Abstract:

The high-level code obfuscation of ARM program has the problem of blindness, which not only reduces the obfuscation accuracy but also is resilient by reversing easily. To deal the problem, the low-level code obfuscation of ARM program is studied, which combines the features of ARM architecture instruction system and proposes the ARM assembly code obfuscation algorithm based on mode switch including instruction mode switch obfuscation, register obfuscation and junk instruction obfuscation. The control flow of obfuscated assembly code is more complex. The random register obfuscation for switch address improves the difficulty of dynamic trace debugging. Besides, the mode switch and junk instruction obfuscations can incur the error of disassembly. At last, the test and evaluation are performed from the aspects of complex potency, reverse resilience and performance cost. Test shows the proposed algorithm in the paper not only can improve the strength of cyclomatic complexity significantly, but also can combat the reverse analysis of disassembly tool effectively. In addition, the additional costs of size and time consume introduced by proposed algorithm are low, which is practical in term of performance.

Key words: control flow, assembly, code obfuscation, mode switch, reverse engineering

摘要：

针对ARM程序高层代码混淆存在盲目性较强而降低混淆准确度，且很容易被逆向还原的问题。从ARM汇编指令底层研究ARM程序混淆，通过结合ARM架构指令系统的特点，基于模式切换提出一种ARM汇编代码混淆算法，包括指令模式切换混淆、寄存器随机分配混淆和虚假指令混淆，使混淆后汇编代码的控制流变得更加复杂，且对切换地址的寄存器混淆也提高了动态调试跟踪的难度。模式切换及虚假指令混淆也会造成反汇编错误，从复杂强度、逆向弹性和性能开销三方面进行测试评估。测试结果表明，该混淆算法不仅有效地提高了程序的控制流循环复杂度，而且能够抵抗反汇编工具的逆向分析。该混淆算法引发的额外体积开销和时间开销较低，具有实用性。

关键词: 控制流, 汇编, 代码混淆, 模式切换, 逆向工程