Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Jinxin Ma,Zhoujun Li,Chaojian Hu

DOI: https://doi.org/10.1109/cicn.2012.216

2012-01-01

Abstract:Disassembly is the preparative and crucial phase in reverse engineering and it helps people obtain the high-level semantics of binaries. However, considerable obfuscation technologies are presented to prevent the binary from the disassembler for the benefit and safety consideration. Unfortunately, hackers also could disguise their malware with obfuscation to escape the detection. Therefore, substantial literatures are published to thwart the obfuscation. Without discussing which side is legitimate conceptually, the paper proposed a measure to improving the disassembly result especially for the obfuscated binaries. By adopting some brilliant thought from the preceding publications, the paper presented several solutions to improve the result. A novel technique of verification stack pointer which is utilized to distinguish the bounds of functions, moreover, bytes-based pattern matching assist the disassembler to construct intra-procedural control flow graph dramatically. An implementation is designed and developed with the technology and considerable evaluations were taken on it. An example was provided in the evaluation section and it turned out that our disassembler could perform effectively and accurately.

Weiping WEN,Han ZHANG,Xianglei CAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.05.011

2016-01-01

Abstract:With the rapid development of mobile intelligent terminals, Android operating system has become one of the most widely used mobile intelligent operating systems in the world. Java is famous for its features of good cross-platform, high efficiency and a large amount of developers, therefore the designers of Android choose Java as the system development language. The characteristics of the Java language make Java program easy be decompiled by decompilation tools and be analyzed, which makes Android applications face great risks. This paper focuses on the study of code obfuscation technology for the purpose of protecting Android applications, improving the dififculty of the attacker's reverse analysis and adding no extra time cost for the execution of the program. Based on Android executable ifle reorganization, this paper designs and implements a kind of Android obfuscation tool and carries out test and performances analysis. This Android obfuscation tool enhances the security of Android applications, protects Android applications developers' intellectual property rights, and avoids reverse analysis, piracy and malicious tampering to Android applications to a certain extent.

尚涛,谷大武

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.12.043

2009-01-01

Abstract:In order to protect the property of software,according to the characteristics of general disassembly algorithms,this paper provided code overlap,jumping address redirection and obfuscation of control flow etc.several approaches in code obfuscation technologies.These approaches are able to make the disassembly process go away,and misdirect the adversaries' comprehension to programs,consequently enhance the software's resistance to disassembly,thus preventing the software from reverse analysing and protecting its property effectively.

Robin David,Sébastien Bardin,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1612.05675

2016-12-17

Abstract:Software deobfuscation is a crucial activity in security analysis and especially, in malware analysis. While standard static and dynamic approaches suffer from well-known shortcomings, Dynamic Symbolic Execution (DSE) has recently been proposed has an interesting alternative, more robust than static analysis and more complete than dynamic analysis. Yet, DSE addresses certain kinds of questions encountered by a reverser namely feasibility questions. Many issues arising during reverse, e.g. detecting protection schemes such as opaque predicates fall into the category of infeasibility questions. In this article, we present the Backward-Bounded DSE, a generic, precise, efficient and robust method for solving infeasibility questions. We demonstrate the benefit of the method for opaque predicates and call stack tampering, and give some insight for its usage for some other protection schemes. Especially, the technique has successfully been used on state-of-the-art packers as well as on the government-grade X-Tunnel malware -- allowing its entire deobfuscation. Backward-Bounded DSE does not supersede existing DSE approaches, but rather complements them by addressing infeasibility questions in a scalable and precise manner. Following this line, we propose sparse disassembly, a combination of Backward-Bounded DSE and static disassembly able to enlarge dynamic disassembly in a guaranteed way, hence getting the best of dynamic and static disassembly. This work paves the way for robust, efficient and precise disassembly tools for heavily-obfuscated binaries.

Cryptography and Security,Software Engineering

Zeliang Kan,Haoyu Wang,Lei Wu,Yao Guo,Guoai Xu

DOI: https://doi.org/10.1109/icse-companion.2019.00135

2019-01-01

Abstract:In this paper, we propose an automated approach to facilitate the deobfuscation of Android native binary code. Specifically, given a native binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), our deobfuscation system is capable of recovering the original Control Flow Graph. To the best of our knowledge, it is the first work that aims to tackle the problem. We have applied our system in different scenarios, and the experimental results demonstrate the effectiveness of our system based on generic similarity comparison metrics.

FU Jian-jing,WANG Ke

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.012

2010-01-01

Abstract:A compiler built-in obfuscating technology was developed in order to protect software intellectual property and keep from reverse engineering and static analysis. A crossing control-flow code obfuscation technology and the corresponding compiling solution were presented. The control crossing principle of If statement and While loop statement were given out,which produced the control blocks of multi-level exit and entry,so the code control flow became more complicated. Meanwhile,the protected code block was placed in the crossing control blocks to conceal the true control flow. Then the automatic anti-compile can be effectively prevented and the difficulty of software analysis was enhanced. Because the crossing control-flow in source code level cannot be passed by compiler,a compatible compiling method of built-in functions was presented,which made programming simple and safe. The simulation and analysis results indicated that the technology had good protection effect for source code; the target code was slightly increased after compiled,and its running efficiency was almost not affected.

秦青文,王戟,孙旭光,梅文华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.029

2008-01-01

Abstract:Binary program transformation has played an important role in reverse program analysis.This paper proposes a program transformation method.In the method,machine code is first disassembled by IDA Pro.Along with rules and optimizing strategies,the program is transformed to intermediate language.The deterministic finite automata and context-free grammars are designed to parse assembly language,and the code optimization theory is also included in dataflow analysis.The intermediate language has a good readability,generality and comprehensibility.After transformation,the code contracts dramatically.The technique described can run automatically,which effectively reduce the amount of time in solving software analysis problems and debugging executable programs.A transform instance using this technique is presented.

Christian Collberg,Clark Thomborson,Douglas Low

1997-01-01

Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering....

Jing Qiu,Xiao Hong Su,Pei Jun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amr.989-994.1782

2014-01-01

Advanced Materials Research

Abstract:Instruction traces are essential for dynamic analysis in reverse engineering. Code in instruction traces is often obfuscated to hinder analysts from understanding and analyzing in malware and binaries that protected by packers. Non-returning calls and call-stack tampering are two typical kinds of such obfuscation. We propose a deobfuscation approach to fight against these two kinds of obfuscated code. We first apply static analysis on instruction traces to identify obfuscated code. Then we transform obfuscated code into semantically equivalent instructions to make the code be easy to understand. Evaluations results on some packed binaries indicate that our approach works well in deobfuscate instruction traces with non-returning calls and call-stack tampering in high precision.

Kan Zeliang,Wang Haoyu,Wu Lei,Guo Yao,Luo Daniel Xiapu

2019-01-01

Abstract: With the popularity of Android apps, different techniques have been proposed to enhance app protection. As an effective approach to prevent reverse engineering, obfuscation can be used to serve both benign and malicious purposes. In recent years, more and more sensitive logic or data have been implemented as obfuscated native code because of the limitations of Java bytecode. As a result, native code obfuscation becomes a great obstacle for security analysis to understand the complicated logic. In this paper, we propose DiANa, an automated system to facilitate the deobfuscation of native binary code in Android apps. Specifically, given a binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), DiANa is capable of recovering the original Control Flow Graph. To the best of our knowledge, DiANa is the first system that aims to tackle the problem of Android native binary deobfuscation. We have applied DiANa in different scenarios, and the experimental results demonstrate the effectiveness of DiANa based on generic similarity comparison metrics.

C Collberg,C Thomborson,D Low

DOI: https://doi.org/10.1109/ICCL.1998.674154

1998-01-01

Abstract:To ensure platform independence, mobile programs are distributed in forms that are isomorphic to the original source code. Such codes are easy to decompile, and hence they increase the risk of malicious reverse engineering attacks.Code obfuscation is one of several techniques which has been proposed to alleviate this situation. An obfuscator is a tool which - through the application of code transformations - converts a program into an equivalent one that is more difficult to reverse engineer:In a previous paper [5] Me have described the design of a control flow obfuscator for Java. In this paper,ve extend the design with transformations that obfuscate data structures and abstractions. In particular; we shore how to obfuscate classes, arrays, procedural abstractions and built-in data types like strings, integers, and booleans.

Eric Filiol

DOI: https://doi.org/10.48550/arXiv.1009.4000

2010-09-21

Abstract:Fighting against computer malware require a mandatory step of reverse engineering. As soon as the code has been disassemblied/decompiled (including a dynamic analysis step), there is a hope to understand what the malware actually does and to implement a detection mean. This also applies to protection of software whenever one wishes to analyze them. In this paper, we show how to amour code in such a way that reserse engineering techniques (static and dymanic) are absolutely impossible by combining malicious cryptography techniques developped in our laboratory and new types of programming (k-ary codes). Suitable encryption algorithms combined with new cryptanalytic approaches to ease the protection of (malicious or not) binaries, enable to provide both total code armouring and large scale polymorphic features at the same time. A simple 400 Kb of executable code enables to produce a binary code and around $2^{140}$ mutated forms natively while going far beyond the old concept of decryptor.

Cryptography and Security

Junyuan Zeng,Yangchun Fu,Kenneth A. Miller,Zhiqiang Lin,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.1145/2508859.2516664

2013-01-01

Abstract:With the wide existence of binary code, it is desirable to reuse it in many security applications, such as malware analysis and software patching. While prior approaches have shown that binary code can be extracted and reused, they are often based on static analysis and face challenges when coping with obfuscated binaries. This paper introduces trace-oriented programming (TOP), a general framework for generating new software from existing binary code by elevating the low-level binary code to C code with templates and inlined assembly. Different from existing work, TOP gains benefits from dynamic analysis such as resilience against obfuscation and avoidance of points-to analysis. Thus, TOP can be used for malware analysis, especially for malware function analysis and identification. We have implemented a proof-of-concept of TOP and our evaluation results with a range of benign and malicious software indicate that TOP is able to reconstruct source code from binary execution traces in malware analysis and identification, and binary function transplanting.

Yu-jia ZHANG,Jian-min PANG,Zheng ZHANG,Jiang-xing WU

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.02.037

2018-01-01

Abstract:With the development of reverse engineering,the software industry has suffered a great loss from the software piracy and malicious attack for a long time.Code obfuscation techniques which can hide specific function of a program from malicious analysis for malware is thus frequently employed to mitigate this risk.However,most of the existing obfuscation methods are language embedded and depend on the target architecture,this paper proposed a method of compile-time obfuscation,and further presented a prototype implementedation based on the LLVM compiler infrastructure.Furthermore,this paper implemented a mimic security defence system which is free from malicious attack with the software diversity method.

Jie Lin,Chuanyi Liu,Xinyi Zhang,Rongfei Zhuang,Binxing Fang

DOI: https://doi.org/10.1109/dsc.2019.00086

2019-01-01

Abstract:Virtual machine protection is an advanced anti-reverse packing technology. This paper presents a framework for automatic analysis of binary packed by virtual machine protection software. Using multi-granularity dynamic instrumentation to trace binary can effectively record instruction execution and value changes in memory and register. Symbol execution is used to simplify assembly instructions and filter invalid instructions. The experimental results show that the method presented in this paper can effectively assist reverse engineers in the analysis of packed program by virtual machine protection.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

Zheheng Liang,Wenlin Li,Jing Guo,Deyu Qi,Jijun Zeng

DOI: https://doi.org/10.1109/PIC.2017.8359575

2017-01-01

Abstract:In order to enhance the white box security of software, we proposed a reduplicate code obfuscation algorithm to protect the source code. Firstly, we apply the parameter decomposition tree to formalize the code, and then we utilize flattening control flow system to decompose the source code into a multi-branch WHILE-SWITCH loop structure. Finally, we apply opaque predicates to obfuscate the flattened code for the secondary obfuscation. In this paper, opaque predicate code representation and different methods of inserting opaque predicates into program braches and sequence blocks were given. Experiments has been made to compare time-space cost of source code and obfuscated code. The results demonstrate that the proposed algorithm can improve code's anti-attack ability, increasing the difficulty of reverse engineering as well.

Peihua Zhang,Chenggang Wu,Mingfan Peng,Kai Zeng,Ding Yu,Yuanming Lai,Yan Kang,Wei Wang,Zhe Wang

DOI: https://doi.org/10.48550/arXiv.2301.11586

2023-01-27

Cryptography and Security

Abstract:Software obfuscation techniques can prevent binary diffing techniques from locating vulnerable code by obfuscating the third-party code, to achieve the purpose of protecting embedded device software. With the rapid development of binary diffing techniques, they can achieve more and more accurate function matching and identification by extracting the features within the function. This makes existing software obfuscation techniques, which mainly focus on the intra-procedural code obfuscation, no longer effective. In this paper, we propose a new inter-procedural code obfuscation mechanism Khaos, which moves the code across functions to obfuscate the function by using compilation optimizations. Two obfuscation primitives are proposed to separate and aggregate the function, which are called fission and fusion respectively. A prototype of Khaos is implemented based on the LLVM compiler and evaluated on a large number of real-world programs including SPEC CPU 2006 & 2017, CoreUtils, JavaScript engines, etc. Experimental results show that Khaos outperforms existing code obfuscations and can significantly reduce the accuracy rates of five state-of-the-art binary diffing techniques (less than 19%) with lower runtime overhead (less than 7%).

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.