[Soot-list] Partial Evaluator based on Soot

Marc-André Laverdière-Papineau marc-andre.laverdiere-papineau at polymtl.ca
Fri Jun 14 16:38:28 EDT 2013 

Hello,

I have never heard of a de-obfuscator using Soot. I think you can get
some starting point using string propagation and, for harder string
operations, string analysis.

I have heard that JSA is implemented over soot, but never used it...
maybe that will help?
http://www.brics.dk/JSA/

Regards,

Marc-André Laverdière-Papineau
Doctorant - PhD Candidate

On 13/06/13 07:51 PM, Saswat Anand wrote:
> Hi,
> 
> I wish to analyze obfuscated (android) programs using soot. So I am
> wondering if anybody tried to de-obfuscate programs statically.
> Specifically, what I have in mind is to partially evaluate parts of
> the code and replace those parts with simpler code. The idea is
> similar to what TamiFlex could using dynamic analysis.
> 
> For example, to prevent analysis, the following code not only uses
> reflection to call a method, but the strings representing the method
> and class names are obfuscated. In this example, it is possible to
> replace the entire code with one invocation stmt.
> 
> Did anybody has any code that can either already do this or serve as a
> starting point?
> 
> Thanks,
> Saswat
> 
> 
>         $b142 = 0;
>         $b143 = -3;
>         $s144 = 285;
>         $r238 = staticinvoke <com.android.system.admin.ICICcOCo:
> java.lang.String oCIlCll(int,int,int)>($b142, $b143, $s144);
>         $r239 = $r238;
>         $r240 = staticinvoke <java.lang.Class: java.lang.Class
> forName(java.lang.String)>($r239);
>         $r241 = $r240;
>         $b145 = -34;
>         $b146 = -1;
>         $s147 = 188;
>         $r242 = staticinvoke <com.android.system.admin.ICICcOCo:
> java.lang.String oCIlCll(int,int,int)>($b145, $b146, $s147);
>         $r243 = $r242;
>         $n10 = null;
>         $r244 = virtualinvoke $r241.<java.lang.Class:
> java.lang.reflect.Method
> getMethod(java.lang.String,java.lang.Class[])>($r243, $n10);
> $r245 = $r244;
>         $n11 = null;
>         virtualinvoke $r245.<java.lang.reflect.Method:
> java.lang.Object invoke(java.lang.Object,java.lang.Object[])>($r2,
> $n11);
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>

More information about the Soot-list mailing list