• Untangling Exotic Architectures with Binary Ninja

    Supplementing Flare-On 2017 with some sanity


    October 13th marked the conclusion of FireEye’s fourth annual Flare-On Challenge. Every year the Flare-On challenge attracts thousands of hackers, security researchers, and enthusiasts alike in a race to solve a diverse suite of increasingly difficult reverse engineering challenges.

    The eleventh challenge (second to last) presented itself as a single PE32 executable protected by a subleq-based virtualized obfuscator. subleq (subtract and branch if less than or equal to zero) is a one-instruction architecture: every operation the program needs is composed out of that single instruction.

    Dumping the subleq assembly for the challenge

    Some of you will find this eerily reminiscent of movfuscator (the M/o/Vfuscator), a compiler by Christopher Domas that turns C programs into nothing but x86 mov instructions.

    In this post I’ll detail a practical approach to untangling this challenge. We will implement a custom architecture plugin for Binary Ninja, and then augment it with some basic reasoning to de-obfuscate the challenge.
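    To make the single-instruction architecture concrete, here is an added example that is not code from the post, from the challenge, or from Binary Ninja: a small subleq interpreter, a multiplication routine written in subleq out of the usual mov/add idioms, and a heuristic lifter that collapses those idioms back into pseudo-ops. The instruction semantics (`mem[b] -= mem[a]; if mem[b] <= 0: pc = c`), the halt-on-negative-target convention, the scratch cell named Z and the idiom shapes the lifter matches are all this example's own assumptions, not the challenge's real VM.

```python
"""A minimal subleq machine, a program written in it, and an idiom lifter.

Constructed example; not the Flare-On VM and not Binary Ninja code. Assumed
semantics:  subleq a, b, c  ==  mem[b] -= mem[a]; if mem[b] <= 0: pc = c else pc += 3
Branching to a negative address halts. Words are unbounded Python ints, so
there is no wraparound; a real VM would mask to its word size.
"""

HALT = -1  # assumed convention: a negative branch target stops the machine


def run_subleq(mem, pc=0, max_steps=100_000):
    """Execute the program in `mem` in place; return the number of steps taken."""
    steps = 0
    while pc >= 0:
        if steps >= max_steps:
            raise RuntimeError("step limit exceeded; non-terminating program?")
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        mem[b] -= mem[a]
        pc = c if mem[b] <= 0 else pc + 3
        steps += 1
    return steps


def assemble(instrs, data):
    """Lay out code, then data. a/b are data labels; c is an absolute code
    address, HALT, or None for fall-through. Returns (mem, label -> address)."""
    base = 3 * len(instrs)
    addr = {name: base + i for i, name in enumerate(data)}
    mem = []
    for i, (a, b, c) in enumerate(instrs):
        mem += [addr[a], addr[b], 3 * (i + 1) if c is None else c]
    return mem + list(data.values()), addr


# The two idioms everything else is built from. Z is a scratch cell kept at 0.
def mov(dst, src):
    # Z = 0; Z -= src (Z = -src); dst = 0; dst -= Z (dst = src); Z = 0
    return [("Z", "Z", None), (src, "Z", None), (dst, dst, None),
            ("Z", dst, None), ("Z", "Z", None)]


def add(dst, src):
    # Z = 0; Z -= src (Z = -src); dst -= Z (dst += src); Z = 0
    return [("Z", "Z", None), (src, "Z", None), ("Z", dst, None), ("Z", "Z", None)]


def multiply_program(x, y):
    """R = X * Y (for Y >= 1) by repeated addition, counting down a copy of Y."""
    data = {"X": x, "Y": y, "Z": 0, "R": 0, "ONE": 1, "T": 0}
    code = mov("T", "Y")
    loop = 3 * len(code)
    code += add("R", "X")
    code += [("ONE", "T", HALT),   # T -= 1; if T <= 0 halt
             ("Z", "Z", loop)]     # Z -= Z is always <= 0: an unconditional jump
    return assemble(code, data)


def multiply(x, y):
    mem, addr = multiply_program(x, y)
    run_subleq(mem)
    return mem[addr["R"]]


def lift(mem, code_words, addr):
    """Collapse recognisable triples into pseudo-ops. This is the example's own
    heuristic (not Binary Ninja's lifter): it matches the mov()/add() shapes
    above and otherwise describes single triples as clear/jmp/sub/sub+jle."""
    name = {v: k for k, v in addr.items()}
    sym = lambda w: name.get(w, str(w))
    ins = [tuple(mem[i:i + 3]) for i in range(0, code_words, 3)]

    def falls(i, k):  # do ins[i..i+k) all fall through to their successor?
        return all(ins[i + j][2] == 3 * (i + j + 1) for j in range(k))

    out, i = [], 0
    while i < len(ins):
        z = ins[i][0]
        w = ins[i:i + 5]
        if (len(w) == 5 and falls(i, 5) and w[0][:2] == (z, z) and w[1][1] == z
                and w[2][0] == w[2][1] and w[3][:2] == (z, w[2][0])
                and w[4][:2] == (z, z)):
            out.append(f"mov {sym(w[2][0])}, {sym(w[1][0])}")
            i += 5
            continue
        w = ins[i:i + 4]
        if (len(w) == 4 and falls(i, 4) and w[0][:2] == (z, z) and w[1][1] == z
                and w[2][0] == z and w[3][:2] == (z, z)):
            out.append(f"add {sym(w[2][1])}, {sym(w[1][0])}")
            i += 4
            continue
        a, b, c = ins[i]
        nxt = 3 * (i + 1)
        if a == b:
            out.append(f"clear {sym(a)}" if c == nxt else f"jmp {c}")
        elif c == nxt:
            out.append(f"sub {sym(b)}, {sym(a)}")
        else:
            out.append(f"sub {sym(b)}, {sym(a)}; jle {'halt' if c < 0 else c}")
        i += 1
    return out


def lift_multiply(x, y):
    mem, addr = multiply_program(x, y)
    return lift(mem, min(addr.values()), addr)


if __name__ == "__main__":
    print(multiply(7, 3))          # 21
    print("\n".join(lift_multiply(7, 3)))
```

    Eleven subleq triples lift to four pseudo-ops (a mov, an add, a decrement-and-branch, and a jump), which is the whole point of recognising idioms before reading the code: the interpreter only ever sees subtractions and conditional branches, and any structure above that level has to be recovered by the analyst or the tooling.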


  • What's New in Lighthouse v0.6

    Intel pintool, cyclomatic complexity, batch load, bugfixes


    Lighthouse is a code coverage plugin for IDA Pro. Last week I promoted the GitHub development branch to master and tagged the release as Lighthouse v0.6. This post details some of its noteworthy changes.

    Highlights for this release include a Lighthouse compatible Intel pintool, cyclomatic complexity metrics, batch loading, and a number of important bugfixes.

    Lighthouse is a plugin to explore and visualize externally collected code coverage in IDA Pro


  • Hello World

    Compiling Executables for the Classic POSIX Subsystem on Windows


    /SUBSYSTEM:POSIX

    You’ve seen it before, haven’t you? It’s strange. It’s like a face you passed on the street but can’t quite place. Was it déjà vu? A doppelganger? Maybe the first time you saw it it was in a sea of linker flags on MSDN, or perhaps when fumbling around with the project settings in Visual Studio some years ago.

    You lingered for an extra second thinking “What on earth…?” while your eyes glazed over in reverie.

    POSIX Subsystem Linker Flag in Visual Studio 2015

    An artifact of evolution and monument to supporting legacy software. It was built by the ancients, forgotten, and left for new generations to rediscover.

    No, this isn’t the new Windows Subsystem for Linux. Beneath this flag lies the classic POSIX Subsystem on Windows.
