When Virtual Hell Freezes Over - Reversing C++ Code

Presented at REcon Brussels 2018, Feb. 2, 2018, 11:30 a.m. (30 minutes)

The capabilities that C++ provides through polymorphism are also obstacles when reverse engineering programs written in it. Dynamic reverse engineering of C++ code is potentially extremely time-consuming and resource-intensive. So, what if we could automate parts of this process and even customize it to the behavior of each individual program? C++ is known to be a knotty language: templates, lambdas, smart and unique pointers. All of these features create a jungle of objects intended to make life easier for the programmer, but once the program is compiled, the target is no longer what it once seemed. Reversing C++ programs is tedious and demanding: it requires rebuilding inheritance, identifying templates and tainting program flow in order to untangle function overloading and class usage. In my presentation I will show how smart, automated tracing can shorten the process of reverse engineering C++ programs. Automatically rebuilding vtables and resolving virtual function calls are strong capabilities that can be achieved with IDAPython, as I'll explain in my talk, which will also include examples from a framework created especially for this purpose. I present "Virtuailor": a tailor-made framework that helps rebuild the relationships of C++ classes in a program and sew together all of the loose ends.
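The approach the abstract describes, hooking indirect calls at run time and turning the recorded hits into vtable structures and call-site cross-references, can be sketched without IDA. The script below is an added example, not Virtuailor's code and not the speaker's; it models only the offline step after a debugger breakpoint on each `call [reg+disp]` has recorded the call site, the vtable base held in the register, the slot index and the concrete target. The trace, the addresses and the `CallEvent` layout are constructed assumptions, and the x86-64 pointer size is assumed.

```python
"""Offline reconstruction of C++ vtables from a (constructed) trace of indirect calls.

Each event models what a breakpoint on `call [reg+disp]` could record at run time:
the call site, the vtable base the register held, the slot index (disp / pointer size)
and the function actually reached. Nothing here talks to IDA; it is the bookkeeping
one would do before creating structs and cross-references in the database.
"""
from collections import defaultdict
from dataclasses import dataclass

PTR_SIZE = 8  # x86-64 assumed


@dataclass(frozen=True)
class CallEvent:
    call_site: int   # address of the indirect call instruction
    vtable: int      # value of the register that pointed at the vtable
    slot: int        # index into the vtable (displacement / PTR_SIZE)
    target: int      # function actually reached


# Constructed sample trace: two classes (vtables at 0x402000 and 0x402040) reached from a
# loop that calls obj->a() (slot 0) and obj->b() (slot 1); the derived class overrides b().
TRACE = [
    CallEvent(0x401130, 0x402000, 0, 0x401200),
    CallEvent(0x401140, 0x402000, 1, 0x401230),
    CallEvent(0x401130, 0x402040, 0, 0x401200),   # same a(): inherited, not overridden
    CallEvent(0x401140, 0x402040, 1, 0x401260),   # different b(): an override
    CallEvent(0x401130, 0x402000, 0, 0x401200),   # repeated hit, must not duplicate
]


def build_vtables(trace):
    """Group events by vtable base into {vtable: {slot: target}}.

    A slot that is observed with two different targets means the register did not
    hold a stable vtable (or the trace mixed objects), so that is reported, not merged.
    """
    tables = defaultdict(dict)
    for ev in trace:
        prev = tables[ev.vtable].get(ev.slot)
        if prev is not None and prev != ev.target:
            raise ValueError(f"slot {ev.slot} of vtable {ev.vtable:#x} saw two targets")
        tables[ev.vtable][ev.slot] = ev.target
    return dict(tables)


def call_site_targets(trace):
    """For each indirect call site, the set of concrete targets it reached.

    These are the polymorphic cross-references static analysis cannot produce on its own.
    """
    sites = defaultdict(set)
    for ev in trace:
        sites[ev.call_site].add(ev.target)
    return dict(sites)


def shared_slots(tables):
    """Pairs of vtables that hold the same target in the same slot: an inheritance hint."""
    hints = []
    vts = sorted(tables)
    for i, a in enumerate(vts):
        for b in vts[i + 1:]:
            common = [s for s in tables[a] if tables[b].get(s) == tables[a][s]]
            if common:
                hints.append((a, b, sorted(common)))
    return hints


def render_struct(vtable, slots):
    """Emit a C-like struct for one vtable, the shape one would create as an IDA struct.

    Slots never hit during the trace are kept as `unknown` so offsets stay correct.
    """
    lines = [f"struct vtbl_{vtable:x} {{"]
    for slot in range(max(slots) + 1):
        target = slots.get(slot)
        member = f"sub_{target:x}" if target is not None else "unknown"
        lines.append(f"    void *slot{slot}_{member};  // +{slot * PTR_SIZE:#x}")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    tables = build_vtables(TRACE)
    for vt, slots in sorted(tables.items()):
        print(render_struct(vt, slots))
    for site, targets in sorted(call_site_targets(TRACE).items()):
        print(f"{site:#x} -> " + ", ".join(f"{t:#x}" for t in sorted(targets)))
    for a, b, common in shared_slots(tables):
        print(f"vtables {a:#x} and {b:#x} share slots {common}")
```

Run stand-alone it prints the two reconstructed structs, the resolved targets per call site, and the hint that the two vtables share slot 0. The caveat a practitioner should keep in mind is coverage: a slot or a call site that the traced execution never reaches stays unknown, which is why the rendered struct leaves gaps explicit instead of guessing.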
