unrubby: reversing without reversing presented at troopers 2016

by Richo Healey,

Summary : Obfuscating code is typically the domain of native code, or at least statically dispatched bytecode VM's. Despite this, the rise of SaaS companies, combined with the existing enterprise market is producing increased interest in attempts to obfuscate more dynamic, and higher level languages.
Presented will be a tool call unrubby, which uses a novel technique to generally defeat all obfuscation engines currently on the market. Instead of analyzing the obfuscated source, we abuse the dynamism of the containing vm to insert our instrumentation after the loader has run.
Furthermore, by instrumenting runtime behaviour of the VM itself, attempts to obfuscate the resulting bytecode can be largely overcome without paying much heed to the techniques used, providing significant durability against upstream development, and excellent coverage on black box targets.
While the implementation presented is targeted toward MRI, the gold standard ruby interpreter, the techniques are applicable to all languages with a dynamic bytecode VM.