Speed up your reverse engineering with the hrtng plugin

Georgy Kucherin | Day 1, 2:05pm - 2:50pm

Abstract

What do vulnerability research and malware analysis have in common? Reverse engineering is the most fun but also the most time-consuming part of both. While analyzing binaries, reverse engineers often have to handle lots of routine yet tedious problems: performing virtual function analysis, handling data encryption, fighting code obfuscation and so on. To solve these problems that we face in our daily work, we have developed a plugin for IDA Pro called 'hrtng'. It's our secret sauce for reverse engineering, which won first place at the Hex-Rays annual plugin contest this year and has more than 1000 stars on GitHub. It works as a multi-tool, implementing more than 40 features useful in reverse engineering – whether it is malware dissection or vulnerability analysis, 'hrtng' comes in handy in all kinds of reverse engineering tasks.

In this presentation, we will demonstrate the capabilities of 'hrtng' by analyzing a sample of FinSpy, a highly obfuscated and difficult-to-reverse-engineer commercial spyware. With the help of this plugin, we will quickly solve challenges such as shellcode decryption, control flow deobfuscation, hidden function resolution and structure recognition. You will see how much time can be saved when you have the right tools!

The source code of the 'hrtng' plugin, as well as its compiled builds, is available for free under the GPLv3 license. It can be downloaded from the following link: https://github.com/KasperskyLab/hrtng.

The Speaker(s)

Georgy Kucherin

Georgy Kucherin is a researcher at Kaspersky's Global Research and Analysis Team and a student at Moscow State University. He is passionate about the analysis of complex malware and reverse engineering. His previous research includes attribution of the SolarWinds attack, as well as thorough investigations into APTs such as Operation Triangulation, Turla, FinFisher, APT41 and Lazarus.