NorthSec 2020 (Online Edition)

Advanced Binary Analysis
2020-05-15, 10:00–13:00, Workshop Track 2

Discover practical advanced binary analysis techniques like code emulation, symbolic execution and dynamic instrumentation to help dealing with and understanding obfuscated and packed executables.


This workshop introduces advanced binary analysis concepts that are often required when reverse engineering executables protected by digital rights management (DRM) solutions or malicious software that attempts to hide behavior through code obfuscation and various indirections.

Participants will work on a tailor-made binary that simulates a packed and obfuscated malware dropper and apply the techniques presented to defeat its obfuscation and unpack each stage in order to recover and analyze the final payload. The solution to each stage will be shown and explained in detail. At the end of the workshop, attendees will be able to write emulation scripts using Python and Unicorn engine, use dynamic instrumentation to automate unpacking and perform selective symbolic execution and constraint solving to analyze program behavior.

The workshop will cover the following topics:

  • A brief introduction to the tools and frameworks
  • Overview of common obfuscation techniques
    • Metamorphic Code
    • Opaque Predicates
    • Virtualization
    • In-memory decryption
    • In-memory packing
  • Analysis Techniques
    • Code Emulation
    • Symbolic Execution
    • Dynamic Instrumentation
  • Exercises
    • Emulating a shellcode decryption routine and dropper using Unicorn
    • Dynamic Instrumentation to retrieve unpacked payload
    • Partial symbolic execution to solve metamorphic transformations

Workshops only: What materials (if any) should participants bring to the workshop? – A laptop running Linux and the following software is recommended for participants who wish to attempt the workshop exercises: - [Ghidra](https://ghidra-sre.org/) - [Python 3.8](https://python.org) - [Unicorn Engine (with Python package)](https://www.unicorn-engine.org/) - [Capstone Engine (with Python package)](https://www.capstone-engine.org/) - [Intel PIN](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) - [Z3](https://github.com/Z3Prover/z3) - [angr](https://angr.io/) A Virtualbox image containing all the required tools will be provided at the start of the workshop. If planning to use the VM, it is recommended to arrive early to allow time for copying the files and setting up the computer. Workshops only: What level of knowlegde or prerequisites should participants have? – Participants should have a basic knowledge of x86-64 assembly and be comfortable reading C code. Experience in reverse engineering is recommended but not necessary and no prior experience with the presented techniques is required.