“Adventures in Reversing Streaming DRM Systems”
Hendi;
Short Talk
DRM systems for content protection are ubiquitous nowadays. Nearly all subscription-based streaming providers mandate their use, and implementations can be found in both software (such as browsers and operating systems) and firmware (for devices like TVs, PC motherboards and graphics cards).
DRM implementations can be an intimidating target for reverse engineering. They tend to be well-protected by making use of obfuscation and whitebox cryptography, making it hard to understand the internal workings of the system, and harder yet to get hold of its cryptographic secrets. But is everything truly as it seems? In this talk, we'll explore how a series of operational security failures over the years have exposed detailed insights into systems like PlayReady and Widevine. We'll also uncover how, under the right conditions, obtaining hardware DRM keys may be easier than one might expect.
Specifically, the talk will cover vulnerabilities and screw-ups in the following devices/platforms:
* DRM libraries on an ancient Android version
* An Android app embedding a vendor-customized DRM SDK
* A Smart TV platform utilizing ARM TrustZone
* Windows 10/11 software DRM implementation
* Intel Management Engine PAVP (Protected Audio Video Path)
The goal of the talk is not to convey in-depth details about any one system/exploit, but to present some ideas of approaching the topic of reversing DRM systems and to show that it is possible to get a handle on them even without an advanced background in cryptanalysis or exploitation.
“Attacking modern software protection with Dynamic Binary Instrumentation”
Holger Unterbrink;
Talk
Once confined to advanced malware, modern software protections—such as anti-debugging routines, anti-tamper mechanisms, and aggressive obfuscation—are now commonplace in commercial DRM and, through commercial protectors, even in standard malware. These defenses significantly hinder traditional static analysis and debugger-based approaches, often concealing critical behavioral logic deep within runtime layers.
Dynamic Binary Instrumentation (DBI) offers a compelling alternative by enabling real-time observation and manipulation of program execution. Unlike static techniques, DBI frameworks instrument instructions at runtime, which lets them bypass or neutralize many anti-analysis tricks and provides unmatched visibility into program behavior.
This talk opens with a focused introduction to DBI concepts, exploring its architectural model, strengths, and where it best complements reverse-engineering workflows. We’ll then dive into DynamoRIO, a powerful open-source DBI framework supporting IA-32, AMD64, ARM, and AArch64 on Windows, Linux, and Android. Through practical examples, we’ll demonstrate how to develop a custom tracer and dumper capable of:
- Capturing instruction-level execution (code trace)
- Inspecting memory-resident objects and runtime data
- Dumping unpacked code segments for offline analysis
Attendees will gain hands-on insights into dealing with real-world complexities like multithreaded execution, process spawning, and anti-debugging countermeasures. We’ll also show how to feed collected runtime data back into tools like IDA Pro to enrich static analysis with dynamic context.
This talk is a hands-on, experience-driven walkthrough by someone who has spent over seven years building tools with DynamoRIO—including the now-archived DDR tool, which won the IDA Plugin Contest in 2020. Attendees will learn how to develop a DynamoRIO client from scratch.
The session concludes with the public release of a DynamoRIO-based tracer, giving participants a practical foundation and template for integrating DBI into their own analysis pipelines.
Talk Outline
- Introduction to DBI concepts
- DBI in malware analysis
- Intro to DynamoRIO and its position in Dynamic Binary Instrumentation (DBI)
- Architecture and execution model
- Building a minimal but extensible client
- Instruction-level tracing and manipulation
- Runtime memory inspection and string/object extraction
- Dumping memory and reconstructing PE files
- Running your client against real-world malware
- Enrich IDA IDB with DBI collected information
- Tips for extending your tool further
- Where to find help for own projects
“Beyond decompilation: multi-level lifting for automatic software understanding”
Sergey Bratus;
Panel
Last year we celebrated 30 years of decompilation. The idea that lifting a binary into a well-structured source-level form could be done algorithmically was so hugely powerful that it arguably obscured other worthwhile questions: into what other useful representations could a binary be lifted? Could these lifted forms enable some kinds of automated software understanding better than source-like representations? Could such representations be mathematically defined and "baked to order" for a particular kind of automated program analyses?
Various research efforts over the years provided partial answers to these questions. This year's panel will revisit these questions and these answers, and will try to map out promising practical directions of lifting for program analysis.
“Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications”
Tim Blazytko, Nicolò Altamura;
Short Talk
From gaming anti-cheat and DRM solutions to malware, Mixed Boolean-Arithmetic (MBA) obfuscation hides critical computations behind intricate Boolean and arithmetic transformations. In this talk, we demystify how these transformations are constructed and why they turn even simple code into a reverse-engineering nightmare. We then examine recent breakthroughs in algebraic and synthesis-based methods—like QSynthesis, msynth, and Goomba—revealing both their strengths and shortcomings for real-world deobfuscation scenarios. Next, we introduce a new Binary Ninja plugin that uses a combination of SSA-based slicing & synthesis to systematically simplify MBA computations, showcasing its reliability and effectiveness in real-world protection scenarios. Finally, we discuss the future of MBA research, highlighting how these emerging techniques continue to dismantle once-impenetrable defenses.
“Coverage-Guided Fuzzing of Rehosted Network Services from Firmware Images”
Marc "vanHauser" Heuse;
Workshop (3hr)
In this 3-hour hands-on workshop, you'll dive deep into a real-world example of how to perform coverage-guided fuzzing of network services extracted directly from ARM/MIPS/... firmware images. Learn to unleash a range of advanced techniques—fuzzing live over TCP, mocking network interactions, preloading libraries, or applying binary patches. By the end of this session, you'll have mastered effective strategies to uncover hidden vulnerabilities in embedded network services—all directly on your laptop and applicable to any embedded hacking.
“Cubesat hacking for non-space engineers”
Jahaziel Leon;
Workshop (3hr)
Space is not just the final frontier—it’s also a critical cybersecurity battlefield. With the increasing number of commercial, governmental, and academic satellites, securing these systems has become essential.
In this workshop, participants will gain essential knowledge about satellite fundamentals, radio frequency communications and hacking. We will explore OSINT techniques to gather information about space missions and analyze the most relevant cybersecurity attacks on satellite systems. Finally, attendees will engage in a hands-on Capture The Flag (CTF) lab, applying their skills to analyze, compromise, and control simulated flatsat systems.
“Extracting Antifuse Secrets from the DEF CON 32 badge (RP2350)”
Andrew D. Zonenberg;
Talk
CMOS one-time programmable (OTP) memories based on antifuses are widely used for storing small amounts of data (such as serial numbers, keys, and factory trimming) in integrated circuits because they are inexpensive and require no additional mask steps to fabricate. The RP2350 uses an off-the-shelf Synopsys antifuse memory block for storing secure boot keys and other sensitive configuration data.
Despite antifuses being widely considered a "high security" memory, meaning they are significantly more difficult for an attacker to extract data from than other types of memory such as Flash or mask ROM, we have demonstrated that data bits stored in the RP2350 antifuse memory can be extracted using a well-known semiconductor failure analysis technique: passive voltage contrast (PVC) with a focused ion beam (FIB).
The simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory bitcell rows sharing common metal 1 contacts; however, we believe it is possible for an attacker to separate the even/odd row values with additional effort.
Furthermore, it is highly likely that all products using the Synopsys dwc_nvm_ts40* family of memory IPs on the TSMC 40nm node are vulnerable to the same attack, since the attack is not specific to the RP2350 but rather targets the memory itself. We have not yet tested our technique against other vendors' antifuse IP blocks or on other process nodes, but we assess it to have broad applicability to antifuse-based memories.
“Guerilla Reversing: Runtime Shenanigans”
Gabi Cirlig, Lindsay Kaye;
Workshop (3hr)
In an ever-evolving arms race against the Google Play Store, threat actors increasingly capitalise on advanced malware capabilities to target smartphones. Yet, with modern malicious APKs deploying sophisticated obfuscation and anti-analysis tactics, static analysis alone often falls short. In this workshop, we’ll demystify how Android threats operate—from a broad threat-landscape overview down to the nitty-gritty of dynamic analysis of malicious code in action.
By reverse engineering real-world Android malware samples and monitoring their runtime behavior, participants will gain the cutting-edge skills necessary to detect, dissect, and defend against these attacks. Whether you’re a beginner or a seasoned analyst, you’ll walk away with hands-on experience in the nuances of Android malware and the practical know-how to stay one step ahead.
“.NET Exploitation Workshop”
Sina Kheirkhah (@SinSinology);
Workshop (3hr)
This workshop is all about .NET reverse engineering and exploitation for vulnerability researchers.
“Offensive Security Tool Development with Ghidra: From Custom CLI Tools to a MCP Server”
John McIntosh;
Workshop (3hr)
Elevate your cybersecurity workflow with Ghidra’s robust support for command line tools in this immersive, hands-on workshop. Tailored for developers and security analysts, you'll be guided through setting up a high-performance development environment using the Ghidra Python VSCode Devcontainer. Learn how to automate repetitive tasks, create custom analysis scripts, and integrate Ghidra's cutting-edge decompilation and disassembly features—complete with full debugging support right in VS Code.
The session begins with the fundamentals, introducing you to custom CLI tool development through simple, practical examples. As you build on this foundation, the workshop culminates in a hands-on exercise where you will develop a Python3 Model Context Protocol (MCP) server compatible with Claude AI and other LLM clients. This dynamic MCP server acts as an interface for automating Ghidra tasks via natural language commands, paving the way for LLM-assisted reverse engineering. By the end of this workshop, you'll have firsthand experience building an MCP server, working with Ghidra's powerful program API, and gaining a deeper understanding of how LLMs can streamline automation and enhance your reverse engineering processes.
“QuickShell: Sharing is caring about an RCE attack chain on Quick Share”
Or Yair;
Talk
Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version.
Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined.
We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn’t done it sooner.
We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user’s folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in a form of a complex chain.
In this talk, we’ll introduce QuickShell - an RCE attack chain on Windows combining 5 out of the 10 vulnerabilities in Quick Share. We’ll provide an overview of Quick Share’s protocol, present our fuzzer, the vulnerabilities we found, a new HTTPS MITM technique, and finally the RCE chain.
“Reverse Engineering Patch Tuesday”
John McIntosh;
Short Talk
Patch Tuesday has been reverse engineered. Automated CVE diffing is here. Don't guess what next month's security updates contain, just see them. In this talk, we are going to show you how to pry open the black box of Patch Tuesday.
“Reversing Warbird for no fun and no profit >:[”
Philippe Laulheret;
Short Talk
Have you ever spent countless hours working on a project and persevered only through grit just to prove a point? This talk is about one such project: in order to marginally improve the workings of a proof of concept, we had to reverse engineer an obfuscated Warbird VM meant to protect the inner workings of a cryptographic algorithm. Juggling with basic blocks and transforming them like there's no tomorrow, to finally grasp how the algorithm works. At the end of the tunnel there was no new exploit or incredible riches, just the self-actualization of the non-sequitur sentence "assuming an attacker has enough time and resources, they could forge a valid file".
“The Finer Details of LSA Credential Recovery”
Evan McBroom;
Talk
LSA has been at the heart of user credential recovery efforts on Windows. Much of this effort is rooted in the design of LSA’s authentication packages. Public knowledge of these packages has largely been derived from reverse engineering work, aided by public symbols and often older source code leaks. That knowledge is incredibly valuable but has not always held true for newer Windows releases.
Newer private symbol leaks for Windows 10 have made it possible to perform a fresh investigation of these packages with close to accurate type information. The presentation is the result of such an investigation, performed with a focus on user credential recovery techniques. Insights gained for both memory scanning and logical abuse techniques will be shown. The goal is to leave audience members with a better understanding of the feasibility and limitations of these techniques on newer releases of Windows.
“Unveiling RIFT: Advanced Pattern Matching for Rust Libraries”
Andreas Klopsch;
Short Talk
Malware analysts all agree: Rust reverse engineering is hard.
Several skilled researchers have shared their difficulties in reverse engineering Rust at RECON and other technical conferences. Consequently, it is time to join the effort and contribute to the ongoing challenges in the world of Rust malware. In particular, our research efforts focused on identifying and annotating library code in real-world Rust malware.
In our talk, we begin by building common ground knowledge, summarizing existing Rust reverse engineering research and sharing insights into how Rust crates are compiled and linked into binaries.
Next, we introduce our tool suite, RIFT, designed to aid reverse engineers in pinpointing library code within Rust binaries.
This suite comprises a collection of scripts and IDA plugins that streamline the library identification process. We cover how RIFT extracts static information and processes it to compile the corresponding libraries, in their best-matching versions, as COFF files. Following this, we explore the final stage of the pipeline, where we batch diff the targeted files using Diaphora and visualize the results through an IDA plugin.
To conclude, we assess our approach by comparing the advantages and disadvantages of the binary diffing approach alongside the application and generation of FLIRT signatures, specifically for Rust binaries. Lastly, we provide links to the open source tool RIFT, share ideas for future research and invite researchers to collaborate with us.
“WinpMem: Volatility’s driver that lets malware volatilize”
DAVID Baptiste;
Talk
Which forensic enthusiast has never used Volatility or Velociraptor? Typically, these are the first tools deployed on an infected machine to recover all data in memory for subsequent analysis. Under the hood, these tools rely on a driver called WinPmem to capture the relevant information.
The problem? This driver used by many experts is obsolete and has some serious vulnerabilities. For example, CVE-2024-10972 allows you to effortlessly trigger a BSOD on the target machine, effectively stopping any forensic procedure. It is the perfect illustration of a time-of-check to time-of-use (TOCTOU) bug. But there is more: CVE-2024-12668 allows malware in memory to erase itself from that memory! A paradox, considering that a forensic tool offers sufficient capabilities to escape that same forensic tool. As an additional bonus specific to WinPmem, the driver allows malware to load any unsigned drivers of its choice. Not only does this undermine any forensic analysis, but it also provides an elegant means of privilege escalation, letting an administrator execute unsigned drivers. In fact, WinPmem can easily be included in the “bring your own vulnerable driver” (BYOVD) list.
This talk explains in detail the two CVEs we found in this driver. More than that, we provide concise and illustrated explanations of how a driver works in Windows and the main steps involved in finding vulnerabilities in it. Enough to enrich the list of “loldrivers” for everyone in the room. More generally, the talk aims to present the difficulties of kernel development (as seen with CrowdStrike’s BSOD), discuss the future of third-party access to the kernel (spoiler: yes, the access should be kept), the possibility of preventing BSODs or exploits, and the complexity of fixing vulnerable drivers. From code quality to specific driver designs, the subject of driver development will be covered with several examples, accessible to anyone.
Finally, the talk is going to discuss security tools that rely on drivers, used by everyone in cybersecurity but implemented, for some of them, with a serious lack of quality and with dangerous features. In the end, WinPmem is just the tip of the iceberg of highly privileged security products that are not secure.