| Date | Day | Time | Duration |
|---|---|---|---|
| 23 August | Monday | 09:00-17:00 SGT/GMT +8 | 8 Hours |
| 24 August | Tuesday | 09:00-17:00 SGT/GMT +8 | 8 Hours |
| 25 August | Wednesday | 09:00-17:00 SGT/GMT +8 | 8 Hours |
In this training, we get to know state-of-the-art code obfuscation techniques and have a look at how these complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.
First, we have a look at important code obfuscation techniques and discuss how to attack them. Afterwards, we analyze a virtual machine-based (VM-based) obfuscation scheme, learn VM hardening techniques and see how to deal with them.
In the second part, we cover SMT-based program analysis. In detail, students learn how to solve program analysis problems with SMT solvers, how to prove characteristics of code, how to deobfuscate mixed Boolean-Arithmetic and how to break weak cryptography.
Before we use symbolic execution to automate large parts of code deobfuscation, we first introduce intermediate languages and compiler optimizations to simplify industrial-grade obfuscation schemes. Next, we use symbolic execution to automate SMT-based program analysis and break opaque predicates.
The last part covers program synthesis, an approach that learns the code’s semantics based on its input-output behavior. We explore how to collect input-output pairs; then, we use program synthesis to deobfuscate mixed Boolean-Arithmetic and learn the semantics of VM instruction handlers.
This class is intended for students who have basic experience in reverse engineering and have to deal with obfuscated code. The course is also of interest to experienced reverse engineers who aim to deepen their understanding of program analysis techniques and code (de)obfuscation.
From Tim’s past HITB training
Would you recommend this class, or attend other classes by this trainer?
“Yes, I would definitely recommend this class to any reverse engineers wanting to advance their skills, and I would attend other classes by this trainer.”
“Absolutely recommend this class. It has met and exceeded all my expectations!”
What part of this course did you find most useful and interesting?
“The latter part, dealing with the automation of analysis, [where we were] applying the theory of techniques covered earlier on”
“It is very difficult to fault any component of this course, it appears as a very mature and well refined project. Tim is clearly very passionate on the subjects and that is portrayed through the material and delivery.”
Students should bring a notebook with 2 GB RAM (minimum) and up to 15 GB disk space. Furthermore, they should install a disassembler of their choice (e.g., IDA or Ghidra) as well as virtualization software such as VirtualBox or VMware. Students will be provided with a Linux VM containing all necessary tools and setups.