Keynote SSTIC 2009 – Automatic deobfuscation of binaries

Presentation: Alexandre GAZET, Yoann GUILLOT

Malware is often obfuscated using "packers" or embedded virtual machines, or both!

In the proposed approach, the code of the offending binary is first analyzed and then simplified (optimized): it is translated into a pseudo-language (the "binding" step), which removes many of the unnecessary operations inserted to conceal the malicious behaviour.
Next, the tool executes this pseudo-code, generating assembler code on the fly for each requested operation and compiling it to ia32.

The ia32 code thus generated can now be analyzed, regardless of the initial protection, or even decompiled to obtain higher-level code.
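To make the "translate, simplify, re-emit" pipeline above concrete, here is an added toy example (constructed for this write-up, not the speakers' tool): a peephole simplifier over a minimal pseudo-language that removes junk arithmetic, dead stores and useless save/restore pairs, then re-emits the result as assembler text. The IR format, the four rewrite rules and the sample block are all assumptions; flag side effects are ignored.

```python
# Toy IR (an assumption for this example): ("mov"|"add"|"sub", dst, src) with src
# a register name or int immediate, or ("push"|"pop", reg). Flag effects ignored.

def is_dead_store(code, i):
    # a mov into r is dead if r is fully overwritten before anything reads it;
    # push and mov read their source, add/sub read both operands, pop reads nothing
    reg = code[i][1]
    for op, *args in code[i + 1:]:
        srcs = [] if op == "pop" else args if op in ("add", "sub") else args[-1:]
        if reg in srcs:
            return False
        if op in ("mov", "pop") and args[0] == reg:
            return True
    return False  # conservative: treat as live until the end of the block

def simplify_once(code):
    out, i = [], 0
    while i < len(code):
        cur = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        # Rule 1: add r, x ; sub r, x (either order) cancels when x != r
        if nxt and {cur[0], nxt[0]} == {"add", "sub"} and cur[1:] == nxt[1:] and cur[1] != cur[2]:
            i += 2; continue
        # Rule 2: push r immediately followed by pop r is a no-op
        if nxt and cur[0] == "push" and nxt == ("pop", cur[1]):
            i += 2; continue
        # Rule 3: fold mov r, k ; add/sub r, k2 into a single mov r, k +/- k2
        if nxt and cur[0] == "mov" and nxt[0] in ("add", "sub") and nxt[1] == cur[1] \
                and isinstance(cur[2], int) and isinstance(nxt[2], int):
            k = cur[2] + nxt[2] if nxt[0] == "add" else cur[2] - nxt[2]
            out.append(("mov", cur[1], k)); i += 2; continue
        # Rule 4: drop a mov whose result is never read
        if cur[0] == "mov" and is_dead_store(code, i):
            i += 1; continue
        out.append(cur); i += 1
    return out

def simplify(code):
    while (new := simplify_once(code)) != code:  # iterate to a fixed point
        code = new
    return code

def emit(code):
    return [ins[0] + " " + ", ".join(map(str, ins[1:])) for ins in code]

# Constructed sample: junk arithmetic and a save/restore of eax hide that the block only sets ecx and edx
OBFUSCATED = [("push", "eax"), ("mov", "eax", 10), ("add", "eax", 7),
              ("sub", "eax", 7), ("pop", "eax"), ("mov", "ecx", 3),
              ("add", "ecx", 4), ("mov", "edx", "ecx")]
```

Running `emit(simplify(OBFUSCATED))` reduces the eight-instruction block to `mov ecx, 7` and `mov edx, ecx`; the rules only fire on adjacent instructions, so iterating to a fixed point is what lets later passes expose pairs that earlier junk kept apart.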

Future of this research: automatic decompilation, which moves further away from the target architecture and yields higher-level code.
This is not the easiest task, however, especially for processor instructions that have no equivalent in higher-level languages (such as C). A lot of work remains before the solution is fully usable.