Control Flow Deobfuscation Via Abstract Interpretation
Abstract Interpretation
© Rolf Rolles, 2010
Obfuscated Target Example
1-3: Manipulations to ss are anti-debugging
4-5: edx = flags
6: Mask off everything but TF
7-8: Shift TF into ZF position
9: Push flags again
10: Mask off ZF from #9
11: OR flags with the TF in the ZF position
12: Restore flags
13: JZ false_branch (if TF was set)
Jump is taken if the code is being traced, not taken if the code is not being traced.
Obfuscated Control Flow Graph
We focus on #1.
A Syntactic Pattern for this Construct
BOOL3 truth tables (½ = unknown):

OR  | 0 | ½ | 1
----+---+---+---
0   | 0 | ½ | 1
½   | ½ | ½ | 1
1   | 1 | 1 | 1

NOT | 0 | ½ | 1
----+---+---+---
    | 1 | ½ | 0
A BOOL3-bitvector A (its value recovered from the three shifted forms): ½ 0 1 ½ 0 1 ½ 0
A << 1:  0 1 ½ 0 1 ½ 0 0
A >> 1:  0 ½ 0 1 ½ 0 1 ½
A SAR 1: ½ ½ 0 1 ½ 0 1 ½
Integer Operations: Unsigned Multiplication
• Consider B = A * 0x1230
• 0x1230 = 0001 0010 0011 0000
• = 2^12 + 2^9 + 2^5 + 2^4
• => B = A * (2^12 + 2^9 + 2^5 + 2^4)
• => B = A * 2^12 + A * 2^9 + A * 2^5 + A * 2^4
• => B = (A << 12) + (A << 9) + (A << 5) + (A << 4)
• Addition and shifts by constants have previously been covered
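An added Python model of the BOOL3 domain from the slides above, not code from Rolles' deck: the OR and NOT tables, AND and XOR derived from them by De Morgan, the three shifts, a three-valued ripple-carry adder, and multiplication by a constant reduced to shift-and-add exactly as the 0x1230 example does. Bits are written MSB first, and HALF (½) marks a bit whose value is unknown.

```python
HALF = None                            # a BOOL3 bit is 0, 1 or HALF (½, value unknown)

def b3_not(a):
    return HALF if a is HALF else 1 - a

def b3_or(a, b):                       # OR table: a 1 dominates, 0 OR 0 = 0, otherwise ½
    if a == 1 or b == 1:
        return 1
    return 0 if (a == 0 and b == 0) else HALF

def b3_and(a, b):                      # De Morgan over the OR and NOT tables
    return b3_not(b3_or(b3_not(a), b3_not(b)))

def b3_xor(a, b):
    return b3_or(b3_and(a, b3_not(b)), b3_and(b3_not(a), b))

def parse(s):                          # "½ 0 1 ..." -> list of BOOL3 bits, MSB first
    return [HALF if t == "½" else int(t) for t in s.split()]

def fmt(v):
    return " ".join("½" if b is HALF else str(b) for b in v)

def shl(v, n=1):                       # shift left: drop high bits, fill 0 on the right
    return (v + [0] * n)[n:]

def shr(v, n=1):                       # logical shift right: fill 0 on the left
    return ([0] * n + v)[:len(v)]

def sar(v, n=1):                       # arithmetic shift right: replicate the sign bit (may be ½)
    return ([v[0]] * n + v)[:len(v)]

def add(x, y):                         # ripple-carry adder over BOOL3 bits, modulo 2**width
    out, carry = [], 0
    for a, b in zip(reversed(x), reversed(y)):
        out.append(b3_xor(b3_xor(a, b), carry))
        carry = b3_or(b3_and(a, b), b3_and(carry, b3_xor(a, b)))
    return out[::-1]

def mul_const(x, k):                   # x * k = sum of (x << i) over the set bits i of k
    acc = [0] * len(x)
    for i in range(len(x)):
        if (k >> i) & 1:
            acc = add(acc, shl(x, i))
    return acc

def to_int(v):                         # only meaningful when no bit is ½
    assert HALF not in v
    return int("".join(map(str, v)), 2)
```

Note that an unknown bit propagates through carries, so add(H, H) for H = 0000000½ yields 000000½½ even though the concrete result set is {0, 2}: the domain over-approximates, which is what keeps it sound.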