#3
The movfuscator and its variations are mostly broken. For instance, have a look at this talk:

description: https://recon.cx/2016/talks/%22Movfuscator-Be-Gone.html
video: https://www.youtube.com/watch?v=d_R8i0dVBsQ
code: https://github.com/kirschju/demovfuscator
thesis/writeup: https://kirschju.re/static/ba_jonischkeit_2016.pdf

Others have broken the movfuscator earlier: https://twitter.com/tathanhdinh/status/634165703558434816

Symbolic execution is also quite successful on these kinds of obfuscations. If you mix it with some taint analysis, there should not be much left. For a great work for generic obfuscation, have a look at https://www.cs.arizona.edu/people/debray/Publications/generic-deobf.pdf .

Last edited by t3xc0d3; 12-08-2016 at 18:28.