HITB LAB 002: Semi-Automatic Code Deobfuscation

Code obfuscation has become a vital tool to protect sensitive code against reverse engineering. In general, it impedes analysis by making the to-be-protected program more complex. In this hands-on lab, we have a look at two common code obfuscation techniques (opaque predicates and mixed Boolean-Arithmetic) deployed in APT malware and build tools to automatically break their protections.

To this end, we first analyze the protections on the binary level, before we introduce the core concepts of symbolic execution & SMT solvers. In the main part, students learn how to use these techniques to automatically remove opaque predicates from binaries and simplify complex mixed Boolean-Arithmetic operations.

The lab is suitable for anyone who wants to deepen knowledge in program analysis or code obfuscation techniques. Since the hands-on sessions are built on top of the Miasm reverse engineering framework, a basic proficiency in Python is recommended but not mandatory. Questions will be answered along the lab.

Topics Covered

* Obfuscation Techniques

– What are they used for?
– Opaque Predicates
– Mixed Boolean-Arithmetic
– Analysis of APT malware using such techniques

* Symbolic Execution and SMT Solving

– Core concepts
– How to use them in Miasm

* Automatic Removal of Opaque Predicates

– Detection via symbolic execution and SMT solving
– Patching the binary

* Automatic simplification of Mixed Boolean-Arithmetic

– Identification and simplification
– Verifying the correctness of simplifications

Register for this session!

Location: Track 3 / HITB Labs Date: May 28, 2021 Time: 5:00 pm - 7:00 pm Tim Blazytko