Virtual Deobfuscator - A DARPA Cyber Fast Track Funded Effort

Presented at Black Hat USA 2013, Aug. 1, 2013, 3:30 p.m. (60 minutes)

While there has been a lot research done on automatically reverse engineering of virtualization obfuscators, there has been no approach that did not require a lot of man-hours identifying the bytecode (static approaches) or a complete recreation of the bytecode back to original source form (dynamic approaches). The tool I created, Virtual Deobfuscator, will require no static man-hours reversing for the bytecode location or how the VM interpreter works, and will recreate instructions nearly equivalent to the original instructions.

Presenters:

• Jason Raber - HexEffect, LLC
  Jason Raber is the founder of HexEffect, LLC, which focuses on creating novel tools and techniques for automatically reverse engineering malware and software. He enjoys bodybuilding (Yeah Buddy!), fishing, and reversing! He has presented at Black Hat 4x -Hades, Deobfuscator, QuietRIATT, and RE with hardware emulators; and at REcon twice, about a custom Linux debugger and RE with hardware emulators

Links:

• https://www.blackhat.com/us-13/archives.html#Raber
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Virtual Deobfuscator - A DARPA Cyber Fast Track Funded Effort.mp4
• https://www.youtube.com/watch?v=hoda99l5y_g
• https://media.blackhat.com/us-13/US-13-Raber-Virtual-Deobfuscator-A-DARPA-Cyber-Fast-Track-Funded-Effort-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Raber-Virtual-Deobfuscator-A-DARPA-Cyber-Fast-Track-Funded-Effort-WP.pdf
• https://media.blackhat.com/us-13/US-13-Raber-Virtual-Deobfuscator-A-DARPA-Cyber-Fast-Track-Funded-Effort-Code.zip

Similar Presentations:

• REcon 2008 / The Deobfuscator
• TROOPERS16 (2016) / unrubby: reversing without reversing