rpisec / llvm-deobfuscator Goto Github PK

Blocking on Vector35/binaryninja-api#1606

Right now, we undo control flow flattening by patching the binary and saving it to disk. Now that binja has a decompiler, it's worth updating the IL instead, keeping everything platform-independent.

Since we're completely reconstructing the function, I see two solutions here:

1. incrementally update control flow, re-placing phi nodes as we go (or)
2. completely re-build the IL for the function w/ correct control flow fixups

But it all depends on how the feature works in binja when it's ready

plugin get below error while deobfuscating.

function sub_6f84c650 in attached binary.

Exception in thread Thread-3:
Traceback (most recent call last):
File "threading.py", line 1016, in bootstrap_inner
File "D:\Program Files\Vector35\BinaryNinja\plugins..\python\binaryninja\plugin.py", line 928, in run
self.task.run()
File "C:\Users\cools\AppData\Roaming\Binary Ninja\plugins\llvm-deobfuscator_init.py", line 18, in run
self.func(bv, self.addr)
File "C:\Users\cools\AppData\Roaming\Binary Ninja\plugins\llvm-deobfuscator\deflatten.py", line 298, in deflatten_cfg
backbone = compute_backbone_map(bv, mlil, state_var)
File "C:\Users\cools\AppData\Roaming\Binary Ninja\plugins\llvm-deobfuscator\deflatten.py", line 133, in compute_backbone_map
var = mlil[uses[-1]].dest
IndexError: list index out of range
netapi32-patched.zip

With the introduction of the Binary Ninja Plugin Manager 2.0 we will be releasing a installation UI for all plugins in the community repository. Please check https://binary.ninja/2019/07/04/plugin-manager-2.0.html for the latest information about how to submit your plugin. If you no longer want your plugin in the repository please disregard this issue

Plugin fails on binary ninja 2.0.x
I was simply looking at InSpectre https://www.grc.com/files/InSpectre.exe

Exception in thread Thread-2:
Traceback (most recent call last):
  File "C:\Users\user\Desktop\BinaryNinja\BinaryNinja-Windows\plugins\lib\threading.py", line 810, in __bootstrap_inner
    self.run()
  File "C:\Users\user\Desktop\BinaryNinja\BinaryNinja-Windows\plugins\..\python\binaryninja\plugin.py", line 731, in run
    self.task.run()
  File "C:\Users\user\AppData\Roaming\Binary Ninja\plugins\llvm-deobfuscator\__init__.py", line 18, in run
    self.func(bv, self.addr)
  File "C:\Users\user\AppData\Roaming\Binary Ninja\plugins\llvm-deobfuscator\deflatten.py", line 295, in deflatten_cfg
    state_var = func.get_low_level_il_at(addr).medium_level_il.dest
AttributeError: 'NoneType' object has no attribute 'dest'

As you can see, there is a problem when we remove the confusion. How can we solve it
Errors is as follows:

Call target 0x0 does not appear to be code in instruction at 0x4005ce Function at 0x4005e0 is too large, skipping analysis Analysis update took 0.050 seconds Error fetching version list: Update authentication failed Analysis update took 0.000 seconds Exception in thread Thread-2: Traceback (most recent call last): File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner self.run() File "/home/XXXXX/binaryninja/plugins/../python/binaryninja/plugin.py", line 420, in run self.task.run() File "/home/XXXXX/.binaryninja/plugins/llvm-deobfuscator-e7ec09ea4ae0d52ee9a4d28ff9f391c7efea2a57/__init__.py", line 16, in run self.func(bv, self.addr) File "/home/XXXXX/.binaryninja/plugins/llvm-deobfuscator-e7ec09ea4ae0d52ee9a4d28ff9f391c7efea2a57/deflatten.py", line 295, in deflatten_cfg state_var = func.get_low_level_il_at(addr).medium_level_il.dest AttributeError: 'NoneType' object has no attribute 'medium_level_il'

Thanks

Currently the about section of the repo points to an old URL. It should instead point to https://rpis.ec/blog/dissection-llvm-obfuscator-p1/