SlideShare a Scribd company logo
On deobfuscation  in practice Vasily Bukasov Dmitry Schelkunov
Obfuscation applications Software protection against computer piracy Malware protection against automatic detection and to impede analysis of a malicious code
Obfuscators and protectors Manual obfuscation requires a lot of resources It’s much easier to use obfuscators and protectors which promise a strong obfuscation
Common code protection techniques Code encryption (out of scope of our report) Code virtualization Code morphing
Code virtualization Converts a source assembler code to the specially generated byte-code Inserts byte-code and byte-code interpreter into the source PE file
Code virtualization Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions
Code virtualization Get instruction byte-code Byte-code  fetching loop Get instruction arguments from VM context or from another location Process instruction Save result into VM context or into another location
VM context Contains variables associated with processor registers Contains VM state Its location can be easily found in most cases
VM context location Dynamically allocated memory (VirtualAlloc, HeapAlloc) Global memory (access via spinlock) Stack
VM stack context layout Stack of the  protected code Reserved area VM context rSP 0 Not initialized
« Virtualized »  addition void  unoptimal_addition(  int  a,  int  b,  int  *p ) { int  u, v, t, *r; u = a;  v = b; r = p;   t = u + v; *r = t; }
Virtualized code execution Getting byte-code Loading from VM context Instruction execution Saving to VM context  Getting byte-code Loading from VM context Instruction execution Saving to VM context  This code is asking to be optimized   etc…
Code devirtualization We can locate VM context We can get CFG in most cases We can use common code optimization algorithms to deobfuscate a virtualized code
Code morphing Used to increase resistance to the static analysis Used for the CFG obfuscation Used to increase VM body analyzing complexity
Code morphing and CFG obfuscation Therefore protectors don’t even try to do it   It’s a difficult task to decompile a machine code
Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
Code morphing common techniques Recursive templates Instruction Instruction Instruction … Instruction Template Template Template Template
Code morphing common techniques Dead code insertion Garbage code insertion Opaque predicates Jump address calculation Code cloning
Morphed code deobfuscation Decompilation into IR IR instruction emulation Collecting variables values Emulation-based deobfuscation techniques
Ariadne engine An engine for RE Can be used as IDA plugin Enables PE format analyzing, disassembling and modifying Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX
Ariadne engine Supports assembler instructions translation into  Ariadne Intermediate Representation (AIR) Supports IR instructions emulation Contains emulator-based code tracing mechanisms
Ariadne engine Contains built-in trace deobfuscation ( AIR Wave Deobfuscation Technology )
AIR Wave Deobfuscation Technology Static deobfuscation based on the classical compiler theory approaches doesn’t use emulation
AIR Wave Deobfuscation Technology Dynamic deobfuscation uses  Ariadne IR emulator calculates values of variables determines in a lot of cases where a pointer points to used for dereferenced pointers deobfuscation
AIR Wave Deobfuscation Technology Deobfuscation techniques dead code elimination variables propagation constant folding math simplifications
AIR Wave Deobfuscation Technology Deobfuscation techniques loop unrolling common subexpression elimination pointer analysis and alias classification
Our results Many obfuscators/protectors provide a weak obfuscation Ariadne engine  can be effectively used for deobfuscation
AIR Wave Deobfuscation Technology Tested on … See it for yourself  
And our thanks go… To  Rolf Rolles  for his works about virtualization obfuscation unpacking To  Leta Group  for  Ariadne  sponsorship
Ariadne engine http://ariadne.group-ib.ru

More Related Content

What's hot

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source Code
PVS-Studio
 
Hidden Truths in Dead Software Paths
Hidden Truths in Dead Software PathsHidden Truths in Dead Software Paths
Hidden Truths in Dead Software Paths
Ben Hermann
 
Handling Exceptions In C & C++ [Part B] Ver 2
Handling Exceptions In C & C++ [Part B] Ver 2Handling Exceptions In C & C++ [Part B] Ver 2
Handling Exceptions In C & C++ [Part B] Ver 2
ppd1961
 
Python Programming Essentials - M31 - PEP 8
Python Programming Essentials - M31 - PEP 8Python Programming Essentials - M31 - PEP 8
Python Programming Essentials - M31 - PEP 8
P3 InfoTech Solutions Pvt. Ltd.
 
From V8 to Modern Compilers
From V8 to Modern CompilersFrom V8 to Modern Compilers
From V8 to Modern Compilers
Min-Yih Hsu
 
Arduino C maXbox web of things slide show
Arduino C maXbox web of things slide showArduino C maXbox web of things slide show
Arduino C maXbox web of things slide show
Max Kleiner
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
zynamics GmbH
 
The Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics DevelopmentThe Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics Development
ukdpe
 
Runtime Bytecode Transformation for Smalltalk
Runtime Bytecode Transformation for SmalltalkRuntime Bytecode Transformation for Smalltalk
Runtime Bytecode Transformation for Smalltalk
Marcus Denker
 
Intro dotnet
Intro dotnetIntro dotnet
Erlang For Five Nines
Erlang For Five NinesErlang For Five Nines
Erlang For Five Nines
Barcamp Cork
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
PVS-Studio
 
Metrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMetrics ekon 14_2_kleiner
Metrics ekon 14_2_kleiner
Max Kleiner
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald   id and ip theft with side-channel attacks1300 david oswald   id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
Positive Hack Days
 
Python Programming Essentials - M5 - Variables
Python Programming Essentials - M5 - VariablesPython Programming Essentials - M5 - Variables
Python Programming Essentials - M5 - Variables
P3 InfoTech Solutions Pvt. Ltd.
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
guest9f4856
 

What's hot (18)

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source Code
 
Hidden Truths in Dead Software Paths
Hidden Truths in Dead Software PathsHidden Truths in Dead Software Paths
Hidden Truths in Dead Software Paths
 
Handling Exceptions In C & C++ [Part B] Ver 2
Handling Exceptions In C & C++ [Part B] Ver 2Handling Exceptions In C & C++ [Part B] Ver 2
Handling Exceptions In C & C++ [Part B] Ver 2
 
Python Programming Essentials - M31 - PEP 8
Python Programming Essentials - M31 - PEP 8Python Programming Essentials - M31 - PEP 8
Python Programming Essentials - M31 - PEP 8
 
From V8 to Modern Compilers
From V8 to Modern CompilersFrom V8 to Modern Compilers
From V8 to Modern Compilers
 
Arduino C maXbox web of things slide show
Arduino C maXbox web of things slide showArduino C maXbox web of things slide show
Arduino C maXbox web of things slide show
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 
The Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics DevelopmentThe Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics Development
 
Runtime Bytecode Transformation for Smalltalk
Runtime Bytecode Transformation for SmalltalkRuntime Bytecode Transformation for Smalltalk
Runtime Bytecode Transformation for Smalltalk
 
Intro dotnet
Intro dotnetIntro dotnet
Intro dotnet
 
Erlang For Five Nines
Erlang For Five NinesErlang For Five Nines
Erlang For Five Nines
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
 
Metrics ekon 14_2_kleiner
Metrics ekon 14_2_kleinerMetrics ekon 14_2_kleiner
Metrics ekon 14_2_kleiner
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald   id and ip theft with side-channel attacks1300 david oswald   id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Python Programming Essentials - M5 - Variables
Python Programming Essentials - M5 - VariablesPython Programming Essentials - M5 - Variables
Python Programming Essentials - M5 - Variables
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
 

Viewers also liked

Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsUnder the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanisms
ReCrypt
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
guest66dc5f
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation Conversation
Suzanne M. Sullivan
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined Networks
Talal Alharbi
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro video
Chad Loeven
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
Mattias Geniar
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
eSAT Journals
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?
Cyber Security Alliance
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalk
Smriti Bhagat
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
Nasir Bhutta
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
Nick Galbreath
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
Haydn Johnson
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
Sangeetha Sankaramahadev
 
Web attacks using obfuscated script
Web attacks using  obfuscated scriptWeb attacks using  obfuscated script
Web attacks using obfuscated script
Amol Kamble
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
Haydn Johnson
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
Amol Kamble
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 

Viewers also liked (20)

Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsUnder the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanisms
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation Conversation
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined Networks
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro video
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalk
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
 
Web attacks using obfuscated script
Web attacks using  obfuscated scriptWeb attacks using  obfuscated script
Web attacks using obfuscated script
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 

Similar to On deobfuscation in practice

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Virtualization summary b.docx
Virtualization summary b.docxVirtualization summary b.docx
Virtualization summary b.docx
shruti533256
 
OIVM
OIVMOIVM
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
Ontico
 
07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation
Adam Husár
 
Working Effectively With Legacy Perl Code
Working Effectively With Legacy Perl CodeWorking Effectively With Legacy Perl Code
Working Effectively With Legacy Perl Code
erikmsp
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
Y25124127
Y25124127Y25124127
Y25124127
IJERA Editor
 
What the CRaC - Superfast JVM startup
What the CRaC - Superfast JVM startupWhat the CRaC - Superfast JVM startup
What the CRaC - Superfast JVM startup
Gerrit Grunwald
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Security Bootcamp
 
Cpcs302 1
Cpcs302  1Cpcs302  1
Cpcs302 1
guest5de1a5
 
Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineering
Krishs Patil
 
Copper: A high performance workflow engine
Copper: A high performance workflow engineCopper: A high performance workflow engine
Copper: A high performance workflow engine
dmoebius
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
Alexandre Borges
 
Profiling distributed Java applications
Profiling distributed Java applicationsProfiling distributed Java applications
Profiling distributed Java applications
Constantine Slisenka
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault Injection
Cloudera, Inc.
 
complete_thesis
complete_thesiscomplete_thesis
complete_thesis
Mohammed Aldod
 
Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it
Prakashchand Suthar
 
Programming by imitation
Programming by imitationProgramming by imitation
Programming by imitation
Mario Sangiorgio
 

Similar to On deobfuscation in practice (20)

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Virtualization summary b.docx
Virtualization summary b.docxVirtualization summary b.docx
Virtualization summary b.docx
 
OIVM
OIVMOIVM
OIVM
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
 
07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation
 
Working Effectively With Legacy Perl Code
Working Effectively With Legacy Perl CodeWorking Effectively With Legacy Perl Code
Working Effectively With Legacy Perl Code
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Y25124127
Y25124127Y25124127
Y25124127
 
What the CRaC - Superfast JVM startup
What the CRaC - Superfast JVM startupWhat the CRaC - Superfast JVM startup
What the CRaC - Superfast JVM startup
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
 
Cpcs302 1
Cpcs302  1Cpcs302  1
Cpcs302 1
 
Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineering
 
Copper: A high performance workflow engine
Copper: A high performance workflow engineCopper: A high performance workflow engine
Copper: A high performance workflow engine
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
 
Profiling distributed Java applications
Profiling distributed Java applicationsProfiling distributed Java applications
Profiling distributed Java applications
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault Injection
 
complete_thesis
complete_thesiscomplete_thesis
complete_thesis
 
Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it
 
Programming by imitation
Programming by imitationProgramming by imitation
Programming by imitation
 

Recently uploaded

Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Comparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdfComparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdf
Andrey Yasko
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Bert Blevins
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
ishalveerrandhawa1
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
The Role of Technology in Payroll Statutory Compliance (1).pdf
The Role of Technology in Payroll Statutory Compliance (1).pdfThe Role of Technology in Payroll Statutory Compliance (1).pdf
The Role of Technology in Payroll Statutory Compliance (1).pdf
paysquare consultancy
 
The Evolution of Remote Server Management
The Evolution of Remote Server ManagementThe Evolution of Remote Server Management
The Evolution of Remote Server Management
Bert Blevins
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 

Recently uploaded (20)

Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Comparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdfComparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdf
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
The Role of Technology in Payroll Statutory Compliance (1).pdf
The Role of Technology in Payroll Statutory Compliance (1).pdfThe Role of Technology in Payroll Statutory Compliance (1).pdf
The Role of Technology in Payroll Statutory Compliance (1).pdf
 
The Evolution of Remote Server Management
The Evolution of Remote Server ManagementThe Evolution of Remote Server Management
The Evolution of Remote Server Management
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 

On deobfuscation in practice

  • 1. On deobfuscation in practice Vasily Bukasov Dmitry Schelkunov
  • 2. Obfuscation applications Software protection against computer piracy Malware protection against automatic detection and to impede analysis of a malicious code
  • 3. Obfuscators and protectors Manual obfuscation requires a lot of resources It’s much easier to use obfuscators and protectors which promise a strong obfuscation
  • 4. Common code protection techniques Code encryption (out of scope of our report) Code virtualization Code morphing
  • 5. Code virtualization Converts a source assembler code to the specially generated byte-code Inserts byte-code and byte-code interpreter into the source PE file
  • 6. Code virtualization Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions
  • 7. Code virtualization Get instruction byte-code Byte-code fetching loop Get instruction arguments from VM context or from another location Process instruction Save result into VM context or into another location
  • 8. VM context Contains variables associated with processor registers Contains VM state Its location can be easily found in most cases
  • 9. VM context location Dynamically allocated memory (VirtualAlloc, HeapAlloc) Global memory (access via spinlock) Stack
  • 10. VM stack context layout Stack of the protected code Reserved area VM context rSP 0 Not initialized
  • 11. « Virtualized » addition void unoptimal_addition( int a, int b, int *p ) { int u, v, t, *r; u = a; v = b; r = p;   t = u + v; *r = t; }
  • 12. Virtualized code execution Getting byte-code Loading from VM context Instruction execution Saving to VM context Getting byte-code Loading from VM context Instruction execution Saving to VM context This code is asking to be optimized  etc…
  • 13. Code devirtualization We can locate VM context We can get CFG in most cases We can use common code optimization algorithms to deobfuscate a virtualized code
  • 14. Code morphing Used to increase resistance to the static analysis Used for the CFG obfuscation Used to increase VM body analyzing complexity
  • 15. Code morphing and CFG obfuscation Therefore protectors don’t even try to do it  It’s a difficult task to decompile a machine code
  • 16. Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
  • 17. Code morphing common techniques Recursive templates Instruction Instruction Instruction … Instruction Template Template Template Template
  • 18. Code morphing common techniques Dead code insertion Garbage code insertion Opaque predicates Jump address calculation Code cloning
  • 19. Morphed code deobfuscation Decompilation into IR IR instruction emulation Collecting variables values Emulation-based deobfuscation techniques
  • 20. Ariadne engine An engine for RE Can be used as IDA plugin Enables PE format analyzing, disassembling and modifying Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX
  • 21. Ariadne engine Supports assembler instructions translation into Ariadne Intermediate Representation (AIR) Supports IR instructions emulation Contains emulator-based code tracing mechanisms
  • 22. Ariadne engine Contains built-in trace deobfuscation ( AIR Wave Deobfuscation Technology )
  • 23. AIR Wave Deobfuscation Technology Static deobfuscation based on the classical compiler theory approaches doesn’t use emulation
  • 24. AIR Wave Deobfuscation Technology Dynamic deobfuscation uses Ariadne IR emulator calculates values of variables determines in a lot of cases where a pointer points to used for dereferenced pointers deobfuscation
  • 25. AIR Wave Deobfuscation Technology Deobfuscation techniques dead code elimination variables propagation constant folding math simplifications
  • 26. AIR Wave Deobfuscation Technology Deobfuscation techniques loop unrolling common subexpression elimination pointer analysis and alias classification
  • 27. Our results Many obfuscators/protectors provide a weak obfuscation Ariadne engine can be effectively used for deobfuscation
  • 28. AIR Wave Deobfuscation Technology Tested on … See it for yourself 
  • 29. And our thanks go… To Rolf Rolles for his works about virtualization obfuscation unpacking To Leta Group for Ariadne sponsorship