A deobfuscation plugin for IDA
teapotd/xdeobf

xdeobf

Experimental deobfuscation plugin for IDA 7.2. It aims to reverse a control flow flattening transformation that I encountered (probably a variation of obfuscator-llvm). The plugin most likely won't work out of the box, as it was designed to handle one specific binary.

Approach

  1. Switch reconstruction - in the LOCOPT phase
    • find the dispatcher variable
    • find the mapping from dispatcher variable values to blocks (switch cases)
    • copy blocks reachable from multiple switch cases (so that the subgraphs for different cases don't overlap)
    • finally, create an NWAY block for the recovered switch cases
  2. Unflattening - in the GLBOPT1 phase
    • find the dispatcher switch and variable again
    • recover the successors of each switch case

xdeobf, unlike HexRaysDeob, runs in two microcode optimization phases. Reconstructing the switch already in the LOCOPT phase lets the Hex-Rays decompiler better optimize away the conditions that modify the dispatcher variable before the plugin attempts to recover control flow in the GLBOPT1 phase.
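To make the two recovery steps concrete, here is an added Python model of them on a constructed toy IR; it is not code from the xdeobf repository (which works on Hex-Rays microcode through the SDK) and does not touch IDA. The instruction forms, the block names, the "most compared constant" heuristic for spotting the dispatcher variable, and the names `FLAT`, `find_dispatcher` and `recover_successors` are all assumptions of this sketch; it also assumes each case is a single block, which is what the LOCOPT block copying aims to guarantee.

```python
from collections import Counter

# Constructed toy IR standing in for Hex-Rays microcode (not IDA's API).
# Block = list of instruction tuples:
#   ("set",  var, const)                 var = const
#   ("setc", var, cond, c_true, c_false) var = cond ? c_true : c_false
#   ("jeq",  var, const, target)         if var == const: goto target
#   ("jmp",  target) / ("ret",)          goto target / return
FLAT = {
    "entry": [("set", "state", 0x11), ("jmp", "disp")],
    "disp":  [("jeq", "state", 0x11, "A"), ("jeq", "state", 0x22, "B"),
              ("jeq", "state", 0x33, "C"), ("jmp", "C")],
    "A":     [("set", "x", 1), ("setc", "state", "x > 0", 0x22, 0x33), ("jmp", "disp")],
    "B":     [("set", "x", 2), ("set", "state", 0x33), ("jmp", "disp")],
    "C":     [("jeq", "x", 2, "exit"), ("ret",)],
    "exit":  [("ret",)],
}

def find_dispatcher(blocks):
    """Dispatcher variable = the one compared against the most constants (assumed
    heuristic); the block holding those compares is the dispatcher, its compares
    give the value -> case block mapping."""
    per_var = Counter(i[1] for insns in blocks.values() for i in insns if i[0] == "jeq")
    var = per_var.most_common(1)[0][0]
    disp = max(blocks, key=lambda b: sum(i[0] == "jeq" and i[1] == var for i in blocks[b]))
    cases = {i[2]: i[3] for i in blocks[disp] if i[0] == "jeq" and i[1] == var}
    return var, disp, cases

def recover_successors(blocks, var, disp, cases):
    """Replace "state = K; goto dispatcher" with the edge the dispatcher would
    take for K; a conditional assignment becomes two edges. One block per case."""
    cfg = {}
    for name, insns in blocks.items():
        if name == disp:
            continue
        succ = []
        for ins in insns:
            if ins[0] == "set" and ins[1] == var:
                succ = [("always", cases[ins[2]])]
            elif ins[0] == "setc" and ins[1] == var:
                succ = [(ins[2], cases[ins[3]]), ("not " + ins[2], cases[ins[4]])]
            elif ins[0] == "jeq" and ins[1] != var:
                succ.append((f"{ins[1]} == {ins[2]}", ins[3]))  # ordinary branch, keep it
            elif ins[0] == "jmp" and ins[1] != disp:
                succ.append(("always", ins[1]))  # ordinary jump, keep it
        cfg[name] = succ
    return cfg

if __name__ == "__main__":
    print(recover_successors(FLAT, *find_dispatcher(FLAT)))
```

The recovered edges (entry -> A, A -> B or C depending on `x > 0`, B -> C, C -> exit) are the original control flow that the dispatcher loop was hiding.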

References