Title: Static Analysis of the Disassembly against Malicious Code Obfuscated with Conditional Jumps
Authors: Chao Dai, J. Pang, Rongcai Zhao, Xiaojun Ma
DOI: 10.1109/ICIS.2008.18 (https://doi.org/10.1109/ICIS.2008.18)
Venue: Seventh IEEE/ACIS International Conference on Computer and Information Science (ICIS 2008)
Publication date: 2008-05-14
Open access: no
Source: Semantic Scholar
Citations: 4
Abstract
With the spread of information technology and networking, malicious code has become a major threat to computer security. To avoid being analyzed statically, malicious code resorts to various obfuscation techniques to hide itself. Conditional-jump obfuscation is one such technique. In this paper, we introduce four forms of conditional-jump obfuscation that can confuse both of the two commonly used disassembly algorithms. Their basic idea is that two elaborately constructed conditional jump instructions are semantically equivalent to one unconditional jump. We propose a modified algorithm to defeat the obfuscation and implement it in our reverse-analysis tool Radux (Reverse Analysis for Detecting Unsafe eXecutables). Finally, we compare the disassembly output of Radux with that of objdump and IDA Pro. The tests show that our implementation is effective.