Defeating Software Protection With Metasm presented at HITBSecConf Malaysia 2009

by Alexander Gazet

Tags: Security

Summary: Defeating Software Protection with Metasm

Presentation Abstract

Metasm is a binary manipulation framework (disassembly, compilation, executable format handling, etc.). It currently supports the x86 (32 and 64 bit), MIPS and PowerPC architectures.

One of its distinctive characteristics is the encoding of instruction semantics. Based on this semantic encoding, the disassembler takes advantage of what we call a "backtracking" engine (symbolic emulation) that allows a very fine disassembly. Using the encoded semantics of instructions, we have been developing a generic approach to x86 code-virtualization-based protection. We also used some optimization techniques to defeat obfuscation, and compilation to defeat virtualization. Moreover, there is a very new feature of Metasm: a C decompiler. We have already started to port the optimizations into the decompiler, with good results.

Our talk will illustrate these different functionalities of Metasm, based on concrete results we have obtained against different state-of-the-art software protections involving heavy obfuscation and code virtualization.

About Alexander Gazet

Yoann and Alexandre are IT security research engineers at Sogeti ESEC R&D laboratory.

** Note: Presenting with Yoann Guillot (Sogeti ESEC Research & Development)
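The "backtracking" idea mentioned in the abstract, illustrated as an added toy example (not Metasm's own code and not using its API): starting from an indirect `jmp`, walk backwards through the preceding instructions, substituting each register write into a symbolic expression until the jump target reduces to a constant. The instruction stream is constructed and pre-decoded into tuples for the sake of the illustration.

```ruby
# Toy symbolic backtracker (hypothetical, added here; not Metasm code).
# Constructed x86-like stream, already decoded into [op, dst, src] tuples.
SAMPLE = [
  [:mov, :eax, 0x401000],
  [:mov, :ecx, 8],
  [:add, :eax, :ecx],
  [:xor, :ecx, :ecx],
  [:jmp, :eax],
]

# Symbolic expression: Integer, Symbol (register), or [op, lhs, rhs].
def subst(expr, reg, val)
  case expr
  when Symbol then expr == reg ? val : expr
  when Array then [expr[0], subst(expr[1], reg, val), subst(expr[2], reg, val)]
  else expr
  end
end

# Fold constant sub-expressions and the `xor reg, reg` zeroing idiom.
def simplify(expr)
  return expr unless expr.is_a?(Array)
  op, a, b = expr[0], simplify(expr[1]), simplify(expr[2])
  if a.is_a?(Integer) && b.is_a?(Integer)
    return (op == :add ? a + b : a ^ b) & 0xffffffff
  end
  return 0 if op == :xor && a == b
  [op, a, b]
end

# Apply one earlier instruction to the expression being backtracked:
# the destination register is replaced by what the instruction computed.
def backtrack_step(expr, insn)
  op, dst, src = insn
  case op
  when :mov then subst(expr, dst, src)
  when :add then subst(expr, dst, [:add, dst, src])
  when :xor then subst(expr, dst, [:xor, dst, src])
  else expr
  end
end

# Resolve the target of the indirect jump at index idx by walking backwards.
# Returns an Integer when fully resolved, otherwise the residual expression.
def resolve_jump(insns, idx)
  expr = insns[idx][1]
  (idx - 1).downto(0) do |i|
    expr = simplify(backtrack_step(expr, insns[i]))
    return expr if expr.is_a?(Integer)
  end
  expr
end
```

Running `resolve_jump(SAMPLE, 4)` yields `0x401008`: the `xor ecx, ecx` after the `add` does not affect `eax`, and the earlier `mov`s supply the constants.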