SlideShare a Scribd company logo
On deobfuscation
   in practice
    Vasily Bukasov
   Dmitry Schelkunov
Obfuscation applications
• Software protection against
  computer piracy

• Malware protection against
  automatic detection and to
  impede analysis of a
  malicious code
Obfuscators and protectors
• Manual obfuscation requires a lot
  of resources

• It’s much easier to use
  obfuscators and protectors which
  promise a strong obfuscation
Common code protection
     techniques
• Code encryption (out of
  scope of our report)
• Code virtualization
• Code morphing
Code virtualization
• Converts a source assembler
  code to the specially generated
  byte-code
• Inserts byte-code and byte-
  code interpreter into the source
  PE file
Code virtualization
 Byte-code mostly represents
original assembler instructions
 so its execution has the same
  effect as from the original
          instructions
Code virtualization
                   Get instruction byte-code

Byte-code
              Get instruction arguments from VM
 fetching      context or from another location
   loop
                      Process instruction

              Save result into VM context or into
                       another location
VM context

• Contains variables associated
  with processor registers
• Contains VM state
• Its location can be easily found in
  most cases
VM context location
• Dynamically allocated memory
  (VirtualAlloc, HeapAlloc)
• Global memory (access via
  spinlock)
• Stack
VM stack context layout
                      0
    Not initialized
     VM context       rSP

    Reserved area

    Stack of the
   protected code
«Virtualized» addition
void unoptimal_addition( int a, int b, int *p )
{
    int u, v, t, *r;


    u = a;
    v = b;
    r = p;


    t = u + v;
    *r = t;
}
Virtualized code execution
   Getting byte-code
Loading from VM context   This code is
  Instruction execution   asking to be
 Saving to VM context
   Getting byte-code
                          optimized 
Loading from VM context
  Instruction execution
 Saving to VM context
         etc…
Code devirtualization
• We can locate VM context
• We can get CFG in most cases
• We can use common code
  optimization algorithms to
  deobfuscate a virtualized code
Code morphing
• Used to increase resistance to
  the static analysis
• Used for the CFG obfuscation
• Used to increase VM body
  analyzing complexity
Code morphing and CFG
       obfuscation
It’s a difficult task to decompile
a machine code

Therefore protectors don’t even
try to do it 
Code morphing and CFG
       obfuscation
Data dependencies analysis is
weak in protectors


Therefore they are limited in
choice of obfuscation techniques
Code morphing common
      techniques
              Recursive templates
                 Template      Template
                 Instruction
                 Instruction   Template
Instruction
                     …
                 Instruction
                               Template
Code morphing common
         techniques
• Dead code insertion
• Garbage code insertion
• Opaque predicates
• Jump address calculation
• Code cloning
Morphed code deobfuscation

• Decompilation into IR
• IR instruction emulation
• Collecting variables values
• Emulation-based deobfuscation
  techniques
Ariadne engine
• An engine for RE
• Can be used as IDA plugin
• Enables PE format analyzing,
  disassembling and modifying
• Supports GP, FPU, MMX, SSE,
  SSE2, SSE3, SSSE3, SSE4.1,
  SSE4.2, SSE4a, VMX, SMX
Ariadne engine
• Supports assembler instructions
  translation into Ariadne
  Intermediate Representation
  (AIR)
• Supports IR instructions
  emulation
• Contains emulator-based code
  tracing mechanisms
Ariadne engine

• Contains built-in trace
  deobfuscation (AIR Wave
  Deobfuscation Technology)
AIR Wave Deobfuscation
       Technology
• Static deobfuscation
 –based on the classical compiler
  theory approaches
 –doesn’t use emulation
AIR Wave Deobfuscation
       Technology
• Dynamic deobfuscation
 –uses Ariadne IR emulator
 –calculates values of variables
 –determines in a lot of cases where a
  pointer points to
 –used for dereferenced pointers
  deobfuscation
AIR Wave Deobfuscation
      Technology
• Deobfuscation techniques
 –dead code elimination
 –variables propagation
 –constant folding
 –math simplifications
AIR Wave Deobfuscation
      Technology
• Deobfuscation techniques
 –loop unrolling
 –common subexpression
  elimination
 –pointer analysis and alias
  classification
Our results
• Many obfuscators/protectors
  provide a weak obfuscation
• Ariadne engine can be
  effectively used for
  deobfuscation
AIR Wave Deobfuscation
       Technology
Tested on …

See it for yourself 
And our thanks go…
• To Rolf Rolles for his works
  about virtualization
  obfuscation unpacking
• To Leta Group for Ariadne
  sponsorship
Ariadne engine
http://ariadne.group-ib.ru

More Related Content

Similar to Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

OIVM
OIVMOIVM
UVM TUTORIAL;
UVM TUTORIAL;UVM TUTORIAL;
UVM TUTORIAL;
Azad Mishra
 
Hypervisors
HypervisorsHypervisors
Hypervisors
SrikantMishra12
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
OSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical UpdateOSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical Update
mfrancis
 
Emulation-based SW protection
Emulation-based SW protectionEmulation-based SW protection
Emulation-based SW protection
abdullah roomi
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
Kingston Smiler
 
Invoke dynamic your api to hotspot
Invoke dynamic your api to hotspotInvoke dynamic your api to hotspot
Invoke dynamic your api to hotspot
Boundary
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
Andrey Karpov
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
Ontico
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Мохачёк Сахер
 
Lec1 final
Lec1 finalLec1 final
Lec1 final
Gichelle Amon
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Server Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David DelabasseeServer Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David Delabassee
JAXLondon2014
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
Ford AntiTrust
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
RISC-V International
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
intertelinvestigations
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 

Similar to Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation (20)

OIVM
OIVMOIVM
OIVM
 
UVM TUTORIAL;
UVM TUTORIAL;UVM TUTORIAL;
UVM TUTORIAL;
 
Hypervisors
HypervisorsHypervisors
Hypervisors
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
OSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical UpdateOSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical Update
 
Emulation-based SW protection
Emulation-based SW protectionEmulation-based SW protection
Emulation-based SW protection
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
Invoke dynamic your api to hotspot
Invoke dynamic your api to hotspotInvoke dynamic your api to hotspot
Invoke dynamic your api to hotspot
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
 
Lec1 final
Lec1 finalLec1 final
Lec1 final
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Server Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David DelabasseeServer Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David Delabassee
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 

More from DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
DefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
DefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
DefconRussia
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20
DefconRussia
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Recently uploaded

Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
DianaGray10
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
Alison B. Lowndes
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
OnBoard
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 

Recently uploaded (20)

Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 

Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

  • 1. On deobfuscation in practice Vasily Bukasov Dmitry Schelkunov
  • 2. Obfuscation applications • Software protection against computer piracy • Malware protection against automatic detection and to impede analysis of a malicious code
  • 3. Obfuscators and protectors • Manual obfuscation requires a lot of resources • It’s much easier to use obfuscators and protectors which promise a strong obfuscation
  • 4. Common code protection techniques • Code encryption (out of scope of our report) • Code virtualization • Code morphing
  • 5. Code virtualization • Converts a source assembler code to the specially generated byte-code • Inserts byte-code and byte- code interpreter into the source PE file
  • 6. Code virtualization Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions
  • 7. Code virtualization Get instruction byte-code Byte-code Get instruction arguments from VM fetching context or from another location loop Process instruction Save result into VM context or into another location
  • 8. VM context • Contains variables associated with processor registers • Contains VM state • Its location can be easily found in most cases
  • 9. VM context location • Dynamically allocated memory (VirtualAlloc, HeapAlloc) • Global memory (access via spinlock) • Stack
  • 10. VM stack context layout 0 Not initialized VM context rSP Reserved area Stack of the protected code
  • 11. «Virtualized» addition void unoptimal_addition( int a, int b, int *p ) { int u, v, t, *r; u = a; v = b; r = p; t = u + v; *r = t; }
  • 12. Virtualized code execution Getting byte-code Loading from VM context This code is Instruction execution asking to be Saving to VM context Getting byte-code optimized  Loading from VM context Instruction execution Saving to VM context etc…
  • 13. Code devirtualization • We can locate VM context • We can get CFG in most cases • We can use common code optimization algorithms to deobfuscate a virtualized code
  • 14. Code morphing • Used to increase resistance to the static analysis • Used for the CFG obfuscation • Used to increase VM body analyzing complexity
  • 15. Code morphing and CFG obfuscation It’s a difficult task to decompile a machine code Therefore protectors don’t even try to do it 
  • 16. Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
  • 17. Code morphing common techniques Recursive templates Template Template Instruction Instruction Template Instruction … Instruction Template
  • 18. Code morphing common techniques • Dead code insertion • Garbage code insertion • Opaque predicates • Jump address calculation • Code cloning
  • 19. Morphed code deobfuscation • Decompilation into IR • IR instruction emulation • Collecting variables values • Emulation-based deobfuscation techniques
  • 20. Ariadne engine • An engine for RE • Can be used as IDA plugin • Enables PE format analyzing, disassembling and modifying • Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX
  • 21. Ariadne engine • Supports assembler instructions translation into Ariadne Intermediate Representation (AIR) • Supports IR instructions emulation • Contains emulator-based code tracing mechanisms
  • 22. Ariadne engine • Contains built-in trace deobfuscation (AIR Wave Deobfuscation Technology)
  • 23. AIR Wave Deobfuscation Technology • Static deobfuscation –based on the classical compiler theory approaches –doesn’t use emulation
  • 24. AIR Wave Deobfuscation Technology • Dynamic deobfuscation –uses Ariadne IR emulator –calculates values of variables –determines in a lot of cases where a pointer points to –used for dereferenced pointers deobfuscation
  • 25. AIR Wave Deobfuscation Technology • Deobfuscation techniques –dead code elimination –variables propagation –constant folding –math simplifications
  • 26. AIR Wave Deobfuscation Technology • Deobfuscation techniques –loop unrolling –common subexpression elimination –pointer analysis and alias classification
  • 27. Our results • Many obfuscators/protectors provide a weak obfuscation • Ariadne engine can be effectively used for deobfuscation
  • 28. AIR Wave Deobfuscation Technology Tested on … See it for yourself 
  • 29. And our thanks go… • To Rolf Rolles for his works about virtualization obfuscation unpacking • To Leta Group for Ariadne sponsorship