Idc Script to Deal with Obfuscation

  1. #1 SailorMars (Member)

    Idc Script to Deal with Obfuscation

    Very often the code is obfuscated by having the jump target in the middle of another instruction,
    e.g. (notice the +2 in the jump target):

    Code:
    jbe     short near ptr loc_141F47555+2
    :
    :
    loc_141F47555:
      11 90 4C 8B 15 CA  adc     [rax-35EA74B4h], edx
      97                 xchg   eax, edi
      AB                 stosd
      01 66 90           add     [rsi-70h], esp
      90                 nop
      84 E9              test    cl, ch

    To manually handle this in the disassembly view, I do these:

    i) press 'U' or Edit->Undefine at loc_141F47555 to remove the existing junk instruction, e.g.:

    Code:
    141F47555  11                     db  11h
    141F47556  90                     db  90h
    141F47557  4C                   unk_141F47557 db  4Ch ; L
    141F47558  8B                     db  8Bh
    141F47559  15                     db  15h
    141F4755A  CA                     db 0CAh
    141F4755B  97                     db  97h
    141F4755C  AB                     db 0ABh
    141F4755D  01                     db    1
    141F4755E  66                     db  66h ; f
    141F4755F  90                     db  90h
    141F47560

    ii) at the real jump target loc_141F47557, I use Edit->Code or 'C' to reveal the real instruction, e.g.:

    Code:
    141F47557                               loc_141F47557:      ; CODE XREF: Script_UnitName+E4↑j
    141F47557 078 4C 8B 15 CA 97 AB 01        mov     r10, cs:dq_7FF62CDB1000
    141F4755E 078 66 90                       xchg    ax, ax
    141F47560 078 90                          nop
    141F47561 078 84 E9                       test    cl, ch
    141F47563 078 73 61                       jnb     short near ptr loc_141F475C1+5
    141F47565 078 80 EE A0                    sub     dh, 0A0h
    141F47568 078 C6 C6 86                    mov     dh, 86h

    But the point is that I want to do these in an IDC script. I tested with
    Code:
    del_items(0x141F47555, DELIT_EXPAND, 1);
    for the undefine, but once the script ended, the undefined bytes were automatically redefined.

    I tried
    Code:
    create_insn(0x141F47557);
    as the Edit->Code function, but the call never seems able to create the code.

    How should I implement the 'U' and 'C' in an IDC script?

  2. #2 SailorMars (Member)
    Amazing, Windows' Copilot AI knows IDA Pro scripting better than us. Here is the answer given by the chatbot:

    in ida pro how to implement edit->undefine in idc script

    In IDA Pro, the Edit -> Undefine action removes the defined data or code at a given address, reverting it to an undefined state. To achieve this in an IDC script, you can use the MakeUnknown function.
    Here's an example of how you can implement this in IDC:

    Code:
    #include <idc.idc>
    
    static main() {
        auto ea;
        ea = ScreenEA(); // Get the current address
        MakeUnknown(ea, 1, DOUNK_SIMPLE); // Undefine 1 byte at the current address
    }

    This script undefines the byte at the current cursor position. If you need to undefine a larger range, adjust the second parameter (1) to the desired number of bytes.
    Would you like help refining this for a specific use case?
    but the instruction redefined after the script

    Ah, I see the issue! When you undefine an instruction using MakeUnknown(), IDA's auto-analysis might immediately redefine it as code again. To prevent this, you can follow up with AutoMark(ea, AU_CODE) to tell IDA not to analyze that address.
    Try this revised IDC script:

    Code:
    #include <idc.idc>
    
    static main() {
        auto ea;
        ea = ScreenEA(); // Get the current address
        MakeUnknown(ea, 1, DOUNK_SIMPLE); // Undefine 1 byte at the current address
        AutoMark(ea, AU_CODE); // Prevent IDA from automatically analyzing it again
    }

    This should stop IDA from reinterpreting the instruction right away. Let me know if you need more fine-tuning!
    Last edited by SailorMars; 05-09-2025 at 05:03 PM.

  3. #3 SailorMars (Member)
    No luck with AutoMark(), but after further chatting, Copilot gave me this:

    Code:
    set_flag(INF_GENFLAGS, INFFL_AUTO, 0);
    to stop the auto-analysis, which works.
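
    Putting posts #1 and #3 together, here is an added IDC example (not code from the thread or from Hex-Rays) that does the 'U' and 'C' steps from the address of the jump itself, with auto-analysis disabled via INFFL_AUTO while it works. It assumes the cursor is on the jump instruction (the jbe from post #1) and that IDA 7.x-style IDC names (get_screen_ea, get_operand_value, get_item_head, atoa) are available.

```idc
// Added example: undefine the junk item covering a jump target and
// re-create the real instruction there, with auto-analysis off so the
// result is not undone when the script ends (post #3's fix).
#include <idc.idc>

static fix_jump_target(jmp_ea)
{
    auto target, head, old_auto, n;

    // For a relative jcc/jmp, operand 0's value is the destination,
    // e.g. loc_141F47555+2 resolves to 0x141F47557 in post #1.
    target = get_operand_value(jmp_ea, 0);
    if (target == BADADDR)
        return 0;

    // Remember the current auto-analysis state, then switch it off.
    old_auto = get_inf_attr(INF_GENFLAGS) & INFFL_AUTO;
    set_flag(INF_GENFLAGS, INFFL_AUTO, 0);

    // If the target lies inside an existing item, that item is the junk
    // instruction (adc at loc_141F47555); undefine it from its head ('U').
    head = get_item_head(target);
    if (head != target)
        del_items(head, DELIT_EXPAND, 1);

    // Now the bytes are free, so 'C' (create_insn) can succeed at the target.
    n = create_insn(target);
    msg("%s -> %s: %s (%d bytes)\n", atoa(jmp_ea), atoa(target),
        n ? print_insn_mnem(target) : "create_insn failed", n);

    // Restore the previous setting; pass 0 here instead to leave
    // auto-analysis off, as post #3 does.
    set_flag(INF_GENFLAGS, INFFL_AUTO, old_auto != 0);
    return n;
}

static main()
{
    // Run with the cursor on the jbe; returns the new instruction's length.
    fix_jump_target(get_screen_ea());
}
```

    The check on get_item_head is what the original attempt was missing: create_insn at 0x141F47557 fails while the 6-byte adc at 0x141F47555 still owns those bytes, so the undefine must cover that item's head, not just the target.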

  4. #4 Makkah (Active Member)
