Mohamad Mokbel

Senior Security Researcher @ Trend Micro

An Exploratory Endeavor in the Reverse Engineering of a Multi-platform Compiler

Reverse engineering software written in a native programming language requires an understanding of the different phases of the compilation process, as well as the libraries involved, code optimizations, language standards, file formats, the generated code, and other intricacies. Malware is mostly written in a native programming language such as x86 assembly, C, C++, Objective-C, Delphi, or similar languages.
In the last couple of years, malware authors have started using another native programming language, PureBasic. The language is powerful, produces native code, and ships with extensive library support. Moreover, its compiler targets all major platforms, including Windows, Linux and macOS. In this talk, we will delve into the inner workings of the language, the compiler architecture, and the reverse engineering of the language libraries, and, most importantly, release a complete parser for the libraries, IDA FLIRT signatures, and an IDA plugin. All of this is intended to make reverse engineering of PureBasic binaries easier.