{"id":4143,"date":"2023-04-15T09:07:00","date_gmt":"2023-04-15T17:07:00","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4143"},"modified":"2023-05-01T08:01:12","modified_gmt":"2023-05-01T16:01:12","slug":"control-flow-unflattening-in-the-wild","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/control-flow-unflattening-in-the-wild\/","title":{"rendered":"Control-flow unflattening in the wild"},"content":{"rendered":"\n

Both JEB decompiler engines 1<\/a><\/sup> ship with code optimizers capable of rebuilding methods whose control-flow was transformed by flattening obfuscators.<\/p>\n\n\n

\n
\"\"<\/a>
Image \u00a9 Tigress<\/a> (University of Arizona)<\/figcaption><\/figure>\n<\/div>\n\n\n

Control-flow flattening, sometimes referred to as chenxification<\/em>2<\/a><\/sup>, is an obfuscation technique employed to destructure a routine control-flow. While a compiled routine is typically composed of a number of basic blocks having low ingress and egress counts, a flattened routine may exhibit an outlier node having high input and high output edge counts, and generally, a very high centrality in the graph (in terms of vertex betweenness). Practically speaking, the original method M is reduced to a many-way conditional block H evaluating an expression VPC, dispatching the flow of execution to units of code, each one performing a part of M, updating VPC, and looping back to H. In effect, the original structured code is reduced to a large switch-like block, whose execution is guided by a synthetic variable VPC. Therefore, the original flow of control, critical to infer meaning while performing manual reverse-engineering, is lost. 3<\/a><\/sup><\/p>\n\n\n\n

We upgraded dexdec<\/em>‘s control flow unflattener earlier this year. 4<\/a><\/sup> The v2 of the unflattener is more generic than our original implementation. It is able to cover cases in which the obfuscated does not map to the clean model presented above, e.g. cases where the dispatcher stands out.<\/p>\n\n\n\n

This week, we encountered an instance of code that was auto-deobfuscated to clean code and thought it’d be a good example to show how useful generic deobfuscation of such code can be. It seems that the obfuscator that was used to protect the original code was BlackObfuscator<\/a>, a project used by clean apps and malware alike.<\/p>\n\n\n\n

Hash: 92ae23580c83642ad0e50f19979b9d2122f28d8b3a9d4b17539ce125ae8d93eb<\/a><\/p>\n\n\n\n

\"\"<\/a>
Before deobfuscation.<\/figcaption><\/figure>\n\n\n\n

After deobfuscation, the code looks like:<\/p>\n\n\n\n

\"\"<\/a>
After deobfuscation.<\/figcaption><\/figure>\n\n\n\n

If you encounter examples where the unflattener does not perform adequately, please let us know. We’ll see if they can be fixed or upgraded to cover obfuscation corner-cases.<\/p>\n\n\n\n

Thank you & until next time — Nicolas.<\/p>\n\n\n\n

—<\/p>\n\n\n\n

<\/p>\n\n\n

<\/div>
  1. dexdec<\/em> is JEB’ dex\/dalvik decompiler, gendec<\/em> is JEB’s generic decompiler used for native code and any code other than dex\/dalvik ↩<\/a><\/span><\/li>
  2. A term coined by University of Arizona’s Pr. Christian Collberg for the fact that an early description of this technique was presented by Dr. Chenxi Wang in her PhD thesis ↩<\/a><\/span><\/li>
  3. Control-flow flattening can be seen as a particular case of code virtualization, which was covered in previous blog entries. ↩<\/a><\/span><\/li>
  4. JEB 4.25 released on Jan 17 2023<\/a> ↩<\/a><\/span><\/li><\/ol><\/div>","protected":false},"excerpt":{"rendered":"

    Both JEB decompiler engines 1 ship with code optimizers capable of rebuilding methods whose control-flow was transformed by flattening obfuscators. Control-flow flattening, sometimes referred to as chenxification2, is an obfuscation technique employed to destructure a routine control-flow. While a compiled routine is typically composed of a number of basic blocks having low ingress and egress … Continue reading Control-flow unflattening in the wild<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,22,2,5],"tags":[],"class_list":["post-4143","post","type-post","status-publish","format-standard","hentry","category-decompilation","category-jeb4","category-malware","category-obfuscation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=4143"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4143\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=4143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=4143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=4143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}