Trail of Bits Blog
Simplifying MBA obfuscation with CoBRA
MBA (mixed boolean-arithmetic) obfuscation conceals operations by combining arithmetic and bitwise operators, making analysis difficult. CoBRA is an open-source tool designed to simplify these complex MBA expressions: it recovers simplified equivalents from obfuscated code, improving readability. CoBRA addresses the shortcomings of existing tools, which struggle with the interaction of bitwise and arithmetic logic. It uses a worklist-based orchestrator that applies various simplification techniques across multiple pipelines. CoBRA simplifies an expression by classifying it and choosing the appropriate simplification method, such as linear, semilinear, polynomial, or mixed. The tool provides a CLI, a C++ library, and an LLVM pass plugin for easy use and integration. CoBRA verifies its results for accuracy using random inputs or Z3 proofs. It has a high success rate, simplifying nearly all expressions from diverse datasets. Future development includes addressing specific limitations and expanding integration options with other tools.
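As an added illustration (not CoBRA's own code), the following shows what an MBA rewrite looks like and the random-input equivalence check the summary mentions: a textbook MBA form of `x + y` is compared against a correct and an incorrect candidate simplification. The Z3 proof step is stood in for by an exhaustive check at a small bit width; the identity, bit width and candidate names are assumptions made for this example.

```python
import random

# Assumed example values: 32-bit operands, as in typical obfuscated integer code.
WIDTH = 32
MASK = (1 << WIDTH) - 1


def obfuscated(x, y):
    """Textbook MBA rewrite: (x ^ y) + 2*(x & y) computes x + y modulo 2^WIDTH."""
    return ((x ^ y) + 2 * (x & y)) & MASK


def candidate_add(x, y):
    """Correct simplification of the expression above."""
    return (x + y) & MASK


def candidate_or(x, y):
    """Plausible-looking but wrong guess (x | y drops the carry from x & y)."""
    return (x | y) & MASK


def find_counterexample(f, g, trials=10_000, seed=0):
    """Random-input check: return an (x, y) where f and g disagree, or None.

    A None result is evidence, not proof; a proof needs Z3 or an exhaustive check.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        if f(x, y) != g(x, y):
            return (x, y)
    return None


def exhaustive_equal(f, g, width):
    """Check f == g over every input of a small bit width (a proof for that width)."""
    mask = (1 << width) - 1
    return all(
        (f(x, y) & mask) == (g(x, y) & mask)
        for x in range(1 << width)
        for y in range(1 << width)
    )
```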