Vitor Ventura

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats, reversing them but also looking for their geopolitical and/or economic context. Vitor has been a speaker in conferences, like VirusBulletin, NorthSec, Recon, Defcon’s Crypto and Privacy Village, among others.
Prior to that he was IBM X-Force IRIS European manager where he was lead responder on several high profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments and ICS security assessments, custom mobile devices among other IoT security projects. Vitor holds a Bsc in Computer Science and multiple security related certifications like GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager).

The speaker's profile picture

Sessions

06-11
13:00
60min
Reversing NIM binaries: the easy way
Vitor Ventura, Holger Unterbrink

For a reverse engineer one of the first steps is to differentiate between library code and code the author wrote. This can be especially hard depending on how the compiler has optimized the code. This research’s objective is to make life easier for analysts and reverser engineers while analyzing NIM based binaries.

The evolution of programming languages has created more portable languages that can be compiled for different platforms with little or no changes, without the recourse to virtual machines. This comes at the cost of a lot of boilerplate code which is added by the compiler or the Intermediate code translator. These languages often have their own definition of strings, calling convention and in some cases the intermediate code translator can implement different optimizations which in the end results in very complex executables.

The NIM compiler has several optimization options, it can be optimized for speed or size for example, which will result in dramatically different binaries. This presentation starts to demonstrate these differences and their impact on the final binary. Then it moves to show how an analyst can identify the non-library code, so that she can focus her efforts on analyzing the logic of the executable, instead of getting lost in library code. To help out in this task we will present IDAPro scripts that will do part of the binary analysis and identify imported library or boilerplate code and create well known structures for language specific objects like strings.
The presentation ends with a demonstration of the IDA scripts and the help it provides for analyzing NIM binaries.

Grand Salon