- Ilfak's presentation at Recon 2018
- Microcode in pictures
- Hex-Rays Microcode API vs. Obfuscating Compiler
- Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK
The ctree is built from the optimized microcode (maturity level CMAT_FINAL); it is an AST-like tree of C statements and expressions, and can be printed as C code.
import idaapi | |
class ExamplePlugin(idaapi.plugin_t): | |
flags = idaapi.PLUGIN_DRAW | |
comment = "This plugin does nothing useful" | |
help = "No help is needed" | |
wanted_name = "Example" | |
wanted_hotkey = "Alt-F11" | |
def init(self): |
import idautils | |
import ida_range | |
import ida_hexrays as hr | |
class decryptor(hr.mop_visitor_t): | |
def visit_mop(self, op, type, is_target): | |
if op.t != hr.mop_f: | |
return 0 |
from binaryninja import * | |
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE | |
from miasm.analysis.machine import Machine | |
def stop_sentinelle(jitter):
    """Breakpoint handler that halts the miasm jitter.

    Clears the jitter's ``run`` flag so its emulation loop terminates and
    resets ``pc`` to 0. Always returns True (presumably the value miasm
    expects from a breakpoint callback - confirm against the miasm docs).
    """
    # The two attribute writes are independent; order does not matter.
    jitter.pc = 0
    jitter.run = False
    return True
def emulate(bv, addr): |
from miasm.analysis.binary import Container | |
from miasm.analysis.machine import Machine | |
from miasm.core.asmblock import AsmCFG | |
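# Raw x86-32 machine code to disassemble (jmp eax, a few movs, two short
# jumps, nop, ret). This MUST be a bytes literal: the container wraps the
# buffer in a bin_stream that the disassembler reads byte by byte, and under
# Python 3 a plain "..." literal is text, so "\xff" is the code point U+00FF
# rather than the single byte 0xFF (and would be re-encoded as two bytes).
cont = Container.from_string(b"\xff\xe0\x89\xc0\x89\xd8\xeb\x05\x89\xc8\xeb\x01\x90\xc3")
bs = cont.bin_stream
# Architecture is hard-coded to 32-bit x86 to match the opcode bytes above.
machine = Machine("x86_32")
mn, dis_engine = machine.mn, machine.dis_engine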
import sys | |
from miasm.analysis.machine import Machine | |
from miasm.analysis.binary import Container | |
from miasm.analysis.simplifier import IRCFGSimplifierSSA, IRCFGSimplifierCommon | |
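# Refuse to run without a target path instead of dying with an IndexError.
if len(sys.argv) < 2:
    sys.exit("usage: %s <binary>" % sys.argv[0])
# Read the whole file inside a context manager so the descriptor is closed;
# the original passed an anonymous open() handle that was never released.
# Container.from_string takes the raw bytes (same entry point used elsewhere
# on this page), so nothing depends on the stream staying open.
with open(sys.argv[1], 'rb') as fd:
    cont = Container.from_string(fd.read())
# Architecture is hard-coded; the container's loc_db is shared with the
# disassembly engine so symbols/labels resolve consistently.
machine = Machine('x86_64')
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)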
import sys | |
from miasm.analysis.machine import Machine | |
from miasm.analysis.binary import Container | |
#def cb_example(cur_bloc, loc_db, offsets_to_dis, *args, **kwargs): | |
#if len(cur_bloc.lines) < 1: | |
#return | |
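# Refuse to run without a target path instead of dying with an IndexError.
if len(sys.argv) < 2:
    sys.exit("usage: %s <binary>" % sys.argv[0])
# Read the whole file inside a context manager so the descriptor is closed;
# the original passed an anonymous open() handle that was never released.
# Container.from_string takes the raw bytes (same entry point used elsewhere
# on this page), so nothing depends on the stream staying open.
with open(sys.argv[1], 'rb') as fd:
    cont = Container.from_string(fd.read())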
import sys | |
from PySide2.QtWidgets import (QApplication, QDialog, QPushButton, QLabel, QHBoxLayout) | |
from PySide2.QtCore import Qt | |
from binaryninjaui import (UIAction, UIActionHandler, Menu) | |
class GreatUI(QDialog): | |
def __init__(self, parent=None): | |
super(GreatUI, self).__init__(parent) | |
self.setWindowModality(Qt.NonModal) |