The Deobfuscator presented at REcon 2008

by Eric D. Laspe

Summary: The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code into simplified code in the actual binary. The plug-in uses emulation techniques to recognize obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or together with a binary injector to ease dynamic analysis. We developed this tool while assessing the strength of software protections and analyzing malware for DoD government entities and commercial companies. Since its inception, the Deobfuscator has reduced analysis tasks that previously took days into ones that take mere minutes. The Deobfuscator can currently replace over 49 different obfuscation patterns with simplified code that improves disassembly and human readability. Most of these patterns are generic in nature and are not limited to simple peephole observations. The Deobfuscator can resolve: many forms of anti-disassembly, such as jump chains, push-returns, call-returns, return folds, jump indirects, and jumps into instructions; several types of move and stack manipulation obfuscations, which try to mask the flow of data; and unnecessary operations that have no net effect. In its "aggressive" and "ultra" modes, the Deobfuscator tracks single or multiple register liveness, respectively, and can replace "dead code" with nop instructions. Its "nop remove" and "collapse" modes can then be used to further simplify the display of deobfuscated code.
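As an added illustration of three of the transforms listed in the summary (push-return folding, jump-chain collapsing, and liveness-based replacement of dead register writes with nop), here is a small Python peephole pass. It is example code written for this page, not code from the Deobfuscator plug-in or from the author. It runs over a constructed text listing with made-up addresses instead of an IDA database, assumes a trivial 32-bit register model, treats every register as live at the end of each basic block (so nothing is removed on the strength of cross-block reasoning), and never removes flag-writing instructions; the plug-in described above works inside IDA and handles far more patterns.

```python
# Toy peephole deobfuscator, added as an example and not the Deobfuscator's own code:
# three of the transforms the abstract names, run on a constructed text listing.
import re
from dataclasses import dataclass, field

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
JUMPS = {"jmp", "jz", "jnz", "je", "jne"}
BRANCHES = JUMPS | {"ret", "call"}

@dataclass
class Insn:
    addr: int
    mnem: str
    ops: list = field(default_factory=list)

def parse(listing):  # lines of 'addr: mnem op1, op2 ; comment', hex addresses
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()
        if line:
            addr, rest = line.split(":", 1)
            mnem, _, rest = rest.strip().partition(" ")
            out.append(Insn(int(addr, 16), mnem, [o.strip() for o in rest.split(",") if o.strip()]))
    return out

def target(x):  # direct branch target, or None for non-branches and indirect jumps
    if x.mnem in JUMPS and x.ops and x.ops[0].startswith("0x"):
        return int(x.ops[0], 16)

def fold_push_ret(insns):  # 'push X; ret' transfers control to X exactly like 'jmp X'
    for a, b in zip(insns, insns[1:]):
        if a.mnem == "push" and b.mnem == "ret" and not b.ops:
            a.mnem, b.mnem, b.ops = "jmp", "nop", []

def collapse_jump_chains(insns):  # retarget direct branches past chains of direct jmps
    by_addr = {x.addr: x for x in insns}
    for x in insns:
        t, seen = target(x), set()
        while t in by_addr and t not in seen and by_addr[t].mnem == "jmp" and target(by_addr[t]):
            seen.add(t)
            t = target(by_addr[t])
        if t is not None:
            x.ops = [f"0x{t:x}"]

def semantics(x):  # (defs, uses, removable): regs written, regs read, may be nopped if dead
    regs = lambda op: {r for r in re.findall(r"[a-z]+", op) if r in REGS}
    m, ops = x.mnem, x.ops
    if m in ("mov", "lea") and ops[0] in REGS:      # no flags, no memory write
        return {ops[0]}, regs(ops[1]), ops[0] != "esp"
    if m in ("add", "sub", "xor", "and", "or") and ops[0] in REGS:
        uses = set() if m in ("xor", "sub") and ops[0] == ops[1] else {ops[0]} | regs(ops[1])
        return {ops[0]}, uses, False                # writes flags: kept even if dest is dead
    if m == "pop" and ops[0] in REGS:
        return {ops[0]}, set(), False
    if m in ("push", "mov", "nop") or m in BRANCHES:
        return set(), set().union(*(regs(o) for o in ops)), False
    return set(), set(REGS), False                  # unknown: assume it reads everything

def basic_blocks(insns):  # split at branch targets and after branches; no inter-block analysis
    leaders = {insns[0].addr}
    for i, x in enumerate(insns):
        if x.mnem in BRANCHES:
            leaders |= {target(x), insns[i + 1].addr if i + 1 < len(insns) else None}
    blocks = []
    for x in insns:
        if x.addr in leaders:
            blocks.append([])
        blocks[-1].append(x)
    return blocks

def nop_dead_code(insns):  # backward liveness per block; all registers assumed live at block exit
    for block in basic_blocks(insns):
        live = set(REGS)
        for x in reversed(block):
            defs, uses, removable = semantics(x)
            if removable and not (defs & live):
                x.mnem, x.ops = "nop", []           # definition is never read: dead store
            else:
                live = (live - defs) | uses

def deobfuscate(listing, strip_nops=False):
    insns = parse(listing)
    fold_push_ret(insns)
    collapse_jump_chains(insns)
    nop_dead_code(insns)
    return [x for x in insns if not (strip_nops and x.mnem == "nop")]
SAMPLE = """
1000: mov eax, 0x41414141   ; junk: eax is overwritten at 1008 before any read
1005: mov ecx, [ebp+8]
1008: mov eax, ecx
100a: mov edx, 0            ; kept: edx may be read after the block ends
100f: add eax, 4
1012: push 0x1030           ; push/ret pair standing in for 'jmp 0x1030'
1017: ret
1030: jmp 0x1040            ; jump chain 1030 -> 1040 -> 1050
1040: jmp 0x1050
1050: pop ebx
"""  # constructed sample listing
if __name__ == "__main__":
    for x in deobfuscate(SAMPLE, strip_nops=True):
        print(f"{x.addr:04x}: {x.mnem} {', '.join(x.ops)}".rstrip())
```

The order of the passes matters: folding push/ret first turns the pair into a direct jmp, which the chain-collapsing pass can then retarget, and only after control flow is settled are basic blocks split for the liveness pass. The `strip_nops` flag plays the role of a "nop remove" display step. Treating flag-writing arithmetic as never removable, and every register as live at block exit, is what keeps the toy from deleting code that a later block or a conditional jump actually depends on.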