A Reconstruction Method of Type Abstraction in Binary Code

Reconstructing type information in binary code plays an important role in reverse engineering, malicious code detecting and vulnerabilities analysis. Type reconstruction is always considered to be one of the most difficult problems because type information is eliminated during the compile procedure and it is hard to understand the low level abstraction of binary code. Currently, most of tools are not able to reconstruct type precisely enough yet. In this paper, we present a conservative method of type construction and introduce a simple intermediate language. Based on the intermediate language, the register abstract syntax trees are constructed and used to resolve the ambiguity problem of base address pointer, which could effectively collect the basic type and structure type constraint information. We also present the method of identification of loop structure and loop count variable in binary code and it could effectively collect the array type constraint information. Type constraint is generated as per type information and resolved to reconstruct the final type. We have evaluated 15 tools of CoreUtils and it turned out that our method could reconstruct data types effectively. It could reconstruct structure type data 5 times more than IDA Pro. Manual analysis of the restored type proves that it could reconstruct types accurately.