Romain THOMAS

from September 2015

My works are focus on:

• Code obfuscation
• Reverse engineering
• Android
• Software protections (Packing...)

Engineering Studies

Engineering student in fourth year

The purpose of this project is to provide a cross platform library which can parse, modify and abstract ELF, PE and MachO formats.

Main features:

• Parsing: LIEF can parse ELF, PE, MachO and provides an user-friendly API to access to format internals.
• Modify: LIEF enables to modify some parts of these formats
• Abstract: Three formats have common features like sections, symbols, entry point... LIEF factors them.
• API: LIEF can be used in C, C++ and Python

During the three months project, we studied the studied the quantum eraser experiment which include :

• Quantum spin
• Ramsey interferometry
• Entangled states

We implemented the One-Wire protocol designed by Dallas Semiconductor to communicate between thermometers.

We programmed the Dijkstra’s algorithm in C then we optimized it by using :

• A* search algorithm
• Binary heap

When analyzing executable, the first layer of information is the format in which the executable is wrapped. It turns out that a lot of tools and libraries exist to analyze and instrument machine code wrapped by the format, but there is not such library to handle the three mainstream executable formats and to both read and modify these formats. LIEF has been developed to that end.

In the talk we will explain the rationale behind LIEF architecture choices, what LIEF allows to do and have a look at use cases.

LIEF is a cross platform library and it can be used through a Python, C++ and C API. The library enables to parse standard structures as well as more complex ones like PE Signature (Authenticode) and ELF hash table. As use cases we can inject code into a binary or a library, we can also redirect the control flow to hook functions and it can be used to obfuscate some parts of a binary. Another feature of LIEF is that common characteristics of these formats are factorized so that we can develop a single script which works for the three formats.

With Jonathan Salwan

The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.

With Jonathan Salwan

At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.

With Jonathan Salwan

Binary obfuscation is used to protect software's intellectual property. There exist different kinds of obfucation but roughly, it transforms a binary structure into another binary structure by preserving the same semantic. The aim of obfuscation is to ensure that the original information is "drown" in useless information that will make reverse engineering harder. In this article we will show how we can analyse an ofbuscated program and break some obfuscations using the Triton framework