gdbinit/HexRaysDeob gdbinit/HexRaysDeob

  • Stars
    star
    118
  • Rank 299,923 (Top 6 %)
  • Language
    C++
  • License
    GNU General Publi...
  • Created about 4 years ago
  • Updated about 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
gdbinit/HexRaysDeob
github

gdbinit

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hex-Rays OLLVM Deobfuscator and MicroCode Explorer

Hex-Rays OLLVM Deobfuscator and MicroCode Explorer

Original by Rolf Folles Ported from https://github.com/RolfRolles/HexRaysDeob

Reference: https://www.hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler/

  • Implements all options in a menu item on pseudo code view

  • Allows to runtime enable/disable the deobfuscator

  • After enable/disable press F5 again in the pseuco code view to refresh

This uses the new C++ plugin API so it's only >= IDA 7.5 compatible

Based on IDA SDK ht_view sample plugin

Alternative microcode explorer with different features is Lucid

Build

The default Makefile is for macOS version. Windows and Linux versions available per original project.

Mac build

Edit the Makefile and fix the IDA paths if necessary.

To compile and install 64 bit version:

EA=1 make
EA=1 make install

To compile and install 32 bit version:

EA=0 make
EA=0 make install

Linux build

To compile and install 64 bit version:

EA=1 IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make -f makefile.lnx
EA=1 IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make install -f makefile.lnx

To compile and install 32 bit version:

EA=0 IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make -f makefile.lnx
EA=0 IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make install -f makefile.lnx

Windows build

Open the Visual Studio project and hope for the best. Didn't test :-)

IDA SDK References

Deobfuscation references

More Repositories

1

MachOView

MachOView fork
C
2,495
star
2

Gdbinit

Gdbinit for OS X, iOS and others - x86, x86_64 and ARM
1,596
star
3

lldbinit

A gdbinit clone for LLDB
Python
325
star
4

firmware_vault

A repo for all Apple EFI firmware files
255
star
5

readmem

A small OS X/iOS userland util to dump processes memory
C
218
star
6

onyx-the-black-cat

Kernel extension to disable anti-debug tricks and other useful XNU "features"
C
209
star
7

rootfool

A small tool to dynamically disable and enable SIP in El Capitan
C
163
star
8

EFISwissKnife

An IDA plugin to improve (U)EFI reversing
C++
142
star
9

hydra

A kernel extension and userland daemon to patch applications
C
104
star
10

otool-ng

Some improvements to Apple's otool.
C
100
star
11

gopher

A OS X crypto ransomware PoC
C
90
star
12

mach_race

Exploit code for CVE-2016-1757
C
81
star
13

efi_dxe_emulator

EFI DXE Emulator and Interactive Debugger
C
79
star
14

pydbg64

PyDBG64 - OS X PyDbg with 64 bits support
C
68
star
15

osx_boubou

A PoC Mach-O infector via library injection
C
64
star
16

mpress_dumper

MPRESS dumper for OS X
Assembly
64
star
17

gimmedebugah

A small utility to inject a Info.plist into binaries.
C
57
star
18

gdb-ng

Apple's gdb fork with some fixes and enhancements
C
54
star
19

ExtractMachO

IDA plugin to extract Mach-O binaries located in the disassembly or data
C
54
star
20

Gatekeerper

A kernel extension to mitigate Gatekeeper bypasses
C
48
star
21

kextstat_aslr

Implementation of kexstat via /dev/kmem with kernel ASLR support
C
38
star
22

can_I_suid

A TrustedBSD module to control execution of binaries with suid bit set
C
37
star
23

crackme_nr1

fG!'s crackme #1 source code
C
36
star
24

bruteforcesysent

Small util to discover OS X sysent via bruteforce
C
33
star
25

tcplognke

Apple's tcplognke code sample
C
29
star
26

TELoader

A TE executable format loader for IDA
C
28
star
27

unicorn_string_deobfuscator

A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscation
C
27
star
28

mario

The kernel component of rootpipe fix for Mavericks
C
27
star
29

adium-ng-preview

Repo to dump some preview info and builds for adium-ng
27
star
30

MicrocodeExplorer

Hex-Rays MicrocodeExplorer
C++
26
star
31

readkmem

small utility to dump kernel memory
C
25
star
32

rex_versus_the_romans

Anti Hacking Team TrustedBSD module
C
25
star
33

readphysmem

A small utility to read and write to Macs physical memory using default AppleHWAccess.kext.
Objective-C
25
star
34

llvmpatches

Misc llvm patches
CMake
22
star
35

hello_santa_bye_santa

Bypass Google's Santa
C
21
star
36

fixobjc

IDA IDC script to improve Objective-C disassembly output
21
star
37

checkidt

Small util to dump the IDT table of a running OS X system with kmem enabled
C
20
star
38

armorysandbox

A USB armory based USB sandbox
Makefile
20
star
39

MachOPlugin

IDA plugin to Display Mach-O headers
C
19
star
40

icetheguardianv2

A TrustedBSD module PoC to monitor writes to Daemons and Agents folders
C
19
star
41

diagnostic_service

OS X rootkit loader version #1
C++
18
star
42

kgmacros

Fixed kgmacros to work with VMware kernel gdb stub
17
star
43

ExtractMacho2

IDA plugin to extract Mach-O binaries located in the disassembly or data
C++
17
star
44

syscall-benchmark

macOS syscall performance benchmark
Assembly
16
star
45

av-monster

PoC kext to disable OS X anti-virus software
C
15
star
46

luigi

The userland component of rootpipe fix for Mavericks
Objective-C
14
star
47

carbon_copy_cloner_keychaingen

A keygen for Carbon Copy Cloner private keychain
Objective-C
14
star
48

Crisis-Analysis-Tools

Scripts and other material related to OS.X/Crisis malware analysis
C
13
star
49

diagnostic_service2

OS X rootkit loader version #2
C++
12
star
50

calcspace

Small util to calculate available free space in mach-o binaries for code injection
C
12
star
51

idc-scripts

Random collection of IDA's IDC scripts
11
star
52

Disable-m3u

iTunes plugin to disable creation of m3u playlists
C
11
star
53

rexthewonderdog

A lazy PoC for implementing backdoors in OS X TrustedBSD Mac framework.
C
10
star
54

fuckyouilfak

A IDA Pro 9.0 Beta 2 macOS x86 Fix Loader
C
10
star
55

delambert

GreenLambert macOS IDA plugin to deobfuscate strings
C++
10
star
56

GiveMeHex

A quick IDA hack to get addresses with 0x prefix
C++
9
star
57

twitterwipe

A Go utillty to delete your Twitter history
Go
9
star
58

how_crap_is_ida

An IDA plugin to compare IDA detected functions output versus LC_FUNCTION_STARTS information
C++
9
star
59

evilquest_stats

Small utility to hash EvilQuest code and cstrings sections
Go
7
star
60

keygen_CrackMe_nr1_qwertyoruiop

Keygen for qwertyoruiop's CrackMe nr1
C
7
star
61

spiflash

Very fast reader for SPI flashes for Teensy 2.x.
C
7
star
62

bpf_dbg_output

Small tool to convert bpf binary bytecode to bpf_dbg format
C
7
star
63

evilquest_deobfuscator

EvilQuest/ThiefQuest malware strings decrypter/deobfuscator
Go
6
star
64

icetheguardian

A PoC to protect critical OS X files using TrustedBSD Mac framework.
C
5
star
65

SMBIOSKeygen

macserial and GenSMBIOS merged and ported to Go
Go
4
star
66

yage

An age fork with internal Yubikeys support
Go
2
star
67

snake_queue_parser

A decryptor for Snake/Turla configuration files
Objective-C
2
star
68

Mach-O-Lib

Library to access and manipulate Mach-O headers
1
star
69

macserial

macserial Go module
1
star