hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...)
DESCRIPTION
Whether it's for malware analysis, vulnerability research or emulation, having a correct disassembly of a binary is the essential thing you need when you analyze code. Unfortunately, many people are not aware that there are a lot of opcodes that are rarely used in normal files but are valid for execution, and that several common opcodes have rarely seen behaviours, which could lead to wrong conclusions after an improper analysis.

For this research, I decided to go back to the basics and study assembly from scratch, covering all opcodes, whether they're obsolete or brand new, common or undocumented. This helped me to find bugs in all the disassemblers I tried, including the most famous ones. This presentation introduces the funniest aspects of the x86 CPUs that I discovered in the process, including unexpected or rarely known opcodes and undocumented behaviour of common opcodes.

The talk will also cover opcodes that are used in armored code (malware/commercial protectors) that are likely to break tools (disassemblers, analyzers, emulators, tracers, ...), and introduce some useful tools and documents that were created in the process of the research.

Bio: Ange Albertini has been a reverse-engineering and assembly language enthusiast for around 20 years, and a malware analyst for 6 years. He has a technical blog, where he shares experimental source files and some infographics that are useful in his daily work.

TRANSCRIPT
![Page 1: hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...)](https://reader034.vdocuments.net/reader034/viewer/2022052621/558561a1d8b42a4c298b4936/html5/thumbnails/1.jpg)
Such a weird processor: messing with opcodes
(...and a little bit of PE)
Ange Albertini, 28th October 2011
@ange4771, @corkami (news only), Creative Commons BY
Slide 2
presented by...
● a reverse-engineering enthusiast
  ● ...since DOS 3.21
  ● Corkami.com
  ● MAME (the arcade emulator)
● a malware analyst
Slide 3
Corka-what?
● RCE project, only technical stuff
● free to:
  ● browse, download
  ● test, modify, compile
● updated
● useful daily
● but... only a hobby!
Slide 4
what is in Corkami?
● wiki pages, cheat sheets
● many PoCs
  ● hand-written (not generated), minimalist
  ● binaries available
● on PDF, x86, PE...
● 100% open
  ● BSD, CC BY
  – sources, images, docs
Slide 5
Story
0. CPUs are electronic, thus perfect
1. tricked by a malware
2. back to the basics
3. documented on Corkami
4. this presentation
Slide 6
“Achievement unlocked”
WinDbg 6.12.0002.633
Odbg 2.1a4
Hiew 8.15
IDA 6.1
(Authors notified, and most bugs already fixed)
Slide 7
Agenda
I. why does it matter? (an easy introduction, for everybody)
II. a bunch of tricks (technical stuff starts now, for technical people)
III. CoST
IV. a bit more of PE
Slide 8
Slide 9
from C to binary
Slide 10
inside the binary
Slide 11
our code, 'translated'
Slide 12
opcodes <=> assembly
Slide 13
Slide 14
Assembly
● generated by the compiler
● executed directly by the CPU
● the only code information in a standard binary
● what 'we' (analysts, hackers...) read
● disassembly is only for humans
● no text code in the final binary
Slide 15
let's mess a bit now...
Slide 16
let's insert 'something'
Slide 17
Slide 18
What did we do?
● Inserting an unrecognized byte
  ● directly in the binary
  ● not even documented nor identified!!
it could only crash...
Slide 19
the CPU doesn't care
Slide 20
what happened?
● D6 = S[ET]ALC
  ● Set AL on Carry
  ● AL = CF ? -1 : 0
● trivial, but not documented
● unreliable or shameful?
Slide 21
Intel: 'do what I do...'

| bytes | Intel's XED | MS' WinDbg |
|---|---|---|
| F1 | int1 | ?? |
| D6 | salc | ?? |
| F7 C8 90 90 90 90 | test eax, 0x90909090 | ?? |
| 0F 1E 84 C0 90 90 90 90 | nop dword ptr [eax+eax*8-0x6f6f6f70], eax | ?? |
| 0F 20 90 | mov eax, cr2 | ?? |
| 66 0F C8 | bswap ax | bswap eax |
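As an added example (not code from the talk or from Corkami), here is a minimal length-decoder for exactly the byte strings on this slide. It knows just enough x86 to get each instruction's length right, which is what a disassembler that prints "??" for a byte has already lost; the operand text for the hint nop is deliberately left as "r/m32" rather than rendered in full.

```python
# Added example, not from the talk or Corkami: a length-decoder for the
# byte strings on the "Intel's XED vs WinDbg" slide (32-bit mode, 32-bit
# addressing). Anything outside those cases raises ValueError.
from typing import List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

def modrm_size(code: bytes, i: int) -> int:
    """Bytes taken by the ModRM at code[i] plus any SIB byte and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1                               # register operand: no SIB, no disp
    size = 1
    if rm == 4:                                # SIB byte follows
        size += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            size += 4                          # base=101 with mod=00: disp32, no base
    elif mod == 0 and rm == 5:
        size += 4                              # [disp32]
    return size + {0: 0, 1: 1, 2: 4}[mod]      # disp8 / disp32 selected by mod

def decode_one(code: bytes) -> Tuple[int, str]:
    """Return (length, text) of the first instruction in code."""
    i, opsize16 = 0, False
    while code[i] == 0x66:                     # operand-size override prefix
        opsize16, i = True, i + 1
    op, i = code[i], i + 1
    if op == 0xD6:
        return i, "salc"                       # undocumented: AL = CF ? 0xFF : 0
    if op == 0xF1:
        return i, "int1"                       # undocumented ICEBP
    if op == 0xF7 and ((code[i] >> 3) & 7) in (0, 1):
        # F7 /0 is TEST r/m32, imm32; /1 is its undocumented alias, which is
        # why F7 C8 (reg field = 1) still reads as "test eax, imm32".
        n = modrm_size(code, i)
        imm = int.from_bytes(code[i + n:i + n + 4], "little")
        dst = REG32[code[i] & 7] if code[i] >> 6 == 3 else "dword ptr [mem]"
        return i + n + 4, f"test {dst}, 0x{imm:x}"
    if op == 0x0F:
        op2, i = code[i], i + 1
        if 0x18 <= op2 <= 0x1F:                # hint-nop family: a full ModRM/SIB/disp follows
            return i + modrm_size(code, i), "nop r/m32"
        if op2 == 0x20:                        # mov r32, crN: the mod bits are ignored
            return i + 1, f"mov {REG32[code[i] & 7]}, cr{(code[i] >> 3) & 7}"
        if 0xC8 <= op2 <= 0xCF:                # bswap r32, or bswap r16 with a 66 prefix
            return i, f"bswap {(REG16 if opsize16 else REG32)[op2 - 0xC8]}"
    raise ValueError(f"opcode {op:02x} not modelled")

def disassemble(code: bytes) -> List[Tuple[int, int, str]]:
    """Walk the stream and return (offset, length, text) for each instruction."""
    out, pos = [], 0
    while pos < len(code):
        length, text = decode_one(code[pos:])
        out.append((pos, length, text))
        pos += length
    return out

# The slide's byte strings, constructed here in the order the slide lists them.
SLIDE_BYTES = bytes.fromhex("F1" "D6" "F7C890909090" "0F1E84C090909090" "0F2090" "660FC8")
```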
Slide 22
the problem
● the CPU does its stuff
● if we/our tools don't know what's next, we're blind.
● no exhaustive or clean test set
  ● deep into malwares or packers
  ● scattered
Slide 23
let's start the real stuff...
Slide 24
a multi-generation CPU: standard...
English: let's go!, you win, sandwich, hello, f*ck
Assembly: push, mov, call, retn, jmp
Slide 25
...old-style...
English: thou, porpentine, enmity, hither, unkennel
Assembly: aaa, xlat, verr, smsw, lsl
Slide 26
Slide 27
...newest generation
English: tweet, poke, google, pwn, apps
Assembly: crc32, aesenc, pcmpistrm, vfmsubadd132ps, rcpss
and MOVBE, the rejected offspring
Slide 28
registers
● Initial values (Windows)
  ● eax = <your OS generation>: version = (eax != 0) ? Vista_or_later : XP
  ● gs = <number of bits>: bits = (gs == 0) ? 32 : 64
● Complex relations
  ● FPU changes FST, STx, MMX (ST0 overlaps MM7)
  – changes CR0, under XP
Slide 29
smsw
● CR0 access, from user-mode
● 286 opcode
● higher word of reg32 'undefined'
  ● under XP
  ● influenced by FPU
  ● eventually reverts
Slide 30
GS
● reset on thread switch (Windows 32b)
● eventually reset
  ● debugger stepping
  ● wait
  ● timings
Slide 31
nop
● nop is xchg *ax, *ax
● but xchg *ax, *ax can do something, in 64b!
  87 c0: xchg eax, eax
  .. .. .. .. 01 23 45 67 => 00 00 00 00 01 23 45 67
● hint nop
  0F1E84C090909090 nop dword ptr [eax+eax*8-0x6f6f6f70], eax
  ● partially undocumented, actually 0f 18-1f
  ● can trigger exception
Slide 32
mov
● documented, but sometimes tricky
● mov [cr0], eax => mov cr0, eax
  – mod/RM is ignored
● movsxd eax, ecx => mov eax, ecx
  – no REX prefix
● mov eax, cs => movzx eax, cs
  – 'undefined' upper word
Slide 33
bswap
rax: 12 34 56 78 90 ab cd ef => ef cd ab 90 78 56 34 12
eax: .. .. .. .. 01 23 45 67 => 00 00 00 00 67 45 23 01
ax:  .. .. .. .. .. .. 01 23 => .. .. .. .. .. .. 00 00
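As an added example (not code from the talk or from Corkami), the following models the register-write rules behind the nop, bswap and SALC slides: in 64-bit mode a 32-bit write zero-extends into the whole register (so `xchg eax, eax` is not a real nop), a 16-bit write leaves the upper bits alone, and a 16-bit bswap, undefined on paper, is modelled as the zero result the slide's table shows.

```python
# Added example, not from the talk or Corkami. Registers are plain Python
# ints holding a 64-bit value; mode64 selects 64-bit vs legacy 32-bit rules.
MASK = {16: 0xFFFF, 32: 0xFFFFFFFF, 64: 0xFFFFFFFFFFFFFFFF}

def write_reg(reg: int, width: int, value: int, mode64: bool = True) -> int:
    """Store value into the low `width` bits of reg following the x86 rules."""
    value &= MASK[width]
    if width == 64:
        return value
    if width == 32 and mode64:
        return value                             # 32-bit write clears bits 63:32
    return (reg & ~MASK[width]) | value          # 16-bit (or legacy 32-bit) write keeps the rest

def bswap(reg: int, width: int, mode64: bool = True) -> int:
    """Model BSWAP on the low `width` bits of reg (slide: rax / eax / ax rows)."""
    if width == 16:
        # Documented as undefined; the slide's table shows 01 23 => 00 00,
        # so the model zeroes the low word and keeps everything above it.
        return write_reg(reg, 16, 0, mode64)
    low = reg & MASK[width]
    swapped = int.from_bytes(low.to_bytes(width // 8, "little"), "big")
    return write_reg(reg, width, swapped, mode64)

def xchg_eax_eax(reg: int, mode64: bool = True) -> int:
    """87 C0: a genuine 32-bit write, so in 64-bit mode it zero-extends rax."""
    return write_reg(reg, 32, reg & MASK[32], mode64)

def nop(reg: int) -> int:
    """90: the one-byte nop touches nothing, unlike 87 C0 in 64-bit mode."""
    return reg

def salc(carry: bool, rax: int) -> int:
    """D6 SALC: AL = CF ? 0xFF : 0; only the low byte of rax changes."""
    return (rax & ~0xFF) | (0xFF if carry else 0)
```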
Slide 34
push+ret
Slide 35
Slide 36
...and so on...
● much more @ http://x86.corkami.com
● also graphs, cheat sheet...
● too much theory for now...
Slide 37
Corkami Standard Test
Slide 38
CoST
● http://cost.corkami.com
● testing opcodes
● in a hardened PE
● available in easy mode
Slide 39
more than 150 tests
● classic, rare
● jumps (JMP to IP, IRET, ...)
● undocumented (IceBP, SetALc...)
● cpu-specific (MOVBE, POPCNT, ...)
● OS-dependent, anti-VM/debugs
● exception triggers, interrupts, OS bugs, ...
● ...
Slide 40
a documented binary
exports + VEH = self commented assembly
a lot of DbgOutput
Slide 41
32+64 = ...
Slide 42
same opcodes, different code
Slide 43
CoST vs WinDbg & Hiew
WinDbg 6.12.0002.633
Hiew 8.15
Slide 44
a hardened PE
Top PE 'footer'
Slide 45
CoST vs IDA
Slide 46
a bit more of PE...
Slide 47
PE on Corkami
● some graphs
● a wiki page
  ● http://pe.corkami.com
  ● not "finished"
● more than 100 PoCs
  ● good enough to break <you name it>
Slide 48
virtual section table vs Hiew
Slide 49
Folded header
Slide 50
Weird export names
● exports = <anything non null>, 0
Slide 51
65535 sections vs OllyDbg
Slide 52
one last...
● TLS AddressOfIndex is overwritten on loading
● Imports are parsed until Name is 0
● under XP, overwritten after imports
  ● imports are fully parsed
● under W7, before
  ● truncated
same PE, loaded differently under different Windows
Slide 53
conclusion
● x86 and PE are far from perfectly documented
● still some gray areas of PE or x86
● but a bit less, every day
official documentations lead to FAILURE
1. visit Corkami.com
2. download the PoCs
3. fix the bugs ;)
Slide 54
Thanks
● Peter Ferrie
● Candid Wüest
Adam Błaszczyk, BeatriX, Bruce Dang, Cathal Mullaney, Czerno, Daniel Reynaud, Elias Bachaalany, Ero Carrera, Eugeny Suslikov, Georg Wicherski, Gil Dabah, Guillaume Delugré, Gunther, Igor Skochinsky, Ilfak Guilfanov, Ivanlef0u, Jean-Baptiste Bédrune, Jim Leonard, Jon Larimer, Joshua J. Drake, Markus Hinderhofer, Mateusz Jurczyk, Matthieu Bonetti, Moritz Kroll, Oleh Yuschuk, Renaud Tabary, Rewolf, Sebastian Biallas, StalkR, Yoann Guillot, ...
Questions?
Slide 55 (title slide, repeated)