Skip to content

mrphrazer/hitb2021ams_deobfuscation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
msynth @ c14a81a
msynth @ c14a81a
 
 
samples
samples
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
oracle.pickle
oracle.pickle
 
 
remove_opaque.py
remove_opaque.py
 
 
requirements.txt
requirements.txt
 
 
simplify_finspy.py
simplify_finspy.py
 
 
simplify_mba.py
simplify_mba.py
 
 
slides.pdf
slides.pdf
 
 
symbolic_execution.py
symbolic_execution.py
 
 

Repository files navigation

Semi-Automatic Code Deobfuscation

This repository contains slides, samples and code of the 2h code deobfuscation workshop at HITBSecConf2021 AMSTERDAM. In the first part, we use Miasm to automatically identify opaque predicates in the X-Tunnel APT128-malware using symbolic execution and SMT solving. Afterward, we remove the opaque predicates via patching. In the second part, we use msynth to simplify Mixed Boolean-Arithmetic (MBA) expressions. In combination with symbolic execution, we explore and simplify expressions in the FinSpy malware.

The recording will be available soon.

Installation

# on debian/ubuntu based systems:
sudo apt-get install python-dev

# clone repository and init submodules
git clone https://github.com/mrphrazer/hitb2021ams_deobfuscation.git
cd hitb2021ams_deobfuscation
git submodule update --init --rebase --recursive

# on windows systems (from a Visual Studio 2019 command prompt):
cd msynth\miasm
python setup.py build
cd ..\..

# install dependencies
pip install -r requirements.txt

Contact

For more information, contact Tim Blazytko (@mr_phrazer).

About

No description, website, or topics provided.

Resources

Readme

License

GPL-2.0 license
Activity

Stars

72 stars

Watchers

8 watching

Forks

15 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages