首页
社区
课程
招聘
[转帖]D810: Creating an extensible deobfuscation plugin for IDA Pro
发表于: 2020-11-26 06:25 5096

[转帖]D810: Creating an extensible deobfuscation plugin for IDA Pro

2020-11-26 06:25
5096

D810: Creating an extensible deobfuscation plugin for IDA Pro

Summary

During our day to day tasks, we often have to analyze obfuscated binaries. Therefore, each time there’s a new technique or tool, we ought to try it. Often, they are designed to work on one specific case or are hard to use and we end up losing time instead.


A few years back, we were very interested by the results obtained by Rolf Rolles and decided to have a closer look at his HexRaysDeob plugin while reverse engineering several obfuscated binaries. The first results were very promising, and we found that it could really ease our life. However, when the binary was compiled using a different obfuscator, we noticed that we had to write a lot of new rules to simplify the decompiled code.


So, we started to investigate how we could speed up the writing of new rules while we performing a reverse engineering project with a short deadline.


With the release of the Python bindings of the Hex-Rays microcode API, we decided to build our own deobfuscation plugins with the following goals:


It should have the least possible impact on our standard reverse engineering workflow

Fully integrated to IDA Pro

It should be easily extensible and configurable

Fast creation of new deobfuscation rules

Configurable so that we do not have to modify the source code to use rules for a specific project

Performance impact should be reasonable

Our goal is to be transparent for the reverse engineer

But we do not care if the decompilation of a function takes 1 more second if the resulting code is much simpler.

Today, we’re thrilled to release Deobfuscator-810 (D-810). As other deobfuscation tools, the end goal is to transform something horrible into something a bit more exploitable.

https://eshard.com/posts/d810_blog_post_1/?s=09



[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 1
支持
分享
最新回复 (5)
雪    币: 2332
活跃值: (8740)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
2

网页本地存档

链接:https://pan.baidu.com/s/1LqIvMsCDj8rdSzBDun0uIA 

提取码:299v


2020-11-26 07:26
0
雪    币: 97697
活跃值: (200834)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
3
FleTime 网页本地存档链接:https://pan.baidu.com/s/1LqIvMsCDj8rdSzBDun0uIA 提取码:299v
2020-11-26 07:27
0
雪    币: 41
活跃值: (198)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4

胡乱翻译一下:

    

    我经常需要分析一些被混淆过的程序,每当有一个新的反混淆技术工具出现,我就会去尝鲜。然而,这些新工具往往只能针对特定场景或非常难用,浪费了我的青春。
    几年时间下来,我终于发现了一个看起来能节省生命的有潜力的工具,这是个名为HexRaysDeob的IDA插件,唯一的问题是针对不同被混淆程序时,需要我们编写不少规则脚本。


    IDA microcode API提供了Python支持后,我决定自己写一个插件解决掉上述各种让我不爽的地方。插件的目标如下:
。。。。。
     该插件只支持IDA7.5或更高版本。插件的运行效果相当不错,从截图你们能看出511行的伪代码变成了44行,分析的难度降低了一个数量级。
。。。。。
      T-800曾经说过:想活命就跟我来。我把插件命名为D-810,希望他能终结掉混淆代码 :)

最后于 2020-11-26 12:27 被sqhua编辑 ,原因:
2020-11-26 09:33
0
雪    币: 5855
活跃值: (438)
能力值: ( LV4,RANK:45 )
在线值:
发帖
回帖
粉丝
5
这个厉害,测试下看
2020-11-26 22:15
0
雪    币: 2124
活跃值: (1507)
能力值: ( LV3,RANK:35 )
在线值:
发帖
回帖
粉丝
6
运行d810.py没反应.....
2021-9-2 13:52
0
游客
登录 | 注册 方可回帖
返回
//