Awesome
QSynth Synthesis Artefacts
Datasets
These artifacts provide the following four datasets:
- syntia: 500 functions obfuscated with EncodeArithmetic and EncodeData
- custom_EA: 500 functions obfuscated with EncodeArithmetic
- custom_VR_EA: 500 functions obfuscated with Virtualize and EncodeArithmetic
- custom_EA_ED: 500 functions obfuscated with EncodeArithmetic and Virtualize (the database trace is truncated to 293 functions)
A benchmark
Each dataset directory contains the following files:
-
original.c: source file containing all the functions
-
obfuscated.c: obfuscated source file as generated by Tigress
-
run_tigress.sh: Shell script to regenerating the obfuscated.c file
-
ground_truth.json: a JSON file containing the ground truth. For each function it contains the original expression (in original.c) and its obfuscated counter-part in (obfuscated.c)
-
obfuscated: pre-compiled binary as x86_64 (no PIE)
-
trace.db: the execution trace as a SQLite database (likely the most interesting file)
-
results:
- qsynth.log: the raw output of the synthesis script
- qsynth.json: QSynth processable output (very likely the second most interesting file)
Result
The qsynth.json contains for each function the the following entries such as:
{
"target_1": {
"fun_name": "target_1",
"start": 164,
"stop": 238,
"orig_ast": "~(b*d ^ d*d) - b",
"orig_node": 10,
"orig_depth": 5,
"obfu_ast": "(((b & d)*(b | d) + (b & ~d)*(~b & d) & (d & d)*(d | d) + (d & ~d)*(~d & d)) - ((b & d)*(b | d) + (b & ~d)*(~b & d) | (d & d)*(d | d) + (d & ~d)*(~d & d)) - 1 ^ b) - ((~(((b & d)*(b | d) + (b & ~d)*(~b & d) & (d & d)*(d | d) + (d & ~d)*(~d & d)) - ((b & d)*(b | d) + (b & ~d)*(~b & d) | (d & d)*(d | d) + (d & ~d)*(~d & d)) - 1) & b) + (~(((b & d)*(b | d) + (b & ~d)*(~b & d) & (d & d)*(d | d) + (d & ~d)*(~d & d)) - ((b & d)*(b | d) + (b & ~d)*(~b & d) | (d & d)*(d | d) + (d & ~d)*(~d & d)) - 1) & b))",
"obfu_node": 229,
"obfu_depth": 12,
"triton_ast": "(((b & d)*(b | d) + (~b & d)*(~d & b) & d*d) - (d*d | (b & d)*(b | d) + (~b & d)*(~d & b)) - 1 ^ b) - (((d*d ^ (b & d)*(b | d) + (~b & d)*(~d & b)) & b) + ((d*d ^ (b & d)*(b | d) + (~b & d)*(~d & b)) & b))",
"triton_node": 95,
"triton_depth": 10,
"synthesized_ast": "~((d*d ^ d*b) + b)",
"synth_node": 10,
"synth_depth": 5,
"dse_t": 0.10445356369018555,
"synthesis_t": 0.03491616249084473,
"sem_orig_obf": "UNK",
"sem_obf_trit": "UNK",
"sem_orig_synth": "OK",
"is_simplified": true,
"is_fully_synthesized": true
}
}
Start and stop are the offsets in the execution trace (thus id in the DB). Then for each
expression the expression itself and its node size and depth. Then dse_t
, synthesis_t
gives
respectively the symbolic execution time and the synthesis time. is_simplified
and is_fully_synthesized
indicates if the function was simplified and if so if it was fully. sem_orig_obf
, sem_obf_trit
and sem_orig_synth
indicates if the semantic is preserved between for instance original and synthesized
(sem_orig_synth
). "UNK" indicates that it has not been checked or that it yielded a timeout.
Synthesis oracle tables
The tables used for the benchmarks are available here: https://ret2libc.com/static/various/lts_15/ They are Python pickle objects. Expressions are encoded with a similar Reverse-Polish-Notation (RPN) than Syntia.