This year’s BlackHoodie workshop rolled out with 28 amazing women from all parts of the world. It was a very vibrant group with students, professionals, engineers, researchers, physicists and what not. This is the second year that Marion Marschalek is running this reverse engineering workshop exclusively for women. There were a variety of topics that were covered. This includes anti emulation tricks, anti debuggers, packers, obfuscation, encryption/decryption functions, and a lot of fun with IDA.
We played with about 3 different binaries. The first one was a packed binary that contained a piece of code that performed the unpacking within. After we played with IDA for a while, we got into the task of unpacking the binary. It was a PE file made for demonstration. Placing the right breakpoints and synchronizing with the destination register (SDI), we could see the binary unfolding itself. Once the decompression function was called, we had to instruct IDA to remove the previous definitions it had (undefine -u) and treat the new piece of binary as code (C) and finally use the procedure (P) command to recognize the code as a method. It was very interesting to generate the graph view for a piece of code that was just a bunch of junk bytes few seconds before we ran the decompression function.
The second binary we worked with dealt with how to tackle anti analysis tricks. We worked with the binary Upatre which had a couple of very interesting anti analysis features in it. As soon as we ran the binary, it failed with an unhandled exception. This is a very expected scenario with any sophisticated malware when run within an emulator (like AV) or a debugging tool. Malware tries its best to avoid getting detected. The first trick was anti-emulation trick that the binary used. It calls a function like acmMetrics() (audio compression module) which is usually not found in light weight simulation engines like an AV scanner. As soon as the call returns error, the malware stops running as it recognize that the callee is not genuine. The next trick was implicit breakpoint detection. The code performed minor decryption of its own code in such a manner that if there is a breakpoint present, the decryption fails.We spent some more time in analyzing such interesting tricks used by malwares.
Marion did a great job in getting into every minute details. The ladies were all proactive in performing the analysis in parallel. I just loved the energy and enthusiasm. Reverse engineering is indeed so much fun staring at a piece of code and trying to make sense about the weird behaviors of the code. The final binary we worked with was an IRC bot. We started with it on the first day and extended the analysis for the whole of next day. We analyzed the bot in high detail. The bot tried to add itself in the registry key, create connection to the server, parse commands that it receives. Sometimes, it got so hard when the piece of code didn’t make any sense. There were loops that ran forever and true conditions that never took its course. It could be a software bug, or the author trying to obfuscate code. That gave an idea on how hard things can get when you have no idea whether your analysis is even relevant. Anyhow we almost made it analyzing more than 80% of the binary.
Two days of reverse engineering was a lot of learning. It was not just only the x86 code that we stared at. We learned about stack structure, function calling conventions, network protocol analysis, obfuscation techniques, object oriented concepts in minute details. I felt that reverse engineering is not just a field in security. It is more about learning programming in high depth. This field opens a new dimension on looking at programming. I really loved the workshop. I would like to express my sincere gratitude to Marion.
Looking forward for more such workshops!