Attend onlinevia livestream
Date21-23 November 2021
Time09:00 to 17:00 PST/GMT-8
In this training, we get to know state-of-the-art code obfuscation techniques and have a look at how these complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.
First, we have a look at important code obfuscation techniques and discuss how to attack them. Afterwards, we analyze a virtual machine-based (VM-based) obfuscation scheme, learn VM hardening techniques and see how to deal with them.
In the second part, we cover SMT-based program analysis. In detail, students learn how to solve program analysis problems with SMT solvers, how to prove characteristics of code, how to deobfuscate mixed Boolean-Arithmetic and how to break weak cryptography.
Before we use symbolic execution to automate large parts of code deobfuscation, we first introduce intermediate languages and compiler optimizations to simplify industrial-grade obfuscation schemes. Following, we use symbolic execution to automate SMT-based program analysis and break opaque predicates.
The last part covers program synthesis, an approach that learns the code's semantics based on its input-output behavior. We explore how to collect input-output pairs; then, we use program synthesis to deobfuscate mixed Boolean-Arithmetic and learn the semantics of VM instruction handlers.
This class is intended for students who have basic experience in reverse engineering and have to deal with obfuscated code. Furthermore, the course is also interesting for experienced reverse engineers who aim to deepen their understanding in program analysis techniques and code (de)obfuscation.
Students should bring a notebook with 2 GB RAM (minimum) and up to 15 GB disk space. Furthermore, they should install a disassembler of their choice (e.g., IDA or Ghidra) as well as virtualization software such as Virtual Box or VMware. Students will be provided with a Linux VM containing all necessary tools and setups.
What part of this course did you find most useful and interesting?
Would you recommend this class, or attend other classes by this trainer?
From Tim’s past HITB training
– application scenarios
– program analysis techniques
– opaque predicates
– control-flow flattening
– mixed Boolean-Arithmetic
– virtual machines
– virtual machine hardening
– compiler optimizations
– reconstructing control flow
– SMT-based program analysis
– taint analysis
– symbolic execution
– program synthesis
– dead code elimination
– constant propagation/folding
– static single assignment (SSA)
– optimizing obfuscated code
– SAT and SMT solvers
– encoding programs analysis problems for SMT solvers
– proving semantic equivalence
– proving properties of a piece of code
– solving complex program constraints
– deobfuscating mixed Boolean-Arithmetic
– breaking weak cryptography
– intermediate languages for reverse engineering
– symbolic and semantic simplification of obfuscated code
– automation in reverse engineering
– deobfuscating VM-based obfuscation schemes
– interaction with SMT solvers
– breaking opaque predicates
– concept of program synthesis
– learning code semantics based on its input/output behavior
– obtaining input/output pairs from code
– deobfuscating mixed Boolean-Arithmetic
– learning semantics of VM instruction handlers
Tim Blazytko @mr_phrazer is a well-known binary security researcher and co-founder of emproof GmbH. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyz
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to be able to read and understand the existing attack and defense research in the space, taking an explicit walk through of the attack and defense moves and counter-moves threat tree. And as always, this classes teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to see out new problems in new areas that no one's read yet with a security mindset.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email firstname.lastname@example.org
This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way focusing on Intel-isms rather than OS-isms (albeit with using Windows as reinforcement, thanks to its excellent kernel-level debugging support.) This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email email@example.com
This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.
You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email firstname.lastname@example.org