Pushan: Trace-Free Deobfuscation of Virtualization-Obfuscated Binaries

TL;DR

PUSHAN introduces a trace-free, scalable deobfuscation technique for virtualization-obfuscated binaries that produces complete control flow graphs and high-quality C pseudocode, enhancing malware analysis and reverse engineering.

Contribution

It is the first approach to deobfuscate virtualization-protected binaries without relying on execution traces or path constraints, enabling scalable and human-readable analysis.

Findings

Successfully deobfuscated over 1,000 binaries including VMProtect and Themida

Generated complete CFGs and high-quality C pseudocode for protected binaries

Enabled analysis of previously unanalyzed VMProtect malware sample

Abstract

In the ever-evolving battle against malware, binary obfuscation techniques are a formidable barrier to effective analysis by both human security analysts and automated systems. In particular, virtualization or VM-based obfuscation is one of the strongest protection mechanisms that evade automated analysis. Despite widespread use of virtualization, existing automated deobfuscation techniques suffer from three major drawbacks. First, they only work on execution traces, which prevents them from recovering all logic in an obfuscated binary. Second, they depend on dynamic symbolic execution, which is expensive and does not scale in practice. Third, they cannot generate "well-formed" code, which prevents existing binary decompilers from generating human-friendly output. This paper introduces PUSHAN, a novel and generic technique for deobfuscating virtualization-obfuscated binaries while overcoming the limitations of existing techniques. PUSHAN is trace-free and avoids path-constraint accumulation by using VPC-sensitive, constraint-free symbolic emulation to recover a complete CFG of the virtualized function. It is the first approach that also decompiles the protected code into high-quality C pseudocode to enable effective analysis. Crucially, PUSHAN circumvents reliance on path satisfiability, a known NP-hard problem that hampers scalability. We evaluate PUSHAN on more than 1,000 binaries, including targets protected by academic state of the art (Tigress) and commercial-strength obfuscators VMProtect and Themida. PUSHAN successfully deobfuscates these binaries, retrieves their complete CFGs, and decompiles them to C pseudocode. We further demonstrate applicability by analyzing a previously unanalyzed VMProtect-obfuscated malware sample from VirusTotal, where our decompiled output enables LLM-assisted code simplification, reuse, and program understanding.