BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//8TZSJN BEGIN:VTIMEZONE TZID:EST BEGIN:STANDARD DTSTART:20001029T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z TZNAME:EST TZOFFSETFROM:-0400 TZOFFSETTO:-0500 END:STANDARD BEGIN:STANDARD DTSTART:20071104T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11 TZNAME:EST TZOFFSETFROM:-0400 TZOFFSETTO:-0500 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000402T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z TZNAME:EDT TZOFFSETFROM:-0500 TZOFFSETTO:-0400 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20070311T030000 RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3 TZNAME:EDT TZOFFSETFROM:-0500 TZOFFSETTO:-0400 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-recon-2026-8TZSJN@cfp.recon.cx DTSTART;TZID=EST:20260619T170000 DTEND;TZID=EST:20260619T180000 DESCRIPTION:Over the past eight years we have systematically reverse-engine ered nearly ten interpreter and VM binaries\, including Lua\, Python\, Rub y\, PHP\, VBScript\, JScript\, PowerShell\, and V8\, to extract their inte rnal structures and automate that extraction at scale. This talk presents 11 concrete analysis techniques\, organized around 6 foundational binary a nalysis approaches\, for recovering interpreter internals from stripped bi naries. The techniques include multiple detection logics for VM component recovery that identify their exact locations in memory\, and a progressive deduction algorithm for ISA recovery that iteratively eliminates opcode a mbiguity across hundreds of test traces. Together they power STAGER\, our automated dynamic analysis system built on top of Intel Pin. STAGER comple tes a full analysis of one interpreter in at most a couple of hours\, whic h is an order-of-magnitude improvement over manual reverse engineering tha t typically takes days to weeks\, and keeps pace with the frequent version updates of real-world interpreter binaries. We will release STAGER as ope n-source at the conference.\n\nThe security payoff is direct. We use STAGE R output to build script-level API tracers\, which hook the interpreter's own built-in API functions (e.g.\, eval)\, enabling behavioral monitoring across diverse interpreter targets. We further leverage branch VM instruct ion identification and conditional flag detection to build a multi-path ex plorer\, and use recovered ISA mappings to perform dynamic bytecode instru mentation\; together these enable fine-grained analysis of evasive script malware that actively resists conventional debugging. We also combine STAG ER output with fuzzing harnesses for vulnerability discovery in interprete r runtimes\, and demonstrate bytecode-based process injection techniques f or red team operations that bypass diverse security mechanisms. These appl ications are grounded in real targets and will be shown in a live demo.\n\ nBeyond the techniques themselves\, we share hard-won lessons from nearly ten real-world targets: how compiler register allocation breaks memory-bas ed variable tracking and how to compensate with register-level static anal ysis\, how to handle interpreters layered atop other interpreters (e.g.\, PowerShell on .NET CLR) where execution traces interleave two VM layers\, and how to suppress or work around JIT compilation interference\, includin g the aggressive JIT behavior seen in V8. Accuracy results across all targ ets\, including honest failure cases where our approach hits fundamental l imitations\, are presented per technique.\n\nThree concrete takeaways for attendees:\n1. A working mental model of interpreter internals as attack a nd analysis surface\, grounded in nearly ten real-world targets.\n2. The 1 1-technique framework\, including VM component localization logics and a p rogressive ISA deduction algorithm\, directly applicable to diverse interp reter binaries.\n3. STAGER (open-source release) and the methods to adapt it to new interpreter targets. DTSTAMP:20260612T175825Z LOCATION:Grand Salon Opera SUMMARY:8 Years of Reverse-Engineering Interpreters: Techniques\, Automatio n\, and One Framework - Toshinori Usui URL:https://cfp.recon.cx/recon-2026/talk/8TZSJN/ END:VEVENT END:VCALENDAR