Git Product home page Git Product logo

deobfuscator's Introduction

deobfuscator

Introduction

Flexible deobfuscator.

Feature

x86 x86_64 arm arm64
deflat TODO TODO PARTLY ✔️
  • two engine mode for deflat
  • flexible patch pattern
  • easy to port

Usage:

requirements:

  • python3.7 +
  • dependencies:
pip3 install qiling angr termcolor capstone keystone

modify the start address and filename in main.py, and

python3 main.py

Specify the strategy 0 or 1 in emulator.search_path, in order to handle different flatten cases.

TODO:

  • support x86, x86_64
  • support Bogus Control Flow deobfuscation
  • add blocks analysis manually
  • IDAPro plugin, in order to mark the blocks visually by interacting with the deobfuscator (to handle different ida python version)

deobfuscator's People

Contributors

pcy190 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

breathleas arryboom kuustudio kernelbk md-levitan h01k alehacksp piowind killvxk owensu kingking888 kknet ldzspace nhat3eo22 easy-forks

deobfuscator's Issues

AttributeError: 'QlRegisterManager' object has no attribute 'w9'

I run main.py ,But it raises this:

Traceback (most recent call last):
  File "main.py", line 12, in <module>
    emulator.search_path(strategy=0)  # or strategy=1
  File "/Users/wangyankun/Documents/deobfuscator-master/emulator.py", line 471, in search_path
    ql.run(begin=bb.start_addr)
  File "/Library/Python/3.7/site-packages/qiling/core.py", line 197, in run
    self.os.run()
  File "/Library/Python/3.7/site-packages/qiling/os/linux/linux.py", line 125, in run
    self.ql.emu_start(self.ql.loader.elf_entry, self.exit_point, self.ql.timeout, self.ql.count)
  File "/Library/Python/3.7/site-packages/qiling/core.py", line 259, in emu_start
    raise self.internal_exception
  File "/Library/Python/3.7/site-packages/qiling/utils.py", line 19, in wrapper
    return func(*args, **kw)
  File "/Library/Python/3.7/site-packages/qiling/core_hooks.py", line 159, in _hook_trace_cb
    ret = h.call(ql, addr, size)
  File "/Library/Python/3.7/site-packages/qiling/core_hooks.py", line 36, in call
    return self.callback(ql, *args)
  File "/Users/wangyankun/Documents/deobfuscator-master/emulator.py", line 158, in guide_hook
    reg2_val = ql.reg.__getattribute__(reg2)
  File "/Library/Python/3.7/site-packages/qiling/arch/register.py", line 28, in __getattribute__
    return super(QlRegisterManager, self).__getattribute__(name)
AttributeError: 'QlRegisterManager' object has no attribute 'w9'

尝试分析一个so文件时,出现的一些问题,希望能提供帮助或意见

使用analyzer.py去分析libmsaoaidsec.so文件
if name == 'main':
# load_to_angr('example/lib64_example.so', 0x13C88)
analyzer = DeflatAnalyzer('example/libmsaoaidsec.so')
analyzer.analysis_flatten_blocks(0xC40C)
analyzer.show_blocks_info()
以下是异常日志
CRITICAL | 2023-07-06 16:23:57,481 | cle.backends.backend | Deprecation warning: the custom_base_addr parameter has been renamed to base_addr
WARNING | 2023-07-06 16:23:57,864 | cle.backends.externs | Symbol was allocated without a known size; emulation may fail if it is used non-opaquely: __stack_chk_guard
WARNING | 2023-07-06 16:23:57,864 | cle.backends.externs | Symbol was allocated without a known size; emulation may fail if it is used non-opaquely: __sF
WARNING | 2023-07-06 16:23:57,868 | cle.loader | For more information about "Symbol was allocated without a known size",see https://docs.angr.io/extending-angr/environment#simdata
WARNING | 2023-07-06 16:24:08,360 | pyvex.lifting.gym.arm_spotter | Ignoring STMxx ^ instruction at 0x17518. This mode is not implemented by VEX! See pyvex/lifting/gym/arm_spotter.py
base addr : 0x0

            [WARNING] start address is higher than base address. 
            Check if the start address has stripped the base address.

fail to find function at 0xc40c, now try blocks analysis
是不是因为导入表的函数未找到,需要导入例如libc.so
感谢项目的开源

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.