Recon 2026

MIPS Malware Reverse Engineering
Language: English

Curious about expanding your reverse engineering skills to another architecture? Let's go learn MIPS! Reverse engineering knowledge from both x86-64 and ARM transfers very well to MIPS, and with a few basics and an instruction cheat sheet we're on our way in no time. We'll analyze AcidRain, a piece of MIPS-32 malware, and a Russian wiper no less. The sample is stripped, so we'll learn how to quickly recover essential libc functions and then reconstruct the malware's code flow.


Workshop outline (45 min lecture / 45 min lab / 30 min discussion of solutions):

  • MIPS architecture 101 and a brief history
  • The MIPS pipeline
  • Delay slots
  • Instruction categories
  • MIPS registers and their purpose
  • The MIPS stack
  • The O32 calling convention
  • Syscall calling convention and numbering
  • Function prologues/epilogues
  • Other MIPS architectures and their calling conventions, briefly
  • Hands on: AcidRain
    -- Challenge 1: Understand daemonization
    -- Challenge 2: Reconstruct wiping code flow
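The following is an added illustration, not material from the workshop or from the AcidRain sample: a leaf and a non-leaf function in MIPS32 assembly under the Linux o32 ABI, showing the delay slots, the argument/return registers, the prologue/epilogue and the syscall convention that the outline above lists. Function names (`my_strlen`, `print_str`) and the frame layout are the editor's choices; the register roles and the o32 syscall numbering (`4000 + n`, so `write` is 4004) are standard.

```mips
        .text
        .set    noreorder            # do not let the assembler fill delay slots for us

# size_t my_strlen(const char *s)
# Leaf function: touches no callee-saved register and calls nothing,
# so it needs no stack frame and never saves $ra. Args arrive in $a0-$a3,
# the result goes back in $v0.
        .globl  my_strlen
        .ent    my_strlen
my_strlen:
        move    $v0, $zero           # len = 0
1:      lbu     $t0, 0($a0)          # c = *s  ($t0 is caller-saved scratch)
        beqz    $t0, 2f              # NUL terminator reached?
        nop                          #   branch delay slot: runs whether or not we branch
        addiu   $a0, $a0, 1          # s++
        b       1b
        addiu   $v0, $v0, 1          #   delay slot: len++ executes before the branch lands
2:      jr      $ra
        nop                          #   jump delay slot
        .end    my_strlen

# void print_str(const char *s)
# Non-leaf function: o32 frames are 8-byte aligned and the caller must
# reserve 16 bytes at the bottom of its frame as the callee's argument
# save area, so the frame is 16 (arg area) + 4 ($s0) + 4 ($ra) = 24 bytes.
        .globl  print_str
        .ent    print_str
print_str:
        addiu   $sp, $sp, -24        # prologue: allocate frame
        sw      $ra, 20($sp)         # save return address (we make a call)
        sw      $s0, 16($sp)         # save callee-saved $s0 before using it
        move    $s0, $a0             # keep s in a register that survives the call
        jal     my_strlen            # $a0 already holds s; $v0 := strlen(s)
        nop                          #   delay slot
        # write(1, s, len): Linux o32 syscall number goes in $v0,
        # arguments in $a0-$a3 (a 5th+ argument would sit at 16($sp))
        move    $a2, $v0             # len   (read $v0 before overwriting it)
        move    $a1, $s0             # buf
        li      $a0, 1               # fd = stdout
        li      $v0, 4004            # __NR_write for o32 = 4000 + 4
        syscall                      # on return: $a3 == 0 success, else $v0 holds errno
        lw      $s0, 16($sp)         # epilogue: restore callee-saved registers
        lw      $ra, 20($sp)
        jr      $ra
        addiu   $sp, $sp, 24         #   delay slot: pop the frame after jr is issued
        .end    print_str
```

Two things in this snippet are exactly what trips people up when reading stripped MIPS binaries: the instruction after every branch or jump belongs to the branch (so `addiu $sp, $sp, 24` after `jr $ra` is part of the epilogue, not dead code), and the `li $v0, 4xxx; syscall` pair is the fastest way to label unknown functions, since the syscall number tells you which libc wrapper you are looking at.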