LLVM-Powered Devirtualization

This work delves into the deobfuscation of virtualized binaries, a technique often used in malware to hide malicious intent. Several obfuscation strategies exist, among them virtualization, which obfuscators such as Tigress, Themida and VMProtect offer. Devirtualization can be done through manual analysis or automated using dynamic taint analysis and symbolic execution. The authors present a devirtualization approach based on dynamic taint analysis: the execution trace is split at tainted conditional instructions to reconstruct the original program's Control Flow Graph (CFG). LLVM is then used to apply compiler optimizations, yielding impressive results in deobfuscating binaries obfuscated with Tigress in record time. Limitations include difficulty with loops and the fact that only a single execution path is deobfuscated.

https://blog.thalium.re/posts/llvm-powered-devirtualization/
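The trace-splitting step described above, as an added illustration that is not code from the blog post or its authors: a recorded trace is cut at every tainted conditional, untainted (dispatcher) conditionals are folded into the surrounding segment, and segments from several runs are merged into a CFG. The addresses, the `TraceEntry` record and the two traces are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceEntry:
    """One executed instruction as a taint-tracking tracer might record it (hypothetical format)."""
    addr: int
    is_cond: bool = False   # conditional branch?
    tainted: bool = False   # does its predicate depend on tainted (user) input?


def split_trace(trace):
    """Cut a linear trace into segments, ending a segment at each tainted conditional.
    Untainted conditionals (e.g. the VM dispatcher's own checks) do not split, so the
    interpreter's control flow disappears into the segment of the original instruction."""
    segments, current = [], []
    for entry in trace:
        current.append(entry.addr)
        if entry.is_cond and entry.tainted:
            segments.append(tuple(current))
            current = []
    if current:
        segments.append(tuple(current))
    return segments


def build_cfg(traces):
    """Merge the segments of several traces (one per explored input) into a CFG keyed by
    segment start address: {start: (addresses, frozenset of successor starts)}.
    Each trace contributes only the single path its input exercised, so the CFG is
    only as complete as the set of inputs that were traced."""
    blocks, succs = {}, defaultdict(set)
    for trace in traces:
        segs = split_trace(trace)
        for seg, nxt in zip(segs, segs[1:] + [None]):
            blocks.setdefault(seg[0], seg)
            if nxt is not None:
                succs[seg[0]].add(nxt[0])
    return {start: (addrs, frozenset(succs[start])) for start, addrs in blocks.items()}


# Constructed traces of a hypothetical program: 0x100 reads input, 0x101 is an untainted
# dispatcher check, 0x104 compares the input (tainted), and both arms (0x110 / 0x120)
# fall into a common tail at 0x130, which therefore appears in both resulting blocks.
TRACE_LOW = [TraceEntry(0x100), TraceEntry(0x101, True, False),
             TraceEntry(0x104, True, True), TraceEntry(0x110), TraceEntry(0x130)]
TRACE_HIGH = [TraceEntry(0x100), TraceEntry(0x101, True, False),
              TraceEntry(0x104, True, True), TraceEntry(0x120), TraceEntry(0x130)]

CFG = build_cfg([TRACE_LOW, TRACE_HIGH])
```

With only `TRACE_LOW` the graph has a single successor at 0x104 and no block at 0x120, which is the single-path limitation the summary mentions.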
