The Carbon Black Threat Analysis Unit (TAU) recently analyzed a series of malware samples that utilized compiler-level obfuscations. For example, opaque predicates were applied to Turla mosquito and APT10 ANEL. Another obfuscation, control flow flattening, was applied to APT10 ANEL and the Dharma ransomware packer.

ANEL (also referred to as UpperCut) is a RAT program used by APT10 and observed only in Japan. According to SecureWorks, all ANEL samples whose version is 5.3.0 or later are obfuscated with opaque predicates and control flow flattening. An opaque predicate is a programming term for a decision point where only one path can actually be taken; for example, a condition computed from a value that will always evaluate to True. Control flow flattening is an obfuscation method where programs do not cleanly flow from beginning to end. Instead, a switch statement is executed in an infinite loop, with multiple code blocks each performing operations, as detailed later in this paper in Figure 10.

The obfuscations looked similar to the ones explained in the Hex-Rays blog, but the IDA Pro plugin introduced there, HexRaysDeob, didn't work for one of the obfuscated ANEL samples because the tool was made for another variant of the obfuscation. TAU investigated the ANEL obfuscation algorithms and then modified the HexRaysDeob code to defeat the obfuscations. After the modification, TAU was able to recover the original code. The image below depicts an example of an obfuscated function:

Figure 1: obfuscated function example (the whole function does not fit on one screen)

The image below shows the same function once it has been deobfuscated:

Figure 2: de-obfuscated result of the same function

Details

HexRaysDeob is an IDA Pro plugin written by Rolf Rolles to address obfuscation seen in binaries. In order to perform the deobfuscation, the plugin manipulates the IDA intermediate language called microcode. If you aren't familiar with those structures (e.g., microcode data structures, maturity levels, Microcode Explorer and so on), you should read his blog post. Rolles also provides an overview of each obfuscation technique in the same post. HexRaysDeob installs two callbacks when loading:

- optinsn_t for defeating opaque predicates (defined as ObfCompilerOptimizer)
- optblock_t for defeating control flow flattening (defined as CFUnflattener)

Before continuing, it is important to understand Hex-Rays maturity levels. When a binary is loaded into IDA Pro, the application performs distinct layers of code analysis and optimization, referred to as maturity levels. One layer will detect shellcode, another optimizes it into blocks, another determines global variables, and so forth.
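To make the two obfuscations and the plugin's two callbacks concrete, the following toy unflattener is an added example (not HexRaysDeob or TAU code) that models at block level what CFUnflattener and ObfCompilerOptimizer do on microcode: each flattened block writes a constant into the dispatcher's state variable and jumps back to the `switch`, so the original graph is recovered by resolving every constant to the block the dispatcher would select, while a predicate that is constant over its whole input domain is an opaque predicate and collapses to a single live edge. The block names, state constants and predicates are constructed for this example, and the brute-force domain check stands in for the pattern matching a real optimizer would use.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Block:
    """One original basic block as it appears inside the flattened loop."""
    name: str
    ops: List[str]                              # straight-line statements (constructed)
    true_state: Optional[int]                   # state constant written on fall-through / taken branch
    false_state: Optional[int] = None           # second constant, only for conditional blocks
    cond: Optional[Callable[[int], bool]] = None  # branch predicate over a byte-wide input

def is_opaque(cond: Callable[[int], bool], domain=range(256)) -> Optional[bool]:
    """True/False if `cond` has the same value for every input, None if it really branches."""
    results = {bool(cond(x)) for x in domain}
    return results.pop() if len(results) == 1 else None

def unflatten(dispatcher: Dict[int, str], blocks: List[Block], start_state: int) -> Dict[str, List[str]]:
    """`dispatcher` maps each switch-case constant to its block, as in
    `for(;;) switch(state) { case 0x3A1: ... }`. Returns the recovered CFG as
    block name -> direct successors, dropping arms an opaque predicate can never take."""
    by_name = {b.name: b for b in blocks}
    cfg: Dict[str, List[str]] = {}
    work = [dispatcher[start_state]]
    while work:
        name = work.pop()
        if name in cfg:
            continue
        b = by_name[name]
        if b.cond is None:                      # unconditional block: one state constant
            succ_states = [b.true_state]
        else:
            verdict = is_opaque(b.cond)
            if verdict is None:                 # genuine branch: keep both edges
                succ_states = [b.true_state, b.false_state]
            else:                               # opaque predicate: only one arm is live
                succ_states = [b.true_state if verdict else b.false_state]
        cfg[name] = [dispatcher[s] for s in succ_states if s is not None]
        work.extend(cfg[name])
    return cfg

# Constructed flattened function: five cases behind one dispatcher.
DISPATCHER = {0x3A1: "entry", 0x77: "check_key", 0x1F: "decrypt", 0xC2: "junk", 0x05: "done"}
BLOCKS = [
    Block("entry", ["buf = read()"], 0x77),
    Block("check_key", ["key = buf[0]"], 0x1F, 0xC2, cond=lambda k: (k * (k + 1)) % 2 == 0),  # always even: opaque
    Block("junk", ["crash()"], 0x05),                                                          # dead arm
    Block("decrypt", ["out = rc4(buf, key)"], 0x05, 0x3A1, cond=lambda k: k > 0x7F),          # real branch
    Block("done", ["return out"], None),
]

def recovered_cfg() -> Dict[str, List[str]]:
    return unflatten(DISPATCHER, BLOCKS, 0x3A1)
```

The recovered graph keeps only `entry -> check_key -> decrypt -> {done, entry}`; the `junk` block reachable solely through the opaque predicate's false arm disappears, which is what the decompiler output in Figure 2 reflects after the plugin runs.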