You are probably familiar with the type of obfuscation which looks like this in IDA:
Code:
0000008:1005F233 loc_1005F233: ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233 ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10 mov edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00 mov eax, 2Ch
_0000008:1005F23E 2B D0 sub edx, eax
_0000008:1005F240 89 15 64 6E 04 10 mov ds:dword_10046E64, edx
_0000008:1005F246 7E 03 jle short near ptr loc_1005F24A+1
_0000008:1005F248 7F 01 jg short near ptr loc_1005F24A+1
_0000008:1005F24A
_0000008:1005F24A loc_1005F24A: ; CODE XREF: _0000008:1005F246j
_0000008:1005F24A ; _0000008:1005F248j
_0000008:1005F24A 25 01 05 68 6E and eax, 6E680501h
_0000008:1005F24F 04 10 add al, 10h
_0000008:1005F251 7E 03 jle short near ptr loc_1005F255+1
_0000008:1005F253 7F 01 jg short near ptr loc_1005F255+1
_0000008:1005F255
_0000008:1005F255 loc_1005F255: ; CODE XREF: _0000008:1005F251j
_0000008:1005F255 ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E jmp near ptr 7E6E07E5h
_0000008:1005F255 ; ---------------------------------------------------------------------------
_0000008:1005F25A 04 db 4
_0000008:1005F25B 10 db 10h
You have to Undefine the code at the labels that are targets of jmpnn target+1. A new label appears 1 byte further on, which you then convert to Code, like this:
Code:
_0000008:1005F233 loc_1005F233: ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233 ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10 mov edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00 mov eax, 2Ch
_0000008:1005F23E 2B D0 sub edx, eax
_0000008:1005F240 89 15 64 6E 04 10 mov ds:dword_10046E64, edx
_0000008:1005F246 7E 03 jle short loc_1005F24B
_0000008:1005F248 7F 01 jg short loc_1005F24B
_0000008:1005F248 ; ---------------------------------------------------------------------------
_0000008:1005F24A 25 db 25h ; %
_0000008:1005F24B ; ---------------------------------------------------------------------------
_0000008:1005F24B
_0000008:1005F24B loc_1005F24B: ; CODE XREF: _0000008:1005F246j
_0000008:1005F24B ; _0000008:1005F248j
_0000008:1005F24B 01 05 68 6E 04 10 add ds:dword_10046E68, eax
_0000008:1005F251 7E 03 jle short near ptr loc_1005F255+1
_0000008:1005F253 7F 01 jg short near ptr loc_1005F255+1
_0000008:1005F255
_0000008:1005F255 loc_1005F255: ; CODE XREF: _0000008:1005F251j
_0000008:1005F255 ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E jmp near ptr 7E6E07E5h
_0000008:1005F25A ; ---------------------------------------------------------------------------
_0000008:1005F25A 04 10 add al, 10h
The obfuscation usually appears in blocks of 5 bytes that do nothing, like:
jnz lab
jz lab
<random byte>
lab: ...
Sometimes you also get a push/pop pair or an add/sub pair.
These can be NOP'd out to finally give :
Code:
_0000008:1005F233 8B 15 64 6E 04 10 mov edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00 mov eax, 2Ch
_0000008:1005F23E 2B D0 sub edx, eax
_0000008:1005F240 89 15 64 6E 04 10 mov ds:dword_10046E64, edx
_0000008:1005F246 90 nop
_0000008:1005F247 90 nop
_0000008:1005F248 90 nop
_0000008:1005F249 90 nop
_0000008:1005F24A 90 nop
_0000008:1005F24B 01 05 68 6E 04 10 add ds:dword_10046E68, eax
_0000008:1005F251 90 nop
_0000008:1005F252 90 nop
_0000008:1005F253 90 nop
_0000008:1005F254 90 nop
_0000008:1005F255 90 nop
_0000008:1005F256 8B 15 68 6E 04 10 mov edx, ds:dword_10046E68
_0000008:1005F25C 89 15 40 6E 04 10 mov ds:dword_10046E40, edx
_0000008:1005F262 81 7C 24 28 75 03 74+ cmp dword ptr [esp+28h], 1740375h
You can now turn the full block into a Procedure if relevant, and the code is readable and assemblable. If you've got this far, I have 2 questions. Firstly, what is this obfuscation called? (i.e., the name of the program that obfuscates it) and secondly, is there a more automated way of removing it? I wrote a script which I use to turn a selected block into NOPs, which helps, but it's still quite a trudge to do it by hand. If you read this far, thanks!
Git
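As an added example (not from the post above or its author), here is a byte-level Python version of the NOP'ing step: it looks for a short Jcc followed by its complementary Jcc (opcode XOR 1) whose rel8 displacements differ by exactly 2, so both branches land just past the junk byte, and overwrites the whole block with 90h. The sample input is the raw byte sequence from the first listing; the function names are mine, and the scan also accepts more than one junk byte (the second jump's rel8 gives the junk length), which goes beyond the 5-byte blocks described in the post.

```python
from typing import Iterator, List, Tuple

NOP = 0x90

# Assumed shape of one opaque block (5 bytes when there is one junk byte):
#   Jcc  short lab+k   opcode 0x70..0x7F, rel8 = k + 2
#   Jncc short lab+k   opcode = first opcode ^ 1 (complementary condition), rel8 = k
#   <k junk bytes>     never executed; k = 1 gives the 7E 03 7F 01 xx blocks above
# Exactly one of the two conditions is always true and both land k bytes past
# the pair, so the whole block behaves like a NOP sled of 4 + k bytes.

def is_short_jcc(op: int) -> bool:
    return 0x70 <= op <= 0x7F

def find_junk_blocks(code: bytes, max_junk: int = 15) -> Iterator[Tuple[int, int]]:
    """Yield (offset, length) of every complementary-Jcc junk block in code."""
    i, n = 0, len(code)
    while i + 4 <= n:
        op1, rel1, op2, rel2 = code[i], code[i + 1], code[i + 2], code[i + 3]
        if (is_short_jcc(op1) and op2 == (op1 ^ 1)
                and 1 <= rel2 <= max_junk and rel1 == rel2 + 2
                and i + 4 + rel2 <= n):
            yield i, 4 + rel2
            i += 4 + rel2          # skip the junk bytes we just matched
        else:
            i += 1                 # byte-wise scan, not a real instruction decoder

def strip_junk_blocks(code: bytes, max_junk: int = 15) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Return (patched copy of code, list of patched (offset, length) blocks)."""
    blocks = list(find_junk_blocks(code, max_junk))
    patched = bytearray(code)
    for off, length in blocks:
        patched[off:off + length] = bytes([NOP]) * length
    return bytes(patched), blocks

# Constructed sample: the raw bytes of the first listing, starting at 1005F233.
SAMPLE = bytes.fromhex(
    "8B15646E0410"   # mov edx, ds:dword_10046E64
    "B82C000000"     # mov eax, 2Ch
    "2BD0"           # sub edx, eax
    "8915646E0410"   # mov ds:dword_10046E64, edx
    "7E037F01" "25"  # jle/jg pair + junk byte 25h (offset 19 = 1005F246)
    "0105686E0410"   # add ds:dword_10046E68, eax
    "7E037F01" "E9"  # jle/jg pair + junk byte E9h (offset 30 = 1005F251)
    "8B15686E0410"   # mov edx, ds:dword_10046E68
    "8915406E0410"   # mov ds:dword_10046E40, edx
)

if __name__ == "__main__":
    out, blocks = strip_junk_blocks(SAMPLE)
    for off, length in blocks:
        print(f"patched {length} bytes at 1005F233+{off:#x} -> {out[off:off + length].hex()}")
```

Because there is no decoder behind the scan, the same byte pattern inside an immediate or a data area would also match, so run it only over ranges IDA already shows as code. The push/pop and add/sub pairs are left for manual review, since they are not self-evidently dead from the bytes alone.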