
Dynamically reconstruct control flow #52

@Davincible

Description

I wanted to create a discussion for this but I can't seem to open a discussion, so feel free to convert this to a discussion.

I am running into an RE challenge and wondered whether it would be possible to create a module for this lib to tackle this.

The code I am trying to RE uses a lot of small if statements to obfuscate the control flow. It uses a large array with numbers as a sequence of when to execute which if blocks.

Currently, I have been reverse engineering this by manually stepping through it in a debugger and keeping track of the logic, which works, but gets very tedious for bigger operations. So I was wondering if it would be possible to dynamically analyze the control flow and simplify it.

Simplified example:

```javascript
// encoded variable content
var data = "484e4f4a403f52...";

// i is the array with > 1000 numbers containing the operating sequence
var i = [];

// Provision i

// r is the read position into i (declaration added so the example runs)
var r = 0;

for (var x = [];;) {
  try {
    // guard added so the simplified example terminates once i is exhausted;
    // the real code relies on the catch block instead
    if (r >= i.length) break;
    // r increases by an arbitrary amount each iteration
    // v dictates which block will be executed next
    var v = i[r++];
    if (v < 33) {
      if (v < 14) {
        // ...
      } else if (v < 22) {
        if (v < 19) {
          if (v < 17) {
            // ...
          } else if (17 === v) {
            // ...
          } else {
            // ...
          }
        } else if (v < 20) {
          // ...
        } else if (20 === v) {
          // ...
        } else {
          // ...
        }
      } else if (v < 25) {
        // ...
      }
    }
  }
  catch (e) {
    // ...
  }
}
```

Each block here performs a small and simple task, and currently, my RE process entails keeping track of what data is modified in which way, which, as you can imagine, gets very labor-intensive for a large sequence of operations.

I was thinking it could perhaps theoretically be possible to simplify the control flow by executing the code and dynamically keeping track of what happens, and then reconstructing that logic.

I understand it's not a simple thing, but I am no expert on the topic so I am curious to hear others' perspectives on this.

So... Any ideas on if it's possible to create a module for this, or other tips to RE code like this?

I've tried to keep the details here brief for clarity, but I can further elaborate on specific aspects if needed.
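The approach the post is asking about (run the dispatcher, record which block fires in what order and what state it touches, then emit the equivalent straight-line code) can be sketched in a few dozen lines. The following is an added example, not code from the issue or from the library it is filed against. It builds a toy dispatcher in the same nested-if style as the snippet above, with a constructed opcode array `SEQ` standing in for the issue's `i`; the block semantics (`acc`, `stack`), the tracer `runDispatcher` and the `linearize` helper are all assumptions made for the illustration.

```javascript
// Constructed dispatch sequence, standing in for the issue's `i` array.
// Each number picks the block that runs next; the loop itself says nothing.
const SEQ = [5, 17, 20, 3, 22, 99];

// Copy the mutable state so each trace entry keeps its own before/after view.
function snapshot(s) {
  return { acc: s.acc, stack: s.stack.slice() };
}

// Run the dispatcher and record, for every step, the read position `pc`,
// the opcode `v`, a human-readable label for the block that executed, and
// a state snapshot before and after it. The nested ifs mirror the obfuscated
// code: the range a value falls into decides which tiny block runs.
function runDispatcher(seq) {
  const s = { acc: 0, stack: [] };
  const trace = [];
  let r = 0;
  for (;;) {
    if (r >= seq.length) break; // terminate on a finite constructed sequence
    const pc = r;
    const v = seq[r++];
    const before = snapshot(s);
    let block;
    if (v < 33) {
      if (v < 14) {
        s.acc += v;               block = `acc += ${v}`;
      } else if (v < 19) {
        s.stack.push(s.acc);      block = 'stack.push(acc)';
      } else if (v === 20) {
        s.acc *= 2;               block = 'acc *= 2';
      } else if (v < 25) {
        s.acc += s.stack.pop();   block = 'acc += stack.pop()';
      } else {
        block = 'nop';            // 25..32: no-op padding in this toy
      }
    } else {
      block = 'halt';             // out-of-range opcode ends the program
      trace.push({ pc, v, block, before, after: snapshot(s) });
      break;
    }
    trace.push({ pc, v, block, before, after: snapshot(s) });
  }
  return { state: s, trace };
}

// Collapse the trace into straight-line statements: the dispatcher loop and
// the opcode array disappear, leaving only the operations in execution order,
// annotated with where they came from and what they did to `acc`.
function linearize(trace) {
  return trace
    .filter((t) => t.block !== 'nop' && t.block !== 'halt')
    .map((t) =>
      `${t.block}; // seq[${t.pc}]=${t.v}, acc ${t.before.acc} -> ${t.after.acc}`);
}

// Stand-alone usage: print the recovered program.
const result = runDispatcher(SEQ);
console.log(linearize(result.trace).join('\n'));
console.log('final acc =', result.state.acc);
```

The output is one concrete path: a dynamic trace only shows the blocks that actually ran for this input and this opcode array. If the real program branches on data (the contents of `data`, say, or user input), re-running with other inputs and diffing the linearized listings reveals which parts are fixed and which are data-dependent, which is the same information the manual debugger stepping was collecting, just recorded mechanically.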
