hnedka
November 12th, 2009, 09:24
CodeDoctor is a new plugin for Olly and IDA that can deobfuscate binary code and unpack AsProtect.
Olly version:
http://rapidshare.com/files/305337227/CodeDoctor.rar
IDA version:
http://rapidshare.com/files/305938009/CodeDoctor__IDA_Edition_.rar
________________________________________________________________________________
Functions:
1) Deobfuscate
Select instructions in the disasm window and execute this command. It will try
to clear the code of junk instructions.
Example:
Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI
Deobfuscated:
00874372 83C3 04 ADD EBX,4
Limitations:
- I worked hard on this, but don't expect perfect results; it differs from protector to protector.
________________________________________________________
2) Deobfuscate - Single Step
This works like the previous command, but does one transformation at a time.
_______________________________________________________
3) Move NOPs to bottom
Converts this:
00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
to this:
00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
Limitations: it breaks all jumps and calls pointing inwards.
________________________________________________________
4) Undo / Redo
Undo or Redo the last operation (from one of the above functions).
________________________________________________________
5) Retrieve Jumpy function (Olly only)
This will statically parse instructions and follow all jumps. This is useful
for situations where the program jumps here and there and here and there... When
it encounters some instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.
Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch
Example:
Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B |43 INC EBX
0087438C |41 INC ECX
0087438D |42 INC EDX
0087438E |EB 07 JMP SHORT somesoft.00874397
00874390 \B8 07000000 MOV EAX,7
00874395 ^ EB F4 JMP SHORT somesoft.0087438B
00874397 C3 RET
Result:
003B0000 B8 07000000 MOV EAX,7
003B0005 43 INC EBX
003B0006 41 INC ECX
003B0007 42 INC EDX
003B0008 C3 RET
Limitations:
- not tested much, buggy
________________________________________________________
6) Rebuild RSRC and Realign (Olly Only)
This function has some limited use when unpacking. It opens the debugged file
from disk. Then it retrieves all resources and rebuilds them in one place
(currently it rebuilds them only to the original place in the exe). Then it realigns the file
and saves it under a new name.
When is this useful? For example when unpacking aspack/asprotect or some other
packers. These steal some resources from their original place and put them in their own
section, therefore increasing the overall size and preventing you from cutting the
packer's section. It also prevents Resource Hacker from displaying these resources.
This puts all resources in one place.
___________________________________________________
7) AsProtect Unpacker (Olly Only)
This will unpack a file packed by AsProtect, fix it, dump asprotect.dll
and print various information to a text file. Please report targets where it fails.
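To make the constant folding behind function 1) concrete, here is an added Python example (not CodeDoctor's code and not from the post) that works through the post's own PUSH/MOV/AND/XOR/ADD/POP listing: the saved-and-restored scratch register only ever holds a constant, so its arithmetic is evaluated at analysis time, the one read of it is replaced by the result, and the junk around it is dropped, yielding ADD EBX,4. The mnemonic table and the Olly listing format it parses are assumptions made for this toy.

```python
import re

# Constructed input: the post's "Deobfuscate" example, in OllyDbg listing format.
JUNK_LISTING = """
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI
"""

MNEMONICS = {"PUSH", "POP", "MOV", "AND", "OR", "XOR", "ADD", "SUB"}   # toy table (assumption)
ALU = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b,
       "ADD": lambda a, b: (a + b) & 0xFFFFFFFF, "SUB": lambda a, b: (a - b) & 0xFFFFFFFF}
IMM = re.compile(r"[0-9A-F]{1,8}")      # hex immediate as Olly prints it

def parse(listing):
    """Return [(mnemonic, [operands])], skipping the address and opcode bytes."""
    insns = []
    for line in listing.strip().splitlines():
        toks = line.split()
        i = next(k for k, t in enumerate(toks) if t in MNEMONICS)
        insns.append((toks[i], [o.strip() for o in " ".join(toks[i + 1:]).split(",") if o.strip()]))
    return insns

def deobfuscate(insns):
    """A register that is PUSHed, loaded with an immediate and POPped again only carries a
    constant: evaluate its arithmetic here, substitute the result where it is read, drop the junk."""
    saved, value, out = {}, {}, []        # reg -> slot of its PUSH in out; reg -> constant
    for mnem, ops in insns:
        dst, src = (ops + [None, None])[:2]
        if mnem == "MOV" and dst in saved and IMM.fullmatch(src or ""):
            value[dst] = int(src, 16)
        elif dst in value and mnem in ALU and IMM.fullmatch(src or ""):
            value[dst] = ALU[mnem](value[dst], int(src, 16))
        elif dst in value and mnem == "POP":
            out[saved.pop(dst)] = None        # original value restored: drop PUSH and POP
            del value[dst]
        elif dst in value or any(r in o and r != o for r in value for o in ops):
            raise ValueError("cannot fold %s %s" % (mnem, ops))   # e.g. MOV EDI,EAX or [EDI]
        else:
            if mnem == "PUSH":
                saved[dst] = len(out)
            elif mnem == "POP":
                saved.pop(dst, None)
            if src in value:                  # read of a scratch register -> its constant
                src = "%X" % value[src]
            out.append((mnem, [o for o in (dst, src) if o is not None]))
    return [insn for insn in out if insn is not None]
```

A register that is written with a constant but never restored is left alone, since the code after the sequence may still depend on it.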
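Likewise for function 5), an added example (again not CodeDoctor's code) that statically follows the JMPs in the post's listing and rebuilds the straight-line copy at the 003B0000 base shown in the Result, computing the new addresses from the opcode byte lengths; the step-over settings are modelled as flags, and a revisited address is treated as a loop and stops the walk. The base address, the mnemonic table, and reading "follow" as "treat the branch like a JMP" are assumptions.

```python
import re

# Constructed input: the post's "Retrieve Jumpy function" example, with OllyDbg's
# flow arrows (/ | \ ^) left in as they appear in the disasm window.
JUMPY_LISTING = r"""
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B |43 INC EBX
0087438C |41 INC ECX
0087438D |42 INC EDX
0087438E |EB 07 JMP SHORT somesoft.00874397
00874390 \B8 07000000 MOV EAX,7
00874395 ^ EB F4 JMP SHORT somesoft.0087438B
00874397 C3 RET
"""

MNEMONICS = {"JMP", "CALL", "RET", "INC", "DEC", "MOV", "PUSH", "POP", "JE", "JNE", "JZ", "JNZ"}
TARGET = re.compile(r"([0-9A-F]{8})$")          # "somesoft.00874390" -> 00874390

def parse(listing):
    """Map address -> (size in bytes, 'bytes mnemonic operands', mnemonic, branch target)."""
    insns = {}
    for line in listing.strip().splitlines():
        toks = [t for t in (t.strip("/|\\^") for t in line.split()) if t]
        i = next(k for k, t in enumerate(toks) if t in MNEMONICS)
        m = TARGET.search(" ".join(toks[i + 1:]))
        insns[int(toks[0], 16)] = (sum(len(t) // 2 for t in toks[1:i]), " ".join(toks[1:]),
                                   toks[i], int(m.group(1), 16) if m else None)
    return insns

def retrieve(insns, entry, base=0x003B0000, step_over_calls=True, step_over_jccs=True):
    """Statically walk from `entry`: unconditional JMPs are followed, not copied; every
    other instruction is copied to a fresh listing at `base`. Stops at RET, at a branch
    whose target is not a constant, outside the listing, or on a revisit (a loop)."""
    out, addr, seen = [], entry, set()
    while addr in insns and addr not in seen:
        seen.add(addr)
        size, text, mnem, target = insns[addr]
        is_jcc = mnem.startswith("J") and mnem != "JMP"
        follow = mnem == "JMP" or (mnem == "CALL" and not step_over_calls) or (is_jcc and not step_over_jccs)
        if follow:
            if target is None:                      # JMP reg / CALL [mem]: cannot follow statically
                break
            addr = target
            continue
        out.append("%08X %s" % (base, text))        # relocated textual copy of the instruction
        base += size
        if mnem == "RET":
            break
        addr += size                                # fall through (step over CALL / Jcc)
    return out
```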