Automatic binary deobfuscation

  • Original Paper
  • Journal in Computer Virology

Abstract

This paper gives an overview of our research into automating the analysis of software protections. We focus more particularly on the problem of obfuscation. Our current approach is based on a local semantic analysis, which aims to rewrite the binary code in a simpler (easier to understand) form. This approach has the advantage of not relying on a manual search for “patterns” of obfuscation. This way of manipulating the code is, in the end, quite similar to the optimising stage of most compilers. We present concrete results based on the development of a prototype and its application to a test target. Current limitations and future prospects are discussed as well.
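The abstract's core idea, rewriting a block by its local semantics rather than by matching known junk patterns, as an added toy example (this is not code from the paper or from the authors' Metasm tool; the three-address instruction form, the supported instruction subset and the junk block are constructed for illustration):

```python
MASK = 0xFFFFFFFF  # toy 32-bit registers

def fold(op, x, c):
    """Build op(x, c) for a constant c, folding it into what x already is."""
    if c == 0:                      # add 0 / xor 0 are identities
        return x
    if x[0] == "const":             # constant folding
        return ("const", (x[1] + c if op == "add" else x[1] ^ c) & MASK)
    if x[0] == op:                  # add(add(y,c1),c2) -> add(y,c1+c2); likewise xor
        return fold(op, x[1], (x[2] + c if op == "add" else x[2] ^ c) & MASK)
    return (op, x, c)

def symbolic_exec(block):
    """Run a block on symbolic registers (toy forms: mov r,r|imm; add/sub/xor r,imm)."""
    state = {}  # absent register == its initial value ("reg", name)
    def val(s):
        return ("const", s & MASK) if isinstance(s, int) else state.get(s, ("reg", s))
    for op, dst, src in block:
        if op == "mov":
            state[dst] = val(src)
        elif op in ("add", "sub", "xor") and isinstance(src, int):
            c = (-src if op == "sub" else src) & MASK   # sub c == add -c mod 2^32
            state[dst] = fold("xor" if op == "xor" else "add", val(dst), c)
        else:
            raise ValueError(f"unsupported instruction: {op} {dst}, {src}")
    return {r: e for r, e in state.items() if e != ("reg", r)}  # only real changes

def reads(e):
    """Initial registers an expression depends on."""
    return {e[1]} if e[0] == "reg" else (reads(e[1]) if e[0] in ("add", "xor") else set())

def lower(dst, e):
    """Emit the shortest instruction sequence computing e into dst."""
    if e[0] in ("const", "reg"):
        return [] if e == ("reg", dst) else [("mov", dst, e[1])]
    return lower(dst, e[1]) + [(e[0], dst, e[2])]

def simplify(block):
    """Rewrite a block into an equivalent, simpler one (or return it unchanged)."""
    pending, out = symbolic_exec(block), []
    while pending:
        # dst may be written once no *other* pending write still reads its initial value
        safe = [d for d in pending if not any(d in reads(e) for r, e in pending.items() if r != d)]
        if not safe:
            return list(block)  # cyclic dependency (e.g. a register swap): leave the block alone
        out += lower(safe[0], pending.pop(safe[0]))
    return out

# Constructed junk block: the xor pair and the add/sub pair cancel, the mov/add folds
JUNK = [("mov", "eax", "ebx"), ("xor", "eax", 0x1234), ("add", "ecx", 7),
        ("xor", "eax", 0x1234), ("sub", "ecx", 7), ("mov", "edx", 0x10), ("add", "edx", 0x20)]
```

`simplify(JUNK)` collapses the seven instructions to `mov eax, ebx; mov edx, 0x30` without ever being told what the junk looked like; a block whose writes form a dependency cycle is returned untouched rather than mis-ordered.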

Author information

Corresponding author

Correspondence to Alexandre Gazet.

Cite this article

Guillot, Y., Gazet, A. Automatic binary deobfuscation. J Comput Virol 6, 261–276 (2010). https://doi.org/10.1007/s11416-009-0126-4
