Recon 2024

Seeing Through Themida's Code Mutation
06-29, 09:30–10:00 (US/Eastern), Grand Salon

Themida is a popular commercial software obfuscator which provides code
virtualization and code mutation features.

While Themida's code mutation is generally considered a weaker obfuscation
scheme than code virtualization, there is little to no public information on the
feature's implementation. As a result, it is difficult to estimate the code
mutation's impact on an attacker's reverse engineering workflow. In this talk we
fill a bit of that gap by studying Themida's code mutation in detail and looking
for potential shortcomings.

We'll use Binary Ninja and Python to understand how the code mutation works for
x86-64 executables, ultimately automating its deobfuscation using Miasm and
symbolic execution.


In this talk we discuss x86-64 machine code obfuscation while studying Themida's
code mutation feature in particular.

We start by presenting Themida and the methodology used to study its code
obfuscation implementation.
We then dive into Themida's implementation of mutation-based code obfuscation
and present the findings of that study.
We finally leverage the acquired knowledge to implement an attack based on
symbolic execution, which allows us to completely deobfuscate the protected
machine code and regenerate working, simplified binaries.
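As an added illustration of the attack sketched above, the toy below symbolically executes a mutated instruction sequence, normalises the resulting register state, and matches it against candidate single instructions. It is written for this page and is not code from the talk: it does not model Themida's actual mutation patterns, uses a hand-written expression simplifier instead of Miasm, and covers only a tiny x86-64 subset (64-bit registers, no flags, no memory besides a push/pop stack). The sample sequences are constructed mutations of `mov rax, rbx` and `add rax, 5`; the last one deliberately clobbers `rcx` to show why the whole state, not just the destination register, has to be compared.

```python
"""Toy symbolic execution for recovering a mutated x86-64 instruction.

Assumptions (this is an added example, not the talk's tooling): instructions are
tuples such as ("add", "rax", 5) or ("lea", "rax", "rax", 0x15); each register
starts as a symbol named after itself; nothing models flags or memory.
"""

MASK = (1 << 64) - 1
REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi")


def _order(e):
    # Canonical operand order: sub-expressions, then register symbols, then constants.
    return (2 if isinstance(e, int) else 1 if isinstance(e, str) else 0, repr(e))


def simplify(e):
    """Rewrite ('op', a, b) | register symbol | int into a normal form."""
    if not isinstance(e, tuple):
        return e
    op, a, b = e
    a, b = simplify(a), simplify(b)
    if isinstance(a, int) and isinstance(b, int):  # constant folding, 64-bit wrap
        fold = {"add": a + b, "sub": a - b, "xor": a ^ b, "and": a & b, "or": a | b}
        return fold[op] & MASK
    if op == "sub":
        if a == b:
            return 0
        if isinstance(b, int):  # x - c == x + (-c mod 2^64): one rule covers add/sub chains
            return simplify(("add", a, (-b) & MASK))
        return ("sub", a, b)
    # Remaining ops are commutative: sort operands so x+y and y+x compare equal.
    if _order(a) > _order(b):
        a, b = b, a
    if a == b:
        return 0 if op == "xor" else a  # x^x = 0, x&x = x, x|x = x
    if b == 0 and op in ("add", "xor", "or"):
        return a
    if op == "and" and b == MASK:
        return a
    if op == "and" and b == 0:
        return 0
    # (x op c1) op c2 -> x op (c1 op c2): collapses constant chains
    if isinstance(b, int) and isinstance(a, tuple) and a[0] == op and isinstance(a[2], int):
        return simplify((op, a[1], (op, a[2], b)))
    return (op, a, b)


def execute(code):
    """Symbolically execute `code`; return (registers, stack) in simplified form."""
    regs = {r: r for r in REGS}  # each register starts as its own symbol
    stack = []

    def val(x):
        return x if isinstance(x, int) else regs[x]

    for mnem, *ops in code:
        if mnem == "mov":
            regs[ops[0]] = val(ops[1])
        elif mnem in ("add", "sub", "xor", "and", "or"):
            regs[ops[0]] = (mnem, regs[ops[0]], val(ops[1]))
        elif mnem == "lea":  # ("lea", dst, base, disp) == dst = base + disp
            regs[ops[0]] = ("add", regs[ops[1]], ops[2])
        elif mnem == "push":
            stack.append(val(ops[0]))
        elif mnem == "pop":
            regs[ops[0]] = stack.pop()
        else:
            raise ValueError(f"unsupported instruction {mnem}")
    return {r: simplify(v) for r, v in regs.items()}, [simplify(v) for v in stack]


def equivalent(a, b):
    """True if both sequences leave every register and the stack in the same state."""
    return execute(a) == execute(b)


def recover(mutated, candidates):
    """Return the first candidate sequence whose effect matches `mutated`, else None."""
    target = execute(mutated)
    return next((c for c in candidates if execute(c) == target), None)


# Constructed sample mutations (hand-written for this example, not Themida output).
MUTATED_MOV = [("push", "rbx"), ("pop", "rax")]
MUTATED_MOV2 = [("xor", "rax", "rax"), ("add", "rax", "rbx"),
                ("add", "rax", 0x1337), ("sub", "rax", 0x1337)]
MUTATED_ADD5 = [("sub", "rax", 0x10), ("lea", "rax", "rax", 0x15)]
CLOBBERS_RCX = [("mov", "rcx", "rbx"), ("mov", "rax", "rcx")]  # rax right, rcx trashed
CANDIDATES = [[("mov", "rax", "rbx")], [("add", "rax", 5)], [("xor", "rax", "rax")]]

if __name__ == "__main__":
    for block in (MUTATED_MOV, MUTATED_MOV2, MUTATED_ADD5, CLOBBERS_RCX):
        print(block, "->", recover(block, CANDIDATES))
```

Matching against a fixed candidate list is the simplest form of the idea; a real pipeline would instead emit the simplified expression directly as an instruction, and would need liveness information to decide whether a clobbered register (as in the last sample) actually matters.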

Erwan Grelet is a security researcher currently working at Ubisoft in the Game Security team. He spent several years working as a low-level software engineer before that.
He is particularly interested in software reverse engineering, vulnerability research and software obfuscation.