Research On Path Branch Obfuscation Technique

In recent years,with the rapid growth of computing and storage capacity,software automatic analysis technology which was based on symbol execution,comprehensive application of dynamic pile insertion,stain analysis and constraint solving techniques has been developed by leaps and bounds,and has been widely used in the field of reverse engineering.Because software automatic analysis technology based on symbolic execution can restore the internal logical relationship of software by analyzing and processing the path branch information which was leaked by program code,so the emergence of this technology reduce the difficulty of reverse engineering,improve the efficiency of the reverse,make software intellectual property protection being faced with new serious threat.Path branch obfuscation is a kind of code obfuscation technology which aims at protecting path branch information and fighting against symbol execution.It can defeat the software automatic analysis technology based on symbol execution.At present,a series of achievements have been made in the research of path branch confusion,and the leakage of branch information has been restrained to some extent.However,there are still some problems to be studied that restrict the development and application of path branch confusion.In this dissertation,the classification of branch obfuscation,the construction of conditional exception code in branch obfuscation,the restoration and improvement of branch obfuscation,the extension of branch obfuscation on the branch of floating-point number comparison path,and the combination of branch obfuscation and code encryption are studied,and the relevant results are as follows:1.Summarized and classified branch obfuscation,and a new construction method for conditional exception codes in branch obfuscation is proposed to improve the branch obfuscation's concealment and antagonism.Based on the comprehensive analysis and research of the current path branch obfuscation technique,the branch obfuscation technique is summarized into three categories according to the different objects of the obfuscation transform,and the advantages and disadvantages of the three categories of branch obfuscation technique are analyzed and summarized.The progress of current branch obfuscation research is introduced in detail,and the future development trend of branch obfuscation is analyzed.In the branch obfuscation based on branch control mode transform,because the current conditions of exception code construction method will lead to a problem that the critical data in exception codes can only be chosen in two values.This reduces the concealment of branch obfuscation and antagonism with symbolic execution.By introducing a new randomization construction method of the key data in exception codes,and using structured exception handling control mode to replace original branch selecting method,the concealment of the obfuscation and confrontational with symbolic execution was improved.2.Based on the importance of anti-restoration of branch obfuscation,restoration and improvement of branch obfuscation were studied.Firstly,in the branch obfuscation based on prefix-preserving encryption,its obfuscation algorithm has some defects.In view of the defects of the obfuscation algorithm,an obfuscation restoration attack method against the obfuscation algorithm is proposed,and the obfuscation based on prefix-preserving encryption branch obfuscation is restored.Furthermore,the obfuscation algorithm of the branch obfuscation is improved by using hash value matching instead of prefix matching,so that the improved branch obfuscation can be better against obfuscation restoration,and at the same time the obfuscation is guaranteed to be highly antagonistic in the confrontation with symbol execution.The improved obfuscation method has the same consumption as before,in other words,it improves the obfuscation performance without increasing the obfuscation consumption.Secondly,aiming at the general character of continuity and boundness of branch input set in branch condition,an attack method of obfuscation restoration based on dichotomy is proposed.To resolve the disadvantage of being vulnerable to attack,an improved branch obfuscation is proposed.By dividing and scaling the input value set of the branch,the input value's interval of the branch is no longer characterized with single boundary,and the anti-restore characteristic of branch obfuscation is improved,at the same time the obfuscation consumption increases less.3.Because the current branch obfuscation method based on branching condition transformation cannot be applied to floating-point number comparison branch,a new branch obfuscation technique suitable for floating-point number comparison branch is proposed.By analyzing and studying the relationship between floating-point number storage structure and floating-point number comparison,it is proved that there is a prefix matching relation between any value in floating-point number interval and the prefix set corresponding to the binary data interval of floating-point number.Based on the matching relation,the prefix matching relation is first used to replace the floating-point number comparison relation,and then the prefix hash value comparison is used to replace the prefix matching.Through analysis and experiment,it is proved that this method has lower consumption,better obfuscation performance and better practical value.4.Conditional code encryption technology is formed from the combination of code encryption and path branch obfuscation.But it only can be applied to branches which shaped with equal conditions,and it's consumption is much higher on compound branch combined with two or more equal conditions.We use our improved branch obfuscation technology and Lagrange interpolation method to adjust the key generation algorithm,solving the problem that how to integrate the encryption key and the execution logic and reduce the consumption of the encryption on branch combined with two or more equal conditions.Extends the application of conditional code encryption from the equal comparison branch to the comparison branch of integer and floating-point numbers,and the complex branch of equal comparison and size comparison.Through analysis and experimental data,it is proved that the new conditional code encryption extends the application condition but consumption increases little,so it has a good application value.