15 posts in tag Reven

Full visibility of a Windows Kernel Bug with Timeless Analysis (CVE-2018-8410)

26 Mar 2019 by Mathieu - Technical - Reverse Engineering Windows Kernel Scripts CVE Demo Reven

One of the situations where REVEN (aka Tetrane) really shines is digging into undocumented kernel mechanisms, especially in cases where WinDBG abstracts information away from the user. In the following video, we will analyze a reference counting bug in the Windows Kernel (CVE-2018-8410 published by Google Project Zero) and try...

Analysis of VLC Exploit Arbitrary Code Execution (CVE-2018-11529)

06 Mar 2019 by Mathieu - Technical - Reverse Engineering CVE Demo Reven

This is the analysis of VLC Exploit Arbitrary Code Execution (CVE-2018-11529) done REVEN v2. It leverages our timeless analysis technology and several key features: Data Tainting Memory History Backtrace etc.

Analyzing CVE-2015-0350 with REVEN

10 Dec 2018 by Luc - Technical - Reverse Engineering CVE Adobe Flash Reven

In this article we will show how we analyzed and tamper the PoC for CVE-2015-0350, an Adobe Flash vulnerability located in the parsing of JPEG-XR images, with the help of timeless analysis. With REVEN v1.5.0, from an input file causing a crash, we analyze the vulnerability by instantly time-traveling to...

Reversing DirtyC0W

10 Sep 2017 by Fred - Technical - Reverse Engineering Kernel Race-condition Reven

Everybody keeps in mind the Dirtyc0w Linux kernel bug. For those who don’t, take some time to refresh your memory here. The kernel race condition is triggered from user-space and can easily lead a random local user to write into any root owned file. In this article, we will demonstrate...

Unfolding obfuscated code with Reven (part 2)

25 Jan 2017 by tdta - Technical - Reverse Engineering Deobfuscation ctf Reven

Last time, by abstracting the runtime effect of the first virtual machine, we have reduced the challenge to a simpler but semantically equivalent program. Its control flow graph has a unique entry point as the basic block starting at 0x402048, whereas ones at 0x4023d4 and at 0x40266e are exit points...

Reversing Windows 7 BSoD display

04 Nov 2016 by Quentin - Technical - Axion BSoD Reverse Engineering Reven

In this post we’ll try to reverse Windows 7 BSoD using REVEN Axion in order to generate an image from memory and port accesses. Find which video mode is used As a first step, we will need to know which [video mode][wiki-output-caps] is used by the BSoD. To achieve this...

Unfolding obfuscated code (part 1)

01 Oct 2016 by tdta, Fred, Mathieu, Benoit - Technical - Reverse Engineering Deobfuscation ctf Reven

This article is the first one in a series of two. We present an overview of some reverse engineering capabilities of REVEN-Axion, applied to a publicly available challenge, namely F4b_XOR_W4kfu, the most valued at Grehack 2015’s CTF contest (500 points). A more detailed write-up will be published soon for those interested....

Making your own REVEN Axion plugin step by step

02 Jun 2015 by Mathieu - Reven - Reven Axion Plugin Reven

In this article we will shed light on REVEN Axion’s customisation possibilities by describing step by step how to create a simple plugin. Percent plugin in action on push edi. We will walk you through: The specification of our plugin The basics of plugin API for REVEN Axion The implementation...

SWF file unpacking with REVEN

22 Apr 2015 - Reven - Reven Flash swf

Source: wikimedia commons Recently we took a look at a new flash player exploit used by the Angler exploit kit. The sample was obfuscated using the well known ‘packing’ technique: the dropped swf file embeds a second stage swf in the form of an encrypted blob that will be decrypted...

REVEN in your toolkit

20 Feb 2015 - Reven - Reven Axion taint

Reven provides many analysis tools but still might lack some of your favorite tool features. To address this issue we created a Python API to allow you to create and share plugins. We also developed some ourselves to make REVEN’s interaction with external tools possible. Universal debugging The Gnu debugger...

Decoding function arguments

14 Jan 2015 - Reven - Axion Reven taint

Today I will show you a feature that is pretty useful when analysing an application. We call it the “arguments decoder”, and it displays the content of a function’s arguments when its prototype is known. The latter’s definition can be either extracted from the msdn function and structures, or given...

IE crash analysis

17 Dec 2014 - Reven - Axion Reven taint Reverse Engineering use after free

Today we will analyse a crash of Internet Explorer. Reven scenario generation According to Exodus Intelligence, a vulnerability was silently fixed in MS13-055 patch along with other things. They showed on their blog how to exploit it. We generated our REVEN scenario where we give an html file to Internet...

Data painting

03 Dec 2014 - Reven - Axion Reven taint

http://www.cir.uc.edu/ In this post we’ll present Reven dynamic data tainting capabilities and see some use cases of the tool. Dynamic data tainting The so called data tainting is a well known technique used to analyse the impact of data on a program. The idea is to apply a taint to a...

Exploring text strings

21 Nov 2014 by Mathieu - Reven - Axion Reven Reverse Engineering

A program’s text strings often carry a lot of information, and are a basic although essential guide while analysing binaries. In this article we’ll see how REVEN handles and presents them. We’ll also see how one can automatically use this data to gain a better understanding a program’s behavior. The...

Following memory history with REVEN-Axion

14 Nov 2014 - Reven - Axion Reven Reverse Engineering

When working on traces of millions of instructions, one of the biggest challenges can be to detect the small portions of the code that are actually interesting. In this article, we have an application that reads from the network. We will show how to quickly find where the network frames...