I ended up using a script to use by hand. Put the cursor at the first of the 2 bad jumps and hit Alt-F9 to run the script. It NOPs the 5 bad positions, makes a block of code Unknown and then makes it code from the first address:
Code:
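#include <idc.idc>

// NOP the 5 bytes starting at the cursor, then have IDA
// re-disassemble from that address.
static main()
{
    auto i, addr1;

    addr1 = ScreenEA();                 // address under the cursor
    if (addr1 == BADADDR)
    {
        Message("Bad address");
        return;                         // leave the script; Exit() would close IDA
    }

    // Overwrite the 5 bad bytes with NOP (0x90).
    for (i = addr1; i < addr1 + 5; i++)
    {
        PatchByte(i, 0x90);
    }

    // Undefine 10 bytes from the cursor, then convert back to code
    // starting at the first address.
    MakeUnknown(addr1, 10, DOUNK_DELNAMES);
    MakeCode(addr1);
    Message("\n" + "OK\n");
}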
For obfuscation nonsense blocks with a different size to 5 bytes, I used a script that NOPs the selected block:
Code:
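#include <idc.idc>

// NOP every byte of the current selection, then have IDA
// re-disassemble from the start of the selection.
static main()
{
    auto i, addr1, addr2;

    addr1 = SelStart();                 // first selected address
    addr2 = SelEnd();                   // end of the selection
    if (addr1 == BADADDR || addr2 == BADADDR)
    {
        Warning("No area selected");
        return;                         // leave the script; Exit() would close IDA
    }

    // Overwrite the selected bytes with NOP (0x90).
    for (i = addr1; i < addr2; i++)
    {
        PatchByte(i, 0x90);
    }

    // Remove any name at addr2+1.
    if (Name(addr2 + 1) != "")
        MakeNameEx(addr2 + 1, "", SN_PUBLIC);

    // Undefine the selection plus 6 bytes after it, then convert
    // back to code starting at the first address.
    MakeUnknown(addr1, addr2 - addr1 + 6, DOUNK_DELNAMES);
    MakeCode(addr1);
    Message("\n" + "OK\n");
}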
I guess it would be fairly easy to extend the script to detect all nonsense jump pairs and do the whole file with one script run, but false hits worry me.
Git
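Added example, not part of the original post: a report-only scan that lists candidate jump pairs in a byte buffer so each hit can be reviewed before anything is NOPed, which is one way to handle the false-hit concern. It assumes, since the post does not define the pattern, that a bad pair is two short conditional jumps with opposite conditions landing on the same target; `find_jump_pairs`, `max_junk` and the sample bytes are constructed for illustration.

```python
# Added example: report-only scan, nothing is patched.
# ASSUMPTION (not stated in the post): a "bad jump pair" is two short
# conditional jumps with opposite conditions (e.g. jz/jnz) that land on the
# same target, with junk bytes between the second jump and that target.

def _s8(b):
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b

def find_jump_pairs(code, base=0, max_junk=8):
    """Return [(pair_address, target_address, junk_len), ...] for `code`."""
    hits = []
    i = 0
    while i + 4 <= len(code):
        op1, rel1, op2, rel2 = code[i:i + 4]
        target1 = i + 2 + _s8(rel1)   # rel8 is relative to the next instruction
        target2 = i + 4 + _s8(rel2)
        junk = target1 - (i + 4)      # bytes skipped by both jumps
        if (0x70 <= op1 <= 0x7F           # short Jcc opcodes
                and op2 == (op1 ^ 1)      # opposite condition
                and target1 == target2
                and 1 <= junk <= max_junk
                and target1 <= len(code)):
            hits.append((base + i, base + target1, junk))
            i = target1                   # resume at the real code
        else:
            i += 1
    return hits

# Constructed sample bytes (not taken from any real binary).
SAMPLE = bytes.fromhex(
    "558bec"        # push ebp / mov ebp, esp
    "74037501e8"    # jz +3 / jnz +1 / junk byte: the 5-byte case
    "33c0"          # xor eax, eax
    "74027505"      # jz/jnz with different targets: must not match
    "9090909090c3"
)

if __name__ == "__main__":
    for addr, target, junk in find_jump_pairs(SAMPLE, base=0x401000):
        print(f"{addr:#x}: pair skips {junk} junk byte(s), lands at {target:#x}; "
              f"NOP range is {target - addr} bytes")
```

A linear byte scan can also match inside instruction operands or data, so the hits are candidates to check in the disassembly, not a patch list.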