Control flow flattening deobfuscation using symbolic execution | Applied Discrete Mathematics. Supplement. 2021. № 14. DOI: 10.17223/2226308X/14/29

Control flow flattening deobfuscation using symbolic execution

Control Flow Flattening obfuscation method replaces jumps in program code (both conditional and unconditional) with a jump to a dispatcher block, which determines the real control flow. It complicates reverse engineering of the program, because researcher can't easily say which block of code will be executed after another one. In the paper, we propose the algorithm which recovers the original control flow for given obfuscated program. This algorithm is based on symbolic execution, which helps us to find all possible triples (ai, xi, bi), where ai is the address from which the dispatcher was reached, xi is the value of the control register at which the jump to address bi occurs. Then the set of triples is converted to the set of patches to the original program. In comparison with other algorithms, this algorithm doesn't imply any restrictions on the structure of obfuscated functions, but also doesn't affect anything except the control flow.

Download file
Counter downloads: 30

Keywords

reverse engineering, symbolic execution, obfuscation, control flow flattening

Authors

NameOrganizationE-mail
Lebedev V. V.National Research Tomsk State Universityd3fl4t3@gmail.com
Всего: 1

References

Shoshitaishvili Y., Wang R., Salls C., etal. SOK: (State of) The art ofwar: Offensive techniques in binary analysis // IEEE Symp. Security Privacy. 2016. P. 138-157.
Kan Z., Wang H., Wu L., et al. Automated Deobfuscation of Android Native Binary Code. 2020. https://arxiv.org/pdf/1907.06828.pdf.
Peter Garba, Matteo Favaro SATURN - software deobfuscation framework based on LLVM // 3rd Intern. Workshop Software Protection, Nov 2019, London. https://arxiv.org/abs/1909. 01752.
Wang C., Hill J., Knight J., and Davidson J. Software Tamper Resistance: Obstructing Static Analysis of Programs. Technical Report. University of Virginia, USA, 2000.
Boyer R. S., Elspas B., and Levitt K. N. SELECT - a formal system for testing and debugging programs by symbolic execution // Proc. Intern. Conf. Reliable Software. Los Angeles, California: Association for Computing Machinery, 1975. P. 234-245.
 Control flow flattening deobfuscation using symbolic execution | Applied Discrete Mathematics. Supplement. 2021. № 14. DOI: 10.17223/2226308X/14/29

Control flow flattening deobfuscation using symbolic execution | Applied Discrete Mathematics. Supplement. 2021. № 14. DOI: 10.17223/2226308X/14/29

Download full-text version
Counter downloads: 507