2010
02.18

ReversingLabs is giving a presentation at the Barcelona BlackHat conference in April. Here is the short description of our presentation:

"Exploiting archive formats can lead to steganographic data hiding and to processing errors with serious forensic consequences. These formats are very interesting as they are commonly found on every PC, Apple or Linux machine, and it is popularly believed that they are well understood and trusted. Can exploits ever be present in file formats that have been in use for over ten or even twenty years?

Through deep format analysis, beyond fuzzing, we look at what goes wrong when the format specifications are interpreted differently. Can you trust programs that work with archives? Can you even trust your antivirus? We will answer these questions and disclose for the first time 15 newly discovered vulnerabilities in ZIP, 7ZIP, RAR, CAB and GZIP file formats, revealing the impact they have on anti-malware scanners, digital forensics, security gateways and IPS appliances.

This talk will include a demo of ArchiveInsider, a new forensics tool that detects and extracts hidden data and fully validates vulnerable file formats. We will demonstrate file format steganography, file malformation, and even data "self destruction," all with tools that you use and trust."

See you there...
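As an added illustration of the kind of format cross-check the abstract describes (this is not ReversingLabs code and not ArchiveInsider), here is a small Python validator that compares a ZIP's central directory with its local headers and lists every byte range that no record accounts for; the sample archive, and the bytes slipped into it, are constructed for the example.

```python
import io
import struct
import zipfile

EOCD, CEN, LOC = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def zip_findings(data):
    """Cross-check the central directory against local headers; report byte ranges no record covers."""
    findings, covered, eocd = [], [], data.rfind(EOCD)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    entries, _, cd_off, comment_len = struct.unpack_from("<HIIH", data, eocd + 10)
    pos = cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != CEN:
            findings.append("central directory truncated at offset %d" % pos)
            break
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        csize, _, nlen, xlen, clen, _, _, _, loc = struct.unpack_from("<IIHHHHHII", data, pos + 20)
        name = data[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        if data[loc:loc + 4] != LOC:
            findings.append("%r: no local header at offset %d" % (name, loc))
            continue
        lcsize, lnlen, lxlen = struct.unpack_from("<IxxxxHH", data, loc + 18)
        lname = data[loc + 30:loc + 30 + lnlen]
        if lname != name:
            findings.append("name mismatch: central %r vs local %r" % (name, lname))
        if not flags & 8:  # bit 3 set: sizes live in a trailing data descriptor, skip size check
            if lcsize != csize:
                findings.append("%r: size mismatch central %d vs local %d" % (name, csize, lcsize))
            covered.append((loc, loc + 30 + lnlen + lxlen + csize))
    covered += [(cd_off, pos), (eocd, eocd + 22 + comment_len), (len(data), len(data))]  # EOF sentinel
    end = 0
    for start, stop in sorted(covered):
        if start > end:
            findings.append("unreferenced bytes at %d..%d" % (end, start))
        end = max(end, stop)
    return findings

def sample_archive(hidden=b""):
    # Constructed sample: one entry; 'hidden' is placed between the entry data and the central directory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello from the archive\n" * 4)
    data = buf.getvalue()
    eocd = data.rfind(EOCD) + len(hidden)
    cd_off = struct.unpack_from("<I", data, eocd - len(hidden) + 16)[0]
    data = data[:cd_off] + hidden + data[cd_off:]  # EOCD offset is patched so zip tools still open it
    return data[:eocd + 16] + struct.pack("<I", cd_off + len(hidden)) + data[eocd + 20:]
```

Standard tools open and verify the patched sample without complaint, because every record they read is still internally consistent; only the gap accounting reveals the extra bytes.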

2010
02.18

With over 385 functions, TitanEngine is surely overwhelming at first sight. To help you get over this initial barrier we have included many sample applications with the TitanEngine SDK. However, that still involves learning the use of 20 - 30 functions and the general layout we envisioned for our dynamic unpackers. And even this can be a lot for someone who wants to perform simple tasks such as creating an unpacker for the FSG packer. With that in mind, we designed a basic set of 5 functions that are simple to use, because they automate most of the steps needed to create simple dynamic unpackers. These 5 new functions create the debugging process, search for patterns, set breakpoints and handle the memory dumping and file fixing steps.

To demonstrate what is coming in the next TitanEngine 2.0.3 release we asked one of our reverse engineers to show us how he would create an unpacker for FSG using these new functions. This single-breath video capture, which only took 16 minutes to make, shows how to create a simple FSG 2.0 unpacker from scratch, for the first time showing the entire unpacker coding process. We have accelerated the video 4x for your viewing pleasure. The final result of this exercise is a fully functional FSG 2.0 unpacker - in only 40 lines of code.

This is just one of the features that you can expect to see in the next TitanEngine major version upgrade. Stay tuned for more...
