IDA Deobfuscator plugin 0.76b
Author: mpompeo. Reposted from: http://www.woodmann.com/forum/showthread.php?t=12342
Introduction:
basic deobfuscator plugin for IDA.
Go to an obfuscated code sequence, start it (ALT+O), enter the end address (start address is already filled) and go.
I won't push this POC version much as it needs a full rewrite -it is a quick&dirty tool-, but I am curious to know 'how it works' for you, and where it mainly fails.
(didn't test it on 5.3, drop me a line if it doesn't work and I'll update)
edit--- 0.2 which fixes checkboxes (made confusion with some flag :P )
edit--- 0.3 which adds some basic constant accumulation.
edit--- 0.5, minor constant accumulation, minor push/pop folding
edit--- 0.51, fixed a bug introduced in 0.5 (an "IF" code flow): now it removes the junk and keeps the good instruction (+fixed table mode, now it works)
edit-- 0.6 few bugfixes, added layout in the stack for registers at end of deobfuscated block.
edit-- 0.7 common indirect register tracking of values (experimental)
edit-- 0.71 removed a debug check left in by error, that caused frequent crashes...
edit-- 0.76b fixed a bunch of deadly errors, added 'selection' to be taken as start-end and a few other changes
Local backup: hi, here is the sample of usage, + 0.75 which hopefully fixes all the ugly bugs I introduced when I had extended the constant folding in 0.6x-0.7x...
it deobfuscates the following code (cut&paste from IDA):
sar dx, cl
inc ah
add dh, 6Eh
mov eax,
neg dl
shl dx, 9
mov dx,
cmp cl, al
pushf
clc
cmp cx, di
add ebp, 6
jmp loc_4250D1
[...]
loc_4250D1:
call $+5
push
mov , dx
pushf
pushf
lea esp,
jmp common_end
this is another sample, used in IDA: I just filled in the start and end of the obfuscated code, which is
common_end:
lea edx,
btr dx, 4
rol al, cl
sal dl, 1
mov al,
cmp ah, dh
clc
shrd dx, bx, 1
xor al, bl
btc dx, 0Fh
movsx edx, cl
pushf
rol al, 3
sal dx, 0Ah
inc dx
add dh, 0B7h
btr edx, edx
xor al, 1
cmp esi, esi
adc dh, 25h
btr dx, cx
sub dl, bl
sub al, 37h
cmc
pop edx
call continue_1
continue_1:
neg al
inc dl
lea esi,
bsr dx, ax
dec al
pop edx
pusha
not al
pop edx
db 66h
bswap edx
movzx edx, bl
setnl dl
inc al
bts dx, bx
xor bl, al
cmc
clc
movzx eax, al
adc dl, al
db 66h
bswap edx
jmp continue_2
continue_2:
sbb dl, 17h
mov edx,
mov , ch
jmp continue_3
continue_3:
mov , di
clc
bswap edx
call continue_4
proc continue_4 near
cmc
stc
add edx, 0D5B781C2h
push eax
jmp continue_5
continue_5:
bswap edx
cmc
cmp bh, 49h
bt sp, 1
pushf
sub edx, 89010C55h
cmc
cmp bh, 0BEh
jmp continue_end
continue_end:
clc
bswap edx
stc
add edx, 0
mov , 0Ch
mov , edx
pushf
push
retn 2Ch
Basically, you set up a start/end, and then it prunes the obfuscated code. Output is established in the first 3 options: either notepad, IDB anterior comment (this EDITS your idb, take care), or just in the IDA log window as messages. A little IDA SDK note: call_system() waits for the end of the called process, so until you close notepad you won't be able to click in IDA.
The 'table mode' just cycles through a table of pointers, deobfuscating all handles (useful for VMs). When it fails, it stops, so you know the instruction that wasn't possible to deobfuscate (hopefully). To use the table mode, you need to position at the start of the table, fill 'pointers table end' and set table mode, of course. The 'max valid pointer address' is used to prevent invalid entries in the handle table from causing problems.
The 'relative tracking' is explained in the 1st sample: see the end layout line for EBP that says =.
Stack constants moved back and forth on the stack are tracked and sent to output, so you know what your stack will look like AFTER the deobfuscated sequence.
It can accumulate simple transformations whenever possible, and track down basic assignments.
Almost everywhere you will find an address before a line, as it allows a quick click-jump. Whenever you get to a Jcc or to a RET, it will ask you the address where it should jump to. Exiting there will 'stop' analysis there.
This is made to ease analysis, not to 'rewrite' code. I got an idea on a generic deobfuscation method and wanted to 'test it out'.
Very nice plugin, keep updating.
Anyway, I have no idea what it does, but I threw it into my IDA all the same; having more stuff never hurts~
Can someone briefly explain what it's used for?
Just put it in and found I already have this plugin.....
Originally posted by Hmily on 2009-2-23 17:19:
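The post above describes in prose what the plugin does to a block (prune junk, accumulate constants, fold push/pop). To make the first two of those concrete, here is an added Python example written for this page; it is not the plugin's own code (that is an IDA SDK plugin) and its listing is constructed, modelled on the add/sub edx immediates in the sample. It assumes straight-line code, models the flags as only two groups (CF and the ZF/SF/OF/PF/AF group), and treats any mnemonic it does not know as reading every flag, so it never prunes across a call, jump or ret. It goes one step beyond the post's "whenever possible": a run of add/sub is merged only when the flags of its last instruction are dead, because the merged add computes the same register value but not the same flags.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

CF, ARITH = "CF", "ARITH"          # carry; the ZF/SF/OF/PF/AF group
ALL = frozenset({CF, ARITH})
# Flag effects of the mnemonics the demo knows; anything not listed (call, ret,
# jcc, ...) is treated as reading every flag, so nothing is pruned across it.
FLAG_WRITES = {
    "add": ALL, "sub": ALL, "adc": ALL, "sbb": ALL, "xor": ALL, "neg": ALL,
    "cmp": ALL, "test": ALL, "inc": {ARITH}, "dec": {ARITH},
    "clc": {CF}, "stc": {CF}, "cmc": {CF},
    "mov": set(), "lea": set(), "push": set(), "pop": set(), "bswap": set(), "pushf": set(),
}
FLAG_READS = {"adc": {CF}, "sbb": {CF}, "cmc": {CF}, "pushf": ALL}
FLAG_ONLY = {"clc", "stc", "cmc", "cmp", "test"}   # flags are their only effect
SIGN = {"add": 1, "sub": -1}
IMM_RE = re.compile(r"^(?:0x[0-9a-f]+|[0-9][0-9a-f]*h|[0-9]+)$", re.I)

@dataclass
class Insn:
    addr: int          # constructed sequential index, printed like IDA's click-jump address
    mnemonic: str
    ops: list[str]
    def __str__(self):
        return f"{self.addr:08X}  {self.mnemonic} {', '.join(self.ops)}".rstrip()

def parse(listing: str) -> list[Insn]:
    """'mnem op1, op2' lines as pasted from IDA; ';' starts a comment."""
    insns = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            head, _, rest = line.partition(" ")
            ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
            insns.append(Insn(len(insns), head.lower(), ops))
    return insns

def imm(tok: str) -> int:            # IDA style: 0D5B781C2h, 0Ah, 6
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)

def fmt_imm(v: int) -> str:          # IDA wants a leading 0 before A-F
    s = f"{v:X}h"
    return s if s[0].isdigit() else "0" + s

def reg_bits(reg: str) -> int:       # eax -> 32, ax -> 16, al/ah -> 8
    return 32 if reg.startswith("e") else 16 if reg[-1] in "xip" else 8

def flag_step(live: set, m: str) -> set:
    """One backward dataflow step: kill what m writes, then gen what it reads."""
    if m not in FLAG_WRITES:
        return live | ALL              # unknown / control transfer: assume all needed
    return (live - FLAG_WRITES[m]) | FLAG_READS.get(m, set())

def remove_flag_junk(insns, live_out=ALL):
    """Drop flag-only instructions whose every result is overwritten before being read."""
    live, kept = set(live_out), []
    for ins in reversed(insns):
        if ins.mnemonic in FLAG_ONLY and not (FLAG_WRITES[ins.mnemonic] & live):
            continue                   # junk: nobody consumes its flags
        live = flag_step(live, ins.mnemonic)
        kept.append(ins)
    return kept[::-1]

def flag_liveness(insns, live_out=ALL):
    """live_after[i] = flags some instruction after i still needs."""
    live, live_after = set(live_out), [frozenset()] * len(insns)
    for i in range(len(insns) - 1, -1, -1):
        live_after[i] = frozenset(live)
        live = flag_step(live, insns[i].mnemonic)
    return live_after

def is_imm_arith(ins, reg=None):
    return (ins.mnemonic in SIGN and len(ins.ops) == 2 and bool(IMM_RE.match(ins.ops[1]))
            and (reg is None or ins.ops[0].lower() == reg))

def fold_constants(insns, live_out=ALL):
    """Merge a run of add/sub reg, imm on one register into a single add, but only
    when the flags after the run's last instruction are dead (the merged add gives
    the same register value, not the same flags); a lone 'add reg, 0' is dropped
    under the same condition."""
    live_after = flag_liveness(insns, live_out)
    out, i = [], 0
    while i < len(insns):
        ins = insns[i]
        if is_imm_arith(ins):
            reg, j, total = ins.ops[0].lower(), i, 0
            while j < len(insns) and is_imm_arith(insns[j], reg):
                total = (total + SIGN[insns[j].mnemonic] * imm(insns[j].ops[1])) % (1 << reg_bits(reg))
                j += 1
            if not live_after[j - 1] and (j - i > 1 or total == 0):
                if total:
                    out.append(Insn(ins.addr, "add", [ins.ops[0], fmt_imm(total)]))
                i = j
                continue
        out.append(ins)
        i += 1
    return out

def deobfuscate(listing: str, live_out=ALL) -> list[str]:
    """Junk removal, then constant accumulation. live_out = flags needed at block end."""
    insns = remove_flag_junk(parse(listing), live_out)
    return [str(x) for x in fold_constants(insns, live_out)]

SAMPLE = """\
clc                 ; constructed sample: CF is overwritten by the add below
add edx, 0D5B781C2h
cmc                 ; CF overwritten by the sub, nothing reads it in between
sub edx, 89010C55h
add edx, 0          ; arithmetic no-op
stc
cmp bh, 49h         ; flags overwritten by xor before pushf reads them
mov eax, edx
xor ecx, ecx
pushf
"""
```

With the default live_out (every flag assumed needed at the end of the block, which the post's samples need since they end in pushf / retn), deobfuscate(SAMPLE) reduces the constructed block to a single add edx, 4CB6756Dh followed by the mov, xor and pushf, each line still carrying its index so it can be located, as the plugin's output does with addresses. A run such as sub ecx, 1 / add ecx, 2 / adc eax, 0 is left untouched, because the adc consumes the carry that the merged add would compute differently.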
Just put it in and found I already have this plugin.....
So selfish, you have it and still don't share it!
Tell everyone what this plugin is for :lol
I have plenty of plugins, but haven't used any of them....... I basically don't use IDA....... Waiting for 老鸭's IDA audio analysis tutorial~
It would be nice if there were a Chinese description.
Thanks.
Hehe, which version is it for?