摘要
针对Miasm反混淆框架反混淆后的结果是一张图片,无法反编译恢复程序源码的问题,在对底层虚拟机混淆器(OLLVM)混淆策略和Miasm反混淆思路进行深入学习研究后,提出并实现了一种基于符号执行的OLLVM通用型自动化反混淆框架。首先,利用基本块识别算法找到混淆程序中有用的基本块和无用块;其次,采用符号执行技术确定各个有用块之间的拓扑关系;然后,直接对基本块汇编代码进行指令修复;最后,得到一个反混淆后的可执行文件。实验结果表明,该框架在保证尽量少的反混淆用时前提下,反混淆后的程序与未混淆源程序的代码相似度为96.7%,能非常好地实现x86架构下C/C++文件的OLLVM反混淆。
The deobfuscation result of deobfuscation framework Miasm is a picture, which cannot be decompiled to recovery program source code. After deep research on the obfuscation strategy of Obfuscator Low Level Virtual Machine(OLLVM) and Miasm deobfuscation idea, a general OLLVM automatic deobfuscation framework based on symbolic execution was proposed and implemented. Firstly, the basic block identification algorithm was used to find useful basic blocks and useless blocks in the obfuscated program. Secondly, the symbolic execution technology was used to determine the topological relations among useful blocks. Then, the instruction repairment was directly applied to the assembly code of basic blocks.Finally, an executable file after deobfuscation was obtained. The experimental results show that, under the premise of guaranteeing the deobfuscation time as little as possible, the code similarity between the deobfuscation program and the nonobfuscated source program is 96. 7%. The proposed framework can realize the OLLVM deobfuscation of the C/C + + files under the x86 architecture very well.
作者
肖顺陶
周安民
刘亮
贾鹏
刘露平
XIAO Shuntao, ZHOU Anmin, LIU Liang , JIA Peng, LIU Luping(College of Electronics and Information Engineering, Sichuan University, Chengdu Sichuan 610065, Chin)
出处
《计算机应用》
CSCD
北大核心
2018年第6期1745-1750,共6页
journal of Computer Applications
关键词
Miasm
底层虚拟机混淆器
反混淆
符号执行
指令修复
代码相似度
Miasm
Obfuscator Low Level Virtual Machine (OLLVM)
deobfuscation
symbolic execution
instruction repairment
code similarity
