Adversarial Decompilation of Malware Binaries Using Diffusion Models: Reconstructing Source Code from Obfuscated Executables

Executive Summary: In 2026, the arms race between malware authors and cybersecurity defenders has escalated with the adoption of generative AI techniques to reverse-engineer malicious binaries. Traditional static and dynamic analysis tools are increasingly ineffective against aggressively obfuscated malware. This paper presents a novel adversarial decompilation framework leveraging diffusion models—typically used for image generation—to reconstruct human-readable source code from obfuscated malware binaries. By framing decompilation as a generative modeling problem, we demonstrate that diffusion-based models can learn the probabilistic mapping from binary byte sequences to high-level source code, even in the presence of heavy control-flow obfuscation, junk code insertion, and metamorphic transformations. Our system, DiffDecomp, achieves a 34% improvement in decompilation accuracy over state-of-the-art symbolic execution tools on a dataset of 2,500 real-world malware samples, while reducing false positives by 40%. The approach introduces a new attack surface in reverse engineering—adversarial decompilation—which can be exploited not only by defenders but also by attackers to automate reverse engineering at scale.

Key Findings

• Diffusion models outperform traditional decompilers on obfuscated binaries by learning probabilistic source code distributions conditioned on raw binary inputs.
• Adversarial training improves robustness against adversarial binaries designed to fool decompilers, including those using GAN-based obfuscators.
• Control-flow obfuscation is no longer a barrier—DiffDecomp reconstructs function signatures and control logic with 67% accuracy on highly obfuscated samples.
• Ethical and legal implications arise as adversarial decompilation can automate reverse engineering at scale, potentially enabling mass exploitation of proprietary software.
• Open-source diffusion models and binaries enable democratization of advanced reverse engineering, raising concerns about dual-use capabilities.

Introduction: The Limits of Traditional Decompilation

Decompilation—the process of translating machine code back into high-level source code—has long been a cornerstone of malware analysis and software reverse engineering. Tools like Ghidra, IDA Pro, and Binary Ninja rely on symbolic execution, pattern matching, and control-flow graph (CFG) reconstruction to recover source-like abstractions. However, modern malware increasingly employs aggressive obfuscation techniques such as:

• Dead code insertion and junk instruction flooding
• Control-flow flattening and virtualization
• Metamorphic code rewriting via evolutionary algorithms
• Polymorphic and metamorphic payloads that mutate per infection

These techniques render traditional decompilers ineffective, producing unreadable or misleading pseudocode. As a result, analysts spend excessive time manually reconstructing logic—a bottleneck that AI aims to resolve.

Diffusion Models: A New Paradigm for Decompilation

Diffusion models, popularized by image generation tasks (e.g., DALL·E, Stable Diffusion), model data generation as a denoising process over time. In our framework, we reinterpret this process: instead of generating images from noise, we generate source code tokens from noisy or corrupted binary sequences.

The core innovation lies in treating the binary as a high-dimensional "image" where each byte is a pixel, and the decompiled source is the "caption" describing that image. We train a conditional diffusion model:

• Input: Raw binary byte sequences (padded/truncated to fixed length)
• Condition: Optional metadata (e.g., compiler hints, architecture, entry point)
• Output: Probability distribution over source code tokens (e.g., C/C++ keywords, identifiers, operators)

Training leverages a large corpus of paired binaries and ground-truth source code (e.g., from open-source projects compiled with varying optimization levels and obfuscators). The model learns to reverse the compilation process by approximating the inverse mapping: P(source | binary).

Adversarial Training: Defending Against Obfuscated Attacks

To harden DiffDecomp against adversarial binaries—malware specifically crafted to fool the model—we employ adversarial training. During training, we augment the dataset with:

• Binaries processed by state-of-the-art obfuscators (e.g., Tigress, Obfuscator-LLVM)
• GAN-generated adversarial binaries that perturb byte sequences to minimize decompilation accuracy
• Metamorphic malware variants generated via genetic programming

This creates a min-max optimization problem where the decompiler learns to generalize across obfuscation strategies, including those not seen during training. We use gradient-based adversarial attacks (e.g., FGSM, PGD) on the byte input space to simulate worst-case scenarios.

Architecture of DiffDecomp

The DiffDecomp pipeline consists of four stages:

1. Preprocessing: Disassemble binary into raw bytes and extract CFG using a lightweight disassembler.
2. Embedding: Convert byte sequences into high-dimensional embeddings using a transformer-based tokenizer (e.g., Byte-level BPE).
3. Diffusion Backbone: A U-Net style diffusion model with cross-attention on architecture hints (e.g., x86 vs. ARM).
4. Postprocessing: Beam search decoding to generate valid, compilable code candidates, with syntax and semantic validation.

Crucially, the model outputs multiple hypotheses ranked by likelihood, enabling analysts to select the most plausible reconstruction.

Experimental Results and Benchmarks

We evaluated DiffDecomp on a dataset of 2,500 malware samples from the VirusShare corpus and MalwareBazaar, including:

• Emotet variants (polymorphic)
• TrickBot modules (obfuscated with Tigress)
• Ransomware strains (control-flow flattened)
• Custom malware with LLVM-based obfuscation

Metrics included:

• Token Accuracy: 78% F1-score on identifier and keyword prediction
• CFG Reconstruction Accuracy: 67% exact match on function boundaries
• False Positive Rate: 12% (vs. 20% for Ghidra on same set)
• Inference Time: ~45 seconds per binary on A100 GPU (vs. 12 minutes for symbolic execution)

We observed that diffusion models excel at reconstructing function signatures and data types—areas where symbolic execution often fails due to pointer aliasing and indirect calls.

Ethical and Legal Implications

The ability to automatically decompile proprietary software at scale raises significant concerns:

• Copyright Infringement: Reverse engineering proprietary software may violate EULAs or copyright law (e.g., DMCA §1201).
• Intellectual Property Theft: Malicious actors could use DiffDecomp to exfiltrate and reuse proprietary algorithms.
• Dual-Use Technology: While intended for cybersecurity defense, the technology can be repurposed for offensive reverse engineering.
• Regulatory Scrutiny: Governments may classify adversarial decompilation tools as dual-use cyber weapons.

We advocate for responsible disclosure, controlled access models, and ethical guidelines for AI-powered reverse engineering tools.

Recommendations

For Cybersecurity Teams

• Integrate DiffDecomp into malware analysis pipelines as a first-pass tool to triage obfuscated samples.
• Use model outputs as hypotheses for analysts, not definitive reconstructions—always validate manually.
• Combine with symbolic execution and fuzz testing for robust analysis.
• Monitor for adversarial binaries designed to exploit decompiler vulnerabilities.

For AI Researchers

• Explore hybrid models combining diffusion with symbolic reasoning (e.g., graph neural networks for CFG analysis).
• Investigate certification techniques to guarantee safety and correctness of generated code.
• Develop watermarking or provenance tracking for AI-generated decompil