Dynamic Binary Instrumentation Techniques to Address Native Code Obfuscation

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 12:30 p.m. (40 minutes)

Android applications are becoming more and more obfuscated to prevent reverse engineering. While obfuscation can be applied on both, the Dalvik bytecode and the native code, the former is more challenging to analyze due to the structure of the bytecode as well as the API provided by Android Runtime.

The purpose of this talk is to present dynamic binary instrumentation techniques that can help reverse engineers to deal with obfuscated codes.

These techniques aim to be obfuscator resilient so that it does not rely on a special kind of obfuscation neither a specific obfuscator.

Presenters:

• Romain Thomas - Security Engineer, Quarkslab
  Romain Thomas is a security engineer working on the development of new tools to assist security researchers. Author of LIEF, a library to parse and manipulate executable file formats (ELF, PE, Mach-O), he enjoys going back and forth between reverse engineering and tool development to see which part of the process can be automated. He is also interested in (de)obfuscation, software protections and packer. He contributed in the past to the Triton project, especially on de-obfuscation based on symbolic execution.

Links:

• https://www.blackhat.com/asia-20/briefings/schedule/#dynamic-binary-instrumentation-techniques-to-address-native-code-obfuscation-18309

Similar Presentations:

• Kernelcon 2023 / The ART of Runtime-Based Obfuscation in Android
• Black Hat USA 2016 / Next-Generation of Exploit Kit Detection by Building Simulated Obfuscators
• Black Hat USA 2015 / API Deobfuscator: Resolving Obfuscated API Functions in Modern Packers