Publications

The Poor Man's Obfuscator

The purpose of this publication is to present ELF and Mach-O transformations which impact or hinder disassemblers like IDA, BinaryNinja, Ghidra, and Radare2.

Pass The Salt
Romain Thomas
July 4, 2022
DroidGuard: A Deep Dive into SafetyNet

SafetyNet is the Android component developed by Google to verify the devices’ integrity. These checks are used by the developers to prevent running applications on devices that would not meet security requirements but it is also used by Google …

SSTIC & BlackHat Asia
Romain Thomas
May 12, 2022
PGSharp: Analysis of a Cheat Engine on Android

PGSharp is a cheating app for PokemonGO that works on non-rooted devices. This talk introduces its functionalities and the protections used to prevent reverse-engineering.

Ekoparty
Romain Thomas
November 5, 2021
QBDL: QuarkslaB Dynamic Loader

The QuarkslaB Dynamic Loader (QBDL) library aims at providing a modular and portable way to dynamically load and link binaries.

SSTIC
Adrien Guinet, Romain Thomas
June 3, 2021
Dynamic Binary Instrumentation Techniques to Address Native Code Obfuscation

Android applications are becoming more and more obfuscated to prevent reverse engineering. While obfuscation can be applied to both the Dalvik bytecode and the native code, the former is more challenging to analyze due to the structure of the …

BlackHat Asia
Romain Thomas
October 1, 2020
Android Runtime Restrictions Bypass

This paper explains how to disable runtime restrictions without root privileges.

Romain Thomas
March 23, 2019
Static Instrumentation Based on Executable Formats

Talk given at Recon Montréal and PassTheSalt18 about static instrumentation and its use cases.

Recon Montréal & PST
Romain Thomas
June 20, 2018
LIEF: Library to Instrument Executable Formats

RMLL & Cybersecurity France-Japan
Romain Thomas
July 4, 2017
How Triton can help to reverse virtual machine based software protections

The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it’s possible to reverse virtual machine …

CSAW SOS
Jonathan Salwan, Romain Thomas
November 10, 2016
Dynamic Binary Analysis and Obfuscated Codes

In this presentation we will talk about how DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it’s possible to break some stuff …

St'Hack
Jonathan Salwan, Romain Thomas
April 8, 2016
How Triton may help to analyse obfuscated binaries

Binary obfuscation is used to protect software’s intellectual property. There exist different kinds of obfuscation but, roughly, it transforms a binary structure into another binary structure while preserving the same semantics. The aim of …

Jonathan Salwan, Romain Thomas
September 1, 2015