CN114817918A - Anti-confusion method, system and application - Google Patents
Anti-confusion method, system and application Download PDFInfo
- Publication number
- CN114817918A CN114817918A CN202210402618.5A CN202210402618A CN114817918A CN 114817918 A CN114817918 A CN 114817918A CN 202210402618 A CN202210402618 A CN 202210402618A CN 114817918 A CN114817918 A CN 114817918A
- Authority
- CN
- China
- Prior art keywords
- block
- real
- blocks
- code
- confusion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides an anti-confusion method, a system and application, which are characterized in that a target program is converted and real blocks and confusion blocks are distinguished, traversal is performed on all code blocks, so that the association between connection paths of the real blocks is obtained, and finally the confusion blocks are completely eliminated by modifying connection codes of real block time, so that the problem of poor anti-confusion effect caused by omission in traversal of the existing anti-confusion scheme is solved.
Description
Technical Field
The invention relates to the technical field of binary security, in particular to an anti-confusion method.
Background
Obfuscating is to convert code into a functional code, but the functional code is not changed, but is difficult to read and understand, and leakage of source code can be prevented. The anti-confusion is a process which is inverse to the confusion and is a process for converting codes which are difficult to read and understand into simple, understandable and intuitive codes, and can prevent antivirus software from being incapable of normally identifying some malicious scripts due to code confusion processing so as to prevent the malicious scripts from being effectively detected and killed.
At present, some code anti-aliasing technologies exist, but the anti-aliasing methods all have the problems of omission and poor anti-aliasing effect.
Disclosure of Invention
The embodiment of the invention provides an anti-confusion method and application, and the technical scheme can effectively avoid the problem of missing traversal.
In a first aspect, an anti-aliasing method is provided, including:
and S10, acquiring the binary file information of the target program, converting the binary file information into an IR intermediate code, and distinguishing code blocks.
And S20, analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure.
And S30, simulating and executing to traverse all code blocks, acquiring real block connection paths, and acquiring the association between the real blocks after execution.
And S40, modifying the connection codes between the real blocks to remove the confusion blocks.
And S50, performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
According to the invention, the target program is converted, the real block and the confusion block are distinguished, traversal is performed on all the code blocks, so that the association between the connection paths of the real blocks is obtained, and finally the confusion block is completely eliminated by modifying the connection codes of the real block time, so that the problem of poor anti-confusion effect caused by omission in traversal of the existing anti-confusion scheme is solved.
Preferably, in the S10 and/or S50, the compiler, 010Editor, IDA or Ghidra decompilation tool is used for decompilation. Wherein, the S10 obtains a file architecture of arm or arm64 by decompiling, and distinguishes the binary file into code blocks.
Preferably, the S20 includes:
the block instruction characteristics are used for block classification, specifically,
and if the confusion block has only one precursor, the precursor block is also marked as the confusion block.
The block is judged as a conditional block by the presence of goto and jcndb.
The rest are real blocks, the real block corresponding to the condition block has a plurality of successor blocks, and the rest real blocks correspond to one successor block.
The invention is applied to eliminating the confusion blocks, so after classification, the identified results are respectively stored by two arrays: realBlocks, confleblocks. The conditional block is attributed to the real block, the real block and the conditional block are stored in realBlocks, and the obfuscated block is stored in conflueblocks.
Preferably, in S30, a branch mirror is created by modifying the cpsr value, so that all code blocks are traversed.
Preferably, in S30, the unicorn is used as an execution tool to perform simulation and traverse all code blocks to obtain a real block connection path, specifically:
and opening up a memory space and loading the binary file of the target program.
Starting with the function entry, executing the simulation:
when a function call execution, such as call, jmp, or BL, is encountered during execution, instruction patch is skipped to Nop.
When the cmp instruction is executed, the cpsr value of the current instruction is recorded, whether the instruction is subjected to mirror traversal or not is judged, and when all mirrors of the instruction are traversed, the sub-simulator stops running.
When the program is executed to the conditional instructions, including but not limited to csel, b.cc, beq, bneq, begin to save the current mirror, modify the value of the CPSR, create multiple mirrors of the current instruction, start with the instruction, and create multiple recursion sub-simulators with the mirror features as the incoming values. And when the sub-simulator stops running, different real block chains corresponding to the CPSR state are obtained, after the recursion is completed, the mirror image is recovered, and the simulator continues to execute downwards.
Preferably, the obtaining of the association between the real blocks after the execution in S30 includes:
when the program is executed to the entry of the real block, the predecessor of the real block is obtained and stored in an array, and block _ real _ aa [ block _ real _ bb, block _ real _ cc ], so as to obtain real block link information.
It is checked whether the conditional block has multiple successors and whether the other real block has one and no successor.
And obtaining a link map after the verification is completed:
block_real_aa->block_real_cc/block_real_cc->block_real_dd。
preferably, the S40 includes:
and cutting the link map to enable the link data to become a dictionary.
Judging whether the two real blocks are directly connected or not: if it is a direct connection, no modification is required. When an obfuscated block exists before the two real blocks, modifying the tail code of the predecessor block to b aa _ addr, wherein the aa _ addr is the head address of the successor block, thereby completing the management of the two real blocks.
The condition block is repaired to have a plurality of successors, the tail linkage modification is carried out on the related instructions based on the CPSR, and when two branches exist in the CPSR, the tail two instructions are modified: ne aa _ addr; b bb _ addr; where aa _ addr, bb _ addr are addresses corresponding to two real blocks.
In a second aspect, an anti-aliasing system is provided, comprising:
a data acquisition module for acquiring binary file information of the target program
The data processing module converts the target program into an IR intermediate code and distinguishes code blocks; analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure; simulating and executing to traverse all code blocks, acquiring connection paths of real blocks, and acquiring association between the real blocks after execution; modifying the connection codes between the real blocks to remove the confusion blocks; and performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
In a third aspect, an anti-aliasing apparatus is provided, comprising: memory, processor. The memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the anti-obfuscation method of the first aspect.
In a fourth aspect, an embodiment of the invention provides a non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to implement at least the anti-obfuscation method of the first aspect.
In the embodiment of the invention, an anti-aliasing method, a system and application are provided, which have the following beneficial effects:
1. the method comprises the steps of obtaining the association between real block connection paths by traversing all code blocks, and finally completely eliminating confusion blocks by modifying connection codes of real block time, so that the problem of poor anti-confusion effect caused by omission in the traversing process of the existing anti-confusion scheme is solved;
2. and by modifying the value of cpsr, a branch mirror image is established, all code blocks are ensured to be traversed, and omission is avoided.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention.
Wherein:
FIG. 1 is a diagram of the steps of an antialiasing method.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are a part of the embodiments of the present invention, but not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the description of the invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "the plural" typically includes at least two.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
The anti-confusion is a process which is inverse to the confusion and is a process for converting codes which are difficult to read and understand into simple, understandable and intuitive codes, and can prevent antivirus software from being incapable of normally identifying some malicious scripts due to code confusion processing so as to prevent the malicious scripts from being effectively detected and killed. At present, some code anti-aliasing technologies exist, but all the anti-aliasing methods have the problems of omission and poor anti-aliasing effect.
Aiming at the problems, the invention provides an anti-aliasing method, which comprises the steps of converting a target program, distinguishing a real block and an aliased block, traversing all code blocks to obtain the association between the connection paths of the real blocks, and finally modifying the connection codes of the real block time to completely remove the aliased block, thereby solving the problem of poor anti-aliasing effect caused by omission in the existing anti-aliasing scheme during traversal.
The principles of implementation of the methods, systems, devices and media of the present invention are similar and will not be described herein again.
Having described the general principles of the present invention, various non-limiting embodiments of the present invention are described in detail below, it being noted that the examples provided by the present invention are only shown for the convenience of understanding the spirit and principles of the present invention, and the embodiments of the present invention are not limited in any way in this respect. Rather, embodiments of the present invention may be applied to any system where applicable.
The first embodiment is as follows:
an anti-aliasing method, as shown in fig. 1, comprising:
and S10, acquiring the binary file information of the target program, converting the binary file information into an IR intermediate code, and distinguishing code blocks.
In one embodiment, a Hopper, 010Editor, IDA or Ghidra decompilation tool is used for decompilation, and binary files are divided into code blocks.
And S20, analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure.
In one embodiment, block instruction features are used for block classification:
and if the confusion block has only one precursor, the precursor block is also marked as the confusion block.
The block is judged as a conditional block by the presence of goto and jcndb.
The rest are real blocks, the real block corresponding to the condition block has a plurality of successor blocks, and the rest real blocks correspond to one successor block.
The conditional block is attributed to the real block.
After classification, the identified results are respectively stored in two arrays: realBlocks, confleblocks.
And S30, simulating and executing to traverse all code blocks, acquiring real block connection paths, and acquiring the association between the real blocks after execution.
In this embodiment, a branch mirror is created by modifying the cpsr value, so that all code blocks are traversed.
In a specific embodiment, unicorn is used as an execution tool to simulate and execute traversing all code blocks to obtain a real block connection path. The Unicorn simulator can establish a branch mirror image, can support multi-architecture instructions, and can quickly acquire a Code Trace (Code contour), and specifically comprises the following steps:
and opening up a memory space and loading the binary file of the target program.
Starting with the function entry, executing the simulation:
when a function call execution, such as call, jmp, or BL, is encountered during execution, instruction patch is skipped to Nop.
When the cmp instruction is executed, the cpsr value of the current instruction is recorded, whether the instruction is subjected to mirror traversal or not is judged, and when all mirrors of the instruction are traversed, the sub-simulator stops running.
When the program is executed to the conditional instructions, including but not limited to csel, b.cc, beq, bneq, begin to save the current mirror, modify the value of the CPSR, create multiple mirrors of the current instruction, start with the instruction, and create multiple recursion sub-simulators with the mirror features as the incoming values. And when the sub-simulator stops running, different real block chains corresponding to the CPSR state are obtained, after the recursion is completed, the mirror image is recovered, and the simulator continues to execute downwards.
In an embodiment, obtaining the association between real blocks after execution comprises:
when the program is executed to the entry of the real block, the predecessor of the real block is obtained and stored in an array, and block _ real _ aa [ block _ real _ bb, block _ real _ cc ], so as to obtain real block link information.
It is checked whether the conditional block has multiple successors and whether the other real block has one and no successor.
And obtaining a link map after the verification is completed:
block_real_aa->block_real_cc/block_real_cc->block_real_dd。
and S40, modifying the connection codes between the real blocks to remove the confusion blocks.
Further, in this step, after obtaining the link diagram information of the real blocks and identifying the association between the two blocks, it is necessary to repair the association instruction between the real blocks according to the link diagram, so as to obtain a complete binary file that is not confused, and the binary file can be decompiled and analyzed in multiple platforms, specifically, the step is:
and cutting the link map to enable the link data to become a dictionary.
Judging whether the two real blocks are directly connected or not: if it is a direct connection, no modification is required. When an obfuscated block exists before the two real blocks, modifying the tail code of the predecessor block to b aa _ addr, wherein the aa _ addr is the head address of the successor block, thereby completing the management of the two real blocks.
The condition block is repaired to have a plurality of successors, the tail linkage modification is carried out on the related instructions based on the CPSR, and when two branches exist in the CPSR, the tail two instructions are modified: ne aa _ addr; b bb _ addr; where aa _ addr, bb _ addr are addresses corresponding to two real blocks.
And S50, performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
In one embodiment, decompilation is performed using a Hopper, 010Editor, IDA, or Ghidra decompilation tool to obtain microcode that can be analyzed.
Example two:
an anti-obfuscation system comprising:
a data acquisition module for acquiring binary file information of the target program
The data processing module converts the target program into an IR intermediate code and distinguishes code blocks; analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure; simulating and executing to traverse all code blocks, acquiring connection paths of real blocks, and acquiring association between the real blocks after execution; modifying the connection codes between the real blocks to remove the confusion blocks; and performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
Example three:
an anti-obfuscation device comprising: memory, processor. The memory has stored thereon executable code that, when executed by the processor, causes the processor to perform an anti-obfuscation method as described in embodiment one.
Example four:
a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to implement at least the anti-obfuscation method of embodiment one.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An anti-aliasing method, comprising:
s10, acquiring the binary file information of the target program, converting the binary file information into an IR intermediate code, and distinguishing code blocks;
s20, analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure;
s30, simulating and executing to traverse all code blocks, acquiring connection paths of real blocks, and acquiring the association between the real blocks after execution;
s40, modifying the connection codes between the real blocks to remove the confusion blocks;
and S50, performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
2. An anti-obfuscation method as claimed in claim 1, wherein in S10 and/or S50, the decompilation is performed using a Hopper, 010Editor, IDA or Ghidra decompilation tool; the S10 obtains a file architecture of arm or arm64 by decompiling, and distinguishes the binary file into code blocks.
3. An anti-aliasing method according to claim 1, wherein the S20 comprises:
and (3) carrying out block classification by using block instruction characteristics: the block has goto and jcndv at the same time, judge it is a confusion block, mark the confusion block and carry out the precursor of the confusion block, if the confusion block has only one precursor, the precursor block is marked as the confusion block too; the goto and the jcndb exist in the block at the same time, and the block is judged to be a condition block; the rest are real blocks, the real block corresponding to the condition block has a plurality of successor blocks, and the rest real blocks correspond to one successor block;
and respectively storing the identified results in two arrays: realBlocks, confleblocks; the conditional block and the real block are stored in realBlocks, and the obfuscated block is stored in confuseBlocks.
4. An anti-aliasing method according to claim 1, wherein in S30, by modifying the cpsr value, a branch mirror is created to let all code blocks be traversed.
5. An anti-aliasing method according to claim 4, wherein in the step S30, simulating and executing by using unicorn as an executing tool to traverse all code blocks to obtain a real block connection path, comprises:
opening up a memory space to load a binary file of a target program;
simulation execution was performed starting with function entry:
when the execution meets the function call execution such as call, jmp or BL, skipping and setting the instruction patch to Nop;
when a cmp instruction is executed, the cpsr value of the current instruction is recorded so as to judge whether the instruction is subjected to mirror image traversal, and when all the mirror images of the instruction are traversed, the sub-simulator stops running;
when the program is executed to the conditional instructions, including but not limited to csel, b.cc, beq and bneq, starting to store the current mirror image, modifying the value of the CPSR, establishing a plurality of mirror images of the current instruction, and establishing a plurality of recursion sub-simulators by taking the instruction as the start and the mirror image characteristics as the incoming values; and when the sub-simulator stops running, different real block chains corresponding to the CPSR state are obtained, after the recursion is completed, the mirror image is recovered, and the simulator continues to execute downwards.
6. An anti-aliasing method according to claim 1 or 5, wherein the obtaining the association between the real blocks in S30 after execution comprises:
when a program is executed to an entrance of a real block, acquiring predecessors of the real block, and storing the predecessors in an array mode, wherein block _ real _ aa is [ block _ real _ bb, block _ real _ cc ], so as to acquire real block link information;
checking whether the condition block has a plurality of successors or not and whether the other real blocks have one successor or not and only one successor;
and obtaining a link map after the verification is completed:
block_real_aa->block_real_cc/block_real_cc->block_real_dd。
7. an anti-aliasing method according to claim 6, wherein the S40 comprises:
cutting the link map to make the link data become a dictionary;
judging whether the two real blocks are directly connected or not: if the direct connection is realized, no modification is needed; when an obfuscated block exists before the two real blocks, modifying the tail code of the predecessor block to baa _ addr, wherein aa _ addr is the head address of the successor block, thereby completing the management of the two real blocks;
the condition block is repaired to have a plurality of successors, the tail linkage modification is carried out on the related instructions based on the CPSR, and when two branches exist in the CPSR, the tail two instructions are modified: ne aa _ addr; b bb _ addr; where aa _ addr, bb _ addr are the addresses of the corresponding two real blocks.
8. An anti-obfuscation system, comprising:
a data acquisition module for acquiring binary file information of the target program
The data processing module converts the target program into an IR intermediate code and distinguishes code blocks; analyzing all code blocks based on the IR intermediate codes, and identifying the code blocks as real blocks or confusion blocks through an IR analysis structure; simulating and executing to traverse all code blocks, acquiring connection paths of real blocks, and acquiring association between the real blocks after execution; modifying the connection codes between the real blocks to remove the confusion blocks; and performing decompiling on the modified binary system to obtain a decompiled pseudo code of the target program.
9. An anti-aliasing device, comprising: a memory, a processor; the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the anti-obfuscation method of claims 1-7.
10. A non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to at least implement an anti-obfuscation method as defined in claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210402618.5A CN114817918A (en) | 2022-04-18 | 2022-04-18 | Anti-confusion method, system and application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210402618.5A CN114817918A (en) | 2022-04-18 | 2022-04-18 | Anti-confusion method, system and application |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114817918A true CN114817918A (en) | 2022-07-29 |
Family
ID=82536891
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210402618.5A Pending CN114817918A (en) | 2022-04-18 | 2022-04-18 | Anti-confusion method, system and application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114817918A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117573142A (en) * | 2024-01-15 | 2024-02-20 | 广州大学 | JAVA code anti-obfuscator based on simulation execution |
-
2022
- 2022-04-18 CN CN202210402618.5A patent/CN114817918A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117573142A (en) * | 2024-01-15 | 2024-02-20 | 广州大学 | JAVA code anti-obfuscator based on simulation execution |
| CN117573142B (en) * | 2024-01-15 | 2024-04-23 | 广州大学 | JAVA code anti-obfuscator based on simulation execution |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10296447B2 (en) | Automated software program repair | |
| CN107315961B (en) | Program vulnerability detection method and device, computing equipment and storage medium | |
| CN106778247B (en) | Method and device for dynamically analyzing application program | |
| CN108197476B (en) | Vulnerability detection method and device for intelligent terminal equipment | |
| CN113961919B (en) | Malicious software detection method and device | |
| CN110209520B (en) | Method and device for improving SSD (solid State disk) testing efficiency, computer equipment and storage medium | |
| CN111428233B (en) | Security analysis method for embedded equipment firmware | |
| US11237943B2 (en) | Generating inputs for computer-program testing | |
| US20210374241A1 (en) | Undetectable sandbox for malware | |
| CN114817918A (en) | Anti-confusion method, system and application | |
| WO2020264515A1 (en) | Automatic correctness and performance measurement of binary transformation systems | |
| CN110414218B (en) | Kernel detection method and device, electronic equipment and storage medium | |
| US9710360B2 (en) | Optimizing error parsing in an integrated development environment | |
| CN107844703B (en) | Client security detection method and device based on Android platform Unity3D game | |
| CN106709287B (en) | Method and device for application shelling | |
| JPWO2020194455A1 (en) | Test case generator, test case generator, and test case generator | |
| US20180121660A1 (en) | Apparatus and method for dynamic binary analysis on hardware board | |
| CN112784290B (en) | Data export tool security analysis method and system and data export method | |
| CN107341403B (en) | File conversion method and device | |
| US10460108B1 (en) | Method and system to identify and rectify input dependency based evasion in dynamic analysis | |
| CN112948819A (en) | Application file shelling method and device and computer readable storage medium | |
| CN112015436A (en) | Short message platform deployment method and device, computing equipment and computer storage medium | |
| CN111367752A (en) | Method, device and storage medium for identifying Android real machine and simulator | |
| CN109408063A (en) | Instruction pile pitching method and device based on virtual machine | |
| CN109614773A (en) | Code self-modifying method, apparatus and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |