
deep knowledge technical trainings

AUGUST 22 / 23 / 24 / 25 @ INTERCONTINENTAL SINGAPORE

An Analytical Approach to Modern Binary Deobfuscation

This is a curated training that provides an intensive jump-start into the field of code (de)obfuscation. Over the course of this training, students will receive a comprehensive introduction to the most relevant software obfuscation mechanisms as well as existing deobfuscation techniques to analyze, confront and defeat obfuscated code.

$4,299.00

Duration

4-day

Delivery Method

In-Person

Level

Intermediate

Seats Available

20

REGISTRATION CLOSED

DATE: 22-25 August 2022

TIME: 09:00 to 17:00 SGT/GMT +8

Date    Day        Time                    Duration
22 Aug  Monday     09:00-17:00 SGT/GMT+8   8 hours: presentations and hands-on exercises
23 Aug  Tuesday    09:00-17:00 SGT/GMT+8   8 hours: presentations and hands-on exercises
24 Aug  Wednesday  09:00-17:00 SGT/GMT+8   8 hours: presentations and hands-on exercises
25 Aug  Thursday   09:00-17:00 SGT/GMT+8   8 hours: presentations and hands-on exercises

Code obfuscation has become one of the most prevalent mechanisms for complicating software reverse engineering. It plays a major role in a wide range of domains, from malware to the protection of intellectual property and digital rights management.

An Analytical Approach to Modern Binary Deobfuscation is a curated training that provides an intensive jump-start into the field of code (de)obfuscation. Over the course of this training, students will receive a comprehensive introduction to the most relevant software obfuscation mechanisms as well as existing deobfuscation techniques to analyze, confront and defeat obfuscated code.

Teaching Methodology

Live classes are designed to be dynamic and engaging, so that students get the most out of the training materials and the instructor's expertise. Concepts are presented clearly and accompanied by illustrative examples and demos. Practice time is allocated for each section: students work through several exercises and projects with continuous support from the instructor.

Students will be provided with
  • Access to a VM with all tools, examples and exercises
  • Access to a private chat with instructor and other students

Agenda

Day 1


  • Introduction, context and motivation
  • Data-flow based obfuscation
    • Constant unfolding
    • Dead code insertion
    • Encodings
    • Pattern-based obfuscation
  • Control-flow based obfuscation
    • Function inlining/outlining
    • Opaque predicates
    • Control-flow flattening
  • Mixing data-flow and control-flow obfuscation
    • VM-based obfuscation
    • Hardening VM-based obfuscation

Exercises
Project – Manually craft a custom obfuscation VM

Day 2


  • SMT-based analysis
    • A primer on SMT solvers
    • Translate code conditions into SMT solver constraints
    • Program analysis with SMT solvers
  • Mixed Boolean-Arithmetic
    • Preliminary concepts
    • MBA rewriting
    • Insertion of identities
    • Opaque constants

Exercises
Project – Applied MBA to obfuscate the semantics of VM-handlers
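
The MBA material above, as an added worked example written for this page rather than taken from the training: a plain 8-bit expression is rewritten through the identities the agenda names (MBA rewriting, insertion of identities, opaque constants), and equivalence is then checked both exhaustively and, where the z3 Python package happens to be installed, with an SMT query of the kind the SMT primer covers. The function names, constants and the 8-bit width are this example's own choices.

```python
"""Mixed Boolean-Arithmetic (MBA) rewriting on narrow bit-vectors.

Added example for this page (not the training's own material). It hides a
plain 8-bit expression behind MBA rewrites, an inserted identity and an
opaque constant, then checks that the obfuscated form is equivalent: by
exhaustive enumeration (feasible at 8 bits) and, if the z3 package is
installed, by asking an SMT solver whether any input distinguishes them.
"""

BITS = 8                    # width chosen so the exhaustive check stays cheap
MASK = (1 << BITS) - 1

def original(x, y):
    """Clean semantics to be hidden: (x + y) ^ 0x5A."""
    return ((x + y) ^ 0x5A) & MASK

# MBA identities used below (all valid modulo 2^BITS):
#   x + y  ==  (x ^ y) + 2*(x & y)
#   x ^ y  ==  (x | y) - (x & y)
#   x | ~x ==  all bits set
def mba_add(x, y):
    return ((x ^ y) + 2 * (x & y)) & MASK

def mba_xor(x, y):
    return ((x | y) - (x & y)) & MASK

def identity_zero(x, y):
    """Inserted identity: (x ^ y) - (x | y) + (x & y) is always 0."""
    return ((x ^ y) - (x | y) + (x & y)) & MASK

def opaque_constant(x):
    """Opaque constant: (x | ~x) is 0xFF for every x, so 0xFF - 0xA5 == 0x5A."""
    not_x = (~x) & MASK
    return (((x | not_x) & MASK) - 0xA5) & MASK

def obfuscated(x, y):
    """Same function as `original`, written only through MBA building blocks."""
    s = (mba_add(x, y) + identity_zero(x, y)) & MASK
    return mba_xor(s, opaque_constant(x))

def exhaustive_equivalent(f, g):
    """Ground-truth check: compare f and g on all 2^(2*BITS) inputs."""
    return all(f(x, y) == g(x, y)
               for x in range(MASK + 1) for y in range(MASK + 1))

def smt_equivalent(f, g):
    """SMT check: is f(x, y) != g(x, y) satisfiable for BITS-wide bit-vectors?
    Returns True (equivalent), False (a counterexample exists) or None when
    z3 is not installed. The same Python functions are reused because every
    operator they use is overloaded on z3 BitVec terms."""
    try:
        import z3
    except ImportError:
        return None
    x, y = z3.BitVec("x", BITS), z3.BitVec("y", BITS)
    solver = z3.Solver()
    solver.add(f(x, y) != g(x, y))
    return solver.check() == z3.unsat

if __name__ == "__main__":
    print("exhaustive:", exhaustive_equivalent(original, obfuscated))
    print("smt:", smt_equivalent(original, obfuscated))
```

The exhaustive check is the ground truth at 8 bits; at the 32- or 64-bit widths of real handlers it is out of reach, which is exactly why the training moves to SMT-based reasoning for these rewrites.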

Day 3


  • Symbolic execution
    • Reasoning about code in a symbolic way
    • Working with native code
    • Working with intermediate representations
    • Data-flow analysis and compiler optimizations
    • Extract symbolic formulas
    • Extract path constraints
    • Plugging an SMT solver
    • Attacking obfuscation schemes

Guided project – Build your own (toy) symbolic execution engine

Exercises
Project – Attack obfuscated VM and explore symbolic execution limits
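
Day 1's custom obfuscation VM project and Day 3's toy symbolic execution engine, covered together in one added example written for this page (not the training's own material): a tiny stack VM executes XOR-encoded bytecode through one handler per opcode, and a second interpreter drives the same dispatch loop with symbolic arguments so that the value left at RET is the formula the VM computes. The opcode numbers, the encoding key and the sample program are all made up here; the program is branch-free, so only formula extraction is shown, not path constraints.

```python
"""Toy obfuscation VM plus a symbolic executor that recovers its semantics.

Added example for this page (not the training's own material). A small
stack VM runs XOR-encoded bytecode through one handler per opcode; a second
interpreter feeds the same handlers symbolic arguments instead of numbers,
so the value left on the stack at RET is the formula the VM computes.
Opcode numbers, the encoding key and the sample program are all made up.
"""

KEY = 0x37     # constructed: every bytecode byte is XOR-ed with this key
MASK = 0xFFFFFFFF

OP_PUSH_ARG, OP_PUSH_IMM, OP_ADD, OP_MUL, OP_XOR, OP_AND, OP_RET = range(7)

def assemble(instrs):
    """Encode a list of (opcode, operand-or-None) pairs into obfuscated bytes."""
    out = []
    for op, arg in instrs:
        out.append(op ^ KEY)
        if arg is not None:
            out.append(arg ^ KEY)          # operands are one byte in this toy
    return bytes(out)

def run(code, args, ops):
    """Dispatch loop shared by both interpreters. `ops` maps a binary opcode
    to a handler taking (lhs, rhs) stack values."""
    stack, pc = [], 0
    while True:
        op = code[pc] ^ KEY
        pc += 1
        if op == OP_PUSH_ARG:
            stack.append(args[code[pc] ^ KEY])
            pc += 1
        elif op == OP_PUSH_IMM:
            stack.append(code[pc] ^ KEY)
            pc += 1
        elif op == OP_RET:
            return stack.pop()
        else:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(ops[op](lhs, rhs))

# Concrete handlers: ordinary 32-bit arithmetic.
CONCRETE = {
    OP_ADD: lambda a, b: (a + b) & MASK,
    OP_MUL: lambda a, b: (a * b) & MASK,
    OP_XOR: lambda a, b: a ^ b,
    OP_AND: lambda a, b: a & b,
}

def _symbolic(name, fold):
    """Symbolic handler: fold when both operands are concrete, otherwise
    build an expression string (a real engine would build an AST/SMT term)."""
    def handler(a, b):
        if isinstance(a, int) and isinstance(b, int):
            return fold(a, b)
        return f"({a} {name} {b})"
    return handler

SYMBOLIC = {op: _symbolic(name, CONCRETE[op]) for op, name in
            ((OP_ADD, "+"), (OP_MUL, "*"), (OP_XOR, "^"), (OP_AND, "&"))}

def execute(code, args):
    """Run the VM on concrete integer arguments."""
    return run(code, args, CONCRETE)

def symbolic_formula(code, arg_names):
    """Run the VM on symbolic arguments; returns the recovered expression."""
    return run(code, list(arg_names), SYMBOLIC)

# Constructed sample program: ((arg0 + 7) * arg1) ^ 0x5A
PROGRAM = assemble([
    (OP_PUSH_ARG, 0), (OP_PUSH_IMM, 7), (OP_ADD, None),
    (OP_PUSH_ARG, 1), (OP_MUL, None),
    (OP_PUSH_IMM, 0x5A), (OP_XOR, None),
    (OP_RET, None),
])

if __name__ == "__main__":
    print("bytecode:", PROGRAM.hex())
    print("execute(3, 4) =", execute(PROGRAM, [3, 4]))
    print("formula       =", symbolic_formula(PROGRAM, ["x", "y"]))
```

The point of reusing one dispatch loop is that the symbolic run needs no knowledge of the encoding beyond what the VM itself has: the handlers are the semantics, so lifting them once lifts every program the VM can run. Where this toy stops short is branching, since a real engine must fork on a conditional jump and carry a path constraint per fork.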

Day 4


  • Program synthesis
    • Code syntax VS Code semantics
    • Specifying program behavior
    • Oracle-based program synthesis
    • Describing semantics through I/O behavior
    • Generating I/O pairs
    • Different synthesis flavors
    • Practical considerations
    • Attacking obfuscation schemes

  • Conclusions and research directions

Guided project – Build your own code semantics synthesizer

Exercises
Project – Recover the semantics of MBA-obfuscated VM-handlers
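
The oracle-based synthesis items above, as an added example written for this page (not the Syntia or msynth code the training uses): an obfuscated handler is treated as a black box, its I/O behaviour is sampled on random inputs, and small expression trees are enumerated smallest-first until one reproduces every sample. The grammar (x, y, the constant 1 and five binary operators), the depth bound, the sample counts and the three constructed MBA-style handlers are choices made for this example.

```python
"""Oracle-guided program synthesis from I/O samples.

Added example for this page (not the Syntia/msynth code the training uses).
An obfuscated handler is treated as a black-box oracle: we sample its I/O
behaviour on random inputs and enumerate small expression trees, smallest
first, until one reproduces every sample. The grammar (x, y, 1 and five
binary operators), the depth bound and the sample counts are choices made
for this example; the oracles are constructed MBA-style handlers.
"""
import random

BITS = 32
MASK = (1 << BITS) - 1

BINOPS = {
    "+": lambda a, b: (a + b) & MASK,
    "-": lambda a, b: (a - b) & MASK,
    "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b,
    "|": lambda a, b: a | b,
}
LEAVES = ("x", "y", "1")

def evaluate(expr, env):
    """expr is a leaf name ('x', 'y', '1') or a nested (op, lhs, rhs) tuple."""
    if isinstance(expr, str):
        return env[expr] if expr in env else int(expr)
    op, lhs, rhs = expr
    return BINOPS[op](evaluate(lhs, env), evaluate(rhs, env))

def to_str(expr):
    if isinstance(expr, str):
        return expr
    op, lhs, rhs = expr
    return f"({to_str(lhs)} {op} {to_str(rhs)})"

def enumerate_exprs(max_depth):
    """Yield every tree up to max_depth, ordered by depth so the first hit is
    among the smallest candidates (syntactic size stands in for simplicity)."""
    levels = [list(LEAVES)]                # levels[d] = trees of exact depth d
    for _ in range(1, max_depth + 1):
        below = [e for lvl in levels for e in lvl]
        newest = set(levels[-1])
        levels.append([(op, l, r) for op in BINOPS for l in below for r in below
                       if l in newest or r in newest])
    for lvl in levels:
        yield from lvl

def sample_io(oracle, n, seed):
    """Generate n (input, output) pairs by querying the oracle on random inputs."""
    rng = random.Random(seed)
    return [((x, y), oracle(x, y))
            for x, y in ((rng.getrandbits(BITS), rng.getrandbits(BITS)) for _ in range(n))]

def matches(expr, samples):
    return all(evaluate(expr, {"x": x, "y": y}) == out for (x, y), out in samples)

def synthesize(oracle, max_depth=2, n_samples=16):
    """Return the first enumerated expression consistent with the oracle's I/O
    behaviour, or None if nothing within the depth bound fits."""
    samples = sample_io(oracle, n_samples, seed=1)
    for cand in enumerate_exprs(max_depth):
        if matches(cand, samples):
            # Practical consideration: a small sample set can admit spurious
            # candidates, so confirm on a fresh batch before accepting.
            if matches(cand, sample_io(oracle, 64, seed=2)):
                return cand
    return None

# Constructed "handlers" whose syntax hides a simple semantics.
def handler_xor(x, y):      # (x | y) - (x & y)  ==  x ^ y
    return ((x | y) - (x & y)) & MASK

def handler_add(x, y):      # (x ^ y) + 2*(x & y)  ==  x + y
    return ((x ^ y) + ((x & y) << 1)) & MASK

def handler_inc_xor(x, y):  # ((x | y) - (x & y)) + 1  ==  (x ^ y) + 1
    return (((x | y) - (x & y)) + 1) & MASK

if __name__ == "__main__":
    for h in (handler_xor, handler_add, handler_inc_xor):
        print(h.__name__, "->", to_str(synthesize(h)))
```

Two limits worth noticing, both of which the training's "practical considerations" item is about: enumeration grows exponentially with depth (a depth bound of 2 is already several thousand candidates with this grammar), and sampling only gives probabilistic evidence of equivalence, so a candidate accepted here still needs an SMT equivalence check before it is trusted.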

Tools used
  • Disassemblers
    • IDA Free/Home/Pro
    • Ghidra
    • Radare2
  • Obfuscation
    • Manual obfuscation
    • O-LLVM
    • Tigress
  • Symbolic execution
    • Miasm
    • Triton
  • Program synthesis
    • Syntia
    • msynth
    • Custom tooling
  • Other tools
    • Z3
    • Other custom tooling

Researcher

National University of Singapore

Dr. Wang Kailong is currently a research fellow at the National University of Singapore (NUS). He received his PhD from the School of Computing, NUS, in 2022, and worked as a Research Assistant at NUS while pursuing it from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His work has appeared in top conferences such as WWW and MobiCom.

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP and head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured at HITB, DEF CON, Black Hat, CCC and other conferences, spanning fields from low-level security research such as hardware vulnerabilities, binary instrumentation and car hacking to high-level research on AI detection methods, enterprise security and identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Senior Security Researcher

Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and vehicle security. He is a winner of GeekPwn 2020 and also made it into the Tesla Hall of Fame in 2021. Kevin2600 has spoken at various conferences including KCON, DEFCON and CANSECWEST.


Who Should Attend

Reverse engineers, malware analysts and people working in the anti-cheat and software protection industry. It is also highly beneficial for bug hunters, vulnerability researchers, exploit developers and security researchers in general.

Key Learning Objectives

  • Obtain a high-level overview of the context and scenarios where code obfuscation is used
  • Gain an in-depth understanding of code obfuscation mechanisms
  • Build obfuscated code, both from scratch and through available tooling
  • Develop an understanding of the main code deobfuscation techniques
  • Learn tooling for analyzing obfuscated code and apply deobfuscation techniques
  • Become familiar with state-of-the-art (de)obfuscation research literature

Prerequisite Knowledge

  • Understanding of basic programming concepts
  • Familiarity with x86 assembly, C and Python
  • Knowledge of reverse engineering fundamentals

Hardware / Software Requirements

  • A working desktop/laptop capable of running virtual machines
  • 40 GB of free disk space