trex

Toolbox for Reverse Engineering

https://github.com/csl-ugent/trex

Science Score: 39.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 4 DOI reference(s) in README
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.1%) to scientific vocabulary

Scientific Fields

Mathematics Computer Science - 84% confidence
Artificial Intelligence and Machine Learning Computer Science - 83% confidence
Last synced: 4 months ago

Repository

Toolbox for Reverse Engineering

Basic Info
  • Host: GitHub
  • Owner: csl-ugent
  • License: other
  • Language: Jupyter Notebook
  • Default Branch: main
  • Size: 128 MB
Statistics
  • Stars: 2
  • Watchers: 2
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 1 year ago · Last pushed 11 months ago
Metadata Files
  • Readme
  • License
  • Citation

README.md

TREX: A Toolbox for Reverse Engineering

This repository contains the source code of TREX, a toolbox of reusable software analysis tools that mimic real-world reverse engineering attacks.

Use cases

The toolbox is described in the paper Thomas Faingnaert, Tab Zhang, Willem Van Iseghem, Gertjan Everaert, Bart Coppens, Christian Collberg, and Bjorn De Sutter. 2024. Tools and Models for Software Reverse Engineering Research. In Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks (CheckMATE 24), October 14–18, 2024, Salt Lake City, UT, USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3689934.3690817. The toolbox contains three use cases: cryptographic key localisation, license key localisation, and game resource hacking.

Cryptographic key localisation

This use case localises cryptographic keys and encryption/decryption algorithms in binaries. It is a reimplementation and extension of the state-of-the-art technique K-Hunt. This use case is described in the paper Thomas Faingnaert, Willem Van Iseghem, and Bjorn De Sutter. 2024. K-Hunt++: Improved Dynamic Cryptographic Key Extraction. In Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks (CheckMATE 24), October 14–18, 2024, Salt Lake City, UT, USA. ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3689934.3690818.

This use case is implemented in the Jupyter notebook notebooks/evaluate-localisation.ipynb and its corresponding Python files in notebooks/evaluate_localisation/. To run this use case, first follow the Set-up instructions, then see the Notebooks section for how to run the Jupyter notebooks. More information on this specific use case is embedded in the notebook file itself.

License key localisation

This use case focuses on localising a simple license key check. The use case is implemented in the demo demos/license-key/demo.py. To run this use case, first perform the initial setup by following the Set-up instructions, and then the Demos section.

Game resource hacking

This use case largely automates the localisation of the instructions that modify a particular resource in a game. It is implemented in the demo demos/supertux/demo.py. To run this use case, first perform the initial setup by following the Set-up instructions, and then the Demos section. You will also need to follow the instructions outlined in the demo's README.

Set-up instructions

Base requirements

First, install the following packages using your package manager:

- binutils
- Docker. Also make sure that you can access the Docker socket as your currently logged in user, e.g. by adding yourself to the docker group.
- Python 3.6 or newer (don't forget to install the -dev version as well!)
- virtualenv (optional)
- libffi-dev (for cffi), libjpeg-dev (for pillow)

To (optionally) create a virtual environment for development, run:

```bash
cd TREX/
virtualenv virtualenv
source virtualenv/bin/activate
```

Then install the framework's dependencies with pip install -r requirements.txt.

Integration with external tools

TREX integrates with a variety of external reverse engineering tools. If you want to use these, you will need to perform some additional steps for each tool.

LLDB

To use LLDB, you need to install LLDB and its Python bindings via your package manager, e.g. using sudo apt install -y lldb-11. This is because LLDB's Python interface is shipped with LLDB itself, and thus cannot be installed in a virtual environment via pip. You also need to store the path to LLDB's Python files (e.g. /usr/lib/python3/dist-packages) in the LLDB_PYTHON_MODULE_PATH environment variable. You can find this path by running the following in a system Python REPL:

```python
import os
import lldb

# The lldb package lives one directory below the site-packages path that
# LLDB_PYTHON_MODULE_PATH must point to.
os.path.abspath(os.path.join(os.path.dirname(lldb.__file__), '../'))
```

Binary Ninja

For integration with Binary Ninja, see the respective README.

IDA Pro

To use IDA, place the installer into the correct folder (refer to IDA's pre-installation section for more information).

Intel SDE

If you want to use SDE (required for all use cases), you will need to download Intel SDE 9.38 from Intel's website (https://www.intel.com/content/www/us/en/download/684897/823664/intel-software-development-emulator.html), and place the resulting .tar.xz file at containers/pin/container/sde-external-9.38.0-2024-04-18-lin.tar.xz.

Usage instructions

There are two ways to instantiate attacks in TREX: either using a demo.py script, or using a Jupyter notebook if more interactivity is required.

Demos

You can find several examples of demos in demos/*/demo.py. In order to run a demo, pass its path to the main.py script as follows:

```bash
python3 main.py demos/memorycopy/demo.py
```

Notebooks

The notebooks/ subdirectory contains Jupyter notebooks containing different use cases of the framework. You can open a notebook by running jupyter-lab in your Python virtual environment, and opening the corresponding file in Jupyter Lab in your browser.

Instructions for Developers

Project layout

```
containers/         Dockerfiles for the modules and plugins.
  <tool>/           Dockerfile(s) and configuration for <tool>.
  pin/              Dockerfile for Intel SDE (Pin), and Pintools.
    sources/        The source code of the Pintools.
core/               Framework kernel classes providing initialisation, access to the database, and workspaces.
data/               Used by the database container for storage.
demos/              Contains the example use case applications.
graph_models/       OGM classes for defining some of the analysis structures in the DB.
import/             Used by the DB container for I/O.
integration/        Plugins for integration with external software.
KNOWN-ISSUES.md     File containing known issues.
main.py             Main entry point to run demos (see the Demos section above).
modules/            Python classes that implement a particular software analysis.
notebooks/          Jupyter notebooks with examples of different use cases of the framework.
plugins/            Python classes providing reusable functionality for analyses.
query_language/     Python implementation of the query language.
workspaces/         Folder for analysis I/O and where temporary files are generated, separated by project.
```

LICENSE

TREX is available under the licensing terms specified in LICENSE. The code in the demos/ subdirectory is licensed under the terms specified in the respective subdirectory.

Owner

  • Name: csl-ugent
  • Login: csl-ugent
  • Kind: organization
  • Location: Ghent University

Diablo is a retargetable link-time binary rewriting framework

GitHub Events

Total
  • Watch event: 1
  • Push event: 2
  • Create event: 1
Last Year
  • Watch event: 1
  • Push event: 2
  • Create event: 1

Issues and Pull Requests

Last synced: 5 months ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0

Dependencies

containers/generic_deobfuscation/container/Dockerfile docker
  • debian bullseye-slim build
containers/grap/container/Dockerfile docker
  • debian stretch-slim build
containers/ida/container/Dockerfile docker
  • debian buster-slim build
containers/lldb/container/Dockerfile docker
  • ubuntu 20.04 build
containers/pin/container/Dockerfile docker
  • ubuntu 24.04 build
demos/coreutils/Dockerfile docker
  • debian buster-slim build
demos/curl/Dockerfile docker
  • debian buster-slim build
demos/gpg/Dockerfile docker
  • ubuntu 20.04 build
demos/sevenzip/Dockerfile docker
  • ubuntu 18.04 build
demos/sevenzip-x64/Dockerfile docker
  • ubuntu 18.04 build
requirements.txt pypi
  • Babel ==2.10.3
  • Jinja2 ==3.1.2
  • MarkupSafe ==2.1.1
  • Pillow ==9.2.0
  • Pygments ==2.12.0
  • Send2Trash ==1.8.0
  • anyio ==3.6.1
  • argon2-cffi ==21.3.0
  • argon2-cffi-bindings ==21.2.0
  • asttokens ==2.0.7
  • async-generator ==1.10
  • attrs ==22.1.0
  • backcall ==0.2.0
  • beautifulsoup4 ==4.11.1
  • bleach ==5.0.1
  • certifi ==2022.6.15
  • cffi ==1.15.1
  • chardet ==5.0.0
  • charset-normalizer ==2.1.0
  • cryptography ==37.0.4
  • cxxfilt ==0.3.0
  • cycler ==0.11.0
  • debugpy ==1.6.2
  • decorator ==5.1.1
  • defusedxml ==0.7.1
  • deprecation ==2.1.0
  • docker ==5.0.3
  • english ==2020.7.0
  • entrypoints ==0.4
  • executing ==0.9.1
  • fastjsonschema ==2.16.1
  • fonttools ==4.34.4
  • heatmapz ==0.0.4
  • idna ==3.3
  • interchange ==2021.0.4
  • ipykernel ==6.15.1
  • ipython ==8.4.0
  • ipython-genutils ==0.2.0
  • ipywidgets ==7.7.1
  • jedi ==0.18.1
  • joblib ==1.2.0
  • json5 ==0.9.9
  • jsonschema ==4.9.1
  • jupyter-client ==7.3.4
  • jupyter-core ==4.11.1
  • jupyter-packaging ==0.12.2
  • jupyter-server ==1.18.1
  • jupyterlab ==3.4.4
  • jupyterlab-pygments ==0.2.2
  • jupyterlab-server ==2.15.0
  • jupyterlab-widgets ==1.1.1
  • kiwisolver ==1.4.4
  • lxml ==5.3.0
  • matplotlib ==3.5.2
  • matplotlib-inline ==0.1.3
  • mistune ==0.8.4
  • monotonic ==1.6
  • nbclassic ==0.4.3
  • nbclient ==0.6.6
  • nbconvert ==6.5.1
  • nbformat ==5.4.0
  • neo4j ==5.25.0
  • neotime ==1.7.4
  • nest-asyncio ==1.5.5
  • notebook ==6.4.12
  • notebook-shim ==0.1.0
  • numpy ==2.1.1
  • packaging ==21.3
  • pandas ==2.2.3
  • pandocfilters ==1.5.0
  • pansi ==2020.7.3
  • parso ==0.8.3
  • pexpect ==4.8.0
  • pickleshare ==0.7.5
  • prometheus-client ==0.14.1
  • prompt-toolkit ==2.0.10
  • psutil ==5.9.1
  • ptyprocess ==0.7.0
  • pure-eval ==0.2.2
  • pycparser ==2.21
  • pyelftools ==0.29
  • pyparsing ==3.0.9
  • pyrsistent ==0.18.1
  • python-dateutil ==2.8.2
  • pytz ==2022.1
  • pyzmq ==26.2.0
  • requests ==2.28.1
  • scikit-learn ==1.5.2
  • scipy ==1.13.1
  • seaborn ==0.11.2
  • setuptools ==75.1.0
  • six ==1.16.0
  • sniffio ==1.2.0
  • soupsieve ==2.3.2.post1
  • stack-data ==0.3.0
  • terminado ==0.15.0
  • testpath ==0.6.0
  • threadpoolctl ==3.1.0
  • tinycss2 ==1.1.1
  • tomlkit ==0.11.3
  • tornado ==6.2
  • traitlets ==5.3.0
  • tzdata ==2024.2
  • urllib3 ==1.26.11
  • wcwidth ==0.2.5
  • webencodings ==0.5.1
  • websocket-client ==1.3.3
  • wheel ==0.44.0
  • widgetsnbextension ==3.6.1
  • yara-python ==4.2.3