<i>UnThemida</i>: Commercial obfuscation technique analysis with a fully obfuscated program

Suk, Jae Hyuk; Lee, Jae Yung; Jin, Hongjoo; Kim, In Seok; Lee, Dong Hoon

doi:10.1002/spe.2622

Cited by 11 publications

(13 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, since only anti-VM and anti-DBI techniques were analyzed, it is difficult to present experimental results on whether the proposed bypass algorithm works properly even when other obfuscation options are applied. However, in the case of Themida, it is a structure in which unpacking is executed if it is not detected after the anti-analysis technique is performed, and these two parts can be considered to be separate [19]. Even when other protection techniques are applied, anti-analysis techniques are performed first and followed by other techniques.…”

Section: Discussionmentioning

confidence: 99%

“…Even when other protection techniques are applied, anti-analysis techniques are performed first and followed by other techniques. Therefore, even if other options are applied, deobfuscation should be applied after bypassing the anti-analysis technique, according to Suk et al [19]. Since other commercial protectors have a similar structure, the bypass algorithm presented in this paper can work normally even when other obfuscation options are applied.…”

Section: Discussionmentioning

confidence: 99%

“…Suk et al [19] used PIN to analyze Themida. Based on the analysis results, Themida's unpacking method was implemented by the algorithm, and the unpacking results were verified using a large data set.…”

Section: Related Workmentioning

confidence: 99%

“…Packing is a technique that changes the control flow of program execution, making it difficult to analyze. As such, many analysts use dynamic binary instrumentation (DBI) tools to analyze the packing of commercial protectors [11], [17], [19]. DBI tools insert executable code at run time to help dynamically analyze program behavior and make it possible to effectively assess obfuscation and packing techniques.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

2021

Self Cite

View full text Add to dashboard Cite

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

2021

Self Cite

View full text Add to dashboard Cite

“…To the best of our knowledge, it cannot unpack recent version of sophisticated (commercial) packers, including VMProtect, Themida, and Safengine. Recently, UnThemida [36] was developed as a plug-in for the Pin tool to analyze and to unpack the structure of files packed with Themida 2.4.5. Unlike previous tools including UnThemida or UPX unpacker, x64Unpack is designed to cope with diverse packers: it can handle both finding general unpacking routines and evading various anti-reverse engineering techniques.…”

Section: Related Workmentioning

confidence: 99%

x64Unpack: Hybrid Emulation Unpacker for 64-bit Windows Environments and Detailed Analysis Results on VMProtect 3.4

et al. 2020

View full text Add to dashboard Cite

In spite of recent remarkable advances in binary code analysis, malware developers are still using complex anti-reversing techniques to make analysis difficult. To protect malware, they use packers, which are (commercial) tools that contain various anti-reverse engineering techniques such as code encryption, anti-debugging, and code virtualization. In this paper, we present x64Unpack: a hybrid emulation scheme that makes it easier to analyze packed executable files and automatically unpacks them in 64-bit Windows environments. The most distinguishable feature of x64Unpack compared to other dynamic analysis tools is that x64Unpack and the target program share virtual memory to support both instruction emulation and direct execution. Emulation runs slow but provides detailed information, whereas direct execution of the code chunk runs very fast and can handle complex cases regarding to operating systems or hardware devices. With x64Unpack, we can monitor major API (Application Programming Interface) function calls or conduct fine-grained analysis at the instruction-level. Furthermore, x64Unpack can detect anti-debugging code chunks, dump memory, and unpack the packed files. To verify the effectiveness of x64Unpack, experiments were conducted on the obfuscation tools: UPX 3.95, MPRESS 2.19, Themida 2.4.6, and VMProtect 3.4. Especially, VMProtect and Themida are considered as some of the most complex commercial packers in 64bit Windows environments. Experimental results show that x64Unpack correctly emulates the packed executable files and successfully produces the unpacked version. Based on this, we provide the detailed analysis results on the obfuscated executable file that was generated by VMProtect 3.4.

show abstract

Building Deobfuscated Applications from Polymorphic Binaries

Crăciun

Mogage

2022

Innovative Security Solutions for Information Technology and Communications

View full text Add to dashboard Cite

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Cited by 11 publications

References 16 publications

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

x64Unpack: Hybrid Emulation Unpacker for 64-bit Windows Environments and Detailed Analysis Results on VMProtect 3.4

Building Deobfuscated Applications from Polymorphic Binaries

Contact Info

Product

Resources

About