KR102203200B1 - Apparatus for deobfuscation and method for the same - Google Patents

Abstract

It relates to an apparatus and method for de-obfuscation, wherein the de-obfuscation apparatus analyzes the obfuscated program obtained by obfuscation of the original program and obtains information on the original program, and the analysis unit is based on the information obtained by the analysis unit. As a result, it may include a restoration unit for obtaining a result program corresponding to the original program.

Description

DEOBFUSCATION AND METHOD FOR THE SAME {APPARATUS FOR DEOBFUSCATION AND METHOD FOR THE SAME}

The present invention relates to a de-obfuscation apparatus and method.

Forgery and tamper-resistant software (anti-tamper software, tamper-resistant software) may include software (program, etc.) that transforms a program by a predetermined method in order to make it difficult to analyze and alter the program (hereinafter, the original program). Hereinafter, a program may also be referred to as an app or an application). Anti-counterfeiting and tampering software detects vulnerabilities by analyzing the original program without permission, inserts illegal code (for example, cracking code) into the program, or prevents copying of the program (for example, digital rights management ( It is used to prevent actions such as neutralizing DRM, Digital Right Management)).

Conventional anti-counterfeiting and tampering software uses an active or passive method to prevent forgery and tampering, where the active method is to make it impossible to execute when the original program is altered, and the passive method is to This makes it difficult to analyze the original program itself by obfuscation.

The obfuscation technique refers to a method that makes it difficult for a program analyst to analyze the original program by modifying the data structure or control flow while maintaining the function of the program. Therefore, by using such an obfuscation technique, it is possible to block unauthorized alteration of a program or incapacitation of the copy prevention means to some extent.

However, in recent years, the obfuscation technique is increasingly used for malicious purposes. For example, by applying obfuscation techniques to malicious codes, antivirus software or malicious code analysts cannot easily detect malicious codes. In this case, even if the obfuscated malicious code is successfully detected, it is difficult to effectively replace the malicious code because the difficulty of analyzing the malicious code increases because the malicious code must be de-obfuscated. Moreover, commercial obfuscation tools are not only easy to obtain, but also provide automatic obfuscation, making it possible to obfuscate the original program (malware, etc.) more conveniently. For this reason, the number of obfuscated malicious codes is increasing, which makes the work of malicious code analysts more difficult.

Korean Patent Registration No. 1861341 (2018.05.18.) Korean Patent Registration No. 1920597 (2018.11.14.)

An object of the present invention is to provide an apparatus and method for de-obfuscation that can easily and effectively de-obfuscate obfuscated programs.

In order to solve the above-described problems, an apparatus and method for de-obfuscation are provided.

The de-obfuscation apparatus analyzes the obfuscated program obtained by obfuscation of the original program and obtains information on the original program, and a result program corresponding to the original program based on the information obtained by the analysis unit. It may include a restoration unit to obtain.

The analysis unit may detect the import address table from the obfuscated program to determine the location of the import address table, and the restoration unit may obtain the import address table using the location of the import address table.

The restoration unit may build an import directory table based on the import address table.

The analysis unit may receive at least one program and determine whether the program is an obfuscated program based on an inherent characteristic of an obfuscation tool used to obfuscate the original program.

The analysis unit may extract at least one of the original code and the original data, and the restoration unit may patch at least one of the original code and the original data.

The analysis unit determines whether to apply the analysis prevention option by detecting the operation of the multi-thread-based analysis prevention code when the obfuscated program is executed, or determines whether the application programming interface wrapping option is applied to the obfuscation of the obfuscated program. And, if the application programming interface wrapping option is applied, information on the original program is obtained by obtaining the original application programming interface address, checking the indirect address of a direct call/jump statement, or checking the original entry point. can do.

The restoration unit determines whether to compress at least one of the code section and the data section, and performs extrusion decompression for at least one of the code section and the data section according to the determination result, or based on the indirect address of the direct call/jump command. As a result, the direct call/jump statement may be modified to obtain the indirect call/jump statement, or the original entry point may be patched.

The de-obfuscation method includes analyzing the obfuscated program obtained by obfuscation of the original program to obtain information on the original program, and obtaining a result program corresponding to the original program based on the obtained information. It may include.

The step of obtaining information on the original program by analyzing the obfuscated program obtained by obfuscation of the original program includes determining the location of the import address table by detecting an import address table from the obfuscated program. And obtaining a result program corresponding to the original program based on the obtained information may include obtaining an import address table using a position of the import address table.

Obtaining a result program corresponding to the original program based on the obtained information may further include building an import directory table based on the import address table.

The step of obtaining information on the original program by analyzing the obfuscated program obtained by obfuscation of the original program includes receiving at least one program and determining whether the program is an obfuscated program. It may include the step of determining based on the inherent characteristics of the obfuscation tool used for the speech.

The step of obtaining information on the original program by analyzing the obfuscated program obtained by obfuscation of the original program includes extracting at least one of the original code and the original data, and based on the obtained information Obtaining a result program corresponding to the original program may include patching at least one of the original code and the original data.

The step of obtaining information on the original program by analyzing the obfuscated program obtained by obfuscation of the original program is to apply the analysis prevention option by detecting the operation of the multi-thread-based analysis prevention code when the obfuscated program is executed. Determining whether the application programming interface wrapping option is applied to the obfuscation of the obfuscated program, and if the application programming interface wrapping option is applied, obtaining the original application programming interface address, direct call It may include at least one of confirming the indirect address of the /jump instruction and obtaining information on the original program by confirming the original entry point.

In the step of obtaining a result program corresponding to the original program based on the obtained information, it is determined whether at least one of the code section and the data section is compressed, and according to the determination result, at least one of the code section and the data section is At least one of: performing an extrusion release for the direct call/jump command, obtaining an indirect call/jump statement by modifying the direct call/jump statement based on the indirect address of the direct call/jump statement, and patching the original entry point It may include.

According to the above-described de-obfuscation apparatus and method, it is possible to efficiently, easily and effectively de-obfuscate obfuscated programs, and thus, it is possible to obtain an effect of increasing the ease of analysis of obfuscated programs.

In addition, it is possible to increase the likelihood of success in de-obfuscation of obfuscated programs and the like, and to effectively shorten the time required for de-obfuscation or analysis of obfuscation tools.

In addition, it is possible to perform de-obfuscation of obfuscated codes more easily, so that the convenience of de-obfuscation of experts or non-experts can be improved, and malicious code can be detected and analyzed more easily. You can also get the effect of being able to do it.

Detailed description of each drawing is provided in order to more fully understand the drawings cited in the detailed description of the present invention.
1 is an overall block diagram for explaining an apparatus for de-obfuscation.
2 is a diagram for explaining a control flow when an obfuscated program is executed.
3A and 3B are FIGS. 1 and 2 for explaining a part of rules of a dummy as an example of an obfuscation tool.
4 is a block diagram of an embodiment of an analysis unit.
5 is a block diagram of an embodiment of a restoration unit.
6 is a flowchart of an embodiment of a de-obfuscation method.
7 is a flowchart of an example of a method for analyzing an obfuscated program.
8 is a flowchart of an embodiment of a method for restoring a result program.

In the following specification, the same reference numerals refer to the same elements unless otherwise specified. The term "unit" used below may be implemented in software or hardware, and according to an embodiment, one "unit" is implemented as one physical or logical part, or a plurality of "units" It may be implemented as a physical or logical part, or one'unit' may be implemented as a plurality of physical or logical parts.

When a part is said to be connected to another part throughout the specification, it may mean a physical connection depending on the part and another part, or may mean electrically connected. In addition, when a part includes another part, this does not exclude another part other than the other part unless otherwise stated, and it means that another part may be included further according to the designer's choice. do. On the other hand, expressions in the singular number may include plural expressions unless there is clearly an exception in the context.

Hereinafter, an embodiment of the de-obfuscation apparatus will be described with reference to FIGS. 1 to 5.

1 is an overall block diagram for explaining an apparatus for de-obfuscation.

Referring to FIG. 1, the de-obfuscation device 70 refers to a device capable of de-obfuscation of the obfuscated program 2 obtained by obfuscating an original program (1, hereinafter, the original program). Here, the original program (1) and/or the obfuscated program (2) may include a program code, and may include data or the like as necessary. The original program 1 and/or the obfuscated program 2 may be implemented in the form of at least one computer file, and the computer file may be stored in a predetermined format (format). Here, the format may include a portable executable (PE) format, but is not limited thereto.

The de-obfuscation device 70 may be an information processing device including a processor 80 and a memory device 90. The information processing device may include an electronic device capable of performing various operations and/or controls. For example, the information processing device includes a desktop computer, a laptop computer, a server computer, a smart phone, a tablet PC, a smart watch, a portable game machine, an artificial intelligence sound reproducing device, a navigation device, a head mounted display (HMD) device, It may include at least one of devices capable of processing information, such as a digital television, a set-top box, a vehicle, a home appliance, or a personal digital assistant (PDA).

The processor 80 may perform an operation, processing, control, and/or analysis of a program necessary for the overall or partial operation of the de-obfuscation apparatus 70. For example, the processor 80 analyzes the obfuscated program 2 and, if necessary, obtains a deobfuscated program corresponding to the original program 1 (hereinafter, the result program) based on the analysis result. May be. Here, the resulting program may include a program identical to or very similar to the original program (1).

The processor 80 may execute a pre-embedded program and/or a program stored in the memory device 90 to perform a predetermined operation. Here, the program stored in the memory device 90 may be stored directly from a designer, or may be acquired through an electronic software distribution network accessible through a wired or wireless communication network.

The processor 80 is a central processing unit (CPU), a microcontroller unit (MCU), a microprocessor (Micom), an application processor (AP), an electronic control unit (ECU), Electronic Controlling Unit) and/or other electronic devices capable of processing various operations and generating control signals. Depending on the embodiment, the processor 80 may be implemented using one physical device, or may be implemented using two or more physical devices.

According to an embodiment, the processor 80 may include a de-obfuscation unit 100. The de-obfuscation unit 100 analyzes the obfuscated program 2 and, if necessary, generates a result program according to the analysis result to perform de-obfuscation on the obfuscated program 2. The de-obfuscation unit 100 may start performing the de-obfuscation operation for the obfuscated program 2 manually and/or automatically according to a predefined setting according to a user's manipulation. Depending on the embodiment, the deobfuscation unit 100 may be implemented in software or in hardware. In addition, the above-described de-obfuscation unit 100, analysis unit 110, restoration unit 160, etc. will be understood as a function block that performs a predetermined function of the de-obfuscation device 70, for example, an operation of the processor 80. Therefore, the de-obfuscation apparatus 70 may be understood as including the de-obfuscation unit 100 including the analysis unit 110 and the restoration unit 160.

According to an embodiment, the deobfuscation unit 100 may be implemented in the form of at least one program. In this case, the deobfuscation unit 100 may be manufactured and implemented based on a dynamic binary instrumentation tool (DBI tool). The dynamic binary measurement tool may include a Pin Tool or Valgrind. The pin tool refers to a software tool composed of a number of application programming interface (API)(s) capable of performing runtime binary instrumentation in Windows or Linux. The pin tool inserts additional code desired by the user (e.g., counts, memory recording or instruction collection, etc.) into the program, so that the de-obfuscation device 70 is programmed (e.g., obfuscated program 2). To analyze the behavior of Pin tools can provide just-in-time compilation (JIT compilation), so they operate more efficiently than other tools.

According to an embodiment, the deobfuscation unit 100 may include an analysis unit 110 and/or a restoration unit 160. The analysis unit 110 may analyze the obfuscated program 2. The restoration unit 160 may restore the original program 1 by generating a result program corresponding to the obfuscated program 2. In this case, the restoration unit 160 may generate a result program based on the analysis result of the analysis unit 110. The analysis unit 110 and the restoration unit 160 may be classified by software or by hardware. In the latter case, each of the analysis unit 110 and the restoration unit 160 may be implemented using different physical devices (such as a predetermined semiconductor chip). Depending on the embodiment, any one of the analysis unit 110 and the restoration unit 160 may be omitted. A detailed description of the analysis unit 110 and the restoration unit 160 will be described later.

The memory device 90 may temporarily or non-temporarily store various types of data necessary for the operation of the processor 80. For example, the memory device 90 may store a program designed for de-obfuscation, a program to be de-obfuscated (ie, obfuscated program (2)), and may also store a de-obfuscation result. You can also save the acquired program. The memory device 90 may include at least one of a main memory device and an auxiliary memory device. The main memory device may be implemented using a semiconductor storage medium such as ROM and/or RAM. Auxiliary storage devices include solid state drives (SSDs), flash memory devices, hard disks (HDDs, Hard Discs), SD (Secure Digital) cards, magnetic drums, magnetic tapes, compact disks (CDs), and DVDs. ), a laser disk, a magneto-optical disk, and/or a floppy disk, or the like, and may be implemented using at least one storage medium capable of permanently or semi-permanently storing data.

The obfuscated program 2 that is deobfuscated by the processor 80 and/or stored in the memory device 90 is obfuscated by another device (10, hereinafter referred to as the obfuscation device) different from the deobfuscation device 70. It may be obtained by a speech operation. Of course, it is possible for the de-obfuscation device 70 to perform obfuscation to generate the obfuscated program 2 depending on the situation. The obfuscation apparatus 10 may include an information processing apparatus identical to or different from the de-obfuscation apparatus 70, and may include a device such as a desktop computer, a laptop computer, a server computer, or a smartphone.

The obfuscation apparatus 10 may include an obfuscation unit 11 that generates and obtains the obfuscated program 2 from the original program 1. The obfuscation unit 11 obfuscates the original program (1) using one or more obfuscation tools (can be referred to as obfuscation applications or obfuscation programs), and finally obtains the obfuscated program (2). You can (or create). The obfuscation tool is a program that can perform obfuscation of all or part of the original program (1), and may be a program designed only for obfuscation, or a program that is partially included in the obfuscation function. have. The obfuscation tool is a commercial obfuscation tool such as Themida tool (hereinafter referred to as Dummy), WinLicense tool (hereinafter referred to as Win License), or VMProtect tool (hereinafter referred to as VM Protect). It may include. The obfuscation unit 11 can be implemented using a processor or the like.

The obfuscation unit 11 may perform obfuscation by applying at least one obfuscation option (12: 12-1 to 12-N) in performing obfuscation. For example, dummy, one of the obfuscation tools, provides users with approximately 21 options (12: 12-1 to 12-N) for obfuscation. In more detail, for example, dummy is anti debugger, anti dumper, anti patching, compression for applications or resources, secure engine code or compression of resources , Improved application program interface wrapping (Advanced API wrapping) or entry point obfuscation, etc. Various options (12) for anti-analysis at the binary code level are provided. As such, the existence of various obfuscation options (12: 12-1 to 12-N) makes it difficult to determine what options (12: 12-1 to 12-N) applied in the obfuscation process are, and thus obfuscate. The difficulty of de-obfuscation of the old program (2) is increasing.

The de-obfuscation apparatus 70 may acquire the program 2 obfuscated by the obfuscation apparatus 10 through various paths. For example, the deobfuscation device 70 may acquire the obfuscated program 2 using at least one memory medium such as an external hard disk device or a universal serial bus memory (USB memory) device, and / Or access to a wired/wireless communication network, and via an external server device (for example, a mail server or an electronic software distribution network server, etc.), or by receiving the obfuscated program (2) directly from the obfuscation device (10). May be. In addition, the de-obfuscation device 70 may obtain the obfuscated program 2 through a commonly known method for delivering the program.

Hereinafter, the obfuscated program 2 will be described in more detail, but the obfuscated program 2 will be described as an example using dummy da as an obfuscation tool. However, the specific content of the obfuscated program (2) to be described later is not limited only to the case of obfuscation using a dummy. All or part of the contents to be described later may also correspond to programs obfuscated using other obfuscation tools (eg, Win license and/or VM Protect application).

Obfuscation tools (eg, dummy) can provide various obfuscation and analysis prevention techniques based on a number of options, but these options do not in principle damage the source code and the raw data. Also, dummy is essentially a packer. A packer refers to a tool or technique for concealing code or data by performing an exclusive OR (XOR) with a specific key, and restoring the original code and data by performing an exclusive OR again with the key at runtime. Therefore, even in the case of the program (2) obfuscated using a dummy, there is inevitably a point in time when the source code and the source data are exposed as they are in the runtime. Taking this into account, when static analysis and dynamic analysis are performed on the obfuscated program 2 based on the dummy, it can be seen that there are inherent characteristics peculiar to the obfuscation tool.

For example, when a program is obfuscated by an obfuscation tool, the original program (1) or the code or data contained therein is packed, and unpacked according to a predetermined routine (unpacking routine) during execution time (runtime). do. Such an unpacking routine for the original program 1 may be provided in advance in the obfuscation tool. Typically, obfuscation tools provide five or six unpacking routines, which can be added or removed depending on the selection of specific options (12:12-1 to 12-N). Thus, the unpacking routine can be an inherent feature of a particular obfuscation tool.

Some of the unpacking routines have the same or similar byte pattern regardless of the options applied (12:12-1 to 12-N). The byte pattern used in such an unpacking routine may be an inherent characteristic peculiar to the obfuscation tool, and based on this, it is possible to determine whether to use the obfuscation tool. Here, the byte pattern may be identified by static analysis.

In addition, the intrinsic feature of the obfuscation tool may include information (eg, the number or name of sections) on sections to be described later. This is because some sections are added or removed depending on the selection of options (12:12-1 to 12-N).

2 is a diagram for explaining a control flow when an obfuscated program is executed.

When a behavior analysis is performed on the obfuscated program 2 based on the above-described obfuscation tool, the control flow is performed based on a plurality of sections 21 to 25 as shown in FIG. 2. Able to know.

The plurality of sections 21 to 25 are, for example, a dummy 2 section 21, a dummy 1 section 22, an import address table (IAT) removal section 23, and compressed/encrypted data. It may include a section 24 and a packed code section 25. Although five sections 21 to 25 are shown in Fig. 2, the number of sections 21 to 25 may be larger or smaller depending on the situation. For example, depending on the selected option (12: 12-1 to 12-N), a new section may be added or some of the sections may be omitted. More specifically, for example, when obfuscation is performed by additionally reflecting the secure engine compression option, a corresponding section may be further added. The control flow proceeds in the order of dummy2 section (21), dummy1 section (22), import address table removal section (23), compressed/encrypted data section (24), and packed code section (25). The executed sections 21 to 25 are not executed multiple times (see Rule 4-1 and Rule 4-2 in Fig. 3B).

The dummy 2 section 21 operates as an entry point, and unpacks the dummy 1 section 22. In the dummy2 section 21, the anti-analysis code is not executed, so the exception code delays the analysis.

The dummy 1 section 22 performs unpacking of the packed code 25 and data 24, and also executes an anti-analysis code 26. Here, the analysis prevention code 26 may be an analysis prevention code based on a multi-thread. In addition, a dynamic link library (DLL, Dynamic Link Library) is also dynamically loaded by the dummy 1 section 22. If the above-described resource compression option or resource compression option is selected, the dummy 1 section 22 decompresses the data section 24 and further performs decoding. The dummy 2 section 21 and the dummy 1 section 22 are no longer used when the unpacking of the code section 25 is completed (refer to Rule 4-2 in FIG. 3B).

The data section 24 includes data and the like included in the original program 1, and in this case, the data may be compressed and/or encrypted to be provided in the data section 24. The data section 24 is restored like the original program 1 by the operation of the dummy 1 section 22 described above.

The code section 25 is a part containing the code of the original program 1, in which case the original program 1 may be packed and included in the code section 25. The code section 25 may be unpacked and restored by the dummy 1 section 22 described above. In this case, the restoration result may be the same as the original program 1 or may be partially different. When the packed code section 25 is restored, it becomes possible to perform the original function or operation intended by the original program 1.

The import address table removal section 23 is designed to remove the import address table to make it difficult to analyze the obfuscated program 2. However, in practice, functions in the dynamic link library or program (for example, the import address table) are not completely deleted in the IAT removal section 23, and information (for example, the import directory table (IDT) )) only is deleted. Accordingly, the actual address of the function is not removed even by obfuscation, and it may appear distorted only due to the absence of information. Accordingly, the entire import address table can be restored by recovering such deleted information.

In the case of executing the obfuscated program (2) as described above, the packed code or compressed/encrypted data according to the operation of the dummy 2 section 21 and the dummy 1 section 22 is unpacked. The same or similar program as the program 1 can be executed.

3A and 3B are diagrams for explaining some of the rules of a dummy da as an example of an obfuscation tool, and are diagrams illustrating rules found when dummy da is applied to a portable executable file.

According to the above analysis, the dummy, which is one of the obfuscation tools, can obfuscate the original program 1 according to a plurality of rules as shown in FIGS. 3A and 3B.

For example, Dummy Dummy merges a number of sections in the original program (1) and rebuilds it into a specific number of sections (Rule 1), but adds a text section (.text), a data section (.data), and an import address table section. Merge into the top section (Rule 1-1). On the other hand, the resource section (.rsrc) is placed in the original position, but some resource values are moved to the dummy 1 section 22 (Rule 1-2). The location of the source code, data and import address tables remains unchanged (Rule 1-3).

In addition, dummy rewrites the compressed code, data, and the removed import address table in an obfuscated program with special rules (rule 2).If the application and/or resource is encrypted or compressed according to the applied option, the import Decryption or decompression is performed prior to restoration of the address table (Rule 2-1), and if applications and/or resources are not encrypted or compressed, only the restoration of the import address table is performed (Rule 2-2). Also, if the address of the restored import address table is referenced by call/jump, all referenced indirect call/jump (ICJ) statements are converted to direct call/jump (DCJ) statements. Convert (Rule 2-3). When the obfuscated program jumps to an unpacked section of code, the entire process is terminated and all objects that have been packed, encrypted, compressed or removed are restored (Rule 2-4).

If the dummy application program interface wrapping option is selected and applied, the import address table can be further modified and damaged by changing the value of the import address table. In addition, it is also possible to damage the import address table at a selected arbitrary number of times (Rule 3, Rule 3-1). When the application program interface wrapping option is applied in this way, the original application program interface code is obfuscated and duplicated in the dynamically allocated memory area (Rule 3-2), and the import address table value is changed to the address of the cloned application program interface code. Becomes (Rule 3-3). Dummy Dummy rebuilds the corresponding process during runtime to rebuild the import address table.

Meanwhile, as described with reference to FIG. 2, a program obfuscated by a dummy has a common control flow rule regardless of options (Rule 4, Rule 4-1 to Rule 4-3).

According to an embodiment, in order to perform de-obfuscation on the obfuscated program 2, the de-obfuscation unit 100 of the processor 80 provides the above-described obfuscation tool (for example, a dummy). It may be produced and implemented using results derived from static analysis, dynamic analysis, and behavior analysis. Specifically, the analysis unit 110 and the restoration unit 160 of the de-obfuscation unit 100 analyze the obfuscated program 2 according to these analysis results and/or the same or similar results as the original program 1 It may be designed to restore a program.

Hereinafter, the analysis unit 110 and the restoration unit 160 of the de-obfuscation unit 100 will be described in more detail.

4 is a block diagram of an embodiment of an analysis unit.

The analysis unit 110 may analyze the obfuscated program 2 to extract and obtain information on the original program 1 according to the analysis result, and the restoration unit 160 recovers at least one data acquired as necessary. ). According to one embodiment, the analysis unit 110 drives the obfuscated program 2 and then extracts at least one piece of information in the driving process of the obfuscated program 2, thereby executing the obfuscated program 2 Can be analyzed.

4, the analysis unit 110 includes an obfuscation determination unit 111, an analysis prevention detection unit 113, an application programming interface wrapping processing unit 115, an import address table detection unit 117, and direct A call/jump detection unit 119, a source entry point verification unit 121 and a source code extraction unit 123 may be included, and an input unit 131 and an output unit 132 may be further included. Depending on the embodiment, at least one of these elements 111 to 123, 131, 132 may be omitted, and/or other elements other than these elements 111 to 123, 131, 132 may be further added.

The input unit 131 may receive a program to be analyzed by the analysis unit 110. The program received here may include an obfuscated program 2. The input unit 131 may transmit the received program to the obfuscation determination unit 111 and may further transmit the received program to the analysis prevention detection unit 113 according to an embodiment.

The obfuscation determination unit 111 may determine whether the program transmitted from the input unit 131 is the obfuscated program 2. In addition, the obfuscation determination unit 111 may determine whether or not obfuscation has been performed using which obfuscation tool. In other words, the obfuscation determination unit 111 may identify the obfuscation tool. According to an embodiment, the obfuscation determination unit 111 may determine whether or not the obfuscated program 2 is based on an inherent characteristic peculiar to the obfuscation tool. Here, the inherent characteristics peculiar to the obfuscation tool may include an unpacking routine or a byte pattern included therein, as described above. If an intrinsic characteristic peculiar to the obfuscation tool is identified or detected from the program, the obfuscation determination unit 111 may determine that the input program is the obfuscated program 2. The determination result may be transmitted to the analysis prevention detection unit 113, and may be further transmitted to the application programming interface wrapping processing unit 115 if necessary. On the contrary, if the inherent characteristic peculiar to the obfuscation tool is not confirmed or detected from the program, the obfuscation determination unit 111 may determine that the input program is not the obfuscated program 2. In this case, the de-obfuscation process is terminated, and, if necessary, information indicating that de-obfuscation has ended may be provided to the user through an output unit (not shown) of the de-obfuscation device 70 in the form of a message.

The analysis prevention detection unit 113 may determine whether the program 2 is obfuscated by applying the analysis prevention option provided by the obfuscation unit 11. The analysis prevention detection unit 113 may determine whether or not the analysis prevention option is applied using, for example, a pin tool. Specifically, the pin tool can track multi-threaded programs. Accordingly, as shown in FIG. 2, when the driving of the multi-thread-based analysis prevention code 26 is started by the dummy 1 section 22, the pin tool can detect this and obtain a detection result. Accordingly, the analysis prevention detection unit 113 may determine whether or not the analysis prevention option is applied, and also determine whether the analysis prevention option is obfuscated.

The application programming interface wrapping processing unit 115 may process an application programming interface wrapping option. As described above, when the application programming interface wrapping option is applied, the import address table is additionally deformed. Therefore, the application programming interface wrapping processing unit 115 determines whether to apply the application programming interface wrapping option for more appropriate restoration of the import address table. I can judge.

According to an embodiment, the interface wrapping processing unit 115 may include an identification unit 115-1 and an original address acquisition unit 115-2.

The identification unit 115-1 may determine whether the obfuscated program 2 has been obfuscated using an application programming interface wrapping option. For example, in the case of an obfuscation tool such as Dummy, when the original program 1 is obfuscated by applying an application programming interface wrapping option, the import address table value is changed (refer to Rule 3). At this time, the application programming interface wrapping option obfuscates the original application programming interface code, and copies it to the dynamically allocated memory space using read/write/execute rights (refer to Rule 3-2). The application programming interface wrapping processing unit 115 may use this to determine and determine whether an interface wrapping option is applied. Specifically, for example, the application programming interface wrapping processor 115 may determine whether to apply the interface wrapping option by monitoring (monitoring) a predetermined function (eg, NtAllocateVirtualMemory API) having read/write/execution rights. .

If the identification unit 115-1 determines that the obfuscated program 2 is obfuscated by applying the application programming interface wrapping option, the original address acquisition unit 115-2 may obtain the original application programming interface address. I can. In this case, the original address acquisition unit 115-2 may acquire the original application programming interface address by monitoring the original address and the destination address included in the application programming interface copy instruction. The obtained original application programming interface address may be recorded in a predetermined log, for example an unwrapping log. The thus-obtained application programming interface address may be used to supplement the import address table log (IAT log).

The import address table detection unit 117 may detect the import address table and determine where the import address table exists based on the detection result. For example, Dummy merges a text section (.text), a data section (.data), and an import address table section into the top section (see Rule 1-1). Accordingly, the import address table detection unit 117 may determine the location of the import address table by monitoring memory writes to the uppermost section. The decision result can be recorded in the import address table log. According to an embodiment, when the identification unit 115-1 determines that the application programming interface wrapping option is applied, the import address table detection unit 117 obtains the application programming interface address. It may be designed to detect the import address table after one.

The direct call/jump detection unit 119 may check and record the location of the direct call/jump command. In addition, the direct call/jump detection unit 119 may check and record the indirect address of the direct call/jump command. Indirect addresses are intended to convert direct call/jump statements into indirect call/jump statements (see Rule 2-3). Specifically, in the case of dummy, the packed code, data, and the removed import address table are rewritten with special rules in the obfuscated program (2), and when the import address table is restored, the restored import address table When referenced by this call/jump, it is designed to convert all referenced indirect call/jump statements into direct call/jump statements. Therefore, in order to convert such a direct call/jump command back into an indirect call/jump command, the direct call/jump detection unit 119 may further acquire and record the indirect address of the direct call/jump command. The location of the direct call/jump statement or the indirect address for the direct call/jump statement can be recorded in the direct call/jump log.

The original entry point confirmation unit 121 may check and record an original entry point (OEP). In order to confirm and record the original entry point, it may be determined whether or not the obfuscated program 2 input through the input unit 131 is being executed. The dummy does not move the original code, data, and the location of the import address table to another location (see Rule 1-3), and if the obfuscated program (2) jumps to the unpacked code section (25), the raw The entry point is set to the target address (see Rule 4-3). The original entry point checking unit 121 uses this point to check whether the program 2 is executed in the unpacked code section 25, and checks and records the original entry point based on this. The identified original entry point can be recorded in the original entry point log.

The source code extraction unit 123 may extract at least one of the source code and the source data. For example, after the obfuscated program 2 jumps to the unpacked code section 25, the source code and the source code At least one of the data can be extracted. Specifically, when the obfuscated program (2) of the dummy jumps to the unpacked code section (25), all processes are designed to be completed (refer to Rule 2-4), and packed, encrypted, or compressed accordingly. All objects that have been destroyed and/or removed will be restored. Accordingly, the source code extraction unit 123 may acquire at least one of the source code and the source data of the obfuscated program 2.

The output unit 132 may output information obtained as described above. For example, the output unit 132 includes information on the import address table acquired by the import address table detection unit 117 (for example, a log storing the location of the import address table), a direct call/jump detection unit ( Information on the direct call/jump acquired by 119) (for example, the location of the direct call/jump statement or the log containing the indirect address for the direct call/jump statement), confirmed by the original entry point verification unit 121 At least one of information on the sourced entry point (for example, the source entry point log), the source code extracted by the source code extraction unit 123, and the source data extracted by the source code extraction unit 123 can be output. have. If necessary, the output unit 132 may further output an analysis prevention detection result or an application program interface wrapping identification and processing result.

Information output by the output unit 132 may be transmitted to the restoration unit 160. Depending on the embodiment, the output unit 132 may include all or part of the acquired information and transmit it to the restoration unit 160, or the restoration unit 160 may transmit all or part of the acquired information each time information is acquired. You can also pass it on.

4 shows the above-described obfuscation determination unit 111, analysis prevention detection unit 113, application programming interface wrapping processing unit 115, import address table detection unit 117, direct call/jump (DCJ, Direct Call & Jump). ) The detection unit 119, the source entry point verification unit 121, and the source code extraction unit 123 are shown to sequentially operate to obtain information, but the operation and processing sequence of these (111 to 123) are shown in FIG. It is not limited to what is shown in 4. The operation and processing order of these 111 to 123 may be arbitrarily changed according to the judgment of the designer.

5 is a block diagram of an embodiment of a restoration unit.

The restoration unit 160 may generate a result program identical to or similar to the original program 1. Accordingly, the original program 1 can be restored.

Depending on the embodiment, the restoration unit 160 may receive information(s) about the original program 1 from the analysis unit 110 and generate a result program based on the received information(s). In this case, the restoration unit 160 may perform a restoration process after the analysis of the analysis unit 110 is finished to generate a result program, or perform the restoration process while the analysis process of the analysis unit 110 is in progress. Can also be executed to generate the resulting program. In the latter case, when predetermined information is obtained according to the analysis, the analysis unit 110 transmits the acquired information to the restoration unit 160 regardless of whether the analysis is terminated, and the restoration unit 160 receives the received information. The resulting program can be created and restored using real-time or non-real-time. Since the restoration unit 160 can completely reconstruct a program corresponding to the original program 1 (ie, the result program) based on the input obfuscated program 2 and the information on the original program 1 , There is an advantage that the resultant program can be executed immediately by the restoration unit 160. In addition, since the restoration unit 160 can automatically generate a result program without manipulation of a user (eg, an analyst), the user's convenience may be improved.

5, the restoration unit 160 includes a patch unit 161, a compression processing unit 163, an entry point processing unit 165, an import directory table construction unit 167 (IDT construction unit), and an import address table. It may include a construction unit 169 (IAT construction unit), an indirect call / jump (ICJ, Indirect Call & Jump) processing unit 171 and a program generation unit 173. In addition, the restoration unit 160 may further include an input unit 181 and an output unit 182. Depending on the embodiment, at least one of these elements (163 to 173, 181, 182) may be omitted, and/or other elements other than these elements (163 to 173, 181, 182) may be further added.

The input unit 181 may receive the obfuscated program 2 and/or may receive information output from the output unit 132 of the analysis unit 110. Here, the information output from the output unit 132 may include at least one of information about the import address table, information about direct call/jump, information about an original entry point, source code, and source data.

The input unit 181 includes a patch unit 161, a compression processing unit 163, an entry point processing unit 165, an import directory table construction unit 167, an import address table construction unit 169, and the received program and/or information. It may be transmitted to at least one of the indirect call/jump processing unit 171 and the program generation unit 173. In this case, the input unit 181 may transmit the received program and/or information to the elements 163 to 173 corresponding to each. For example, the input unit 181 may transmit the code and data extracted by the analysis unit 110 to the patch unit 161, or transmit information on the entry point to the EP processing unit 165 that processes the entry point. May be.

The patch unit 161 may patch the source code and/or the source data. The source code and/or the source data may be extracted by the source code extraction unit 123 of the analysis unit 110 described above. The patch unit 161 may transmit the patch result of the code and/or data to the compression processing unit 163 or the entry point processing unit 165.

The compression processing unit 163 may perform processing related to compression and decompression of each section (eg, the data section 24 or the code section 25). According to an embodiment, the compression processing unit 163 may include a compression determination unit 163-1 and a decompression unit 163-2.

The compression determination unit 163-1 may determine whether the obfuscated program 2 is compressed. For example, if the obfuscated program 2 includes the data section 24 and/or the code section 25, the compression determination unit 163-1 may each of the sections 24 and 25 or It is also possible to determine whether the obfuscated program 2 is compressed by comparing the size of the raw section of both the sections 24 and 25 with the size of the corresponding virtual section.

The decompression unit 163-2 may perform decompression based on a determination result of the compression determination unit 163-1. For example, if it is determined that the code section 25 and/or the data section 24 is compressed, the information about the code section 25 and/or the information about the data section 24 is modified to modify the original program ( The result program corresponding to 1) can be accurately rebuilt.

The entry point processing unit 165 may patch the entry point extracted by the analysis unit 110, more specifically, the original entry point verification unit 121.

The import directory table construction unit 167 may build an import directory table using the extracted import address table log. When dummy is obfuscated, the import directory table is also damaged in the same way as the import address table, but the import directory table is not recreated when restoring. However, since Dummy Dummy rewrites the import address table in a specific location (for example, the same location as the import address table of the original program (1)) at runtime, the import directory table is rewritten by using the rewritten import address table and function name. It can be restored.

The import address table construction unit 169 may restore the import address table. According to an embodiment, the address table construction unit 169 may use the name of the function to restore the import address table. Of course, the address table construction unit 169 can extract the ordinal or virtual address of the function to construct the import address table. However, in the case of using a tool such as a pin tool, the extraction of the function ordinal or virtual address It can be relatively difficult compared to the extraction of the name of.

The indirect call/jump processing unit 171 may obtain the indirect call/jump command by modifying the direct call/jump command. For this purpose, the indirect call/jump processing unit 171 may refer to the indirect address of the direct call/jump command recorded in the direct call/jump log.

The program generation unit 173 includes a patch unit 161, a compression processing unit 163, an entry point processing unit 165, an import directory table construction unit 167, an import address table construction unit 169, and an indirect call/jump processing unit ( 171), a result program is constructed. Accordingly, it is possible to restore and obtain a program corresponding to the original program (1).

At least one of the above-described analysis unit 110 and restoration unit 160 is identically or partially deformed and obfuscated with an obfuscation tool other than Dummy Da (for example, Win License or VM Protect, etc.) It can also be applied to reverse obfuscation of program (2).

For example, since the program 2 obfuscated by the Win license is essentially the same or similar in structure to the program 2 obfuscated by the dummy, the above-described analysis unit 110 and restoration unit 160 The original program (1) can be restored from the program (2) obfuscated by the Win license by identically or partially modifying it.

VM Protect provides relatively few options compared to dummy, but does not damage the import address table when the import protect option is applied. In addition, VM Protect restores the code and data sections by executing two sections (vmp1 and vmp0 sections) similar to the dummy1 section and the dummyda2 section, but does not obfuscate the text section itself. Therefore, it is restored almost entirely to the same point as the original code without the need to restore the import address table. Considering this point, if the same or partially modified method as the above-described analysis unit 110 and restoration unit 160 is used, the original program (1) from the obfuscated program (2) based on the VM Protect ) Can be restored.

Hereinafter, various embodiments of the de-obfuscation method will be described with reference to FIGS. 6 to 8.

6 is a flowchart of an embodiment of a de-obfuscation method.

As shown in FIG. 6, first, the original program is obfuscated (200). Obfuscation may be performed based on a predetermined obfuscation tool, for example, may be performed based on a dummy, a Win license, and/or a VM Protect. Accordingly, an obfuscated program is created. The obfuscation of the original program may be performed by the obfuscation device, and the obfuscation device may be the same device as the de-obfuscation device described later, or may be different devices. When the obfuscation apparatus is different from the de-obfuscation apparatus, both may be the same type of apparatus or a heterogeneous apparatus.

According to an embodiment, when the original program is obfuscated, at least one of at least one obfuscation option may be selected and applied. Binary code level, for example, anti-debugger options, anti-dumper options, anti-patching options, compression options for applications or resources, compression options for secure engine code or resources, application interface wrapping options, or entry point obfuscation options. In the process of obfuscation, various options for preventing analysis are applicable.

The de-obfuscation apparatus may obtain an obfuscated program from the obfuscation apparatus (202). For example, the deobfuscation apparatus may acquire an obfuscated program through at least one memory medium or a wired/wireless communication network. If the obfuscation device is the same device as the de-obfuscation device, the de-obfuscation device acquires the obfuscated program immediately after the obfuscation ends.

The de-obfuscation apparatus may initiate analysis of the obfuscated program manually according to a user's manipulation or automatically according to a predefined setting (210). According to the analysis of the obfuscated program, the deobfuscation apparatus may acquire various types of information for generating a result program corresponding to the original program. For example, according to the analysis result, the de-obfuscation device provides information on whether to apply analysis prevention, information on whether to wrap the application programming interface, import address table, direct call and jump statements, raw entry points, raw code and raw data. At least one can be obtained. Depending on the embodiment, the analysis process 210 of the obfuscated program may be omitted.

The de-obfuscation apparatus may generate a result program corresponding to the original program before being obfuscated (230). In this case, the de-obfuscation apparatus can generate the resulting program when the analysis of the obfuscated program is finished (ie, after the end of step 210) or while the obfuscated program is being analyzed (ie, together with step 210). have. The de-obfuscation apparatus may use at least one piece of information acquired in the analysis process 210 to generate a result program. Depending on the embodiment, the process 230 of generating the result program may be omitted.

Hereinafter, an embodiment of the analysis process 210 of the obfuscated program will be described in more detail.

7 is a flowchart of an example of a method for analyzing an obfuscated program.

As shown in FIG. 7, for analysis of the obfuscated program, it may be determined whether or not the first input program is an obfuscated program (211). Also, if necessary, it may be determined whether a program is used for obfuscation. According to an embodiment, the determination of whether or not the program is obfuscated can be performed using the intrinsic characteristics of the above-described obfuscation tool. The inherent characteristics of the obfuscation tool may include, for example, an unpacking routine or a byte pattern.

If it is determined that the program has not been obfuscated (NO in 211), the analysis process 210 of the program is terminated, and the restoration process 230 is not performed.

Conversely, if it is determined that the program has been obfuscated (YES in 211), it may be sequentially determined whether to apply the analysis prevention option in the obfuscation process 200 of the original program (212). For example, whether or not the analysis prevention option is applied may be determined using a pin tool capable of tracking a multi-threaded program.

In addition, it may be determined whether the application programming interface wrapping option is applied (213). For example, whether or not the interface wrapping option is applied may be performed by monitoring a predetermined function having read, write, and execution rights.

If the application program interface wrapping option is applied (YES in 213), the original application programming interface address may be obtained in response thereto (214). In this case, the original application programming interface address can be obtained by monitoring the original address and the destination address included in the application programming interface copy instruction. The obtained application programming interface address may be recorded in an unwrapping log or the like. Conversely, if the application program interface wrapping option is not applied (No in 213), the process of obtaining the application programming interface address may not be performed.

In addition, the import address table is detected, and accordingly, a location where the import address table exists may be determined (215). In the case of dummy da, the text section, data section, and import address table section are merged into the top section, so if you monitor whether data is written to the top section, you can know the location of the import address table. When the application programming interface address is obtained 214, the import address table may be supplemented using the application programming interface address.

Also, by detecting the direct call/jump command, the location of the direct call/jump command may be checked and recorded (216). In this case, the indirect address of the direct call/jump statement can be checked and recorded as well, and this can be performed to convert the direct call/jump statement back to an indirect call/jump statement. The location of a direct call/jump statement or an indirect address for a direct call/jump statement may be recorded in the direct call/jump log, for example.

Meanwhile, the original entry point may be identified (217). In the case of dummy, the location of the original code, data, and import address table is not moved to another location, and the obfuscated program moves to the unpacked code section with the original entry point set as the target address, so it is first obfuscated. It is judged whether or not the program is executed, and the original entry points can be sequentially checked. The verified original entry point may be recorded in the original entry point log, for example.

In addition, source code and/or source data may be extracted (218). Since the obfuscated program jumps to the unpacked code section and all obfuscated objects are restored, the source code and/or the source data can be extracted using this.

Information about the extracted import address table, information about direct call/jump, information about the original entry point, information about the source code and/or the source data is output (219). The outputted information may be used for the restoration process 220. The information output 219 may be performed after all of the above-described operations 211 to 218 are completed. In addition, the information output 219 may be performed while the above-described operations 211 to 218 are performed. In this case, the information output 219 may be performed immediately or within a predetermined time when at least one of the above-described operations 212 to 218 is performed to obtain information.

The above-described operations 211 to 219 may be performed at the same time or at the same time, or may be performed sequentially when performed at this time. In addition, among the aforementioned operations 211 to 219, the operations 212 to 219 other than the obfuscation determination 211 may be processed in a different order as described above and according to the designer's selection. For example, the direct call and jump detection operation 216 may be performed before the import address table detection operation 215 or after the original entry point verification operation 217. Some of the operations 212 to 219 may be omitted depending on the designer's selection. In addition, the operation 212 of determining whether to apply the analysis prevention option may be omitted.

Hereinafter, an embodiment of the process of generating the result program, that is, the process of restoring the original program 230 will be described in more detail.

8 is a flowchart of an embodiment of a method for restoring a result program.

As shown in FIG. 8, the source code is patched, and the source data may also be patched as needed (231). The source code and the source data may be obtained according to the analysis operation 210 of the obfuscated program.

Whether or not the obfuscated program has been compressed may be determined (232). Determination of compression may be performed by comparing the size of the original section of the data section and/or the code section with the size of the corresponding virtual section.

If the obfuscated program is in a compressed state (YES in 232), decompression may be performed, and for example, decompression may be performed on the code section and/or the data section (233). If the obfuscated program is not in a compressed state (NO in 232), the decompression operation 233 may not be performed.

Also, an entry point patch may be performed (234). The entry point may be obtained by the above-described original entry point verification operation 217.

The construction of the import directory table may be performed (235). The construction of the import directory table may be performed using the import address table log, and in particular, may be performed using the rewritten import address table and function name.

Restoration of the import address table may also be performed (236). In this case, the import address table may be restored through the name of the function, the ordinal number of the function, or the virtual address.

The indirect call/jump statement may be obtained (237), and the indirect call/jump statement may be obtained by modifying the direct call/jump statement. For this, it is possible to refer to the indirect address of the direct call/jump statement.

A result program may be generated based on the results of the operations 231 to 237 described above (238). The resulting program can be created identical to or similar to the original program. According to the above-described operations 231 to 238, since the format of the original program is completely reconstructed using the input obfuscated program and original information, the generated result program can be executed immediately.

The de-obfuscation method, the analysis method, and the restoration method according to the above-described embodiment may be implemented in the form of a program that can be driven by a computer device. Here, the program may include a program command, a data file, a data structure, etc. alone or in combination. The program may be designed and manufactured using machine code or high-level language code. The program may be specially designed to implement the above-described de-obfuscation method, analysis method, and restoration method, or may be implemented using various functions or definitions previously known and available to those skilled in the computer software field. Here, the computer device may be implemented including a processor or a memory that enables the function of a program to be realized, and may further include a communication device if necessary.

A program for implementing the above-described de-obfuscation method, analysis method, and restoration method may be recorded in a computer-readable recording medium. Computer-readable recording media include magnetic tape, magnetic disk storage medium (hard disk floppy disk, etc.), optical recording medium (compact disk (CD), DVD or Blu-ray disk, etc.), magnetic-optical recording medium ( It may include various types of hardware devices capable of storing a specific program executed according to a call such as a computer, such as a floppy disk, etc.) and a semiconductor storage device (ROM, RAM, flash memory, etc.).

In the above, various embodiments of the de-obfuscation apparatus and de-obfuscation method have been described, but the apparatus and method are not limited to the above-described embodiments. An apparatus or method that can be implemented by modifying and modifying based on the above-described embodiment by a person of ordinary skill in the art may also be an example of the above-described de-obfuscation apparatus or de-obfuscation method. For example, the described techniques are performed in an order different from the described method, and/or components such as systems, structures, devices, circuits, etc. described are combined or combined in a form different from the described method, or other components or Even if it is replaced or substituted by an equivalent, it may be an embodiment of the above-described reverse obfuscation apparatus or reverse obfuscation method.

1: original program 2: obfuscated program
10: obfuscation device 11: obfuscation unit
70: deobfuscation device 80: processor
90: memory device 100: deobfuscation unit
110: analysis unit 111: obfuscation determination unit
113: analysis prevention detection unit 115: API wrapping processing unit
117: IAT detection unit 119: direct call/jump detection unit
121: source EP verification unit 123: source code extraction unit
160: restoration unit 161: patch unit
163: compression processing unit 165: EP processing unit
167: IDT construction unit 169: IAT construction unit
171: indirect call/jump detection unit 173: program generation unit

Claims (14)

An analysis unit that obtains information on the original program by analyzing the obfuscated program obtained by obfuscation of the original program; And
A restoration unit for obtaining a result program corresponding to the original program based on the information obtained by the analysis unit,
The analysis unit,
When the obfuscated program is executed, it is determined whether to apply the analysis prevention option by detecting the operation of the multi-thread-based analysis prevention code,
It monitors functions with read/write/execute rights to determine whether to apply the application programming interface wrapping option to obfuscation of the obfuscated program, and obtains the original application programming interface address when the application programming interface wrapping option is applied. ,
By monitoring memory writes to the top section, the import address table (IAT) is detected from the obfuscated program and the location of the import address table is determined,
Check the indirect address of the direct call/jump statement,
By checking the original entry point, obtaining information on the original program,
Reverse obfuscation device.
The method of claim 1,
The restoration unit acquires the import address table by using the location of the import address table,
Reverse obfuscation device.
The method of claim 2,
The restoration unit builds an import directory table (IDT) based on the import address table,
Reverse obfuscation device.
The method of claim 1,
The analysis unit receives at least one program and determines whether the program is an obfuscated program based on an intrinsic characteristic of the obfuscation tool used for obfuscation of the original program,
The intrinsic feature includes at least one of an unpacking routine, a byte pattern included in the unpacking routine, the number of sections, and a name of a section,
Reverse obfuscation device.
The method of claim 1,
The analysis unit extracts at least one of the source code and the source data,
The restoration unit patches at least one of the original code and the original data,
Reverse obfuscation device.
delete The method of claim 1,
The restoration unit,
It is determined whether at least one of the code section and the data section is compressed, and decompression is performed on at least one of the code section and the data section according to the determination result, or
Acquire an indirect call/jump statement by modifying the direct call/jump statement based on the indirect address of the direct call/jump statement, or
Patching the original entry point,
Reverse obfuscation device.
In the de-obfuscation method performed by the de-obfuscation apparatus including at least a processor,
Analyzing the obfuscated program obtained by obfuscating the original program to obtain information on the original program; And
Including the step of obtaining a result program corresponding to the original program based on the obtained information,
Obtaining information on the original program,
Determining whether to apply an analysis prevention option by detecting driving of a multi-thread-based analysis prevention code when the obfuscated program is executed;
It monitors functions with read/write/execute privileges to determine whether to apply the application programming interface wrapping option to obfuscation of the obfuscated program, and obtains the original application programming interface address when the application programming interface wrapping option is applied. step;
Detecting an import address table (IAT) from the obfuscated program by monitoring memory writes to an uppermost section, and determining a location of the import address table;
Checking the indirect address of the direct call/jump statement; And
By confirming the original entry point, comprising the step of obtaining information on the original program,
De-obfuscation method.
The method of claim 8,
The step of obtaining the resulting program includes obtaining the import address table using a location of the import address table,
De-obfuscation method.
The method of claim 9,
The step of obtaining the result program further comprises building an import directory table based on the import address table,
De-obfuscation method.
The method of claim 8,
Obtaining information on the original program,
Receiving at least one program; And
Determining whether the at least one program is an obfuscated program based on an intrinsic characteristic of the obfuscation tool used for obfuscation of the original program,
The intrinsic feature includes at least one of an unpacking routine, a byte pattern included in the unpacking routine, the number of sections, and a name of a section,
Deobfuscation method.
The method of claim 8,
The step of obtaining the information on the original program includes extracting at least one of the original code and the original data,
The step of obtaining the resulting program comprises fetching at least one of the source code and the source data,
De-obfuscation method.
delete The method of claim 8,
The step of obtaining the result program,
Determining whether to compress at least one of the code section and the data section, and decompressing at least one of the code section and the data section according to the determination result;
Obtaining an indirect call/jump statement by modifying the direct call/jump statement based on the indirect address of the direct call/jump statement; And
Comprising at least one of fetching the original entry point,
De-obfuscation method.

Images