Software Deobfuscation Techniques [HITB+ CYBERWEEK 2021]

This class is intended for students who have basic experience in reverse engineering and have to deal with obfuscated code. The course is also of interest to experienced reverse engineers who want to deepen their understanding of program analysis techniques and code (de)obfuscation.

$3,299.00

Duration

3 days

Delivery Method

virtual

Level

advanced

Seats Available

20


ATTEND ONLINE: Virtual via Zoom and LMS

DATE: 21-23 November 2021

TIME: 09:00 to 17:00 PST/GMT-8

Date    | Day     | Time                  | Duration
21 Nov  | Sunday  | 09:00-17:00 PST/GMT-8 | 8 Hours
22 Nov  | Monday  | 09:00-17:00 PST/GMT-8 | 8 Hours
23 Nov  | Tuesday | 09:00-17:00 PST/GMT-8 | 8 Hours

 


Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst who still aims to reason about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand.

 

In this training, we get to know state-of-the-art code obfuscation techniques and have a look at how these complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.

First, we have a look at important code obfuscation techniques and discuss how to attack them. Afterwards, we analyze a virtual machine-based (VM-based) obfuscation scheme, learn VM hardening techniques and see how to deal with them.

In the second part, we cover SMT-based program analysis. Specifically, students learn how to solve program analysis problems with SMT solvers, how to prove characteristics of code, how to deobfuscate mixed Boolean-Arithmetic and how to break weak cryptography.

Before we use symbolic execution to automate large parts of code deobfuscation, we first introduce intermediate languages and compiler optimizations to simplify industrial-grade obfuscation schemes. Then, we use symbolic execution to automate SMT-based program analysis and break opaque predicates.

The last part covers program synthesis, an approach that learns the code’s semantics based on its input-output behavior. We explore how to collect input-output pairs; then, we use program synthesis to deobfuscate mixed Boolean-Arithmetic and learn the semantics of VM instruction handlers.

Agenda

  • Introduction to Code (De)obfuscation

    - motivation
    - application scenarios
    - program analysis techniques

  • Code Obfuscation Techniques

    - opaque predicates
    - control-flow flattening
    - mixed Boolean-Arithmetic
    - virtual machines
    - virtual machine hardening

  • Code Deobfuscation Techniques

    - compiler optimizations
    - reconstructing control flow
    - SMT-based program analysis
    - taint analysis
    - symbolic execution
    - program synthesis

  • Compiler Optimizations

    - dead code elimination
    - constant propagation/folding
    - static single assignment (SSA)
    - optimizing obfuscated code

  • SMT-based Program Analysis

    - SAT and SMT solvers
    - encoding program analysis problems for SMT solvers
    - proving semantic equivalence
    - proving properties of a piece of code
    - solving complex program constraints
    - deobfuscating mixed Boolean-Arithmetic
    - breaking weak cryptography

  • Symbolic Execution

    - intermediate languages for reverse engineering
    - symbolic and semantic simplification of obfuscated code
    - automation in reverse engineering
    - deobfuscating VM-based obfuscation schemes
    - interaction with SMT solvers
    - breaking opaque predicates

  • Program Synthesis

    - concept of program synthesis
    - learning code semantics based on its input/output behavior
    - obtaining input/output pairs from code
    - deobfuscating mixed Boolean-Arithmetic
    - learning semantics of VM instruction handlers

Why You Should Take This Course

This class is intended for students who have basic experience in reverse engineering and have to deal with obfuscated code. The course is also of interest to experienced reverse engineers who want to deepen their understanding of program analysis techniques and code (de)obfuscation.

Who Should Attend

TBA

Key Learning Objectives

  • Get to know the state of the art in code obfuscation and deobfuscation techniques

  • Learn compiler optimizations, SMT-based program analysis, symbolic execution and program synthesis

  • Apply all techniques to break obfuscation schemes in various hands-on sessions

Prerequisite Knowledge

  • Basic reverse engineering skills

  • Familiarity with x86 assembly and Python

Hardware / Software Requirements

Students should bring a notebook with 2 GB RAM (minimum) and up to 15 GB disk space. Furthermore, they should install a disassembler of their choice (e.g., IDA or Ghidra) as well as virtualization software such as VirtualBox or VMware. Students will be provided with a Linux VM containing all necessary tools and setups.
