Semi-automatic Code Deobfuscation

This repository contains slides, samples and code of the 2h code deobfuscation workshop at r2con2020. We use Miasm to automatically identify opaque predicates in the X-Tunnel APT128-malware using symbolic execution and SMT solving. Afterward, we automatically remove the opaque predicates via patching.

The recording is available here.

Cutter Notes

To correctly disassembly the targeted function in Cutter, the analysis depth has to been increased:

e anal.depth=9999
af @ 0x491aa0
s 0x491aa0

Contact

For more information, contact (@mr_phrazer).