Reverse Engineering Google’s Play Integrity Protect VM Obfuscation

Google offers an automatic integrity protection feature for apps through Play Integrity Protect. Previous resarch has shown that there are plenty of anti-debugger and anti-emulation techniques used. While the previous research lays the groundwork for this one, it does not describe the VM based obfuscation technique employed by Google in detail.

Warning

The information presented here is for educational purposes only!

This collection of documents serves as a resource for understanding the VM-based obfuscation used by Google. It also includes API documentation for the accompanying Python package available in the repository.

Reversing

• Overview
• Identifying the VM
  • Handler Functions
• Instruction Set
  • Opcode Obfuscation
  • Virtual Memory
  • Entry Point
  • Instruction Format
• Strings
  • Heuristic String Scanning
• Automatic Analysis
  • Collecting Opcode Handlers
  • Re-creating Instruction Formats
  • Following States until tomorrow
  • Bottom-Up: From Handlers to their States

Generating a VM

• Pairip VM (CXX)
  • The Idea
  • Discovered Operations

Python API

• Virtual Machine Context
  • decode_address()
  • VMMemory
  • VMContext
  • VMState
• Instruction Format Classes
  • InsnFormat
  • InsnInfo
  • Insn
  • O()
• String Decoding
  • s_ppdecode()
  • s_pdecode()
  • ppdecode()
  • pdecode()
• Decompiler Components
  • decompiler_main()
  • from_opcode_def()
  • CFG
  • Disassembler
  • Code Writer
  • Utilities