{"guid":"5cf8c222-47d3-4741-9324-be182b4d0fb8","title":"Lets break modern binary code obfuscation","subtitle":"A semantics based approach","slug":"34c3-8789-lets_break_modern_binary_code_obfuscation","link":"https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8789.html","description":"Do you want to learn how modern binary code obfuscation and deobfuscation work? Have you ever encountered roadblocks where well-known deobfuscation techniques do not work? Do you want to see a novel deobfuscation method that learns the code's behavior without analyzing the code itself? Then come to our talk, and we will give you a step-by-step guide.\n\nThis talk might be interesting for you if you love reverse engineering or binary security analysis. We present modern code obfuscation techniques, such as opaque predicates, arithmetic encoding and virtualization-based obfuscation. Further, we explain state-of-the-art methods in (automated) deobfuscation [1] as well as how to break these methods [2]. Finally, we introduce a novel approach [3] that learns the code's semantics and demonstrate how this can be used to deobfuscate real-world obfuscated code.\n\n[1] https://www.ieee-security.org/TC/SP2015/papers-archived/6949a674.pdf\n[2] https://mediatum.ub.tum.de/doc/1343173/1343173.pdf\n[3] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-blazytko.pdf","original_language":"eng","persons":["Tim Blazytko","Moritz 
Contag"],"view_count":2782,"promoted":false,"date":"2017-12-27T00:00:00.000+01:00","release_date":"2017-12-28T01:00:00.000+01:00","updated_at":"2026-04-21T10:45:06.493+02:00","tags":["34c3","8789","Security"],"length":3602,"duration":3602,"thumb_url":"https://static.media.ccc.de/media/congress/2017/8789-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2017/8789-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2017/5cf8c222-47d3-4741-9324-be182b4d0fb8-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2017/5cf8c222-47d3-4741-9324-be182b4d0fb8-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/34c3-8789-lets_break_modern_binary_code_obfuscation","url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_title":"34C3: TUWAT","conference_url":"https://api.media.ccc.de/public/conferences/34c3","related":[{"event_id":4763,"event_guid":"2ef3b60f-6e5c-4c23-a145-d263685ec13e","weight":72},{"event_id":4766,"event_guid":"19b7e5d7-bba7-46da-afbc-f16d43fe395f","weight":77},{"event_id":4781,"event_guid":"44e7cb13-011e-4242-b26a-1edf4ac15b83","weight":67},{"event_id":4784,"event_guid":"65a25dfd-56dd-4e87-a910-334e2dc25a9c","weight":94},{"event_id":4785,"event_guid":"4c4af291-e9ed-4dc9-8b2e-9062db9924fa","weight":67},{"event_id":4790,"event_guid":"edd02e52-28f8-4f3e-8b17-75cffecb6d7f","weight":63},{"event_id":4791,"event_guid":"8d29d28d-a222-4731-bdfc-fde590385cae","weight":65},{"event_id":4794,"event_guid":"a2887b4a-0c9d-4220-a52f-c65c20ae25d7","weight":33},{"event_id":4795,"event_guid":"722ce759-9cde-4e3b-8db5-5a97aa9673d9","weight":57},{"event_id":4796,"event_guid":"ff24373e-ebe2-4077-9db0-eae5ab003538","weight":68},{"event_id":4817,"event_guid":"be19fbe3-e825-4e67-93f9-a6aeda2e31af","weight":92},{"event_id":4819,"event_guid":"55f921ed-ab90-4553-9903-8658557ac447","weight":79},{"event_id":4826,"event_guid":"16645200-2036-4a3c-a44d-a5ff44ac2991","weight":95},{"event_id":482
8,"event_guid":"4cb7be14-bfbd-42a2-a556-9ef8e8bd6ba7","weight":20},{"event_id":4832,"event_guid":"275f85de-d612-4440-8755-85dee5912f12","weight":78},{"event_id":4833,"event_guid":"e1a60f7b-6a56-4dce-ab3a-c686fa940aa8","weight":149},{"event_id":4837,"event_guid":"664f6c37-2fab-4191-a5d6-042aba7518c3","weight":60},{"event_id":4841,"event_guid":"c38ddf1b-10d7-462c-a934-e69e9259ab19","weight":62},{"event_id":4842,"event_guid":"581ccbad-4bbf-47a2-8845-f52278d61061","weight":70},{"event_id":4845,"event_guid":"c21cb389-aba3-4eaa-ba1f-76f966b1686e","weight":80},{"event_id":4846,"event_guid":"832b8fb8-beb1-4d92-93d0-ba3b7568905a","weight":57},{"event_id":4855,"event_guid":"51b586be-500c-436e-b70c-fc433e65c4be","weight":56},{"event_id":4859,"event_guid":"95f6e79b-e6a5-4d93-b4ba-cb70470ed819","weight":82},{"event_id":4866,"event_guid":"117a52b4-f675-49dd-aafe-659c07b6bc9c","weight":77},{"event_id":4898,"event_guid":"8c303809-3c7c-4532-ab1e-c9a4e7c38245","weight":59}],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation.en_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2022-01-15T16:22:35.920+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/DRAFT_34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/57309","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":429,"length":3602,"mime_type":"video/mp4","language":"eng","filename":"34c3-8789-eng-Lets_break_modern_binary_code_obfuscation.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-12-28T22:01:20.935+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-8789-eng-Lets_break_modern_binary_code_
obfuscation.mp4","url":"https://api.media.ccc.de/public/recordings/21254","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":430,"length":3602,"mime_type":"video/mp4","language":"deu","filename":"34c3-8789-deu-Lets_break_modern_binary_code_obfuscation.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-12-28T22:01:58.384+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-8789-deu-Lets_break_modern_binary_code_obfuscation.mp4","url":"https://api.media.ccc.de/public/recordings/21255","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":599,"length":3602,"mime_type":"video/mp4","language":"eng-deu","filename":"34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-12-28T22:02:25.964+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_hd.mp4","url":"https://api.media.ccc.de/public/recordings/21256","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":228,"length":3602,"mime_type":"video/mp4","language":"eng-deu","filename":"34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_hd-slides.mp4","state":"new","folder":"slides-h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-12-28T22:44:16.686+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/slides-h264-hd/34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_hd-slides.mp4","url":"https://api.media.ccc.de/public/recordings/21287","event_url":"https://api.media.ccc.de/public
/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":34,"length":3587,"mime_type":"audio/opus","language":"eng","filename":"34c3-8789-eng-Lets_break_modern_binary_code_obfuscation.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2017-12-28T22:50:37.881+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/opus/34c3-8789-eng-Lets_break_modern_binary_code_obfuscation.opus","url":"https://api.media.ccc.de/public/recordings/21298","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":202,"length":3602,"mime_type":"video/mp4","language":"eng-deu","filename":"34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2017-12-28T22:51:20.604+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/h264-sd/34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_sd.mp4","url":"https://api.media.ccc.de/public/recordings/21299","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":54,"length":3587,"mime_type":"audio/mpeg","language":"eng","filename":"34c3-8789-eng-Lets_break_modern_binary_code_obfuscation.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2017-12-28T22:51:39.054+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/mp3/34c3-8789-eng-Lets_break_modern_binary_code_obfuscation.mp3","url":"https://api.media.ccc.de/public/recordings/21300","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":410,"length":3602,"mime_type":"video/webm","language":"eng-deu",
"filename":"34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2017-12-29T00:09:20.393+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/webm-sd/34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/21348","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":849,"length":3602,"mime_type":"video/webm","language":"eng-deu","filename":"34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2017-12-29T01:50:09.737+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/webm-hd/34c3-8789-eng-deu-Lets_break_modern_binary_code_obfuscation_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/21399","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":72,"length":3602,"mime_type":"video/mp4","language":"eng","filename":"34c3-8789-eng-Lets_break_modern_binary_code_obfuscation_sd-slides.mp4","state":"new","folder":"slides-h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2018-01-02T15:24:18.433+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/slides-h264-sd/34c3-8789-eng-Lets_break_modern_binary_code_obfuscation_sd-slides.mp4","url":"https://api.media.ccc.de/public/recordings/22265","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"},{"size":1,"length":null,"mime_type":"application/pdf","language":"eng","filename":"34c3-8789-lets_break_modern_binary_code_obfuscation.pdf","state":"new","folder
":"slides-pdf","high_quality":true,"width":null,"height":null,"updated_at":"2018-01-08T18:52:29.877+01:00","recording_url":"https://cdn.media.ccc.de/congress/2017/slides-pdf/34c3-8789-lets_break_modern_binary_code_obfuscation.pdf","url":"https://api.media.ccc.de/public/recordings/22451","event_url":"https://api.media.ccc.de/public/events/5cf8c222-47d3-4741-9324-be182b4d0fb8","conference_url":"https://api.media.ccc.de/public/conferences/34c3"}]}