hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...)

Whether it's for malware analysis, vulnerability research or emulation, a correct disassembly of a binary is the essential thing you need when you analyze code. Unfortunately, many people are not aware that there are a lot of opcodes that are rarely used in normal files but valid for execution, and that several common opcodes have rarely seen behaviours, which could lead to wrong conclusions after an improper analysis.
For this research, I decided to go back to the basics and study assembly from scratch, covering all opcodes, whether they're obsolete or brand new, common or undocumented. This helped me to find bugs in all the disassemblers I tried, including the most famous ones. This presentation introduces the funniest aspects of the x86 CPUs that I discovered in the process, including unexpected or rarely known opcodes and undocumented behavior of common opcodes.
The talk will also cover opcodes that are used in armored code (malware/commercial protectors) that are likely to break tools (disassemblers, analyzers, emulators, tracers, ...), and introduce some useful tools and documents that were created in the process of the research.
Bio: Ange Albertini has been a reverse-engineering and assembly language enthusiast for around 20 years, and a malware analyst for 6 years. He has a technical blog, where he shares experimental source files, and some infographics that are useful in his daily work.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
987
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
18
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...)

1. Such a weird processor: messing with opcodes (...and a little bit of PE)
   Ange Albertini, 28th October 2011
   @ange4771, @corkami (news only)
   Creative Commons BY

2. presented by...
   ● a reverse-engineering enthusiast
      ● ...since DOS 3.21
      ● Corkami.com
      ● MAME (the arcade emulator)
   ● a malware analyst

3. Corka-what?
   ● RCE project, only technical stuff
   ● free to:
      ● browse, download
      ● test, modify, compile
   ● updated
   ● useful daily
   ● but... only a hobby!

4. what is in Corkami?
   ● wiki pages, cheat sheets
   ● many PoCs
      ● hand-written (not generated), minimalist
      ● binaries available
   ● on PDF, x86, PE...
   ● 100% open
      ● BSD, CC BY: sources, images, docs

5. Story
   0. CPUs are electronic, thus perfect
   1. tricked by a malware
   2. back to the basics
   3. documented on Corkami
   4. this presentation

6. "Achievement unlocked"
   Odbg 2.1a4, IDA 6.1, Hiew 8.15, WinDbg 6.12.0002.633
   (authors notified, and most bugs already fixed)

7. Agenda
   I.   why does it matter? (an easy introduction, for everybody)
   II.  a bunch of tricks (technical stuff starts now, for technical people)
   III. CoST
   IV.  a bit more of PE

8. from C to binary

9. inside the binary

10. our code, translated

11. opcodes <=> assembly

12. Assembly
   ● generated by the compiler
   ● executed directly by the CPU
   ● the only code information in a standard binary
      ● what we (analysts, hackers...) read
   ● disassembly is only for humans
      ● no text code in the final binary

13. let's mess a bit now...

14. let's insert something

15. What did we do?
   ● inserting an unrecognized byte
      ● directly in the binary
      ● not even documented nor identified!! it could only crash...

16. the CPU doesn't care

17. what happened?
   ● D6 = S[ET]ALC
      ● Set AL on Carry
      ● AL = CF ? -1 : 0
   ● trivial, but not documented
      ● unreliable or shameful?

18. Intel: do what I do...
   bytes              Intel's XED                                  MS WinDbg
   F1                 int1                                         ??
   D6                 salc                                         ??
   F7C890909090       test eax, 0x90909090                         ??
   0F1E84C090909090   nop dword ptr [eax+eax*8-0x6f6f6f70], eax    ??
   0F2090             mov eax, cr2                                 ??
   660FC8             bswap ax                                     bswap eax
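To make the table above concrete, here is an added example (not code from the slides or from Corkami): a minimal 32-bit-mode x86 decoder that handles exactly the byte strings on the slide, following the Intel XED column. It parses ModRM/SIB/displacement generically, treats F7 /1 as the undocumented alias of TEST, ignores the mod field for MOV r32, CRn as the CPU does (so no SIB or displacement is consumed), and renders 66 0F C8 as the 16-bit bswap rather than silently dropping the prefix. Only the opcodes the slide needs are implemented; everything else raises.

```python
# Added example: decoder for the byte strings on the "Intel: do what I do..." slide.
# 32-bit mode only; opcodes not on the slide are rejected rather than guessed.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]


def modrm(code, pos):
    """Decode ModRM (+ SIB/displacement when present) at code[pos].
    Returns (reg_field, operand_text, next_pos)."""
    b = code[pos]
    pos += 1
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:                                   # register operand
        return reg, REG32[rm], pos
    parts = []
    if rm == 4:                                    # SIB byte follows
        sib = code[pos]
        pos += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        no_base = mod == 0 and base == 5           # [index*s + disp32] without base
        if not no_base:
            parts.append(REG32[base])
        if index != 4:                             # index field 100 means "no index"
            parts.append("%s*%d" % (REG32[index], 1 << scale))
    else:
        no_base = mod == 0 and rm == 5             # [disp32] absolute
        if not no_base:
            parts.append(REG32[rm])
    disp = 0
    if mod == 1:                                   # disp8, sign-extended
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2 or no_base:                      # disp32, sign-extended
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    if not parts:
        text = "%#x" % (disp & 0xFFFFFFFF)
    elif disp:
        text = "+".join(parts) + "%+#x" % disp
    else:
        text = "+".join(parts)
    return reg, "[%s]" % text, pos


def decode(code):
    """Decode one instruction at the start of code. Returns (text, length)."""
    pos = 0
    opsize16 = False
    while code[pos] == 0x66:                       # operand-size override prefix
        opsize16 = True
        pos += 1
    op = code[pos]
    pos += 1
    if op == 0xF1:                                 # ICEBP: undocumented one-byte int1
        return "int1", pos
    if op == 0xD6:                                 # SETALC: undocumented, AL = CF ? -1 : 0
        return "salc", pos
    if op == 0xF7:                                 # F7 /0 = TEST r/m32, imm32; /1 is an undocumented alias
        reg, rm, pos = modrm(code, pos)
        if reg in (0, 1):
            imm = struct.unpack_from("<I", code, pos)[0]
            return "test %s, %#x" % (rm, imm), pos + 4
        raise NotImplementedError("F7 /%d not handled here" % reg)
    if op == 0x0F:
        op2 = code[pos]
        pos += 1
        if 0x18 <= op2 <= 0x1F:                    # "hint nop" family 0F 18-1F /r; only 0F 1F /0 is documented
            reg, rm, pos = modrm(code, pos)
            return "nop dword ptr %s, %s" % (rm, REG32[reg]), pos
        if op2 == 0x20:                            # MOV r32, CRn: mod is ignored, no SIB/disp follows
            b = code[pos]
            return "mov %s, cr%d" % (REG32[b & 7], (b >> 3) & 7), pos + 1
        if 0xC8 <= op2 <= 0xCF:                    # BSWAP r32; with a 66 prefix it is the undefined 16-bit form
            return "bswap %s" % (REG16 if opsize16 else REG32)[op2 - 0xC8], pos
    raise NotImplementedError("opcode %#x not handled here" % op)


def decode_hex(hexbytes):
    """Decode a hex string such as '0F2090' and check every byte was consumed."""
    code = bytes.fromhex(hexbytes)
    text, length = decode(code)
    if length != len(code):
        raise ValueError("decoded %d of %d bytes" % (length, len(code)))
    return text


# The slide's rows: bytes, what Intel's XED prints, what WinDbg 6.12 printed.
SLIDE_ROWS = [
    ("F1", "int1", "??"),
    ("D6", "salc", "??"),
    ("F7C890909090", "test eax, 0x90909090", "??"),
    ("0F1E84C090909090", "nop dword ptr [eax+eax*8-0x6f6f6f70], eax", "??"),
    ("0F2090", "mov eax, cr2", "??"),
    ("660FC8", "bswap ax", "bswap eax"),
]
```

Running `decode_hex` over each row of `SLIDE_ROWS` reproduces the XED column; the rows where WinDbg printed `??` are precisely the ones where a decoder needs a rule that is not in the documented opcode table (undocumented opcode, undocumented /reg alias, ignored mod field, or a prefix applied to an instruction that officially has no 16-bit form).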
19. the problem
   ● the CPU does its stuff
   ● if we/our tools don't know what's next, we're blind.
   ● no exhaustive or clean test set
      ● deep into malwares or packers
      ● scattered

20. let's start the real stuff...

21. a multi-generation CPU: standard...
   English      Assembly
   let's go!    push
   you win      mov
   sandwich     call
   hello        retn
   f*ck         jmp

22. ...old-style...
   thou         aaa
   porpentine   xlat
   enmity       verr
   hither       smsw
   unkennel     lsl

23. ...newest generation
   tweet        crc32
   poke         aesenc
   google       pcmpistrm
   pwn          vfmsubadd132ps
   apps         rcpss
   ...and MOVBE, the rejected offspring

24. registers
   ● Initial values (Windows)
      ● eax = <your OS generation>: version = (eax != 0) ? Vista_or_later : XP
      ● gs = <number of bits>: bits = (gs == 0) ? 32 : 64
   ● Complex relations
      ● FPU changes FST, STx, MMx (ST0 overlaps MM7)
         – changes CR0, under XP

25. smsw
   ● CR0 access, from user-mode
      ● 286 opcode
   ● higher word of reg32 undefined
   ● under XP
      ● influenced by FPU
      ● eventually reverts

26. GS
   ● reset on thread switch (Windows 32b)
   ● eventually reset
      ● debugger stepping
      ● wait
      ● timings

27. nop
   ● nop is xchg *ax, *ax
      ● but xchg *ax, *ax can do something, in 64b!
        87 c0: xchg eax, eax    .. .. .. .. 01 23 45 67 => 00 00 00 00 01 23 45 67
   ● hint nop
        0F1E84C090909090   nop dword ptr [eax+eax*8-0x6f6f6f70], eax
      ● partially undocumented, actually 0f 18-1f
      ● can trigger exception

28. mov
   ● documented, but sometimes tricky
      ● mov [cr0], eax => mov cr0, eax – mod/RM is ignored
      ● movsxd eax, ecx => mov eax, ecx – no REX prefix
      ● mov eax, cs => movzx eax, cs – undefined upper word

29. bswap
   rax   12 34 56 78 90 ab cd ef => ef cd ab 90 78 56 34 12
   eax   .. .. .. .. 01 23 45 67 => 00 00 00 00 67 45 23 01
   ax    .. .. .. .. .. .. 01 23 => .. .. .. .. .. .. 00 00
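The register effects on the salc, nop and bswap slides all come down to one 64-bit-mode rule plus one observed oddity, and an emulator or tracer that gets either wrong will diverge from the CPU. As an added example (not code from the slides or from Corkami), the model below keeps a single rax and the carry flag and implements the behaviours the slides report: a 32-bit write zero-extends the full register (so `xchg eax, eax` is not a nop in 64-bit mode while `90` is), 16- and 8-bit writes leave the upper bits alone, salc sets AL from CF, and the 16-bit bswap clears ax. The bswap ax result is the slide's observed value, not a documented one; the instruction is officially undefined in that form.

```python
# Added example: model of the rax/CF effects reported on the salc, nop and bswap slides.
MASK64 = (1 << 64) - 1


class Cpu:
    def __init__(self, rax=0, cf=0):
        self.rax = rax & MASK64
        self.cf = cf

    def write32(self, value):
        # 64-bit mode: a 32-bit register write zero-extends into bits 32..63
        self.rax = value & 0xFFFFFFFF

    def write16(self, value):
        # 16-bit writes leave bits 16..63 untouched
        self.rax = (self.rax & ~0xFFFF & MASK64) | (value & 0xFFFF)

    def write8(self, value):
        # 8-bit writes leave bits 8..63 untouched
        self.rax = (self.rax & ~0xFF & MASK64) | (value & 0xFF)


def salc(cpu):
    """D6: AL = CF ? -1 : 0 (the "what happened?" slide)."""
    cpu.write8(0xFF if cpu.cf else 0x00)


def nop(cpu):
    """90: no register write at all."""


def xchg_eax_eax(cpu):
    """87 C0: a real 32-bit write, so in 64-bit mode rax gets zero-extended (nop slide)."""
    cpu.write32(cpu.rax & 0xFFFFFFFF)


def bswap(cpu, width):
    """0F C8 with REX.W / no prefix / 66 prefix: byte-reverse rax, eax or ax (bswap slide)."""
    if width == 64:
        cpu.rax = int.from_bytes(cpu.rax.to_bytes(8, "little"), "big")
    elif width == 32:
        low = cpu.rax & 0xFFFFFFFF
        cpu.write32(int.from_bytes(low.to_bytes(4, "little"), "big"))
    elif width == 16:
        cpu.write16(0)          # observed on the slide: ax becomes 0, upper bits untouched
    else:
        raise ValueError("unsupported width %r" % width)


def run(instr, rax, cf=0, **kw):
    """Execute one modelled instruction on a fresh state and return the resulting rax."""
    cpu = Cpu(rax, cf)
    instr(cpu, **kw)
    return cpu.rax


if __name__ == "__main__":
    print("%016x" % run(xchg_eax_eax, 0xDEADBEEF01234567))   # upper half cleared
    print("%016x" % run(nop, 0xDEADBEEF01234567))            # unchanged
    print("%016x" % run(bswap, 0x1234567890ABCDEF, width=64))
    print("%016x" % run(bswap, 0xDEADBEEF01234567, width=32))
    print("%016x" % run(bswap, 0x123456789ABC0123, width=16))
```

The values fed in are the ones drawn on the slides, so the printout can be compared line by line with the bswap table and the `87 c0` line of the nop slide. The same zero-extension rule is what makes `movsxd eax, ecx` without REX and `mov eax, cs` behave differently from what a 32-bit-minded reading suggests.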
30. push+ret

31. ...and so on...
   ● much more @ http://x86.corkami.com
      ● also graphs, cheat sheet...
   ● too much theory for now...

32. Corkami Standard Test

33. CoST
   ● http://cost.corkami.com
   ● testing opcodes
   ● in a hardened PE
      ● available in easy mode

34. more than 150 tests
   ● classic, rare
   ● jumps (JMP to IP, IRET, …)
   ● undocumented (IceBP, SetALc...)
   ● CPU-specific (MOVBE, POPCNT, ...)
   ● OS-dependent, anti-VM/debugs
   ● exception triggers, interrupts, OS bugs, ...
   ● ...

35. a documented binary
   exports + VEH = self-commented assembly
   a lot of DbgOutput

36. 32+64 = ...

37. same opcodes, different code

38. CoST vs WinDbg & Hiew
   WinDbg 6.12.0002.633, Hiew 8.15

39. a hardened PE
   Top, PE footer

40. CoST vs IDA

41. a bit more of PE...

42. PE on Corkami
   ● some graphs
   ● a wiki page
      ● http://pe.corkami.com
      ● not "finished"
      ● more than 100 PoCs
      ● good enough to break <you name it>

43. virtual section table vs Hiew

44. Folded header

45. Weird export names
   ● exports = <anything non-null>, 0

46. 65535 sections vs OllyDbg

47. one last...
   ● TLS AddressOfIndex is overwritten on loading
   ● Imports are parsed until Name is 0
   ● under XP, overwritten after imports
      ● imports are fully parsed
   ● under W7, before
      ● truncated
   same PE, loaded differently under different Windows
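The "one last..." slide hinges on the loader's termination rule for the import table: it stops at the first descriptor whose Name is 0, so a write landing on that field (here, the TLS index write) cuts the table short. A tool that uses a different stopping rule will report imports the loader never touches, or miss ones it does. As an added example (not code from the slides or from Corkami), the walker below applies the rule the slide states next to a naive rule (stop only at an all-zero descriptor) over a constructed flat image in which RVA equals file offset; the naive rule is an assumption about how a simple parser might behave, not a description of any particular tool.

```python
# Added example: import-table walk with the loader's stopping rule versus a naive one.
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")
IMPORT_DIR_RVA = 0x000     # constructed layout: descriptors at the start of the image
STRINGS_RVA = 0x100        # constructed layout: DLL name strings here


def build_image():
    """Constructed sample image: the middle descriptor has Name == 0 but a live FirstThunk,
    which is what the slide describes after the TLS index write truncates the table."""
    strings = b"kernel32.dll\0user32.dll\0"
    name1 = STRINGS_RVA
    name2 = STRINGS_RVA + len(b"kernel32.dll\0")
    descs = (DESC.pack(0, 0, 0, name1, 0x200)
             + DESC.pack(0, 0, 0, 0, 0x210)        # Name == 0: the loader stops here
             + DESC.pack(0, 0, 0, name2, 0x220)    # only a naive walker reaches this one
             + DESC.pack(0, 0, 0, 0, 0))           # all-zero terminator
    img = bytearray(0x300)
    img[IMPORT_DIR_RVA:IMPORT_DIR_RVA + len(descs)] = descs
    img[STRINGS_RVA:STRINGS_RVA + len(strings)] = strings
    return bytes(img)


def cstring(img, rva):
    """Read a NUL-terminated string at rva (RVA == offset in this flat image)."""
    return img[rva:img.index(b"\0", rva)].decode("latin-1")


def walk_imports(img, rva=IMPORT_DIR_RVA, loader_rule=True):
    """Return the DLL names seen before the walk terminates."""
    seen = []
    while True:
        d = DESC.unpack_from(img, rva)
        name, first_thunk = d[3], d[4]
        if loader_rule:
            if name == 0:                 # the rule the slide states: parsed until Name is 0
                break
        elif not any(d):                  # naive: only an all-zero entry ends the table
            break
        seen.append(cstring(img, name) if name else "<Name=0, FirstThunk=%#x>" % first_thunk)
        rva += DESC.size
    return seen


def compare(img):
    """(loader view, naive view, entries the naive walker reports but the loader never processes)"""
    loader = walk_imports(img, loader_rule=True)
    naive = walk_imports(img, loader_rule=False)
    return loader, naive, [n for n in naive if n not in loader]


if __name__ == "__main__":
    loader, naive, extra = compare(build_image())
    print("loader:", loader)
    print("naive :", naive)
    print("reported but never loaded:", extra)
```

On the constructed image the loader view contains only kernel32.dll, while the naive view also lists the Name-less descriptor and user32.dll; an analysis tool that trusts the naive view would attribute to the binary an import the running process never resolves, which is the XP-versus-Windows 7 discrepancy the slide describes, seen from the parser's side.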
48. conclusion
   ● x86 and PE are far from perfectly documented
   ● still some gray areas of PE or x86
      ● but a bit less, every day
   official documentations lead to FAILURE
   1. visit Corkami.com
   2. download the PoCs
   3. fix the bugs ;)

49. Thanks
   ● Peter Ferrie
   ● Candid Wüest
   Adam Błaszczyk, BeatriX, Bruce Dang, Cathal Mullaney, Czerno, Daniel Reynaud, Elias Bachaalany, Ero Carrera, Eugeny Suslikov, Georg Wicherski, Gil Dabah, Guillaume Delugré, Gunther, Igor Skochinsky, Ilfak Guilfanov, Ivanlef0u, Jean-Baptiste Bédrune, Jim Leonard, Jon Larimer, Joshua J. Drake, Markus Hinderhofer, Mateusz Jurczyk, Matthieu Bonetti, Moritz Kroll, Oleh Yuschuk, Renaud Tabary, Rewolf, Sebastian Biallas, StalkR, Yoann Guillot, ...
   Questions?

50. Such a weird processor: messing with opcodes (...and a little bit of PE)
   Ange Albertini, 28th October 2011
   @ange4771, @corkami (news only)
   Creative Commons BY