Token capture via an llvm-based analysis pass
Introduction
About three years ago, the LLVM framework started to pique my interest for a lot of different reasons. This collection of industrial strength compiler technology, as Latner said in 2008, was designed in a very modular way. It also looked like it had a lot of interesting features that …
more ...Spotlight on an unprotected AES128 white-box implementation
Introduction
I think it all began when I've worked on the NSC2013 crackme made by @elvanderb, long story short you had an AES128 heavily obfuscated white-box implementation to break. The thing was you could actually solve the challenge in different ways:
- the first one was the easiest one: you didn't …
Dissection of Quarkslab's 2014 security challenge
Introduction
As the blog was a bit silent for quite some time, I figured it would be cool to put together a post ; so here it is folks, dig in!
The French company Quarkslab recently released a security challenge to win a free entrance to attend the upcoming HITBSecConf conference …
more ...Deep dive into Python's VM: Story of LOAD_CONST bug
Introduction
A year ago, I've written a Python script to leverage a bug in Python's virtual machine: the idea was to fully control the Python virtual processor and after that to instrument the VM to execute native codes. The python27_abuse_vm_to_execute_x86_code.py script wasn't really self-explanatory, so I believe only a …
more ...Breaking Kryptonite's obfuscation: a static analysis approach relying on symbolic execution
Introduction
Kryptonite was a proof-of-concept I built to obfuscate codes at the LLVM intermediate representation level. The idea was to use semantic-preserving transformations in order to not break the original program. One of the main idea was for example to build a home-made 32 bits adder to replace the add …
more ...Pinpointing heap-related issues: OllyDbg2 off-by-one story
Introduction
Yesterday afternoon, I was peacefully coding some stuff you know but I couldn't make my code working. As usual, in those type of situations you fire up your debugger in order to understand what is going on under the hood. That was a bit weird, to give you a …
more ...Some thoughts about code-coverage measurement with Pin
Introduction
Sometimes, when you are reverse-engineering binaries you need somehow to measure, or just to have an idea about how much "that" execution is covering the code of your target. It can be for fuzzing purpose, maybe you have a huge set of inputs (it can be files, network traffic …
more ...Regular expressions obfuscation under the microscope
Introduction
Some months ago I came across a strange couple of functions that was kind of playing with a finite-state automaton to validate an input. At first glance, I didn't really notice it was in fact a regex being processed, that's exactly why I spent quite some time to understand …
more ...