Skip to content
/ IDAPythonScDeobf Public
forked from flatbuffer/IDAPythonScDeobf

An IDAPython script to deobfuscate an ARMv7 library of a popular mobile app.

0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

freemanZYQ/IDAPythonScDeobf

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

docs

docs

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

deobf.py

deobf.py

 
 

Repository files navigation

IDAPythonScDeobf

An IDAPython script to deobfuscate an ARMv7 library of a popular mobile app.
This is a work in progress and my first attempt at an IDAPython script.

Obfuscation

These are all obfuscation methods found in the library.
This is not final.

Control Flow Flattening

Control Flow Flattening Image

The state machine initializes like this.

# Snip
ADD     R4, PC ; off_A4BE0
# Snip
MOVCC   R0, #9
LDR.W   R0, [R4,R0,LSL#2]
# Snip
MOV     PC, R0
# Sub chunks below..

The offset off_XXXXX holds a table containing all the blocks that probably belong to the original subroutine.

off_A4BE0       DCD loc_24BB4
                DCD loc_24C5E
                DCD loc_24CC2
                DCD sub_24D3A
                DCD loc_24BFA
                DCD loc_24D04
                DCD loc_24C2C
                DCD loc_24CD6
                DCD loc_24BE6
                DCD loc_24D26
                DCD loc_24C90
                DCD loc_24CEA
                DCD loc_24BA0

We can use this information to figure out the subroutine boundaries and reconstruct the control flow between those.

About

An IDAPython script to deobfuscate an ARMv7 library of a popular mobile app.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%