Tuts 4 You
https://www.blackhat.com/us-21/briefings/schedule/index.html#greybox-program-synthesis-a-new-approach-to-attack-dataflow-obfuscation-22930
 

Quote

 

Obfuscation is getting broadly adopted for a wide range of applications and especially to protect intellectual property (IP) in the mobile ecosystem (Android, iOS) and embedded systems at large. It is now ubiquitous, and everyone is unwillingly and unknowingly executing obfuscated code. Throughout its adoption it has also gained maturity and potency, making assessing such protection incrementally harder.

It is used in a variety of contexts from malware to famous and widely used mobile applications. In either case, the goal is to protect software secrets, communication protocol, APIs, and its inner working from reverse engineering. Thus, finding new ways to defeat evolving obfuscation schemes is getting more and more important in this endless cat and mouse game.

This talk presents the latest advances in program synthesis applied for deobfuscation. It aims at demystifying this analysis technique by showing how it can be put into action on obfuscation. Especially the implementation Qsynthesis released for this talk shows a complete end-to-end workflow to deobfuscate assembly instructions back into optimized (deobfuscated) instructions reassembled back into the binary.

More specifically the talk presents the greybox synthesizer developed combining two core components, an I/O-based black-box synthesis using precomputed tables and a white-box AST search algorithm backed by symbolic execution. This new approach provides a very good trade-off between accuracy and speed. Various experiments to improve it like expression linearization, expression learning or table evaluation JITing will be presented with both their strengths and weaknesses to address obfuscation schemes attacked.

Among existing schemes to impede program understanding, we show results obtained on various transformations like Mixed-Boolean-Arithmetic (MBA), arithmetic encoding, or virtualization that originates from multiple obfuscators like Tigress, YANSOllvm, or commercial applications.

Finally, we will highlight limitations of the approach, open research problems yielded, and various insights on how to improve the algorithm to bypass roadblocks in order to better leverage program synthesis for deobfuscation.

 

 

code: https://github.com/quarkslab/qsynthesis

documentation: https://quarkslab.github.io/qsynthesis/

demo: https://www.youtube.com/watch?v=AwZs56YajJw

slides: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf

whitepaper: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf

 

Edited by deepzero

...yeah Tigress, anyone seen this one used in a single software?
