1. Introduction
In this lesson we'll talk about using Ariadne deobfuscation techniques with the most popular user-mode debuggers - OllyDbg 1.10 and Immunity Debugger. Since these debuggers are a little bit similar to each other :) we'll work with OllyDbg 1.10 (the same steps also apply to Immunity Debugger).
To work with OllyDbg 1.10 you need to download the Ariadne deobfuscation plugin for OllyDbg 1.10. To understand this lesson more deeply it's recommended to read Lesson 1 first. So let's begin!
2. Plugin components
- ariadne.dll - the framework DLL, which can be obtained from the official site and can also be upgraded from the demo to the full version
- ariadne_plugin.dll - the plugin which interacts with OllyDbg
- ariadne_stub.exe - an additional stub which receives the parameters, does all the optimization and passes the results back to the plugin
3. Prot.exe trace deobfuscation
We'll deobfuscate the sample from Lesson 1. The protected executable can be downloaded here. Open it with OllyDbg 1.10, navigate to the code fragment you want to deobfuscate in the disassembler window and go to Main menu->Plugins->Ariadne optimizer, or right-click in the disassembler window and pick the Ariadne optimizer item from the context menu, or press the Alt+D shortcut in the disassembler window, to show the main plugin window.
Fill in the Start trace RVA, End trace RVA, Internal context start VA and Internal context end VA fields as on the picture above and then press the Run stub button. Wait a few seconds and you'll see the following Notepad window.
This picture shows the result of the trace deobfuscation in Ariadne IR.
4. Under the hood
When one opens the Ariadne optimizer window the following happens:
- A check is made that the code selected in the disassembler window belongs to an executable module; otherwise an error is reported
- The Source PE file field is filled with the path of the source file taken from OllyDbg
- A temporary log file is generated automatically in the Temp directory with the alf (Ariadne Log File) prefix
- Start trace RVA is filled with the current cursor position in the disassembler window
- End trace RVA is filled with the end of the current function as determined by OllyDbg if possible, or with the next instruction after the current one otherwise
- The other fields are filled with default values
- The main window with the filled fields is shown
- A check for the existence of the source PE file is made; the plugin exits if it fails
- Because Ariadne disassembles the file by itself and uses the default image base, Internal context start VA and Internal context end VA are recalculated if they belong to the module being deobfuscated; otherwise a warning is shown
- The stub process is run with the given parameters via its command line
- The stub does the following:
  - Parses the passed parameters
  - Disassembles the passed source file
  - If the passed Run under debugger parameter says so, runs the process, stops at Start trace RVA and reads the register values from the debugger into the emulator context; otherwise fills the emulator context with default values
  - Generates a trace within the limits given by Start trace RVA and End trace RVA using the emulator and the initial context values from the previous step; Internal context start VA and Internal context end VA are also used here
  - Optimizes the generated trace with the passed flags (Static optimization, Dynamic optimization and Preserve lower stack)
  - Writes the optimized listing to the passed Temporary log file
- The following actions are done in a separate thread, which uses a marker to allow only one instance of the optimizer to run at a time:
  - The plugin waits for the stub to finish or for the user to press the Cancel button in the waiting window. In the latter case the stub process is killed and the optimization fails
  - When the stub process has finished, its return value is checked to ensure the optimization ran successfully; the plugin exits otherwise
  - The Temporary log file is checked for existence; the plugin exits if it is missing
  - The Temporary log file is opened in Notepad and then deleted
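The address bookkeeping in the list above is where things usually go wrong in practice, so here is an added example (not Ariadne's own code, which is not public) that models how a plugin derives Start trace RVA and End trace RVA from the debugger's cursor and rebases the Internal context VAs from the base at which OllyDbg mapped the module to the PE's default ImageBase that Ariadne works with, emitting a warning instead of a silent wrong address when a VA lies outside the module. The Module fields, function names and all addresses are constructed for illustration; the no-relocation case mirrors a typical EXE loaded at its preferred base, the second case a module mapped elsewhere.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Module:
    """What the debugger knows about a mapped module (fields assumed for illustration)."""
    name: str
    loaded_base: int        # base at which the debugger actually mapped the module
    size_of_image: int      # PE OptionalHeader.SizeOfImage
    default_imagebase: int  # PE OptionalHeader.ImageBase, the base a static disassembly uses

    def contains(self, va: int) -> bool:
        return self.loaded_base <= va < self.loaded_base + self.size_of_image


@dataclass
class StubParams:
    """Fields handed to the stub; VAs are already in the default-ImageBase address space."""
    start_trace_rva: int
    end_trace_rva: int
    ctx_start_va: int
    ctx_end_va: int
    warnings: List[str] = field(default_factory=list)


def va_to_rva(va: int, module: Module) -> int:
    """RVA relative to the loaded base; an address outside the module is an error."""
    if not module.contains(va):
        raise ValueError(f"{va:#010x} does not belong to {module.name}")
    return va - module.loaded_base


def rebase_context_va(va: int, module: Module) -> Optional[int]:
    """Translate a runtime VA into the default-ImageBase address space.
    Returns None when the VA is not inside the module, which the caller turns into a warning."""
    if not module.contains(va):
        return None
    return va - module.loaded_base + module.default_imagebase


def prepare_stub_params(cursor_va: int, function_end_va: Optional[int], next_insn_va: int,
                        ctx_start_va: int, ctx_end_va: int, module: Module) -> StubParams:
    """Fill the fields the way the plugin does: cursor -> Start trace RVA, end of function
    (or the next instruction when the debugger cannot find the function end) -> End trace RVA,
    context VAs rebased, with a warning and the value left unchanged when out of range."""
    start_rva = va_to_rva(cursor_va, module)
    end_va = function_end_va if function_end_va is not None else next_insn_va
    end_rva = va_to_rva(end_va, module)
    params = StubParams(start_rva, end_rva, ctx_start_va, ctx_end_va)

    rebased_start = rebase_context_va(ctx_start_va, module)
    if rebased_start is None:
        params.warnings.append(
            f"Internal context start VA {ctx_start_va:#010x} is outside {module.name}; passed unchanged")
    else:
        params.ctx_start_va = rebased_start

    rebased_end = rebase_context_va(ctx_end_va, module)
    if rebased_end is None:
        params.warnings.append(
            f"Internal context end VA {ctx_end_va:#010x} is outside {module.name}; passed unchanged")
    else:
        params.ctx_end_va = rebased_end
    return params


if __name__ == "__main__":
    # Constructed scenario 1: EXE mapped at its preferred base, so rebasing is the identity.
    exe = Module("prot.exe", loaded_base=0x00400000, size_of_image=0x10000, default_imagebase=0x00400000)
    p = prepare_stub_params(0x00401000, 0x00401234, 0x00401005, 0x00403000, 0x00404000, exe)
    print(f"{exe.name}: start RVA {p.start_trace_rva:#x}, end RVA {p.end_trace_rva:#x}, "
          f"ctx {p.ctx_start_va:#010x}-{p.ctx_end_va:#010x}, warnings={p.warnings}")

    # Constructed scenario 2: module mapped away from its preferred base, function end unknown,
    # and a context end VA that points outside the module (e.g. into another mapping).
    dll = Module("reloc.dll", loaded_base=0x00520000, size_of_image=0x10000, default_imagebase=0x00400000)
    q = prepare_stub_params(0x00521000, None, 0x00521005, 0x00523000, 0x7FFE0000, dll)
    print(f"{dll.name}: start RVA {q.start_trace_rva:#x}, end RVA {q.end_trace_rva:#x}, "
          f"ctx {q.ctx_start_va:#010x}-{q.ctx_end_va:#010x}")
    for w in q.warnings:
        print("warning:", w)
```

The second scenario is the one to watch for: an RVA is stable across relocations, but a VA typed from the debugger's view is only meaningful to a static disassembler after it has been shifted to the default ImageBase, and a VA outside the module cannot be shifted at all, so it is reported rather than silently adjusted.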
5. Unification
As you can see, the steps to deobfuscate a protected sample with OllyDbg 1.10 (or Immunity Debugger) are almost the same as the ones for IDA Pro. That is, the Ariadne engine's operation and the deobfuscation result do not depend on the tool it is used with.
6. Links
Ariadne official site
Ariadne Demo version
Ariadne plugin for OllyDbg 1.10
Ariadne plugin for Immunity Debugger
A protected sample
Lesson 1: How to play with Ariadne deobfuscation plugin for IDA
Stay tuned for more! :)
Best Regards, Ariadne Team.