🔥 So, at DEF CON there was a talk about deobfuscation: VMDragonSlayer by @Van1sh_BSidesIT. The author released the code and there are clearly huge amounts of AI slop. 🤔 Now, WE WENT TO THE TALK and spoke with the speaker after the talk. 🧵
👋, I'm Ale from http://rev.ng Labs. We develop a binary analysis framework and decompiler, http://rev.ng. We're Italian, like the author of the talk, but we didn't know him before the talk.
🔴 Disclaimer: we submitted a talk about deobfuscation to DEF CON using http://rev.ng, which was rejected. Here you can find the outline: https://pad.rev.ng/s/pnbE7AY1d...
Rejection is fine but, needless to say, we're kinda pissed our (actual) talk was rejected and this thing was accepted, but I'll try to be fair. We also presented http://rev.ng at DEF CON Demo labs. That was nice.
So, we went to the VMDragonSlayer talk. The presentation was good looking, with a retrowave vibe. In hindsight, it's most likely mostly generated by an LLM. You can find it here: https://media.defcon.org/DEF%2...
The talk was full of pompous statements like "we went from 💸💸💸 to 20 bucks to analyze X" and "from this many man months of analysts to just 20 minutes".
I'd say the first 30% of the presentation was pure boring narrative about how bad things were before VMDragonSlayer and a series of unsubstantiated claims about how good things are after VMDragonSlayer.
The rest described something which was a mix of symbolic execution (angr or Z3 directly) and dynamic analysis (using pin) + some machine learning. It was all quite unclear and people in the audience were looking at each other quite weirdly.
He mentioned success rates (not sure what was defined as "success"). Basically, the thing was supposedly failing with samples using 5 to 7 layers of nested virtualization. 🤷‍♂️
AFAIU the final claim was to be able to identify the dispatcher of the VM and to classify what the implementation of each opcode was doing.
He also had a screenshot of the Ghidra plugin. 🤷‍♂️
There was a not-very-telling pre-recorded demo: https://media.defcon.org/DEF%2...
Some opcodes were classified as "hook browser" or "download URL". Quite weird for a low-level opcode of a VM. 🤷‍♂️
The talk ended with a call for community action, because he was the solo dev of this thing and needed help.
After the talk, we went to the speaker, along with a bunch of other people. Everyone was very perplexed. The guy seemed... regular. A regular guy who just gave a low quality talk, I've met people giving this vibe in the past. He didn't seem to be acting.
He wouldn't say who he works for, saying it's a miracle that he was able to give the talk at all.
After a few questions, I left. The feeling was: the work was quite flaky but, removing the fog, he seemed to have some way to identify dispatchers and was using random forest to pattern match what an opcode was doing based on some ground truth he had from past analyses.
Overall, I was unhappy with the quality of the talk and with the fact that he wasn't actually emitting deobfuscated code (as we do), but just identifying opcodes. At the offline Q&A he mentioned that he "had some ideas" on how to do that with Ghidra.
Actually understanding what the obfuscated code was doing was, in his terms, "analysts enrichment". I call that "actual reversing".
Now, the guy had *another* talk at DEF CON, which I didn't manage to attend. Captivating title: "Jailbreaking the Hivemind: Finding and Exploiting Kernel Vulnerabilities in the eBPF Subsystem"
Presentation and demos are quite similar: https://media.defcon.org/DEF%2... https://media.defcon.org/DEF%2... The code is not released: https://github.com/poppopjmp/L...
Conclusion? I don't know. Either he has something, ran out of time, panicked, created the whole project with an LLM or he had a bet with his friends like "wanna bet I can get *two* talks accepted with pure AI slop?". In the latter case, he won.
What puzzles me is: if this is all made up, why not go the extra mile and state you can emit deobfuscated code?
Needless to say, the people reviewing talk submissions at DEF CON bear some responsibility in all of this, but I don't think I'm in the position to judge without full context.
@_revng @Van1sh_BSidesIT great share. thanks for letting us know.
@_revng @Van1sh_BSidesIT Has the guy had anything to say about it, fully his best move is to pretend like he was trying to game the system loooool
@_revng @Van1sh_BSidesIT DEF CON Organizers rn: