Feb 21, 2012

AIR Wave Deobfuscation Technology: why we provide trace deobfuscation

1. Introduction
     In this post we'll talk about AIR Wave Deobfuscation Technology. We'll try to answer the question we are asked most often: why does Ariadne provide trace deobfuscation only?

2. Software protection against computer piracy
     Obfuscation is often used to protect software against piracy. For example, a software vendor uses obfuscation to hide from a reverser the parts of the code responsible for licensing. Obfuscation also helps bind useful application code to the licensing mechanism. Most software protectors, packers and obfuscators are developed to protect software against unauthorized copying.
     There is another problem in software distribution: protection of know-how. Using obfuscation, a software developer tries to impede analysis and illegal copying of the original techniques implemented in the distributed software.
     To save time and resources, a software vendor usually purchases a software protector, virtualizer or similar product which provides a set of obfuscation and licensing methods. To be in fashion :) most protectors use the code virtualization obfuscation technique.
     In this case we are faced with a legal and useful application of obfuscation.

3. Malware protection from detection and analysis
     But obfuscation can also be used to protect malicious code from detection and analysis. To protect malware from detection, many code mutation techniques are used. Obfuscation techniques are also used to impede analysis of the malicious code by virus analysts.
     Legal protectors are also used to protect malicious code. Of course, AVs keep watermark blacklists. Protector developers are not interested in their products being used to protect malicious code, so they provide information about their watermarks to AV companies. If a protected sample is recognized as malware, then all executables protected by the very same copy of the protector are detected as malware.
     This technique has two major issues. First, to mark an executable protected by a legal protector as malware (if its watermark is not in the blacklist), it is necessary to analyze it using behaviour analysis or manual analysis. Second, sometimes it is necessary to know in detail what the malware does; this is an especially pressing matter for computer forensics. And, by the way, an adversary may erase the watermarks.
     In this case we are faced with a malicious application of obfuscation.

4. We provide an instrument for analysis, not for cracking software protections
     Let's talk about the analysis of obfuscated malware code in detail. In the large majority of cases this code receives particular initial data, and all we want to know is how this data is processed in this particular case. The Ariadne engine provides an effective mechanism for it: AIR Wave Deobfuscation Technology. Ariadne allows you to set all initial values and then deobfuscate the trace of code obtained with these inputs. Moreover, the new Ariadne version, which we'll release soon, provides CFG trace deobfuscation, i.e. conditional jumps are processed too. And, of course, it is possible to deobfuscate many traces with various initial data.
     So, in the large majority of cases it is enough for analysis to deobfuscate a trace (all the more so since Ariadne will provide CFG trace deobfuscation soon).
     But to restore the complete source algorithms with full coverage and functionality, the complete CFG has to be processed during deobfuscation.
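To make the difference between a trace and a CFG concrete, here is an added example on a constructed toy program; it is not Ariadne code and does not show how AIR Wave works internally. A concrete input yields one linear trace, on which junk stores are removed by a backward liveness pass (control flow is already resolved, so jumps vanish and only the condition that selected the path is kept); the static CFG lists every basic block regardless of input, and the block-coverage helper shows how many different inputs a trace-based approach needs before every block has been seen. The instruction set, the program, and all function names are assumptions made for this illustration.

```python
# Added toy example (not Ariadne code): trace vs. CFG view of a small
# obfuscated program. Everything here is constructed for illustration.
from collections import defaultdict

# Constructed toy program: a list of (opcode, *operands). Registers are
# strings, immediates are ints, "in" denotes the concrete input.
# 'jz r, t' jumps to index t if register r == 0. Dead stores to r2 are
# interleaved as a very simple form of junk-code obfuscation.
PROGRAM = [
    ("mov", "r0", "in"),   # 0: load the concrete input
    ("mov", "r2", 0x41),   # 1: junk: r2 is never read
    ("and", "r0", 1),      # 2: r0 = in & 1
    ("jz", "r0", 7),       # 3: even input -> block starting at 7
    ("mov", "r1", 1),      # 4: odd path
    ("mov", "r2", 0x42),   # 5: junk
    ("jmp", 9),            # 6
    ("mov", "r1", 0),      # 7: even path
    ("mov", "r2", 0x43),   # 8: junk
    ("ret", "r1"),         # 9: result is r1
]


def run_trace(program, inp):
    """Execute with one concrete input; return (executed indices, result)."""
    regs = {"r0": 0, "r1": 0, "r2": 0}
    pc, trace = 0, []
    while True:
        ins = program[pc]
        trace.append(pc)
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = inp if ins[2] == "in" else ins[2]
            pc += 1
        elif op == "and":
            regs[ins[1]] &= ins[2]
            pc += 1
        elif op == "jz":
            pc = ins[2] if regs[ins[1]] == 0 else pc + 1
        elif op == "jmp":
            pc = ins[1]
        elif op == "ret":
            return trace, regs[ins[1]]


def simplify_trace(program, trace):
    """Trace deobfuscation step: the path is fixed by the concrete run, so
    jumps disappear and dead stores are found by one backward liveness pass.
    The register read by each taken/not-taken 'jz' is kept live so the
    condition that selected this path survives as evidence."""
    live, kept = set(), []
    for pc in reversed(trace):
        ins = program[pc]
        op = ins[0]
        if op == "jmp":
            continue                      # resolved; nothing to keep
        if op in ("ret", "jz"):
            live.add(ins[1])
            kept.append(pc)
            continue
        dst = ins[1]
        if dst not in live:
            continue                      # dead store: junk instruction
        kept.append(pc)
        if op == "mov":
            live.discard(dst)             # mov fully overwrites dst
            if isinstance(ins[2], str) and ins[2] != "in":
                live.add(ins[2])          # register source (unused here)
        # 'and' reads and writes dst, so dst simply stays live
    return list(reversed(kept))


def build_cfg(program):
    """Static CFG: sorted basic-block leaders and successor edges."""
    leaders = {0}
    for i, ins in enumerate(program):
        if ins[0] == "jz":
            leaders.update({ins[2], i + 1})
        elif ins[0] == "jmp":
            leaders.add(ins[1])
            if i + 1 < len(program):
                leaders.add(i + 1)
    leaders = sorted(leaders)
    edges = defaultdict(set)
    for n, start in enumerate(leaders):
        end = leaders[n + 1] if n + 1 < len(leaders) else len(program)
        last = program[end - 1]
        if last[0] == "jz":
            edges[start].update({last[2], end})
        elif last[0] == "jmp":
            edges[start].add(last[1])
        elif last[0] != "ret":
            edges[start].add(end)         # fall through into next block
    return leaders, edges


def block_coverage(program, inputs):
    """Blocks reached by running every input vs. all blocks in the CFG."""
    leaders, _ = build_cfg(program)
    covered = set()
    for inp in inputs:
        trace, _ = run_trace(program, inp)
        for pc in trace:
            covered.add(max(l for l in leaders if l <= pc))
    return covered, set(leaders)


if __name__ == "__main__":
    for inp in (3, 4):
        trace, result = run_trace(PROGRAM, inp)
        print(f"input {inp}: trace {trace} -> result {result}")
        print(f"  simplified trace: {simplify_trace(PROGRAM, trace)}")
    leaders, edges = build_cfg(PROGRAM)
    print("CFG blocks:", leaders, "edges:", dict(edges))
    print("coverage with one input:", block_coverage(PROGRAM, [3]))
    print("coverage with two inputs:", block_coverage(PROGRAM, [3, 4]))
```

With input 3 the simplified trace keeps only instructions 0, 2, 3, 4 and 9, which is the "how is this data processed in this case" answer the post describes; the even block at index 7 is never seen until a second, even input is traced, whereas the static CFG lists all four blocks at once. That is the gap between trace deobfuscation and complete CFG deobfuscation.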
     By providing deobfuscation of extended traces we help solve forensics tasks, but we don't seriously help crack legal software.
     We understand that there is a subset of tasks where complete CFG deobfuscation is necessary. We are ready to help you solve these problems. Just contact us.

Stay tuned for more!

Best Regards, Ariadne Team.