Exetools > General > General Discussion

Removing Obfuscation

#1
12-31-2011, 22:06
Git

You are probably familiar with the type of obfuscation which looks like this in IDA:

Code:
_0000008:1005F233                      loc_1005F233:                           ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233                                                              ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10               mov     edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                   mov     eax, 2Ch
_0000008:1005F23E 2B D0                                sub     edx, eax
_0000008:1005F240 89 15 64 6E 04 10               mov     ds:dword_10046E64, edx
_0000008:1005F246 7E 03                                jle     short near ptr loc_1005F24A+1
_0000008:1005F248 7F 01                                jg      short near ptr loc_1005F24A+1
_0000008:1005F24A
_0000008:1005F24A                      loc_1005F24A:                     ; CODE XREF: _0000008:1005F246j
_0000008:1005F24A                                                              ; _0000008:1005F248j
_0000008:1005F24A 25 01 05 68 6E                   and     eax, 6E680501h
_0000008:1005F24F 04 10                                add     al, 10h
_0000008:1005F251 7E 03                                jle     short near ptr loc_1005F255+1
_0000008:1005F253 7F 01                                jg      short near ptr loc_1005F255+1
_0000008:1005F255
_0000008:1005F255                      loc_1005F255:                     ; CODE XREF: _0000008:1005F251j
_0000008:1005F255                                                              ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E                       jmp     near ptr 7E6E07E5h
_0000008:1005F255                      ; ---------------------------------------------------------------------------
_0000008:1005F25A 04                                   db    4
_0000008:1005F25B 10                                   db  10h
You have to Undefine the code at the labels that are targets of jmpnn target+1. A new label appears 1 byte further on, which you then convert to Code, like this:

Code:
_0000008:1005F233                      loc_1005F233:                     ; CODE XREF: _0000008:1005F22Ej
_0000008:1005F233                                                              ; _0000008:1005F230j
_0000008:1005F233 8B 15 64 6E 04 10                   mov     edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                       mov     eax, 2Ch
_0000008:1005F23E 2B D0                                    sub     edx, eax
_0000008:1005F240 89 15 64 6E 04 10                   mov     ds:dword_10046E64, edx
_0000008:1005F246 7E 03                                    jle     short loc_1005F24B
_0000008:1005F248 7F 01                                    jg      short loc_1005F24B
_0000008:1005F248                      ; ---------------------------------------------------------------------------
_0000008:1005F24A 25                                      db  25h ; %
_0000008:1005F24B                      ; ---------------------------------------------------------------------------
_0000008:1005F24B
_0000008:1005F24B                      loc_1005F24B:                           ; CODE XREF: _0000008:1005F246j
_0000008:1005F24B                                                              ; _0000008:1005F248j
_0000008:1005F24B 01 05 68 6E 04 10                    add     ds:dword_10046E68, eax
_0000008:1005F251 7E 03                                     jle     short near ptr loc_1005F255+1
_0000008:1005F253 7F 01                                     jg      short near ptr loc_1005F255+1
_0000008:1005F255
_0000008:1005F255                      loc_1005F255:                           ; CODE XREF: _0000008:1005F251j
_0000008:1005F255                                                              ; _0000008:1005F253j
_0000008:1005F255 E9 8B 15 68 6E                       jmp     near ptr 7E6E07E5h
_0000008:1005F25A                      ; ---------------------------------------------------------------------------
_0000008:1005F25A 04 10                                   add     al, 10h


The obfuscation usually appears in blocks of 5 bytes that do nothing, like:

Code:
jnz lab
jz lab
<random byte>
lab: ...

Sometimes you also get a push/pop pair or an add/sub pair.

These can be NOP'd out to finally give:

Code:
_0000008:1005F233 8B 15 64 6E 04 10                    mov     edx, ds:dword_10046E64
_0000008:1005F239 B8 2C 00 00 00                  mov     eax, 2Ch
_0000008:1005F23E 2B D0                               sub     edx, eax
_0000008:1005F240 89 15 64 6E 04 10              mov     ds:dword_10046E64, edx
_0000008:1005F246 90                                   nop
_0000008:1005F247 90                                   nop
_0000008:1005F248 90                                   nop
_0000008:1005F249 90                                   nop
_0000008:1005F24A 90                                   nop
_0000008:1005F24B 01 05 68 6E 04 10              add     ds:dword_10046E68, eax
_0000008:1005F251 90                                   nop
_0000008:1005F252 90                                   nop
_0000008:1005F253 90                                   nop
_0000008:1005F254 90                                   nop
_0000008:1005F255 90                                   nop
_0000008:1005F256 8B 15 68 6E 04 10              mov     edx, ds:dword_10046E68
_0000008:1005F25C 89 15 40 6E 04 10              mov     ds:dword_10046E40, edx
_0000008:1005F262 81 7C 24 28 75 03 74+        cmp     dword ptr [esp+28h], 1740375h


You can now turn the full block into a Procedure if relevant, and the code is readable and assemblable. If you've got this far I have 2 questions. Firstly, what is this obfuscation called? (i.e., the name of the program that obfuscates it) and secondly, is there a more automated way of removing it? I wrote a script which I use to turn a selected block into NOPs, which helps, but it's still quite a trudge to do it by hand. If you read this far, thanks!

Git
#2
12-31-2011, 23:16
mm10121991
I don't think this is a specific kind of obfuscation.
Most of the time they are based on the disassembly way and an added junk byte.
See http://forum.exetools.com/showthread.php?t=13313
I think you cannot do more than a specific script.
Also, I remember the plugin CodeDoctor removes obfuscation, but I didn't try it.
#3
12-31-2011, 23:40
Git
Thanks. I'll look more at CodeDoctor, but on first glance it seems dangerous.

Git
#4
01-03-2012, 21:57
Git
I ended up using a script to use by hand. Put the cursor at the first of the 2 bad jumps and hit Alt-F9 to run the script. It NOPs the 5 bad positions, makes a block of code Unknown and then makes it code from the first address:

Code:
#include <idc.idc>

// Put the cursor on the first of the two bad jumps and run the script (Alt-F9).
static main()
{
  auto i, addr1;

  addr1 = ScreenEA();                       // address under the cursor

  if (addr1 == BADADDR)
  {
    Message("Bad address");
    Exit();
  }

  // Overwrite the 5-byte nonsense block (jcc, jcc, junk byte) with NOPs
  for (i = addr1; i < addr1 + 5; i++)
  {
    PatchByte(i, 0x90);
  }

  // Undefine the block plus the mis-decoded bytes after it, then re-create code
  MakeUnknown(addr1, 10, DOUNK_DELNAMES);
  MakeCode(addr1);

  Message("\nOK\n");
}
For obfuscation nonsense blocks of a size other than 5 bytes, I used a script that NOPs the selected block:

Code:
#include <idc.idc>

// Select the nonsense block in the disassembly view, then run the script.
static main()
{
  auto i, addr1, addr2;

  addr1 = SelStart();                       // first selected address
  addr2 = SelEnd();                         // address just past the selection

  if (addr1 == BADADDR || addr2 == BADADDR)
  {
    Warning("No area selected");
    Exit();
  }

  // Overwrite the whole selection with NOPs
  for (i = addr1; i < addr2; i++)
  {
    PatchByte(i, 0x90);
  }

  // Remove any label left one byte past the selection end
  if (Name(addr2 + 1) != "")
    MakeNameEx(addr2 + 1, "", SN_PUBLIC);

  // Undefine the selection plus 6 following bytes, then re-create code from the start
  MakeUnknown(addr1, addr2 - addr1 + 6, DOUNK_DELNAMES);
  MakeCode(addr1);

  Message("\nOK\n");
}
I guess it would be fairly easy to extend the script to detect all nonsense jump pairs and do the whole file with one script run, but false hits worry me.

Git
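The pattern Git describes in the first post (a conditional jump and its complement that both land one byte past a junk byte, so the junk is never executed) and the automated whole-file pass he considers at the end of this post can be tried on raw bytes outside IDA. The script below is an added example written for this page, not code from the thread or from IDA; it scans a byte blob for `jcc rel_a / jcc' rel_b` pairs with a common landing address, reports each hit with its mnemonics and junk bytes, and replaces the block with NOPs. The sample input is constructed from the first post's listing (base 1005F233h); `max_junk` and all function names are this example's own choices. It is a linear byte scan rather than an instruction-aware walk, so the false-hit concern raised above stands: a `7x rel 7x rel` sequence inside an immediate or displacement would also match, and each reported hit should be checked against a real instruction boundary before the patch is applied.

```python
"""Find and neutralise the jcc / complementary-jcc junk-byte trick in raw x86 code.

Added example, not code from the thread.  Pattern handled (offsets relative to i):
    i   : jcc  rel_a      (2 bytes, opcode 70h..7Fh)
    i+2 : jcc' rel_b      (2 bytes, the complementary condition: opcode ^ 1)
    i+4 : rel_b junk bytes that are never executed
Both jumps land at i+4+rel_b, so the whole block can be replaced by NOPs.
"""

SHORT_JCC = 0x70          # 70h..7Fh are the 8-bit-displacement conditional jumps
NOP = 0x90
JCC_MNEMONIC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
                "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

# Bytes taken from the listing in the first post (base 1005F233h), constructed
# here as sample input for the scanner.
SAMPLE_BASE = 0x1005F233
SAMPLE = bytes.fromhex(
    "8B 15 64 6E 04 10"   # mov     edx, ds:dword_10046E64
    "B8 2C 00 00 00"      # mov     eax, 2Ch
    "2B D0"               # sub     edx, eax
    "89 15 64 6E 04 10"   # mov     ds:dword_10046E64, edx
    "7E 03 7F 01 25"      # jle +3 / jg +1 / junk byte 25h
    "01 05 68 6E 04 10"   # add     ds:dword_10046E68, eax
    "7E 03 7F 01 E9"      # jle +3 / jg +1 / junk byte E9h
    "8B 15 68 6E 04 10"   # mov     edx, ds:dword_10046E68
    "89 15 40 6E 04 10"   # mov     ds:dword_10046E40, edx
)


def find_junk_pairs(code, max_junk=4):
    """Return [(offset, length)] for each complementary jcc pair that skips junk.

    Linear byte scan: it does not follow instruction boundaries, so a hit inside
    an immediate or displacement is possible.  max_junk bounds the number of
    junk bytes accepted (the thread's examples use exactly one).
    """
    hits = []
    i, n = 0, len(code)
    while i + 4 <= n:
        op_a, rel_a, op_b, rel_b = code[i], code[i + 1], code[i + 2], code[i + 3]
        if (SHORT_JCC <= op_a <= SHORT_JCC + 0x0F
                and op_b == (op_a ^ 1)            # jle/jg, jz/jnz, ...: one is always taken
                and 1 <= rel_b <= max_junk        # short forward jump over a few junk bytes
                and rel_a == rel_b + 2            # (i+2)+rel_a == (i+4)+rel_b: same target
                and i + 4 + rel_b <= n):          # target lies inside the blob
            length = 4 + rel_b
            hits.append((i, length))
            i += length                           # resume at the real instruction
        else:
            i += 1
    return hits


def describe_hits(code, hits, base=0):
    """One human-readable line per hit, e.g. '1005F246: jle/jg over 1 junk byte(s) (25)'."""
    lines = []
    for off, length in hits:
        a = JCC_MNEMONIC[code[off] - SHORT_JCC]
        b = JCC_MNEMONIC[code[off + 2] - SHORT_JCC]
        junk = " ".join(f"{x:02X}" for x in code[off + 4:off + length])
        lines.append(f"{base + off:08X}: {a}/{b} over {length - 4} junk byte(s) ({junk})")
    return lines


def nop_junk_pairs(code, hits):
    """Return a copy of code with every detected block overwritten by NOPs."""
    patched = bytearray(code)
    for off, length in hits:
        patched[off:off + length] = bytes([NOP]) * length
    return bytes(patched)


if __name__ == "__main__":
    found = find_junk_pairs(SAMPLE)
    for line in describe_hits(SAMPLE, found, SAMPLE_BASE):
        print(line)
    print(" ".join(f"{x:02X}" for x in nop_junk_pairs(SAMPLE, found)))
```

Run against the sample it reports the two blocks at 1005F246 and 1005F251 and produces the same byte stream as the NOP'd listing in the first post, with `add ds:dword_10046E68, eax` and `mov edx, ds:dword_10046E68` intact at their original offsets. Because `find_junk_pairs` skips to the landing address after a hit, a second pass over the patched bytes finds nothing, which is a cheap sanity check that the patch did not create a new match.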
#5
01-04-2012, 19:35
deepzero
I agree it's probably the most common anti-disassembler trick. Olly handles it quite well, if the code is within the code section & analyzed.

ASProtect uses this quite heavily, and back in the day I also wrote a script to combat this.