Explore advanced techniques for defeating the latest script obfuscation methods in this 30-minute conference talk from Derbycon 2016. Learn about the purpose and methods of script obfuscation, its role in attack scenarios, and the importance of deobfuscation. Discover general tips for tackling obfuscated scripts, including handling unused code, complicated naming conventions, and obscured control flow. Gain insights into simplifying arithmetic sequences, decoding obfuscated string values, and dealing with heavily obfuscated scripts. Master practical steps like removing junk code, standardizing formatting, and rearranging functions to improve readability. Understand the process of function relabeling and explore various deobfuscation tools to enhance your analysis capabilities.
Overview
Syllabus
Intro
OUTLINE
INTRO
WHAT IS OBFUSCATION?
WHY OBFUSCATE SCRIPTS?
HOW ARE SCRIPTS OBFUSCATED?
OBFUSCATED SCRIPTS IN ATTACK SCENARIOS
WHY DEOBFUSCATE?
DEOBFUSCATION GOALS
WHAT DO I NEED?
GENERAL TIPS
UNUSED / GARBAGE CODE
COMPLICATED VARIABLE AND FUNCTION NAMES
INDIRECT CALLS AND OBSCURED CONTROL FLOW
ARITHMETIC SEQUENCES
OBFUSCATED STRING VALUES
IF SCRIPT IS STILL HEAVILY OBFUSCATED
REMOVE JUNK
STANDARDIZE FORMATTING
REARRANGE FUNCTION ORDER
MERGE FUNCTIONS TOGETHER
BEGIN SIMPLIFYING...
PICTURE BEGINS TO CLEAR UP
YUP, THEY'RE FILE PATHS
FUNCTION RELABELING
DEOBFUSCATION TOOLS
CONCLUSION
