Abstract: The Mixed Boolean-Arithmetic (MBA) expression has been widely used by attackers as an effective obfuscation scheme to hide malicious code and conceal sensitive data. For deobfuscating MBAs, approaches based on signature vectors offer excellent performance but struggle with MBA expressions involving nonzero constants or bit manipulators such as Extract or Shift. We refer to such expressions as heterogeneous MBAs. In this paper, we focus on heterogeneous MBA deobfuscation. We found that any linear heterogeneous MBA expression can be partitioned into a disjoint set of homogeneous fragments, each of which can be simplified separately. Based on this observation, we propose X-MBA, the neXt generation MBA deobfuscator. Our methodology has undergone several experiments, demonstrating that X-MBA outperforms state-of-the-art deobfuscators on different types of heterogeneous MBAs with only negligible compromises.
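As an added illustration (not the paper's code and not X-MBA's algorithm), the Python below shows the signature-vector idea the abstract refers to: a linear MBA over two 32-bit variables is evaluated on every 0/1 assignment of its inputs, the resulting vector is solved against a basis of bitwise functions, and the expression is rewritten as that linear combination. It then shows why a Shift term breaks the plain method (the 0/1 signature cannot observe `x >> 3`, so the term is silently dropped) and how simplifying only the homogeneous fragment and carrying the Shift fragment through unchanged keeps the result correct. The sample expressions, the basis `{-1, x, y, x&y}`, the bit width and all helper names are assumptions of this example; the partition into fragments is supplied by hand, since the abstract does not describe X-MBA's partitioning procedure.

```python
"""Signature-vector simplification of linear MBA fragments (added illustration)."""
import itertools
import random
from fractions import Fraction

WIDTH = 32                      # assumed machine word size
MASK = (1 << WIDTH) - 1


def signed(v):
    """Interpret a WIDTH-bit value as two's complement so that ~0 reads as -1."""
    v &= MASK
    return v - (1 << WIDTH) if v >> (WIDTH - 1) else v


# Basis of bitwise functions over (x, y). Every two-variable linear MBA is an
# integer linear combination of these four (a standard choice, assumed here).
BASIS = {
    "-1": lambda x, y: -1,
    "x": lambda x, y: x,
    "y": lambda x, y: y,
    "x&y": lambda x, y: x & y,
}
INPUTS = list(itertools.product((0, 1), repeat=2))   # (0,0),(0,1),(1,0),(1,1)


def signature(f):
    """Signature vector: f evaluated on every 0/1 assignment of (x, y)."""
    return [signed(f(x, y)) for x, y in INPUTS]


def solve_coefficients(sig):
    """Find integers a_i with sum_i a_i * signature(basis_i) == sig
    by Gaussian elimination over exact rationals (the result is integral)."""
    names = list(BASIS)
    cols = [signature(BASIS[n]) for n in names]
    # One augmented row per input assignment: [basis values | target].
    m = [[Fraction(cols[j][i]) for j in range(4)] + [Fraction(sig[i])]
         for i in range(4)]
    for c in range(4):
        p = next(r for r in range(c, 4) if m[r][c] != 0)
        m[c], m[p] = m[p], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(4):
            if r != c and m[r][c] != 0:
                m[r] = [a - m[r][c] * b for a, b in zip(m[r], m[c])]
    return {names[i]: int(m[i][4]) for i in range(4)}


def render(coeffs):
    """Print the linear combination; a*(-1) is shown as the constant -a."""
    parts = []
    for name, a in coeffs.items():
        if a == 0:
            continue
        if name == "-1":
            parts.append(str(-a))
        elif a == 1:
            parts.append(name)
        else:
            parts.append(f"{a}*({name})")
    return " + ".join(parts) if parts else "0"


def simplify_linear(f):
    """Sound only for homogeneous linear MBAs: for a linear combination of
    bitwise functions, equal signature vectors imply equal expressions."""
    return render(solve_coefficients(signature(f)))


def equivalent_on_samples(f, g, trials=2000, seed=1):
    """Cheap random check (not a proof) that f and g agree modulo 2**WIDTH."""
    rng = random.Random(seed)
    return all((f(x, y) - g(x, y)) & MASK == 0
               for x, y in ((rng.getrandbits(WIDTH), rng.getrandbits(WIDTH))
                            for _ in range(trials)))


# Constructed heterogeneous MBA: a homogeneous linear fragment plus a Shift.
def hetero(x, y):
    return ((x ^ y) + 2 * (x & y) + (x >> 3)) & MASK


def naive_signature_result():
    """Treating the whole expression as linear drops `x >> 3`, which is 0 on
    every 0/1 input, so the answer is wrong on real word-sized inputs."""
    return simplify_linear(hetero)            # -> "x + y"


def partitioned_result():
    """Hand-supplied partition (assumption): simplify only the homogeneous
    fragment, keep the Shift fragment verbatim."""
    linear_part = lambda x, y: (x ^ y) + 2 * (x & y)
    return f"({simplify_linear(linear_part)}) + (x >> 3)"


if __name__ == "__main__":
    print(simplify_linear(lambda x, y: (x | y) - (x & y)))   # x ^ y, rewritten
    print(naive_signature_result(), "(wrong)")
    print(partitioned_result(), "(correct)")
```

The random check is only a sanity test for the reader; the soundness argument for the homogeneous fragment rests on the signature vector being a complete invariant for linear combinations of bitwise functions, which is exactly the property that Shift and Extract terms break.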
External IDs: dblp:conf/milcom/LiYFLMJH24