Hasty Briefs

Static Devirtualization of Themida

4 days ago
  • #obfuscation
  • #binary_analysis
  • #devirtualization
  • Article covers devirtualization of CodeVirtualizer/Themida-protected code; the approach applies to many VM-based obfuscators.
  • Uses guided symbolic evaluation: lifting native instructions into an intermediate representation and optimizing to resolve unknown branch destinations.
  • Key optimizations include constant promotion, constant folding, dead store elimination, instruction combination, and branch folding to collapse VM scaffolding.
  • Initially concretizes the stack pointer for simplicity, which limits handling of dynamic stack allocations.
  • Describes detecting VMEXIT behavior from the stack pointer displacement, classifying exits as calls or other kinds.
  • Addresses virtualized control flow: tracks virtual instruction pointers and handles Themida's VJCC handler specifically.
  • Includes a dead dependency analysis pass to remove unused register and flag computations.
  • Lowers the optimized IR back to native code, aiming for minimal register spilling to keep the output clean and executable.
  • Results show the devirtualized code is functionally 1:1 with the original, executable, and disassembler-friendly.
  • Notes that preventing symbolic evaluation requires opaque mixed boolean-arithmetic (MBA) expressions or stronger techniques, since simple MBA reduction is now possible.