An Approach to Reconstruction of Control Flow of an Obfuscated Program
Abstract
Control flow obfuscation is one of the most widespread methods used to protect application binary code from analysis. Obfuscating transformations dramatically increase the difficulty of separating and recognizing the algorithm and data structures. This paper provides a short survey of obfuscating transformations and tools, focusing on control flow obfuscations such as opaque predicates, dispatchers and code virtualization. Our research concentrates on de-obfuscation based on dynamic binary code analysis. An approach to locating potentially opaque predicates and accompanying obfuscations (such as dead and redundant code insertion) in a program trace is given. The main idea underlying the described method of opaque predicate detection is extraction of the predicate code via dynamic program slicing. Next, we apply heuristics to automatically reduce the predicate list, and our tool then provides the analyst with information about the potentially opaque predicates found in the application binary code.
Another control flow obfuscation handled by the described tool is code virtualization. The algorithm for control flow graph recovery of virtualized code is based on virtual program counter analysis. The corresponding tool was implemented and successfully tested on several applications protected by various virtualization obfuscators (VMProtect, CodeVirtualizer, Safengine, etc.). The experimental results described in this paper demonstrate the practical applicability of the implemented method to de-obfuscating virtualized applications.
About the Authors
Ilya N. Ledovskikh
Russian Federation
Maxim G. Bakulin
Russian Federation
For citations:
Ledovskikh I.N., Bakulin M.G. An Approach to Reconstruction of Control Flow of an Obfuscated Program. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2012;22. (In Russ.)