Devmp: A Virtual Instruction Extraction Method for Commercial Code Virtualization Obfuscators
In code virtualization deobfuscation, extracting virtual instructions is a crucial first step for reverse-engineering programs protected by virtual machine obfuscation. This process is essential for uncovering concealed malicious code, yet existing methods face significant limitations, such as the inability to resolve virtual branch jumps and to support multiple versions of a given obfuscator, which severely hinders their effectiveness. To address these challenges, we introduce a novel method for virtual instruction extraction based on dynamic binary instrumentation and symbolic execution. We implement this method in Devmp, a prototype system designed to extract virtual instructions and facilitate virtualization deobfuscation. Devmp dynamically generates instruction traces through binary instrumentation and performs offline analysis to partition handler sets based on virtual machine structures and jump rules. It then employs symbolic execution to derive state expressions for semantic analysis of the handlers and extracts virtual instructions with complete semantics. We evaluate Devmp on eight test programs protected by two versions of VMProtect. Experimental results demonstrate that Devmp outperforms state-of-the-art tools such as VMP Analysis Plugin and NoVmpy, achieving a 28.49% increase in virtual instruction recognition rate through optimized virtual branch processing and accurately analyzing all extracted virtual instructions through enhanced cross-version applicability. These results indicate that Devmp not only improves the accuracy and completeness of virtual instruction extraction but also provides a robust and versatile solution for analyzing programs obfuscated by commercial code virtualization obfuscators.
Sat 21 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
14:00 - 15:30 | Session 5: Software Vulnerability and Security II | New Idea Track / Research Track at Cosmos 3A | Chair(s): Chuanyi Li (Nanjing University)

| Time | Length | Type | Title | Track | Authors |
|---|---|---|---|---|---|
| 14:00 | 15m | Talk | Devmp: A Virtual Instruction Extraction Method for Commercial Code Virtualization Obfuscators | Research Track | Shenqianqian Zhang (Key Laboratory of Cyberspace Security, Ministry of Education), Weiyu Dong (Information Engineering University), Jian Lin (Information Engineering University) |
| 14:15 | 15m | Talk | Line-level Semantic Structure Learning for Code Vulnerability Detection | Research Track | Ziliang Wang (Peking University), Ge Li (Peking University), Jia Li (Tsinghua University), Yihong Dong (Peking University), Yingfei Xiong (Peking University), Zhi Jin (Peking University) |
| 14:30 | 15m | Talk | SLVHound: Static Detection of Session Lingering Vulnerabilities in Modern Java Web Applications | Research Track | Haining Meng (SKLP, Institute of Computing Technology, CAS, China; University of Chinese Academy of Sciences, China), Jie Lu (SKLP, Institute of Computing Technology, CAS, China; University of Chinese Academy of Sciences, China), Yongheng Huang (Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences), Lian Li (Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences) |
| 14:45 | 15m | Talk | Def-VAE: Identifying Adversarial Inputs with Robust Latent Representations | Research Track | Chengye Li (Institute of Software, Chinese Academy of Sciences), Changshun Wu (Université Grenoble Alpes), Rongjie Yan (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences) |
| 15:00 | 15m | Talk | Fuzzing for Stateful Protocol Programs Based on Constraints between States and Message Types | Research Track | Kunpeng Jian (Institute of Information Engineering, Chinese Academy of Sciences), Yanyan Zou (Institute of Information Engineering, Chinese Academy of Sciences), Menghao Li (Institute of Information Engineering, Chinese Academy of Sciences), Wei Huo (Institute of Information Engineering at Chinese Academy of Sciences) |
| 15:15 | 10m | Talk | PriceSleuth: Detecting DeFi Price Manipulation Attacks in Smart Contracts Using LLM and Static Analysis (pre-print available) | New Idea Track | Hao Wu (Xi'an JiaoTong University), Haijun Wang (Xi'an Jiaotong University), Shangwang Li (Xi'an Jiaotong University), Yin Wu (Xi'an Jiaotong University), Ming Fan (Xi'an Jiaotong University), Yitao Zhao (Yunnan Power Grid Co., Ltd), Ting Liu (Xi'an Jiaotong University) |
Cosmos 3A is the first room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.