D810: Creating an extensible deobfuscation plugin for IDA Pro
Summary
During our day-to-day tasks, we often have to analyze obfuscated binaries. Therefore, each time a new technique or tool appears, we make a point of trying it. Often, these tools are designed for one specific case or are hard to use, and we end up losing time instead of saving it.
A few years back, we were very interested in the results obtained by Rolf Rolles and decided to take a closer look at his HexRaysDeob plugin while reverse engineering several obfuscated binaries. The first results were very promising, and we found that it could make our work considerably easier. However, when a binary was compiled with a different obfuscator, we noticed that we had to write a lot of new rules to simplify the decompiled code.
So we started to investigate how we could speed up the writing of new rules while performing a reverse engineering project with a short deadline.
With the release of the Python bindings for the Hex-Rays microcode API, we decided to build our own deobfuscation plugin with the following goals:
- It should have the least possible impact on our standard reverse engineering workflow:
  - fully integrated into IDA Pro.
- It should be easily extensible and configurable:
  - fast creation of new deobfuscation rules;
  - configurable, so that we do not have to modify the source code to use rules for a specific project.
- The performance impact should be reasonable:
  - our goal is to be transparent for the reverse engineer, but we do not mind if the decompilation of a function takes one more second when the resulting code is much simpler.
Today, we are thrilled to release Deobfuscator-810 (D-810). Like other deobfuscation tools, its end goal is to transform something horrible into something a bit more usable.