Summary: | This report addresses the de-obfuscation of programs. The targeted obfuscation scheme is control flow flattening, an obfuscation method that focuses on hiding the control flow of a program. This scheme introduces a special block, named the dispatcher, into the program. The control flow of the program is reconstructed so that it is directed back to the dispatcher whenever the execution of a basic block ends. As a result, in the flattened program each basic block could be recognized as a predecessor or a successor of any other basic block, while the real control flow of the program is disclosed only during its execution. This report aims to remove the dispatcher added to the flattened program and rebuild the control flow of the original program. To achieve these targets, this report presents a de-obfuscation model based on the Control Flow Graph of an obfuscated program. The de-flattening model makes use of both static analysis and dynamic analysis. The de-flattening model primarily relies on execution paths, which are obtained by executing a program dynamically. The idea is that, after the dispatcher block is eliminated from the execution paths, the real control flow of the original program is disclosed. Based on these real execution paths, the control flow of the program without obfuscation can then be constructed. In order to obtain the full program structure, we need to gather execution paths that result in full coverage of the program. With dynamic analysis alone, this can hardly be achieved. Therefore, static analysis is introduced. In the de-flattening model, the execution paths within a program are computed with the assistance of dynamic execution path analysis, which is a study to statically compute the feasible paths in a program by solving logical formulas obtained during the exploration of the program code.
With this static analysis method, the model is adequate to reverse the flattened program to its original structure. The obfuscated programs are distributed as binaries, and our research provides insights into de-obfuscation on binaries directly. In addition, the de-flattening result obtained in the report is valuable for improving existing code obfuscation techniques.
|
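The path-based idea in the summary, as an added example that is not code from the report: it locates the dispatcher in recorded execution paths, removes it, and merges the remaining transitions into a control flow graph. It assumes the dispatcher is a single block and that the paths have already been collected; the block labels and the two traces are constructed for illustration.

```python
from collections import defaultdict

# Constructed execution paths: block labels in visit order for two runs of a
# flattened program. Labels and the name "D" for the dispatcher are made up.
TRACES = [
    ["entry", "D", "A", "D", "B", "D", "exit"],
    ["entry", "D", "A", "D", "C", "D", "A", "D", "B", "D", "exit"],
]

def edges(trace):
    """Consecutive (source, destination) pairs of one execution path."""
    return list(zip(trace, trace[1:]))

def find_dispatcher(traces):
    """The dispatcher is the one block that takes part in every transition."""
    candidates = {block for trace in traces for block in trace}
    for trace in traces:
        for src, dst in edges(trace):
            candidates &= {src, dst}
    if len(candidates) != 1:
        raise ValueError(f"no unique dispatcher, candidates: {sorted(candidates)}")
    return candidates.pop()

def build_cfg(traces, skip=None):
    """Merge paths into a successor map, dropping block `skip` if given."""
    cfg = defaultdict(set)
    for trace in traces:
        path = [b for b in trace if b != skip]
        for src, dst in edges(path):
            cfg[src].add(dst)
    return {block: sorted(succs) for block, succs in cfg.items()}

def deflatten(traces):
    """Remove the dispatcher from every path and rebuild the real CFG."""
    return build_cfg(traces, skip=find_dispatcher(traces))

if __name__ == "__main__":
    print("flattened :", build_cfg(TRACES))
    print("one path  :", deflatten(TRACES[:1]))
    print("both paths:", deflatten(TRACES))
```

The first trace alone recovers only a straight line through the program; the loop through C appears only once the second path is merged in, which is the coverage problem the summary assigns to path analysis.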