DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

That guy is freaking nuts.

👍︎︎ 3 👤︎︎ u/collegeprepkid 📅︎︎ Apr 22 2017 🗫︎ replies

Rewriting GIMP in Assembly: not what you might think

👍︎︎ 3 👤︎︎ u/v_fv 📅︎︎ Apr 22 2017 🗫︎ replies

I think this talk has been done before. Like almost point by point.

👍︎︎ 1 👤︎︎ u/[deleted] 📅︎︎ Apr 25 2017 🗫︎ replies

Captions

all right good morning everyone thanks for being here my name is Christopher Domus I work for this R&D company called the Battelle Memorial Institute it's a pretty neat place to work if me a chance to look at a lot of the fringe areas of cybersecurity uh which keeps things entertaining but important disclaimer before I begin everything I'm going to show is just my own work in my own opinions second important disclaimer everything I'm going to show serves absolutely no purpose whatsoever so if you're really interested in a practical talk this is probably not the right place to be but I think it's still going to be really entertaining and hopefully see some interesting stuff so what I really want to talk to you about today is reverse engineering because I do a lot of reverse engineering I take software apart and figure out basically how it works but for whatever reason I also spend a tremendous amount of time trying to think about how I can make my life more difficult in other words how can I make it harder to take software apart and figure out how it works so there's a couple of basic ways people normally approach that problem of making things more difficult to reverse engineer to take apart encryption is a pretty common one to make things harder to understand obfuscation of code is another technique people use to make things harder to understand an entity bugging tricks are yet another tool that people commonly use for anterior versus engineering again to make things harder to understand there's kind of a theme and all the approaches people normally take for anterior reverse engineering you're just trying to make things more difficult to decipher so I was tinkering around with that over the last few months and I kind of came up with this neat way that incorporates all of those things at once as a revert anterior reverse engineering technique and the idea behind this whole thing is that for the most part in reverse engineering we're going to look at the individual pieces inside of a program in order to try to understand what that program is doing so using a tool like abdu peer we can look at the individual instructions inside of some unknown file and we can figure out exactly how that file is going to work we can take it apart and figure out what it's doing so if I ran abdu on some file I might get something like this so an experienced reverse engineer could tell exactly what this was doing in a couple of seconds even somebody with no reverse engineering background can actually pick this apart and tell what it's doing with almost no time at all so starting out I'm just looking mostly at the mnemonics that are going on here it's moving zero into memory that's going to be initializing a local variable it's pushing something out of the stack as an argument and then it's calling a function to print that argument out there removes that thing from the stack and it adds one to its local variable it then compares the local variable to one hundred and if that is less than or equal to one hundred it jumps back to the beginning here so basically it's just going to sit in a loop a hundred times printing something out and no time at all really just by looking at the instructions being used we can understand exactly what this program was trying to do but a few months ago I was reading this paper that I found really really interesting it was just called move is turning complete by a guy named Steven Dolan so really really simple concept if you're not familiar with the move instruction it's a comment on instruction basically the simplest instruction in all of x86 it just moves data from one location to another nothing more involved in it so what about that turing-complete part well that means that any code that we write in any language could really just be written as a set of these unconditional data transfers instead and absolutely nothing else and when you think about everything you do in a program that's actually kind of mind-boggling it's hard to believe when you think that we're doing arithmetic in comparisons and jumps and function calls and exception handling in our program theoretically all we need to implement all of that stuff is just a bunch of move instructions and as I thought about that more and more I thought well that would be really really hard to reverse engineer wouldn't it because we would go from something like this where we've got all these instructions that perfectly tell us what's going on inside of the program where we can instantly understand what this program is doing so just a whole bunch of unconditional data transfers instead so all of a sudden all the cues we use for reverse engineering have just been removed from the program we've got nothing to go off of anymore every instruction looks exactly like every other instruction it is really really hard to reverse engineer this kind of thing so I took that idea and I've been running with it over the last few months and at the beginning of Def Con on Thursday I released a move on the C compiler that will take C source code and translate it into only move instructions so this is pretty fun as far as I know this is the first single instruction C compiler ever mostly because I don't think anybody's ever wanted to create such a thing before but it's it turns out to be kind of neat so I call this thing on the Mafia skater because it turns programs into moves as an obfuscation technique and we can really do anything with it so for example I've got this a really simple little C program that prints out prime numbers so not much involve there and I could compile this with a traditional compiler like GCC and look at the instructions it gives me and that's great but if I look at these instructions it takes almost no time at all for an experienced reverse engineer to pick this thing apart and understand exactly how it's working but on the other hand if we use the mob the skater the mob CC compiler I do the exact same thing all of a sudden we've got nothing but thousands and thousands of unconditional move instructions implementing this thing but the cool part is if we run this it just calculated 10,000 prime numbers using nothing but unconditional data transfers but that is a nightmare to try to reverse engineer that kind of thing but it's not limited to simple little examples like this if you go onto that github page it'll include this little check script so what the check script is going to do is it's going to automatically download an open-source AES implementation in C it's going to run that through the move compiler as soon as it's finished compiling the thing it's going to dump out the move instructions associated with that you'll see that with just a couple million move instructions you can implement AES so this is not fun to work with as a reverse engineer but it's really really neat to think about that just by moving data from one place to another we can do really really complex complex computations so I sort of meant this as like a thought experiment in anti reverse engineering but mostly I just thought it is funny that you could have move instructions doing really really complicated things so it finally finished running that and will actually run our a es algorithm and encrypt and decrypt some data using only move instructions but we can make it more complicated I wrote a little nibbles game if we link that so we can play video games now with only move instructions we can take it a step further my or that move compiler we created actually contains a complete move only floating-point emulator so you can do floating point math with only move instructions so since I could do that I decided well what's the best demonstration of floating point math I could come up with I figured I could make a 3d engine which is a lot of floating point math like trigonometric functions and matrix transforms and then I could compile at with the maava skater so we've got a completes a little 3d program here written with only move instructions we can now do incredibly complicated 3d calculations I even took this as bad as far as I could possibly conceive and actually MIFA skated the Moff ascator so I've got a program written and only move instructions that compiles other programs and to only move instructions so that's a couple so this is a couple million lines and we're not going to sit around waiting for that to to finish dumping so I thought this is a really cool technique if you actually like reverse engineering you can check out some crack knees on that github page and see a move on the reverse engineering for yourself but after I finished this I started giving this some serious thought as from a reverse engineering perspective I thought how would an experienced reverse engineer approach reverse engineering something like this what would I do if I looked at a program and I opened it up and all I saw were hundreds of thousands of unconditional data transfers well realistically I'd go find something else to do I I reverse engineer because I think it's fun and this does not look like fun to me but I had a big realization at that moment from an anti reverse engineering perspective code doesn't really have to be hard to reverse engineer all we really need to succeed an anterior reverse engineering is none of the things we've traditionally been using we don't need encryption we don't need obfuscation or anti debugging all we really need at the end of the day is we need to make the reverse engineer give up that's not necessarily the same as making code hard to reverse so I started thinking how else could we make a reverse ER quit if we don't want them to reverse engineer our code how could we stop them from looking at it in the first place and I thought the obvious thing solution was psychological warfare we could demoralize the reverse engineer and try to break down their spirit until they had no more will to continue reverse engineering our code so I started thinking how how could we actually accomplish that though it seemed clear that if we wanted to somehow demoralize a reverse engineer we needed some way to to influence them we needed a way to influence the reverse engineer through our code all they're going to get is some compiled binary and I need some way to have that binary then influence the person looking at it to try to get them to stop looking at it so it seemed clear to me if I wanted up my binary to influence a reverse engineer I needed some way to send them messages through that compiled code so there's some easy ways we could try to send a reverse engineer messages we could just embed a string in our program like stop looking at my code would reverse engineer when they're dissecting our program we'll probably eventually see that string but that's not a very good technique I'm a reverse engineer if I saw somebody put a string in their binary saying stop reverse engineering me I'd probably laugh at that that's just that's silly that's not going to be effective so strings not a really good solution then I thought entropy a lot of modern programs are starting to look at entropy distributions as a reliable way of some types of reverse engineering so like if you download the latest version of hopper a reverse engineering tool for the Mac they actually have entropy visually shape visualizations through hilbert curves inside of hopper so I thought well maybe if I ran my message to an invert inverse Hilbert transform and adjusted the entropy inside of my program I could then send in reverse engineer messages through the entropy distribution of my program but so it works you can do this but again not the most effective technique somebody's going to see this and then just move on to reverse engineer in your code so still not going to really accomplish what we want all these are horrible solutions for sending a message to a reverse engineer at the end of the day no one's going to see the message if they do they just won't care they're going to move on keep reverse engineering so we need something better if we really want to be able to send a message to reverse engineers so I started thinking about the tools that I use for reverse engineering so if you're not familiar this is Ida Pro this is probably the de facto standard in static reverse engineering any professional reverse engineer is going to be using Ida Pro that I set to your code so I really wanted to focus on Ida as a means for sending messages to reverse engineers and I they can do some basic things for us like it can show us the code inside of a program just like we were doing with object on before but either has a more powerful capability and that's control flow graphs so the idea behind control flow graphs is something like this we've got these basic blocks that do simple things and then at the end of a basic block the program makes some kind of determination and it's going to go down one path if it decided that thing was true or a different path to the side of that thing was false so we've got a whole bunch of these basic blocks that are all connected by decisions inside of the program the nice thing about these control flow graphs is in just a couple of seconds I can tell at a high level exactly what this program is going to be doing so for example this branch here is going to be if statement this arrow going back here that's a loop happening inside of the code so at the end of the day most reverse engineering is going to be done at this level looking at control flow graphs to quickly get an idea of what's inside of assembly so almost every major at least static reverse engineering tool is going to have control flow graph support and anybody doing static reverse engineering they spend a lot of time looking at this so the hopper reverse engineering tool for Mack has control flow graph in Nabby control flow graphs Rodari has control flow graphs this is the thing to use for reverse engineering so for this presentation we're going to look at Ida a little bit but the algorithm itself will work on pretty much any of these tools that you look at so the idea behind this was sort of spawn from a lot of late nights of reverse engineering so when it's 3:00 a.m. and you're looking at assembly code and control flow graphs and you haven't slept for 30 hours because you're just staring at this thing you're not entirely with it at some point so if you stare these control flow graphs long enough what I found is eventually they start to look like things so this is a very very simple control flow graph in Ida but a lot of professional reverse engineers are dealing with very very complicated control flow graphs and Ida and when when you're dozing off at 3 a.m. once in awhile you'll start to see things inside of these images so I felt like this was a Tyrannosaurus Rex at 4:00 in the morning but but that gave me an idea maybe we could send a reverse engineer a message through control flow graphs because that's something they can't look away from that's exactly what they're looking at in our program so if we could send them a message to the control flow graph they've got to stare at our message which is exactly what we want so maybe a good like draw pictures with the control flow graph maybe we could send them texts through the control flow graphs of our program but in order to do that we need to understand exactly how our reverse engineering tools are rendering these control flow graphs in other words we kind of need to be able to reverse engineer HIDA to figure out how it works so it's a little bit of a daunting prospect to reverse engineer a reverse engineering tool but it actually turns out to be fairly straightforward if you just tinker with it for long enough so my first idea for how we could draw pictures or send messages through control flow graphs was was pretty simple I've stared at meThe assembly and control flow graphs to know exactly how to draw a horizontal line if you have a switch statement and like see it'll draw a horizontal line when you're looking at a control flow graph what I call orphan jumps will also do that so let's say you've got a whole bunch of jumps that all jump to exactly one location it's not really clear how the program got to this jump here because the instruction right before it didn't go to this jump so we've got all these jumps that didn't seem to come from anywhere and when you have that situation it turns into basically a horizontal line in the control flow graph so I can draw a horizontal lines using that technique you draw a border vertical lines in a much easier way basically any non-branching code in a control flow graph will create a vertical line so a whole bunch of knobs that don't do anything creates a nice solid vertical line when looked at in a control flow graph so I thought well I've got horizontal lines I've got vertical lines I can make an etch-a-sketch in Ida so that seems easy enough all I wanted to do was start out by drawing a square so here's how I thought you would draw a square with these techniques all we're going to do at the top is have a bunch of jumps that all jump to one location to draw a horizontal line then we need that horizontal line to connect to both sides of the square so on the Left we're going to have a jump to the left vertical line and on the right we're going to jump to the right vertical line so let's slides just going to be a whole bunch of knobs that don't do anything to draw that vertical line then we're going to tie it to the bottom line with a jump and on the right side a whole bunch of knots that don't do anything to create a vertical line we're going to tie it to the bottom horizontal line same thing for the bottom we're just going to draw a horizontal line easy enough but when we drop this into Ida to look at the control flow graph we're not quite to a square just yet we need to make some modifications to this but this tells us a little bit about how it is trying to lay out these control flow graphs so if we look at this piece here this tells us a little bit that is actually trying to combine or trying to line up a bunch of our nodes trying to align the blocks and a given row so we need Ida to not do that if I want that horizontal line to move back to the bottom of the square so instead of using knops for my vertical lines I decided we could use this jump plus 2 all that is is a jump to the instruction immediately following it what that's going to do is it's going to break those vertical lines up into a whole bunch of little nodes so that when we try to draw this again lines our bottom line with the last set of little nodes in our vertical line so I at least got the bottom line moved to the bottom here we're getting a little bit closer to actually being able to etch a sketch inside of IDA but obviously there's still an issue I've still got my vertical lines right next to each other I wanted those to be on opposite ends of the square so we kind of see that I just trying to keep rows and columns together it's squeezing all of our control flow graph into a small and area as possible and it does in order to sort of minimize the branching distance inside of this thing so I spent a couple hours tinkering with this and really could never find a way to get those horizontal or those of vertical lines to separate from each other so that's sort of the death of my first idea for how we could draw through control flow graphs but we learned a lot along the way we learned about how rows and columns are arranged in Ida namely that we have control over how the rows are arranged but I just going to have control over all of those columns so we need some way to fight back against Ida if I just trying to rearrange our stuff I need to have some way to stop Ida from changing my stuff around some ideas was to force Ida to keep all these nodes in place I could sort of tie the nodes together as tightly as possible to prevent Ida from trying to rearrange them so if we look at what a basic node and assembly looks like it's pretty much always like this it's a bunch of assembly instructions that do something and then at the end it branches to either one location or another so I thought what if we had a whole bunch of these nodes and we tied them together like this then I couldn't really move any one node because it's going to be trying to pull all the other nodes with it so this will force Ida to try to keep everything in place for us so the assembly to accomplish that looks something like this all we have is a conditional jump at this instruction down to either this place or it's going to fall through to the node below this one will jump over here or will fall through the node below so we've got a whole bunch of instructions that are all tightly tied together in this sort of matrix formation when we look at what that looks like in a control flow graph view this is what we end up with it's actually not that bad we have defined structure that was somewhat close to what we expected to accomplish so we can touch this up a little bit first we've got this giant block here that seems to be raising the nodes around it so we can cut that giant block in half by adding a jump into the middle of that um so we need some way to create a whole bunch of these I don't want to create a whole bunch of these by hand NASM personally fortunately has some really really powerful preprocessor macros so this is just all the code we need to create NASM macros to generate one of these matrix or one of these layouts for us so that's that lets us create a whole bunch of these nodes very very quickly so that we can begin looking at more complex patterns through the control flow graph but I've got kind of an issue here right I want to draw something with this but I got this like lopsided rhombus it's going to be hard to draw with a lopsided Rob it's what I really wanted was like this perfect grid of assembly nodes that I could work with so we just need to change a little bit about the way we're we're building this graph what we're all Tamayo draw with these nodes by turning pixels on off by removing or adding those in exactly the right location so I thought something like this if I wanted to have this pixel off I'm just going to remove this node and I could draw that way so first we're going to try to get this into a non rhombus shape we're just going to rearrange our control flow graph by tying the nodes together a little bit differently we take them with the assembly a little bit it's a little bit trickier to write things this way and when we drop that insider this is what we end up with them it looks like a garbled mess that doesn't at all accomplish what we want but if we look really carefully there's four nodes there that are perfectly arranged in a grid pattern so I can work with that if we've got four nodes in a grid pattern we can get more nodes in a grid pattern so back to Nasim's preprocessor we can use a preprocessor to generate a whole bunch of these and this is what we end up with we're getting almost to a perfectly well-defined structure that we actually have some decent control over and maybe we could start using this then to send some messages to the reverse engineer we've got a few things to touch up here first we've got this weird line on top again we're going to cut that big node in half by adding an unconditional jump in the middle of that we've got some nodes escaping from us on the right I decided I could push those back into the rest of the image by having a bunch of orphan jumps to each of the nodes on the right now we've got another issue we've got a rectangle here it's not a square so all we really need to do to make this into a square is that a whole bunch of jump instructions and each individual node and we'll make this thing a little bit taller once again though we've got some nodes trying to escape from us this was a little bit difficult to figure out what was going on here it turns out that NASM the assembler we're using to do this uses two different forms of jump instructions depending on how far you have to jump these nodes down here I had to jump a little bit further than the rest of these nodes up here which essentially made them wider than the other nodes inside of IO all we have to do is turn off optimizations and NASM in order to use the same jump instruction for every node and we finally have it perfect grid that we can actually start trying to draw on so we're finally ready to implement our idea maybe we can start drawing on this by turning these nodes on and off by simply removing a node so I try to remove a single node from this and the entire thing breaks Ida tries to squeeze all the nodes around that thing together so we can't really get a nice image by trying to delete nodes from this graph so that was the death of a very long idea - but maybe maybe we can resurrect it I didn't take you this far for nothing we can still well we can't remove a node from this but maybe we could do something similar maybe we could leave all the nodes in place and then fill a node with code if we want it to be on or leave it empty if we wanted it to be off so something like this the nodes that I actually want to look like they're on are going to have a bunch of no-ops inside of them in the nodes that are all aren't deleted they still exist and they're still tied to the nodes around them with a jump instruction but they don't have any dummy code inside of them in order to fill up that node so now when we try that we almost get the effect we want we can see this looks like a pixel that's been turned off inside of our control flow graph so with that we can extend the idea and begin actually drawing some things inside of the control flow graph so this is what's the first thing I ever drew was a circle inside of this programs control flow graph there a few things I wanted to touch up here I decided to get rid of this giant node at top that's actually caused because this is the first function in the program and I it is adding a whole bunch of additional information to that node so we just make this thing not the first function we get rid of that we've got these funny little orphan jumps on top we'll just add some dummy code to get rid of those I really wanted to enhance the contrast in this if I go back a slide you'll notice that these look white but these two look kind of white these know are supposed to be off so how do we enhance the contrast for the image that we're trying to draw well the idea is that an empty pixel here still use two lines it had that jump instruction and a label or we really want to do to enhance contrast is reduce the impact of those two lines and you can reduce the impact of those two lines by increasing the height of the overall node that way those two lines won't matter that much in comparison to everything else but in order to increase the height of the node we'd need to also increase the width of the node since they're supposed to be square so in order to increase the width of the node what we need is a really really long assembly instruction in order to make that node take up as wide a space as possible so there might be longer assembly instructions in x86 but this was the longest one I could think of off the top of my head that's vector fused multiply alternating added subtract from packed single precision floating point data using the EXA member as it registers with a CS override in a very complex addressing mode so this is a weird architecture that lets you do insanely long instructions like that which is really convenient because it let me get the enhanced contrast that I was after making each node really really wide so we've introduced new issues we've still got nodes trying to escape again so every time these nodes try to escape we've got to push them back in place the reason these nodes are trying to escape because we made this node really really wide but now the jumps that I was using to push all those nodes over to the left those nodes are really really small compared to these really really wide nodes all we have to do to fix that is add one of those really really wide instructions to those jumps that push everything in place so after we do that we've got this nice perfect grid with a circle drawn in the middle so we're getting we're getting there there's a few more things to tweak along the way there's an issue where if we had all the pixels in our row turned off the entire image would collapse on itself so we keep the column on the far left always on to prevent the image from collapsing I didn't like the idea of having knobs filling up these these nodes knobs are very clearly not code so I added a junk code generator that would add some dummy instructions I don't really do anything but they also don't fault the program so they can actually run finally I didn't want to have to draw this thing by hand every time I had to draw that stupid circle by hand so I created a bitmap to NASM preprocessor assign directive converter so that we could actually take bitmap images and convert those into and azzam constants that lets us take a bitmap image convert it into these pixel values that we can feed to NASM in order to generate the code for us so finally we can take a bitmap image like a smiley face run it through this entire process and create a control flow graph for the smiley face so so we're getting a little bit further um there's still some things I didn't really like about this I'm a little anal retentive I didn't like the fact that there's a blue line on the bottom but not a blue line on the top so I fixed that by opening the whole thing with a switch statement I was going to tie all the top notes together once I did that I figured out that all the work I really went through to tie all these things carefully together wasn't really necessary as long as you tie the top and bottom together like that you don't need to tie the individual nodes together quite so tightly they'll stay in place as long as the top and bottom are in place in other words whereas before we had this node tied to this node and this node we no longer need that we can just have this node fall directly into the node right below it so that forms what I call the recycled chain reverse engineering psychological warfare tool chain I'll show exactly how we can use this for some interesting applications coming up but what this does is it gives us a way to generate assembly instructions such that they form images in their control flow graphs so collectively if I go into my recycle what I've got here is a bitmap image that I want to render and it's really really small but it's just a skull and that's what I want to turn into assembly instructions to manipulate the control flow graph of my program so what we're going to do is run me to turn that image you can see some assembly code and all it's going to do is turn that into a bunch of preprocessor directives so now that we've got that as preprocessor directives we're going to go ahead and make an executable whose control flow graph will mimic that image so we run make run it through this whole thing and it will generate some functioning executables you can make these executables do whatever you want for these purposes I decided to make them render pushing the cat so they actually run they're not they're not fake executables they run but if a reverse engineer wanted to approach this and figure out exactly what this program did they're going to have to go over to their trusty tool Ida and pull in this executable and examine the control flow graph so when they do that they then see the image that we just created always using a lavalier thank you go what an optimum time for a tiny break in the action how is he doing I think you all know about our little tradition new speaker welcome to all the new attendees at Def Con this year here's you good job right all right thanks guys huh all right give me a second to I get back on track now so I was trying to think of where else we could take this thing what can we actually do with these images we're trying to let the reverse engineer know what we think of of their work so we can let them know that maybe our code doesn't even do anything anything useful you know maybe this this whole time we're just trolling them or we could let them know what we really think about them poking around and the code that we work really really hard to create I don't like people poking around in the code that I worked hard to create but but ultimately the goal wasn't just to send them amusing pictures it was psychological warfare we wanted them to stop reverse engineering our code but I think this opens up a neat opportunity namely that as a reverse engineer I have to sit and look at those control flow graphs the reversers forced to sit and stare at whatever message you embed inside of this program so you can use this to your advantage crush their soul basically make them abandon hope and not want to reverse engineer your code anymore so what else could we put in here in order to accomplish that task well we could let them know that the entire situation's futile right just just remind them constantly this isn't going to turn out in your favor we could remind them that if we're good enough to to send them messages in our control flow graphs they're never going to successfully reverse engineer our program so they might as well just give up now or we could just really go all out and um I think this one's over the top beam and just remind them that they're really no good at life in general and should should quit altogether so I was having fun with this I didn't want to just call it quits at this point I kind of realized that we're not limited to a black-and-white images here you know the way we have it we sort of got these nodes either on or off but we could sort of make them gray or not gray by adding more or fewer instructions to this thing so I took that opportunity to add grayscale support to this so that we could actually render grayscale images of course that opened up a really important opportunity in cybersecurity history I decided to take the first as far as I know assembly selfie so that is from back from when I had hair so I look a little bit different but it is completely functioning a assembly code so what I what I really like about the group I work in is I can take something stupid that I made like this and show it to to everyone and they'll have 100 good ideas for how to actually use this so one of my co-workers suggested well you should have a piece of malware and call it the interview and when you drop it into Ida you'll find out where your malware came from it was North Korea or another co-worker recommended the ultimate CTF problem which you could spend hundreds of hours reversing but all you really needed to do was zoom out and figure out that they are descending you on the wrong path so some of the objectors work here that's a real QR code it'll really take you somewhere home but you can check that out later on the slides if you have a chance but that's one type of CTF problem but I felt like if this for the DEFCON CTF they probably wouldn't embed a QR code inside of this thing no DEFCON CTF seems to be complete without goatse so so for DEFCON CTF I felt like it'd be goatse but I wasn't really going to show you guys goatse so you're welcome but my my favorite of all friend of mine proposed what could be the creepiest malware of of all time what if we had a piece of malware that would actually scan your hard disk retrieve your personal images and then rewrite its code based on the images it was collecting so this took a quite a bit of modifications that is fairly different from what I originally wrote but I threw together this little C program that would do exactly that so we go ahead and run this little piece of malware it doesn't seem to do anything it just just sits there nothing important but I do have some vacation pictures on here these are stock photos those are not my feet and this is not my dog but if I were curious about what this malware we're doing I would toss this inside ax I get rid of that folder accidentally created so first an Ida after i2 process it's really not anything interesting there's nothing in the control flow graph at first so I'd analyze this a little bit as a reverse engineer I wouldn't see anything interesting at some point I'm going to have to do dynamic analysis I'm going to actually run this thing and see what it's doing it's going to change my debugger here and I'm going to go ahead and run this program so the propria begin to run but the first thing it does is it triggers a software breakpoint it does that because it wants the the reverse engineering tool to stop it wants you to see what it's actually doing so I'm going to follow this in my reverse engineering tool and pull out the control flow graph so I can figure out what this malware is doing and we zoom out a little bit here Ida doesn't like doing this so much when other programs actually running but it just huh those were those are my feet and if I keep running this you know maybe it's just a fluke no the malware is going to stop me again it's got something new well what's it this time oh that's my dog what why is my dog in the malware I'm always a little worried to get this demo because I hope it's going to find those two pictures but I never know what it's really going to go out and collect but but as a reverse engineer when malware starts rewriting itself based on my personal information that's probably when I'm going to call it quits so I feel like this this would successfully implement what we originally after other ways of getting the reverse engineer to stop looking at our code so there might be other ways to accomplish that I think it's neat to keep your mind open and realize it's not just about making things harder to reverse but overall this was a really really fun thing to just tinker with it was a grand total of 14 lines of assembly in order to accomplish this and 328 lines of preprocessor macros but not not too shabby and if you're interested in this it's on my github at github comics or EA XCX y ax that is the reset tool chain is what I call that I would love to get feedback in ideas on other applications for this maybe it's just a fun toy or maybe there's actually something useful we could do with this if you're interested in the Mafia skater thing that's the single instruction C compiler that's also on github as of a Thursday morning if you call me a blackhead I released an architectural vulnerability built into the x86 processor itself some proof of concept code for that also on github but I'd love to discuss this more with anybody who has some interesting ideas for what we could do through control flow graphs I might keep tinkering with this over the upcoming week so if you're interested in tracking progress you can follow me on Twitter that's X or e ax e IX II IX or same thing at gmail.com if you want to discuss further thanks for your time everyone this was a fun project I really appreciate everyone turning up for it so if anyone has questions you can talk you

Info

Channel: DEFCONConference

Views: 130,239

Rating: undefined out of 5

Keywords: DEF CON 23, DEFCON, DEF CON, DC 23, DC23, DC-23, hack, hacking, hacker, computer security, security research, security conference, speeches

Id: HlUe0TUHOIc

Channel Id: undefined

Length: 38min 48sec (2328 seconds)

Published: Fri Dec 25 2015