def deobfuscation(self): """ Deobfuscation of the push_reg function """ print Color.step("Emulating each call to {}".format(self.pattern.name)) # for each call to the function for match_func in self.pattern.matches.matches: for args in match_func.args: push_arg1 = int(args["push1"][0].info.arg1, 16) push_arg2 = int(args["push2"][0].info.arg1, 16) push_addr2 = args["push2"][0].info.address func_end = match_func.match["last_inst"][0].info.address ret_addr = args["call"][0].info.address + len( args["call"][0].info.opcode) + 1 # init registers and call the targeted function self.sb.call_callback(match_func.func_addr, push_arg1, push_arg2, cb=self.end, ret_addr=ret_addr, bp=func_end) # save the deobfuscated instruction if self.tmp: # calculate call address addr = (self.tmp - push_addr2) & 0xFFFFFFFF match_func.deobf_inst.append({ "args": args, "inst": "JMP {}".format(addr) }) self.tmp = 0
def patch(self): patch = Patch(self.sb) print Color.step("Patching each call to {} (can take a while)".format( self.pattern.name)) for match_func in self.pattern.matches.matches: for elem in match_func.deobf_inst: args = elem["args"] inst = elem["inst"] start = args["push"][0].info.address end = args["call"][0].info.address + len( args["call"][0].info.opcode) + 1 # patch the range with NOPs patch.nop_range(start, end) # write the deobfuscated instruction patch.patch(start, end, inst)
def main(): """Main""" # Init options = usage() emu = Emu(options) # Deobfuscation emu.deobf_push_reg() emu.deobf_detour_call() emu.deobf_detour_jmp() # Generation of IDA script if options.ida: ida = Ida(emu) ida.dump(options.input + "_ida.py") # Create the deobfuscated version clean = options.input + ".clean" print Color.step("Patched nymaim available: {}".format(clean)) open(clean, 'wb').write(str(emu.sb.pe))
def deobfuscation(self): """ Deobfuscation of the push_reg function """ print Color.step("Emulating each call to {}".format(self.pattern.name)) # for each call to the function for match_func in self.pattern.matches.matches: for args in match_func.args: push_arg = int(args["push"][0].info.arg1, 16) # init registers and call the targeted function self.init() self.sb.call_callback(match_func.func_addr, push_arg, cb=self.end) # save the deobfuscated instruction if self.tmp_str: match_func.deobf_inst.append({ "args": args, "inst": self.tmp_str }) self.tmp_str = ""
def _search(self): """Searching for the pattern in the binary""" print Color.step("Searching for the pattern {}".format(self.name)) self.matches = Matches(self.cfg, self.test_graph)
def dump(self, path): """ Dump the script into a file""" with open(path, 'w') as f: f.writelines(self.script) print Color.step("Creation of an IDA script to rename function: {}".format(path))