Attached is a dirty implementation of the idea from Ferib: Reversing Common Obfuscation Techniques. The script is "as is", a development version with a lot of debugging output and such. Far from ideal, but someone may find it helpful (easier than doing it by hand) to de-obfuscate a function.
Usage: runscript("/path/to/script/deobf.py") from IDAPython. The script works from the "current screen ea" (cursor address); the best place to run it is the start of the function.
Feel free to provide feedback and/or improvements.
I would add a little to it; it misses a lot of the common ones they use on the path to what I currently use. Wanted to see Opaque Patcher, but it was gone before I got home. Love to see useful stuff regardless.
Last edited by charles420; 11-25-2022 at 10:48 PM.
Cool script, but keep in mind this isn't strong. It quite often makes false-positive NOPs and false-positive "good JMP" decisions.
Nonetheless, thanks for sharing. Big kudos to ferib and you.
Thanks! I would appreciate feedback, especially with a reference to where the script works wrong. If you provide feedback, please keep in mind that I am on the latest retail version.