Technical Stream
CIL deobfuscation

Overview:

To develop a program that deobfuscates (simplifies) decompiled CIL bytecode to which an obfuscation technique was previously applied.

Objective:

To protect code against static analysis, modern malware developed for the .NET platform uses special obfuscation techniques, implemented both in malicious protectors and in open-source or commercial protectors used by legitimate developers. Examples of the latter are Confuser (https://confuser.codeplex.com/) and Dotfuscator (https://www.preemptive.com/products/dotfuscator/overview).

One obfuscation technique that seriously complicates analysis is obfuscation of the program's control flow. An example of this technique is the dispatching method: the source code is split into basic blocks, the resulting blocks are shuffled, and a dispatcher is created whose internal logic determines the sequence in which these blocks are executed, so that the program's observable behaviour remains unchanged.

The obfuscation scheme is shown in Figure 1. An example of C# obfuscation is shown in Figure 2.

Figure 1: CIL deobfuscation (obfuscation scheme)

An interesting approach to deobfuscation is to represent a sequence of instructions as a system of linear equations. If the system of equations for the condition used in a conditional branch has no solution, that branch can never be taken and may be discarded.

Figure 2: CIL deobfuscation (example of C# obfuscation)

The aim of this work is to develop a deobfuscator prototype that, for a class, method or sequence of CIL instructions protected with this technique, is capable of unravelling the control flow and making the code suitable for analysis.

Data:

The developers are provided with several compiled .NET modules protected by different protectors implementing obfuscation of the control flow using the method described above.

The data is available after registration.

Requirements:

To develop a deobfuscator for .NET samples consisting of an MSIL disassembler, an MSIL-to-SMT translator, an SMT solver and an MSIL decompiler. The program should support both automated and semi-automated deobfuscation. Semi-automated mode implies that the analyst can edit the code manually and change the system of equations while the program is running (for example, to supplement the system manually when external API calls are encountered).

At the input stage, the program is given the .NET module together with information about which class, method or specific MSIL code sequence should be unravelled. At the output stage, the analyst should receive a modified .NET sample that can be decompiled.
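As an added illustration (not part of the task statement or of any protector or solution it mentions), the following Python sketch ties together the linear-equation idea above and the semi-automated requirement: a dispatcher-flattened method is modelled as linear updates of a symbolic state, each dispatcher case becomes a linear equation over that state, and a case whose system has no solution is an infeasible transition and is dropped, which recovers the original block order. The block table, dispatcher cases and the unknown `n` standing for an external API result are constructed values; the `eqs` argument plays the role of the equations the analyst supplies by hand.

```python
from fractions import Fraction

def lin(const=0, **terms):
    """Linear form {name: coeff}; key "1" is the constant: lin(5, n=2) is 2*n + 5."""
    f = {"1": Fraction(const)}
    f.update({k: Fraction(v) for k, v in terms.items() if v != 0})
    return f

def add(f, g, scale=1):
    """f + scale*g, dropping zero coefficients (the constant term always stays)."""
    out = dict(f)
    for k, v in g.items():
        out[k] = out.get(k, Fraction(0)) + scale * v
    return {k: v for k, v in out.items() if v != 0 or k == "1"}

def consistent(eqs):
    """Gaussian elimination over the rationals: does {e == 0 for e in eqs} have a solution?"""
    pivots = {}                                # pivot var -> reduced row
    for row in eqs:
        for var, prow in pivots.items():       # reduce in insertion order
            if var in row:
                row = add(row, prow, -row[var] / prow[var])
        free = [k for k in row if k != "1"]
        if free:
            pivots[free[0]] = row
        elif row["1"] != 0:
            return False                       # reduced to 0 == nonzero
    return True

def feasible_targets(state, dispatcher, eqs):
    """Dispatcher cases whose guard `state == k` is solvable together with eqs."""
    return [t for k, t in dispatcher if consistent(eqs + [add(state, lin(k), -1)])]

def unflatten(state, blocks, dispatcher, eqs=(), max_steps=64):
    """blocks[name] = (a, b): block runs `state := a*state + b`; dispatcher is [(k, target)],
    target None = exit. Returns (order, leftover): [] at exit, else cases the analyst must resolve."""
    eqs, order = list(eqs), []
    for _ in range(max_steps):
        targets = feasible_targets(state, dispatcher, eqs)
        if len(targets) != 1:
            return order, targets              # 0: dead end, >1: analyst needed
        if targets[0] is None:
            return order, []
        order.append(targets[0])
        a, b = blocks[targets[0]]
        state = add(lin(b), state, a)          # symbolic state := a*state + b
    raise RuntimeError("loop in flattened code or max_steps too small")

# Constructed sample: original order B0 -> B1 -> B2 -> exit; `n` stands for an
# external API result, unknown until the analyst supplies the equation n == 7.
BLOCKS = {"B0": (2, -11), "B1": (4, 0), "B2": (1, -12)}
DISPATCH = [(7, "B0"), (3, "B1"), (12, "B2"), (0, None)]
ANALYST_EQS = [lin(-7, n=1)]                    # n - 7 == 0
```

With a concrete entry state `lin(7)` the walk resolves to `["B0", "B1", "B2"]`; with the symbolic entry `lin(0, n=1)` every case is feasible until `ANALYST_EQS` is passed as `eqs`, after which the same order is recovered.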

Evaluation criteria:

The following criteria will be used to evaluate the solutions:

  1. The quality of deobfuscation of the proposed modules in automated mode, evaluated by comparing the cyclomatic complexity of the original, protected and deobfuscated code.
  2. Usability of the interface from the point of view of a virus analyst and reverse engineer.
  3. Scalability of the program for deobfuscation of large sample flows.