A great challenge of modern reverse engineering is taking apart and analyzing binary protections. During the last decade, a vast number of shell modifiers has appeared. At the same time, protection tools have evolved from encryption that protects the executable and data parts to sophisticated protections that are "packed" with tricks specifically designed to slow down the reversing process. As the number of such techniques increases, we need to ask ourselves: can we keep up with the tools that we have?
Come to this talk to learn optimal strategies for dealing with complex binary code and to see in action the new open source framework, the TitanEngine, which addresses advanced file analysis. Today reverse engineers are limited to writing their own code for every new scenario they encounter or to using outdated solutions that do not cover all the needed aspects. Yet when speed is of the essence, as in dealing with new outbreaks or botnet infections, new tools are necessary to deal with the large volume of incoming samples. Accurate detection, relevant data extraction and fast decomposition in a safe and controlled manner are critical requirements.
TitanEngine has been designed so that writing unpackers mimics the manual unpacking process. Guided execution with a set of callbacks simulates the presence of a reverse engineer. This is done by creating an execution timeline equal to the one a reverse engineer follows to unpack the file. Information is gathered as execution is led to the point where the protection passes control to the original code. At that point we have all the data we need to create a sample valid for execution and further analysis. During the talk, a new open source project, the TitanEngine, will be introduced and discussed in detail. Special attention will be given to automation problems encountered when writing unpackers. We will cover the following topics:
The talk will conclude with demos of two new tools that are based on the TitanEngine:
This talk will be a Black Hat exclusive: a launch and demonstration of the major version upgrades of RL!dePacker and ImportStudio, which are based on the new open source project titled "The TitanEngine." All components will be available for distribution with the conference materials.
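The guided-execution timeline described above, shown as an added illustration that is not code from TitanEngine or from the talk: a constructed toy byte-code VM in which a packer stub decrypts a payload in place and jumps to it, and an unpacker whose callbacks watch the stub's memory writes, stop the run when control lands on freshly written bytes (the original entry point), and dump the image. Opcodes, the sample image and the key are all constructed for this example.

```python
# Added example (not TitanEngine code): callback-driven "guided execution" over a toy
# byte-code VM. The analyst's manual timeline is encoded as callbacks: record what the
# stub writes, stop when execution reaches written memory (the OEP), then dump.
from dataclasses import dataclass, field

XOR, JMP, NOP, HALT = 0x01, 0x02, 0x03, 0xFF    # toy opcodes (constructed)
PAYLOAD_BASE, KEY = 0x20, 0x5A                  # constructed layout and key

def build_packed_sample():
    """Constructed sample: stub at 0 XOR-decrypts the payload byte by byte, then jumps to it."""
    original = bytes([NOP, NOP, HALT])           # the "real" program
    mem = bytearray(0x40)
    mem[PAYLOAD_BASE:PAYLOAD_BASE + len(original)] = bytes(b ^ KEY for b in original)
    stub = bytearray()
    for i in range(len(original)):               # unrolled decrypt loop: XOR addr key
        stub += bytes([XOR, PAYLOAD_BASE + i, KEY])
    stub += bytes([JMP, PAYLOAD_BASE])           # protection hands control to the OEP
    mem[:len(stub)] = stub
    return mem

@dataclass
class Timeline:
    """Callbacks standing in for the reverse engineer watching the run."""
    written: set = field(default_factory=set)
    oep: "int | None" = None
    def on_write(self, addr):
        self.written.add(addr)
    def on_step(self, pc):
        # Executing a byte the packer itself wrote == control passed to original code.
        if pc in self.written and self.oep is None:
            self.oep = pc
            return False                         # stop guided execution here
        return True

def guided_run(mem, entry, tl, max_steps=10_000):
    """Single-step the VM, consulting the timeline callback before each instruction."""
    pc = entry
    for _ in range(max_steps):
        if not tl.on_step(pc):
            return pc                            # reached the OEP
        op = mem[pc]
        if op == XOR:
            addr = mem[pc + 1]
            mem[addr] ^= mem[pc + 2]
            tl.on_write(addr)
            pc += 3
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == NOP:
            pc += 1
        elif op == HALT:
            return None                          # finished without ever reaching written code
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")
    raise RuntimeError("step budget exhausted")

def unpack(mem):
    """Lead the packed image to its OEP; return (oep, dumped image) for further analysis."""
    tl = Timeline()
    return guided_run(mem, 0, tl), bytes(mem)
```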