Skip to content

whereisr0da/DeXoredMovs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

DeXorMov

DeXorMov

 
 

.gitignore

.gitignore

 
 

DeXorMov.sln

DeXorMov.sln

 
 

README.md

README.md

 
 

demo.png

demo.png

 
 

Repository files navigation

DeXoredMovs

A xored mov's deobfuscator for intel x86 asm

Intro

In intel x86 asm, mov instructions can be obfuscated like this :

# original instruction
mov eax, [esp]    # eax <- [esp]

# obfuscated
xor eax, eax      # eax <- 0
xor eax, [esp]    # eax(0) ^= [esp] : eax <- [esp]

So my tool just loop over all instructions of a code section buffer and replace each obfuscated xor operations by the original

I will update this tool with a full executable modification (just specify the executable in args and this will change the section) when my Serana Library have the modification update.

Dependencies

A cool C# disassembler lib : SharpDisasm

Usage

usages : [options] [output] [input]
         -d 0 : show disassembly of the code
            1 : show old xor before deobfuscation
            2 : show old xor before deobfuscation without nops
         -h : show usages

Example

DeXoredMovs.exe codeSectionCleaned _text
DeXoredMovs.exe -d 1 codeSectionCleaned _text

License

Creative Commons Attribution-NonCommercial-NoDerivatives

About

A xored mov's deobfuscator

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages