Overview
Explore techniques for deobfuscating API functions in modern packers during this 42-minute Black Hat conference talk. Learn about static and dynamic API obfuscation methods used by malware to hinder analysis. Discover a novel approach using memory access analysis to map obfuscated API functions to their original counterparts, overcoming limitations of pattern matching and code optimization techniques. Examine the iterative run-until-API method for handling static obfuscation, leveraging dynamic binary instrumentation with Intel Pin to identify real API functions without full system emulation. Gain insights into applying these deobfuscation techniques to Themida 32/64 packed binaries, enabling analysis with common reverse engineering tools like x64dbg, Ollydbg, and IDA Pro.
Syllabus
API Deobfuscator: Resolving Obfuscated API Functions In Modern Packers
Taught by
Black Hat