HitB2012AMS: SSEXY: Binary Obfuscation the SSE Way

By Jurriaan Bremer (Independent Researcher / Member of HITB.nl CTF Crew)

The SSE instruction set is a special instruction set provided by the CPU for heavy math operations; it performs really well for 3D graphics (as used in games and rendering engines) and for brute-forcing hashes (MD5 etc.).

Since a lot of security tools (e.g. anti-virus) are based on pattern recognition, replacing normal x86 instructions with SSE instructions can alter the pattern of the file and thus fool these security tools.

Jurriaan wrote a tool called SSEXY that converts a normal PE executable into an obfuscated executable. The tool takes a PE binary as input, disassembles it, modifies the resulting source and then uses gcc to build a new binary.

In his talk Jurriaan highlighted how he created this tool and some of the obstacles that had to be overcome.

SSEXY will be available soon in Jurriaan's GitHub space.

Presentation materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/

ABOUT JURRIAAN BREMER

Jurriaan is an independent security researcher from the Netherlands who has been interested in the development and analysis of low-level software, their algorithms and new ways to bypass existing security measures. He is also a member of “De Eindbazen” (a Dutch team that plays CTFs) and one of the people behind the HITB.nl CTF.
