Sojobo - A binary analysis framework

Sojobo is an emulator for the B2R2 framework. It was created to easier the analysis of potentially malicious files. It is totally developed in .NET so you don't need to install or compile any other external libraries (the project is self contained).

With Sojobo you can:

  • Emulate a (32 bit) PE binary
  • Inspect the memory of the emulated process
  • Read the process state
  • Display a disassembly of the executed code
  • Emulate functions in a managed language (C# || F#)

Tools using Sojobo

  • ADVDeobfuscator

ADV Deobfuscator - A string deobfuscator for ADVObfuscator

ADVDeobfuscator is tool based on the Sojobo binary analysis framework that analyzes a binary obfuscated with ADBObfuscator and decodes the identified strings.


A compiled version is available to Community sponsored users. If you are a sponsored user you can download the binary from:


The image below shows an execution of ADVDeobfuscator on the Conti Ransomware.

The image below shows an execution of ADVDeobfuscator on the Taurus Stealer (see also Predator the thief).

I wrote a blog post on how to deobfuscate the Team 9 binaries.

Using Sojobo

Sojobo is intended to be used as a framework to create program analysis utilities. However, various sample utilities were created in order to show how to use the framework in a profitable way.



The project is fully documented in F# (cit.) :) Joking apart, I plan to write some blog posts related to how to use Sojobo. Below a list of the current posts:


In order to compile Sojobo you need .NET Core to be installed and Visual Studio. To compile just run build.bat.


Copyright (C) 2019 Antonio Parata - @s4tan

Sojobo is licensed under the Creative Commons.


A binary analysis framework

Sojobo Info

⭐ Stars127
πŸ”— Source
πŸ•’ Last Update10 months ago
πŸ•’ Created4 years ago
🐞 Open Issues0
βž— Star-Issue RatioInfinity
😎 Authorenkomio