Exetools


Git 12-31-2011 22:06

Removing Obfuscation
 
You are probably familiar with the type of obfuscation which looks like this in IDA :

Code:

0000008:1005F233                      loc_1005F233:                          ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233                                                              ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10              mov    edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                  mov    eax, 2Ch
_0000008:1005F23E 2B D0                                sub    edx, eax
_0000008:1005F240 89 15 64 6E 04 10              mov    ds:dword_10046E64, edx
_0000008:1005F246 7E 03                                jle    short near ptr loc_1005F24A+1 ; jle/jg have opposite conditions: every path lands at loc_1005F24A+1
_0000008:1005F248 7F 01                                jg      short near ptr loc_1005F24A+1 ; so the 25h byte at loc_1005F24A itself is never executed
_0000008:1005F24A
_0000008:1005F24A                      loc_1005F24A:                    ; CODE XREF: _0000008:1005F246j
_0000008:1005F24A                                                              ; _0000008:1005F248j
_0000008:1005F24A 25 01 05 68 6E                  and    eax, 6E680501h ; bogus: decoded from the dead 25h byte, which swallows the real instruction starting at 1005F24B
_0000008:1005F24F 04 10                                add    al, 10h ; bogus: leftover tail (04 10) of the swallowed 6-byte instruction
_0000008:1005F251 7E 03                                jle    short near ptr loc_1005F255+1 ; second jump pair, same trick
_0000008:1005F253 7F 01                                jg      short near ptr loc_1005F255+1 ; both land at loc_1005F255+1
_0000008:1005F255
_0000008:1005F255                      loc_1005F255:                    ; CODE XREF: _0000008:1005F251j
_0000008:1005F255                                                              ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E                      jmp    near ptr 7E6E07E5h ; bogus: E9 at 1005F255 is the junk byte; the real code resumes at 1005F256
_0000008:1005F255                      ; ---------------------------------------------------------------------------
_0000008:1005F25A 04                                  db    4 ; tail of the real 6-byte mov that the bogus jmp swallowed
_0000008:1005F25B 10                                  db  10h

You have to Undefine the code at the labels that are the targets of the conditional jumps to target+1. A new label appears 1 byte further on, which you then convert to Code, like this:

Code:

_0000008:1005F233                      loc_1005F233:                    ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233                                                              ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10                  mov    edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                      mov    eax, 2Ch
_0000008:1005F23E 2B D0                                    sub    edx, eax
_0000008:1005F240 89 15 64 6E 04 10                  mov    ds:dword_10046E64, edx
_0000008:1005F246 7E 03                                    jle    short loc_1005F24B ; after Undefine + Code at loc_1005F24A+1 both jumps resolve to the real label
_0000008:1005F248 7F 01                                    jg      short loc_1005F24B
_0000008:1005F248                      ; ---------------------------------------------------------------------------
_0000008:1005F24A 25                                      db  25h ; % ; the junk byte, now isolated as data instead of starting a bogus instruction
_0000008:1005F24B                      ; ---------------------------------------------------------------------------
_0000008:1005F24B
_0000008:1005F24B                      loc_1005F24B:                          ; CODE XREF: _0000008:1005F246j
_0000008:1005F24B                                                              ; _0000008:1005F248j
_0000008:1005F24B 01 05 68 6E 04 10                    add    ds:dword_10046E68, eax ; the real instruction that the bogus "and eax, 6E680501h" had swallowed
_0000008:1005F251 7E 03                                    jle    short near ptr loc_1005F255+1 ; next jump pair, still to be fixed the same way
_0000008:1005F253 7F 01                                    jg      short near ptr loc_1005F255+1
_0000008:1005F255
_0000008:1005F255                      loc_1005F255:                          ; CODE XREF: _0000008:1005F251j
_0000008:1005F255                                                              ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E                      jmp    near ptr 7E6E07E5h ; still bogus: E9 at 1005F255 is the junk byte, the real code resumes at 1005F256
_0000008:1005F25A                      ; ---------------------------------------------------------------------------
_0000008:1005F25A 04 10                                  add    al, 10h ; still the swallowed tail; disappears once 1005F255 is undefined and 1005F256 made code



The obfuscation usually appears in blocks of 5 bytes that do nothing (two 2-byte conditional jumps with opposite conditions plus one junk byte), like
jnz lab
jz lab
<random byte>
lab: ...

Sometimes you also get a push/pop pair or an add/sub pair.

These can be NOP'd out to finally give :

Code:

_0000008:1005F233 8B 15 64 6E 04 10                    mov    edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                  mov    eax, 2Ch
_0000008:1005F23E 2B D0                              sub    edx, eax
_0000008:1005F240 89 15 64 6E 04 10              mov    ds:dword_10046E64, edx
_0000008:1005F246 90                                  nop ; 1005F246..1005F24A: jle/jg pair plus junk byte replaced by five NOPs
_0000008:1005F247 90                                  nop
_0000008:1005F248 90                                  nop
_0000008:1005F249 90                                  nop
_0000008:1005F24A 90                                  nop
_0000008:1005F24B 01 05 68 6E 04 10              add    ds:dword_10046E68, eax ; the real instruction, now decoded correctly
_0000008:1005F251 90                                  nop ; 1005F251..1005F255: second pair plus junk byte
_0000008:1005F252 90                                  nop
_0000008:1005F253 90                                  nop
_0000008:1005F254 90                                  nop
_0000008:1005F255 90                                  nop
_0000008:1005F256 8B 15 68 6E 04 10              mov    edx, ds:dword_10046E68 ; the real code that the bogus jmp had swallowed
_0000008:1005F25C 89 15 40 6E 04 10              mov    ds:dword_10046E40, edx
_0000008:1005F262 81 7C 24 28 75 03 74+        cmp    dword ptr [esp+28h], 1740375h



You can now turn the full block into a Procedure if relevant, and the code is readable and assemblable. If you've got this far I have 2 questions. Firstly, what is this obfuscation called (i.e. the name of the program that produces it)? Secondly, is there a more automated way of removing it? I wrote a script which I use to turn a selected block into NOPs, which helps, but it's still quite a trudge to do it by hand. If you read this far, thanks!

Git

mm10121991 12-31-2011 23:16

I don't think this is a specific kind of obfuscation.
Most of the time they rely on the way disassembly works plus an added junk byte.
see

http://forum.exetools.com/showthread.php?t=13313 

I don't think you can do more than write a specific script.
Also, I remember that the CodeDoctor plugin removes obfuscation, but I haven't tried it.
:)

Git 12-31-2011 23:40

Thanks. I'll look more at CodeDoctor, but on first glance it seems dangerous.

Git

Git 01-03-2012 21:57

I ended up with a script that I run by hand. Put the cursor at the first of the 2 bad jumps and hit Alt-F9 to run the script. It NOPs the 5 bad positions, marks a block of code as Unknown and then makes it code again from the first address:

Code:

#include <idc.idc>

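static main()
{
  // Size of one junk block: two 2-byte conditional jumps plus one junk byte.
  auto junk_len = 5;
  // How far to undefine before re-creating code from the cursor.  This is
  // the original script's figure; it is meant to cover the NOPs and the
  // instruction that followed the junk byte so IDA redraws both.
  auto undef_len = 10;
  auto i, addr1;

  // The cursor must sit on the first jump of the pair.
  addr1 = ScreenEA();

  if(addr1==BADADDR)
  {
    Message("Bad address");
    Exit();
  }

  // Nothing verifies that the bytes here really are a junk pair: a
  // misplaced cursor silently overwrites real code in the database.
  // PatchByte changes the IDB only; the input file stays unchanged until
  // the patches are applied.
  for ( i=addr1; i<addr1+junk_len; i++ )
  {
      PatchByte(i, 0x90);   // NOP
  }

  // Drop the stale label at target+1 and the old instruction boundaries,
  // then let IDA re-disassemble from the first NOP.
  MakeUnknown(addr1, undef_len, DOUNK_DELNAMES);
  MakeCode(addr1);

  Message("\n" + "OK\n");
}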

For obfuscation nonsense blocks whose size is not 5 bytes, I used a script that NOPs the selected block:

Code:

#include <idc.idc>

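static main()
{
  auto i, addr1, addr2;

  // Bounds of the user's selection; the patch loop stops before addr2.
  addr1 = SelStart();
  addr2 = SelEnd();

  if(addr1==BADADDR || addr2==BADADDR)
  {
    Warning("No area selected");
    Exit();
  }

  // Overwrite the selected junk with NOPs.  Nothing verifies that the
  // selection really covers a do-nothing block, so a wrong selection
  // destroys real code in the database (the file on disk is untouched
  // until the patches are applied).
  for ( i=addr1; i<addr2; i++ )
  {
      PatchByte(i, 0x90);   // NOP
  }

  // Clear the label IDA created at the jump target (target+1) so it does
  // not survive the re-analysis.  NOTE(review): the original uses addr2+1
  // here; whether that offset is right depends on what SelEnd() returns in
  // this IDA version -- confirm against a real selection.
  if(Name(addr2+1) != "")
    MakeNameEx(addr2+1, "", SN_PUBLIC);

  // Undefine the selection plus the instruction that followed the junk
  // (+6 is the original script's allowance), then re-create code from
  // the first NOP.
  MakeUnknown(addr1, addr2-addr1+6, DOUNK_DELNAMES);
  MakeCode(addr1);

  Message("\n" + "OK\n");
}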

I guess it would be fairly easy to extend the script to detect all nonsense jump pairs and do the whole file with one script run, but false hits worry me.

Git

deepzero 01-04-2012 19:35

I agree it's probably the most common anti-disassembler trick. Olly handles it quite well, if the code is within the code section and has been analyzed.

ASProtect uses this quite heavily, and back in the day I also wrote a script to combat this. :)

