Software Deobfuscation Techniques
3-Day Training | Virtual | 21-23 November 2021

This class is intended for students who have basic experience in reverse engineering and have to deal with obfuscated code. Furthermore, the course is also interesting for experienced reverse engineers who aim to deepen their understanding in program analysis techniques and code (de)obfuscation.
Trainer: Tim Blazytko, Binary Security Researcher, Co-Founder of emproof GmbH

Available seats: TBA
Difficulty: Advanced
Price: US$ 3,299
Attend in-person: TBA
Attend online: via livestream
Date: 21-23 November 2021
Time: 09:00 to 17:00 PST/GMT-8

Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst who still aims to reason about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand.

In this training, we get to know state-of-the-art code obfuscation techniques and look at how they complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. In doing so, participants deepen their knowledge of program analysis and learn when and how (not) to use the different techniques.

First, we have a look at important code obfuscation techniques and discuss how to attack them. Afterwards, we analyze a virtual machine-based (VM-based) obfuscation scheme, learn VM hardening techniques and see how to deal with them.

In the second part, we cover SMT-based program analysis. Specifically, students learn how to encode program analysis problems for SMT solvers, how to prove properties of code, how to deobfuscate mixed Boolean-Arithmetic and how to break weak cryptography.

Before we use symbolic execution to automate large parts of code deobfuscation, we first introduce intermediate languages and compiler optimizations to simplify industrial-grade obfuscation schemes. We then use symbolic execution to automate SMT-based program analysis and to break opaque predicates.

The last part covers program synthesis, an approach that learns the code's semantics based on its input-output behavior. We explore how to collect input-output pairs; then, we use program synthesis to deobfuscate mixed Boolean-Arithmetic and learn the semantics of VM instruction handlers.
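As an added illustration (not part of the course material), the following Python sketches the program-synthesis workflow described above: sample input/output pairs from a mixed Boolean-Arithmetic expression, enumerate candidate expressions smallest-first until one fits the samples, then prove the candidate equivalent. The 8-bit domain, the operator grammar and the MBA expression are constructed assumptions.

```python
import itertools
import random

MASK = 0xFF  # assumption: 8-bit values keep the exhaustive proof below cheap

def obfuscated(x, y):
    # Constructed MBA expression standing in for an obfuscated handler.
    return ((x ^ y) + ((x & y) << 1)) & MASK

def sample_io(fn, n=24, seed=7):
    # Stage 1: collect input/output pairs by running the code on random inputs.
    rng = random.Random(seed)
    return [((x, y), fn(x, y)) for x, y in
            ((rng.randrange(MASK + 1), rng.randrange(MASK + 1)) for _ in range(n))]

OPS = {  # grammar: binary operators over 8-bit operands
    "+": lambda a, b: (a + b) & MASK,
    "-": lambda a, b: (a - b) & MASK,
    "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b,
    "|": lambda a, b: a | b,
}

def candidates(max_ops):
    # Stage 2: enumerate expressions over {x, y} smallest first, so the first
    # candidate consistent with the samples is also the simplest explanation.
    seen = [("x", lambda x, y: x), ("y", lambda x, y: y)]
    yield from seen
    for _ in range(max_ops):
        new = []
        for (ta, fa), (tb, fb) in itertools.product(seen, repeat=2):
            for op, g in OPS.items():
                new.append((f"({ta} {op} {tb})",
                            lambda x, y, fa=fa, fb=fb, g=g: g(fa(x, y), fb(x, y))))
        yield from new
        seen += new

def synthesize(pairs, max_ops=2):
    # Return (text, fn) of the first candidate matching every observed pair.
    for text, fn in candidates(max_ops):
        if all(fn(x, y) == out for (x, y), out in pairs):
            return text, fn
    return None

def equivalent(fn_a, fn_b):
    # Stage 3: a sample-consistent guess is only a hypothesis; prove it. The
    # course does this with an SMT solver; on 8 bits checking all 65,536 inputs suffices.
    return all(fn_a(x, y) == fn_b(x, y)
               for x in range(MASK + 1) for y in range(MASK + 1))
```

With the default settings the synthesizer recovers `(x + y)` for the obfuscated expression; the final exhaustive check is what turns that guess into a proof, which is the role the SMT solver plays at machine word width.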

Prerequisites

  • Basic reverse engineering skills
  • Familiarity with x86 assembly and Python

Learning objectives

  • Get to know the state-of-the-art of code obfuscation and deobfuscation techniques
  • Learn compiler optimizations, SMT-based program analysis, symbolic execution and program synthesis
  • Apply all techniques to break obfuscation schemes in various hands-on sessions

Students should bring a notebook with 2 GB RAM (minimum) and up to 15 GB of free disk space. Furthermore, they should install a disassembler of their choice (e.g., IDA or Ghidra) as well as virtualization software such as VirtualBox or VMware. Students will be provided with a Linux VM containing all necessary tools and setups.

+Testimonials

What part of this course did you find most useful and interesting?

  • “Everything”
  • “The latter part, dealing with the automation of analysis, [where we were] applying the theory of techniques covered earlier on”
  • “It is very difficult to fault any component of this course, it appears as a very mature and well refined project. Tim is clearly very passionate on the subjects and that is portrayed through the material and delivery.”

Would you recommend this class, or attend other classes by this trainer?

  • “Yes!”
  • “Yes, I would definitely recommend this class to any reverse engineers wanting to advance their skills, and I would attend other classes by this trainer.”
  • “Absolutely recommend this class. It has met and exceeded all my expectations!”

From Tim’s past HITB training

  • Trainer’s Overall Score: 96%

+agenda

All modules run 21-23 November 2021.

Introduction to Code (De)obfuscation

– motivation
– application scenarios
– program analysis techniques

Code Obfuscation Techniques

– opaque predicates
– control-flow flattening
– mixed Boolean-Arithmetic
– virtual machines
– virtual machine hardening

Code Deobfuscation Techniques

– compiler optimizations
– reconstructing control flow
– SMT-based program analysis
– taint analysis
– symbolic execution
– program synthesis

Compiler Optimizations

– dead code elimination
– constant propagation/folding
– static single assignment (SSA)
– optimizing obfuscated code

SMT-based Program Analysis

– SAT and SMT solvers
– encoding program analysis problems for SMT solvers
– proving semantic equivalence
– proving properties of a piece of code
– solving complex program constraints
– deobfuscating mixed Boolean-Arithmetic
– breaking weak cryptography

Symbolic Execution

– intermediate languages for reverse engineering
– symbolic and semantic simplification of obfuscated code
– automation in reverse engineering
– deobfuscating VM-based obfuscation schemes
– interaction with SMT solvers
– breaking opaque predicates

Program Synthesis

– concept of program synthesis
– learning code semantics based on its input/output behavior
– obtaining input/output pairs from code
– deobfuscating mixed Boolean-Arithmetic
– learning semantics of VM instruction handlers

+TRAINERS

Tim Blazytko
Binary Security Researcher, Co-Founder of emproof GmbH

Tim Blazytko @mr_phrazer is a well-known binary security researcher and co-founder of emproof GmbH. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyz
