整理了一些ollvm对抗的文章,大家可以参考。ollvm还原主要有静态分析的方法和动态分析的方法。无论哪种方法基本流程都是:找到所有基本块(特征匹配)-确定真实块之间的关联(静态的:符号执行/反编译器提供的IL的API;动态的:模拟执行/IDA trace)-patch原程序
利用符号执行去除控制流平坦化: f1dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6k6h3y4#2M7X3W2@1P5g2)9J5k6i4c8W2L8X3y4W2L8Y4c8Q4x3X3g2U0L8$3#2Q4x3V1k6A6L8X3c8W2P5q4)9J5k6i4m8Z5M7q4)9J5c8X3u0D9L8$3N6Q4x3V1k6E0M7$3N6Q4x3V1j5I4x3e0t1`.利用angr符号执行去除虚假控制流: https://bbs.pediy.com/thread-266005.htmTetCTF2022一道代码混淆题分析——crackme_pls: https://bbs.pediy.com/thread-271164.htmAngr Control Flow Deobfuscation: 6b5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4y4W2j5i4u0U0K9q4)9J5k6h3!0H3k6h3&6S2L8X3q4D9P5i4y4A6M7#2)9J5k6h3&6W2N6q4)9J5c8X3q4F1k6%4u0Q4x3V1k6K6P5h3#2T1L8$3I4A6j5#2)9J5y4e0t1H3k6i4S2W2j5%4g2@1K9h3!0F1i4K6u0r3k6r3g2G2j5X3k6#2M7$3y4S2N6r3W2G2L8W2)9J5c8Y4u0W2M7$3g2S2M7X3y4Z5i4K6u0r3x3U0l9J5x3W2)9J5c8U0l9K6i4K6u0r3x3U0k6Q4x3V1k6S2L8X3N6J5i4K6g2X3L8X3!0@1k6i4y4Q4x3X3g2Z5N6r3#2D9
Deobfuscation: recovering an OLLVM-protected program:89fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2M7i4g2S2M7X3E0K6L8r3q4T1i4K6u0W2j5$3!0E0i4K6u0r3k6r3g2G2j5X3k6#2M7$3y4S2N6r3W2G2L8W2)9J5k6s2u0W2j5$3!0$3k6i4u0A6L8X3N6Q4x3X3c8S2L8W2)9J5k6r3!0D9L8s2k6E0i4K6u0V1M7s2u0G2N6r3g2U0N6r3g2V1i4K6u0V1M7s2u0G2k6%4u0S2L8g2)9J5k6h3S2@1L8h3H3`.我印象中quarkslab这篇文章是最早的关于去ollvm混淆的文章,有点老了,不过还是值得学习。MODeflattener - Miasm's OLLVM Deflattener: 560K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7Y4b7@1L8Y4c8J5y4q4)9J5k6h3N6A6N6r3S2#2j5W2)9J5k6h3W2G2i4K6u0r3e0f1!0p5k6h3k6D9j5i4c8@1k6h3&6W2M7W2)9J5c8R3`.`.
c60K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6d9L8$3I4X3f1X3!0D9L8r3g2K6i4K6u0r3d9r3g2^5f1X3q4&6M7@1c8W2L8$3t1`.229K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6k6r3q4H3P5i4c8Z5L8$3&6Q4x3V1k6H3P5h3S2W2P5s2u0S2P5i4y4V1k6h3!0T1相关文章:b09K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Z5k6i4S2Q4x3X3c8J5j5i4W2K6i4K6u0W2j5$3!0E0i4K6u0r3j5X3I4G2k6#2)9J5c8X3S2W2P5q4)9J5k6s2u0S2P5i4y4Q4x3X3c8E0K9h3y4J5L8$3y4G2k6r3g2Q4x3X3c8S2M7r3W2Q4x3X3c8$3M7#2)9J5k6r3!0T1k6Y4g2K6j5$3q4@1K9h3&6Y4i4K6u0V1j5$3!0E0M7r3W2D9k6i4u0Q4x3V1j5`.b6eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3K9i4u0#2M7$3u0#2L8r3I4W2N6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3N6i4m8D9L8$3q4V1M7#2)9J5c8Y4m8V1k6W2)9J5c8X3y4G2L8X3k6W2M7X3g2F1j5$3g2Q4y4h3k6K6L8r3W2V1k6i4y4Q4x3V1j5J5x3o6p5&6i4K6u0r3g2V1t1J5x3o6p5&6i4K6u0V1d9r3q4J5N6i4W2S2L8h3q4Q4x3X3g2H3k6r3j5`.基于Microcode的IDA反编译代码优化插件(目前暂未开源): a9bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6G2j5Y4m8G2i4K6u0V1M7s2u0G2K9X3g2U0N6q4)9J5c8X3!0T1M7r3!0Q4x3X3c8H3L8s2g2Y4K9h3^5`.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
学习
