[Soot-list] Partial Evaluator based on Soot

Saswat Anand saswat78 at gmail.com
Thu Jun 13 19:51:11 EDT 2013


Hi,

I wish to analyze obfuscated (Android) programs using Soot. So I am
wondering if anybody has tried to de-obfuscate programs statically.
Specifically, what I have in mind is to partially evaluate parts of
the code and replace those parts with simpler code. The idea is
similar to what TamiFlex could do using dynamic analysis.

For example, to prevent analysis, the following code not only uses
reflection to call a method, but the strings representing the method
and class names are obfuscated. In this example, it is possible to
replace the entire code with one invocation stmt.

Does anybody have any code that can either already do this or serve as a
starting point?

Thanks,
Saswat


        $b142 = 0;
        $b143 = -3;
        $s144 = 285;
        $r238 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b142, $b143, $s144);
        $r239 = $r238;
        $r240 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>($r239);
        $r241 = $r240;
        $b145 = -34;
        $b146 = -1;
        $s147 = 188;
        $r242 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b145, $b146, $s147);
        $r243 = $r242;
        $n10 = null;
        $r244 = virtualinvoke $r241.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>($r243, $n10);
        $r245 = $r244;
        $n11 = null;
        virtualinvoke $r245.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>($r2, $n11);
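
Added example, not part of the original post and not Soot code: a small Python model of the partial evaluation the message describes, run over the Jimple above. The decoder's body is not in the post, so the `DECODED` table, the names `com.example.Target` and `run`, and the function name `fold_reflective_call` are assumptions made for illustration.

```python
import re
# Jimple from the post above, mail-wrapped lines rejoined (several statements per line).
JIMPLE = """
$b142 = 0; $b143 = -3; $s144 = 285;
$r238 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b142, $b143, $s144);
$r239 = $r238;
$r240 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>($r239);
$r241 = $r240; $b145 = -34; $b146 = -1; $s147 = 188;
$r242 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b145, $b146, $s147);
$r243 = $r242; $n10 = null;
$r244 = virtualinvoke $r241.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>($r243, $n10);
$r245 = $r244; $n11 = null;
virtualinvoke $r245.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>($r2, $n11);
"""
# Constructed stand-in for what oCIlCll returns (its body is not in the post, and the
# decoded names below are made up); a real tool would interpret the decoder itself.
DECODED = {(0, -3, 285): "com.example.Target", (-34, -1, 188): "run"}
CALL = re.compile(r"(?:(\$\w+) = )?\w+invoke (?:(\$\w+)\.)?<([^:]+): \S+ (\w+)\([^)]*\)>\((.*)\)")
ASSIGN = re.compile(r"(\$\w+) = (\$\w+|null|-?\d+)")
UNK = ("?",)  # value not known at analysis time

def fold_reflective_call(jimple, decoder=DECODED.get):
    """Return one direct invoke statement, or None if any step is not static."""
    env = {}  # local -> ("int", n) | ("null",) | ("str", s) | ("class", c) | ("method", c, m)
    for stmt in filter(None, map(str.strip, jimple.split(";"))):
        call, val = CALL.fullmatch(stmt), UNK
        if call is None:
            m = ASSIGN.fullmatch(stmt)
            if m is None:
                return None  # statement form this sketch does not model
            dst, rhs = m.groups()
            val = env.get(rhs, UNK) if rhs[0] == "$" else ("null",) if rhs == "null" else ("int", int(rhs))
        else:
            dst, base, cls, name, args = call.groups()
            recv, vals = env.get(base, UNK), [env.get(a.strip(), UNK) for a in args.split(",")]
            sig, kinds = f"{cls}.{name}", [v[0] for v in vals]
            if sig == "com.android.system.admin.ICICcOCo.oCIlCll" and set(kinds) == {"int"}:
                text = decoder(tuple(v[1] for v in vals))
                val = ("str", text) if text else UNK
            elif sig == "java.lang.Class.forName" and kinds == ["str"]:
                val = ("class", vals[0][1])
            elif sig == "java.lang.Class.getMethod" and recv[0] == "class" and kinds == ["str", "null"]:
                val = ("method", recv[1], vals[0][1])
            elif sig == "java.lang.reflect.Method.invoke" and recv[0] == "method" and kinds[1:] == ["null"]:
                # Assumes an instance method; "?" stands for the return type (needs the class).
                return f"virtualinvoke {args.split(',')[0].strip()}.<{recv[1]}: ? {recv[2]}()>();"
        if dst:
            env[dst] = val
    return None
```

The fold is all-or-nothing: if any decoder argument, class name or method name is not a compile-time constant, the function returns None and the original statements should be left untouched.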

