Control Flow Flattening deobfuscation using symbolic execution
Prikladnaya Diskretnaya Matematika. Supplement, no. 14 (2021), pp. 134-138.

See the article record at its source, Math-Net.Ru

The Control Flow Flattening obfuscation method replaces the jumps in program code (both conditional and unconditional) with a jump to a dispatcher block, which determines the real control flow. This complicates reverse engineering of the program, because a researcher cannot easily tell which block of code will be executed after another. In this paper we propose an algorithm that recovers the original control flow of a given obfuscated program. The algorithm is based on symbolic execution, which is used to find all possible triples $(a_i, x_i, b_i)$, where $a_i$ is the address from which the dispatcher was reached and $x_i$ is the value of the control register at which the jump to address $b_i$ occurs. The set of triples is then converted into a set of patches to the original program. In comparison with other algorithms, this algorithm imposes no restrictions on the structure of the obfuscated functions, and it also changes nothing except the control flow.
Keywords: reverse engineering, symbolic execution, obfuscation, control flow flattening.
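The following is an added illustration of the recovery step the abstract describes; it is not code from the paper. It models a flattened function as a small table of blocks, each of which writes a control-register value and returns to the dispatcher, and then (a) collects every triple $(a_i, x_i, b_i)$ and (b) turns those triples into patches that replace the jump to the dispatcher with a direct jump. The block addresses, control-register constants and predicates are constructed sample values, and the exhaustive enumeration of each block's possible control-register values is a stand-in for the paper's symbolic execution.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a flattened function with four real blocks and a dispatcher.
# Each block is described only by the control-register values it can write before
# jumping back to the dispatcher. An unconditional block writes one value; a
# conditional block writes one of two values depending on a predicate.
@dataclass
class Block:
    addr: int
    # (predicate, control_value) pairs; predicate None means unconditional
    exits: List[Tuple[Optional[str], int]]

DISPATCHER = 0x1000        # address of the dispatcher block (constructed)
ENTRY_STATE = 0x3A         # initial control-register value (constructed)

# Dispatcher table: control-register value -> block address it jumps to.
DISPATCH_TABLE: Dict[int, int] = {0x3A: 0x1100, 0x7C: 0x1200, 0x1F: 0x1300, 0xE4: 0x1400}

FLATTENED: Dict[int, Block] = {
    0x1100: Block(0x1100, [(None, 0x7C)]),                          # straight-line
    0x1200: Block(0x1200, [("x < 10", 0x1F), ("!(x < 10)", 0xE4)]),  # loop test
    0x1300: Block(0x1300, [(None, 0x7C)]),                          # loop body, back to test
    0x1400: Block(0x1400, []),                                      # returns; never hits the dispatcher
}


def collect_triples(blocks: Dict[int, Block], table: Dict[int, int], entry_state: int):
    """Walk every reachable block and record (a, x, b): block a wrote control value x,
    and the dispatcher maps x to block b. Enumerating each block's exits stands in
    for the symbolic execution the paper uses to find all feasible values of x."""
    triples = set()
    work = [table[entry_state]]
    seen = set()
    while work:
        a = work.pop()
        if a in seen:
            continue
        seen.add(a)
        for _, x in blocks[a].exits:
            b = table[x]
            triples.add((a, x, b))
            work.append(b)
    return sorted(triples)


def triples_to_patches(blocks: Dict[int, Block], triples) -> Dict[int, str]:
    """Convert the triples into patches: the jump to the dispatcher at the end of
    block a is replaced by a direct jump (or a conditional jump when a has several
    successors). Patches are rendered as simple pseudo-assembly strings."""
    by_block: Dict[int, List[Tuple[int, int]]] = {}
    for a, x, b in triples:
        by_block.setdefault(a, []).append((x, b))
    patches: Dict[int, str] = {}
    for a, targets in by_block.items():
        if len(targets) == 1:
            patches[a] = f"jmp {targets[0][1]:#x}"
        else:
            # map each control value back to the predicate under which block a writes it
            pred = {x: p for p, x in blocks[a].exits}
            patches[a] = "; ".join(f"if {pred[x]}: jmp {b:#x}" for x, b in targets)
    return patches


def recovered_edges(triples) -> Dict[int, List[int]]:
    """The de-flattened control-flow graph: block a -> its real successors."""
    edges: Dict[int, List[int]] = {}
    for a, _, b in triples:
        edges.setdefault(a, []).append(b)
    return {a: sorted(bs) for a, bs in edges.items()}


if __name__ == "__main__":
    found = collect_triples(FLATTENED, DISPATCH_TABLE, ENTRY_STATE)
    for a, x, b in found:
        print(f"dispatcher reached from {a:#x} with control value {x:#x} -> jumps to {b:#x}")
    for a, patch in triples_to_patches(FLATTENED, found).items():
        print(f"patch at end of {a:#x}: {patch}")
```

Block `0x1400` receives no patch because it never returns to the dispatcher, and the dispatcher block itself is left in place; once every jump into it has been rewritten it is simply dead code, which matches the abstract's claim that nothing but the control flow is changed.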
@article{PDMA_2021_14_a29,
     author = {V. V. Lebedev},
     title = {Control {Flow} {Flattening} deobfuscation using symbolic execution},
     journal = {Prikladnaya Diskretnaya Matematika. Supplement},
     pages = {134--138},
     publisher = {mathdoc},
     number = {14},
     year = {2021},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDMA_2021_14_a29/}
}
TY  - JOUR
AU  - V. V. Lebedev
TI  - Control Flow Flattening deobfuscation using symbolic execution
JO  - Prikladnaya Diskretnaya Matematika. Supplement
PY  - 2021
SP  - 134
EP  - 138
IS  - 14
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDMA_2021_14_a29/
LA  - ru
ID  - PDMA_2021_14_a29
ER  - 
%0 Journal Article
%A V. V. Lebedev
%T Control Flow Flattening deobfuscation using symbolic execution
%J Prikladnaya Diskretnaya Matematika. Supplement
%D 2021
%P 134-138
%N 14
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDMA_2021_14_a29/
%G ru
%F PDMA_2021_14_a29
V. V. Lebedev. Control Flow Flattening deobfuscation using symbolic execution. Prikladnaya Diskretnaya Matematika. Supplement, no. 14 (2021), pp. 134-138. http://geodesic.mathdoc.fr/item/PDMA_2021_14_a29/