def deobfuscation(self):
""" Deobfuscation of the push_reg function """
print Color.step("Emulating each call to {}".format(self.pattern.name))
# for each call to the function
for match_func in self.pattern.matches.matches:
for args in match_func.args:
push_arg1 = int(args["push1"][0].info.arg1, 16)
push_arg2 = int(args["push2"][0].info.arg1, 16)
push_addr2 = args["push2"][0].info.address
func_end = match_func.match["last_inst"][0].info.address
ret_addr = args["call"][0].info.address + len(
args["call"][0].info.opcode) + 1
# init registers and call the targeted function
self.sb.call_callback(match_func.func_addr,
push_arg1,
push_arg2,
cb=self.end,
ret_addr=ret_addr,
bp=func_end)
# save the deobfuscated instruction
if self.tmp:
# calculate call address
addr = (self.tmp - push_addr2) & 0xFFFFFFFF
match_func.deobf_inst.append({
"args": args,
"inst": "JMP {}".format(addr)
})
self.tmp = 0
def patch(self):
patch = Patch(self.sb)
print Color.step("Patching each call to {} (can take a while)".format(
self.pattern.name))
for match_func in self.pattern.matches.matches:
for elem in match_func.deobf_inst:
args = elem["args"]
inst = elem["inst"]
start = args["push"][0].info.address
end = args["call"][0].info.address + len(
args["call"][0].info.opcode) + 1
# patch the range with NOPs
patch.nop_range(start, end)
# write the deobfuscated instruction
patch.patch(start, end, inst)
def main():
"""Main"""
# Init
options = usage()
emu = Emu(options)
# Deobfuscation
emu.deobf_push_reg()
emu.deobf_detour_call()
emu.deobf_detour_jmp()
# Generation of IDA script
if options.ida:
ida = Ida(emu)
ida.dump(options.input + "_ida.py")
# Create the deobfuscated version
clean = options.input + ".clean"
print Color.step("Patched nymaim available: {}".format(clean))
open(clean, 'wb').write(str(emu.sb.pe))
def deobfuscation(self):
""" Deobfuscation of the push_reg function """
print Color.step("Emulating each call to {}".format(self.pattern.name))
# for each call to the function
for match_func in self.pattern.matches.matches:
for args in match_func.args:
push_arg = int(args["push"][0].info.arg1, 16)
# init registers and call the targeted function
self.init()
self.sb.call_callback(match_func.func_addr,
push_arg,
cb=self.end)
# save the deobfuscated instruction
if self.tmp_str:
match_func.deobf_inst.append({
"args": args,
"inst": self.tmp_str
})
self.tmp_str = ""
def _search(self):
"""Searching for the pattern in the binary"""
print Color.step("Searching for the pattern {}".format(self.name))
self.matches = Matches(self.cfg, self.test_graph)
def dump(self, path):
""" Dump the script into a file"""
with open(path, 'w') as f:
f.writelines(self.script)
print Color.step("Creation of an IDA script to rename function: {}".format(path))
