The idea of this project comes from the open source community, and I will also feed back the results to the open source community. I hope everyone can gain something, and I would like to thank those generous colleagues who are committed to open source technology, and hope that we can make this world a better place.
The tool can be used to eliminate redundant instructions in a basic block, thus making the reverse analysis work simple and easy to carry out. The core ideas used are stain analysis and active variable analysis! If you want to know more details about this project, you can read this airtical is pulished on the "KanXue" forum.
- Language: C++
- IDE: VS2022
- External Dependencies: Capstone & Boost
You need clone this repo, the source code in the "clean_basic_block\src", the lib files in the "clean_basic_block\lib", the DLL files in the "clean_basic_block\dll", the header file in the "clean_basic_block\include".
You also can download the realse file to use this project.
This tools have four optinos:
- "-h" Displays help information.
- "-f" Set the path of "exe" file you want to clean.
- "-s" Set the start address(RVA) of basic block.
- "-e" Set the end address(RVA) of basic block.
This basic block has been obfuscated:
.vmp1:0064D713 56 push esi
.vmp1:0064D714 0F BF F1 movsx esi, cx
.vmp1:0064D717 BE A3 3B 66 6B mov esi, 6B663BA3h
.vmp1:0064D71C 55 push ebp
.vmp1:0064D71D 52 push edx
.vmp1:0064D71E 51 push ecx
.vmp1:0064D71F 9C pushf
.vmp1:0064D720 F5 cmc
.vmp1:0064D721 0F BF EF movsx ebp, di
.vmp1:0064D724 87 D6 xchg edx, esi
.vmp1:0064D726 50 push eax
.vmp1:0064D727 98 cwde
.vmp1:0064D728 57 push edi
.vmp1:0064D729 80 E6 1A and dh, 1Ah
.vmp1:0064D72C 87 FF xchg edi, edi
.vmp1:0064D72E 53 push ebx
.vmp1:0064D72F 66 F7 C6 9C 51 test si, 519Ch
.vmp1:0064D734 66 0F A4 E7 8F shld di, sp, 8Fh
.vmp1:0064D739 BA 00 00 00 00 mov edx, 0
.vmp1:0064D73E 85 EE test esi, ebp
.vmp1:0064D740 66 2B C7 sub ax, di
.vmp1:0064D743 D2 CF ror bh, cl
.vmp1:0064D745 52 push edx
.vmp1:0064D746 66 98 cbw
.vmp1:0064D748 8B 6C 24 28 mov ebp, [esp+24h+arg_0]
.vmp1:0064D74C 81 ED 25 26 6F 1D sub ebp, 1D6F2625h
.vmp1:0064D752 0F CD bswap ebp
.vmp1:0064D754 0F 47 C5 cmova eax, ebp
.vmp1:0064D757 98 cwde
.vmp1:0064D758 F6 C4 F5 test ah, 0F5h
.vmp1:0064D75B F7 DD neg ebp
.vmp1:0064D75D 66 0F BD F2 bsr si, dx
.vmp1:0064D761 66 0F BA F7 76 btr di, 76h ; 'v'
.vmp1:0064D766 66 F7 C7 A9 43 test di, 43A9h
.vmp1:0064D76B F7 D5 not ebp
.vmp1:0064D76D 66 0F AC C0 D8 shrd ax, ax, 0D8h
.vmp1:0064D772 81 ED 7B 53 BE 38 sub ebp, 38BE537Bh
.vmp1:0064D778 66 0F BA FF 07 btc di, 7
.vmp1:0064D77D 66 98 cbw
.vmp1:0064D77F C1 C5 03 rol ebp, 3
.vmp1:0064D782 66 0F A4 F0 AB shld ax, si, 0ABh
.vmp1:0064D787 2B DE sub ebx, esi
.vmp1:0064D789 8D 6C 15 00 lea ebp, [ebp+edx+0]
.vmp1:0064D78D 8B F4 mov esi, esp
.vmp1:0064D78F 66 0F BA F2 E5 btr dx, 0E5h
.vmp1:0064D794 66 0B D8 or bx, ax
.vmp1:0064D797 47 inc edi
.vmp1:0064D798 81 EC C0 00 00 00 sub esp, 0C0h
.vmp1:0064D79E 66 3B F8 cmp di, ax
.vmp1:0064D7A1 F9 stc
.vmp1:0064D7A2 66 85 EB test bx, bp
The project is used for cleaning the above basic block:
(base) PS C:\Users\g0mx> D:\Code_Files\Deobfusecate\Release\Clean_BB.exe -f D:\Code_Files\EliminateVmpJunkCode\Project1.vmp\Project1.vmp.exe -s "0x64D713" -e "0x64D7A5"After cleaning:
Insn List After Clean:
0x64d713: push esi
0x64d71c: push ebp
0x64d71d: push edx
0x64d71e: push ecx
0x64d71f: pushfd
0x64d726: push eax
0x64d728: push edi
0x64d72c: xchg edi, edi
0x64d72e: push ebx
0x64d734: shld di, sp, 0x8f
0x64d761: btr di, 0x76
0x64d778: btc di, 7
0x64d797: inc edi
clean over!!!