Archive for September, 2010

Discovering Variables in Executables

Author : Gogul Balakrishnan + Thomas Reps

Description This paper addresses the problem of recovering variable-like entities when analyzing executables in the absence of debugging information. We show that variable-like entities can be recovered by iterating Value-Set Analysis (VSA), a combined numeric-analysis and pointer-analysis algorithm, and Aggregate Structure Identification, an algorithm to identify the structure of aggregates. Our initial experiments show that the technique is successful in correctly identifying 88% of the local variables and 89% of the fields of heap-allocated objects. Previous techniques recovered 83% of the local variables, but 0% of the fields of heap-allocated objects. Moreover, the values computed by VSA using the variables recovered by our algorithm would allow any subsequent analysis to do a better job of interpreting instructions that use indirect addressing to access arrays and heap-allocated data objects: indirect operands can be resolved better at 4% to 39% of the sites of writes and up to 8% of the sites of reads. (These are the memory-access operations for which it is the most difficult for an analyzer to obtain useful results.)

Filesize 244.87 kB

Download here:


An Exercise in RSA Reversal (RSA128 + MD5)

Author:  Office Jesus

Description Hi and welcome to another Office Jesus tutorial. I just want to go ahead and say that if you are an ABSOLUTE beginner with no experience debugging or coding (Delphi in this case), you should NOT read this tutorial! I recommend watching Lena151’s tutorials; they can be found at In this tutorial we will be exploring a simple serial checking routine that uses the MD5 hash and the RSA algorithm. I will not go into detail on how MD5 works or how it could be implemented. For more reading about MD5, check out the MD5 tutorials by Encrypto and ARTeam. I will try to explain RSA to the best of my ability. For further reading on RSA, visit RSA Wiki.

Filesize 1.25 MB

Download here:

Automatic Binary Deobfuscation

Author : Yoann Guillot + Alexandre Gazet

Author email : yoann.guillot©

Description This paper gives an overview of our research in the automation of the process of software protection analysis. We will focus more particularly on the problem of obfuscation.

Our current approach is based on a local semantic analysis, which aims to rewrite the binary code in a simpler (easier to understand) way. This approach has the advantage of not relying on a manual search for “patterns” of obfuscation. This way of manipulating the code is, at the end, quite similar to the optimising stage of most of compilers. We will exhibit concrete results based on the development of a prototype and its application to a test target. Current limitations and future prospects will be discussed in as well.

As a continuation of our work from last year, we focus on the automation of the software protection analysis process. We will focus more particularly on the problem of obfuscation.

This problem is crucial as most malicious binaries (like viruses or trojans) use this kind of protection to slow down their analysis and to make their detection harder. Automation is a key step in order to face the constant growth of the amount of malware, year after year.

Our previous paper was mainly focused on the attack and suppression of protection mechanisms using the Metasm framework. It provides many useful primitives to deal with protected code: control flow graph manipulation, recompilation, filtering processor, nevertheless most of these approaches rely on a tedious work of manual identification of the “patterns” used by the protection.

We will now present the development of our new methods, relying on a semantic analysis of the binary code to extract a simpler representation. The objective is no longer to seek and destroy known patterns, but to proceed to a complete, on-the-fly, optimised code rewriting.

We will exhibit concrete results obtained by applying these methods to a test target. Then, current limitations and future prospects will be discussed.

Filesize 437.38 kB

Download here :