Reversing NIM binaries: the easy way

Presented at REcon 2023, June 11, 2023, 1 p.m. (60 minutes)

For a reverse engineer one of the first steps is to differentiate between library code and code the author wrote. This can be especially hard depending on how the compiler has optimized the code. This research’s objective is to make life easier for analysts and reverser engineers while analyzing NIM based binaries. The evolution of programming languages has created more portable languages that can be compiled for different platforms with little or no changes, without the recourse to virtual machines. This comes at the cost of a lot of boilerplate code which is added by the compiler or the Intermediate code translator. These languages often have their own definition of strings, calling convention and in some cases the intermediate code translator can implement different optimizations which in the end results in very complex executables. The NIM compiler has several optimization options, it can be optimized for speed or size for example, which will result in dramatically different binaries. This presentation starts to demonstrate these differences and their impact on the final binary. Then it moves to show how an analyst can identify the non-library code, so that she can focus her efforts on analyzing the logic of the executable, instead of getting lost in library code. To help out in this task we will present IDAPro scripts that will do part of the binary analysis and identify imported library or boilerplate code and create well known structures for language specific objects like strings. The presentation ends with a demonstration of the IDA scripts and the help it provides for analyzing NIM binaries.

Presenters:

• Vitor Ventura
  Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats, reversing them but also looking for their geopolitical and/or economic context. Vitor has been a speaker in conferences, like VirusBulletin, NorthSec, Recon, Defcon’s Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager where he was lead responder on several high profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments and ICS security assessments, custom mobile devices among other IoT security projects. Vitor holds a Bsc in Computer Science and multiple security related certifications like GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager).
• Holger Unterbrink
  Holger is a longtime security enthusiast, with more than 25 years of experience in the information security industry. He started his career as a penetration tester and is now working for Cisco Talos as technical leader in the malware and threat hunting sector. He finds new, cutting-edge security threats and analyzes their components. Holger is a frequent speaker at international security conferences such as BlackHat, HackInTheBox, Internet Security Conference, NorthSec, CiscoLive and others. He is also the author of several offensive and defensive security tools and won the IDA plugin contest with his Dynamic Data Resolver (DDR) IDA plugin in 2020.

Links:

• https://cfp.recon.cx/2023/talk/L9JECH/

Similar Presentations:

• BSidesLV 2017 / Extreme Mobile Application Exploitation
• AppSec USA 2017 / Mobile App Attack (2 of 2 days)
• AppSec USA 2017 / Mobile App Attack (1 of 2 days)