually mark the functions being executed which could come in and then we can of course they get off if we
so the other of a few I've been talking about is called value you know values you will give you a totally different view of of the of their execution you will not see the functions but you would actually see the past values here so those are those are all the possibilities and I have encountered during the institution and you can feel them out by you know just look at let's see all the modules being executed so there's been only 1 of you here and you see its role value was no OK and instead of just sorry showing you the role value that you see them on you name so this could be really helpful and the same goes for functions for example here we have another functions the and also same goes for strings 4 strings if you remember was quite a long time ago but I want the recall in 2015 as a possible here so let's look up of frequency recount 2015 here and if you see it but it is so using the recount 2015 so that actually is so so that value because we entered at runtime and what we can do now is just double-click this value and boom with a function where that value was actually enter and let's look at which function it is there is str compared and which is the uh what what is the other argument being best here well it's a 10 2015 0 6 20 which it might be the password right so just look at this is a step in the and now I actually have the password so do you remember it because I keep forgetting the password there was so a and 2015 0 6 so I just good as they can 2 thousand 15 0 6 20 and we just by press the button protection they just to me like 2 minutes to do this is that the 15 minutes think about how useful in this big so that was my 1st example I have 2 more the home known
all that the presentation and 2nd 1 OK so the 2nd 1 is actually Fisher future again talk to you about I considered like side feature of the I but the thing is that you know when we're eventually like a superstar school for example we got a lot of indirect calls and the neighbors all this other kind of stuff that makes our life really hard now the thing is that 1 guy wards so when it steps into a function so it makes sense that we we can look back at where we came from and say paper was there any expressed coming from the and if not we can display because we know which is came from there so by just doing this we just sold all indirect calls because everything they record we now have an integrated expressed in through the place it's been called another thing we do is that when we step into a function which would of this function is actually defined fine and if it's not defined we can trying to fund so whenever we have some kind of you know uh undefined blobs inside inside either than would simply reducing died without even using anybody bosses then we can actually get a complete and called on a sort of evidence you know not not complete but more complete it was before so let us see how we do that so the application as i said Gordon didn't say it's said 760 aligned between bit work with and that's somewhere over here yeah so let's open 11 development and the discounting but then could so considers good not OK so here I've set up a few pointers here to just show you what's going on with application so we have a couple of undefined function couple of miracles is to show you this so that step on this undefined function and that it's an undefined function that's a function and we don't have any interest this function nothing at all so we we can define ourselves but the let's not do it and so on we have a couple of those here's another 1 and another 1
it cool now we have a few indirect calls here so images simon this miracle for example and see what we don't have any pictures of course and and 1 here that stand here that sort again no it's worth nothing absolutely nothing so we just want quickly solve these issues so just stand here and now we go to die settings and I told you before I will talk about those are the 2 features that I mentioned 1 is new functionalities which will actually try to define a function the other would be and expressed if they're missing so just like you know checking those 2 options
and running die let's see what happens the so the debuggers no stolen stake in while the the and and it can do it but called that it is done so let's look what what happened so that affine function yeah well defined the and all the fuzzy it on here everything is cool so other ones another undefined function defined and another undefined function also define now as for the indirect calls let's go to the 1st miracle where now here is that
standard and with J. hey no we have an extra and when they serve to this function and 1 standing on this function function and its the then had a we now got that big threat to indirect which is Freddie pretty useful at and the same
goes for this in the coal and and we go picture goal and the other 1 somewhere over here this 1 this 1 called here for the personal thank you thank you the OK so
now this is like word the demo God's really hit me because I need either 64 bit run this them all and it seems like minus 4 beta stressed this my and so I do have a video presentation and I can try using another computer in shift would like to try and hook it up I hope it works if not I would show you that the demo anyway just a few words about this all you didn't think I let you off here without doing in analyzing of any and Trojan 0 my work so this is going to be yeah I think so this is gonna be the
explosive presented suppression that with the mole complained that we just recently uncovered and the thing here is that you know once we have died at the that's so the end of it I mean there's a whole lot of
logic we can actually implement on the diver database itself so we can just with what's wrong I can't believe it is important for I couldn't go OK so there's a whole lot of logic we can implement on the database itself I mean just you know think of all the users on automated automated tools and stuff like that now what do you see what I did here and the known the sun beginning the well that's really small
total so this is my i just have the died file here and I'm not going run the model from my friends machine and so what I'm gonna do here but this is really small so I'm gonna show you how I know that previously for the so I just go here and load IDB and you know choose my my body B which is named the for accordingly and it takes a while to close everything up how can you guys see that the the output window In the back of this good no I have assume it's over tritheism much as I can so was loaded their that interest no take it up with it OK so that's what you see when you know that the bases as there were 449 functions loaded and was values and France in whatever so the thing is our
mission here now is to find find this this model has some kind of the obfuscation function text the obfuscation function which is very common for every mole and no O job here is to try and find that the obfuscation function using nothing but died not in not in a bit of static analysis so let's see how we do that with prisoner or and I just know the be so we do have some kind of API lets you xis all there and itd stuff so well that's really really useful so what I do now is just load load up this
API so here it's important in glider and next thing I'm going to be used OK so I give a command to ruled out all functions that it has stored inside did so how many functions do I have think
of and then a function so uh as it said before we now have 449 they could functions so that's not enough but was so we're talking
about A. D. obfuscation function then we would like to rule out library functions of the signal is because obviously a devastation function will want the library function open letters where's my cursor OK they're just figure out and OK so now I give a command and I have been known lead functions which are just the the dataset without the library functions so all again letter functions now I only 158 functions that still not good enough so what I wanna do now is actually try and take out all the functions that that I noticed are returning because if this cation function must demonstrate right so this OK so now we have all of those functions uh no we're up with only 17 functions state that's great right but uh let's to the other bit more and say OK I wanna see only that a top 10 functions of this that the 1 that was called the most because of this the differs cation function would be called a lot during the execution by and so now we have that for the few that out and just 1 more fear there would be like to sort them out according to the amount of expressed they have because whether or not it was not executed is still at the obfuscation function must have a lot of its 1st coming out from all over the court will not was executed so now we have everything sort of here
and next or is it OK so let's iterate through through this and print out cool now we're left with only with this function here OK 1 of those functions must be that the obfuscation function this we hope so so let's take a look at the first one it is a form output can find it so let's open function view here our function you yeah that's a problem but here no who so what this is her pretty small it I can OK just as I was with friends so this is the function that we found this is the 1st 1 that was returned see down here let's look at its
appearances and see what it actually returned so that's new open up just a few of those so you have to give this doesn't really look like the which be right so this this this question marketing is that you return value and a skate can be give special function because judgment returns gibberish so that that's not it that's not it so if we actually go to this function implementation this is my actual and the IDB file so we can see that this is the that substring function OK which actually you know matches all this are adjusted so it makes sense that would be the first one but let's look at the 2nd 1 and that it just up in function you you from have you for so it's supposed to be somewhere in here and the 9 7 it but it is so that's open up some of their appearances here so 1 utterance to appearance returns for humans 5 minutes the we get this kind of you know who what looks like a you know the basics of 4 on the on the on the runway and the output values are actually strays and those who are actually doing obfuscated strings so here we just found and you know it we did absolutely nothing that would take the university says incision like uh at least about you know half an hour to get to that and I just did that now practically automatically so that's really useful when doing model such a thing and that's like the presentation we we just flows was that my presentation just a few more slides
left the the West the to I just wrote down here OK so I got to know them was well it was really
fun so at a few things that we still have to do in and 1 of them is a handling functions outbound functions actually break up a lot logic because for a time function there what happens is that when we step into a function which is of a series of instructions that end up in some kind of jump instruction so we don't actually pretty this the breakpoint the construction and I would be absolutely blind to what's whatever is going on there and they're always for either no pun functions and actually if legs then yeah but it doesn't know about all time functions and we have to find some kind of solution to that so had that in mind when when using died another thing is complex final bosses because what we do now is just take the function arguments and pass them 1 by 1 but that could be uh and not the necessary cases there could be another case when we would like to take the value of 1 argument and use that value as an input to another argument like if we're talking about you know we have some kind of size argument and we won the best that size to another argument that this must be implemented some kind of a complex function positive so the other thing is better good well I'm not really your your your energy is going i and i didn't specify as I could and I really struggled with skew the thing that that but it's for walking and if somebody wants you know is really good repute in once the design and you wouldn't please feel free to approach me and tell me about it another thing is a much better dollar-based Cozumel much database diamond is the what but the other thing is to solve some very dramatic precious and we're is experiencing him here and there and we actually have a case opened with its traceable of all that and we really hope we can fix that but if anyone can somehow replicated this issue or come up with good examples of precious then please let me know about that and we would we best approaches rays and otherwise you've seen it's working with just here and there there are precious and so it looks cool in other yes you can the and I is a completely open-source tool and you can find that it might be updates which was that just made public to their economic down an really the most important point and if you like it to please configured by own bosses they take them up into the page and you know in which the community and just 1
more thing I have to say before I finish it is the stock this is actually a framework made my by my colleague from your behalf and it's really making life much easier when working with either pipe I recommend you all to try this this thing uh and because you know I don't like them can be an idea can be quite complex that sometimes so it's critical area recommended
that is because there's been so many questions thank thank thank you it is very cool thing I just
would question the question on this will work Reiter of energy just there's kind of hectic at the moment but in my experience I had a hard time with functions that pass arguments the registers right like this call fast called it will pick those up a lot of the time I is dying because of its dynamic analysis is easy for define those resul that no locally they all the value they can from either so if I go up what's up by 4 it's up to you thank your a effects to tidy so there have a class of 40 will I have seen your their presentation and I was wondering the EFA when you have done they lost the more you have run a day in to lucky not differ machine not or not there's the like it means that you have to he stellar tie-dyed not being the infected that that's the upon machine right and you could use the remote by the debugger uh that would work just takes a lot of time usually I just like to install my own identity only in that machine but that's not necessary law book and thank you the or not no thank have and so