After last year’s talk by Christopher Domas titled “The M/o/Vfuscator”, we spent a great amount of time to analyze the inner workings of the famous one-instruction-compiler. We are happy to announce and release the (to our knowledge) first demovfuscator this year at recon0xA.
This talk presents a generic way of recovering the control flow of the original program from movfuscated binaries. As our approach makes zero assumptions about register allocations or a particular instruction order, but rather adheres to the high-level invariants that each movfuscated binary needs to conform to. Consequently, our demovfuscator is also not affected by the proposed hardening techniques such as register renaming and instruction reordering. To achieve this, we use a combination of static taint analysis on the movfuscated code and a satisfiable modulo theory (SMT) solver. We successfully used our demovfuscator against several movfuscated binaries that emerged during several CTFs during the last months (Hackover CTF, 0CTF and GoogleCTF) proving that it already can handle real-world binaries different from the synthetic samples created by us.
Our demovfuscator is under active development and we are working towards our next, ambitious goal: Generically getting rid of the instruction substitution and generating a much more compact and readable result. We will share our insights on this topic as well.