Hello,
I decided to share this code capable Deobuscation various techniques of obfuscation typical of modern systems of protection based Virtual Machine (Themida, vmProtect etc ..). This tools is intended for analyzing and readable code.
I share this tool (the result of hours and hours of my free time) so that someone can improve the code and help me in the very complex that is Control Flow Optimization.

https://github.com/Pigrecos/CodeDeobfuscator

I am attaching a video to show its use

Deobuscator.exe

its a long time that i have planned to do something like this.

very interested. thanks for your sharing.

unfortunately i should learn delphi for it

i will look it on future.

i'm interesting on helping improve it (i hope i get some free time)

 

Good LuCk

Thank you  Raham 

Nice share!! Will test it now

Edited January 25, 20169 yr by reasen

Thanks for sharing, will put it to a test soon :)

 

I also wrote a deobfuscator using Capstone & Unicorn. It's capable of handling x86/x64 assembly and stack based virtual machine. I will share the code, but I'm superbusy with University, I need to recode it better. @root would you like to talk a bit about how we handle things? Did you compared it with CodeDoctor?

22 minutes ago, fvrmatteo said:

I also wrote a deobfuscator using Capstone & Unicorn. It's capable of handling x86/x64 assembly and stack based virtual machine. I will share the code, but I'm superbusy with University, I need to recode it better. @root would you like to talk a bit about how we handle things? Did you compared it with CodeDoctor?

Yes, but in English it is really hard for me to communicate complex things, I'm sorry;).
I have to take a course in English

Great idea and job root ... and thanks a lot for sharing your hard work.

Best Regards,
Tony
 

can share the compiled exe (here see there delphi must download in many days with my low speed)

16 minutes ago, Apuromafo said:

can share the compiled exe (here see there delphi must download in many days with my low speed)

Of course.

Hello

 

Deobfuscator.rar

4 hours ago, root said:

Yes, but in English it is really hard for me to communicate complex things, I'm sorry;).
I have to take a course in English

Just saying, we are both italians, right? If you want ping me on Twitter @fvrmatteo

I also wrote a little paper about a technique I use to deal with heavy stack obfuscation (Themida/VMProtect). And also have some comparison with CodeDoctor based on real test cases.

3 minutes ago, fvrmatteo said:

Just saying, we are both italians, right? If you want ping me on Twitter @fvrmatteo

I also wrote a little paper about a technique I use to deal with heavy stack obfuscation (Themida/VMProtect). And also have some comparison with CodeDoctor based on real test cases.

A sorry I did not see that you were too Italian

A scusa non avevo visto che eri anche tu italiano

 

From what I heard someone is waiting for my code. Be warned it is REALLY MESSY CODE, I wrote it to learn about obfuscation/deobfuscation, but it needs a complete rewrite (the C file I'll share will contain unused code I wrote for test purposes, and also many routines I wrote to face various obfuscations). The ideas are good I think, and it can handle obfuscation good, but as said above, a complete rewrite is needed to have something nice. Also, many optimizations I have in mind needs to be implemented, but I just started a new University year and I don't know how much time I will be able to have. I will share a repository tomorrow, you'll have fun with that horrible C code also to fully understand the output (interleaved with error/debug messages) you'll need to read the code because I can't explain it now.

EDIT:

https://github.com/fvrmatteo/DeobfuscatorTest

It should be compiled with msys2 on Windows. You'll need XEDParse.dll, unicorn.lib & capstone.lib

The code is ugly. Of ~10000 code lines, half (4000/5000) can be deleted because I kept old test functions and the new one are not optimized at all. I simply wrote each simplification crossed my mind. The main idea is to reduce pattern matching (peephole optimization) to the least possible (currently 2 patterns, and they are generals).

I will publish a little paper I wrote about a technique to handle stack access (read/write/push/pop) in an easy and global way. So one can apply the standard optimizations (constant folding/propagation, junk elimination, etc) in a similar way to the one applied to registers.

The code can handle (or at least it should) basic block of assembly, without JMPs/CALLs/RETs. This because I'm coding a tracer to extract the executed code, and then deonfuscate it (so no jumps will be present).

Root's deobfuscator works better, I only tested ideas, so don't hope in a miracle. But, if you have time you can extract the current actively used routines and rewrite them better (I'll do it, but now I don't have time). The ideas are good I think, Themida/VMP tests works good, but sometimes they are not in a minimal form (I already know which optimizations are missing). But surely if you manage to understand the code, compile it and try it, you can send me tests with un-handled obfuscation so I can understand and add them.

Matteo

Edited March 3, 20169 yr by fvrmatteo

deob_test_x64.rar

On 25.01.2016 at 10:13 PM, root said:

Hello,
I decided to share this code capable Deobuscation various techniques of obfuscation typical of modern systems of protection based Virtual Machine (Themida, vmProtect etc ..). This tools is intended for analyzing and readable code.
I share this tool (the result of hours and hours of my free time) so that someone can improve the code and help me in the very complex that is Control Flow Optimization.

https://github.com/Pigrecos/CodeDeobfuscator

I am attaching a video to show its use

Deobuscator.exe

Thanks!!!

Hi,

test it then got an error. 

Quote

Errore: 00000001  - [CODEGEN] -invalid combination of opcode and operands

rtrace.txt