13 Security Lab


13 Awesome Deobfuscation Tools For Reverse Engineers

Maj0r Tom 2016. 9. 28. 20:45

A curated list of awesome deobfuscation tools for reverse engineers.
1. Balbuzard

https://bitbucket.org/decalage/balbuzard/wiki/Home

Balbuzard is a package of malware analysis tools written in Python that extracts patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack simple malware obfuscation such as XOR and ROL by brute-forcing the key and checking the result for those same patterns.


2. de4dot

https://github.com/0xd4d/de4dot

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to something close to the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore, since the original names aren't (usually) part of the obfuscated assembly. It uses dnlib to read and write assemblies, so make sure you get it or it won't compile.


3. FLOSS

https://github.com/fireeye/flare-floss

FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.



4. iheartxor

http://hooked-on-mnemonics.blogspot.kr/p/iheartxor.html

iheartxor can be used to brute-force XOR-encoded strings that match a user-defined regular expression pattern (-r). The default search pattern is a regular expression that searches for data between null bytes ('\x00'). The tool can also be used to do a straight XOR on a file with -f file.name -k value. The value must be between 0x0-0x255.


5. NoMoreXOR

https://github.com/hiddenillusion/NoMoreXOR

NoMoreXOR helps guess a file's 256-byte XOR key by using frequency analysis.


6. PackerAttacker

https://github.com/BromiumLabs/PackerAttacker

The Packer Attacker is a generic hidden code extractor for Windows malware. It supports the following types of packers: running from the heap, replacing the PE header, and injecting into a process.


7. unpacker

https://github.com/malwaremusings/unpacker/

unpacker is an automated malware unpacker for Windows malware based on WinAppDbg.


8. unxor

https://github.com/tomchop/unxor/

unxor will search through an XOR-encoded file (binary, text file, whatever) and use a known-plaintext attack to deduce the original keystream. It works on keys up to half as long as the known plaintext, in linear time.


9. VirtualDeobfuscator

https://github.com/jnraber/VirtualDeobfuscator

VirtualDeobfuscator is a reverse engineering tool for virtualization wrappers. The goal of the Virtual Deobfuscator is to analyze a run trace and filter out the VM's own processing instructions, leaving the reverse engineer with a bytecode version of the original binary.


10. XORBruteForcer

http://eternal-todo.com/var/scripts/xorbruteforcer

XORBruteForcer is a Python script that implements an XOR brute-force of a given file, although a specific key can be used too. It's possible to look for a word in the XORed result, minimizing the output.


11. XORSearch

https://blog.didierstevens.com/programs/xorsearch/

XORSearch is a program to search for a given string in an XOR-, ROL-, ROT- or SHIFT-encoded binary file. XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching.


12. XORStrings

https://blog.didierstevens.com/programs/xorsearch/

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length.


13. xortool

https://github.com/hellman/xortool

xortool is a Python script that will attempt to guess the XOR key length (based on the count of equal characters), as well as the key itself (based on knowledge of the most frequent character).


If you know of any more deobfuscation tools that you think should be on this list, please let me know by leaving a comment on this post and I will get them added.



Ref. https://hackerlists.com/deobfuscation-tools/