10-17, 09:00–12:00 (Europe/Luxembourg), Hollenfels
On basis of a proprietary crypto library that was used for "securely" storing medical history, I like to give an introduction into reverse engineering cryptographic functions by three different approaches: Blackbox, dynamic instrumentation with Frida and static analysis with Ghidra.
Environment: We have an encryption tool, some libraries an already encrypted, secret file.
Black box: Just by using the encryption tool, what can we infer about the used primitives, keys, IVs etc.? Misusing the issues and stream cipher properties, we can even get parts of the keystream and start decrypting content.
Dynamic analysis with Frida: By hooking the right OLE functions, we understand what library calls are used and what the obfuscated static passphrase is, that the application uses.
Static analysis with Ghidra: To confirm our assumptions about the primitives and to understand the key derivation, we dive into the libraries with Ghidra, detect indicators for common crypto and reconstruct what they do.
In the end, we can implement a version of the cryptographic function including the key derivation in python, and reverse it to decrypt the secret file.
Software requirements: Windows (VM) with admin rights, python, Frida and Ghidra installed
-- or --
VirtualBox and about 50 GB of free space to use a provided VM
Finn Steglich works as penetration tester for 12 years now, currently with ETAS (Bosch Group) in Stuttgart, Germany for Bosch in-house projects. He is usually working on mobile apps, Windows privilege escalation, strange binary protocols and very old client applications in an attempt to decrypt company secrets. He did live hacking presentations on several not-so-technical events, held some corporate workshops about AD and Windows security and likes to do actual live demos a lot. When he started with reverse engineering, he really would have preferred to have attended a workshop like this but couldn't find any.