This document discusses reverse engineering a binary program for an unknown custom virtual machine. Through analyzing byte frequencies and instruction patterns, the authors were able to deduce key aspects of the virtual machine's architecture like the calling convention, return instruction, jump instructions, register usage, and arithmetic operations. Their approach involved heuristics-based searching to find common instruction encodings without any prior knowledge of the processor. While limited to simple analysis, this showed it is possible to gain a high-level understanding and decompose a binary without documentation. The authors develop the SmartDec decompiler to help with further reverse engineering virtual machine binaries.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Latin America Tour 2019 - 10 great sql featuresConnor McDonald
By expanding our knowledge of SQL facilities, we can let all the boring work be handled via SQL rather than a lot of middle-tier code, and we can get performance benefits as an added bonus. Here are some SQL techniques to solve problems that would otherwise require a lot of complex coding, freeing up your time to focus on the delivery of great applications.
In this laboratory we explore how to create a custom instruction for the UoS educational processor. The first instruction is a purely combinational one; the second one is a "tick" instruction involving a separate circuit counting the number of clock cycles since reset.
Unit duration: 120mn.
License: LGPL 2.1
Brief Introduction to Deep Learning + Solving XOR using ANNsAhmed Gad
This presentation gives a very simple introduction to deep learning in addition to a step-by-step example showing how to solve the XOR non-linear problem using multi-layer artificial neural networks that has both input, hidden, and output layers.
Deep learning is based on artificial neural networks and it aims to analyze large amounts of data that are not easily analyzed using conventional models. It creates a large neural network with several hidden layers and several neurons within each layer and usually may take days for its learning.
Many beginners in artificial neural networks have a problem in understanding how hidden layers are useful and what is the best number of hidden layers and best number of neurons or nodes within each layer.
أحمد فوزي جاد Ahmed Fawzy Gad
قسم تكنولوجيا المعلومات Information Technology (IT) Department
كلية الحاسبات والمعلومات Faculty of Computers and Information (FCI)
جامعة المنوفية, مصر Menoufia University, Egypt
Teaching Assistant/Demonstrator
ahmed.fawzy@ci.menofia.edu.eg
:
AFCIT
http://www.afcit.xyz
YouTube
https://www.youtube.com/channel/UCuewOYbBXH5gwhfOrQOZOdw
Google Plus
https://plus.google.com/u/0/+AhmedGadIT
SlideShare
https://www.slideshare.net/AhmedGadFCIT
LinkedIn
https://www.linkedin.com/in/ahmedfgad/
ResearchGate
https://www.researchgate.net/profile/Ahmed_Gad13
Academia
https://menofia.academia.edu/Gad
Google Scholar
https://scholar.google.com.eg/citations?user=r07tjocAAAAJ&hl=en
Mendelay
https://www.mendeley.com/profiles/ahmed-gad12/
ORCID
https://orcid.org/0000-0003-1978-8574
StackOverFlow
http://stackoverflow.com/users/5426539/ahmed-gad
Twitter
https://twitter.com/ahmedfgad
Facebook
https://www.facebook.com/ahmed.f.gadd
Pinterest
https://www.pinterest.com/ahmedfgad/
Не всегда задачи решаются в терминах языка программирования. И когда дело доходит до реализации, иногда "волосы становятся дыбом" от мысли, как это придется делать на конкретном языке. В данном докладе автор "изольет душу" на тему идиом в языках программирования, чем они отличаются от паттернов проектирования, рассмотрит преимущества и недостатки их использования, а также подробно рассмотрит несколько наиболее популярных идиом для C++.
Метод анализа C/C++ программ. Использование LLVM и декомпиляции в таком анализе. Проблемы декомпиляции и возможные способы применения анализа. Примеры.
The method of analysis of C/C++ programms. The usage of LLVM and decompilation in this analysis. Problems of decompilation. Possible ways of usage of analysis. Examples.
Latin America Tour 2019 - 10 great sql featuresConnor McDonald
By expanding our knowledge of SQL facilities, we can let all the boring work be handled via SQL rather than a lot of middle-tier code, and we can get performance benefits as an added bonus. Here are some SQL techniques to solve problems that would otherwise require a lot of complex coding, freeing up your time to focus on the delivery of great applications.
In this laboratory we explore how to create a custom instruction for the UoS educational processor. The first instruction is a purely combinational one; the second one is a "tick" instruction involving a separate circuit counting the number of clock cycles since reset.
Unit duration: 120mn.
License: LGPL 2.1
Brief Introduction to Deep Learning + Solving XOR using ANNsAhmed Gad
This presentation gives a very simple introduction to deep learning in addition to a step-by-step example showing how to solve the XOR non-linear problem using multi-layer artificial neural networks that has both input, hidden, and output layers.
Deep learning is based on artificial neural networks and it aims to analyze large amounts of data that are not easily analyzed using conventional models. It creates a large neural network with several hidden layers and several neurons within each layer and usually may take days for its learning.
Many beginners in artificial neural networks have a problem in understanding how hidden layers are useful and what is the best number of hidden layers and best number of neurons or nodes within each layer.
أحمد فوزي جاد Ahmed Fawzy Gad
قسم تكنولوجيا المعلومات Information Technology (IT) Department
كلية الحاسبات والمعلومات Faculty of Computers and Information (FCI)
جامعة المنوفية, مصر Menoufia University, Egypt
Teaching Assistant/Demonstrator
ahmed.fawzy@ci.menofia.edu.eg
:
AFCIT
http://www.afcit.xyz
YouTube
https://www.youtube.com/channel/UCuewOYbBXH5gwhfOrQOZOdw
Google Plus
https://plus.google.com/u/0/+AhmedGadIT
SlideShare
https://www.slideshare.net/AhmedGadFCIT
LinkedIn
https://www.linkedin.com/in/ahmedfgad/
ResearchGate
https://www.researchgate.net/profile/Ahmed_Gad13
Academia
https://menofia.academia.edu/Gad
Google Scholar
https://scholar.google.com.eg/citations?user=r07tjocAAAAJ&hl=en
Mendelay
https://www.mendeley.com/profiles/ahmed-gad12/
ORCID
https://orcid.org/0000-0003-1978-8574
StackOverFlow
http://stackoverflow.com/users/5426539/ahmed-gad
Twitter
https://twitter.com/ahmedfgad
Facebook
https://www.facebook.com/ahmed.f.gadd
Pinterest
https://www.pinterest.com/ahmedfgad/
Не всегда задачи решаются в терминах языка программирования. И когда дело доходит до реализации, иногда "волосы становятся дыбом" от мысли, как это придется делать на конкретном языке. В данном докладе автор "изольет душу" на тему идиом в языках программирования, чем они отличаются от паттернов проектирования, рассмотрит преимущества и недостатки их использования, а также подробно рассмотрит несколько наиболее популярных идиом для C++.
Метод анализа C/C++ программ. Использование LLVM и декомпиляции в таком анализе. Проблемы декомпиляции и возможные способы применения анализа. Примеры.
The method of analysis of C/C++ programms. The usage of LLVM and decompilation in this analysis. Problems of decompilation. Possible ways of usage of analysis. Examples.
А давайте будем многопоточить и масштабировить! - записки сумасшедшего №0COMAQA.BY
Хочешь, чтобы веб-сервисы работали быстрее? Тогда используй Add to dictionary и масштабируемость в "облаке". В докладе кратко представлен проектный опыт сокращения времени тестирования SOAP+REST WS на основе multithreading и возможности масштабируемости в Azure.
В топку Postman - пишем API автотесты в привычном стекеCOMAQA.BY
Postman - отличный инструмент для автоматизации тестирования API, но он требует дополнительного софта, дополнительных навыков и дополнительных настроек. Есть ли способ обойти эти ограничения и перейти сразу к автоматизации API-тестов в привычной среде, если вы уже разрабатываете автотесты на Java? Конечно! Давайте поговорим о способах автоматизации API-тестов с использованием Java
Автоматизация тестирования API для начинающихCOMAQA.BY
Потенциальные сложности в тестировании веб-сервисов. Мы поговорим об основах тестирования API, докладчик поделится опытом создания фреймворка для эффективной организации автоматизации регрессионного тестирования с нулся и в сжатые сроки. Уверен: идеи и практический опыт докладчика будет небесполезен слушателям, особенно тем, кому предстоит заняться автоматизацией тестирования веб-сервисов «на голом месте».
Career boost: как джуниору случайно стать лидом и не получить от этого удовол...COMAQA.BY
Мы поговорим о неоправданно быстром карьерном росте тестировщика и потенциальных проблемах, которые могут встретиться на его пути, проговорим личный опыт докладчика и, по возможности, сделаем выводы: как остаться единственным тестировщиком – «выжившим», получить крупный проект из моря сервисов и не сойти с ума; как совмещать тестирование нового функционала, поддержку билдов, тестового окружения и контроль релизного процесса; как за год не найти опытного тестировщика в команду и успешно взять не-айтишника и «интегрировать» его.
Slides from my presentation on ARM Shellcode at #44CON 2018, London.
In this talk, we explore ARM egghunting and "Quantum Leap" code - polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques.
like our page for more updates:
https://www.facebook.com/Technogroovyindia
With Best Regard's
Technogroovy Systems India Pvt. Ltd.
www.technogroovy.com
Call- +91-9582888121
Whatsapp- +91-8800718323
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques.
Buy Embedded Systems Projects Online,Buy B tech Projects OnlineTechnogroovy
like our page for more updates:
https://www.facebook.com/Technogroovyindia
With Best Regard's
Technogroovy Systems India Pvt. Ltd.
www.technogroovy.com
Call- +91-9582888121
Whatsapp- +91-8800718323
Embedded Systems,Embedded Systems Project,Winter training,Technogroovy
like our page for more updates:
https://www.facebook.com/Technogroovyindia
With Best Regard's
Technogroovy Systems India Pvt. Ltd.
www.technogroovy.com
Call- +91-9582888121
Whatsapp- +91-8800718323
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
The Linux kernel is a very complex beast living in millions of households and data centers around the world. Normally, you’re not supposed to notice its presence but when it gets cranky because of something not suiting it, it spits crazy messages called colloquially
oopses and panics.
In this talk, we’re going to try to understand how to read those messages in order to be able to address its complaints so that it can get back to work for us.
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques
In this unit we introduce interrupts in processors and microcontrollers. We explain how the UoS processor (which doesn't support interrupts currently) could be extended to support interrupts.
Unit duration: 50mn.
License: LGPL 2.1
"HHVM is a high-performance, open source PHP execution engine developed at Facebook. It’s the fastest PHP runtime in the world, with support for PHP5, PHP7, and Hack—the programming language used for Facebook’s web server application logic. In addition to powering Facebook’s web tier, HHVM has also been adopted by other major services such as Wikipedia, Baidu, and Box.
HHVM uses just-in-time compilation to transform PHP and Hack source code into optimized machine code. Thanks to contributions from developers across the ARM community, HHVM can now target AArch64 in addition to x86-64 and successfully runs open source PHP frameworks like WordPress. Join us for an overview of HHVM, a quick demo, and some thoughts on where optimization efforts can go from here."
Аварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгинodnoklassniki.ru
Crash dump as the block box of crashed JVM by Andrey Pangin. A talk from jokerconf.com.
Виртуальная машина Java способна отловить широкий спектр ошибок программирования. Результат она выдаст в виде исключения со стек-трейсом. Но что делать, если падает сама JVM, оставив лишь предсмертную записку под именем hs_err.log с загадочным содержимым?
В докладе я расскажу, что же зашифровано в аварийном дампе, и как эту информацию можно использовать для анализа проблемы и поиска причины. Мы рассмотрим ситуации, в которых JVM может сломаться, и в режиме живой демонстрации разберем примеры реальных падений, случившихся при разработке высоконагруженных приложений.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Reverse engineering of binary programs for custom virtual machines
1. Reverse engineering of binary
programs for custom virtual
machines
Alexander Chernov, PhD
Katerina Troshina, PhD
Moscow, Russsia
SmartDec.net
2. About us
• SmartDec decompiler
• Academic background
• Defended Ph.D.
• Industry
3. Once upon a time…
• In a country far far away…
• Reverse engineering of binary code
– No datasheet
– Very poor documentation
High-level representation for engineers
4. Once upon a time…
High-level representation for engineers
• Call graph
• Flow-chart
• C code
5. Approaches to the analysis
• First thought: to search the code and
data for clues about processor type
• To try different disassemblers and
check if the disassembled listing looks
like a program
– IDA Pro supports above 100 “popular”
processors (no luck)
– Download and try disassemblers for other
processors (no luck)
6. Approaches to the analysis
• Fallback: to try to go as far as possible
in binary analysis collecting
information about processor
• Initial information:
– Rough separation of code and data
(based on pieces of documentation and
“look” of data)
– Enough code for statistics to be
meaningful (some 30 KiB )
7. Search space
• Architecture search space:
– Word byte order: LE, BE
– Instruction encoding: byte stream/WORD
stream/DWORD stream…
– Code/data address space: uniform (von
Neumann), separate (Harvard)
– Code addressing: byte, WORD, …
– Register based, stack based
[WORD – 2 bytes, DWORD – 4 bytes]
8. RET instruction
• Possible instruction encoding: fixed-
width WORD
• Expected “Return from subroutine”
(RET) instruction properties:
– RET instruction has a single fixed opcode
and no arguments
– RET instruction opcode is statistically
among the most frequent 16-bit values in
code
10. Possible code structure
sub1: …
CALL subn # absolute address
…
RET
sub2: … # follows RET
RET
subn: … # follows RET
RET
11. CALL heuristics
• Assumption 1: there exists a CALL
instruction taking the absolute address
of a subroutine
• Assumption 2: a considerable number
of subroutines start immediately after
RET instruction
12. CALL search
• Search space: for each candidate for RET,
try all possible CALL candidates with
addresses as 16-bit bitmask in 32-bit
words, LE/BE, 16-bit/byte addressing
• Example:
– 4 bytes: 12 34 56 78
– Address bitmask: 00 00 ff ff (4057 different)
– Opcode: 12 34 XX XX
– Address: 56 78
• LE: 7856 (byte addr), F0AC (WORD addr)
• BE: 5678 (byte addr) , ACF0 (WORD addr)
13. CALL search results
• Only one match!
Trying 8c0d as RET
After-ret-addr-set-size: 430
Matching call opcodes for 1, ff00ff00, 1: 000b003d: total: 1275, hits: 843 (66%),
misses: 432 (33%), coverage: 76%
• 430 – number of positions after RET
candidate
• 1275 – total DWORDs with mask 00ff00ff
• 843 – calls to addresses right after RET
• 432 – calls to somewhere else
• 76% positions after RET are covered
14. RET search results
• RET: 8c0d (WORD LE)
• Absolute call to HHLL:
0bHH 3dLL (2 WORD LE)
• Confirmation: code areas end with RET:
0000de30 3d88 8c0d 3901 0b24 3daf 2b00 a942 2b00
0000de40 b961 8c0d ???? ???? ???? ???? ???? ????
15. JMP search heuristics
• Assumption 1: absolute unconditional
JMP has structure similar to call: XXHH
YYLL
• Assumption 2: there must be no JMP’s
to outside of code
• Assumption 3: there may be JMP’s to
addresses following RETs
• Assumption 4: absolute JMPs are not
rare
17. Rel. JMP search heuristics
• Set of target addresses: addresses after RET
and JMP and first addresses of code segments
• Assumption 1: offset occupies one byte
• Assumption 2: offset is added to the address
of the next instruction
• Assumption 3: code is WORD-addressed
• Assumption 4: relative jumps rarely cross RET
instructions
• Assumption 5: no relative jumps to outside of
code
• Search produces 32 candidates
18. Rel. JMP search first results
• Candidate opcode 0cXX - Similar to
absolute unconditional JMP 0bHH
0cXX
• Assumption 1: 0bHH – prefix
instruction making jump (or call)
absolute
• Assumption 2: 0cXX – unconditional
relative jump
• Redo relative jump instruction search
with two new assumptions
21. Intermediate results
• Instructions identified:
– CALL
– RET
– JMP
– Conditional JMPs
• High-byte extenstion prefix is
identified
• Control-flow graph can be built and
the general structure can be identified
22. Cond. arithmetics heuristics
• Assumption 1: there are instructions
like AND and CMP with immediate
arguments preceding conditional
jumps
• Assumption 2: the opcodes are XXLL or
0bHH XXLL (byte or WORD values)
• Build the set of opcodes and the
corresponding values
30. Register structure
• Instruction 08RR changes the active
accumulator (0800, 0801 … 080f)
• Arithmetics: one operand is explicit,
another is active accumulator
• The processor has at least 16
arithmetic registers 0 - F
32. Top values
0b01 PREFIX
0800 MOV AP, 0 # change the current accumulator
8c0d RET
2b00 PREFIX
4e1c ?
0801 MOV AP, 1 # change the current accumulator
890f MOV R0, @DPO # load from data memory
8f09 MOV @DP0, R0 # store to data memory
0f00 MOV @DP0, 0 # store 0 to data memory
0b00 PREFIX
0b8f PREFIX
4a01 ADD ACC, 1
0b36 PREFIX
0802 MOV AP, 1
3ddc CALL ...
0b80 PREFIX
990f MOV R1, @DP0
8afa ?
1aff AND ACC, ff
0900 MOV R0, 0
33. Lessons learned
• It is possible to discover
– Subroutine structure
– Unconditional and conditional jumps
– Some arithmetic instructions
– Rough register structure
• Only by binary analysis of the code
without virtual machine (processor)
data sheets
36. annotations
• Opcode specifications
• Specification of code and data areas
• Entry points
• Symbolic cell names
• Subroutine range and description
• Inline and outline specifications
37. SmartDec decompiler
• Demo version is free available at
decompilation.info
• Current state:
– Alpha-version
– Supports limited set of x86/x64 assembly
instructions
– Supports objdump/dumpbin disassembly
backbends
– Initial support for C++ exceptions and
class hierarchy recovery
38. Thank you for your
attention
Questions?
info@decompilation.info