Good morning everyone. Thanks for being here. My name is Christopher Domas, I work for a company called the Battelle Memorial Institute. If you are really interested in a practical talk, this is not the right place for you, but it is going to be really interesting and you are going to see some interesting stuff. What I want to talk to you about is reverse engineering. I take software apart and figure out how it works, but for whatever reason I spend a tremendous amount of time trying to figure out how I can make my own life more difficult. There are a couple of basic ways people normally approach that problem: encryption, -- the tools people use for anti reverse engineering. There is a theme in all of the approaches: you are just trying to make things more difficult. So I was thinking about reverse engineering techniques and the idea behind them, for the most part. We are going to look at the individual pieces inside the program, using a tool like -- on an unknown file. We can figure it out and take it apart. An experienced reverse engineer could tell you exactly what this is doing in almost no time at all. Starting out, looking at the mnemonics: it is moving 0 into a local variable, pushing something onto the stack as an argument, calling a function, then -- removing that. It adds 1, then compares the local variable to 100, and if it is less than or equal it is going to jump. But a few months ago I was reading a paper I found really interesting, called "mov is Turing-complete". If you are not familiar with the mov instruction, it moves data from one location to another. Any code you write in any language could be written as a set of movs and absolutely nothing else, and when you think about everything you do in a program, that is hard to believe. When you think about everything you are doing -- all we need to implement all of that stuff is just a bunch of mov instructions. As I thought about that more and more, that would be really, really hard to reverse engineer.
Because we would go from something like this, where we have all the instructions telling us what is going on in the program, to a program where all of a sudden all of the cues we use have been removed. We have nothing to go off of. Every instruction looks like every other instruction. It is really hard to reverse engineer. -- And at the beginning of DEF CON, on Thursday, I released the M/o/Vfuscator, a C compiler: it takes C source code and translates it into only mov instructions. It is a C compiler -- I don't think anybody has ever wanted -- before, but it turns out to be neat. It turns the program into movs as an obfuscation technique. So for example, I have this really simple little program that prints out prime numbers. I compile it with a traditional compiler, GCC, and look at the instructions that gives me. That's great, but if you look at these instructions it takes no time at all for a reverse engineer to pick this up and understand what is happening. On the other hand, if we use the M/o/Vfuscator -- thousands of unconditional mov instructions. The cool part is that if we run this, it just calculates -- but that is a nightmare to try to reverse engineer. -- GitHub page. It will include -- So when we check -- compiling the thing is going to dump out the movs. You'll see that with just a couple million -- so this is not fun to work with as a reverse engineer. But it is really neat to think that just by moving data from one place to another we can do really complex computation. So I sort of meant this as a thought experiment in anti reverse engineering. So that finally finished running, and it will run our AES and encrypt data using only mov instructions. But we can make it more complicated: I wrote a little Nibbles game and we link that -- we can play video games now with mov instructions. We can take it a step further. Since I could do that, I decided -- what's the -- floating point -- and matrix transforms, and I could compile that with the M/o/Vfuscator. So we have a little 3D program here,
written with only mov instructions. Now we can do incredibly complicated 3D, and I think we took it as far as I could possibly conceive. So I have got a program written in only mov instructions. So that's a couple -- [ APPLAUSE ] >> So this is a couple million lines; we are not going to sit around and wait for this to finish dumping. So I thought this was a cool thing. Go to the GitHub page and see mov-only reverse engineering for yourself. But after this I -- opened it up, and all I saw were hundreds of thousands of unconditional data transfers. I'll go find something else to do. I reverse engineer because I think it is fun, and this does not look like fun to me. But I had a big realization at that moment: from an anti reverse engineering perspective, code doesn't have to be hard to reverse engineer. All it has to be is -- none of the things we don't need -- all we need is to make the reverse engineer give up, and that's not necessarily the same as making it hard to reverse. So I started to think how else we could make a reverse engineer quit. If we don't want to -- how can we stop them from looking at it in the first place? I thought: psychological warfare -- in our code. So I started thinking about how we could accomplish that. It seemed clear we needed some way to influence them, a way to influence the reverse engineer through our code, through the binary. So it seemed clear that if I wanted the binary to influence them, it had to send that message. There is an easy way: we just embed a string in our program, like "stop looking at my code", and when they are dissecting our program they'll see that string. But that's not a good technique. I'm a reverse engineer; if someone put a string in their binary saying stop looking, I'd laugh at that. And a lot of modern programs -- have started to look at entropy distribution -- Hopper has entropy visualization inside of it, so I thought if I wrote my message into the entropy of my program I could send the reverse engineer a message. And it works, you can do this.
But again, it is not the most effective technique; somebody is going to see this and move on, and it is still not going to really accomplish what we want. All of these are horrible decisions; at the end of the day nobody is going to see the message. If we really want them to see the message: this is IDA Pro. Any professional reverse engineer is going to be using IDA Pro, so if we are going to use their reverse engineering tool for sending the message, IDA has a more powerful capability: the control flow graph. The idea of a control flow graph is something like this. We have basic blocks that do simple things. The program is going to go down one path if it decided that thing was true, or a different path if it decided that thing was false. The nice thing about these flow graphs is that I can tell at a high level what this program is going to be doing. That's the loop happening inside of the code. So at the end of the day you look at the control flow graph to quickly get an idea of what's inside. Almost every major static reverse engineering tool is going to have these -- the Hopper reverse engineering tool has control flow graphs. This is the thing to use for reverse engineering. For this presentation we are going to look at IDA. So -- when it is 3 a.m. and you are looking at a -- with it. If you stare at these control flow graphs long enough, they start to look like things. This is a very simple control flow graph in IDA, but a lot of professionals are dealing with very complicated control flow graphs, and when you're dozing off at 3 a.m., once in a while you'll start to see things inside of these images. Maybe we can send the reverse engineer a message through the control flow graph, because that is something they cannot look away from. So if we -- what we want. Maybe we can draw pictures, send them text, through the control flow of our program, but in order to do that we need to understand exactly how our reverse engineering tool lays these out -- to figure out how it works. So -- for long enough. My first idea for how we could draw a picture or send a message was pretty simple.
To draw -- in the flow graph, -- far jumps will do that. It is not really clear how the program got to this jump here, so we have all these jumps that didn't seem to come from anywhere. It basically -- horizontal lines using the technique -- a whole bunch of NOPs that don't do anything converts into a nice solid line. I can make a sketch in IDA. That seems easy enough. Here is how I thought you would draw a square: we would have a bunch of jumps, and we need that horizontal line to connect both sides of the square, and then jump to the right. The next slide is going to be a whole bunch of NOPs that don't do anything, and a whole bunch of NOPs to create a vertical line, which we are going to tie together at the bottom. Same thing for the bottom, easy enough. Not quite a square just yet, but this tells us a little bit about how IDA is trying to lay out these control flow graphs. It lines up a bunch of -- it tries to line the blocks up together in a given row, so we need IDA to not do that. Instead of using NOPs for the vertical line, we can use this jmp +2, and what that is going to do is break those vertical lines. When we try to draw this again, we at least got the bottom line to move to the bottom here, and then we are a little bit closer to being able to sketch inside of IDA. But there is still an issue: I still have my vertical lines right next to each other, and I want them on opposite sides of the square. IDA is squeezing all of our control flow -- the vertical lines -- together instead of separating them from each other. That's sort of the depth of my first idea, but we learned a lot along the way: rows and columns -- we can determine how the rows are arranged, but IDA is going to have control of all of those columns, so we need a way to fight back. I need to have some way to stop IDA from changing that stuff around, so my idea was to force IDA to keep those nodes in place. If we look at what a basic node is -- it is a bunch of instructions that branch to one location or another. So I said, what if we have a bunch of those?
Each one is going to be trying to pull the other nodes with it, so this will force IDA to keep everything in place. It will look something like this: all we have is a conditional jump, which either goes to this place or is going to fall through to the node below. If we look at what that looks like in the control flow graph view, this is what we end up with. Not that bad; it is a defined structure, so we can touch this up a little bit. First, there is a giant block here; we can cut that block in the middle. We would need to create a whole bunch of these by hand -- this is just all the code we need to generate one of these matrix layouts for us, with the preprocessor. That lets us create a whole bunch of these nodes very quickly and begin looking at more complex patterns. But I have kind of an issue here: I want to draw something, but it is going to be hard to draw with a lopsided layout. I really wanted a perfect grid, so we need to change things a little bit. Is there a way to draw with these nodes by turning pixels on and off -- I thought something like this: if I wanted to have this pixel off, I would remove this node. So first we are going to try to get this into a non-rhombus shape. We tweak the assembly a little bit. It looks like a mess, but -- there are four nodes there that are perfectly arranged -- perfectly -- and so back to the preprocessor to generate a whole bunch of these. We are getting almost to a perfectly well-defined structure that we have deep control over, and maybe we can start using this to send messages. We are going to cut that big node in half. We have got some nodes escaping; I decided I can push those back into the rest of the image by having a bunch of -- we have a rectangle here, not a square, so we add to each individual node and make it a little bit taller. Once again we have some nodes trying to escape. It turns out that some of the assembly we are using to do this uses two different forms depending on how far you have to jump.
These nodes have to jump further than the other ones, so we force the same jump instruction form for every node, and we finally have the perfect grid that we can actually start trying to draw on. So we can finally start drawing on them. I tried to remove a single node from there, and IDA tries to squeeze -- that was the depth of a very long idea. But maybe we can rescue it. Maybe we can leave all the nodes in place and fill a node with code if we want it to be on, or leave it empty if we want it off. Something like this: the ones that are on have a bunch of NOPs inside of them in order to fill up the node. When we try that, we get the effect we want: we can see this looks like a pixel that has been turned off. So this was the first thing I ever drew: a circle. There are a few things I wanted to touch up. Because this is the first function in the program, IDA is adding a whole bunch of additional information, so we get rid of that with some dummy code. If I go back a slide, you notice that these look black and these look kind of white. The nodes that are supposed to be off still use two lines, an instruction and a label. What you want to do is reduce the impact of those two lines by increasing the height of the overall node, so those two lines don't matter too much. But we also need to increase the -- from single -- long instructions like that, which is really convenient -- [ APPLAUSE ] >> So we have introduced new issues. Every time these nodes try to escape we need to put them back in place. It is trying to escape because we made it really wide compared to these other nodes; all we have to do to fix that is add those wide instructions everywhere. After we do that we have this nice perfect grid with a circle in the middle. There is an issue: if we have all the pixels in a row turned off, the entire image will collapse on itself.
I did not like the idea of having NOPs -- so I added a junk code generator that will add dummy instructions that can actually run. I had to draw that stupid circle by hand, so I created a preprocessor in order to generate the code for us, and we can take a bitmap image like the smiley face and create a control flow graph with a smiley face. [ APPLAUSE ] >> So we are getting a little further. There are a few things I did not like about this. I don't like the blue line at the bottom. All the work I went through to tie all these things together was not really necessary; as long as you tie the top and bottom like that, they'll stay in place. Before we had this node tied to this node; we no longer need that, we have this node following directly. So that form -- the tool change -- I'll show exactly how I can use this coming up, but what this does is generate assembly instructions to form images in the control flow graph. What I have here is a bitmap image that I want to render. It is really small, just a skull. To manipulate the control flow graph, what we want to do is run a script to turn that image into some assembly code, and all it is going to do is turn that image into a bunch of preprocessor directives. Then we are going to go ahead and make an executable whose control flow graph will mimic that image. It will generate a functional executable that does whatever you want; for these purposes I decided to make them render -- so they actually run, they're not fake executables -- but if a reverse engineer wanted to approach this and figure out what it did, they're going to have to go to their IDA and pull up this executable and examine the control flow graph, and when they do that they'll see the image that was created. [ APPLAUSE ] >> Thank you. What an optimal time. How is he doing? I think you all know about our little tradition for new speakers. Welcome to all the new attendees to DEF CON this year. [ APPLAUSE ] >> Good job. >> Thanks guys. All right.
Give me a second to get back on track now. I'm trying to think of where else we can take this thing. What can we do with these images? We're trying to let the reverse engineer know what we think of their work, so we can let them know that our code doesn't even do anything useful; maybe this whole time we're just trolling them. Or we can let them know what we really think about them poking around: we work really, really hard, and I don't like people poking around in the code that I worked hard on. But -- the goal was not just to send them an amusing picture. We want them to stop poking around in the -- control flow graph, whatever message you embed inside of this program. So you can use this to your advantage: crush their soul, make them abandon hope and not want to reverse engineer anymore. So -- remind them this is not going to turn out in their favor. We can remind them -- send them messages in our control flow graph that they -- should not reverse engineer our program, have no life in general and should quit altogether. [ APPLAUSE ] >> So I was having fun with this and I did not want to call it quits at this point. I realized we are not limited to black and white. We can make them gray by adding more or fewer instructions. This was a really important opportunity in cyber security history: I decided to take the first, as far as I know, assembly selfie. That is back when I had hair. It is completely functional assembly code. What I really like about the group I work with is that I'll make something stupid like this and they'll have a hundred new ideas for how to use it. Make a piece of malware and call it The Interview, and when you drop it into IDA you'll find out where it came from: there's North Korea. Another coworker recommended a -- CTF problem where you can spend hundreds of hours reversing, when all you needed to do was zoom out and realize they were sending you down the wrong path. That's a real QR code and it will take you somewhere. You can check that out later.
It is on the slide if you have a chance, but that's one CTF problem. I felt like a DEF CON CTF would not -- used to be complete without goatse, so for the DEF CON CTF I felt like it would be goatse, but I was not going to show you that. You're welcome. My favorite of all: what could be the creepiest malware of all time? Retrieve your personal images and then rewrite its own code based on the images it was collecting. This took quite a bit of modification, very different from what I wrote -- exactly that. So we go ahead and run this malware; it just sits there, nothing important, but I do have some vacation photos. Those are not my feet or my dog. If I was curious I would, let's say, throw this into IDA. After IDA processes it, it is really not interesting, nothing in the control flow graph, so I'll analyze that a little bit. I would not see anything interesting. I'm going to have to run this thing and see what it is doing. I'm going to switch to my debugger here and run this program. So the program begins to run, and the first thing it does is trigger a software breakpoint. It wants you to see what it is doing. I'm going to follow this in any reverse engineering tool and pull up my reversing program. IDA doesn't like to do this much when the program is running, to reverse over here. But those are my feet, and if I keep running, maybe it was a fluke. No, the malware is going to stop me again; it has something new. What is it this time? That's my dog. Why is my dog in the malware? I was a little worried getting this demo going; I hoped for it to get those two pictures, I don't know what else it is going to go collect. So I feel like this implements what we were after: other ways to get the reverse engineer to stop looking. I think it is neat to keep your mind open, and it is not about making things harder to reverse, but overall it is a really fun thing to tinker with. It is a total of 15 lines and 128 lines of preprocessor macros -- for this. I'm on -- if you are interested in the -- it is on GitHub as of Thursday morning, -- the preprocessor itself.
Some proof of concept -- preprocessor. But I would love to discuss more with anybody that has ideas. I will tinker with this in the upcoming weeks, so you can follow me on Twitter if you want to discuss further. Thanks very much. This was a fun project. [ APPLAUSE ] >> So if anyone has questions you can talk to me offline.
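The talk's opening claim, that nothing but mov instructions can compute, is easier to believe once you see the two tricks that make it work: arithmetic and comparison become table lookups (with a pointer table standing in for a second index), and a conditional becomes an unconditional store whose *address* is looked up from a flag, so the "untaken" branch simply writes to a scratch cell. The block below is an editor-added illustration, not the M/o/Vfuscator's code: a toy machine whose only instruction is mov with x86-style `[base + index + disp]` addressing, plus a straight-line mov-only program that computes `s = a + b` on 4-bit values and stores `s` to an output cell only if `s == c`. The memory map, register names and table sizes are assumptions chosen for the illustration.

```python
"""Editor-added toy: computing with nothing but mov.  Not the M/o/Vfuscator.

Machine: registers plus a flat byte-addressed memory; the ONLY instruction is
mov in three forms: reg <- imm, reg <- [base + index + disp], [base + index +
disp] <- reg.  Everything else (add, compare, if) is built from lookups."""

# Assumed memory map for the illustration.
ROW_PTR_ADD, ROW_PTR_EQ = 0x100, 0x110   # 16 row pointers each
ADD_ROWS, EQ_ROWS = 0x200, 0x300         # 16x16 result tables
SEL, OUT, SCRATCH = 0x400, 0x402, 0x403  # SEL[flag] = store destination


def ea(regs, operand):
    """Effective address of (base_reg | None, index_reg | None, disp)."""
    base, index, disp = operand
    return (regs[base] if base else 0) + (regs[index] if index else 0) + disp


def run(program, mem, regs):
    """Execute a list of mov instructions; anything else is rejected."""
    for kind, dst, src in program:
        if kind == "imm":            # mov r, imm
            regs[dst] = src
        elif kind == "load":         # mov r, [base + index + disp]
            regs[dst] = mem[ea(regs, src)]
        elif kind == "store":        # mov [base + index + disp], r
            mem[ea(regs, dst)] = regs[src]
        else:
            raise ValueError(f"only mov is allowed, got {kind!r}")
    return regs


def build_memory():
    """Lay out the lookup tables: ADD[a][b] = (a+b) mod 16, EQ[a][b] = a==b.
    A 2-D index needs a scaled multiply, which mov cannot do, so each table
    is reached through a row-pointer table instead (one extra mov)."""
    mem = [0] * 0x500
    for a in range(16):
        mem[ROW_PTR_ADD + a] = ADD_ROWS + 16 * a
        mem[ROW_PTR_EQ + a] = EQ_ROWS + 16 * a
        for b in range(16):
            mem[ADD_ROWS + 16 * a + b] = (a + b) & 0xF
            mem[EQ_ROWS + 16 * a + b] = int(a == b)
    mem[SEL + 0] = SCRATCH   # flag 0: the store lands in a throwaway cell
    mem[SEL + 1] = OUT       # flag 1: the store lands in the real output
    return mem


# Every line executes unconditionally; the "if" is the table-selected address.
PROGRAM = [
    ("load",  "row", ("ra", None, ROW_PTR_ADD)),  # row = &ADD[a][0]
    ("load",  "s",   ("row", "rb", 0)),           # s   = ADD[a][b]
    ("load",  "row", ("s", None, ROW_PTR_EQ)),    # row = &EQ[s][0]
    ("load",  "f",   ("row", "rc", 0)),           # f   = (s == c)
    ("load",  "dst", (None, "f", SEL)),           # dst = f ? &OUT : &SCRATCH
    ("store", ("dst", None, 0), "s"),             # *dst = s   (always runs)
]


def mov_only_add_if_equal(a, b, c, sentinel=0xFF):
    """Return OUT after running PROGRAM: (a+b) mod 16 if that equals c,
    otherwise the untouched sentinel."""
    mem = build_memory()
    mem[OUT] = sentinel
    run(PROGRAM, mem, {"ra": a & 0xF, "rb": b & 0xF, "rc": c & 0xF})
    return mem[OUT]


if __name__ == "__main__":
    print(mov_only_add_if_equal(3, 4, 7))   # store reaches OUT
    print(mov_only_add_if_equal(3, 4, 9))   # store diverted to SCRATCH
```

The same address-selection trick is what lets a mov-only program loop: every instruction always executes, and an "execution enabled" flag decides whether its stores hit real memory or a scratch area, so a single unconditional jump back to the top is enough.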
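The grid technique the talk builds up (one basic block per pixel, a conditional jump in every block, identical jump encodings and one wide instruction per block to stop the layout from squeezing nodes, executable junk instead of NOPs to fill "on" blocks, and a preprocessor that generates all of it from a bitmap) can be reproduced with a short generator. The block below is an editor-added reconstruction, not the speaker's preprocessor or any file from his repository: it emits NASM source in which block `(r, c)` conditionally jumps to `(r, c+1)` and falls through to `(r+1, c)`, "on" pixels are padded with filler, and the whole thing is a runnable 32-bit Linux program that exits cleanly. The bitmap, label names, filler instructions and the choice of `test esi, esi` as the never-taken predicate are all assumptions.

```python
"""Editor-added reconstruction of the CFG-drawing trick; not the talk's tool.
Each bitmap pixel becomes one basic block: conditional edge to the right-hand
neighbour, fall-through edge to the block below, filler inside "on" blocks."""

# Constructed sample bitmap: '#' = pixel on, '.' = pixel off.
SKULL = [
    ".#####.",
    "##.#.##",
    "##.#.##",
    "#######",
    ".##.##.",
    "..###..",
]

ON_HEIGHT = 8  # filler lines in an "on" block: taller node, darker pixel

# Executable filler (the talk's "junk code generator" idea): instructions
# with no lasting effect on the registers the exit path needs.
FILLER = ["xchg ecx, ecx", "mov edx, edx", "lea ecx, [ecx + 0]"]

# One deliberately wide instruction in every block, on or off, so no node
# is narrow enough for the graph layout to squeeze (assumed choice).
WIDE = "lea ebx, [ebx + edi*4 + 0x12345678]"


def label(r, c):
    return f"px_{r}_{c}"


def emit_node(bitmap, r, c):
    rows, cols = len(bitmap), len(bitmap[0])
    lines = [f"{label(r, c)}:"]
    if bitmap[r][c] == "#":
        lines += ["    " + FILLER[i % len(FILLER)] for i in range(ON_HEIGHT)]
    lines.append("    " + WIDE)
    # Conditional edge to the right; 'near' forces the rel32 form on every
    # block so jump distance can never change a block's encoded size.
    right = label(r, c + 1) if c + 1 < cols else "cfg_exit"
    lines += ["    test esi, esi", f"    jnz near {right}"]
    # Fall-through is the next block emitted (column-major, so the one
    # below); the bottom row must leave explicitly rather than fall into
    # the top of the next column.
    if r + 1 == rows:
        lines.append("    jmp near cfg_exit")
    return lines


def render(bitmap):
    """NASM source for a 32-bit Linux program whose CFG mirrors the bitmap."""
    out = [
        "BITS 32",
        "global _start",
        "section .text",
        "_start:",
        "    xor esi, esi        ; predicate is always zero: only column 0 runs",
        "    call cfg_image      ; image lives in its own function, not the entry",
        "    mov eax, 1          ; sys_exit",
        "    xor ebx, ebx",
        "    int 0x80",
        "cfg_image:",
    ]
    rows, cols = len(bitmap), len(bitmap[0])
    for c in range(cols):          # column-major so fall-through goes down
        for r in range(rows):
            out += emit_node(bitmap, r, c)
    out += ["cfg_exit:", "    ret"]
    return "\n".join(out) + "\n"


def static_cfg(asm):
    """Recover {block: {lines, cond, fall}} from the emitted text, a stand-in
    for the edges a disassembler's graph view would draw."""
    blocks, cur = {}, None
    for ln in asm.splitlines():
        s = ln.strip()
        if s.endswith(":"):
            name = s[:-1]
            if cur and blocks[cur]["fall"] is None:
                blocks[cur]["fall"] = name
            cur = name if name.startswith("px_") else None
            if cur:
                blocks[cur] = {"lines": 0, "cond": None, "fall": None}
        elif cur:
            blocks[cur]["lines"] += 1
            if s.startswith("jnz near "):
                blocks[cur]["cond"] = s.split()[-1]
            elif s.startswith("jmp near "):
                blocks[cur]["fall"] = s.split()[-1]
    return blocks


if __name__ == "__main__":
    print(render(SKULL))
```

Assemble with `nasm -f elf32` and link with `ld -m elf_i386`, then open the result in IDA's or Hopper's graph view. The generator reproduces the ingredients the talk describes, but whether a given layout engine keeps the grid square (escaping nodes, rows of all-off pixels collapsing, first-function decorations) is exactly the fight the talk narrates, so expect to tune `ON_HEIGHT`, `WIDE` and the filler against the tool you are targeting.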