5

VM packers like Code Virtualizer and VMProtect seem challenging to existing reverse engineering work, especially static approach like IDA Pro.

According to this slides

www.hex-rays.com/products/ida/support/ppt/caro_obfuscation.ppt

from Hex-rays, IDA Pro requires experienced reverse engineer to manually recognize the opcode array and understand the semantic, then decode the bytecode array..

I myself use IDA Pro to deal with simple quicksort program using Code Virtualizer, and I can share two pics.

enter image description here

See, I use Code Virtualizer to protect this part and IDA Pro can not go to 0X599050h.

enter image description here

See, the size of relocation section has a significant growth.

So my questions:

  1. Can IDA Pro automatically deal with VM obfuscated binaries?
  2. Any other interesting materials on the state-of-art in this area?

Thank you!

lllllllllllll
  • 2,485
  • 2
  • 32
  • 50

2 Answers2

9

Regarding question #1, no IDA does not handle obfuscated binaries.

You might be interested by the Virtual Deofbuscator talk Jason Raber gave at Blackhat last year, he also released an IDA plugin and the source code is available.

ekse
  • 2,208
  • 13
  • 19
1

There's now (from 2020) a plugin for IDA Pro that helps in working with obfuscated binaries. It is called D810: Creating an extensible deobfuscation plugin for IDA Pro.

auspicious99
  • 474
  • 3
  • 16
  • That's a blatant misrepresentation. D-810 helps deal with obfu in pseudo-decompiled functions, and isn't going to be a lick of help in decoding VMProtected or other kind of "decrypt at loadtime" protection. All D-810 is going to do is make the psuedo-decompiled functions slightly easier to read. Not that this isn't awesome, it's just not addressing the OPs concern. – Orwellophile Mar 01 '21 at 07:17