Software Deobfuscation Techniques

Instructor:  Tim Blazytko
Dates:  June 15 to 18 2026
Location:  Delta Hotel President Kennedy
Capacity:  20

Modern reverse engineering increasingly relies on automation, custom tooling, and agent-assisted workflows. But these approaches quickly run into limits when binaries actively resist analysis through control-flow obfuscation, virtualization, mixed Boolean-arithmetic, and other transformations. This training teaches the practical deobfuscation workflows needed to break such protections and to make automated reverse-engineering workflows effective on real-world targets.

Participants first learn how modern obfuscation techniques complicate reverse engineering, and then gradually build the deobfuscation techniques needed to attack them in hands-on sessions. Along the way, they deepen their understanding of program analysis and learn when and how to apply different techniques in practice.

First, we have a look at important code obfuscation techniques and discuss how to attack them. Afterwards, we analyze a virtual machine-based (VM-based) obfuscation scheme, learn about VM hardening techniques and how to tackle them.

In the second part, we cover SMT-based program analysis. In detail, students learn how to solve program analysis problems with SMT solvers, how to prove characteristics of code, how to deobfuscate mixed Boolean-Arithmetic and how to break weak cryptography.

Before we use symbolic execution to automate large parts of code deobfuscation, we first introduce intermediate languages and compiler optimizations to simplify industrial-grade obfuscation schemes. Following, we use symbolic execution to automate SMT-based program analysis and break opaque predicates. Finally, we learn how to write disassemblers for virtualization-based obfuscators and how to reconstruct the original code.

The last part covers program synthesis, an approach to simplify code based on its semantic behavior. After collecting input-output pairs from binary code, we not only learn how to simplify large expression trees, but also how we can verify the correctness of simplifications. Then, we use program synthesis to deobfuscate mixed Boolean-Arithmetic and learn the semantics of VM instruction handlers.

Teaching

Note that the training focuses on hands-on sessions. While some lecture parts provide an understanding of when to use which method, various hands-on sessions teach how to use them to build custom purpose tools for one-off problems. The trainer actively supports the students to successfully solve the given tasks. After a task is completed, we discuss different solutions in class. Furthermore, students receive detailed reference solutions that can be used during and after the course.

While the hands-on sessions use x86 assembly, all tools and techniques can also be applied to other architectures such as MIPS, PPC or ARM.

Learning Objectives

• Get to know the state-of-the-art of code obfuscation and deobfuscation techniques
• Build practical workflows to analyze and simplify protected binaries that resist standard static analysis
• Learn compiler optimizations, SMT-based program analysis, symbolic execution, and program synthesis
• Apply these techniques to break obfuscation schemes in various hands-on sessions
• Write disassemblers for VM-based obfuscators and simplify complex arithmetic expressions

Class Outline

The training orientates at the following outline:

• Introduction to Code (De)obfuscation
  • Motivation
  • Application scenarios
  • Program analysis techniques
• Code Obfuscation Techniques
  • Opaque predicates
  • Control-flow flattening
  • Mixed Boolean-Arithmetic
  • Virtual machines
  • Virtual machine hardening
• Code Deobfuscation Techniques
  • Compiler optimizations
  • Reconstructing control flow
  • SMT-based program analysis
  • Taint analysis
  • Symbolic execution
  • Program synthesis
• Compiler Optimizations
  • Dead code elimination
  • Constant propagation/folding
  • Static single assignment (SSA)
  • Optimizing obfuscated code
• SMT-based Program Analysis
  • SAT and SMT solvers
  • Encoding programs analysis problems for SMT solvers
  • Proving semantic equivalence
  • Proving properties of a piece of code
  • Solving complex program constraints
  • Deobfuscating mixed Boolean-Arithmetic
  • Breaking weak cryptography
• Symbolic Execution
  • Intermediate languages for reverse engineering
  • Symbolic and semantic simplification of obfuscated code
  • Automation in reverse engineering
  • Identifying virtual machine components
  • Interaction with SMT solvers
  • Breaking opaque predicates
  • Writing disassemblers for virtualization-based obfuscators
• Program Synthesis
  • Concept of program synthesis
  • Learning code semantics based on its input/output behavior
  • Obtaining input/output pairs from code
  • Methods to simplify large expression trees
  • Proving the correctness of simplifications
  • Deobfuscating mixed Boolean-Arithmetic
  • Learning semantics of VM instruction handlers

Requirements

Hardware/Software:

• Students should have a disassembler of their choice (e.g., IDA, Ghidra, or Binary Ninja) and a working Docker installation. A Docker image with all required tools and course material will be provided.

Prerequisites:

• The participants should have basic reverse engineering skills
• Furthermore, they should be familiar with x86 assembly and Python

BIO

Tim Blazytko is a well-known binary security researcher and reverse-engineering expert with a PhD in program analysis. He focuses on independent consulting and hands-on work across reverse engineering and software protection. He regularly contributes to the reverse engineering community through trainings, international conference talks, research papers, and open-source tools. Furthermore, he supports clients with advanced binary analysis, malware investigations, and security audits. Tim also serves as Chief Scientist at Emproof.

To Register

Click here to register.