Holger Unterbrink
Holger is a longtime security enthusiast, with more than 25 years of experience in the information security industry. He started his career as a penetration tester and is now working for Cisco Talos as technical leader in the malware and threat hunting sector. He finds new, cutting-edge security threats and analyzes their components. Holger is a frequent speaker at international security conferences such as BlackHat, HackInTheBox, Internet Security Conference, NorthSec, CiscoLive and others. He is also the author of several offensive and defensive security tools and won the IDA plugin contest with his Dynamic Data Resolver (DDR) IDA plugin in 2020.
Sessions
For a reverse engineer, one of the first steps is to separate library code from code the author actually wrote. This can be especially hard, depending on how the compiler optimized the code. The objective of this research is to make life easier for analysts and reverse engineers working on NIM-based binaries.
The evolution of programming languages has produced more portable languages that can be compiled for different platforms with little or no change and without recourse to a virtual machine. This comes at the cost of a lot of boilerplate code added by the compiler or the intermediate code translator. These languages often have their own definitions of strings and calling conventions, and in some cases the intermediate code translator applies its own optimizations, which results in very complex executables.
The NIM compiler has several optimization options (for speed or for size, for example) that result in dramatically different binaries. This presentation starts by demonstrating these differences and their impact on the final binary. It then shows how an analyst can identify the non-library code, so that she can focus her efforts on the logic of the executable instead of getting lost in library code. To help with this task we present IDA Pro scripts that do part of the binary analysis: they identify imported library or boilerplate code and create well-known structures for language-specific objects such as strings.
The presentation ends with a demonstration of the IDA scripts and the help they provide when analyzing NIM binaries.
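As an added illustration of what "creating structures for language-specific objects such as strings" can look like, the following stand-alone Python scanner looks for Nim string literals in a raw binary image. It is not code from the talk or from the presenters' IDA scripts. It assumes the legacy refc-runtime layout of NimStringDesc on a 64-bit little-endian target: two machine-word fields, len and reserved, followed by len bytes and a NUL terminator, with string literals storing len OR'd with the string-literal flag (bit 62) in reserved. The constructed sample image and all names are this example's own; confirm the layout against a real sample before relying on it, since Nim 2's default ORC runtime uses a different string representation.

```python
"""Scanner for Nim (legacy refc runtime) string literals in a raw binary image.

Assumed layout (64-bit, little-endian), to be verified against a real sample:

    struct { NI len; NI reserved; NIM_CHAR data[len + 1]; }

For a literal, reserved == len | NIM_STRLIT_FLAG and NIM_STRLIT_FLAG == 1 << 62.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import List, Optional

WORD = 8                                  # machine word on the assumed 64-bit target
NIM_STRLIT_FLAG = 1 << (WORD * 8 - 2)     # 1 << 62
HEADER = struct.Struct("<qq")             # len, reserved as signed machine words


@dataclass
class NimStr:
    offset: int   # file offset of the NimStringDesc header
    length: int   # value of the len field
    text: bytes   # the string payload without its NUL terminator


def parse_nim_string(image: bytes, off: int, max_len: int = 4096) -> Optional[NimStr]:
    """Decode a NimStringDesc literal at `off`, or return None if the layout does not fit."""
    if off + HEADER.size > len(image):
        return None
    length, reserved = HEADER.unpack_from(image, off)
    if not 0 <= length <= max_len:
        return None
    # Literals carry their own length in `reserved`, with the strlit flag set.
    if reserved != (length | NIM_STRLIT_FLAG):
        return None
    data_start = off + HEADER.size
    data_end = data_start + length
    # The C codegen always emits a terminating NUL after `length` bytes.
    if data_end >= len(image) or image[data_end] != 0:
        return None
    return NimStr(off, length, image[data_start:data_end])


def scan_nim_strings(image: bytes, align: int = WORD) -> List[NimStr]:
    """Walk the image in `align`-byte steps and collect every literal that matches."""
    found: List[NimStr] = []
    off = 0
    while off + HEADER.size <= len(image):
        s = parse_nim_string(image, off)
        if s is None:
            off += align
            continue
        found.append(s)
        # Skip past header, payload and NUL, then round up to the next aligned slot.
        end = s.offset + HEADER.size + s.length + 1
        off = (end + align - 1) // align * align
    return found


def build_image(literals: List[bytes]) -> bytes:
    """Constructed test input: lay out literals the way the assumed C codegen does."""
    out = bytearray()
    for lit in literals:
        out += HEADER.pack(len(lit), len(lit) | NIM_STRLIT_FLAG)
        out += lit + b"\x00"
        while len(out) % WORD:          # pad each static struct to word alignment
            out += b"\x00"
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: junk bytes, two literals, trailing non-literal data.
    sample = b"\xff" * 16 + build_image([b"hello", b"nim strings"]) + b"garbage"
    for s in scan_nim_strings(sample):
        print(f"0x{s.offset:04x} len={s.length} {s.text!r}")
```

In IDA the same check would run over the loaded segments and, for each hit, apply a NimStringDesc structure at the header offset and name the data member; keeping the recognizer separate from the IDA API, as here, lets it be unit-tested against constructed input first.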