Automatic binary deobfuscation

Guillot, Yoann; Gazet, Alexandre

doi:10.1007/s11416-009-0126-4

Cited by 31 publications

(13 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Obfuscated program is constructed by instruction fragment diversification and control flow randomization, as shown in Fig. 3, where instruction fragments (31,32,33,34) and (41, 42, 43, 44) are generated from the instruction fragments 3 and 4 with diversified transformation rules. The original basic block only has one execute path, such as 1->2->3->4.…”

Section: E a Case In Studymentioning

confidence: 99%

See 1 more Smart Citation

An Iteration Obfuscation Based on Instruction Fragment Diversification and Control Flow Randomization

Liu¹,

Xie²,

Lu³

et al. 2016

IJCTE

View full text Add to dashboard Cite

Abstract-As the control flow graph can reflect the logic structure of programs, static and dynamic reverse methods are used to analyze the logic structure and instruction sequence, and the existing methods of control flow obfuscation have low potency to resist reverse attacks. To solve this problem, we propose an obfuscation method based on instruction fragment diversification and control flow randomization, diversified instruction fragments are generated by various equivalent transformation rules, and random functions are used to select one execution path from the multi-way branches of programs, then programs are iteratively obfuscated. Experiments and analysis show that diversified instruction fragments and multi-way branches can increase the difficulty of static reverse analysis, random selection for multi-way branches will increase the difficulty of dynamic instruction tracing, and iterative transformation for many times enhances the complexity of control flow graph.Index Terms-Code obfuscation, iterative transformation, instruction fragment diversification, control flow randomization.

show abstract

Section: E a Case In Studymentioning

confidence: 99%

“…The existing deobfuscation algorithms are based on the optimization theory [33], including peephole optimization, constant propagation, constant folding, operand folding, and stack optimization. These methods can remove junk instructions and invalid branches in functions that deobfuscate redundant codes to a certain extent.…”

Section: Deobfuscation Measurementmentioning

confidence: 99%

An Iteration Obfuscation Based on Instruction Fragment Diversification and Control Flow Randomization

Liu¹,

Xie²,

Lu³

et al. 2016

IJCTE

View full text Add to dashboard Cite

show abstract

“…We then transform the output of IDA into the intermediate representation (IR) that is part of METASM [9]. We chose METASM because it can symbolically accumulate assembly instructions in a compact and reasonably accurate form.…”

Section: Semantic Extractionmentioning

confidence: 99%

Leveraging semantic signatures for bug search in binary programs

Pewny

Schuster

Bernhard

et al. 2014

Proceedings of the 30th Annual Computer Security Applications Conference

120

View full text Add to dashboard Cite

Software vulnerabilities still constitute a high security risk and there is an ongoing race to patch known bugs. However, especially in closed-source software, there is no straightforward way (in contrast to source code analysis) to find buggy code parts, even if the bug was publicly disclosed.To tackle this problem, we propose a method called Tree Edit Distance based Equational Matching (TEDEM) to automatically identify binary code regions that are "similar" to code regions containing a reference bug. We aim to find bugs both in the same binary as the reference bug and in completely unrelated binaries (even compiled for different operating systems). Our method even works on proprietary software systems, which lack source code and symbols.The analysis task is split into two phases. In a preprocessing phase, we condense the semantics of a given binary executable by symbolic simplification to make our approach robust against syntactic changes across different binaries. Second, we use tree edit distances as a basic blockcentric metric for code similarity. This allows us to find instances of the same bug in different binaries and even spotting its variants (a concept called vulnerability extrapolation). To demonstrate the practical feasibility of the proposed method, we implemented a prototype of TEDEM that can find real-world security bugs across binaries and even across OS boundaries, such as in MS Word and the popular messengers Pidgin (Linux) and Adium (Mac OS).

show abstract

“…In the best case, they can be reduced to their original appearances. Many researches [10][11][12][13] can help to accomplish this work.…”

Section: A General Design Ideasmentioning

confidence: 99%

NISLVMP: Improved Virtual Machine-Based Software Protection

Fang

Yin

et al. 2013

2013 Ninth International Conference on Computational Intelligence and Security

View full text Add to dashboard Cite

The VM (Virtual Machine)-based software protection technique provides an effective solution to protect software, making it extremely difficult to analyze and crack. This technique has become the research focus of software protection. In this paper, we introduce the general design ideas of this technique. However, there exist some vulnerabilities in the design. We introduce these vulnerabilities in detail and come up with some improvements to mitigate them. We design and develop a VM-based protection system, named NISLVMP, and carry out some experiments with it. The results show that the improvements are effective. KeywordsVM-based software protection; dynamic attack; multi-VM-Context; security virtual instruction.

show abstract

Automatic binary deobfuscation

Cited by 31 publications

References 4 publications

An Iteration Obfuscation Based on Instruction Fragment Diversification and Control Flow Randomization

An Iteration Obfuscation Based on Instruction Fragment Diversification and Control Flow Randomization

Leveraging semantic signatures for bug search in binary programs

NISLVMP: Improved Virtual Machine-Based Software Protection

Contact Info

Product

Resources

About