IDA Pro & obfuscated code

Ilfak Guilfanov, Hex-Rays, Belgium

IDA Pro handles compiler-generated code quite well, but if the code is obfuscated, the results vary wildly. In mild cases it misses unimportant details, like an indirect memory reference; in the worst case, however, the output is completely incomprehensible. But all is not lost: with some help from the user, any code can be deciphered.

This presentation will show you real-world obfuscated code samples and methods for handling them. Both static (pure disassembler) and dynamic (using the debugger) methods will be discussed. Since obfuscation methods continuously evolve, a simple enumeration of the current tips and tricks would quickly become obsolete; instead, the presented methods will give you an idea of how to handle difficult cases in general.