Original poster
iawen
Posted on 2009-2-23 14:08
hi, here is the sample of usage, + 0.75 which hopefully fixes all the ugly bugs I introduced when I extended the constant folding in 0.6x-0.7x...
it deobfuscates the following code (cut&paste from IDA):
sar dx, cl
inc ah
add dh, 6Eh
mov eax, [ebp+0]
neg dl
shl dx, 9
mov dx, [ebp+4]
cmp cl, al
pushf
clc
cmp cx, di
add ebp, 6
jmp loc_4250D1
[...]
loc_4250D1:
call $+5
push [dword ptr esp]
mov [ss:eax], dx
pushf
pushf
lea esp, [esp+14h]
jmp common_end
this is another sample, used in IDA: I just filled the start and end of the obfuscated code, which is common_end:
lea edx, [ebx+5FB827D6h]
btr dx, 4
rol al, cl
sal dl, 1
mov al, [esi-1]
cmp ah, dh
clc
shrd dx, bx, 1
xor al, bl
btc dx, 0Fh
movsx edx, cl
pushf
rol al, 3
sal dx, 0Ah
inc dx
add dh, 0B7h
btr edx, edx
xor al, 1
cmp esi, esi
adc dh, 25h
btr dx, cx
sub dl, bl
sub al, 37h
cmc
pop edx
call continue_1
continue_1:
neg al
inc dl
lea esi, [esi-1]
bsr dx, ax
dec al
pop edx
pusha
not al
pop edx
db 66h
bswap edx
movzx edx, bl
setnl dl
inc al
bts dx, bx
xor bl, al
cmc
clc
movzx eax, al
adc dl, al
db 66h
bswap edx
jmp continue_2
continue_2:
sbb dl, 17h
mov edx, [ds:Address_Table+eax*4]
mov [esp], ch
jmp continue_3
continue_3:
mov [esp+8], di
clc
bswap edx
call continue_4
proc continue_4 near
cmc
stc
add edx, 0D5B781C2h
push eax
jmp continue_5
continue_5:
bswap edx
cmc
cmp bh, 49h
bt sp, 1
pushf
sub edx, 89010C55h
cmc
cmp bh, 0BEh
jmp continue_end
continue_end:
clc
bswap edx
stc
add edx, 0
mov [byte ptr esp+0], 0Ch
mov [esp+return_address_of_ret____CARE], edx
pushf
push [esp+4+return_address_of_ret____CARE]
retn 2Ch
Basically, you set up a start/end, and then it proceeds to prune the obfuscated code. Output is established in the first 3 options: either notepad, IDB anterior comment (this EDITS your idb, care), or just the IDA log window as messages. A little IDA SDK note: call_system() waits for the end of the called process, so until you close notepad you won't be able to click in IDA.
The 'table mode' just cycles through a table of pointers, deobfuscating all handles (useful for VMs). When it fails, it stops, so you know the instruction that wasn't possible to deobfuscate (hopefully). To use the table mode, you need to position at the start of the table, fill 'pointers table end' and set table mode, of course. The 'max valid pointer address' is used to prevent invalid entries in the handle table from causing problems.
The 'relative tracking' is explained in the 1st sample: see the end layout line for EBP that says [EBP+0]=[EBP+4].
Stack constants moved back and forth on the stack are tracked and sent to the output, so you know what your stack will look like AFTER the deobfuscated sequence.
It can accumulate simple transformations whenever possible, and track down basic assignments.
Almost everywhere you will find an address before a line, as it allows a quick click-jump. Whenever you get to a Jcc or to a RET, it will ask you the address where it should jump to. Exiting there will 'stop' the analysis there.
This is made to ease analysis, not to 'rewrite' code. I got an idea on a generic deobfuscation method and wanted to 'test it out'