Sojobo is an emulator for the B2R2 framework. It was created to easier the analysis of potentially malicious files. It is totally developed in .NET so you don't need to install or compile any other external libraries (the project is self contained).

With Sojobo you can:

• Emulate a (32 bit) PE binary
• Inspect the memory of the emulated process
• Read the process state
• Display a disassembly of the executed code
• Emulate functions in a managed language (C# || F#)

• ADVDeobfuscator

ADVDeobfuscator is tool based on the Sojobo binary analysis framework that analyzes a binary obfuscated with ADBObfuscator and decodes the identified strings.

A compiled version is available to Community sponsored users. If you are a sponsored user you can download the binary from: https://github.com/enkomio-sponsor/compiled_binaries

The image below shows an execution of ADVDeobfuscator on the Conti Ransomware.

The image below shows an execution of ADVDeobfuscator on the Taurus Stealer (see also Predator the thief).

I wrote a blog post on how to deobfuscate the Team 9 binaries.

Sojobo is intended to be used as a framework to create program analysis utilities. However, various sample utilities were created in order to show how to use the framework in a profitable way.

• Source code

The project is fully documented in F# (cit.) :) Joking apart, I plan to write some blog posts related to how to use Sojobo. Below a list of the current posts:

• Sojobo - Yet another binary analysis framework

You can also read the API documentation.

In order to compile Sojobo you need .NET Core to be installed and Visual Studio. To compile just run build.bat.

Copyright (C) 2019 Antonio Parata - @s4tan

Sojobo is licensed under the Creative Commons.