![]() The BN team recommended that I do try this in C++ and definitely don't try this in Python. The way that we hook into the Binary Ninja lifters is by using their Workflow API. We'll look into 2 potential options, but first, let's take a look at how to build a basic workflow to hook into the analysis and make our own changes. What we want to do is hook the LLIL and convert this LowLevelILRet instruction into something that the higher level ILs can handle properly. In practice it's not being clever here, it literally just has a return statement on line 6. I initially thought that the LLIL had actually interpreted the push/pop/jump correctly, but this is actually just the notation for printing a return statement. The low level IL makes it a bit more clear what is happening here: There's a var declared that isn't used either, this is kind of weird. This is quite confusing from the high level IL, as it looks like it's calling a syscall and returning the response. As we can see, it picks up the initial function right through to the RET opcode and then stops, and it doesn't find the rest of the function: We'll start with a simple app that we can load up into Binary Ninja, source code is here. For a decompiler/lifter it's also generally important to trust RET opcodes and turn them into return statements, and this is why it's using PUSH/RET combinations is a good obfuscation tool. ![]() It's normal for a disassembler explore a function, traversing all branches, and terminate each when it gets to a RET opcode. ![]() The PUSH before the return here is actually the address we're about to jump to The RET/ RETN opcode in x86/圆4 pops the stack and jumps to that address If you've been reversing x86/圆4 for a while then you will have definitely come across functions that end like this:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |