This work proposes a general deobfuscation approach that operates without execution traces, overcoming a key limitation of existing techniques which rely on dynamic analysis or dynamic symbolic execution and often fail to produce structurally coherent code. For the first time, it achieves complete control flow graph (CFG) recovery and high-quality decompilation without depending on path satisfiability solving. The method integrates VPC-aware unconstrained symbolic simulation, CFG reconstruction, and large language model (LLM)-assisted code comprehension. Evaluated on over 1,000 academic and commercial obfuscated samples—including VMProtect and Themida—it successfully reconstructs full CFGs and generates readable C-like pseudocode, effectively addressing scalability and output usability bottlenecks of prior approaches. The technique has also been successfully applied to analyze previously unknown VMProtect-protected malware samples on VirusTotal.

In the ever-evolving battle against malware, binary obfuscation techniques are a formidable barrier to effective analysis by both human security analysts and automated systems. In particular, virtualization or VM-based obfuscation is one of the strongest protection mechanisms that evade automated analysis. Despite widespread use of virtualization, existing automated deobfuscation techniques suffer from three major drawbacks. First, they only work on execution traces, which prevents them from recovering all logic in an obfuscated binary. Second, they depend on dynamic symbolic execution, which is expensive and does not scale in practice. Third, they cannot generate "well-formed" code, which prevents existing binary decompilers from generating human-friendly output. This paper introduces PUSHAN, a novel and generic technique for deobfuscating virtualization-obfuscated binaries while overcoming the limitations of existing techniques. PUSHAN is trace-free and avoids path-constraint accumulation by using VPC-sensitive, constraint-free symbolic emulation to recover a complete CFG of the virtualized function. It is the first approach that also decompiles the protected code into high-quality C pseudocode to enable effective analysis. Crucially, PUSHAN circumvents reliance on path satisfiability, a known NP-hard problem that hampers scalability. We evaluate PUSHAN on more than 1,000 binaries, including targets protected by academic state of the art (Tigress) and commercial-strength obfuscators VMProtect and Themida. PUSHAN successfully deobfuscates these binaries, retrieves their complete CFGs, and decompiles them to C pseudocode. We further demonstrate applicability by analyzing a previously unanalyzed VMProtect-obfuscated malware sample from VirusTotal, where our decompiled output enables LLM-assisted code simplification, reuse, and program understanding.