CodexRebirth : Taint Analysis + Trace Exploration Approach to Reverse Engineering

Introduction

CodexRebirth aims to simplify the reverse engineering of obfuscated code by applying taint analysis to an execution trace. It examines every executed assembly instruction and tracks a taint for each memory address and register it touches. Whenever an instruction reads a tainted register, a tainted memory location, or a value derived from either, the result is tainted in turn and the symbolic equation attached to it is updated. The user can then follow how a value and its equation evolve through the trace and pinpoint the exact instruction responsible for any change. Instructions can also be colour-coded by 'taint_id' or by block similarity, which adds a further layer of clarity to the analysis.

Big thanks to Markus Gaasedelen (@gaasedelen), because I used his Tenet IDA plugin as a base for mine; I also took part of the code from the frinet project.

[Screenshot: IDA plugin]

The plugin also includes additional features, some of which have been adapted from the Tenet plugin and the Frinet project with further enhancements.

Features

Library calls are also dumped during step tracing:

[Screenshot: Library calls]

How the taint analysis works

The taint analysis is based on the following principles:

Following these principles, we can track both the forward propagation of taints and the backward propagation of equations.


Forward propagation of taints is shown by the green cells and backward propagation of equations by the pink cells. In short, green cells are the operations that use the current operation's result, and pink cells are the operations whose results the current operation uses.

Backward propagation can then be represented as a tree. Operations that take a RealValue as an operand (for example an immediate) are shown on the same line as their predecessor; when an operation combines two SymValue operands, the result is a merge of the two operands' trees.
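The following is an added example, not code from CodexRebirth, that follows the scheme described above on a constructed trace. Only the RealValue and SymValue names come from this page; the instruction format, the toy 32-bit ALU, the `forward`/`backward` edge maps (the green and pink cells) and the rule that a single-SymValue-operand operation stays on its predecessor's line are my assumptions about how such a tracker could be laid out.

```python
# Added example, not CodexRebirth's code: only the RealValue/SymValue names come from the README.
from dataclasses import dataclass

ALU = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "xor": lambda a, b: a ^ b, "shl": lambda a, b: a << b}   # toy 32-bit ALU


@dataclass(frozen=True)
class RealValue:
    value: int          # concrete value with no dependency on tainted input


@dataclass(frozen=True)
class SymValue:
    """Tainted value: result, equation, taint ids, producing trace index (None for a taint source)."""
    value: int
    expr: str
    taint_ids: frozenset
    insn: "int | None"
    deps: tuple         # trace indices of the SymValue operands it was built from


def fmt_operand(op):
    if isinstance(op, tuple):                  # ("mem", addr)
        return f"mem[{op[1]:#x}]"
    return hex(op) if isinstance(op, int) else op   # immediate or register name


class TaintEngine:
    def __init__(self, tainted_mem):
        self.state = {}     # register name or ("mem", addr) -> current value
        self.trace = []     # (mnem, dst, src, result) per executed instruction
        self.forward = {}   # insn -> insns that consume its result (the "green" cells)
        self.backward = {}  # insn -> insns whose result it consumed (the "pink" cells)
        for addr, (value, tid) in tainted_mem.items():   # seed the taint sources
            self.state[("mem", addr)] = SymValue(value, f"mem[{addr:#x}]", frozenset({tid}), None, ())

    def read(self, op):
        return RealValue(op) if isinstance(op, int) else self.state.get(op, RealValue(0))

    def step(self, mnem, dst, src):
        """Execute one instruction; the result is tainted iff a tainted operand flows in."""
        idx = len(self.trace)
        s = self.read(src)
        operands = [s] if mnem == "mov" else [self.read(dst), s]
        sym = [v for v in operands if isinstance(v, SymValue)]
        if not sym:
            concrete = s.value if mnem == "mov" else ALU[mnem](operands[0].value, s.value)
            result = RealValue(concrete & 0xFFFFFFFF)     # untainted: no equation to keep
        else:
            deps = tuple(v.insn for v in sym if v.insn is not None)
            taint = frozenset().union(*(v.taint_ids for v in sym))
            if mnem == "mov":
                result = SymValue(s.value, s.expr, taint, idx, deps)    # equation unchanged
            else:
                d = operands[0]
                terms = [v.expr if isinstance(v, SymValue) else hex(v.value) for v in (d, s)]
                concrete = ALU[mnem](d.value, s.value) & 0xFFFFFFFF
                result = SymValue(concrete, f"({terms[0]} {mnem} {terms[1]})", taint, idx, deps)
            for dep in deps:                 # forward edge: dep's result is consumed here
                self.forward.setdefault(dep, set()).add(idx)
        self.backward[idx] = set(result.deps) if isinstance(result, SymValue) else set()
        self.state[dst] = result
        self.trace.append((mnem, dst, src, result))

    def describe(self, idx):
        mnem, dst, src, _ = self.trace[idx]
        return f"{idx}: {mnem} {fmt_operand(dst)}, {fmt_operand(src)}"

    def equation_tree(self, idx, depth=0):
        """Backward propagation as a tree: one SymValue operand (the other a RealValue such as
        an immediate) stays on the predecessor's line; two SymValue operands merge two subtrees."""
        chain = [idx]
        while len(self.backward[chain[-1]]) == 1:
            chain.append(next(iter(self.backward[chain[-1]])))
        lines = ["  " * depth + " <- ".join(self.describe(i) for i in chain)]
        for dep in sorted(self.backward[chain[-1]]):
            lines.extend(self.equation_tree(dep, depth + 1))
        return lines


def demo():
    eng = TaintEngine({0x1000: (0x41, 1), 0x1004: (0x42, 2)})  # constructed: two tainted dwords, taint ids 1 and 2
    program = [
        ("mov", "eax", ("mem", 0x1000)), ("mov", "ebx", ("mem", 0x1004)),
        ("xor", "eax", 0x5A), ("shl", "ebx", 3),      # SymValue op RealValue: same tree line
        ("add", "eax", "ebx"),                        # SymValue op SymValue: tree merge, taints {1, 2}
        ("mov", "ecx", 0x10), ("add", "ecx", 0x20),   # fully concrete: no taint, no equation
        ("sub", "eax", "ecx"), ("mov", ("mem", 0x2000), "eax"),
    ]
    for mnem, dst, src in program:
        eng.step(mnem, dst, src)
    return eng


if __name__ == "__main__":
    eng = demo()
    print("\n".join(eng.equation_tree(len(eng.trace) - 1)))
```

Running it prints the backward tree of the final store. In the constructed program, `xor eax, 0x5A` and `sub eax, ecx` each have a single tainted operand and so stay on their predecessor's line, while `add eax, ebx` combines two tainted values, branches into two subtrees, and widens the taint set to {1, 2}; `eng.forward` holds the corresponding green edges, and a per-taint_id colouring would key on each result's `taint_ids`.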


More Features


Installation

Note: the IDA plugin requires Python 3.8 or later, and IDA must be configured to use that interpreter.

python -m pip install -r requirements.txt

Then copy the contents of the 'plugin' folder into the IDA plugins folder (for example C:\Program Files\IDA 7.6\plugins).

Basic Usage For Program Analysis

Basic Usage For Shellcode Analysis

Key Usage Considerations

Performance Insights (IDA Step Tracer)

The step tracer runs at about 100 instructions per second on a local machine, about 35 instructions per second on a remote machine over adb, and about 25 on a remote machine over WinDbg. However, the step tracer is designed to step out of loops rather than single-step every iteration, so raw instructions per second is not representative of its real throughput.

Tree View

The tree representation has been removed from the plugin because generating it was too slow. Previously it worked like this:

Future Work