The talk “unrubby: reversing without reversing” was part of the Troopers conference in Heidelberg, 16 March 2016. The talk was done by Richo Healey, who is currently working on the security engineering team at the Irish payment company Stripe. Richo Healey is an experienced conference speaker. Amongst other he has spoken at Kiwicon, DEF CON and 44con.
In his talk Richo Healey spoke about reverse engineering of Ruby software. First he talked about existing tools and techniques to regenerate source code from Ruby bytecode. Then he presented a new concept, which is implemented in his tool “unrubby”.
Ruby is multi paradigm programming language, which uses a “Just-in-time” – compilation approach. First, Ruby source code is translated into bytecode, then the bytecode gets interpreted by a virtual machine like YARV during the runtime. This approach provides portability as well as performance. GitHub and Metasploit belong to the biggest projects which are written in Ruby.
Software packages in Ruby are provided either in source or bytecode. For closed-source software only the bytecode gets published. To prevent the users from regenerating the source code various obfuscating techniques are used. Nevertheless there also a lot of approaches to bypass these obfuscating techniques. Most of them are based on reverse engineering of the bytecode.
Reversal is a tool which analyzes the bytecode of the YARV to recover the original source code. The tool was written by Michael Edgar from Dartmouth College. Although Reversal achieves good results, there are compatibility issues and the tool is outdated. To make Reversal work with a recent version of Ruby Richo Healey patched Reversal and added the support for new instructions. But in the end Reversal is still fragile. In Addition to that, Reversal tries to turn back the whole program into source code. But this is often too ambitious.
After describing these problems Richo Healey presented a different approach, which is not affected by these disadvantages. His tool unrubby is a hacked Ruby virtual machine. It changes the internal behavior of the virtual machine to generate the source code while the program is running. So analysis of the source code is not needed. In addition to that unrubby is able to also deliver the source code of dynamically generated methods. The code is dumped by unrubby after termination. Although this tool is for Ruby, this technique can be applied to the virtual machines used by other languages.
According to Richo Healey there is no obvious way to defeat this technique. It may be possible to use checksums or internal offsets, but the best way seems to be to put everything in statically linked libraries.
Finally Richo Healy encouraged the audience to download the tool, play with it and report bugs.
The slides for the presentation can be found at https://speakerdeck.com/richo/unrubby .
The source code for unrubby can be found at https://github.com/richo/unrubby.
Thanks for reading