Abstract
Both on malicious binaries and commercial software like video games, the complexity of software protections, which aim at slowing reverse-engineering, is constantly growing. Analyzing those protections and eventually circumventing them, require more and more elaborated tools. Through two examples, we illustrate some particularly interesting protection families and try to show their limits and how to remove them to recover a binary which is close to the original code. Each of our approaches is based on the use of the binary manipulation framework Metasm.
Similar content being viewed by others
References
Allamigeon X., Hymans C.: Static analysis by abstract interpretation: application to the detection of heap overflows. J. Comput. Virol. 4(1), 5–24 (2007)
Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations, Technical Report 148, Department of Computer Science, University of Auckland, July 1997. http://www.cs.auckland.ac.nz/~collberg/Research/Publications/CollbergThomborsonLow97a; http://citeseer.nj.nec.com/collberg97taxonomy.html (1997)
Collberg, C., Thomborson, C., Low, D.: Manufacturing cheap, resilient, and stealthy opaque constructs. In: Principles of Programming Languages 1998, POPL’98, pp. 184–196. http://citeseer.ist.psu.edu/collberg98manufacturing.html (1998)
Guillot, Y.: Metasm. In: Proceedings of the 5ème Symposium sur la Sécurité Technologies de l’Information et des Communicatins (SSTIC’07). http://actes.sstic.org (2007)
Guillot, Y.: Metasm, a ruby (dis)assembler. In: Proceedins of the Hack.Lu 2007 Conference. http://www.hack.lu/archive/2007 (2007)
Metasm Website. http://metasm.cr0.org/
Ruby Programming Language Website. http://ruby-lang.org/
yEd Graph Editor Homepage. http://www.yworks.com/en/products_yed_about.html
Author information
Authors and Affiliations
Rights and permissions
About this article
Cite this article
Guillot, Y., Gazet, A. Semi-automatic binary protection tampering. J Comput Virol 5, 119–149 (2009). https://doi.org/10.1007/s11416-009-0118-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-009-0118-4