Deobfuscation of Semi-Linear Mixed Boolean-Arithmetic Expressions
Colton Skees

TL;DR
This paper introduces an extension to existing linear MBA simplification methods, enabling efficient deobfuscation of more complex expressions involving constants, surpassing current tools in handling such cases.
Contribution
An extended SiMBA method that simplifies a broader class of mixed Boolean-arithmetic expressions involving constants inside bitwise operations.
Findings
Outperforms peer tools in simplifying complex MBAs.
Handles expressions with constants inside bitwise operands.
Achieves efficient deobfuscation of previously challenging expressions.
Abstract
Mixed Boolean-Arithmetic (MBA) obfuscation is a common technique used to transform simple expressions into semantically equivalent but more complex combinations of boolean and arithmetic operators. Its widespread usage in DRM systems, malware, and software protectors is well documented. In 2021, Liu et al. proposed a groundbreaking method of simplifying linear MBAs, utilizing a hidden two-way transformation between 1-bit and n-bit variables. In 2022, Reichenwallner et al. proposed a similar but more effective method of simplifying linear MBAs, SiMBA, relying on a similar but more involved theorem. However, because current linear MBA simplifiers operate in 1-bit space, they cannot handle expressions which utilize constants inside of their bitwise operands, e.g. (x&1), (x&1111) + (y&1111). We propose an extension to SiMBA that enables simplification of this broader class of expressions.…
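An added Python example (not code from the paper or from SiMBA) of the limitation the abstract describes: probing only inputs drawn from {0, 1} decides linear MBA identities correctly, but wrongly accepts `x&1 == x` once a constant sits inside a bitwise operand. Repeating the probe at every bit position is one sound check for that class and is not claimed to be the paper's algorithm. The 8-bit width and all function names are assumptions.

```python
from itertools import product

N = 8                      # bit width: an assumption, small enough to brute-force
MASK = (1 << N) - 1

def is_zero_on(expr, inputs):
    """True if expr evaluates to 0 modulo 2**N on every input tuple."""
    return all(expr(*v) & MASK == 0 for v in inputs)

def probe_one_bit(expr, nvars):
    """1-bit-space check: only inputs whose variables are 0 or 1."""
    return is_zero_on(expr, product((0, 1), repeat=nvars))

def probe_each_bit(expr, nvars):
    """Repeat the probe at every bit position j: variables are 0 or 2**j."""
    return all(is_zero_on(expr, product((0, 1 << j), repeat=nvars))
               for j in range(N))

def brute_force(expr, nvars):
    """Ground truth: every N-bit input."""
    return is_zero_on(expr, product(range(1 << N), repeat=nvars))

# Each function is "lhs - rhs"; it is an identity iff it is always zero.
def linear_identity(x, y):        # x^y + 2*(x&y) == x + y
    return (x ^ y) + 2 * (x & y) - (x + y)

def linear_wrong(x, y):           # x|y == x + y is false
    return (x | y) - (x + y)

def semilinear_wrong(x):          # x&1 == x is false for x >= 2
    return (x & 1) - x

def semilinear_identity(x):       # x^0x55 + 2*(x&0x55) == x + 0x55
    return (x ^ 0x55) + 2 * (x & 0x55) - (x + 0x55)

if __name__ == "__main__":
    for f, n in [(linear_identity, 2), (linear_wrong, 2),
                 (semilinear_wrong, 1), (semilinear_identity, 1)]:
        print(f"{f.__name__:20} one-bit={probe_one_bit(f, n)!s:5} "
              f"each-bit={probe_each_bit(f, n)!s:5} truth={brute_force(f, n)}")
```

Only `semilinear_wrong` makes the one-bit probe disagree with the brute-force result; the per-bit-position probe matches it in all four cases.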
Taxonomy
Topics: Neural Networks and Applications
