hitbd09
TRANSCRIPT
![Page 1: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/1.jpg)
The Reverse Engineering Language REILand its applications
Sebastian Porst ([email protected])zynamics GmbH
![Page 2: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/2.jpg)
I write code for
... sometimes I debug other people‘s code
![Page 3: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/3.jpg)
We love graphsWe love static analysis
We want to improve binary code RE
![Page 4: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/4.jpg)
Reverse Engineering Intermediate Language
![Page 5: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/5.jpg)
Three Good Reasons for REIL
Simple
Free of side-effects
Platform-Independent
![Page 6: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/6.jpg)
988
1000+
17
PowerPC x86
Fewer Instructions
REIL
![Page 7: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/7.jpg)
X86 Code PowerPC Code ARM Code
X86 Translator PowerPC Translator ARM Translator
REIL Code
MonoREIL Other AnalysisAlgorithms
![Page 8: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/8.jpg)
Close to the original architecture
Infinite amount of memory
Infinite number of registers
Register-based Virtual Machine
REIL VMArchitecture
![Page 9: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/9.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Instructions
![Page 10: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/10.jpg)
1 REIL AddressNative PartREIL Part
1 REIL Mnemonic3 Operands∞ Metadata
1 REIL Operand2 (really 3) Pieces of Information3 Operand Types7 Operand Sizes∞ Operand Values
40131A.07 add (t0, b4), (t1, b4), (t2, b8), [(foo, bar)]
![Page 11: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/11.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Six Arithmetic Instructions
AdditionLogical ShiftUnsigned DivisionUnsigned ModuloUnsigned MultiplicationSubtraction
![Page 12: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/12.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Three Bitwise Instructions
Bitwise ANDBitwise ORBitwise XOR
![Page 13: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/13.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Three Data Transfer Instructions
Load MemoryStore MemoryTransfer Register Content
![Page 14: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/14.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Two Logical Instructions
Compare to ZeroJump Conditional
![Page 15: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/15.jpg)
addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor
Three Other Instructions
No OperationUndefine RegisterUnknown Mnemonic
![Page 16: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/16.jpg)
All Instructions are equal ...
... but some instructions aremore equal than others
add t0, t1, t2
and t0, t1, t2
bsh t0, t1, t2
div t0, t1, t2
mod t0, t1, t2
mul t0, t1, t2
or t0, t1, t2
sub t0, t1, t2
xor t0, t1, t2
bisz t0, , t2
jcc t0, , t2
ldm t0, , t2
nop , ,
stm t0, , t2
str t0, , t2
undef , , t2
unkn , ,
![Page 17: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/17.jpg)
What REIL can‘t do
FPU Instructions
System Instructions
Weird Instructions
fadd
...
int
...
setend
...
![Page 18: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/18.jpg)
More Architectures (x64, MIPS, ...)
More Instructions
More Operand Information
![Page 19: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/19.jpg)
So ...
... what is it all good for?
![Page 20: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/20.jpg)
Register Tracking
Follow the effectsof a register
on the program state
![Page 21: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/21.jpg)
DemoRegister Tracking
![Page 22: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/22.jpg)
Negative Array Access
MS08-67
![Page 23: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/23.jpg)
DemoMS08-67
![Page 24: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/24.jpg)
... but aren‘t those really difficult to implement?
NO!
![Page 25: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/25.jpg)
MonoREIL
![Page 26: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/26.jpg)
Create an Instruction Graph
Define a Lattice
Define Transformations
Define a Graph Walker
Define a Start Vector
![Page 27: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/27.jpg)
Create an Instruction Graph
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3 1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
1404: jcc t2, , 1406
int t4 = t0 == -15 ? 32 : 16
![Page 28: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/28.jpg)
Define Lattice Elements
B
T
![Page 29: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/29.jpg)
Define Transformations
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3 1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
1404: jcc t2, , 1406
![Page 30: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/30.jpg)
Define a Join function
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3 1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
1404: jcc t2, , 1406
![Page 31: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/31.jpg)
Define a Graph Walker
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3 1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
1404: jcc t2, , 1406
![Page 32: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/32.jpg)
Define a Start Vector
node1 → initialState1
node2 → initialState2
node3 → initialState3
node4 → initialState4
node5 → initialState5
...noden → initialStaten
![Page 33: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/33.jpg)
Running MonoREIL
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3 1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
1404: jcc t2, , 1406
initialState1400 → finalState1400
initialState1401 → finalState1401
initialState1402 → finalState1402
initialState1406 → finalState1406
initialState1407 → finalState1407
initialState1405 → finalState1405
initialState1403 → finalState1403
initialState1404 → finalState1404
![Page 34: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/34.jpg)
The Result
node1 → finalState1
node2 → finalState2
node3 → finalState3
node4 → finalState4
node5 → finalState5
...noden → finalStaten
![Page 35: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/35.jpg)
LOC? 14 + n
Lattice
8 + n
TransformationsGraph
1
12 + n
Start VectorWalker
1 + n
![Page 36: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/36.jpg)
Register Tracking120
Lattice
120
TransformationsGraph
1
90
Start VectorWalker
1
![Page 37: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/37.jpg)
DemoRegister Tracking Code
![Page 38: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/38.jpg)
MS08-67
500
Lattice
1700
TransformationsGraph
1
150
Start VectorWalker
1
![Page 39: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/39.jpg)
DemoMS08-67
![Page 40: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/40.jpg)
Deobfuscating Optimizer
Type Reconstruction
![Page 41: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/41.jpg)
Related Work
ERESI
Vine (BitBlaze)
Silvio Cesare
Hex-Rays
![Page 42: hitbd09](https://reader033.vdocuments.site/reader033/viewer/2022052705/577cc9d81a28aba711a4c9e0/html5/thumbnails/42.jpg)
Thank You!
Questions?