Scrambler: Mixed Boolean Arithmetic Obfuscation Tool Using E-graph and Equality Expansion

Here is an explanation of the paper "Scrambler" using simple language and creative analogies.

The Big Idea: Hiding a Secret Recipe

Imagine you have a simple, delicious recipe: "Mix 2 cups of flour with 1 cup of sugar."

If you want to hide this recipe from a rival chef (a hacker trying to reverse-engineer your software), you could just write it in a secret code. But a smart rival might crack that code.

Instead, you decide to rewrite the recipe using a massive, confusing list of ingredients and steps that mathematically result in the exact same mixture, but look like a nightmare to read.

Original: Flour + Sugar
Obfuscated: (Flour × 2) - (Sugar ÷ 2) + (Flour - Sugar) ... (and so on for 500 lines).

This is MBA Obfuscation (Mixed Boolean-Arithmetic). It mixes math and logic to make code look incredibly complex while keeping the result exactly the same.

The Problem with Old Tools

For a long time, tools that did this were like bakers with a tiny cookbook.

They only knew a few specific tricks (rules) to rewrite the recipe.
If they wanted to make the recipe longer, they had to manually look up a "truth table" (a giant chart of every possible outcome) for every single ingredient.
This made the process slow, limited, and prone to errors. Sometimes, the "rewritten" recipe didn't actually taste the same as the original because the math got messy.

The Solution: Enter "Scrambler"

The authors of this paper built a new tool called Scrambler. Think of Scrambler not as a baker, but as a magical, infinite Lego factory.

1. The E-Graph: The "Universal Blueprint"

Traditional tools build one version of the recipe at a time. Scrambler uses something called an E-Graph.

Analogy: Imagine a blueprint where every possible way to build a wall is drawn on the same piece of paper, connected by dotted lines.
In this blueprint, the tool knows that 2 + 2, 4, and 1 + 3 are all the "same thing" (they belong to the same "family" or e-class). It doesn't waste time building them separately; it keeps them all connected in one giant web of possibilities.

2. Equality Expansion: The "Infinite Growth" Machine

Old tools used a method called "Equality Saturation," which tries to find the simplest way to write a recipe. Scrambler flips this script. It uses Equality Expansion.

Analogy: Instead of trying to shrink the recipe down to its simplest form, Scrambler is told: "Keep adding Legos until the tower is 100 feet tall, but make sure it still looks like a house."
It takes a simple rule (like "you can swap a multiplication for an addition if you subtract something else") and applies it over and over again. Because the E-Graph keeps track of what is equal to what, the tool never gets confused. It just keeps expanding the complexity until it hits a limit you set (like "stop when the code has 3,000 steps").

Why Scrambler is a Game-Changer

The paper compares Scrambler to three other tools (NeuReduce, Loki, and MBA Obfuscator). Here is what they found:

Feature	Old Tools	Scrambler
Complexity	They could make the code a little messy (maybe 200 steps).	It made the code massively complex (over 34,000 steps in tests!).
Speed	Slow. They had to check their math constantly.	Fast. Because the E-Graph guarantees the math is right as it builds, it doesn't need to stop and double-check.
Safety	Sometimes they made mistakes, requiring a separate "police check" (SMT solver) to ensure the code still worked.	Self-Checking. If the rules are correct, the result is guaranteed to be correct. No police check needed.

The "Secret Sauce" Analogy

Think of the old tools as a translator who knows 10 words in a foreign language. To translate a long sentence, they have to stop and look up every word in a dictionary, which takes forever and might get the grammar wrong.

Scrambler is like a polyglot AI that knows the entire language structure. It doesn't just translate word-for-word; it understands that "The cat sat" and "Sat the cat" are the same concept. It can take a short sentence and expand it into a 10-page story that means the exact same thing, using thousands of synonyms, without ever making a grammar mistake.

The Bottom Line

The researchers created Scrambler to make software security much stronger.

Before: Hackers could often untangle the "scrambled" code because the tools used to scramble it were limited and slow.
Now: Scrambler can generate code so incredibly complex and diverse that it would take a hacker years to figure out what the original program was doing. And because the tool builds the complexity logically, it never accidentally breaks the program.

In short: Scrambler takes a simple math problem and turns it into a giant, unbreakable puzzle, all while guaranteeing the answer is still correct.

Here is a detailed technical summary of the paper "Scrambler: Mixed Boolean Arithmetic Obfuscation Tool Using E-Graph and Equality Expansion."

1. Problem Statement

Program obfuscation aims to transform code into a functionally equivalent but unreadable form to hinder reverse engineering. Mixed Boolean-Arithmetic (MBA) obfuscation is a popular technique that complicates expressions by mixing Boolean and arithmetic operators (e.g., rewriting $x + y$ as $(x \lor y) + (x \land y)$ ).

However, existing MBA obfuscation tools face significant limitations:

Limited Diversity: They rely on predefined rules, truth tables, and matrix-based representations, restricting the variety of generable expressions.
Scalability and Overhead: Tools like NeuReduce and Loki suffer from high generation overhead and limited operator sets.
Verification Bottlenecks: Most tools require post-generation verification using SMT solvers (e.g., Z3) to ensure semantic equivalence. This process degrades significantly in performance as expressions become larger or more complex.
Manual Configuration: Tools often require manual setup of truth tables based on the number of variables, making them difficult to scale.

2. Methodology

The authors propose Scrambler, a novel MBA obfuscation tool that leverages E-Graphs and a technique called Equality Expansion.

Core Concepts

E-Graphs (Equality Graphs): A data structure that represents equivalence classes of expressions. Instead of storing duplicate nodes for semantically identical expressions, an e-graph groups them into "e-classes." This allows multiple equivalent expressions to be represented simultaneously within a single graph structure.
Equality Expansion: An adaptation of the Equality Saturation optimization algorithm.
- Standard Equality Saturation: Applies rewrite rules to an e-graph to find the simplest expression (optimization).
- Equality Expansion (Scrambler's approach): Applies rewrite rules to generate the most complex expression satisfying specific termination conditions (e.g., AST size > 1000).
Implementation: Scrambler is built using the Rust egg framework. It takes three inputs:
1. A set of rewrite rules.
2. The expression to be obfuscated.
3. Termination conditions (e.g., AST node limit, time limit, or rule search depth).

Workflow

Initialization: The input expression is inserted into the e-graph.
Expansion: The system iteratively applies user-defined rewrite rules to the e-graph. Because the e-graph tracks equivalence, it can explore a vast space of semantically equivalent expressions without redundancy.
Termination: The process stops when a configured condition is met (e.g., the AST size exceeds a threshold).
Extraction: A complex expression is extracted from the e-graph.

Key Advantage: Since the e-graph construction guarantees semantic equivalence by design (based on the input rules), no post-generation verification (SMT solving) is required.

3. Key Contributions

Novel Tool (Scrambler): The first MBA obfuscation tool to utilize E-Graphs and Equality Expansion specifically for generating complex obfuscation rather than simplification.
Guaranteed Equivalence without Verification: By relying on the structural properties of the e-graph, Scrambler eliminates the need for expensive SMT solver checks, significantly improving generation efficiency.
High Expressiveness: The tool supports a wider range of operators and can generate linear, polynomial, and non-polynomial MBA expressions dynamically based on the provided rule set.
Scalability: It overcomes the manual configuration limitations of previous tools by using a rule-based expansion mechanism that scales with the complexity of the e-graph traversal.

4. Experimental Results

The authors compared Scrambler against three existing tools: NeuReduce, Loki, and the MBA Obfuscator. The evaluation used six metrics: AST Size, Number of Variables, Number of Constants, Number of Operators, MBA Alternation, and Shannon Entropy.

Key Findings:

Structural Complexity: Scrambler significantly outperformed all other tools.
- AST Size: Scrambler generated expressions with an average size of 34,786.77 nodes, compared to ~235 for the MBA Obfuscator and ~216 for Loki.
- Operator Count: Scrambler averaged 23,373.46 operators, vastly exceeding the ~142 (Loki) and ~136 (MBA Obfuscator).
- MBA Alternation: Scrambler achieved an alternation score of 6,387.58, compared to ~38 for Loki and ~31 for the MBA Obfuscator.
Efficiency: Despite generating much larger expressions, Scrambler operated within a 2-second time limit per expression (with a 3,000 node limit during traversal), demonstrating high generation speed.
Robustness: The study noted that increasing the number of rewrite rules led to a sharp increase in complexity metrics once a certain threshold was crossed.

5. Significance

Advancement in Obfuscation: Scrambler sets a new benchmark for the complexity and diversity of MBA obfuscation, making reverse engineering significantly harder due to the sheer size and structural complexity of the generated code.
Paradigm Shift: It shifts the paradigm from "generate then verify" (using SMT solvers) to "generate with guaranteed equivalence" (using E-Graphs), solving a major performance bottleneck in the field.
Future Potential: The approach suggests that by carefully curating rewrite rules, developers can create highly robust obfuscation schemes that are difficult to deobfuscate using standard symbolic execution or pattern matching techniques.

Limitations & Future Work:
The authors acknowledge that the correctness of the generated expressions relies entirely on the correctness of the input rewrite rules. Therefore, rigorous validation of the rule set is critical. Future work will focus on optimizing rule selection to balance complexity and performance.