2025-06-27, Grand Salon
From gaming anti-cheat and DRM solutions to malware, Mixed Boolean-Arithmetic (MBA) obfuscation hides critical computations behind intricate Boolean and arithmetic transformations. In this talk, we demystify how these transformations are constructed and why they turn even simple code into a reverse-engineering nightmare. We then examine recent breakthroughs in algebraic and synthesis-based methods, such as QSynthesis, msynth, and Goomba, revealing both their strengths and shortcomings for real-world deobfuscation scenarios. Next, we introduce a new Binary Ninja plugin that combines SSA-based slicing and synthesis to systematically simplify MBA computations, and show its reliability and effectiveness against real-world protection schemes. Finally, we discuss the future of MBA research, highlighting how these emerging techniques continue to dismantle once-impenetrable defenses.
Mixed Boolean-Arithmetic (MBA) obfuscation has emerged as a powerful tactic for protecting software in a variety of domains, from commercial gaming anti-cheat and DRM solutions to advanced malware campaigns. Through intricate compositions of Boolean and arithmetic operations, MBA can transform even a simple expression into an unwieldy jungle of code, thwarting both manual analysis and automated reverse engineering tools. As MBAs often serve as building blocks for more complex protection schemes, understanding how and why MBAs are generated is essential for researchers and practitioners who need to penetrate these layers of obfuscation.
In this talk, we begin by exploring the foundations of MBA obfuscation. We outline the most common techniques, ranging from linear expansions to deeply recursive formulas and permutation polynomials, that make MBAs so resistant to typical decompilation and symbolic execution workflows. We then survey the evolution of MBA deobfuscation strategies, highlighting notable breakthroughs in algebraic methods, as well as synthesis-based approaches such as QSynthesis, msynth, and Goomba. These techniques not only reveal theoretical weaknesses in certain MBA schemes, but also offer practical ways to recover simplified expressions from highly obfuscated binaries.
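The two halves of the picture above, how an MBA is built from linear identities and permutation polynomials, and how I/O-based synthesis recovers the original expression without ever reasoning about the obfuscated syntax, can be seen together on a toy scale. The following is an added example, not code from the talk, the plugin, or QSynthesis, msynth or Goomba: it obfuscates x + y with two linear MBA identities and an affine permutation polynomial over 8-bit words, then recovers the plain expression by treating the obfuscated function as a black-box oracle and looking up its input/output signature in a precomputed table of candidate expressions. The constants A and B, the 8-bit word size, the candidate grammar, the sample count and the exhaustive equivalence check are assumptions chosen for the example; the real tools use their own grammars, 32/64-bit words and SMT-based verification.

```python
"""Toy MBA obfuscation and oracle-guided deobfuscation on 8-bit words.

Added example, not code from the talk or from QSynthesis/msynth/Goomba.
8-bit words keep the exhaustive equivalence check cheap; the identities
themselves hold for any word size.
"""
import itertools
import random

BITS = 8
MOD = 1 << BITS
MASK = MOD - 1


def m(v):
    """Reduce an integer to a BITS-bit two's-complement word."""
    return v & MASK


# --- Linear MBA identities of the kind obfuscators apply (true per bit, so for any width) ---
def mba_add(x, y):
    """x + y as (x ^ y) + 2*(x & y): xor is the carry-less sum, x & y marks the carries."""
    return m((x ^ y) + 2 * (x & y))


def mba_sub(x, y):
    """x - y as (x ^ y) - 2*(~x & y): ~x & y marks the bit positions that borrow."""
    return m((x ^ y) - 2 * (m(~x) & y))


# --- Affine permutation polynomial over Z/2^BITS: v -> A*v + B is a bijection iff A is odd ---
A, B = 0x4D, 0x1F            # constants chosen for this example (assumption)
A_INV = pow(A, -1, MOD)      # modular inverse exists because A is odd


def pp_encode(v):
    return m(A * v + B)


def pp_decode(v):
    return m(A_INV * (v - B))


def obfuscated(x, y):
    """An obfuscated x + y: encode both inputs, add with MBA, decode.
    Since enc(x) + enc(y) - B == enc(x + y) mod 2^BITS, decoding yields x + y."""
    t = mba_add(pp_encode(x), pp_encode(y))
    return pp_decode(mba_sub(t, B))


# --- Oracle-guided synthesis: recover a simple expression from I/O behaviour alone ---
BINOPS = {
    "+": lambda a, b: m(a + b),
    "-": lambda a, b: m(a - b),
    "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b,
    "|": lambda a, b: a | b,
}


def enumerate_candidates(depth):
    """Yield (source, evaluator) pairs from a small grammar, simplest first."""
    level = [("x", lambda x, y: x), ("y", lambda x, y: y)]
    yield from level
    for _ in range(depth):
        new = [("~" + s, (lambda f: lambda x, y: m(~f(x, y)))(f)) for s, f in level]
        for (s1, f1), (s2, f2) in itertools.product(level, repeat=2):
            for name, op in BINOPS.items():
                ev = (lambda f1, f2, op: lambda x, y: op(f1(x, y), f2(x, y)))(f1, f2, op)
                new.append(("(%s %s %s)" % (s1, name, s2), ev))
        yield from new
        level = level + new


def build_table(depth=2, samples=16, seed=1):
    """Key every candidate by its outputs on fixed random inputs and keep the
    first (simplest) expression per signature: the precomputed-table idea
    behind msynth-style synthesis."""
    rng = random.Random(seed)
    points = [(rng.randrange(MOD), rng.randrange(MOD)) for _ in range(samples)]
    table = {}
    for src, f in enumerate_candidates(depth):
        table.setdefault(tuple(f(x, y) for x, y in points), (src, f))
    return points, table


def synthesize(oracle, points, table):
    """Sample the black-box oracle and look up its signature. Returns the
    candidate's source, or None if the grammar holds nothing that matches."""
    hit = table.get(tuple(oracle(x, y) for x, y in points))
    return None if hit is None else hit[0]


def equivalent(f, g):
    """Exhaustive check over all inputs; the real tools use an SMT solver here
    because 64-bit words cannot be enumerated."""
    return all(f(x, y) == g(x, y) for x in range(MOD) for y in range(MOD))


if __name__ == "__main__":
    points, table = build_table()
    guess = synthesize(obfuscated, points, table)
    print("synthesized:", guess, "| table size:", len(table))
    print("verified on all inputs:", equivalent(obfuscated, lambda x, y: m(x + y)))
```

Running the file prints the recovered expression `(x + y)`. Two points carry over to real targets: the synthesizer never looks at the obfuscated syntax, so the depth of nesting an obfuscator adds does not cost it anything, and a table hit is only a conjecture until the verification step confirms it on all inputs, which is why a candidate that matches the samples but fails verification must be rejected rather than reported.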
Next, we introduce a new Binary Ninja plugin engineered to simplify complex MBAs in real-world applications. By leveraging SSA-based backward slicing to isolate obfuscated expressions and then feeding them into a specialized synthesis engine, the plugin systematically peels away layers of MBA transformations and restores readable, high-level logic that preserves the original semantics. Through concrete examples, we demonstrate how this workflow significantly strengthens reverse engineering efforts across a diverse range of obfuscated binaries.
Finally, we look ahead to future directions in MBA research, including the integration of algebraic rewriting with advanced synthesis techniques and potential applications of equality saturation in automated deobfuscation. Attendees will come away with a comprehensive understanding of MBA's inner workings, as well as actionable insights into the latest tools and techniques for cracking these defenses in practical reverse engineering scenarios.
Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.
Nicolò Altamura is a final-year MSc student in Computer Science and Engineering at the University of Verona. He specializes in reverse engineering, static analysis, and software security, creating tools like disassemblers, decompilers, and obfuscation frameworks. Through his blog and open-source projects, he explores advanced topics ranging from Mixed Boolean-Arithmetic transformations to malware detection heuristics. Drawing on both academic research and hands-on experience, he aims to bridge theory and practice in the field of software protection.