Unveiling Secrets in Binaries using Code Detection Strategies
06-10, 17:30–18:00 (America/New_York), Grand Salon

Our talk addresses the challenges faced by reverse engineers in navigating and exploring large, unknown binaries. We introduce a range of efficient, architecture-agnostic heuristics to quickly detect intriguing code locations in real-world applications. This ranges from the detection of cryptographic algorithms and complex state machines in firmware to string decryption routines in malware. Then, we use these techniques to identify API functions in statically-linked executables and pinpoint obfuscated code in commercial applications. Attendees will gain valuable insights and tools to enhance their reverse engineering workflows and discover new code detection strategies applicable to a wide array of scenarios.

Navigating and exploring large binaries poses significant challenges for reverse engineers, no matter if the goal is to discover vulnerabilities, analyze malware or bypass protections in commercial applications. With the increasing complexity of software, traditional reverse engineering strategies often fall short in efficiently uncovering secrets within these binaries. In this talk, we address these challenges by introducing various techniques and heuristics for analyzing and navigating complex binaries.

Our presentation dives into a range of efficient, architecture-agnostic heuristics based on code complexity metrics and statistical analysis to identify potentially insightful code locations. These heuristics encompass the detection of complex functions and basic blocks, uncommon instruction sequences, frequently called functions, and overlapping instructions.

Throughout our talk, we examine the advantages and disadvantages of these heuristics, along with their potential applications. By employing these strategies, we tackle various use cases, such as identifying cryptographic algorithms, state machines and complex protocol logic, C&C server communication and string decryption routines in malware. Furthermore, we dive the detection of API functions in statically-linked executables as well as obfuscated code in commercial applications.

Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.