Hi! The slides for my talk today at RE//verse 2025 (@REverseConf), "Reconstructing Rust Types: A Practical Guide for Reverse Engineers", are now published: https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025
It's been great to catch up with so many folks - if you're at the conference, come by and say hi!
The presentation was recorded, and the video will be published at a future date!
#reverseengineering #rust #rustlang #malware #infosec #REverse2025
This talk addresses challenges related to cartography and executable interdependencies often encountered in firmware analysis or in structured formats like the MacOS/iOS dylib shared cache. We introduce the term "inter-image" call graph, representing the calls relationship across an entire filesystem as a single graph. Instead of relying on the import/export relationships in dynamically linked binaries, we use the call graph obtain by disassembly, mapping precisely which functions call others. This graph, enables more efficient testing and resolution of graph-reachability queries across binaries. We show how to compute this graph using several open-source libraries we've developed such as Quokka for exporting disassembly data in an easy-to-process structure and Numbat, which interfaces with Sourcetrail's graph database. Originally developed for source code navigation, Sourcetrail's database can be adapted to accommodate various graph structures. We further illustrate how to integrate decompiled code for enhanced navigation. However, adding the entire decompiled code from each firmware executable into a single database is not scalable due to Sourcetrail's underlying SQLite limitations. To address this, we present a "fractal firmware analysis" methodology. This approach allows for traversal of the inter-image call graph, then zooming into a specific executable to explore decompiled code (still represented as a graph), and finally, accessing more detailed information through preferred disassemblers for data structure and everything that can't fit in a graph database. Finally, we provide a glimpse into bridging the gap between binary/assembly and source code tools by assembling open-source libraries. We conclude with an open discussion showing that there are rooms for more advanced analyses and data representations that could ease reverser's life.
Have you ever wondered how the firmware running in the ECUs (Electronic Control Units) of your car works? Have you ever dared to investigate one of these firmware files? Were you scared by the sheer number of functions for a seemingly simply device? Welcome in the AUTOSAR world, a “standard“ for building software that runs in your car. A software that you trust to protect your life every day. This talk will guide you through a process of reverse engineering a firmware file that was built using the AUTOSAR Classic standard. The talk will start by explaining what the AUTOSAR platform is, and it will leverage live demonstrations performed on a real-life example file to demonstrate techniques that can be used to identify points of interest inside the firmware running in every car that you can meet on the street. You will learn about some purely manual techniques as well as points that can be fully automated (plugin for Binary Ninja will be released as part of this talk so you don’t have to bother automating these yourself). At the end of this session, you should be equipped with a tools and techniques that will lower the pain and suffering that you may have felt while diving into the secrets of the automotive industry.
Java bytecode programs on the JVM have been the target of obfuscation for decades. In the early days, tools like Mocha and Jad were used for decompilation, followed by many generations of similar tools. However, static decompilation has its limits. Runtime code generation, custom classloaders, and language features like lambda expressions make it challenging for static tools to capture the entire picture. This presentation enhances the analyst’s viewpoint by introducing concepts on how classic developer tools can improve reversing efficiency through dynamic tooling, such as custom event recording or writing agent hooks with the new ClassFile API. The presentation delves into the inner workings of the JVM and bytecode execution to uncover hidden gems within a large pile of compilation artifacts.
Are you a security researcher eager to expand beyond disassemblers, program analysis scripts, and software reverse engineering? Do you believe a smidge of computer systems engineering, high-speed signals, or invasive hardware research could change the way you reason about software runtimes? What really happens when your exploits meet the metal? Are you ready to tumble all the way down the rabbit hole? Two decades after the original Microsoft Xbox hit store shelves, one researcher revisits the iconic 2001 game console in a sprawling journey of hardware and software reverse engineering to probe at its deepest secrets. From hacking on the Xbox kernel, designing PCB interposers for Intel CPUs, whispering bespoke secrets into IDE interfaces, tuning RAM signals, manipulating bond wires, X-Rays, emulation, acid, overclocking, silicon attacks, and more -- this archeological dig spanning three years leaves no stone unturned, as success, failure, and steadfast passion converge to forge a software researcher into a full-stack reverse engineer.
WebAssembly (Wasm) is an increasingly popular compilation target, offering compact representation, efficient validation and compilation, and safe low to no-overhead execution. Wasm is popular not only on the browsers but finding adoption across various platforms. As its popularity grows for various applications, so does the need to obfuscate it, subsequently raising the necessity to de-obfuscate. In this talk we will discuss how to de-obfuscate Wasm code using LLVM compiler infrastructure. There is extensive literature available on security of Wasm from exploitation perspective, i.e. finding vulnerabilities, writing exploits and secure coding practices. In this work we discuss Wasm security from reverse engineering perspective, specifically how to deal with obfuscate and de-obfuscate Wasm. Broadly we will be covering following topics in this presentation: - Essential Wasm internals from reverse-engineering perspective. - Brief introduction to obfuscation techniques. - How to perform compiler-based obfuscation of Wasm code using various open-source tooling. - The core idea - how to de-obfuscate Wasm code using LLVM compiler infrastructure. LLVM implements extensive code optimisation techniques that can be harnessed to simplify diverse obfuscation techniques. We will use this very idea in our de-obfuscation journey, commencing with simple obfuscation scenarios and progressively ratcheting up the complexity level to demonstrate the effectiveness of our approach. We will also show application of our learning on some real world scenarios. The final takeaway for the audience will be an understanding of how to obfuscate and de-obfuscate Wasm code. Moreover, they will gain confidence to tackle obfuscated code without writing pattern-based simplification rules. The ideas and techniques discussed are not limited to Wasm, in fact they are language and platform agnostic, and can be applied to any obfuscated code.
Dynamic instrumentation frameworks such as Frida, Intel PIN, and DynamoRIO allow reverse-engineers to observe and modify program behaviors at runtime, but are difficult for non-experts to use. This talk introduces Pyda — a framework for writing dynamic instrumentation tools in a few short lines of Python. Pyda extends the familiar pwntools-style interface with runtime “hooks” that can modify registers and memory or redirect execution. We describe how we built performant and user-friendly dynamic instrumentation on top of DynamoRIO — and how you can use it to analyze complex, multithreaded applications on X86 and ARM64. We show how to replace existing debugging (e.g. GDB scripting) and instrumentation workflows with Pyda scripts, and how we used Pyda to solve a recent CTF challenge. Finally, we show how Pyda’s built-in compiler can inline complex, performance-sensitive instrumentation.
The Apple ecosystem continues to be an elusive yet coveted target of research. The closed nature of the ecosystem poses a high barrier to entry where even basic app analysis requires a jailbroken device. Once you are in, you are faced with a data-formats and languages used by no-one else, for which public tooling is sparse or non-existent. In this talk, we will dissect how Objective-C and Swift trip up decompilers and the analysts alike during static analysis, and how many of the encountered challenges are surprisingly easy to solve, if you know the right APIs. We will present our Ghidra Plugin where we are combining program analysis research, approximations and heuristics into a static analysis toolbox for interactive decompilation and research into the Apple ecosystem. We will discuss the technical analysis, but will also cover an often neglected facet: The UX of the actual plugin. In the end we will look at the future: What challenges still need to be solved and what features would we need from our SRE tools to more easily build solutions?
Rehosting, the art of running the firmware in a virtualized environment, rather than on the original hardware platform, is the de-facto standard for fuzzing embedded firmware. Off-the-shelf solutions for emulation such as QEMU were not designed with fuzzing in mind, where we want to optimize for as many executions per second as feasible. We showcase near-native rehosting: running embedded firmware as a Linux userspace process on a high-performance system that shares the instruction set family with the targeted device. After discussing the intricacies of lifting and rewriting ARM instructions, we fuzz ARM Cortex-M firmware and show that our framework, SAFIREFUZZ, can provide a 690x throughput increase on average during 24-hour fuzzing campaigns while covering up to 30% more basic blocks.
Firmware threats such as bootkits and implants have become increasingly prevalent due to their persistence and ability to evade detection compared to traditional OS-level malware. Attackers favor these threats because they can remain undetected even when conventional security measures are in place, especially if UEFI Secure Boot is disabled through physical access or UEFI exploits. Detecting unknown bootkits under these circumstances is a critical challenge in cybersecurity. Mostly, all the publicly known UEFI implants and bootkits have been detected after successful deployment, which points to the limitations of the existing security solutions. This presentation introduces a novel methodology for detecting UEFI bootkits by analyzing their unique code behaviors. We conducted an in-depth study of existing bootkits—including Lojax, MosaicRegressor, MoonBounce, CosmicStrand, ESPecter, and BlackLotus. During our REsearch we identified common code characteristics such as hook chains, persistence mechanisms, and other distinctive features. Leveraging these insights, we developed the methodology for generic detection techniques based on code similarity. In addition, we crafted Yara and FwHunt rules focusing on the OS kernel and driver hooks implemented by bootkits. Applying our approach through VirusTotal retrohunts and Binarly Risk Hunt telemetry data led to the discovery of six previously unidentified bootkit samples. Notably, three of these samples were entirely undetected by existing security tools, while the others had minimal detections but were not recognized as bootkits. These findings not only validate the effectiveness of our detection strategy but also highlight the ongoing challenges in bootkit detection within threat intelligence. By shedding light on these elusive threats, our research advances firmware security and underscores the necessity for continued efforts to enhance detection capabilities against sophisticated bootkits.
Cindʎ Xiao 🍉
RE//verse Conference