Miasm IR getting higher
The Miasm intermediate representation is used for multiple tasks: emulation through its jitter engine, symbolic execution, DSE, program analysis, … But the intermediate representation can be a bit hard to read. In this article we will present the new tricks Miasm has learnt in 2018. Among them are the SSA/Out-of-SSA transformation, expression propagation and high-level operators, which can be combined to “lift” Miasm IR to a more human-readable language.
This article is based on Miasm version v0.1.1.
Note: We use graphviz to illustrate some graphs. Its layout does not always conform to a reverse engineering “ideal view”, so please be tolerant with those odd graphs.
Release v0.1.0
Overview:
Here is a short post to highlight some of the new features and main architectural changes of Miasm’s release v0.1.0. The comprehensive list of changes is available here.
Some of these recent changes may be detailed later in a dedicated post.
Playing with Dynamic symbolic execution
Dynamic symbolic execution (DSE) is a powerful and trendy method. It has been used for several tasks, such as:
- Code coverage
- Input and test-case generation
- Exploit generation
- Directed fuzzing
- Out-of-bound access checking
- Automatic crackme solving
- Reconstruction of algorithms
- Deobfuscation
- …
Miasm is not the first tool to implement this feature. But, well, as the tool already had everything needed to implement DSE, it was just a matter of time before this feature landed in the main branch.
This post is about how one can easily use DSE in their scripts, through a few usage examples and a simple API:
- Recovering an algorithm from an obfuscated program
- Reusing a packer without reversing it
- Automatically breaking a crackme
Overview:
This analysis is based on Miasm revision 1fb3326.
Data flow analysis: DepGraph
Overview:
This article deals with the dataflow analysis in binary programs. There are many algorithms and articles about this vast subject, so we will only cover a sample of them, highlight their advantages and drawbacks, then we will introduce the DepGraph (for dependency graph) algorithm implemented in Miasm.
This analysis is based on Miasm revision 6fef06f. The corresponding Elfesteem revision is 1ee9171.
Some details on the implementation and examples can be found in the article/slides/video published at the SSTIC conference: Graphes de dépendances : Petit Poucet style (WARNING: French material!).
ZeusVM analysis
Overview:
In this article, we will study an old Zeus sample protected by a virtual machine. We will begin with the analysis of the VM structure, then automate its reverse engineering using Miasm.
The sample is zeus_sample.zip. All zips in this post are protected using the password “infected”.
This analysis is based on Miasm revision f2a9a35. The corresponding Elfesteem revision is 1ee9171.
Rebuilding a cleaned & working binary (Re150 part 2)
This article is the last part of the analysis of the Re150 GreHack 2015 challenge. It will focus on how to re-assemble a cleaned up version of this challenge using Miasm.
For reference, please have a look at GreHack 2015 Re150 challenge: as painless as possible.
Overview:
This analysis is based on Miasm revision 4eceb2b.
Dynamic shellcode analysis
In this article, we will study a shellcode using dynamic analysis. This analysis includes a description of Miasm internals, which explains its length. The shellcode is in the archive dyn_sc_shellcodes.zip, protected with the password infected. The final script is here: dyn_sc_run.py
This analysis is based on Miasm revision 2cf6970.
GreHack 2015 Re150 challenge: as painless as possible
In this article, we analyze a GreHack 2015 challenge: reverseMe (Re150).
The purpose of this post is not to offer a documented write-up; one is already available here, based on an execution trace.
It is more about how we could have analyzed this challenge with the help of the Miasm framework (in addition to other tools, such as IDA / radare2 / …).
Overview:
This analysis is based on Miasm revision d2588f5.
Welcome!
Welcome to the Miasm blog! This blog will highlight features through examples and real-world cases. Miasm is hosted on GitHub.
Here are some articles related to Miasm:
- Taming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such Crackme
- Deobfuscation: recovering an OLLVM-protected program
- Fast DGA generation with Miasm
Is your article missing? Drop us an email!