• Journal of the Korea Society of Computer and Information
• /
• v.16 no.6
• /
• pp.41-50
• /
• 2011

Code obfuscation has been proposed to protect codes in a program from malicious software reverse engineering. It converts a program into an equivalent one that is more difficult to understand the program. Code obfuscation has been classified into various obfuscation technique such as layout, data, control, by obfuscating goals. In those obfuscation techniques, control obfuscation is intended to complicate the control flow in a program to protect abstract information of control flow. For protecting control flow in a program, various control obfuscation transformation techniques have been proposed. However, strategies for effectively applying a control flow obfuscation to program have not been proposed yet. In this paper, we proposed a obfuscation strategy that effectively applies a control flow obfuscation transformation to a program. We conducted experiment to show that the proposed obfuscation strategy is useful for applying a control flow transformation to a program.

• Journal of Information Technology Services
• /
• v.10 no.3
• /
• pp.167-177
• /
• 2011

Code obfuscation is a technique that protects the abstract data contained in a program from malicious reverse engineering and various obfuscation methods have been proposed for obfuscating intention. As the abstract data of control flow about programs is important to clearly understand whole program, many control flow obfuscation transformations have been introduced. Generally, inlining is a compiler optimization which improves the performance of programs by reducing the overhead of calling invocation. In code obfuscation, inlining is used to protect the abstract data of control flow. In this paper, we define new control flow complexity metric based on entropy theory and N-Scope metric, and then apply genetic algorithm to obtain optimal inlining results, based on the defined metric.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.6
• /
• pp.1043-1053
• /
• 2023

Malware analysts work diligently to analyze and counteract malware, while developers persistently devise evasion tactics, notably through packing and obfuscation techniques. Although previous works have proposed general unpacking approaches, they inadequately address techniques like OEP obfuscation and API obfuscation employed by modern packers, leading to occasional failures during the unpacking process. This paper examines the OEP and API obfuscation techniques utilized by various packers and introduces a system designed to automatically de-obfuscate them. The system analyzes the memory of packed programs, detects trampoline codes, and identifies obfuscated information, for program reconstruction. Experimental results demonstrate the effectiveness of our system in de-obfuscating programs that have undergone OEP and API obfuscation techniques.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.605-616
• /
• 2020

Obfuscation technology delays the analysis of a program by modifying internal logic such as data structure and control flow while maintaining the program's functionality. However, the application of such obfuscation technology to malicious code frequently occurs to reduce the detection rate of malware in antivirus software. The obfuscation technology applied to protect software intellectual property is applied to the malicious code in reverse, which not only lowers the detection rate of the malicious code but also makes it difficult to analyze and thus makes it difficult to identify the functionality of the malicious code. The study of reverse obfuscation techniques that can be closely restored should also continue. This paper analyzes the characteristics of obfuscated code with the option of Pack the Output File and Import Protection among detailed obfuscation technologies provided by VMProtect 3.4.0, a popular tool among commercial obfuscation tools. We present a de-obfuscation algorithm.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.709-720
• /
• 2013

Virtualization obfuscation makes hard to analyze the code by applying virtualization to code section. Protected code by common used virtualization obfuscation technique has become known that it doesn't have restored point and also it is hard to analyze. However, it is abused to protect malware recently. So, It is been hard to analyze and take action for malware. Therefore, this paper's purpose is analyze and take action for protected malware by virtualization obfuscation technique through implement tool which can extract virtualization structure automatically and trace execution process. Hence, basic structure and operation process of virtualization obfuscation technique will be handled and analysis result of protected malware by virtualization obfuscation utilized Equation Reasoning System, one kind of program analysis. Also, we implement automatic analysis tool, extract virtualization structure from protected executable file by virtualization obfuscation technique and deduct program's execution sequence.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38B no.8
• /
• pp.654-662
• /
• 2013

Android applications can be easily decompiled owing to their structural characteristics, in which applications are developed using Java and are self-signed so that applications modified in this way can be repackaged. It will be crucial that this inherent vulnerability may be used to an increasing number of Android-based financial service applications, including banking applications. Thus, code obfuscation techniques are used as one of solutions to protect applications against their forgery. Currently, many of applications distributed on Android market are using ProGuard as an obfuscation tool. However, ProGuard takes care of only the renaming obfuscation, and using this method, the original opcodes remain unchanged. In this paper, we thoroughly analyze obfuscation mechanisms applied in ProGuard, investigate its limitations, and give some direction about its improvement.

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.10c
• /
• pp.521-525
• /
• 2006

최근 소프트웨어의 주요 알고리즘 및 자료구조 등의 지적재산권을 역공학 분석과 같이 악의적인 공격들로부터 보호하기 위한 연구가 이루어지고 있다. 본 논문에서는 산업 현장에서 많이 사용되는 Visual C++ 또는 MFC로 작성된 프로그램의 소스 코드를 역공학 공격으로부터 보호하기 위한 Obfuscation 도구를 구현하고 그 성능을 평가한다. 구현된 도구는 3가지 Obfuscation 알고리즘을 적용하여 소스 코드를 생성하며 생성된 소스 코드들은 가독성이 떨어지고 역공학 분석이 어렵도록 변환되지만, 프로그램의 본래 기능은 그대로 유지하며 성능상의 변화가 크지 않음을 실험을 통해 확인할 수 있었다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.605-615
• /
• 2018

Due to the rapid growth of the Internet of Things market, the use of the C/C++ language, which is the most widely used language in embedded systems, is also increasing. To improve the quality of code in the C/C++ language and reduce development costs, it is better to use static analysis, a software verification technique that can be performed in the first half of the software development life cycle. Many programs use static analysis to verify software safety and many static analysis tools are being used and studied. In this paper, we use Clang static analysis tool to check security weakness detection performance of verified test code. In addition, we compared the static analysis results of the test codes applied with the source obfuscation techniques, layout obfuscation, data obfuscation, and control flow obfuscation techniques, and the static analysis results of the original test codes, Analyze the detection ability impact of the Clang static analysis tool.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1201-1215
• /
• 2015

Obfuscation tools can be used to protect android applications from reverse-engineering in android environment. However, obfuscation tools can also be misused to protect malicious applications. In order to evade detection of anti-virus, malware authors often apply obfuscation techniques to malicious applications. It is difficult to analyze the functionality of obfuscated malicious applications until it is deobfuscated. Therefore, a study on deobfuscation is certainly required to address the obfuscated malicious applications. In this paper, we analyze APKs which are obfuscated by commercial obfuscation tools and propose the deobfuscation method that can statically identify obfuscation options and deobfuscate it. Finally, we implement automatic identification and deobfuscation tool, then show the results of evaluation.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.12
• /
• pp.1008-1012
• /
• 2009

Obfuscation is known as one of the most effective methods to protect software against malicious reverse engineering transforming the software into more complicated one with still preserving the original semantic. However, obfuscating a program can increase both code size of the program and execution time compared to the original program. In mobile devices, the increases of code size and execution time incur the waste of resources including the increase of power consumption. This paper has analyzed the effectiveness of some high-level obfuscation algorithms as well as their power consumption with implementing them under an embedded board equipped with ARM processor. The analysis results show that there is (are) an efficient obfuscation method(s) in terms of execution time or power consumption according to characteristics of a given program.