摘要： 由于虚拟机采用虚拟化技术和代码混淆技术,采用传统的逆向分析方法还原被虚拟机保护的算法时存在 较大困难。为此,提出一种基于动态数据流分析的虚拟机保护破解方法。以动态二进制插桩平台Pin 作为支撑,跟 踪记录被虚拟机保护的算法在动态执行过程中的数据流信息,对记录的数据流信息进行整理分析,获取虚拟机指 令的解释执行轨迹,还原程序的控制流图,根据轨迹信息对数据生成过程进行分层次、分阶段还原,并由分析人员 结合控制流图和数据生成过程进行算法重构。实验结果证明,该方法能够正确还原程序的控制流和数据生成过 程,辅助分析人员完成被保护算法的重构。

关键词: 数据流分析, 虚拟机保护, 控制流还原, 算法还原

Abstract: Traditional reverse analysis methods are not very effective in the analysis of the algorithms protected by virtual machine because of virtualization technology and code obfuscation technology. Aiming at this problem,this paper presents a virtual machine protection reverse engineering technique based on dataflow analysis. It uses Pin platform to record the data flow information during the execution of the protected algorithms dynamically, analyses the record information,restores the track of the virtual machine instructions and the control flow graph of the protected algorithms, gets data generation process hierarchically by using the track information. Then the analyzer uses those information to reconstruct the protected algorithms. Experimental results show that the proposed method can correctly restore the program control flow and data generation process,and assist the analyzer to reconstruct the protected algorithms.

Key words: dataflow analysis, virtual machine protection, control flow reduction, algorithm reduction

中图分类号: 

• TP309