1. Introduction
In this post we'll talk about some useful features of our new Ariadne engine version we want to release soon. Firstly, we fixed a lot of bugs :) and we want to thank all the people who kindly provided feedback to help us improve our engine. We are pleased that our engine is interesting for community of reversers and other communities. So, let's talk about features!
2. Generate CFG trace
We have added a new function to our engine - AirGenerateCFGTrace. This function generates intermediate code for the Ariadne IR from the binary (executable file). It traces the executable file within the given limits, based on the emulator and the initial values in the context, and translates it into the intermediate representation. Unlike AirGenerateTrace function, if it meets conditional jump it follows both branches thus generating more complete code.
So, now we can to deobfuscate almost complete CFG.
3. New IR generation and deobfuscation settings
Now we can tell a deobfuscator to preserve flags (rFLAGS register in machine code) upon branches to a dynamically calculated location during code generation and upon exit from optimized code during code optimization. This can be useful if some flags which are modified in obfuscated code are used later outside of this code. But having this option set may also result in larger optimized code.
4. A pre-release new Ariadne plugin for IDA video sample
See it for yourself.
Stay tuned for more!
Best Regards, Ariadne Team.
In this post we'll talk about some useful features of our new Ariadne engine version we want to release soon. Firstly, we fixed a lot of bugs :) and we want to thank all the people who kindly provided feedback to help us improve our engine. We are pleased that our engine is interesting for community of reversers and other communities. So, let's talk about features!
2. Generate CFG trace
We have added a new function to our engine - AirGenerateCFGTrace. This function generates intermediate code for the Ariadne IR from the binary (executable file). It traces the executable file within the given limits, based on the emulator and the initial values in the context, and translates it into the intermediate representation. Unlike AirGenerateTrace function, if it meets conditional jump it follows both branches thus generating more complete code.
So, now we can to deobfuscate almost complete CFG.
3. New IR generation and deobfuscation settings
Now we can tell a deobfuscator to preserve flags (rFLAGS register in machine code) upon branches to a dynamically calculated location during code generation and upon exit from optimized code during code optimization. This can be useful if some flags which are modified in obfuscated code are used later outside of this code. But having this option set may also result in larger optimized code.
4. A pre-release new Ariadne plugin for IDA video sample
See it for yourself.
Stay tuned for more!
Best Regards, Ariadne Team.
No comments:
Post a Comment