An arm32 ollvm like deofuscator,aim to remove obfuscation made by ollvm like compiler
An experimental ollvm like deofuscator,aim to remove obfuscation made by ollvm like compiler, exspecially FLA to make reverse engineering easier... 中文原理说明
In the future this will be possible through pypi.
Make sure you are using python 3.7.
pip install -r requirements.txt
If you have trouble getting the
keystone-enginedependency on Windows (as I did): 1. Clone their repository 2. Open a terminal inbindings/python3. Runpython setup.py install(Make sure you are using python 3.7) 4. Download theirWindows - Core enginepackage here for your python arch. 5. Put thekeystone.dllinC:\location_to_python\Lib\site-packages\keystone\.
3.run python deobf.py - the input ELF to remove obfuscate - output ELF - the trace file path of the target function, which contains the instruction trace, can be collect by ida trace break point.there is an example file tests/bin/data/ins-url.trc - the start offset of the target function - the end offset of the target function - 0/1 is the target function is thumb - <type> [optional] the detector type, not passing is ok for many case
example
python deobf.py tests/bin/libmakeurl2.4.9.so url.so tests/data/ins-url.trc 0x0000342C 0x00003668 1- This should deobf libmakeurl2.4.9.so JNIONLoad, you can see the output url.so JNIONLoad, has been simplified.