Mergen is a tool engineered to convert Assembly code into LLVM Intermediate Representation (IR). This tool is designed for:
- The deobfuscation or devirtualization of obfuscated binary code
- The enhancement of the reverse engineering process, making it more efficient and effective, especially for complex software systems.
-
Parsing Assembly to LLVM IR:
Initial Step: Mergen begins by parsing existing Assembly instructions into LLVM Intermediate Representation.
Process: It continues this parsing process until it encounters a jump instruction or a return.
asm_to_zydis_to_liftparses bytes to zydis Instructions to be lifted into llvm ir in the functionliftInstruction. -
Analyzing Jumps and Returns:
Jump Analysis: When a jump instruction is encountered, Mergen checks if the jump destination is a constant value.
Return Analysis: For return instructions, the tool assesses whether the
retis part of a standard function return or a Return-Oriented Programming gadget used for jumping to the next handler. This involves checking for any modifications to the instruction pointer (xIP). -
Solving Jump Destinations:
Destination Resolution: If the jump is not to a constant or the return is identified as an ROP gadget, Mergen resolves where the control flow is intended to jump next.
-
Iterative Parsing and Analysis:
Looping Process: The tool repeats the process from step 1, parsing subsequent asm instructions into LLVM IR.
Termination Condition: This iteration continues until Mergen identifies a real
retinstruction. A real ret is confirmed when the stack pointer (xSP) at the end of the function matches the xSP value at the start of the function.
Join our Mergen Discord Server to trade ideas or just chatting in general.