The Reverse Engineering Language REIL and its applications · The Reverse Engineering Language REIL...

Post on 07-Oct-2020

0 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

Transcript of The Reverse Engineering Language REIL and its applications · The Reverse Engineering Language REIL...

The Reverse Engineering Language REILand its applications

Sebastian Porst (sebastian.porst@zynamics.com)zynamics GmbH

I write code for

... sometimes I debug other people‘s code

We love graphsWe love static analysis

We want to improve binary code RE

Reverse Engineering Intermediate Language

Three Good Reasons for REIL

Simple

Free of side-effects

Platform-Independent

988

1000+

17

PowerPC x86

Fewer Instructions

REIL

X86 Code PowerPC Code ARM Code

X86 Translator PowerPC Translator ARM Translator

REIL Code

MonoREIL Other AnalysisAlgorithms

Close to the original architecture

Infinite amount of memory

Infinite number of registers

Register-based Virtual Machine

REIL VMArchitecture

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Instructions

1 REIL AddressNative PartREIL Part

1 REIL Mnemonic3 Operands∞ Metadata

1 REIL Operand2 (really 3) Pieces of Information3 Operand Types7 Operand Sizes∞ Operand Values

40131A.07 add (t0, b4), (t1, b4), (t2, b8), [(foo, bar)]

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Six Arithmetic Instructions

AdditionLogical ShiftUnsigned DivisionUnsigned ModuloUnsigned MultiplicationSubtraction

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Bitwise Instructions

Bitwise ANDBitwise ORBitwise XOR

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Data Transfer Instructions

Load MemoryStore MemoryTransfer Register Content

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Two Logical Instructions

Compare to ZeroJump Conditional

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Other Instructions

No OperationUndefine RegisterUnknown Mnemonic

All Instructions are equal ...

... but some instructions aremore equal than others

add t0, t1, t2

and t0, t1, t2

bsh t0, t1, t2

div t0, t1, t2

mod t0, t1, t2

mul t0, t1, t2

or t0, t1, t2

sub t0, t1, t2

xor t0, t1, t2

bisz t0, , t2

jcc t0, , t2

ldm t0, , t2

nop , ,

stm t0, , t2

str t0, , t2

undef , , t2

unkn , ,

What REIL can‘t do

FPU Instructions

System Instructions

Weird Instructions

fadd

...

int

...

setend

...

More Architectures (x64, MIPS, ...)

More Instructions

More Operand Information

So ...

... what is it all good for?

Register Tracking

Follow the effectsof a register

on the program state

DemoRegister Tracking

Negative Array Access

MS08-67

DemoMS08-67

... but aren‘t those really difficult to implement?

NO!

MonoREIL

Create an Instruction Graph

Define a Lattice

Define Transformations

Define a Graph Walker

Define a Start Vector

Create an Instruction Graph

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

int t4 = t0 == -15 ? 32 : 16

Define Lattice Elements

B

T

Define Transformations

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Join function

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Graph Walker

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Start Vector

node1 → initialState1

node2 → initialState2

node3 → initialState3

node4 → initialState4

node5 → initialState5

...noden → initialStaten

Running MonoREIL

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

initialState1400 → finalState1400

initialState1401 → finalState1401

initialState1402 → finalState1402

initialState1406 → finalState1406

initialState1407 → finalState1407

initialState1405 → finalState1405

initialState1403 → finalState1403

initialState1404 → finalState1404

The Result

node1 → finalState1

node2 → finalState2

node3 → finalState3

node4 → finalState4

node5 → finalState5

...noden → finalStaten

LOC? 14 + n

Lattice

8 + n

TransformationsGraph

1

12 + n

Start VectorWalker

1 + n

Register Tracking120

Lattice

120

TransformationsGraph

1

90

Start VectorWalker

1

MS08-67

500

Lattice

1700

TransformationsGraph

1

150

Start VectorWalker

1

Deobfuscating Optimizer

Type Reconstruction

BinAudit

Related Work

ELIR (ERESI Project)

Vine (BitBlaze)

Silvio Cesare

Hex-Rays

Thank You!

Questions?

Top related

2012 ASIS&T Lecture...Adscape Media (in-game advertising) Katango (social circles) Zynamics (info security) Punchd (loyalty program) Google Video Clever Sense (mobile app) Trendanalyzer
 Documents
SMART MILK MANAGEMENT SOFTWARE (SMMS) Ver 2 · REIL, JAIPUR User Manual Rev. 1.1, 20/02/2008 REIL/UM/ Page 2 of 69 Document Revision Control A1. Document Revision Sno Revision Date
 Documents
ADE Global Design Authority Project Review SCQA Format MCESA DSRS/DVT REIL Program January 8, 2013.
 Documents
REIL-TNG Score & Salary Schedule Model
 Documents
REIL, solar panel production & LG Electronics
 Education
prod002 · 2018. 9. 14. · Michel Berger De New Yorkà To—kyo 2. Mi —ra— bel ou Rois—sy pa— pa— tout est par—tout tout est par—tout reil reil G 7sus4 ters G7 On prend
 Documents
Structuring Reverse and Forward Triangular Mergersmedia.straffordpub.com/products/structuring-reverse-and-forward... · Structuring Reverse and Forward Triangular ... Reverse and
 Documents
2013-1 Machine Learning Lecture 04 - Torsten Reil - Artificial Neural Netw…
 Education
IN LOVING MEMORY OF Loren Henry Reil - Microsoft...oren Henry Reil was born on September 29, 1935, in Ortonville, MN. He was the son of Henry and Freida (Minder) Reil. He grew up on
 Documents
REIL training Power point presentation
 Engineering
Everybody be cool, this is a roppery! - … · Everybody be cool, this is a roppery! Vincenzo Iozzo (vincenzo.iozzo@zynamics.com) zynamics GmbH Tim Kornau (tim.kornau@zynamics.com)
 Documents
(algorithms) - OCAD Universityblog.ocad.ca/wordpress/digf6l01-fw201302-01/files/2013/...TORSTen Reil BiOlOGiCAl/ MODUlAR neURAl neTWORkS ...
 Documents
p api property line reil roadways rotating beacon survey monument threshold lights ... rp-z oh revisions as-built rl yukon rpz rpz river ofa ofz ofz ofa ofz reil (ultimate) ofa ofz
 Documents
zynamics BinDiff 3
 Documents
DOCUMENT RESUME ED 360 706 AUTHOR Reil, David; …AUTHOR Reil, David; Soderman, John D. TITLE Decisions! Decisions! Decisions! Shared Governance: A. Blessing for Implementing Year-Round
 Documents
180 Degree rule, Reverse shot reverse
 Education
doi:10.1093/cercor/bhr104 The Insula of Reil Revisited ... · The Insula of Reil Revisited: Multiarchitectonic Organization in Macaque Monkeys D. S. Gallay 1, M. N. Gallay1,4, D.
 Documents
Reforming an Unsustainable Public Pension System: The German Case Anette Reil-Held
 Documents
Artificial Neural Networks Torsten Reil torsten.reil@zoo.ox.ac.uk.
 Documents
Applications of the Reverse Engineering Language REIL
 Technology

Copyright © 2022 FDOCUMENTS