RPISEC/llvm-deobfuscator RPISEC/llvm-deobfuscator

  • Stars
    star
    395
  • Rank 106,763 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created over 6 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
RPISEC/llvm-deobfuscator
github

RPISEC

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

llvm-deobfuscator

Performs the inverse operation of the control flow flattening pass performed by LLVM-Obfuscator. It does not yet undo the bogus control flow and expression substitution passes.

Makes use of the BinaryNinja SSA form to determine all usages of the state variable. To use, right click on the state variable and click "Deobfuscate (OLLVM)". Note that the instruction writing to the state variable is typically in the first basic block of the function, and looks something like:

mov dword [rbp-0xf8], 0x962e7c4e

with minor variations in the large constant and variable offset.

For more information on llvm obfuscator itself, the source is an obvious ground truth :)

Installation

Should just be able to git clone the repository into your plugins repository.

Other Protections

More Repositories

1

MBE

Course materials for Modern Binary Exploitation by RPISEC
C
5,355
star
2

Malware

Course materials for Malware Analysis by RPISEC
3,651
star
3

HackTheVote

Handouts, setup scripts, sources, and solutions for challenges from Hack The Vote CTFs
C
217
star
4

website

Verilog
7
star
5

csci-4971-bomb

C
6
star
6

tools-website

https://tools.rpis.ec
HTML
4
star
7

Writeups

C
1
star