
[Release source code(Make Public) for Code Deobfuscator x86_32/64]

  • 3 years later...

anyone have it as compiled executable?

readme says -

>* This plugin enables you to remove some common obfuscations

question: this is plugin to what debugger/tool/framework?

had some fun (installing ol'good Delphi :) etc

made a POC tool based on above Github codes

usage

tool.exe pe-file VA (hex: use eg $400100)

opened up all debug prints, eg:

image.png

I don't know yet its capabilities...

CodeDeob-0.0.1.7z

Edited by jackyjask

  • Author

It's a project for enthusiasts who love to learn and understand; it's not a ready-to-use tool. To use it, you need to study the code, otherwise it won't do anything.
typically:

procedure TfrmMain.testPeepHole2(fFile : string);
var
  ins1       : TArray<TIstruzione> ;
  Deobf      : TDeobFuscate;
  i,
  nNumStartL : Integer;
  LWatch     : TStopwatch;
  modo       : Byte;
  linea      : string;
  procedure printInstrs(const instrs : TArray<TIstruzione>);
  var
    instr : TIstruzione;
  begin
        for instr in  instrs do
            mmo1.Lines.Add(instr.ToString);
        mmo1.Lines.Add('');
  end;
begin
    LWatch := TStopwatch.StartNew;
    if fFile = '' then fFile := 'Code.txt';
    ins1 := FileToSimbolicI(fFile,modo);
    nNumStartL := High(ins1);
    Deobf := TDeobFuscate.Create(modo);
    try
      mmo1.Lines.Add(sLineBreak +'Input Code:');
      mmo1.Lines.BeginUpdate;
      try
        printInstrs(ins1);
        Deobf.UsaDeadC_Sp := chkDeadSper_0.Checked;
        Deobf.DeobfuscateList(ins1);
        mmo1.Lines.Add('---- Deobfuscate Code : -------');
        printInstrs(ins1);
      finally
        mmo1.Lines.EndUpdate;
      end;
      frmMain.mmo1.Lines.Add(sLineBreak +  Format('-->Funzione testPeephole<--  Totale Linee: %d/%d  operazione eseguita in: %d ms', [High(ins1),nNumStartL,LWatch.ElapsedMilliseconds]) );
      mmoCodeOri.Lines.LoadFromFile(fFile);
      for i := 0 to mmoCodeOri.Lines.Count - 1 do
      begin
          linea := mmoCodeOri.Lines[i];
          if Pos('Codice Orig.:',Linea) <> 0 then
          begin
               mmoCodeOri.Clear;
               mmoCodeOri.Lines.Add(linea) ;
               pnl1.Visible := True;
               Break;
          end;
          pnl1.Visible := False;
      end;
    finally
      Deobf.Free;
    end;
end;

@root thanks!

this is my sample POC based on your lib:

begin
  try
    Writeln('CodeDeob cli demo util v0.1 (c) 2025 by jj');
    if (ParamCount > 1) then
    begin
      deo := TDeobFuscate.Create(CP_MODE_32, ParamStr(1));
      insList := TLinkedList<TCpuIstruz>.Create;
      deo.DeobfuscateAT(StrToInt(ParamStr(2)), insList);
    end
    else
      Writeln('Usage: tool pe-file VA');

  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.

but it fails due to diff reasons...

is it correct usage?

  • Author
11 minutes ago, jackyjask said:

> @root thanks!
>
> this is my sample POC based on your lib:
>
> begin
>   try
>     Writeln('CodeDeob cli demo util v0.1 (c) 2025 by jj');
>     if (ParamCount > 1) then
>     begin
>       deo := TDeobFuscate.Create(CP_MODE_32, ParamStr(1));
>       insList := TLinkedList<TCpuIstruz>.Create;
>       deo.DeobfuscateAT(StrToInt(ParamStr(2)), insList);
>     end
>     else
>       Writeln('Usage: tool pe-file VA');
>
>   except
>     on E: Exception do
>       Writeln(E.ClassName, ': ', E.Message);
>   end;
> end.
>
> but it fails due to diff reasons...
>
> is it correct usage?

It's a project I worked on years ago, I don't remember everything exactly but it seems to be correct. I need to understand what errors it gives and on which target it was tested.

is it OK to test on a simple (eg masm binaries) or it needs only sophisticated mutated/vm-ed opcodes

1st issue on sample masm binary -

(400250 = EP VA)

c:\CodeDeob-main\Win32\Debug\123>Deob1.exe fire.exe $400250

CodeDeob cli demo util v0.1 (c) 2025 by jj

EListError: Item not found

fire.zip

Edited by jackyjask

  • Author
1 hour ago, jackyjask said:

> 1st issue on sample masm binary -
>
> (400250 = EP VA)
>
> c:\CodeDeob-main\Win32\Debug\123>Deob1.exe fire.exe $400250
>
> CodeDeob cli demo util v0.1 (c) 2025 by jj
>
> EListError: Item not found
>
> fire.zip

there is nothing to deobfuscate in that code, the list remains empty

.text:0000000000400250
.text:0000000000400250 ; =============== S U B R O U T I N E =======================================
.text:0000000000400250
.text:0000000000400250 ; Attributes: bp-based frame
.text:0000000000400250
.text:0000000000400250                 public start
.text:0000000000400250 start           proc near               ; DATA XREF: HEADER:00000000004000B0↑o
.text:0000000000400250
.text:0000000000400250 var_20          = qword ptr -20h
.text:0000000000400250
.text:0000000000400250                 enter   40h, 0
.text:0000000000400254                 and     [rsp+40h+var_20], 0
.text:000000000040025A                 mov     ecx, offset __ImageBase ; hInstance
.text:000000000040025F                 mov     edx, 64h ; 'd'  ; lpTemplateName
.text:0000000000400264                 xor     r8d, r8d        ; hWndParent
.text:0000000000400267                 lea     r9, DialogFunc  ; lpDialogFunc
.text:000000000040026E                 call    cs:DialogBoxParamA
.text:0000000000400274                 xor     ecx, ecx
.text:0000000000400276                 call    cs:RtlExitUserProcess
.text:0000000000400276 start           endp ; sp-analysis failed
.text:0000000000400276
.text:000000000040027C
.text:000000000040027C ; =============== S U B R O U T I N E =======================================
.text:000000000040027C
.text:000000000040027C ; Attributes: bp-based frame
.text:000000000040027C
.text:000000000040027C ; INT_PTR __stdcall DialogFunc(HWND, UINT, WPARAM, LPARAM)
.text:000000000040027C DialogFunc      proc near               ; DATA XREF: start+17↑o
.text:000000000040027C
.text:000000000040027C format          = dword ptr -80h
.text:000000000040027C h               = qword ptr -5Ch
.text:000000000040027C ho              = qword ptr -54h
.text:000000000040027C Paint           = tagPAINTSTRUCT ptr -48h
.text:000000000040027C hWnd            = qword ptr  10h
.text:000000000040027C
.text:000000000040027C                 enter   0A0h, 0
.text:0000000000400280                 mov     [rbp+hWnd], rcx
.text:0000000000400284                 cmp     edx, 110h
.text:000000000040028A                 jz      short loc_4002E5
.text:000000000040028C                 cmp     edx, 111h
.text:0000000000400292                 jz      loc_400654
.text:0000000000400298                 cmp     edx, 10h
.text:000000000040029B                 jz      loc_40065A
.text:00000000004002A1                 cmp     edx, 113h
.text:00000000004002A7                 jz      loc_4003C2
.text:00000000004002AD                 cmp     edx, 0Fh
.text:00000000004002B0                 jz      loc_4004BC
.text:00000000004002B6                 cmp     edx, 201h
.text:00000000004002BC                 jnz     loc_40067C
.text:00000000004002C2                 call    cs:ReleaseCapture
.text:00000000004002C8                 mov     rcx, [rbp+hWnd] ; hWnd
.text:00000000004002CC                 mov     edx, 112h       ; Msg
.text:00000000004002D1                 mov     r8d, 0F012h     ; wParam
.text:00000000004002D7                 xor     r9d, r9d        ; lParam
.text:00000000004002DA                 call    cs:SendMessageA
.text:00000000004002E0                 jmp     loc_40067C
.text:00000000004002E5 ; ---------------------------------------------------------------------------
.text:00000000004002E5
.text:00000000004002E5 loc_4002E5:                             ; CODE XREF: DialogFunc+E↑j
.text:00000000004002E5                 call    cs:GetTickCount
.text:00000000004002EB                 mov     cs:dword_400800, eax
.text:00000000004002F1                 push    offset pszFaceName ; pszFaceName
.text:00000000004002F6                 push    1               ; iPitchAndFamily
.text:00000000004002F8                 push    2               ; iQuality
.text:00000000004002FA                 push    0               ; iClipPrecision
.text:00000000004002FC                 push    6               ; iOutPrecision
.text:00000000004002FE                 push    0               ; iCharSet
.text:0000000000400300                 push    0               ; bStrikeOut
.text:0000000000400302                 push    0               ; bUnderline
.text:0000000000400304                 push    0               ; bItalic
.text:0000000000400306                 push    2BCh            ; cWeight
.text:000000000040030B                 sub     esp, 20h
.text:000000000040030E                 mov     ecx, 50h ; 'P'  ; cHeight
.text:0000000000400313                 mov     edx, 19h        ; cWidth
.text:0000000000400318                 xor     r8d, r8d        ; cEscapement
.text:000000000040031B                 xor     r9d, r9d        ; cOrientation
.text:000000000040031E                 call    cs:CreateFontA
.text:0000000000400324                 mov     cs:h, rax
.text:000000000040032B                 mov     ecx, 40h ; '@'  ; uFlags
.text:0000000000400330                 mov     edx, 400h       ; dwBytes
.text:0000000000400335                 call    cs:GlobalAlloc
.text:000000000040033B                 mov     cs:qword_4007F8, rax
.text:0000000000400342                 mov     edi, eax
.text:0000000000400344                 mov     ecx, 40h ; '@'

I fully agree

but the question was about this - why?

>EListError: Item not found

  • Author
9 hours ago, jackyjask said:

> I fully agree
>
> but the question was about this - why?
>
> >EListError: Item not found

The tool was designed for obfuscated code, not for handling standard code with external calls (iat, etc.).

So, when splitting blocks, an address will likely be invalid.

There's nothing stopping you from implementing and adding new features to the code.

procedure TCFG_Analysis.SplitBlock( split_addr: UInt64);
        (*
            Split basic block @ split_addr and create a new basic_blocks[]
            entry.
        *)
var
  bb_head,orig_head : UInt64;
  instr             : TCfGIns;
  tmpIns            : TIns;
begin
    OutDbg( Format('>Function:SplitBlock - Entry splitting @ [%08x] ',[split_addr]));
    if Fbasic_blocks.ContainsKey(split_addr) then Exit;
    bb_head := split_addr;
    orig_head := DFSBBSearchHead(split_addr);
    if orig_head = 0 then
    begin
        OutDbg(Format('>Function:SplitBlock - Failed @ [%08x]: orig_head=None ',[split_addr]));
       // raise Exception.Create('SplitBlock: orig_head not found');
    end;
    OutDbg(Format('>Function:SplitBlock - Got orig_head [%08x] ',[orig_head]));
    // Create new BBlock
    Fbasic_blocks.Add(bb_head,[]) ;
    if Length(Fbasic_blocks[orig_head]) > 0 then
    begin
        tmpIns:= Fbasic_blocks[orig_head];
        instr := tmpIns[ High(Fbasic_blocks[orig_head]) ];
        SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1);
        Fbasic_blocks[orig_head] := tmpIns;
    end
    else
        Exit;
    while True do
    begin
        tmpIns:= Fbasic_blocks[orig_head];
        Insert(instr,tmpIns,0 );
        Fbasic_blocks[orig_head] := tmpIns;
        if instr.OriginEA = bb_head then break ;
        tmpIns:= Fbasic_blocks[orig_head];
        instr := tmpIns[ High(Fbasic_blocks[orig_head]) ];
        SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1);
        Fbasic_blocks[orig_head] := tmpIns;
    end;
    OutDbg(Format('>>Function:SplitBlock - Split @ [%08x]; original @ [%08x]',[split_addr,orig_head]));
end;
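
The failure discussed in this thread, as an added Delphi sketch that is not code from the CodeDeob project: with the `raise` commented out, a head of 0 from `DFSBBSearchHead` reaches `Fbasic_blocks[orig_head]`, and if `Fbasic_blocks` is a `TDictionary` (an assumption, its declaration is not shown) that lookup raises `EListError: Item not found`. `TBlocks`, `FindHead` and `SplitAt` are hypothetical names, a block is modelled as a plain array of instruction addresses, and the sample addresses are constructed.

```delphi
program SplitBlockGuard;
{$APPTYPE CONSOLE}
// Added illustration, not CodeDeob code; names and sample addresses are made up.
uses System.SysUtils, System.Generics.Collections;
type TBlocks = TDictionary<UInt64, TArray<UInt64>>;  // head -> instruction addresses

// Head of the block that contains addr, or 0 when no block contains it.
function FindHead(blocks: TBlocks; addr: UInt64): UInt64;
var
  pair: TPair<UInt64, TArray<UInt64>>;
  ea: UInt64;
begin
  Result := 0;
  for pair in blocks do
    for ea in pair.Value do
      if ea = addr then Exit(pair.Key);
end;

// Split the block containing split_addr; False means nothing was changed.
function SplitAt(blocks: TBlocks; split_addr: UInt64): Boolean;
var
  head: UInt64;
  body: TArray<UInt64>;
  cut: Integer;
begin
  Result := False;
  if blocks.ContainsKey(split_addr) then Exit;
  head := FindHead(blocks, split_addr);
  // Guard: blocks[head] raises EListError when head is not a key.
  if not blocks.TryGetValue(head, body) then Exit;
  cut := High(body);
  while (cut > 0) and (body[cut] <> split_addr) do Dec(cut);
  if cut <= 0 then Exit;  // address not inside this block's body
  blocks.Add(split_addr, Copy(body, cut, Length(body) - cut));
  blocks[head] := Copy(body, 0, cut);
  Result := True;
end;

var cfg: TBlocks;
begin
  cfg := TBlocks.Create;
  try
    cfg.Add($401000, TArray<UInt64>.Create($401000, $401002, $401005));
    Writeln(SplitAt(cfg, $401002));  // inside a known block: split
    Writeln(SplitAt(cfg, $402000));  // in no block: skipped, no exception
    Writeln(Length(cfg[0]));         // unguarded lookup: raises EListError
  except
    on E: Exception do Writeln(E.ClassName, ': ', E.Message);
  end;
  cfg.Free;
end.
```

The sketch adds the new block only after the head lookup has succeeded, so a failed split leaves no empty entry behind.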
