This repository contains slides, samples and code of the 2h code deobfuscation workshop at HITBSecConf2021 AMSTERDAM. In the first part, we use Miasm
to automatically identify opaque predicates in the X-Tunnel
APT128-malware using symbolic execution and SMT solving. Afterward, we remove the opaque predicates via patching. In the second part, we use msynth
to simplify Mixed Boolean-Arithmetic (MBA) expressions. In combination with symbolic execution, we explore and simplify expressions in the FinSpy
malware.
The recording will be available soon.
# on debian/ubuntu based systems:
sudo apt-get install python-dev
# clone repository and init submodules
git clone https://github.com/mrphrazer/hitb2021ams_deobfuscation.git
cd hitb2021ams_deobfuscation
git submodule update --init --rebase --recursive
# on windows systems (from a Visual Studio 2019 command prompt):
cd msynth\miasm
python setup.py build
cd ..\..
# install dependencies
pip install -r requirements.txt
For more information, contact Tim Blazytko (@mr_phrazer).