Skip to main content

SymSem: Symbolic Execution with Time Stamps for Deobfuscation

  • 714 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12020)


Code virtualization technique obfuscates programs by transforming original code to self-defined bytecode in a different instruction architecture. It is widely used in obfuscating malware for its ability to render normal analysis ineffective. Using symbolic execution to assist in deobfuscating such programs turned to be a trend in recent research. However, we found many challenges that may lead to semantic confusion in previous symbolic execution technique, and proposed a novel symbolic execution technique enhanced by time stamps to tackle these issues. For evaluation, we implemented it as a prototype of SymSem and deobfuscated programs protected by popular virtual machines. The results indicate that our method is able to accurately recover the semantics of obfuscated function trace.


  • Deobfuscation
  • Virtualization obfuscation
  • Symbolic execution
  • Trace rewriting

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-42921-8_13
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   79.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-42921-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.


  1. Code virtualizer. Accessed 4 July 2019

  2. Manticore. Accessed 4 July 2019

  3. Themida. Accessed 4 July 2019

  4. Vmprotct. Accessed 4 July 2019

  5. Banescu, S., Collberg, C., Ganesh, V., Newsham, Z., Pretschner, A.: Code obfuscation against symbolic execution attacks. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 189–200. ACM, New York (2016).

  6. Bao, T., Wang, R., Shoshitaishvili, Y., Brumley, D.: Your exploit is mine: automatic shellcode transplant for remote exploits. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 824–839, May 2017.

  7. Bardin, S., David, R., Marion, J.Y.: Backward-bounded DSE: targeting infeasibility questions on obfuscated codes, pp. 633–651, May 2017.

  8. Bauman, E., Lin, Z., Hamlen, K.: Superset disassembly: statically rewriting x86 binaries without heuristics. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, CA, February 2018

    Google Scholar 

  9. Brumley, D., Poosankam, P., Song, D., Zheng, J.: Automatic patch-based exploit generation is possible: techniques and implications. In: 2008 IEEE Symposium on Security and Privacy (SP 2008), pp. 143–157, May 2008.

  10. Coogan, K., Lu, G., Debray, S.K.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: ACM Conference on Computer & Communications Security (2011)

    Google Scholar 

  11. Kalysch, A., Götzfried, J., Müller, T.: VMAttack: deobfuscating virtualization-based packed binaries. In: The 12th International Conference (2017)

    Google Scholar 

  12. Liang, M., Li, Z., Zeng, Q., Fang, Z.: Deobfuscation of virtualization-obfuscated code through symbolic execution and compilation optimization. In: Qing, S., Mitchell, C., Chen, L., Liu, D. (eds.) ICICS 2017. LNCS, vol. 10631, pp. 313–324. Springer, Cham (2018).

    CrossRef  Google Scholar 

  13. Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2005, pp. 190–200. ACM, New York (2005).

  14. Ming, J., Xu, D., Jiang, Y., Wu, D.: BinSim: trace-based semantic binary diffing via system call sliced segment equivalence checking. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 253–270. USENIX Association, Vancouver (2017).

  15. Rolles, R.: Unpacking virtualization obfuscators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies, January 2009

    Google Scholar 

  16. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: IEEE Symposium on Security & Privacy (2009)

    Google Scholar 

  17. Wang, R., et al.: Ramblr: making reassembly great again. In: Proceedings of the Network and Distributed System Security Symposium (2017)

    Google Scholar 

  18. Xu, D., Ming, J., Fu, Y., Wu, D.: VMHunt: a verifiable approach to partially-virtualized binary code simplification. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 442–458. ACM, New York (2018).

  19. Yadegari, B., Debray, S.: Symbolic execution of obfuscated code. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 732–744. ACM, New York (2015).

Download references


This work was supported by the General Program of National Natural Science Foundation of China (GrantNo. 61872237).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Huayi Li .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Li, H., Zhan, Y., Jianqiang, W., Gu, D. (2020). SymSem: Symbolic Execution with Time Stamps for Deobfuscation. In: Liu, Z., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2019. Lecture Notes in Computer Science(), vol 12020. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42920-1

  • Online ISBN: 978-3-030-42921-8

  • eBook Packages: Computer ScienceComputer Science (R0)