整理了一些ollvm对抗的文章,大家可以参考。ollvm还原主要有静态分析的方法和动态分析的方法。无论哪种方法基本流程都是:找到所有基本块(特征匹配)-确定真实块之间的关联(静态的:符号执行/反编译器提供的IL的API;动态的:模拟执行/IDA trace)-patch原程序
利用符号执行去除控制流平坦化: https://security.tencent.com/index.php/blog/msg/112利用angr符号执行去除虚假控制流: https://bbs.pediy.com/thread-266005.htmTetCTF2022一道代码混淆题分析——crackme_pls: https://bbs.pediy.com/thread-271164.htmAngr Control Flow Deobfuscation: https://research.openanalysis.net/angr/symbolic%20execution/deobfuscation/research/2022/03/26/angr_notes.html
Deobfuscation: recovering an OLLVM-protected program:https://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html我印象中quarkslab这篇文章是最早的关于去ollvm混淆的文章,有点老了,不过还是值得学习。MODeflattener - Miasm's OLLVM Deflattener: https://mrt4ntr4.github.io/MODeflattener/
https://github.com/RolfRolles/HexRaysDeobhttps://github.com/idapython/pyhexraysdeob相关文章:https://hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler/https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf基于Microcode的IDA反编译代码优化插件(目前暂未开源): https://github.com/obpo-project/obpo-plugin
Dissecting LLVM Obfuscator Part 1: https://rpis.ec/blog/dissection-llvm-obfuscator-p1/使用Binary Ninja去除ollvm流程平坦混淆: https://bbs.pediy.com/thread-256299.htm
使用Ghidra P-Code对OLLVM控制流平坦化进行反混淆: http://galaxylab.com.cn/%e4%bd%bf%e7%94%a8ghidra-p-code%e5%af%b9ollvm%e6%8e%a7%e5%88%b6%e6%b5%81%e5%b9%b3%e5%9d%a6%e5%8c%96%e8%bf%9b%e8%a1%8c%e5%8f%8d%e6%b7%b7%e6%b7%86/
基于Unicorn 的ARM64 OLLVM反混淆: https://bbs.pediy.com/thread-252321-1.htmARM64 OLLVM反混淆(续: https://bbs.pediy.com/thread-253533.htm细说arm反类ollvm混淆-基本思想: https://bbs.pediy.com/thread-257878.htm这篇文章介绍了模拟执行和IDA trace两种方法。
这位是通过编译后端优化干掉混淆,这已经超过我的理解能力了...一种通过后端编译优化脱混淆壳的方法: https://bbs.pediy.com/thread-260626-1.htm一种通过后端编译优化脱虚拟机壳的方法: https://bbs.pediy.com/thread-266014.htm
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课