
REpsych: Playing Mind Games with Reverse Engineers

Updated: Jul 16

Hey everyone, I'm excited to share some of the unconventional ideas I presented at DEF CON 23 under the title "REpsych: Psychological Warfare in Reverse Engineering." For too long, anti-reverse-engineering has focused on making code impossible to reverse. But what if we shifted the goal? What if we aimed to make the reverse engineer give up? That's where psychological warfare comes in.



The "mov is Turing Complete" Revelation


My journey into this began with a seemingly simple, yet profound, idea: "mov is Turing complete" (the observation comes from Stephen Dolan's 2013 paper of that name). In other words, any computation can be carried out using only the x86 mov instruction, with no arithmetic, comparison or branch instructions in the program at all. It sounds crazy, right? To prove it, I built a mov-only C compiler, the M/o/Vfuscator. It takes ordinary C source code and compiles it into thousands upon thousands of mov instructions.


Imagine looking at a binary in which every instruction is a mov. All the familiar patterns, the function calls, the loops, the comparisons, vanish: control flow has been folded into data movement, so the program reads as one enormous straight-line block. Reverse engineers rely heavily on those patterns to recover program logic, and so do their tools; a decompiler or a control flow graph has nothing to hook onto. When everything looks the same, analysis becomes an incredibly demoralizing and difficult task. It strips away all the common cues and forces a completely different, and far more arduous, approach.
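To show the principle behind compiling to nothing but data movement, here is an added example in C, written for this page rather than taken from the M/o/Vfuscator. Plain C loads and stores stand in for mov: equality is computed by two stores and a load through value-derived addresses, a conditional becomes an indexed load from a two-entry table, arithmetic becomes a lookup in a precomputed data table, and a store on a "not taken" path is redirected into a dummy slot instead of being skipped. The scratch region, inc_table, the helper names and the "banana" sample input are all constructed for the example, and the for loop is ordinary C kept for readability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Scratch region used as "value-as-address" memory: an 8-bit value is used
 * directly as an index, so a store to scratch[v] is a store whose address
 * carries the data. Constructed for this example.
 */
static uint8_t scratch[256];

/* Equality without cmp or a branch: write 0 at [a], write 1 at [b], read [a].
 * The read observes the second write only if the two addresses coincide. */
static uint8_t mov_eq(uint8_t a, uint8_t b)
{
    scratch[a] = 0;
    scratch[b] = 1;
    return scratch[a];
}

/* Conditional value: an indexed load from a two-entry table (flag is 0 or 1). */
static uint8_t mov_sel(uint8_t flag, uint8_t if_true, uint8_t if_false)
{
    uint8_t table[2];
    table[0] = if_false;
    table[1] = if_true;
    return table[flag];
}

/* Conditional destination: the same indexed load applied to addresses. A
 * store through the returned pointer "executes" either way, but only lands
 * in the real variable when flag is 1; otherwise it hits a dummy slot. */
static uint8_t *mov_psel(uint8_t flag, uint8_t *if_true, uint8_t *if_false)
{
    uint8_t *table[2];
    table[0] = if_false;
    table[1] = if_true;
    return table[flag];
}

/* Arithmetic as data: an increment table built by the preprocessor, so no
 * ALU instruction is needed at run time (entry 255 wraps to 0). */
#define INC1(n)  (uint8_t)(((n) + 1) & 0xff)
#define INC4(n)  INC1(n), INC1((n) + 1), INC1((n) + 2), INC1((n) + 3)
#define INC16(n) INC4(n), INC4((n) + 4), INC4((n) + 8), INC4((n) + 12)
#define INC64(n) INC16(n), INC16((n) + 16), INC16((n) + 32), INC16((n) + 48)
static const uint8_t inc_table[256] = { INC64(0), INC64(64), INC64(128), INC64(192) };

/* Count how many bytes of buf equal needle. Every iteration performs the
 * same loads and stores; a miss simply routes the incremented value into
 * dummy. The loop is kept as ordinary C for readability; a mov-only binary
 * would re-run one straight-line block instead (a simplification of the
 * technique, not the M/o/Vfuscator's exact output). */
static uint8_t mov_count(const uint8_t *buf, size_t len, uint8_t needle)
{
    uint8_t count = 0, dummy = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t hit  = mov_eq(buf[i], needle);
        uint8_t next = inc_table[count];
        *mov_psel(hit, &count, &dummy) = next;
    }
    return count;
}

int main(void)
{
    const uint8_t sample[] = "banana";      /* constructed sample input */
    printf("mov_eq(7,7)=%u mov_eq(7,8)=%u\n", mov_eq(7, 7), mov_eq(7, 8));
    printf("'a' occurs %u times in \"banana\"\n", mov_count(sample, 6, 'a'));
    return 0;
}
```

The point to notice is that nothing in mov_count is skipped on a miss: the comparison, the "increment" and the store all happen on every byte, and only the address the store lands at changes. That is exactly why a disassembler sees no branches to build a graph from.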



Embedding Messages in the Control Flow Graph


But I wanted to go deeper than just obfuscation. I wanted to directly mess with the reverse engineer's head. That's where manipulating the Control Flow Graph (CFG) comes in. CFGs are the bread and butter of reverse engineering tools like IDA Pro. They visually represent the flow of execution in a program, making complex logic understandable at a glance.


My idea was to embed messages or even images directly into these CFGs. Think about it: a reverse engineer opens a binary, expecting to see logical control flow, and instead, they're greeted by a skull, or a message telling them to "GIVE UP." That's psychological warfare.


The technical challenges were significant. My initial attempts to draw lines using switch statements and NOPs were frustrating because IDA Pro's automatic layout algorithm kept rearranging the nodes and breaking the image. I needed to force IDA to respect my layout.


The breakthrough came with a technique for forcing node placement into a matrix. By carefully crafting conditional jumps between basic blocks, I could "tie" each node to its neighbours, producing a rigid grid that IDA couldn't easily break. Once I had a uniform grid, the next challenge was turning individual pixels on or off. Simply removing nodes would collapse the grid and destroy the image. Instead, I "painted" pixels: an "on" pixel is a node filled with junk code, which renders as a larger, visually denser box, while an "off" pixel is a node holding only a minimal instruction. To enhance contrast, I made the "on" nodes taller and wider by using instructions with longer disassembly listings.

To automate this, I developed a bitmap-to-NASM converter. It takes a simple bitmap image and generates the NASM assembly source required to render it within the CFG.
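As an added example (not REpsych's own generator), the C program below does the painting half of that process for a small bitmap. Each pixel becomes a basic block labelled px_ROW_COL with two successors, a conditional jump to the pixel on its right and an unconditional jump to the pixel below, so the blocks form a lattice; "on" pixels are padded with long-encoding instructions and "off" pixels hold a single short one. The label scheme, the ON_PAD padding count, the instructions chosen and the plus-sign bitmap are all assumptions made for this example, and whether IDA keeps the lattice aligned as a grid is not something the page's description lets me reproduce; the page only says the real trick ties nodes with crafted conditional jumps.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Long instructions padded into an "on" node; more lines make the node
 * taller and wider in the graph view (tunable assumption). */
#define ON_PAD 6

/* Append formatted text to out at *pos; returns 0 when out is full. */
static int emit(char *out, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *pos)
        return 0;
    *pos += (size_t)n;
    return 1;
}

/*
 * Render a bitmap as NASM source. rows[] is a rectangular picture made of
 * '#' (on) and '.' (off) characters (a format constructed for this example).
 * Returns the number of "on" pixels emitted, or -1 if out is too small.
 */
static int bitmap_to_nasm(const char *const *rows, int height, char *out, size_t cap)
{
    size_t pos = 0;
    int width = (int)strlen(rows[0]);
    int on = 0;
    out[0] = '\0';
    if (!emit(out, cap, &pos, "bits 32\nsection .text\nglobal _start\n_start:\n"))
        return -1;
    for (int r = 0; r < height; r++) {
        for (int c = 0; c < width; c++) {
            int lit = rows[r][c] == '#';
            on += lit;
            if (!emit(out, cap, &pos, "px_%d_%d:\n", r, c))
                return -1;
            if (lit) {
                /* disp32 + imm32 operands give an 11-byte, wide-listing mov */
                for (int k = 0; k < ON_PAD; k++)
                    if (!emit(out, cap, &pos, "    mov dword [esp+0x7fffffff], 0x7fffffff\n"))
                        return -1;
            } else if (!emit(out, cap, &pos, "    mov eax, eax\n")) {
                return -1;
            }
            /* right edge (conditional) then down edge (unconditional) */
            if (c + 1 < width && !emit(out, cap, &pos, "    cmp eax, 0\n    jz px_%d_%d\n", r, c + 1))
                return -1;
            if (r + 1 < height) {
                if (!emit(out, cap, &pos, "    jmp px_%d_%d\n", r + 1, c))
                    return -1;
            } else if (!emit(out, cap, &pos, "    jmp done\n")) {
                return -1;
            }
        }
    }
    if (!emit(out, cap, &pos, "done:\n    mov eax, 1\n    xor ebx, ebx\n    int 0x80\n"))
        return -1;
    return on;
}

/* Count non-overlapping occurrences of needle in text (used to inspect output). */
static int count_substr(const char *text, const char *needle)
{
    int n = 0;
    size_t len = strlen(needle);
    for (const char *p = strstr(text, needle); p; p = strstr(p + len, needle))
        n++;
    return n;
}

/* Constructed 3x3 sample bitmap: a plus sign. */
static const char *const plus_sign[3] = { ".#.", "###", ".#." };
static char nasm_out[8192];

int main(void)
{
    int on = bitmap_to_nasm(plus_sign, 3, nasm_out, sizeof nasm_out);
    if (on < 0)
        return 1;
    fputs(nasm_out, stdout);                  /* pipe into: nasm -f elf32 */
    fprintf(stderr, "%d on-pixels rendered\n", on);
    return 0;
}
```

Assemble the output with `nasm -f elf32` and link it, then open the result in IDA's graph view to see how the layout engine treats the lattice; the program itself exits immediately via sys_exit, since only its static shape matters.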


Demonstrations and Future Applications

The results were incredibly satisfying. I demonstrated rendering various images, from a simple skull to the adorable Pusheen the cat, and even a grayscale "assembly selfie" directly within the CFGs.


The applications for this "repsych" technique are broad and, frankly, a bit mischievous:

  • Trolling reverse engineers: Just for the sheer fun of it.

  • Demoralizing them: With clear messages like "FUTILE" or "GIVE UP" embedded in the very structure they're trying to analyze.

  • "Interview" malware: Imagine malware that, when reversed, reveals information about its origin or purpose through embedded images.

  • Challenging CTF problems: Creating incredibly difficult and visually unique reverse engineering challenges.

  • The "Creepiest Malware Ever": This is where it gets really interesting. Imagine malware that scans a victim's hard drive for personal images, then dynamically rewrites its own control flow graph to display those very images to the reverse engineer during dynamic analysis. Talk about a mind trip!


Ultimately, my aim with REpsych is to shift our perspective on anti-reverse-engineering. It's not just about making the code harder; it's about making the reverse engineer quit. The REpsych tool chain is available on GitHub, and I'm always looking for feedback and new ideas for how we can continue to play these psychological games.


Christopher Domas (@xoreaxeaxeax)


Materials
