Continuing the tradition from 2017, the topic for my annual InfoSec-related hackathon is code deobfuscation.
We will be focusing only on x86_64 Mach-Os obfuscated by my 2017 Christmas project and ignore all multi-stage obfuscations, to keep this small toy project as trivial as possible. As there has been a ton of similar research on solving such tasks with overkill weapons like symbolic execution and dynamic taint analysis (and because I'm extremely new to this field), I decided to take a purely static approach, as in we are not attempting to do much more than a traditional static decompiler. Here are some theories I designed that should hopefully be more than enough for our task. It's suggested that the reader have some LLVM background prior to reading through this article; however, LLVM is rarely mentioned and the reader should be able to guess the meaning of the LLVM-related parts without too much hassle.
Cross-Platform VMProtect with LLVM
I finally had enough fun building LLVM transform obfuscation passes and decided to build a VMProtect-like obfuscation mechanism.
PhiNode in LLVM
PhiNode is one of the most confusing concepts in compiler intermediate languages. This post attempts to introduce the concept and various fun aspects of it.
Porting Hikari to Swift/Clang and Build for Production
Since Apple's development tools contain a bunch of modifications that will probably never see the light of day in LLVM upstream, and Swift contains the latest open-source Apple fork of LLVM at the moment, it's probably wise to port Hikari to Swift instead of using the upstream.
Bug in Obfuscator-LLVM's Bogus Control Flow
@Ouroburos sent me an IR which crashes Obfuscator-LLVM. So the investigation begins.
Bug in StringEncryption Pass Armariris
I'm preparing a new StringEncryption pass for Hikari, aiming to fix various drawbacks of previous implementations.
The most famous one among those implementations would be GoSSIP-SJTU/Armariris.
You can read the pass’s full source HERE
AntiDebugging Implementation Notes
The current implementation of AntiDebugging simply injects inline assembly at function start and only works on iOS.
Since it's now possible to hook sysent on (certain versions of) iOS, an inline ptrace() call alone is no longer safe.
Here are a few more ideas to be implemented.
FunctionCallSite/Symbol Obfuscation Implementation Notes
By design, Function CallSite Obfuscation aims to replace direct call/invoke instructions with dlsym() equivalents at the IR level.
Symbol Obfuscation also suffers from the exact same issues.
Anti class-dump Implementation Notes
The core idea of acd is to extract ObjC class information and create everything at a program-controlled stage instead of letting libObjC do the initialization for us.
Neowiz Protocols
A similar API protocol is used for all Neowiz games.