SlideShare a Scribd company logo

Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

DefconRussia
DefconRussia

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

Technology
1 of 30
Download to read offline
On deobfuscation in practice Vasily Bukasov Dmitry Schelkunov
Obfuscation applications • Software protection against computer piracy • Malware protection against automatic detection and to impede analysis of a malicious code
Obfuscators and protectors • Manual obfuscation requires a lot of resources • It’s much easier to use obfuscators and protectors which promise a strong obfuscation
Common code protection techniques • Code encryption (out of scope of our report) • Code virtualization • Code morphing
Code virtualization • Converts a source assembler code to the specially generated byte-code • Inserts byte-code and byte- code interpreter into the source PE file
Code virtualization Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions
Code virtualization Get instruction byte-code Byte-code Get instruction arguments from VM fetching context or from another location loop Process instruction Save result into VM context or into another location
VM context • Contains variables associated with processor registers • Contains VM state • Its location can be easily found in most cases
VM context location • Dynamically allocated memory (VirtualAlloc, HeapAlloc) • Global memory (access via spinlock) • Stack
VM stack context layout 0 Not initialized VM context rSP Reserved area Stack of the protected code
«Virtualized» addition void unoptimal_addition( int a, int b, int *p ) { int u, v, t, *r; u = a; v = b; r = p; t = u + v; *r = t; }
Virtualized code execution Getting byte-code Loading from VM context This code is Instruction execution asking to be Saving to VM context Getting byte-code optimized  Loading from VM context Instruction execution Saving to VM context etc…
Code devirtualization • We can locate VM context • We can get CFG in most cases • We can use common code optimization algorithms to deobfuscate a virtualized code
Code morphing • Used to increase resistance to the static analysis • Used for the CFG obfuscation • Used to increase VM body analyzing complexity
Code morphing and CFG obfuscation It’s a difficult task to decompile a machine code Therefore protectors don’t even try to do it 
Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
Code morphing common techniques Recursive templates Template Template Instruction Instruction Template Instruction … Instruction Template
Code morphing common techniques • Dead code insertion • Garbage code insertion • Opaque predicates • Jump address calculation • Code cloning
Morphed code deobfuscation • Decompilation into IR • IR instruction emulation • Collecting variables values • Emulation-based deobfuscation techniques
Ariadne engine • An engine for RE • Can be used as IDA plugin • Enables PE format analyzing, disassembling and modifying • Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX
Ariadne engine • Supports assembler instructions translation into Ariadne Intermediate Representation (AIR) • Supports IR instructions emulation • Contains emulator-based code tracing mechanisms
Ariadne engine • Contains built-in trace deobfuscation (AIR Wave Deobfuscation Technology)
AIR Wave Deobfuscation Technology • Static deobfuscation –based on the classical compiler theory approaches –doesn’t use emulation
AIR Wave Deobfuscation Technology • Dynamic deobfuscation –uses Ariadne IR emulator –calculates values of variables –determines in a lot of cases where a pointer points to –used for dereferenced pointers deobfuscation
AIR Wave Deobfuscation Technology • Deobfuscation techniques –dead code elimination –variables propagation –constant folding –math simplifications
AIR Wave Deobfuscation Technology • Deobfuscation techniques –loop unrolling –common subexpression elimination –pointer analysis and alias classification
Our results • Many obfuscators/protectors provide a weak obfuscation • Ariadne engine can be effectively used for deobfuscation
AIR Wave Deobfuscation Technology Tested on … See it for yourself 
And our thanks go… • To Rolf Rolles for his works about virtualization obfuscation unpacking • To Leta Group for Ariadne sponsorship
Ariadne engine http://ariadne.group-ib.ru

Recommended

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
Dmitry Schelkunov
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
ReCrypt
 
JVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesJVM: A Platform for Multiple Languages
JVM: A Platform for Multiple Languages
Kris Mok
 
Dependency injection
Dependency injectionDependency injection
Dependency injection
housecor
 
Smashing the stack with Hydra
Smashing the stack with HydraSmashing the stack with Hydra
Smashing the stack with Hydra
pratap21
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64
The Linux Foundation
 
The Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics DevelopmentThe Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics Development
ukdpe
 
Building a Wireless Mesh Network Temperature Sensor
Building a Wireless Mesh Network Temperature SensorBuilding a Wireless Mesh Network Temperature Sensor
Building a Wireless Mesh Network Temperature Sensor
michaelpigg
 

Recommended

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
Dmitry Schelkunov
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
ReCrypt
 
JVM: A Platform for Multiple Languages
JVM: A Platform for Multiple LanguagesJVM: A Platform for Multiple Languages
JVM: A Platform for Multiple Languages
Kris Mok
 
Dependency injection
Dependency injectionDependency injection
Dependency injection
housecor
 
Smashing the stack with Hydra
Smashing the stack with HydraSmashing the stack with Hydra
Smashing the stack with Hydra
pratap21
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64
The Linux Foundation
 
The Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics DevelopmentThe Ongoing Democratization of Robotics Development
The Ongoing Democratization of Robotics Development
ukdpe
 
Building a Wireless Mesh Network Temperature Sensor
Building a Wireless Mesh Network Temperature SensorBuilding a Wireless Mesh Network Temperature Sensor
Building a Wireless Mesh Network Temperature Sensor
michaelpigg
 
OIVM
OIVMOIVM
OIVM
Adwiteeya Agrawal
 
UVM TUTORIAL;
UVM TUTORIAL;UVM TUTORIAL;
UVM TUTORIAL;
Azad Mishra
 
Hypervisors
HypervisorsHypervisors
Hypervisors
SrikantMishra12
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
OSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical UpdateOSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical Update
mfrancis
 
Emulation-based SW protection
Emulation-based SW protectionEmulation-based SW protection
Emulation-based SW protection
abdullah roomi
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
Kingston Smiler
 
Invoke dynamic your api to hotspot
Invoke dynamic your api to hotspotInvoke dynamic your api to hotspot
Invoke dynamic your api to hotspot
Boundary
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
Andrey Karpov
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
Ontico
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Мохачёк Сахер
 
Lec1 final
Lec1 finalLec1 final
Lec1 final
Gichelle Amon
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Server Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David DelabasseeServer Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David Delabassee
JAXLondon2014
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
Ford AntiTrust
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
RISC-V International
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
intertelinvestigations
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 

More Related Content

Similar to Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
Invoke dynamic your api to hotspot
Invoke dynamic your api to hotspotInvoke dynamic your api to hotspot
Invoke dynamic your api to hotspot
Boundary
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
Ontico
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 

Similar to Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation (20)

OIVM
OIVMOIVM
OIVM
 
UVM TUTORIAL;
UVM TUTORIAL;UVM TUTORIAL;
UVM TUTORIAL;
 
Hypervisors
HypervisorsHypervisors
Hypervisors
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
OSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical UpdateOSGi Community Event 2010 - OSGi Technical Update
OSGi Community Event 2010 - OSGi Technical Update
 
Emulation-based SW protection
Emulation-based SW protectionEmulation-based SW protection
Emulation-based SW protection
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
Invoke dynamic your api to hotspot
Invoke dynamic your api to hotspotInvoke dynamic your api to hotspot
Invoke dynamic your api to hotspot
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
 
Lec1 final
Lec1 finalLec1 final
Lec1 final
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Server Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David DelabasseeServer Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David Delabassee
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
/* pOrt80BKK */ - PHP Day - PHP Performance with APC + Memcached for Windows
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 

More from DefconRussia

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Recently uploaded

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

  • 1. On deobfuscation in practice Vasily Bukasov Dmitry Schelkunov
  • 2. Obfuscation applications • Software protection against computer piracy • Malware protection against automatic detection and to impede analysis of a malicious code
  • 3. Obfuscators and protectors • Manual obfuscation requires a lot of resources • It’s much easier to use obfuscators and protectors which promise a strong obfuscation
  • 4. Common code protection techniques • Code encryption (out of scope of our report) • Code virtualization • Code morphing
  • 5. Code virtualization • Converts a source assembler code to the specially generated byte-code • Inserts byte-code and byte- code interpreter into the source PE file
  • 6. Code virtualization Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions
  • 7. Code virtualization Get instruction byte-code Byte-code Get instruction arguments from VM fetching context or from another location loop Process instruction Save result into VM context or into another location
  • 8. VM context • Contains variables associated with processor registers • Contains VM state • Its location can be easily found in most cases
  • 9. VM context location • Dynamically allocated memory (VirtualAlloc, HeapAlloc) • Global memory (access via spinlock) • Stack
  • 10. VM stack context layout 0 Not initialized VM context rSP Reserved area Stack of the protected code
  • 11. «Virtualized» addition void unoptimal_addition( int a, int b, int *p ) { int u, v, t, *r; u = a; v = b; r = p; t = u + v; *r = t; }
  • 12. Virtualized code execution Getting byte-code Loading from VM context This code is Instruction execution asking to be Saving to VM context Getting byte-code optimized  Loading from VM context Instruction execution Saving to VM context etc…
  • 13. Code devirtualization • We can locate VM context • We can get CFG in most cases • We can use common code optimization algorithms to deobfuscate a virtualized code
  • 14. Code morphing • Used to increase resistance to the static analysis • Used for the CFG obfuscation • Used to increase VM body analyzing complexity
  • 15. Code morphing and CFG obfuscation It’s a difficult task to decompile a machine code Therefore protectors don’t even try to do it 
  • 16. Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
  • 17. Code morphing common techniques Recursive templates Template Template Instruction Instruction Template Instruction … Instruction Template
  • 18. Code morphing common techniques • Dead code insertion • Garbage code insertion • Opaque predicates • Jump address calculation • Code cloning
  • 19. Morphed code deobfuscation • Decompilation into IR • IR instruction emulation • Collecting variables values • Emulation-based deobfuscation techniques
  • 20. Ariadne engine • An engine for RE • Can be used as IDA plugin • Enables PE format analyzing, disassembling and modifying • Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX
  • 21. Ariadne engine • Supports assembler instructions translation into Ariadne Intermediate Representation (AIR) • Supports IR instructions emulation • Contains emulator-based code tracing mechanisms
  • 22. Ariadne engine • Contains built-in trace deobfuscation (AIR Wave Deobfuscation Technology)
  • 23. AIR Wave Deobfuscation Technology • Static deobfuscation –based on the classical compiler theory approaches –doesn’t use emulation
  • 24. AIR Wave Deobfuscation Technology • Dynamic deobfuscation –uses Ariadne IR emulator –calculates values of variables –determines in a lot of cases where a pointer points to –used for dereferenced pointers deobfuscation
  • 25. AIR Wave Deobfuscation Technology • Deobfuscation techniques –dead code elimination –variables propagation –constant folding –math simplifications
  • 26. AIR Wave Deobfuscation Technology • Deobfuscation techniques –loop unrolling –common subexpression elimination –pointer analysis and alias classification
  • 27. Our results • Many obfuscators/protectors provide a weak obfuscation • Ariadne engine can be effectively used for deobfuscation
  • 28. AIR Wave Deobfuscation Technology Tested on … See it for yourself 
  • 29. And our thanks go… • To Rolf Rolles for his works about virtualization obfuscation unpacking • To Leta Group for Ariadne sponsorship