2026-06-20, Soprano A. Language: English
Curious about expanding your reverse engineering skills to another architecture? Let's go learn MIPS! Both x86-64 and ARM reverse engineering knowledge transfer really well to MIPS, and with some basics and an instruction cheat sheet we'll be on our way in no time. We'll analyze AcidRain, a piece of MIPS-32 malware, and a Russian wiper malware, no less. The sample is stripped, so we'll learn how to quickly recover essential libc functions and then reconstruct the malware's code flow.
Workshop outline (45 min lecture / 45 min lab / 30 min discussion of solutions):
- MIPS architecture 101 and a brief history
- The MIPS pipeline
- Delay slots
- Instruction categories
- MIPS registers and their purpose
- The MIPS stack
- The O32 calling convention
- Syscall calling convention and numbering
- Function prologues/epilogues
- Other MIPS architectures and their calling conventions, briefly
- Hands-on: AcidRain
-- Challenge 1: Understand daemonization
-- Challenge 2: Reconstruct wiping code flow
Marion Marschalek is an independent security consultant and trainer with her consulting company Hack & Cheese. Prior to that she held senior positions at AWS and Intel, and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is a frequent speaker at major security conferences, including Black Hat, Defcon, HITB, RSA, and SyScan, among others. She used to teach malware analysis and reverse engineering classes at the University of Applied Sciences St. Poelten, from where she graduated in 2011 with a Master's Degree in Information Security. In 2015 she started a hacker bootcamp for women titled BlackHoodie, which over the years established itself as a global initiative to attract more diverse talent to the security industry. In her spare time she enjoys long-distance running.
