Believe Be:leave

de_obf Part1: Theory

Posted on 2018-12-01 | Edited on 2018-12-02

Continuing the tradition from 2017, the topic for my annual InfoSec-related hackathon is code deobfuscation.
We will focus only on x86_64 Mach-Os obfuscated by my 2017 Christmas project and ignore all multi-stage obfuscations, to keep this small toy project as trivial as possible. Since there has already been a lot of similar research on solving such tasks with overkill weapons like symbolic execution and dynamic taint analysis (and because I am extremely new to this field), I decided to take a purely static approach: we will not attempt to do much more than a traditional static decompiler does. Here are some theories I designed that should hopefully be more than enough for our task. The reader is advised to have some LLVM background before reading this article; however, LLVM is rarely mentioned, and the reader should be able to infer the meaning of the LLVM-related parts without too much hassle.


Cross-Platform VMProtect with LLVM

Posted on 2018-08-08 | Edited on 2018-08-28

I finally had enough fun building LLVM transform obfuscation passes and decided to build a VMProtect-like obfuscation mechanism.


PhiNode in LLVM

Posted on 2018-06-04 | Edited on 2018-06-05

PhiNode is one of the most confusing concepts in compiler intermediate languages. This post attempts to introduce the concept and various fun aspects of it.


Porting Hikari to Swift/Clang and Build for Production

Posted on 2018-02-13 | Edited on 2018-02-23

Apple's development tools contain a bunch of modifications that will probably never land in LLVM upstream, and Swift currently contains the latest open-source Apple fork of LLVM. It is therefore probably wise to port Hikari to Swift's fork instead of building on upstream.


Bug in Obfuscator-LLVM's Bogus Control Flow

Posted on 2017-12-27 | Edited on 2017-12-28

@Ouroburos sent me an IR file that crashes Obfuscator-LLVM. So the investigation begins.


Bug in StringEncryption Pass Armariris

Posted on 2017-12-26 | Edited on 2018-04-09

I am preparing a new StringEncryption pass for Hikari, aiming to fix various drawbacks of previous implementations.
The most famous of those implementations is GoSSIP-SJTU/Armariris.
You can read the pass's full source HERE.


AntiDebugging Implementation Notes

Posted on 2017-12-21 | Edited on 2017-12-28

The current implementation of AntiDebugging simply injects inline assembly at function start and only works on iOS.
Since it is now possible to hook sysent on (certain versions of) iOS, an inline ptrace() call alone is no longer safe.
Here are a few more ideas to be implemented.


FunctionCallSite/Symbol Obfuscation Implementation Notes

Posted on 2017-12-21 | Edited on 2017-12-28

By design, Function CallSite Obfuscation aims to replace direct call/invoke instructions with dlsym() equivalents at the IR level.
Symbol Obfuscation suffers from exactly the same issues.


Anti class-dump Implementation Notes

Posted on 2017-12-21 | Edited on 2017-12-28

The core idea of acd (anti class-dump) is to extract the ObjC class information and create everything at a program-controlled stage, instead of letting libobjc do the initialization for us.


Neowiz Protocols

Posted on 2017-11-08 | Edited on 2018-04-16

A similar API protocol is used for all Neowiz games.


Naville Zhang

It was a magnificent cherry blossom, but it will never bloom again.

© 2018 Naville Zhang