About the developer

maiyao1988
168 Stars 76 Forks 226 Commits 1 Opened issues

Description

An arm32 OLLVM-like deobfuscator that aims to remove obfuscation produced by OLLVM-like compilers.


deobf

An experimental OLLVM-like deobfuscator that aims to remove obfuscation produced by OLLVM-like compilers, especially FLA (control flow flattening), to make reverse engineering easier... Explanation of the principles (in Chinese)

Usage

In the future, installation will be possible through PyPI.

Make sure you are using Python 3.7.

  1. Clone the repository
  2. Run
    pip install -r requirements.txt

If you have trouble getting the keystone-engine dependency on Windows (as I did):

  1. Clone their repository
  2. Open a terminal in bindings/python
  3. Run python setup.py install (make sure you are using Python 3.7)
  4. Download their "Windows - Core engine" package for your Python architecture
  5. Put keystone.dll in C:\location_to_python\Lib\site-packages\keystone\

  3. Run python deobf.py with the following arguments, in order:
     - the input ELF to deobfuscate
     - the output ELF
     - the path of the trace file for the target function. It contains the instruction trace, which can be collected with an IDA trace breakpoint. There is an example file, tests/bin/data/ins-url.trc
     - the start offset of the target function
     - the end offset of the target function
     - 0 or 1: whether the target function is Thumb
     - <type> [optional]: the detector type; omitting it is fine in many cases

Example

    python deobf.py tests/bin/libmakeurl2.4.9.so url.so tests/data/ins-url.trc 0x0000342C 0x00003668 1

This should deobfuscate JNI_OnLoad in libmakeurl2.4.9.so. In the output url.so you can see that JNI_OnLoad has been simplified.
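
A pre-flight check for the arguments listed above, as an added example that is not part of the deobf project: it confirms the input is a 32-bit little-endian ARM ELF and that the start/end range is aligned for the chosen mode and lies inside an executable PT_LOAD segment. The names `preflight` and `sample_elf` are hypothetical, the sample ELF is constructed, and the offsets are assumed to be addresses relative to image base 0, as IDA shows them for a shared library.

```python
import struct

PT_LOAD, PF_X, EM_ARM = 1, 0x1, 40

def preflight(elf: bytes, start: int, end: int, is_thumb: int) -> list:
    """Return a list of problems; an empty list means the arguments look sane."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        return ["not an ELF file"]
    if elf[4] != 1 or elf[5] != 1:  # EI_CLASS = ELFCLASS32, EI_DATA = little endian
        return ["not a 32-bit little-endian ELF"]
    problems = []
    e_machine = struct.unpack_from("<H", elf, 18)[0]
    if e_machine != EM_ARM:
        problems.append(f"e_machine is {e_machine}, expected {EM_ARM} (ARM)")
    if start >= end:
        problems.append("start offset must be below end offset")
    align = 2 if is_thumb else 4  # Thumb code is 2-byte aligned, ARM code 4-byte
    if start % align or end % align:
        problems.append(f"offsets are not {align}-byte aligned for this mode")
    e_phoff = struct.unpack_from("<I", elf, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    covered = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 32 > len(elf):
            break  # truncated program header table
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        p_type, _, p_vaddr, _, p_filesz, _, p_flags, _ = struct.unpack_from("<8I", elf, off)
        if (p_type == PT_LOAD and p_flags & PF_X
                and p_vaddr <= start and end <= p_vaddr + p_filesz):
            covered = True
    if not covered:
        problems.append("range is not inside an executable PT_LOAD segment")
    return problems

def sample_elf(machine: int = EM_ARM) -> bytes:
    """Constructed sample: ELF32 header plus one R+X PT_LOAD covering 0..0x4000."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               3, machine, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, 0, 0, 0x4000, 0x4000, 0x5, 0x1000)
    return ehdr + phdr

if __name__ == "__main__":
    # Same offsets and Thumb flag as the example command above.
    print(preflight(sample_elf(), 0x342C, 0x3668, 1) or "arguments look sane")
```
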
