Rolf Rolles

@RolfRolles

Followers
14,004
Following
361
Media
76
Statuses
2,267

Static reverse engineering, deobfuscation, program analysis and formal verification, training, mathematics, compilers, functional programming, etc.

Berkeley, California
Joined July 2009
@RolfRolles
Rolf Rolles
4 years
Today I discovered Hex-Rays "Maximum commas" option, and I'm glad I did!
16
201
902
@RolfRolles
Rolf Rolles
3 years
Today I discovered my best C++ RE automation technique yet, which is alarmingly simple. Every name and type in this screenshot was applied automatically, no manual work. Details eventually when I finish my research binge.
22
111
789
@RolfRolles
Rolf Rolles
4 years
New blog entry: An Exhaustively-Analyzed IDB for ComRAT V4. This is one of the most thorough analyses I've ever done; certainly the largest.
16
254
602
@RolfRolles
Rolf Rolles
3 years
New blog entry: Automation in Reverse Engineering C++ STL/Template Code
4
157
485
@RolfRolles
Rolf Rolles
4 years
New blog entry: An Exhaustively Analyzed IDB for FlawedGrace. This is part two in my C++ static reverse engineering series, after ComRAT v4.
9
149
418
@RolfRolles
Rolf Rolles
4 years
Today I learned that disabling Hex-Rays "fast structural analysis" can clean up some common patterns where it generates suboptimal control flow structure.
3
74
390
@RolfRolles
Rolf Rolles
6 years
1250 lines of Java later, I ported one of my abstract interpretation-based deobfuscation tools () to Ghidra:
1
120
358
@RolfRolles
Rolf Rolles
5 years
Video for my RECON 2019 talk, "Automation Techniques in C++ Reverse Engineering", is now available:
4
144
348
@RolfRolles
Rolf Rolles
5 years
Ghidra's extensibility is jaw-dropping. Today I needed the pcode to model the x86 parity flag, which it doesn't do by default. 30 minutes and a 35-line patch to ia.sinc later, I can proceed. No other tool even comes close to how easy that was. (diff: …)
5
99
345
@RolfRolles
Rolf Rolles
1 year
It kind of sucks, but I finally implemented something I've wanted for a while, MSVC/x64 exception support in Hex-Rays.
8
39
336
@RolfRolles
Rolf Rolles
16 days
New blog entry: C++ Unwind Metadata: A Hidden Reverse Engineering Bonanza
0
113
308
@RolfRolles
Rolf Rolles
3 years
I finally found a good use for Hex-Rays "Decompile as call", albeit a pretty niche one.
5
40
272
@RolfRolles
Rolf Rolles
5 years
Research went better than expected. No manual work was involved in creating this screenshot. All type information was automatically generated and automatically applied to a freshly-created database.
10
50
258
@RolfRolles
Rolf Rolles
3 years
Recent results: generic detection of STL code in stripped binaries, with automatic commenting. Still a work in progress -- the internals keep evolving -- but so far, so good.
2
26
242
@RolfRolles
Rolf Rolles
2 years
My full-binary, static type reconstruction toolkit is becoming increasingly robust. Pictured are fully-automated results from RPCRT4/x64, an experiment to see if public PDBs make the problem any easier than the stripped case (answer: not by much). Bootleg private PDBs!
4
52
238
@RolfRolles
Rolf Rolles
6 years
Hex-Rays just published my guest blog entry, "Hex-Rays Microcode API vs. Obfuscating Compiler", w/plugin source code
@ilfak
Ilfak Guilfanov
6 years
A real world use of the microcode API:
0
82
131
5
108
207
@RolfRolles
Rolf Rolles
4 years
Spent the evening reading Ghidra's control flow structuring subsystem. That is a very unique, well thought-out, and well-designed piece of code. Recommended reading for binary analysis aficionados.
2
37
183
@RolfRolles
Rolf Rolles
2 years
Looks like my reverse engineering skills are not totally obsolete just yet.
7
16
177
@RolfRolles
Rolf Rolles
5 years
I pushed a prototype of some white-box cryptography stuff for Ghidra (differential computation analysis/correlation power analysis for DES): (example script )
1
78
175
@RolfRolles
Rolf Rolles
3 years
While researching C++/STL reverse engineering, I collected a list of every MSVC CRT version I could find on GitHub: It helps you narrow down the compiler version from the disassembly, which lets you see code for a version of the STL close to your binary's.
4
46
173
@RolfRolles
Rolf Rolles
4 years
Recently playing with Hex-Rays microcode plugins to remove optimizations related to enums and switch statements. Satisfying to see it working!
3
16
171
@RolfRolles
Rolf Rolles
7 years
New blog entry: FinSpy VM Unpacking Part 3 of 3: Devirtualizing FinSpy VM Programs
2
117
169
@RolfRolles
Rolf Rolles
5 years
A recent result: deobfuscation via relational abstract interpretation
4
29
167
@RolfRolles
Rolf Rolles
4 years
A recent result: navigable cross-reference browsing for outgoing C++ virtual function destinations
5
28
168
@RolfRolles
Rolf Rolles
3 years
I had been skeptical of Hex-Rays 7.6's new automatic variable renaming, but no more. I did not manually name any of the variables in these screenshots. Great time-saving feature.
6
29
171
@RolfRolles
Rolf Rolles
3 years
Short new blog entry: Hex-Rays, GetProcAddress, and Malware Analysis
4
68
167
@RolfRolles
Rolf Rolles
4 years
Ghidra's, and IDA 7.5's new, "folders" feature is incredibly useful for large-scale reverse engineering. I've found it especially provides clarity when organizing reconstructed data structures.
4
22
159
@RolfRolles
Rolf Rolles
3 years
Despite how agonizing LaTeX often is, I still think its typesetting is the prettiest.
4
10
157
@RolfRolles
Rolf Rolles
4 years
Happy 100,000 subscriber anniversary to the reverse engineering reddit!
1
9
142
@RolfRolles
Rolf Rolles
6 years
This is a great book. I've been recommending it to the students in my SMT class, as it's (by far) the largest compendium of constraint satisfaction problems/solutions that I'm aware of, including tons of unique and obscure ones. Good work, Dennis!
0
38
139
@RolfRolles
Rolf Rolles
5 years
I recently discovered @ModernVintageG 's channel on YouTube. A lot of stuff about old video game copy protections (arcade, console, PC), emulation, game development, etc. Good production values, too. Great stuff for reverse engineering enthusiasts.
3
25
136
@RolfRolles
Rolf Rolles
6 years
New research is going well. Hex-Rays microcode API plugin vs. obfuscating compiler, from an in-the-wild malware sample. Pictorially, obfuscated and deobfuscated versions:
1
33
138
@RolfRolles
Rolf Rolles
2 years
Today is the 25th anniversary of the first time I ever reverse engineered a piece of software. It's been gratifying and rewarding, but I hope to retire from public life before it's time to celebrate the 30th.
8
4
137
@RolfRolles
Rolf Rolles
6 years
Starting work on a C++ reverse engineering training class. Please point me to malware families that make heavy use of C++. The more the better -- STL (w/customized template parameters), exceptions, placement new, multiple/virtual inheritance, dynamic_cast, C++11/C++17, etc
13
40
136
@RolfRolles
Rolf Rolles
4 years
Outside of my upcoming new C++ class, I'm pondering a class just on Hex-Rays. Potential topics include: all UI/type system features, RE strategies, selected Hex-Rays internals, and the SDK. Is there public interest in that? If so, how interesting to you is the SDK vs. the others?
13
9
134
@RolfRolles
Rolf Rolles
5 years
I uploaded my old OCaml-based binary analysis framework to Github since I'm no longer using or developing it. (Abandoned, no support, has obsolete dependencies, is difficult to build, for educational purposes only, etc.)
5
40
132
@RolfRolles
Rolf Rolles
4 years
Current experiment: replacing the control-flow structuring algorithms in Hex-Rays with my own. (Actually, this is a very small tweak to the existing code -- basically reversing the order of a single list.)
4
3
125
@RolfRolles
Rolf Rolles
4 years
What would you like to see in a C++ reverse engineering training class, beyond: structures/classes, templates/STL, inheritance (incl. multiple/virtual), and polymorphism? (As in, any particular libraries, features, or technologies, e.g. <atomic>/<thread>, lambdas, or COM/Qt/ATL?)
14
13
115
@RolfRolles
Rolf Rolles
6 years
Some initial experiences with Ghidra's decompiler on x86/Windows vs. Hex-Rays:
0
42
106
@RolfRolles
Rolf Rolles
5 years
Somehow I missed there's a whole Ph.D. thesis on symbolic abstraction: Looks pretty readable, too.
3
35
104
@RolfRolles
Rolf Rolles
4 years
Before reverse engineering modern C++ binaries, I wrongly thought move/forwarding/etc. would eliminate copies. There are more copies than ever. In this function, appending a string onto a vector involves five full copies, and a partial one just for laughs:
3
28
101
@RolfRolles
Rolf Rolles
4 years
IDA 7.2's shifted pointers make easy work of MSVC's recent adjustor thunk-less compilation techniques for multiple inheritance!
4
22
101
@RolfRolles
Rolf Rolles
7 years
Today marks the 20th-year anniversary of my involvement in reverse engineering. Been a long road since that first 200-byte DOS .COM crackme
8
12
99
@RolfRolles
Rolf Rolles
3 years
I realized this was a good use-case for a small Hex-Rays GUI plugin, so I threw one together quickly. The code is on GitHub:
@RolfRolles
Rolf Rolles
3 years
Short new blog entry: Hex-Rays, GetProcAddress, and Malware Analysis
4
68
167
0
29
95
@RolfRolles
Rolf Rolles
3 years
Today's experiment: targeting common array access patterns on x64, via graph theory and microcode patching, to coax Hex-Rays into generating more for loops.
4
8
89
@RolfRolles
Rolf Rolles
2 years
Mobius Strip Reverse Engineering is announcing public sessions for its Static Reverse Engineering and SMT-Based Binary Program Analysis training classes in April/May 2023 in Manassas, VA. More details can be found on our website:
2
29
90
@RolfRolles
Rolf Rolles
3 years
@arnaugamez @mr_phrazer Don't waste your time attempting to publish real-world deobfuscation research in academic venues. That corner of academia is divorced from reality. None of them have ever reverse engineered or deobfuscated anything. They are not your peers. They cannot evaluate your work.
5
17
89
@RolfRolles
Rolf Rolles
7 years
There's so much math to learn and retain, it's hopeless. I remember the stuff I use regularly, but forget everything else and have to relearn it every time, and I expect it'll always be this way
5
19
88
@RolfRolles
Rolf Rolles
6 years
@johnregehr I maintain a list of my favorite resources for people wanting to get into program analysis: Also covers background material
2
25
84
@RolfRolles
Rolf Rolles
3 years
I just learned that Patrick Cousot himself wrote a book about abstract interpretation, out last month: Seems about as dense as his articles -- no reprieve there, sadly -- but centralized and with redundancy removed, at least. Ordered!
2
19
85
@RolfRolles
Rolf Rolles
6 years
Happy 10th anniversary to the reverse engineering reddit!
2
19
83
@RolfRolles
Rolf Rolles
4 years
If not for a deadly virus outbreak, I likely would've been having beers with my reverse engineering friends on the Hilton Montreal terrace right now. Lamentable! Stay safe and brilliant until we meet again.
7
7
78
@RolfRolles
Rolf Rolles
5 years
Z3 is such great software. I had to ask nicely, but I just convinced it to solve a pseudo-Boolean optimization instance with 160,000 variables. (It took 35 minutes, but I can live with that.)
2
3
81
@RolfRolles
Rolf Rolles
5 years
Looking for new research topics, hence re-upping my periodic question: Which modern malware families have the most difficult custom (non-commercial) obfuscation? Not FinSpy or Obfuscator-LLVM, as I already broke them. [Feel free to email me if new ones arise in the future.]
8
17
80
@RolfRolles
Rolf Rolles
5 years
. @offensive_con is a great conference -- the hard-core technical content we all crave, a great audience (a different mixture than North American conferences), and very professional and friendly organizers. You should definitely go if it aligns with your interests.
0
7
78
@RolfRolles
Rolf Rolles
5 years
Promptly delivered and as advertised, A+++, would win contest again
@RGB_Lights
Rob Joyce
5 years
We have a winner! @RolfRolles work on deobfuscating control flows along with a tool release (and promise of more to follow). Very cool!
1
31
121
4
4
74
@RolfRolles
Rolf Rolles
6 years
Cool post on extending my Hex-Rays microcode API plugin from last year to deal with a different obfuscating compiler
@carbonb1ack
Carbon Black
6 years
New Blog from CB TAU: Defeating Compiler-Level Obfuscations Used in APT10 Malware - #infosec via @cci_forensics
0
48
36
0
38
76
@RolfRolles
Rolf Rolles
5 years
I'll be presenting my talk, "Automation Techniques in C++ Reverse Engineering", at BlackHat on Thursday at 2:30
1
13
76
@RolfRolles
Rolf Rolles
2 years
@netspooky For MSVC-compiled C++ binaries, the PE header's linker version is generally accurate and reliable as to which version of the C++ standard library it will contain. Combine that with to get an accurate idea of what the inlined STL functions will look like.
0
19
75
@RolfRolles
Rolf Rolles
2 years
Just signed up for my first Github sponsorship to @awesomekling and SerenityOS. I like the project and want to see it/him succeed! Check out his YouTube content if you haven't; I've been coding for 26 years and still find it valuable (and humbling) e.g.
3
6
73
@RolfRolles
Rolf Rolles
19 days
I would like to give a talk related to some pure reverse engineering research I did this year, but haven't been paying attention to industry conferences for a while. Apart from next year's RECON, which venues might accept such a talk?
15
8
72
@RolfRolles
Rolf Rolles
3 years
Just got my first shot of Pfizer. It was quick, painless, and professional. I hope your country soon overflows with supply so you can get yours, too, and we can get back to normal. Stay safe!
2
1
72
@RolfRolles
Rolf Rolles
6 years
Just spent an hour and a half badgering the Ghidra developers. That thing has a flabbergasting amount of great features; I'm sure I haven't even scratched the surface. Looking forward to getting to know it better.
2
14
69
@RolfRolles
Rolf Rolles
4 years
ComRAT v4 is a large, sophisticated backdoor that uses many C++ features: polymorphism, templates, multiple/virtual inheritance, many parts of the STL, etc. This is the result of six weeks of static RE, with no symbols/RTTI. Every developer-written function in the IDB is analyzed
1
14
68
@RolfRolles
Rolf Rolles
4 years
This book is good; at least, having no background in electronics/microarchitecture, I feel less ignorant after reading it:
1
6
68
@RolfRolles
Rolf Rolles
6 years
That feeling when you know a project is finally done, because you just closed 100+ tabs of miscellaneous, unsaved, scribbling gibberish in Notepad++
0
6
67
@RolfRolles
Rolf Rolles
5 years
@0xrepnz Good explanation! Hacker's Delight by Warren is a great book that explains a lot of these low-level tricks . Also you may be interested in my slides entitled "Compiler Optimizations for Reverse Engineers"
2
16
68
@RolfRolles
Rolf Rolles
6 years
It's too bad there aren't more industry publications on Hex-Rays scripting/plugins. The more I use it, the more I enjoy it. It opens up new vistas in day-to-day reverse engineering automation, and the results are more easily reusable than ad hoc IDA scripts
3
13
64
@RolfRolles
Rolf Rolles
3 years
Today is the first time I ever reverse engineered MSVC to figure out how an optimization works. It took about an hour, thanks to the public PDB for c2.dll. Note to self: try that sooner next time.
3
3
65
@RolfRolles
Rolf Rolles
4 years
Public service announcement: almost every reverse engineer with whom I've discussed it confuses "virtual inheritance" with "virtual functions". They are not the same thing. If that's news to you, read up on virtual inheritance:
1
7
64
@RolfRolles
Rolf Rolles
2 years
My first real foray into GUI programming is making me hate users. And I'm the only user!
3
7
62
@RolfRolles
Rolf Rolles
6 years
Fred from @tetrane just gave me an exciting demo of their product REVEN (e.g. ). It seems extremely useful for dynamic analysis (particularly vulnerability analysis). I look forward to playing with it more in the future and I hope they succeed!
3
23
60
@RolfRolles
Rolf Rolles
5 years
Just spent an hour looking at MBA obfuscation for the first time. At first glance it seems pretty trivial to break with some abstract algebra. (This was done automatically, based on black-box dynamic analysis, not using a SAT/SMT solver or any third-party libraries):
6
10
59
@RolfRolles
Rolf Rolles
5 years
Just wrote my first Java class with "factory" in the name. I'm... conflicted by this turn of events.
4
0
58
@RolfRolles
Rolf Rolles
6 years
Writing Hex-Rays plugins is much more challenging than IDA plugins - with many fewer existing plugins to crib from, both times I wound up reverse engineering hexrays.dll and _ida_hexrays.pyd for examples of how the APIs are used in practice
2
4
59
@RolfRolles
Rolf Rolles
1 year
The class is now sold out.
@hexacon_fr
Hexacon
1 year
🫣 Let's be honest: nobody likes to look at C++ code. Except every reverser had to audit a C++ binary at least once in his/her career. At #HEXACON2023 , @RolfRolles will give a good deal of tools to help you analyze C++ codebases, more information here:
0
9
61
2
4
56
@RolfRolles
Rolf Rolles
9 years
Lighthearted new blog entry: Trivia Questions for X86 Nerds http://t.co/VNG1S5xHYi
3
43
56
@RolfRolles
Rolf Rolles
5 years
Nothing satisfies me more as an instructor than when students spontaneously come up with, and succeed at, new project ideas in class! The 2.5 years of work that went into creating the course were all worth it (as grueling and miserable as they were at times).
@mayahustle
Jimmy Wylie
5 years
I am by no means a vuln hunter, but during day 4 of @RolfRolles ’ SMT Analysis Training, I wrote a program using Z3’s SMT python api to find a new integer overflow vuln in some firmware. 😎
1
0
19
0
2
58
@RolfRolles
Rolf Rolles
2 years
This blog entry (by two talented authors) breaks new ground by being the first foray into applying equality saturation to deobfuscation. Definitely give it a look if that overlaps with your interests!
@the_secret_club
secret club
2 years
Improving MBA Deobfuscation using Equality Saturation by @fvrmatteo and @mr_phrazer .
1
74
140
1
9
54
@RolfRolles
Rolf Rolles
4 years
Folderization was the missing piece for large-scale reverse engineering. I put the target's 2761 functions into folders, and I don't feel overwhelmed by it anymore; I feel like I understand the entire program now.
0
3
55