#1
Decompiling the mov compiler
Does anyone have a resource for unobfuscating, and hence making decompilation practical for, the output of the movfuscator?
#2 (mr.exodia)
Most likely it has to do with the fact that writing obfuscators is very profitable and writing deobfuscators is a huge chore and not very profitable at all, especially to release in public.
#3 (t3xc0d3)
The movfuscator and its variations are mostly broken. For instance, have a look at this talk:
description: https://recon.cx/2016/talks/%22Movfuscator-Be-Gone.html
video: https://www.youtube.com/watch?v=d_R8i0dVBsQ
code: https://github.com/kirschju/demovfuscator
thesis/writeup: https://kirschju.re/static/ba_jonischkeit_2016.pdf
Others have broken the movfuscator earlier: https://twitter.com/tathanhdinh/status/634165703558434816
Symbolic execution is also quite successful on these kinds of obfuscations. If you mix it with some taint analysis, there should not be much left. For a great work on generic obfuscation, have a look at https://www.cs.arizona.edu/people/debray/Publications/generic-deobf.pdf .
Last edited by t3xc0d3; 12-08-2016 at 18:28.
#4
The thing about these kinds of obfuscators is that:
1. Approaching a MoV'd binary *knowing* that it has been movfuscated makes it really easy, because you already know what you are dealing with, and on top of that, you have the source of the obfuscator: you don't have to spend a bunch of days reversing it just to get the idea of the obfuscation, because you already know it.
2. The obfuscation is not intelligent, but rather, it's almost a translation of instructions. If it can be done in one way, it can be done in the other, right? Even more so if the source is public and all you have to do is see how it works.
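To make post #4's "it's almost a translation of instructions, so it can be undone" concrete, and to show the kind of idiom matching that the pattern-based and symbolic lifting mentioned in post #3 builds on, here is an added example. It is not code from this thread, nor from the movfuscator or demovfuscator projects: a toy Python model of the two idioms a mov-only compiler relies on, lookup tables for ALU operations and branch-free selection for conditionals, together with an interpreter for the mov-only code and a lifter that matches the idioms back into three-address code. The IR, the table names, the `_sel` scratch array and the `_zero`/`_one` constant registers are all invented for the illustration; the real movfuscator's tables, memory layout and jump emulation are considerably more involved, and the sample program is constructed.

```python
"""Toy model of mov-only lowering and its reversal (added illustration)."""

# Every ALU operation becomes a lookup in a 256x256 table (one row per
# left operand). The table names are invented for this example.
TABLES = {
    "add": [[(a + b) & 0xFF for b in range(256)] for a in range(256)],
    "xor": [[a ^ b for b in range(256)] for a in range(256)],
    "eq":  [[int(a == b) for b in range(256)] for a in range(256)],
}


def movfuscate(prog):
    """Lower a three-address program to mov-only code.

    Input ops:
      ("op", table, dst, a, b)      dst = TABLE[a][b]
      ("select", dst, cond, x, y)   dst = x if cond else y   (cond holds 0/1)
    Output op (the only one left):
      ("mov", dst, src) where dst/src is ("reg", r) or ("mem", base, idx_reg);
      base names a table, the scratch array "_sel", or a register holding a
      table row; idx_reg is a register name.
    """
    out, rows = [], 0
    for ins in prog:
        if ins[0] == "op":
            _, table, dst, a, b = ins
            row = f"_row{rows}"
            rows += 1
            out.append(("mov", ("reg", row), ("mem", table, a)))  # row = TABLE[a]
            out.append(("mov", ("reg", dst), ("mem", row, b)))    # dst = row[b]
        elif ins[0] == "select":
            _, dst, cond, x, y = ins
            # No branch: both candidates are stored and the 0/1 condition
            # indexes the one that survives (the "execute every path" style).
            out.append(("mov", ("mem", "_sel", "_zero"), ("reg", y)))
            out.append(("mov", ("mem", "_sel", "_one"), ("reg", x)))
            out.append(("mov", ("reg", dst), ("mem", "_sel", cond)))
        else:
            raise ValueError(f"unknown op {ins!r}")
    return out


def run_mov(mov_prog, regs):
    """Execute mov-only code; returns the final register file."""
    regs = dict(regs, _zero=0, _one=1)      # constant registers
    mem = dict(TABLES, _sel=[0, 0])         # tables plus the select scratch
    base = lambda name: mem[name] if name in mem else regs[name]
    for op, dst, src in mov_prog:
        assert op == "mov", op
        val = regs[src[1]] if src[0] == "reg" else base(src[1])[regs[src[2]]]
        if dst[0] == "reg":
            regs[dst[1]] = val
        else:
            base(dst[1])[regs[dst[2]]] = val
    return regs


def demovfuscate(mov_prog):
    """Undo the lowering by matching the two idioms movfuscate() emits."""
    lifted, i = [], 0
    while i < len(mov_prog):
        a = mov_prog[i]
        nxt = mov_prog[i + 1] if i + 1 < len(mov_prog) else None
        # Idiom 1: row = TABLE[x]; dst = row[y]  ->  ("op", TABLE, dst, x, y)
        if (nxt and a[2][0] == "mem" and a[2][1] in TABLES
                and nxt[2][0] == "mem" and nxt[2][1] == a[1][1]):
            lifted.append(("op", a[2][1], nxt[1][1], a[2][2], nxt[2][2]))
            i += 2
            continue
        # Idiom 2: _sel[0] = y; _sel[1] = x; dst = _sel[cond]  ->  select
        if (i + 2 < len(mov_prog) and a[1] == ("mem", "_sel", "_zero")
                and nxt[1] == ("mem", "_sel", "_one")
                and mov_prog[i + 2][2][:2] == ("mem", "_sel")):
            third = mov_prog[i + 2]
            lifted.append(("select", third[1][1], third[2][2], nxt[2][1], a[2][1]))
            i += 3
            continue
        raise ValueError(f"unrecognised idiom at {i}: {a!r}")
    return lifted


# Constructed sample program: r4 = r0 + r1 if r0 == r1 else r0 ^ r1
PROG = [
    ("op", "add", "r2", "r0", "r1"),
    ("op", "xor", "r3", "r0", "r1"),
    ("op", "eq", "c", "r0", "r1"),
    ("select", "r4", "c", "r2", "r3"),
]


if __name__ == "__main__":
    lowered = movfuscate(PROG)
    print(f"{len(lowered)} mov instructions; lifts back to the original:",
          demovfuscate(lowered) == PROG)
    for r0, r1 in ((5, 5), (200, 100)):
        print(r0, r1, "->", run_mov(lowered, {"r0": r0, "r1": r1})["r4"])
```

The lifter works only because the lowering is mechanical: each source operation leaves a fixed-shape footprint (a table-indexed load followed by a row-indexed load; two stores to a scratch pair followed by a conditional-indexed load), so recognising the footprint is enough to recover the operation. That is the same reason the real tooling cited in post #3 succeeds once the table addresses and the scratch locations have been identified in the binary.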