
Rebuild Source from Trace Log (OpenRCE forums, Brainstorms - General)

Topic created on: October 26, 2007 05:41 CDT by bodzcount .

Hi,
I need to do that. Is there already a tool which can do that, or does anybody have scripts or tools that help?
If I can't find anything, I will start programming a tool that can do the job (looks like a little bit of work though).

Features should be:
-remove garbage-jumps like:
  jmp @l1
@l1:
  jmp @l2
@l2:

or
call @l1
@l1:
xchg ss:[esp],ecx
pop ecx

-remove constant manipulation like
push 0343254325
pop eax
xor eax,e4452435
and eax,4352452

-refold loops (that is the most difficult thing i guess)
I want to detect which code (address) is executed several times and then merge it somehow. I think I need to make the code address-free and then introduce labels...

any ideas are welcome :)

PS: I am planning to use the OllyDbg trace log and write a separate app. Do you think an IDA plugin would have any advantages? IDA tracing doesn't work as well somehow, and unfortunately x86emu doesn't support tracing :(

regards!

  PSUJobu     October 26, 2007 06:20.47 CDT
> bodzcount:
> PS: I am planning to use the OllyDbg trace log and write a separate app. Do you think an IDA plugin would have any advantages? IDA tracing doesn't work as well somehow, and unfortunately x86emu doesn't support tracing :(

I have only one comment about x86emu: keep in mind that it is open source -- tracing could always be added. Based on my limited experience with it a couple years ago (adding support for ICEBP, for example), the code was fairly easy to understand and modify.

As for the general idea, it does sound like a good chunk of work! :)

  Orr     October 26, 2007 08:31.26 CDT
Take a look at the MetaPHOR virus. It has some interesting features regarding de-permutation and de-obfuscation.

  sp     October 26, 2007 09:29.06 CDT
I wanted to do something (vaguely) comparable to what you proposed for college. Turns out that someone else already did something that was (vaguely) comparable to what I had planned, so I did something else.

Anyway, check out this. That guy's thesis was close enough to what I wanted to do. He tried to solve some of the same problems you have. It might give you some ideas for your tool.

Furthermore, I'm not sure how good you are in compiler theory. Most of the ideas you had are standard compiler theory problems which have been solved. You do not need to come up with solutions for them yourself. Just get a book about compiler theory and take the algorithms from the chapters about code creation/optimization.

  bodzcount     October 26, 2007 17:09.06 CDT
Propagate constants
Eliminate dead code
Remove redundant computations
Remove spurious unconditional branch statements
Reshape Expressions
Fix statement order
Rename Variables

should it always happen in this order? I would begin with removing spurious unconditional branch statements...

  cseagle     October 28, 2007 22:25.05 CDT
> bodzcount: Hi,
> PS: I am planning to use the OllyDbg trace log and write a separate app. Do you think an IDA plugin would have any advantages? IDA tracing doesn't work as well somehow, and unfortunately x86emu doesn't support tracing :(

Tracing is on the drawing board for x86emu! Any requests while I am at it?

Chris

  bodzcount     October 29, 2007 15:15.14 CDT
Hi Chris,

the possibility to update IDA assembly on the basis of trace data would be nice (i.e. for deobfuscating).
If you want, I can help you with that :)

regards

  cseagle     October 30, 2007 16:49.42 CDT
> bodzcount: Hi Chris,
>
> the possibility to update ida assembly on the basis of trace data would be nice (ie for deobfuscating).

What kind of updates would you like?  The emulator already forces IDA to convert every address from which it fetches into code (when you step rather than run), is there something else you would like to see?  In the next update, I intend to record all fetched bytes so that they can be recovered even if the obfuscator later goes back and overwrites them.

Chris

  bodzcount     October 31, 2007 08:20.35 CDT
I need to write a routine now that checks if the obfuscated code is self-modifying... (if yes, then record the patched bytes).
Another thing that I see is that there are jumps to addresses inside multibyte instructions, which create "new instructions". Don't know what to do best with that...

Maybe we can coordinate our deobfuscation efforts, so that we don't do it twice...

I think the best approach for deobfuscating is taking a trace log and rebuilding the function from there. What do you think?
Because then you already have working code (besides some conditional jumps that might depend on initial data) that you just have to compact.

I want to do it like:
- create a trace log
- read it into my own IDA-like database, but still all linear
- then maybe a CFG to identify code segments that can be folded; by this time the code needs to be address-free and labels have to be inserted.
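The pipeline bodzcount outlines here (trace log -> linear listing -> address-free, folded code) and the feature list in the opening post (garbage-jump removal, constant-manipulation folding, loop refolding) can be shown end to end on a small input. The following is an added example, not code from bodzcount or from any tool named in the thread; the trace text is constructed in an OllyDbg-like "address instruction" layout and is not real OllyDbg output. It keeps one copy of every executed address (so a loop recorded N times becomes one body with a label), collapses push IMM / pop REG / alu REG,IMM chains into a single mov, follows jmp-to-jmp chains to their final target, drops jmps that only reach the next instruction, and finally replaces in-listing branch targets with labels:

```python
"""Rebuild an address-free listing from a trace log (added example on a constructed trace)."""
import re

MASK32 = 0xFFFFFFFF
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
HEX = re.compile(r"^[0-9A-Fa-f]+$")
BRANCHES = {"jmp", "call", "jz", "jnz", "je", "jne", "ja", "jb", "jg", "jl"}
ALU = {"xor": lambda a, b: a ^ b, "and": lambda a, b: a & b, "or": lambda a, b: a | b,
       "add": lambda a, b: (a + b) & MASK32, "sub": lambda a, b: (a - b) & MASK32}

# Constructed trace (hypothetical, not real OllyDbg output): a constant built with
# push/pop/xor/and, a two-step jmp chain, and a loop body recorded twice.
TRACE_LOG = """\
00401000 push 11223344
00401005 pop eax
00401006 xor eax,0F0F0F0F
0040100B and eax,0000FFFF
00401010 jmp 00401015
00401015 jmp 0040101A
0040101A mov ecx,3
0040101D dec ecx
0040101E jnz 0040101D
0040101D dec ecx
0040101E jnz 0040101D
00401020 ret
"""


def is_imm(op):
    return op not in REGS and bool(HEX.match(op))


def parse_trace(text):
    """Return [(addr, mnemonic, [operands])] in execution order."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, rest = line.split(None, 1)
        parts = rest.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        out.append((int(addr, 16), parts[0].lower(), ops))
    return out


def refold(trace):
    """One copy per address, first-seen order: a re-executed address is a loop body, not new
    code.  Assumes the same bytes ran each time (see the self-modification check below)."""
    seen = {}
    for addr, mnem, ops in trace:
        seen.setdefault(addr, (mnem, ops))
    return [(a, m, o) for a, (m, o) in seen.items()]


def fold_constants(listing):
    """push IMM / pop REG / (alu REG,IMM)* -> mov REG,IMM (treats the ALU flags as garbage)."""
    out, i = [], 0
    while i < len(listing):
        addr, mnem, ops = listing[i]
        if mnem == "push" and is_imm(ops[0]) and i + 1 < len(listing) and listing[i + 1][1] == "pop":
            reg, val, j = listing[i + 1][2][0], int(ops[0], 16) & MASK32, i + 2
            while (j < len(listing) and listing[j][1] in ALU and len(listing[j][2]) == 2
                   and listing[j][2][0] == reg and is_imm(listing[j][2][1])):
                val = ALU[listing[j][1]](val, int(listing[j][2][1], 16))
                j += 1
            out.append((addr, "mov", [reg, "%08X" % val]))
            i = j
            continue
        out.append((addr, mnem, ops))
        i += 1
    return out


def drop_jmp_chains(listing):
    """One pass: retarget jmp->jmp chains to the final target and drop a jmp whose target is
    the next instruction.  Run to a fixed point: dropping one jmp exposes the next."""
    by_addr = {a: (m, o) for a, m, o in listing}

    def final(t, hops=0):
        m, o = by_addr.get(t, (None, None))
        return final(int(o[0], 16), hops + 1) if m == "jmp" and is_imm(o[0]) and hops < 64 else t

    out = []
    for i, (addr, mnem, ops) in enumerate(listing):
        if mnem == "jmp" and is_imm(ops[0]):
            tgt = final(int(ops[0], 16))
            if i + 1 < len(listing) and listing[i + 1][0] == tgt:
                continue
            ops = ["%08X" % tgt]
        out.append((addr, mnem, ops))
    return out


def render(listing):
    """Make the listing address-free: in-listing branch targets become @l_ labels."""
    addrs = {a for a, _, _ in listing}
    targets = {int(o[0], 16) for _, m, o in listing
               if m in BRANCHES and is_imm(o[0]) and int(o[0], 16) in addrs}
    lines = []
    for addr, mnem, ops in listing:
        if addr in targets:
            lines.append("@l_%08X:" % addr)
        if mnem in BRANCHES and is_imm(ops[0]) and int(ops[0], 16) in targets:
            ops = ["@l_%08X" % int(ops[0], 16)]
        lines.append("  " + mnem + (" " + ",".join(ops) if ops else ""))
    return lines


def rebuild(text):
    listing, prev = fold_constants(refold(parse_trace(text))), None
    while listing != prev:
        prev, listing = listing, drop_jmp_chains(listing)
    return render(listing)
```

Running `print("\n".join(rebuild(TRACE_LOG)))` gives a six-line listing: `mov eax,00003C4B`, `mov ecx,3`, the label, `dec ecx`, `jnz @l_0040101D`, `ret`. The first-seen ordering in refold is the weak spot bodzcount anticipates: it only works because a trace is linear, and a branch that was never taken during the run leaves no code behind at all, which is why the conditional jumps "that might depend on initial data" still need a CFG pass.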

  anonymouse     November 1, 2007 11:35.48 CDT
If you are doing some one-time job and use OllyDbg,

you can use OllyDbg's inherent search mechanism to weed out all this crap disassembly.

If you have patience and perseverance you can build upon that functionality with a separate plugin.

right-click -> search for all commands / search for all sequences / search for commands / search for sequences


Say, for example, you could search for
call CONST, or, as it might be arranged in the binary, e8 00000000
or e8 42????06 (the question marks are masks; anything goes there)

or do
Call Const
any three
ret

It will look and show you all sequences that have that
in a separate window which you can use for further patching or nopping or whatever

call 1234567
nop (for example)
nop
nop
ret
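The masked byte search anonymouse describes is easy to reproduce outside OllyDbg, which matters for bodzcount's next objection that Olly cannot run these searches over a trace window or an old trace. The following is an added example, not OllyDbg's or any plugin's code: it compiles a pattern in the `e8 42????06` notation (`??` = any byte) into a list with wildcards, scans a buffer for it, and decodes the rel32 target of a matching E8 call so the `call $+5` trick from the opening post shows up as a call to the very next instruction. The code bytes are constructed for the example:

```python
"""Masked byte-sequence search with ?? wildcards (added example on constructed bytes)."""
import struct

# Constructed code bytes (hypothetical, not taken from any real binary):
CODE = bytes.fromhex(
    "55"          # push ebp
    "e800000000"  # call $+5 : call to the next instruction (rel32 = 0)
    "59"          # pop ecx
    "e842112206"  # call rel32, rel32 = 0x06221142 (matches e8 42????06)
    "909090"      # "any three" filler bytes
    "c3"          # ret
)


def compile_pattern(text):
    """'e8 42 ?? ?? 06' -> [0xe8, 0x42, None, None, 0x06]; spaces optional, ?? = wildcard."""
    s = text.replace(" ", "").lower()
    if len(s) % 2:
        raise ValueError("pattern must be whole bytes")
    return [None if s[i:i + 2] == "??" else int(s[i:i + 2], 16) for i in range(0, len(s), 2)]


def find_masked(buf, pattern):
    """Offsets in buf where every non-wildcard byte of the pattern matches."""
    pat = compile_pattern(pattern)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + k] == p for k, p in enumerate(pat))]


def call_target(buf, off, base):
    """Decode an E8 rel32 call at buf[off]: target = address after the call + rel32."""
    if buf[off] != 0xE8:
        raise ValueError("not an E8 call at offset %d" % off)
    (rel,) = struct.unpack_from("<i", buf, off + 1)  # rel32 is little-endian, signed
    return (base + off + 5 + rel) & 0xFFFFFFFF


def report(buf, base, patterns):
    """(pattern, offset, call target or None) for every hit of every pattern."""
    return [(pat, off, call_target(buf, off, base) if buf[off] == 0xE8 else None)
            for pat in patterns for off in find_masked(buf, pat)]
```

With `report(CODE, 0x401000, ["e8 00000000", "e8 42????06", "e8 ???????? ?????? c3"])` the first hit decodes to 0x401006, the `pop ecx` directly after the call, which is the same push-eip idiom the opening post wants stripped; the third pattern is the "call CONST / any three / ret" sequence expressed at the byte level.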

  bodzcount     November 1, 2007 12:50.50 CDT
If I remember correctly, I cannot apply those functions in the Olly trace window :( Another bad thing is that I cannot load old traces with Olly...

  cseagle     November 1, 2007 23:32.48 CDT
> bodzcount: I need to write a routine now that checks if the obfuscated code is self-modifying... (if yes, then record the patched bytes).

The idea there is to check the fetched byte against the original database byte.  If they don't match, then you are executing self-modified code.

if (get_original_byte(ea) != get_byte(ea)) {
  ...  /* byte at ea no longer matches the loaded image: self-modified code */
}
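The check cseagle sketches, plus the byte recording he mentions for the next x86emu update, can be modelled without IDA or x86emu. The following is an added example (not x86emu's or IDA's code): a small memory model keeps the loaded image as the "database" view and a live copy the traced code may patch; every instruction fetch compares the two, flags the address as self-modified on a mismatch, and appends each distinct byte value that ever executed there, so the executed bytes can be recovered even after the obfuscator overwrites them. The scenario in `demo()` is constructed:

```python
"""Self-modification check on fetch, with recording of executed bytes (added example)."""


class TraceMemory:
    def __init__(self, base, image):
        self.base = base
        self.original = bytes(image)     # loaded image: what the disassembler database holds
        self.memory = bytearray(image)   # live memory the traced code may patch
        self.modified = set()            # addresses executed with a byte != original
        self.executed = {}               # ea -> [each distinct byte value ever fetched there]

    def _idx(self, ea):
        if not self.base <= ea < self.base + len(self.memory):
            raise IndexError("ea 0x%X outside the traced image" % ea)
        return ea - self.base

    def write(self, ea, data):
        """A store by the traced code (an unpacker patching itself, for example)."""
        i = self._idx(ea)
        self.memory[i:i + len(data)] = data

    def fetch(self, ea, n=1):
        """Instruction fetch of n bytes: the original-vs-current check, then record."""
        out = bytearray()
        for a in range(ea, ea + n):
            b = self.memory[self._idx(a)]
            if b != self.original[self._idx(a)]:
                self.modified.add(a)           # executing self-modified code here
            hist = self.executed.setdefault(a, [])
            if not hist or hist[-1] != b:      # keep every version that ran, in order
                hist.append(b)
            out.append(b)
        return bytes(out)

    def recover(self, ea, n):
        """Bytes as last executed at ea..ea+n, even if memory was overwritten afterwards."""
        return bytes(self.executed[a][-1] if a in self.executed else self.original[self._idx(a)]
                     for a in range(ea, ea + n))


def demo():
    """Constructed scenario: run once, patch the second byte, run it again, then wipe it."""
    m = TraceMemory(0x401000, bytes.fromhex("9090c3"))  # nop; nop; ret
    m.fetch(0x401000, 3)          # first pass executes the original bytes
    m.write(0x401001, b"\xc3")    # code turns the second nop into a ret
    m.fetch(0x401001, 1)          # second pass fetches the patched byte -> flagged
    m.write(0x401001, b"\x00")    # obfuscator wipes the patch afterwards
    return m
```

After `demo()`, `modified` holds only 0x401001, `executed[0x401001]` is `[0x90, 0xC3]`, and `recover(0x401000, 3)` returns `90 c3 c3` although live memory now holds `00` at the patched address; that recovered view is what a trace-based rebuilder should disassemble, not the final memory image.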

  kioresk     November 8, 2007 07:20.16 CST
bodzcount,

Currently, I'm working on a similar task: rebuilding polymorphed code.

Now I'm using a trace log too, but planning to replace it with a disassembler and command emulation as soon as I find a nice solution to rebuild branched code (with conditions, loops, etc.).

There are a lot of obfuscated commands, but it's not hard to convert them back to their normal state. I can send you known obfuscation patterns that I've met working with different applications.

PS.
I've sent you a PM with my email.
