Trail of Bits Releases CoBRA, an Open-Source Tool That Simplifies 99.86% of MBA Obfuscation Expressions
Trail of Bits released CoBRA, an open-source tool that simplifies Mixed Boolean-Arithmetic (MBA) obfuscation with a 99.86% success rate on over 73,000 expressions from seven datasets, giving malware analysts and reverse engineers a powerful new deobfuscation capability.

Trail of Bits released CoBRA, an open-source tool that dramatically simplifies Mixed Boolean-Arithmetic (MBA) obfuscation, a technique malware authors and software protectors use to disguise simple operations behind tangled combinations of arithmetic and bitwise operators. CoBRA achieves a 99.86% simplification rate across 73,066 expressions drawn from seven independent datasets, recovering readable equivalents like `x + y` from deeply obfuscated forms. The tool ships as a CLI utility, a C++ library, and an LLVM pass plugin, making it accessible for a wide range of reverse engineering workflows.
MBA obfuscation has long been a thorn in the side of security analysts because no standard simplification technique covers both arithmetic and Boolean logic simultaneously. Algebraic simplifiers cannot handle bitwise operations, and Boolean minimizers cannot handle arithmetic. An identity like `(x ^ y) + 2 * (x & y) == x + y` is true only because of how modular wrapping works at fixed bit-widths, yet existing tools are unable to verify it. Prior simplifiers such as SiMBA and GAMBA addressed parts of the problem — SiMBA handles linear expressions well, and GAMBA extends to polynomial cases — but until CoBRA, no single tool achieved high success rates across the full range of MBA expression types encountered in the wild.
CoBRA uses a worklist-based orchestrator that classifies each input expression and selects the right combination of simplification techniques from 36 discrete passes organized across four families: linear, semilinear, polynomial, and mixed. For linear expressions — sums of bitwise terms like `(x & y)`, `(x | y)`, and `~x`, each multiplied by a constant — the orchestrator evaluates the expression on all Boolean inputs to produce a signature, then races multiple recovery techniques against each other and picks the cheapest verified result. When constant masks appear (like `x & 0xFF`), the expression enters the semilinear pipeline, which breaks it down into its smallest bitwise building blocks and reconstructs a simplified result through bit-partitioned assembly. For expressions involving products of bitwise subexpressions, a decomposition engine extracts polynomial cores and solves residuals. Mixed expressions that combine products with bitwise operations often contain repeated subexpressions; a lifting pass replaces these with temporary variables, simplifying the inner pieces first.
Regardless of which pipeline an expression passes through, the final step is verification: CoBRA checks every result against random inputs or proves equivalence with Z3. No simplification is returned unless it is confirmed correct. The tool supports bit-widths from 1 to 64 bits and can optionally run Z3 equivalence proofs for additional certainty.
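The signature-then-verify idea for linear expressions can be shown on a small scale. This is an added example, not CoBRA's code or its actual algorithm: it assumes two variables, a fixed basis of `1`, `x`, `y` and `x & y`, and all-zeros/all-ones words as the Boolean inputs, and the function names `signature`, `recover_linear` and `render` are hypothetical.

```python
import random

def signature(f, width):
    """Evaluate f on every Boolean input pair, using all-zeros/all-ones words."""
    m = (1 << width) - 1
    return [f(x, y) & m for x, y in ((0, 0), (m, 0), (0, m), (m, m))]

def recover_linear(f, width=64, trials=64, seed=0):
    """Return (c0, cx, cy, cxy) with f == c0 + cx*x + cy*y + cxy*(x & y)
    modulo 2**width, or None when random testing refutes the candidate."""
    m = (1 << width) - 1
    s0, s1, s2, s3 = signature(f, width)
    # An all-ones word equals -1 mod 2**width, so a term that is "true" at a
    # signature point contributes -coefficient there; solve the 4x4 system.
    coeffs = (s0, (s0 - s1) & m, (s0 - s2) & m, (s1 + s2 - s0 - s3) & m)
    c0, cx, cy, cxy = coeffs
    rng = random.Random(seed)  # fixed seed keeps the check reproducible
    for _ in range(trials):
        x, y = rng.getrandbits(width), rng.getrandbits(width)
        if (c0 + cx * x + cy * y + cxy * (x & y)) & m != f(x, y) & m:
            return None  # input was not a linear MBA: reject, never guess
    return coeffs

def render(coeffs, width=64):
    """Format coefficients as signed values so 2**width - 1 shows as -1."""
    terms = []
    for c, name in zip(coeffs, ("", "x", "y", "(x & y)")):
        c = c - (1 << width) if c >> (width - 1) else c
        if c == 0:
            continue
        terms.append(name if c == 1 and name else f"{c}*{name}".rstrip("*"))
    return " + ".join(terms) or "0"

if __name__ == "__main__":
    # Constructed sample inputs; the first is the identity quoted above.
    samples = {
        "(x ^ y) + 2*(x & y)": lambda x, y: (x ^ y) + 2 * (x & y),
        "(x | y) - (~x & y)": lambda x, y: (x | y) - (~x & y),
        "x * y": lambda x, y: x * y,  # a product, so not linear
    }
    for text, f in samples.items():
        result = recover_linear(f)
        print(text, "->", render(result) if result else "rejected")
```

The product `x * y` yields a plausible-looking candidate from its signature alone, and only the random-input check rejects it, which is why verification sits at the end of every pipeline.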
CoBRA runs in three modes. The CLI tool accepts an expression directly and returns the simplified form, with flags for bit-width and verification. The C++ library exposes a `Simplify` API for integration into automated analysis pipelines. The LLVM pass plugin (`libCobraPass.so`) can deobfuscate MBA patterns directly in LLVM IR, making it useful for deobfuscation pipelines built on tools like Remill. The LLVM pass handles patterns spanning multiple basic blocks and applies a cost gate, only replacing instructions when the simplified form is smaller. It supports LLVM versions 19 through 22.
The tool was validated against 73,066 expressions from SiMBA, GAMBA, OSES, and four other independent sources, covering the full spectrum of MBA complexity from two-variable linear expressions to deeply nested mixed-product obfuscations. CoBRA simplified 72,960 of those expressions, achieving a 99.86% success rate. The 106 unsupported expressions are carry-sensitive mixed-domain cases where bitwise and arithmetic interactions create edge cases that current techniques cannot handle.
By giving analysts a reliable method to reverse MBA obfuscation, CoBRA addresses a longstanding gap in malware analysis and software protection reverse engineering. The tool is available now as open source from Trail of Bits, and its LLVM pass plugin in particular is expected to streamline deobfuscation pipelines for advanced threat hunting and vulnerability research.