Jump to content
Tuts 4 You

Obfuscator


jksoom

Recommended Posts

I need help. I need some obfuscator algorithm finder.

I have a lot of obfuscated codes, and decoded codes.

Is there any program which can lear how to do this? For example I enter him 10 obfuscated codes, and right decoded codes which he should get, and then he finds valid connection between them.

For example:

obfuscated: 522E 6A53 A29E 3577 3533 4A91

decoded: 50E5 562E 3870 334A 91

I also have one working converter made by some guy, but I don't know how to read the algo from it. If someone can help, please call me on private message and i will send you the exe.

Link to comment

I'm not sure what you are after, because from your post i thought you mean something for removing obfuscation from x86 code (silly me, making assumptions, that was my fault) but pasting your bytes into Olly i get:

'Obfuscated'


PUSH EDX
PUSH 053h
MOV BYTE PTR [03577359Eh],AL
XOR ECX,DWORD PTR [EDX-06Fh]

'Decoded'


PUSH EAX
IN EAX,056h
CMP BYTE PTR CS:[EAX+033h],DH
DEC EDX
XCHG EAX,ECX

Neither code fragments make much sense, which is where i get confused. If you are talking about de-obfuscation then you can write a script to remove junk code, using signatures and even wildcards. But be careful that your script doesn't replace good code with NOPs also, because it could render it useless.

There is a plugin for OllyDbg called CodeDoctor, you can find it in this thread:


/>http://forum.tuts4you.com/index.php?showtopic=21638

The thread explains its use and functionality, SunBeam has also been testing it pretty thoroughly lately and he's posted his findings here:


/>http://forum.tuts4you.com/index.php?showtopic=23223

I also have one working converter made by some guy, but I don't know how to read the algo from it.

Does this mean you have a binary file which achieves what you want, yet you can't reverse it to understand how it achieves it OR that you have the source for something which (possibly) achieves what you want but you don't understand the code enough to change/fix it so that it will do what you need? Can you give a bit more detail about your problem in general please?

HR,

Ghandi

Link to comment

I did get your message but only just now had a chance to reply. What you are asking about is a keygenerator which takes an input, generates/extracts the required information and if the resulting checksum matches the chosen application then it will confirm that it is a valid code.

Personally, i don't have any experience with VM Protect and the algorithm for this application has been 'virtualized' so you need to remove the VM or at least reverse it enough to understand what is happening in there. There are many posts regarding VMP on this forum, as well as some scripts which may help you get started.

There are also a few members of this forum who are quite experienced with VMP, if you actually give it a bit of a go yourself and then post where you are having trouble with unpacking the VMP on this target, you will likely find that you will get assistance.

HR,

Ghandi

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...