De-Virtualizing the Dragon: Automated Unpacking and Deobfuscation of Nested VM-Based Protectors using Symbolic Execution and Taint Tracking

Presented at DEF CON 33 (2025), Aug. 9, 2025, 4:30 p.m. (45 minutes).

Modern software protectors increasingly rely on complex, often nested, virtualization techniques (VMProtect, Themida, custom solutions) which significantly hinder static and dynamic analysis. This talk introduces DragonSlayer, an automated framework combining symbolic execution with fine-grained dynamic taint tracking to systematically lift obfuscated bytecode from these protectors. Our approach precisely identifies VM handlers, recovers original instruction semantics, automatically unpacks multiple virtualization layers, and reconstructs analyzable representations of protected code. We demonstrate DragonSlayer's effectiveness against the latest commercial VM protectors and custom obfuscation solutions, significantly reducing analysis time from weeks to hours. This presentation includes technical deep-dives into our methodology, real-world case studies, and a demonstration of our tooling that helps reverse engineers slay the virtualization dragon.

References:

  1. Blazytko, T., Contag, M., Aschermann, C., & Holz, T. (2017). Syntia: Synthesizing the Semantics of Obfuscated Code. In 26th USENIX Security Symposium.
  2. Yadegari, B., Johannesmeyer, B., Whitely, B., & Debray, S. (2015). A Generic Approach to Automatic Deobfuscation of Executable Code. In IEEE Symposium on Security and Privacy.
  3. Ming, J., Xu, D., & Wu, D. (2017). VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification. In ACM Conference on Computer and Communications Security (CCS).
  4. Rolf, R., Luk, C.-K., & Debray, S. (2008). Symbolic/Concrete Execution to Find Bugs in Binary Programs. In IEEE/ACM International Conference on Automated Software Engineering.
  5. Coogan, K., Lu, G., & Debray, S. (2011). Deobfuscation of Virtualization-Obfuscated Software. In ACM Conference on Computer and Communications Security (CCS).
  6. Kinder, J. (2012). Towards Static Analysis of Virtualization-Obfuscated Binaries. In Working Conference on Reverse Engineering (WCRE).

Presenters:

  • Agostino "Van1sh" Panico
    Dr. Agostino "van1sh" Panico is a seasoned offensive security expert with over 15 years of experience specializing in advanced red teaming, exploit development, product security testing, and deception tactics. He is one of the few hundred globally to hold the prestigious GSE (GIAC Security Expert) certification. Driven by a passion for uncovering vulnerabilities, Agostino actively contributes to the security community as an organizer for BSides Italy, fostering collaboration and innovation.