Automatic Binary Deobfuscation

This paper gives an overview of our research in the automation of the process of software protection analysis. We will focus more particularly on the problem of obfuscation.

Our current approach is based on a local semantic analysis, which aims to rewrite the binary code in a simpler (easier to understand) way. This approach has the advantage of not relying on a manual search for patterns of obfuscation. This way of manipulating the code is, at the end, quite similar to the optimising stage of most of compilers. We will exhibit concrete results based on the development of a prototype and its application to a test target. Current limitations and future prospects will be discussed in as well.

As a continuation of our work from last year, we focus on the automation of the software protection analysis process. We will focus more particularly on the problem of obfuscation.

This problem is crucial as most malicious binaries (like viruses or trojans) use this kind of protection to slow down their analysis and to make their detection harder. Automation is a key step in order to face the constant growth of the amount of malware, year after year.

Our previous paper was mainly focused on the attack and suppression of protection mechanisms using the Metasm framework. It provides many useful primitives to deal with protected code: control flow graph manipulation, recompilation, filtering processor, nevertheless most of these approaches rely on a tedious work of manual identification of the patterns used by the protection.

We will now present the development of our new methods, relying on a semantic analysis of the binary code to extract a simpler representation. The objective is no longer to seek and destroy known patterns, but to proceed to a complete, on-the-fly, optimised code rewriting.

We will exhibit concrete results obtained by applying these methods to a test target. Then, current limitations and future prospects will be discussed.