Towards *Ultimate* Deobfuscation

wail.ly/secday-2015-slides.html

Who I am ?

Aurélien Wailly
Security engineer @ Orange Labs
- Virtualization
- Audits
- Reverse
- Obfuscation

Plan

Introduction
Related Work
Approach
Implementation
Future
Conclusion

What is obfus cation ?

Main strcmp

With OLLVM

Protect code and data

Code impénétrable as Jiss

Code
- CFG flattening
- Instruction substitution
Data
- WhiteBox
- Mixed Boolean Arithmetic MBA

Code protection example

Data protection example

Reverse Engineering

Find the functional equivalent

Use a paper like @pinkflawd

Basic RE algo [2]

How to slow a reverse engineer ?

Multiple techniques [1]

Jump chains
Split calculations
Dead code
Self-modifying code
Control flow flattening
Opaque predicates
Parallel code
Virtual machines (previous talk)

How to deob fuscate ?

Idea

Find the high-level semantic (pseudo-code)

Language ?
Automated ?
Generic ?
- Meaning support multiple architectures

Goal

We need an automated tool easily supporting new architectures

Bad idea #1: Reimplement the assembly semantic

Create your own translator

Reimplement the semantic

BAP (Binary Analysis Platform)http://bap.ece.cmu.edu/
- OCaml?
OptiCode Direct LLVM
- No release, I will force you to :)
MCSema, Dagger
They all have reimplemented the same engine
- Error-prone
- Enough testers for corner cases ?

BAP add rax, rbx

addr 0x0 @asm "add    %rax,%rbx"
label pc_0x0
T_t1:u64 = R_RBX:u64
T_t2:u64 = R_RAX:u64
R_RBX:u64 = R_RBX:u64 + T_t2:u64
R_CF:bool = R_RBX:u64 < T_t1:u64
R_OF:bool = high:bool((T_t1:u64 ^ ~T_t2:u64) & (T_t1:u64 ^ R_RBX:u64))
R_AF:bool = 0x10:u64 == (0x10:u64 & (R_RBX:u64 ^ T_t1:u64 ^ T_t2:u64))
R_PF:bool =
  ~low:bool(let T_acc:u64 := R_RBX:u64 >> 4:u64 ^ R_RBX:u64 in
            let T_acc:u64 := T_acc:u64 >> 2:u64 ^ T_acc:u64 in
            T_acc:u64 >> 1:u64 ^ T_acc:u64)
R_SF:bool = high:bool(R_RBX:u64)
R_ZF:bool = 0:u64 == R_RBX:u64

Solution

What is THE generic program that convert ASM to atomic operations ?

The T iny C ode G enerator

Example with Qemu

ret
Getting target map
000000: \xc3                                              .
 qemu_ld_i64 tmp0,rsp,leq,$0x0
 movi_i64 tmp11,$0x8
 add_i64 tmp3,rsp,tmp11
 mov_i64 rsp,tmp3
 st_i64 tmp0,env,$0x80
 exit_tb $0x0
 end

Why ?

Huge community
Support multiple architectures
- aarch64, arm, hppa, i386, ia64, mips, ppc, s390, sparc

But

Code templating in C (ugly but needed for performances)
Need some time before hacking/using it

Bad idea #2: Intermediate Representation IR

Create your own IR

REIL Reverse Engineering Intermediate Language
miasm Read it somewhere, not sure

And reimplement compiler optimizations

metasm
- Constant propagation/folding
- Dead code/branch/store elimination

Why ?

You will be faced with ancient compilers problems

Code integrity checking
…

Bad idea #3: Optimize with Regexp

Pattern matching

Nice for quick and dirty
- QuarksLab http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html
- metasm samples/dasm-plugins/deobfuscate.rb
You will have a bad time with huge MBA
- Check Camille slides from SSTIC’14

Solution

Use a supported IR with native optimizations: LLVM

LLVM ret

  %Lgv1 = load i64* @rsp
  %Ildq = inttoptr i64 %Lgv1 to i64*
  %Ldq = load i64* %Ildq
  %Oarith = add i64 %Lgv1, 8
  store i64 %Oarith, i64* @rsp
  store i64 %Ldq, i64* @rip
  ret i64 0

Bad idea #42

!

So ?

We all waited it :

Is it possible ?

Panda @moyix

All the madness started here

Based on S2E (Selective Symbolic Execution Framework) EFPL
- Qemu TCG → LLVM (cannot be optimized)
Very nice code usage by @moyix
- #panda-re @ freenode
- https://twitter.com/moyix
- https://github.com/moyix/panda
- http://recon.cx/2014/slides/PANDA%20REcon.pdf

But

Based on a very specific version of Qemu, updating will be hard (Aarch64 and Cpp)

Idea

Our engine

Low qemu footprint about 50 lines
- Export the TCG ask 0vercl0k :)
Object-oriented C, clean APIs
- Easier to understand
Docker VM available! thx antho

About the source code

Engine used for Return Oriented Programming
- http://github.com/awailly/nrop

nROP cons

Panda way to use globals prevent some LLVM optimizations
- But hard to represent a register
Basic block level
- May need some polishing
- Will use merge BB from LLVM

nROP cons 2

Hard to build Qemu on Windows
- Do not prevent the PE to be used on Linux
- And Docker is coming on Windows

Demo time

Still a long way to go

Robust → Increase time
Time versus Complexity
- Multiple layers of obfuscation on embedded devices
Moving Target Defense
- What is the effective time added by each layer ? (hard problem)

Future work

Going symbolic
- Find that 2 codes are equal
Think about VM obfuscation
- I am sure that something can be done
IDA plugin
Another talk for nROP

Interested ?

aurelien.wailly () orange.com

Conclusion

Merci!

Resources

1
2
ISBN-13: 9780321486813[3]
4
http://www.h2hc.org.br/repositorio/2009/files/Sebastian.en.pdf

Towards Ultimate Deobfuscation

wail.ly/secday-2015-slides.html

Who I am ?

Plan

What is obfus cation ?

Main strcmp

With OLLVM

Protect code and data

Code protection example

Data protection example

Reverse Engineering

Basic RE algo [2]

How to slow a reverse engineer ?

Multiple techniques [1]

How to deob fuscate ?

Idea

Goal

Bad idea #1: Reimplement the assembly semantic

Create your own translator

BAP add rax, rbx

Solution

The T iny C ode G enerator

Example with Qemu

Why ?

Bad idea #2: Intermediate Representation IR

Create your own IR

Why ?

Bad idea #3: Optimize with Regexp

Pattern matching

Solution

LLVM ret

Bad idea #42

!

So ?

Is it possible ?

Panda @moyix

But

Idea

Our engine

About the source code

nROP cons

nROP cons 2

Demo time

Still a long way to go

Future work

Interested ?

Conclusion

Merci!

Resources