
Possible deobfuscation approaches?

Posted

So I've become very interested in the entire deobfuscation topic, and I was wondering what is actually the most efficient way to implement e.g. constant folding for disassembled obfuscated binary data, or maybe some kind of instruction-reduction algorithm. By efficient, I obviously mean which would have the greatest impact and work best in reversing e.g. instruction expansion.

My current thoughts are whether it would be most efficient to write an IR structure for a standard x86 instruction, which exposes data from the instruction operands, etc., and run for example a loop through a container of instructions to try and collapse some of them in a smart manner, or check if otherwise unused data is being added/subtracted to form a final data sum, and then fold the constants.

Another approach I thought about lately was writing a string-parser, that could take many different types of wildcards for assembly-types, and then write simple "parsing sequences" in pure string-types, and check if an instruction-container had any instances of the wildcard-lenient types. An example of this would be checking against e.g. "push $1" and "pop $2;" and transform that into "mov $2,$1" or something like that. Usage could be somewhat like this:

container.find_sequence({ "push $1", "pop $2" }).replace("mov $2, $1");

And then maybe use some internal parsing structure that mapped these things into equivalent objects and did direct instruction-compares or something like that.

However, I am very interested in what kind of solutions people think are the most efficient and why. Also, if anyone has any working examples or snippets, I'd be very interested in seeing actual live examples of deobfuscation done right, regardless of the programming language.

Thanks in advance :) 

Edited by VirtualPuppet
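The push/pop rewrite and the constant folding sketched in the post, as an added example that is not from the post or from any Tuts 4 You project: a peephole pass over instructions kept as plain strings, where `$n` wildcards bind to whole operands and must bind consistently across the matched sequence. The function names, the string-based instruction form and the constructed sample are my own assumptions.

```python
def parse(insn):  # 'mov eax, 5' -> ('mov', ['eax', '5'])
    mnem, _, rest = insn.strip().partition(" ")
    return mnem.lower(), ([o.strip() for o in rest.split(",")] if rest else [])

def match_seq(patterns, window, binds):  # records $n wildcard bindings in `binds`
    for pattern, insn in zip(patterns, window):
        (pm, pops), (im, iops) = parse(pattern), parse(insn)
        if pm != im or len(pops) != len(iops):
            return False
        for p, o in zip(pops, iops):
            bound = binds.setdefault(p, o) if p.startswith("$") else p
            if bound != o:  # literal mismatch, or wildcard already bound to another operand
                return False
    return True

def rewrite_sequence(insns, patterns, replacement):
    """Rewrite each non-overlapping match; an empty replacement deletes the match."""
    out, i, n = [], 0, len(patterns)
    while i < len(insns):
        binds = {}
        if i + n <= len(insns) and match_seq(patterns, insns[i:i + n], binds):
            new = replacement
            for name, value in binds.items():  # wildcards are single digits ($1..$9)
                new = new.replace(name, value)
            out += [new] if new else []
            i += n
        else:
            out.append(insns[i])
            i += 1
    return out

def addsub(insn):  # ('ebx', -3) for 'sub ebx, 3'; None unless the form is add/sub reg, imm
    m, ops = parse(insn)
    if m in ("add", "sub") and len(ops) == 2 and ops[1].lstrip("-").isdigit():
        return ops[0], int(ops[1]) * (1 if m == "add" else -1)

def fold_constants(insns):
    """Merge adjacent add/sub immediates on one register (assumes EFLAGS are dead afterwards)."""
    out = []
    for insn in insns:
        cur, prev = addsub(insn), (addsub(out[-1]) if out else None)
        if cur and prev and cur[0] == prev[0]:
            net = prev[1] + cur[1]
            out.pop()
            if net:  # a net of zero means the whole run cancels out
                out.append(f"add {cur[0]}, {net}" if net > 0 else f"sub {cur[0]}, {-net}")
        else:
            out.append(insn)
    return out

def deobfuscate(insns):
    insns = rewrite_sequence(insns, ["push $1", "pop $2"], "mov $2, $1")
    insns = rewrite_sequence(insns, ["mov $1, $1"], "")  # a register self-move is a no-op
    return fold_constants(insns)
```

Folding add/sub pairs changes the intermediate EFLAGS values, so the folding pass is only sound where a liveness check shows no later instruction reads those flags; that check is left out here.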

  • 2 years later...

Did you find an answer to this question? I'm interested too.
