Disassembly is a challenging task, particularly for obfuscated executables containing junk bytes, which are designed to induce disassembly errors. Existing solutions rely on heuristics or leverage machine learning techniques, but achieve only limited success. Fundamentally, such obfuscation cannot be defeated without an in-depth understanding of the binary executable's semantics, which the emergence of large language models (LLMs) has made possible. In this paper, we present DisasLLM, a novel LLM-driven disassembler that overcomes the challenges of analyzing obfuscated executables. DisasLLM consists of two components: an LLM-based classifier that determines whether an instruction in an assembly code snippet is correctly decoded, and a disassembly strategy that leverages this model to disassemble obfuscated executables end-to-end. We evaluated DisasLLM on a set of heavily obfuscated executables and show that it significantly outperforms other state-of-the-art disassembly solutions.
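To make the junk-byte problem the abstract refers to concrete, here is an added example (not code from the DisasLLM paper): a toy decoder for a handful of x86-32 opcodes, run as a plain linear sweep and as a control-flow-following sweep over a constructed byte sequence in which one junk byte hides behind a `jmp`. The opcode subset, the sample bytes and the two sweep routines are all assumptions made for this illustration.

```python
# Added example, not code from the DisasLLM paper: a toy x86-32 decoder for a
# few opcodes, enough to show how one junk byte placed behind an unconditional
# jump makes a linear-sweep disassembler swallow the real instructions that
# follow, while a control-flow-following sweep never decodes the junk at all.

def decode(code: bytes, off: int):
    """Decode one instruction at `off` -> (mnemonic, length, successor offsets)."""
    op = code[off]
    if op == 0xEB and off + 2 <= len(code):          # jmp rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return "jmp", 2, [off + 2 + rel]
    if op == 0xE8 and off + 5 <= len(code):          # call rel32 (eats 4 bytes)
        return "call", 5, [off + 5]
    if op == 0x31 and off + 2 <= len(code):          # xor r/m32, r32
        return "xor", 2, [off + 2]
    if op == 0x89 and off + 2 <= len(code):          # mov r/m32, r32
        return "mov", 2, [off + 2]
    if op == 0x55:
        return "push ebp", 1, [off + 1]
    if op == 0x5D:
        return "pop ebp", 1, [off + 1]
    if op == 0xC3:
        return "ret", 1, []
    return "db", 1, [off + 1]                        # unknown: treat as data byte

def linear_sweep(code: bytes):
    """Decode every byte in order, as a naive linear-sweep disassembler does."""
    out, off = [], 0
    while off < len(code):
        mnem, length, _ = decode(code, off)
        out.append((off, mnem))
        off += length
    return out

def flow_sweep(code: bytes, entry: int = 0):
    """Decode only bytes reachable from `entry` by following control flow."""
    out, work = {}, [entry]
    while work:
        off = work.pop()
        if off in out or not 0 <= off < len(code):
            continue
        mnem, _, succ = decode(code, off)
        out[off] = mnem
        work.extend(succ)
    return sorted(out.items())

# Constructed sample: push ebp; mov ebp,esp; jmp +1; <junk E8>; xor eax,eax;
# mov esp,ebp; pop ebp; ret.  The jmp skips the lone 0xE8 at offset 5.
SAMPLE = bytes.fromhex("55 89E5 EB01 E8 31C0 89EC 5D C3")

if __name__ == "__main__":
    print("linear:", linear_sweep(SAMPLE))   # junk E8 becomes a 5-byte call
    print("flow:  ", flow_sweep(SAMPLE))     # offsets 6 and 8 are recovered
```

The linear sweep reports a bogus `call` at offset 5 and loses the `xor` and `mov` at offsets 6 and 8; this is the kind of decoding error the classifier described above is meant to flag.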