Automated Anti-obfuscation Technology Based on Capstone and Flow-sensitive Concolic Execution


Authors: LU Hui; GUO Run-Sheng; JIN Cheng-Jie; HE Lu-Xiao-Han; WANG Xing-Wei; TIAN Zhi-Hong (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510336, China; School of Computer Science and Engineering, Northeastern University, Shenyang 110169, China)

Affiliations: [1] Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, Guangdong 510336 [2] School of Computer Science and Engineering, Northeastern University, Shenyang, Liaoning 110169

Source: Journal of Software, 2023, No. 8, pp. 3745-3756 (12 pages)

Funding: National Natural Science Foundation of China (61972108, U20B2046); National Key R&D Program of China (2021YFB2012402); Guangdong Provincial Key R&D Program (2020B0101120002).

Abstract: After years of technical development and attack-defense confrontation, the reinforcement technology for Android applications has matured to the extent that protection granularity has gradually developed from general dynamic Dalvik executable (DEX) modification to a highly customized Native-layer obfuscation mechanism. Client code protection is strengthened by continuously increasing reverse analysis difficulty and workload. For the newly emerged reinforcement technology of obfuscator low level virtual machine (OLLVM) obfuscation, this study proposes an automatic anti-obfuscation solution, CiANa, based on Capstone and flow-sensitive concolic execution. The Capstone engine is used to analyze each basic block and its instruction structure, thereby identifying the real blocks scattered in the control flow graph of the program disassembly. Then, the execution sequence of the real blocks is determined by leveraging flow-sensitive concolic execution. Finally, the assembly instructions of the real blocks are repaired to obtain anti-obfuscated executable binary files. The comparative experimental results show that CiANa can recover Android Native files under OLLVM obfuscation in the ARM/ARM64 architecture. As the first framework that offers effective anti-obfuscation and generates executable files for all versions (Debug/Release) of OLLVM in the ARM/ARM64 architecture, CiANa provides necessary auxiliary support for reverse analysis.

Keywords: OLLVM obfuscation; Android Native files; anti-obfuscation

Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]
