On the 7th of June, I presented SourceFu at SSTIC, a french infosec conference. This was the opportunity for me to release it publicly, and to explain quickly how it works. As a reminder, the idea is to use partial interpretation on AST to provide a deobfuscating tool, using ANTLR in the background to be able to work on multiple languages. While the tool might be usable by analysts in its current state, it's clearly still in its infancy and its results are not that good. As an example, you can see in the following video two examples of analyzing some VBA obfuscated samples. While the first sample is analyzed pretty much correctly, the second one is not deofuscated completely:

Once the conference ended, my main questioning was about the fact that such a tool might interest people or not... Indeed, I'm not an analyst myself, and I don't know if it's important or not to deobfuscate malicious codes. By the way, if you're reading this blog post, i would be really interested in a little mail explaining if deobfuscation is for you a day to day job, or if it's utterly useless...

Well, @Decalage2 showed some interest into the project, and one of his tweet presenting the tool received some positive feedback.

From this, my decision has been taken : I shall continue to dev this tool! Hence, that's why I launch this blog. People will be able to get some news regarding the development, as well as research on deobfuscation and tutorials. As such, don't hesitate to check out at least sometimes this blog :)

So, where to go on from now? For the next month, I will be quite busy due to my participation in le Hack infosec con, where I'm part of the CTF organizers. However, I should be able to work on SourceFu from time to time. Priority will be set to the contributing documentation and to the base core quality of VBA code. Indeed, some deobfuscation routines appear to be quite wrong...

See ya!