-
★ Elder ★
Opaque Patcher
Due to people only caring about random bashing instead of constructive feedback from using it on latest wow binaries you won't see any public tools like that anymore from me.
Good luck!
Last edited by doityourself; 11-03-2022 at 03:13 PM.
Reason: plebs
-
-
Member
Great tool. I used it to clean up DF, after unpacking with namreeb's tool. I checked a handful of functions and the disassembly/decompile looks great.
The only caveat that I can think of is that people will need to check the original unpacked binary when making machine sigs, since some of the machine code has been changed (e.g., xchg cl,cl, jb -> jmp).
-
★ Elder ★
Originally Posted by
thateuler
Great tool. I used it to clean up DF, after unpacking with namreeb's tool. I checked a handful of functions and the disassembly/decompile looks great.
The only caveat that I can think of is that people will need to check the original unpacked binary when making machine sigs, since some of the machine code has been changed (e.g., xchg cl,cl, jb -> jmp).
That's true. Sadly, it is required to patch those.
Also, IDA sucks sometimes so you have to undefine and create the whole function again. That is IDA's fault tho.
If you have places where it did not detect jumps or so, please let me know so I can try to improve the detection rate.
-
Fun fact, you don't really have to solve if a condition is opaque or not.
All you really wanna do is fix the linear disassembly so you can press F5 and let IDA Pro take care of whatever as the conditions aren't complex at all.
I found this source helpful in understanding how the linear disassembly was exploited: Ferib: Reversing Common Obfuscation Techniques
peace
Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
-
★ Elder ★
Originally Posted by
MrNoble
Fun fact, you don't really have to solve if a condition is opaque or not.
All you really wanna do is fix the linear disassembly so you can press F5 and let IDA Pro take care of whatever as the conditions aren't complex at all.
I found this source helpful in understanding how the linear disassembly was exploited:
Ferib: Reversing Common Obfuscation Techniques
peace
You want to always patch the conditional jumps to unconditional jumps to get proper clean C code in IDA. That is basically 'solving the opaque predicates', which is at the same time fixing the 'linear assembly' by patching those. The code in the thread sadly also does not solve all parts, but it is a nice article!
I do not make use of any disassembler or checking flags or whatever either, but these patches are a must for clean code.
Also keep this thread only related to this tool. Anything else will be reported as spam by me.
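The patch the posts above describe (rewrite a conditional jump that is always taken into an unconditional jmp, so a linear disassembler stops walking into the junk fall-through bytes, and keep track of which bytes changed because signatures must then be built from the original unpacked image), as an added Python example. This is not the Opaque Patcher's code, and the `xchg cl,cl` + `jb` pattern it looks for, as well as the hand-assembled sample bytes, are assumptions made for illustration:

```python
# Added example (not the Opaque Patcher's own code). Rewrites a jcc that an
# analysis has classified as always-taken into a jmp of the same length and
# target, then reports every byte that differs from the original so that
# pattern/signature makers know to diff against the unpacked, unpatched image.
from dataclasses import dataclass

JCC_REL8 = range(0x70, 0x80)    # 7x rel8     : short conditional jumps (0x72 = jb)
JCC_REL32 = range(0x80, 0x90)   # 0F 8x rel32 : near conditional jumps (0F 82 = jb)
JMP_REL8, JMP_REL32, NOP = 0xEB, 0xE9, 0x90
XCHG_CL_CL = bytes([0x86, 0xC9])  # 2-byte no-op the thread mentions as padding (assumed pattern)

# Constructed sample (hand-assembled x86-64, not taken from any real binary).
SAMPLE = bytes([
    0x48, 0x31, 0xC0,                    # 00: xor rax, rax
    0x86, 0xC9,                          # 03: xchg cl, cl      (no-op padding)
    0x72, 0x03,                          # 05: jb +3 -> 0x0A    (assumed always taken)
    0xE8, 0x11, 0x22,                    # 07: junk: a "call" opcode that swallows the bytes at 0A/0B
    0x90, 0xC3,                          # 0A: nop ; ret        (real code)
    0x86, 0xC9,                          # 0C: xchg cl, cl
    0x0F, 0x82, 0x02, 0x00, 0x00, 0x00,  # 0E: jb +2 -> 0x16    (near form)
    0xE8, 0x11,                          # 14: junk, again swallows the real code behind it
    0x31, 0xC0,                          # 16: xor eax, eax
    0xC3,                                # 18: ret
])


@dataclass
class Patch:
    offset: int
    old: bytes
    new: bytes


def branch_target(code, off):
    """Decode a jcc/jmp at off; return (length, target offset) or None."""
    op = code[off]
    if op in JCC_REL8 or op == JMP_REL8:
        if off + 2 > len(code):
            return None
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, off + 2 + rel
    if op == JMP_REL32:
        if off + 5 > len(code):
            return None
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return 5, off + 5 + rel
    if op == 0x0F and off + 6 <= len(code) and code[off + 1] in JCC_REL32:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return 6, off + 6 + rel
    return None


def find_opaque_jcc(code):
    """Heuristic taken from the thread's example: xchg cl,cl directly followed by a jcc.
    A raw byte scan can also match inside unrelated instructions, so a real tool
    would take its candidates from the disassembler's instruction list instead."""
    hits = []
    for i in range(len(code) - 2):
        if code[i:i + 2] != XCHG_CL_CL:
            continue
        op = code[i + 2]
        is_jcc = op in JCC_REL8 or (op == 0x0F and i + 3 < len(code) and code[i + 3] in JCC_REL32)
        if is_jcc and branch_target(code, i + 2) is not None:
            hits.append(i + 2)
    return hits


def jcc_to_jmp(code, off):
    """Replacement bytes for the jcc at off: same length, same target."""
    if code[off] in JCC_REL8:
        return bytes([JMP_REL8, code[off + 1]])          # 7x rel8 -> EB rel8
    if code[off] == 0x0F and code[off + 1] in JCC_REL32:
        # 0F 8x rel32 (6 bytes) -> 90 E9 rel32 (6 bytes): the displacement is relative
        # to the end of the instruction, which does not move, so it is reused as-is.
        return bytes([NOP, JMP_REL32]) + code[off + 2:off + 6]
    raise ValueError(f"no conditional jump at {off:#x}")


def apply_patches(code, offsets):
    """Return (patched bytes, list of Patch) for the jcc offsets given."""
    buf = bytearray(code)
    patches = []
    for off in offsets:
        new = jcc_to_jmp(code, off)
        old = code[off:off + len(new)]
        buf[off:off + len(new)] = new
        patches.append(Patch(off, bytes(old), new))
    return bytes(buf), patches


def targets_preserved(old, new, patches):
    """Sanity check: every rewritten branch still lands where the original jcc did."""
    for p in patches:
        _, t_old = branch_target(old, p.offset)
        start = p.offset + 1 if new[p.offset] == NOP else p.offset  # skip the filler nop
        _, t_new = branch_target(new, start)
        if t_old != t_new:
            return False
    return True


def changed_offsets(patches):
    """Byte offsets that differ from the original image. Any machine signature that
    covers one of these must be made from the original unpacked binary."""
    return sorted(p.offset + i for p in patches
                  for i, (a, b) in enumerate(zip(p.old, p.new)) if a != b)


if __name__ == "__main__":
    hits = find_opaque_jcc(SAMPLE)
    patched, patches = apply_patches(SAMPLE, hits)
    for p in patches:
        print(f"{p.offset:#04x}: {p.old.hex(' ')} -> {p.new.hex(' ')}")
    print("targets preserved:", targets_preserved(SAMPLE, patched, patches))
    print("bytes changed vs original:", [hex(o) for o in changed_offsets(patches)])
```

In the constructed sample the byte after each jb is a `call` opcode, so a linear sweep that falls through consumes the real instructions behind it as the call's displacement; once the jb is a jmp the sweep never takes the fall-through path and the function decompiles cleanly. The near-form rewrite keeps the 6-byte length by prefixing a nop, which is why the changed-offset report lists two bytes for it and one for the short form.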
-
Originally Posted by
king48488
You want to always patch the conditional jumps to unconditional jumps to get proper clean C code in IDA. That is basically 'solving the opaque predicates', which is at the same time fixing the 'linear assembly' by patching those. The code in the thread sadly also does not solve all parts, but it is a nice article!
I do not make use of any disassembler or checking flags or whatever either, but these patches are a must for clean code.
Also keep this thread only related to this tool. Anything else will be reported as spam by me.
It might not always be possible to solve the opaque predicates, as more sophisticated obfuscation techniques make use of runtime variables with mixed boolean arithmetic. Therefore I thought it was clever to look at the assembly misalignment and 'solve' them that way.
> Also keep this thread only related to this tool. Anything else will be reported as spam by me.
I would love to see how this tool tackles the problem; however, I do not see any source code other than a readme (even when downloading a release .zip, but correct me if I'm wrong).
But if you happen to have any pseudo code or knowledge about how this tool operates, I would like to see it posted here.
-
Member
Comparison: right is the tool from the article, left is this tool.
Not sure why it's not able to fix up these primitive cases.
-