Training at CanSecWest 2011: Advanced binary deobfuscation

Thu 03 February 2011 by jj

Yoann 'jj' Guillot will also be giving a course about advanced binary deobfuscation, during the next CanSecWest Dojo session in Vancouver (March 7th/8th).

The course will teach you how to overcome state-of-the-art binary obfuscation.

You will see, and learn to defeat:

  • traditional junk,
  • arithmetic code hiding,
  • code flattening,
  • and virtual-machine based obfuscation schemes.

This will be accomplished using the metasm framework, which is already well known in this field. Yoann, as the main developer of the framework, will teach you the most efficient ways to reach your goals.

The course is a re-edition of last year's dojo, improved based on students' feedback. It now fits in one day, with only the most relevant parts kept in, for an even more didactic training session.

By the end of the day, you'll be well armed to face heavily protected binaries and pierce through their various obfuscation layers.

Register now! Monday 3/7 | Tuesday 3/8

Agenda

(one day course)

  • Quick introduction to the framework, core classes/methods
  • Disassembly & debugging overview
  • Plugin architecture
  • Static deobfuscation, using advanced pattern matching
  • Graph manipulation to counter code flow obfuscation
  • Reversing a virtual machine interpreter using instruction semantics
  • Disassembling the virtual opcodes directly

Requirements:

You'll need a laptop running either Windows or Linux. If you have Ruby pre-installed, a 32-bit 1.8 version is preferred. You should also be already familiar with x86 assembly code, and have already worked on obfuscated code, either real-world or custom challenges.

If you have any questions, check out the IRC channel #metasm on the freenode network, or ask @metasm on Twitter.