
Automatic binary deobfuscation

Yoann Guillot, Alexandre Gazet
2009 Journal in Computer Virology  
This way of manipulating the code is, at the end, quite similar to the optimising stage of most of compilers.  ...  Our current approach is based on a local semantic analysis, which aims to rewrite the binary code in a simpler (easier to understand) way.  ...  Our results are definitively positive, in particular for code deobfuscation; however, we have to put them back in their context.  ... 
doi:10.1007/s11416-009-0126-4 fatcat:id4o3b5ee5hcpj2ivkc47dogcy

SATURN – Software Deobfuscation Framework Based on LLVM [article]

Peter Garba, Matteo Favaro
2019 arXiv   pre-print
We show how binary code can be lifted back into the compiler intermediate language LLVM-IR and explain how we recover the control flow graph of an obfuscated binary function with an iterative control flow  ...  In this paper we discuss a generic approach for deobfuscation and recompilation of obfuscated code based on the compiler framework LLVM.  ...  Right now we are concretizing the stack pointer to be able to retrieve the stack slots, but we think that we could change this step to be based on a completely symbolic approach.  ... 
arXiv:1909.01752v2 fatcat:4jypll2xnngttj5jrfpakt3doy

Twinner: A Framework for Automated Software Deobfuscation

Behnam Momeni, Mehdi Kharrazi
2019 Scientia Iranica. International Journal of Science and Technology  
As the analysis methods have evolved, malware authors have adopted more techniques such as the virtualization obfuscation to protect the malware inner workings.  ...  This makes it possible to find hidden logics and deobfuscate different obfuscation techniques without being dependent on their specific details.  ...  The resulting twincode has a CFG similar to that of the original code.  ... 
doi:10.24200/sci.2019.21601 fatcat:u3ws4x73ujf6vdayzpbzfni72m

Towards Generic Deobfuscation of Windows API Calls [article]

Vadim Kotov, Michael Wojnowicz
2020 arXiv   pre-print
The technique utilizes symbolic execution and hidden Markov models to predict API names from the arguments passed to the API functions.  ...  To complicate the reverse engineering of their programs, malware authors deploy API obfuscation techniques, hiding them from analysts' eyes and anti-malware scanners.  ...  Originally created to improve code coverage for software testing [11] , symbolic execution has applications in security, 3 For simplicity we ignore side effects in this example.  ... 
arXiv:1802.04466v2 fatcat:yo36wwxzkbh4jb64262y3jqdwq

A Comparative Study on Optimization, Obfuscation, and Deobfuscation tools in Android

Geunha You, Gyoosik Kim, Seong-je Cho, Hyoil Han
2021 Journal of Internet Services and Information Security  
Code obfuscation transforms a program and makes its code more difficult for a human to understand, which protects the code from reversing engineering.  ...  The deobfuscated code is easier to understand with less analysis time compared to the obfuscated one.  ...  DeGuard could not recover the final 20.9% of symbols, due to mis-deobfuscated symbols different from their original symbols or due to failed obfuscation where the obfuscated symbols remain.  ... 
doi:10.22667/jisis.2021.02.28.002 dblp:journals/jisis/YouKCH21 fatcat:wfnipslpgvgwvhmyxkulvxcq4i

Symbolic Execution of Obfuscated Code

Babak Yadegari, Saumya Debray
2015 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15  
However, malicious code tend to very often be obfuscated, and current concolic analysis techniques have trouble dealing with some of these obfuscations, leading to imprecision and/or excessive resource  ...  Symbolic and concolic execution find important applications in a number of security-related program analyses, including analysis of malicious code.  ...  code program, and those arising from a different input to the original byte code program.  ... 
doi:10.1145/2810103.2813663 dblp:conf/ccs/YadegariD15 fatcat:wyon46tkbvgcxlk2wpwuutkdiy

Symbolic Execution and Debugging Synchronization [article]

Andrea Fioraldi
2020 arXiv   pre-print
into a symbolic executor in order to automatically identify the input values required to reach a target point in the code.  ...  After that, the user can also transfer back the correct input values found with symbolic execution in order to continue the debugging.  ...  Symbolic execution is used for different tasks, varying from deobfuscation to vulnerability detection and automatic exploit generation.  ... 
arXiv:2006.16601v1 fatcat:mj4bfsbrmja3dc6dryoqhd4kpu

Combating Control Flow Linearization [chapter]

Julian Kirsch, Clemens Jonischkeit, Thomas Kittel, Apostolis Zarras, Claudia Eckert
2017 IFIP Advances in Information and Communication Technology  
We evaluate both the performance and size overhead of CFL as well as the feasibility of our approach to deobfuscation.  ...  In an extreme case, this means that the obfuscated program degenerates to one singular basic block, while still preserving its original semantics.  ...  Acknowledgements The research was supported by the German Federal Ministry of Education and Research under grant 16KIS0327 (IUNO).  ... 
doi:10.1007/978-3-319-58469-0_26 fatcat:4ath4qcc2vhezhbvli74i2exnu

VMAttack

Anatoli Kalysch, Johannes Götzfried, Tilo Müller
2017 Proceedings of the 12th International Conference on Availability, Reliability and Security - ARES '17  
VMAttack is currently limited to stack-based virtual machines like VMProtect.  ...  Using static analysis, complex bytecode sequences of the VM are mapped to easy-to-read pseudocode instructions, based on an intermediate representation specifically designed for stack-based virtual machines  ...  We also want to thank Prof. Dr.-Ing. Felix Freiling for his helpful comments on this paper.  ... 
doi:10.1145/3098954.3098995 dblp:conf/IEEEares/KalyschGM17 fatcat:h55th7umozgajobnhf2e7n65je

A Survey of Symbolic Execution Techniques [article]

Roberto Baldoni, Emilio Coppa, Daniele Cono D'Elia, Camil Demetrescu, Irene Finocchi
2018 arXiv   pre-print
Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs.  ...  Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations  ...  Two scenarios arise: (1) From concrete to symbolic and back: the arguments of B are made symbolic and B is explored symbolically in full.  ... 
arXiv:1610.00502v3 fatcat:zez6xtyiuna6rgv7ola3nzxmty

A Survey of Symbolic Execution Techniques

Roberto Baldoni, Emilio Coppa, Daniele Cono D'elia, Camil Demetrescu, Irene Finocchi
2018 ACM Computing Surveys  
Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs.  ...  Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations  ...  Two scenarios arise: (1) From concrete to symbolic and back: the arguments of B are made symbolic and B is explored symbolically in full.  ... 
doi:10.1145/3182657 fatcat:h6kadibzkvevxa3lgzdtdokq74

BinRec

Anil Altinay, Joseph Nash, Taddeus Kroes, Prabhu Rajasekaran, Dixin Zhou, Adrian Dabrowski, David Gens, Yeoul Na, Stijn Volckaert, Cristiano Giuffrida, Herbert Bos, Michael Franz
2020 Proceedings of the Fifteenth European Conference on Computer Systems  
In this paper, we present BinRec, a new approach to heuristic-free binary recompilation which lifts dynamic traces of a binary to a compiler-level intermediate representation (IR) and lowers the IR back  ...  This enables BinRec to apply rich program transformations, such as compiler-based optimization passes, on top of the recovered representation.  ...  Acknowledgments We thank our shepherd and the anonymous reviewers for their feedback. This material is based upon work partially supported by the Defense  ... 
doi:10.1145/3342195.3387550 dblp:conf/eurosys/AltinayNKRZDGNV20 fatcat:luiav7fu7zgtlahwcpt6wvkp3a

Drndalo: Lightweight Control Flow Obfuscation Through Minimal Processor/Compiler Co-Design [article]

Novak Boskov, Mihailo Isakov, Michel A. Kinsy
2019 arXiv   pre-print
However, the same technique may be employed by an attacker to analyze the original binaries in order to reverse engineer them and extract exploitable weaknesses.  ...  When a binary is distributed to end users, it becomes a common remotely exploitable attack point. Code obfuscation is used to hinder reverse engineering of executable programs.  ...  According to the mechanics used for restoring the original program from the obfuscated code and the secret key, we outline two families of in-software deobfuscation procedures: JIT-based deobfuscation.  ... 
arXiv:1912.01560v1 fatcat:34pudt4opngi5nw2x6tfzzkoqe

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation [article]

Pietro Borrello, Emilio Coppa, Daniele Cono D'Elia
2021 arXiv   pre-print
The results suggest a significant amount of computational resources would be required to carry a deobfuscation attack for secret finding and code coverage goals.  ...  We show how to build chains that can withstand popular static and dynamic deobfuscation approaches, evaluating the robustness and overheads of the design over common programs.  ...  it from the location of the original code block.  ... 
arXiv:2012.06658v2 fatcat:3pa76iqkarh7xg34cjck62vkqi

Syntia: Synthesizing the Semantics of Obfuscated Code

Tim Blazytko, Moritz Contag, Cornelius Aschermann, Thorsten Holz
2017 USENIX Security Symposium  
Current state-of-the-art deobfuscation approaches operate on instruction traces and use a mixed approach of symbolic execution and taint analysis; two techniques that require precise analysis of the underlying  ...  As program synthesis can synthesize code of arbitrary code complexity, it is only limited by the complexity of the underlying code's semantic.  ...  Acknowledgments We thank the reviewers for their valuable feedback.  ... 
dblp:conf/uss/BlazytkoCAH17 fatcat:2nayu7gzynf2fog4todzpbyzqa