  #3  
Old 12-08-2016, 08:53
t3xc0d3
Friend
The movfuscator and its variations are mostly broken. For instance, have a look at this talk:

description: https://recon.cx/2016/talks/%22Movfuscator-Be-Gone.html
video: https://www.youtube.com/watch?v=d_R8i0dVBsQ
code: https://github.com/kirschju/demovfuscator
thesis/writeup: https://kirschju.re/static/ba_jonischkeit_2016.pdf

Others have broken the movfuscator earlier: https://twitter.com/tathanhdinh/status/634165703558434816

Symbolic execution is also quite successful on this kind of obfuscation. If you mix it with some taint analysis, there should not be much left. For great work on generic obfuscation, have a look at https://www.cs.arizona.edu/people/debray/Publications/generic-deobf.pdf.

Last edited by t3xc0d3; 12-08-2016 at 18:28.