I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.
Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.
I even got an award to mark 10 years of teaching Reverse Engineering class at REcon. Time flies 🙂
The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:
- Introducing Dynamic IDA Enrichment framework (a.k.a DIE):
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.
After the framework was explained, 3 live demos showed how to use the tool.
The slides are available here: http://fr.slideshare.net/ynvb/0x3e9-waystodie
The framework can be downloaded here: https://github.com/ynvb/DIE - Totally Spies!
This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.
- The M/o/Vfuscator
Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).
The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.
Crackme: https://github.com/xoreaxeaxeax/movfuscator/tree/master/poc/crackme
Obfuscator: https://github.com/xoreaxeaxeax/movfuscator
Other interesting talks included:
- This Time Font can hunt you down in 4 bytes
- Hooking Nirvana
- One font vulnerability to rule them all
- Reversing the Nintendo 64 CIC
You can find the full conference schedule at http://recon.cx/2015/schedule/
Slides and the videos from every talk will be uploaded soon on the REcon website.
See you next year at REcon 2016!
Long live REcon – my 10th REcon anniversary