{"componentChunkName":"component---src-templates-post-template-js","path":"/unicorn-binary-deobfuscation-en","result":{"data":{"markdownRemark":{"id":"c78c20ec-6bea-5323-991e-8bdb59a574c8","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/unicorn-binary-deobfuscation\">original page</a>.</p>\n</blockquote>\n<p>This article covers the deobfuscation technique for self-restoring binaries using Unicorn and Capstone, based on the Rev challenge “Singlestep” from Cyber Apocalypse CTF 2025.</p>\n<p>Reference: <a href=\"/ctf-cyber-apocalypse-2025-en\">Cyber Apocalypse CTF 2025 Writeup</a></p>\n<p>I had used Unicorn for emulating execution code once a long time ago, but had not touched it much since.</p>\n<p>Reference: <a href=\"/ctf-idek-2022-en\">Emulating x86_64 Architecture Shellcode with Unicorn</a></p>\n<p>During the contest, I used gdb-python to forcibly extract the deobfuscated assembly from the execution code, but I ended up extracting an enormous amount of code due to failing to account for loop processing, and the extracted code could not be decompiled.</p>\n<p>However, the Unicorn + Capstone method described here allows for a much cleaner deobfuscation of the binary, and also makes it possible to extract the deobfuscated code in a form that can be decompiled.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table 
of Contents</h2>\n<ul>\n<li><a href=\"#problem-overview\">Problem Overview</a></li>\n<li>\n<p><a href=\"#hooking-and-dumping-execution-code-with-unicorn-and-capstone\">Hooking and Dumping Execution Code with Unicorn and Capstone</a></p>\n<ul>\n<li><a href=\"#emulator-initialization\">Emulator Initialization</a></li>\n<li><a href=\"#hooking-execution-code-with-unicorn\">Hooking Execution Code with Unicorn</a></li>\n<li><a href=\"#disassembling-execution-code-with-capstone\">Disassembling Execution Code with Capstone</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#deobfuscating-the-challenge-binary\">Deobfuscating the Challenge Binary</a></p>\n<ul>\n<li><a href=\"#defining-conditions-to-clearly-distinguish-deobfuscated-instructions-from-others\">Defining Conditions to Clearly Distinguish Deobfuscated Instructions from Others</a></li>\n<li><a href=\"#library-function-calls-must-be-ignored-to-continue-emulation\">Library Function Calls Must Be Ignored to Continue Emulation</a></li>\n<li><a href=\"#the-deobfuscated-code-itself-does-not-need-to-be-executed\">The Deobfuscated Code Itself Does Not Need to Be Executed</a></li>\n</ul>\n</li>\n<li><a href=\"#obtaining-the-flag\">Obtaining the Flag</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"problem-overview\" style=\"position:relative;\"><a href=\"#problem-overview\" aria-label=\"problem overview permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Problem Overview</h2>\n<blockquote>\n<p><strong>Singlestep</strong></p>\n<p>Malakar has 
locked away a sacred artifact away in his dungeon. He has enchanted the locking mechanism to be self-protecting. Can you embark on a mission to free the artifact back to the people’s hands?</p>\n</blockquote>\n<p>Running the provided ELF binary prompts for some input.</p>\n<p>Entering the correct value appears to yield the flag.</p>\n<p><img src=\"/static/37d919c3c231d1744afff09251deeab2/8efc2/image-20250329132226427.png\" alt=\"image-20250329132226427\" title=\"image-20250329132226427\" /></p>\n<p>Decompiling the binary shows that the <code class=\"language-text\">main</code> function simply calls a function at address <code class=\"language-text\">0x43e0</code>.</p>\n<p><img src=\"/static/e4f7c082da999cfd3170fdd571792bf0/50e4b/image-20250329132433561.png\" alt=\"image-20250329132433561\" title=\"image-20250329132433561\" /></p>\n<p>This function is implemented as follows. It is clearly attempting to replace the code at <code class=\"language-text\">0x43ec</code> via an XOR operation and then continue execution.</p>\n<p><img src=\"/static/72fcbbd12322b39be7d342ec6d82683c/a58fe/image-20250329132542827.png\" alt=\"image-20250329132542827\" title=\"image-20250329132542827\" /></p>\n<p>Analyzing this operation in gdb confirms that when the XOR at <code class=\"language-text\">0x43e1</code> is executed, the code at <code class=\"language-text\">0x43ec</code> is replaced with what appears to be a function prologue.</p>\n<p><img src=\"/static/9e200563fdda5f644dd0c8d48a225bb0/d7abb/image-20250329133023471.png\" alt=\"image-20250329133023471\" title=\"image-20250329133023471\" /></p>\n<p>Furthermore, looking at the code above, the XOR at <code class=\"language-text\">0x43f1</code> restores the code at <code class=\"language-text\">0x43ec</code> to its original form, ensuring that the decrypted code does not persist in memory after execution.</p>\n<p>Tracing through the rest of the code, it becomes clear that the binary repeatedly decodes, executes, and re-encodes the real execution code in blocks ranging from <code class=\"language-text\">pushfq -> xor</code> to <code class=\"language-text\">xor -> popfq</code>.</p>\n<p><img src=\"/static/cb9fd1153cbc8335cf0a3fe8108731e8/5a190/image-20250329133418360.png\" alt=\"image-20250329133418360\" title=\"image-20250329133418360\" /></p>\n<p>During the contest I forcibly extracted the deobfuscated assembly using gdb-python, but this time I’ll deobfuscate more elegantly using Unicorn and Capstone.</p>\n<h2 id=\"hooking-and-dumping-execution-code-with-unicorn-and-capstone\" style=\"position:relative;\"><a href=\"#hooking-and-dumping-execution-code-with-unicorn-and-capstone\" aria-label=\"hooking and dumping execution code with unicorn and capstone permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Hooking and Dumping Execution Code with Unicorn and Capstone</h2>\n<p>The following code hooks the execution code emulated by Unicorn and outputs the disassembly results using Capstone.</p>\n<p>(Due to the binary’s self-modifying behavior, the hook behavior for the XOR line that modifies execution code may differ slightly from the actual program behavior — this is ignored for now.)</p>\n<div
class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> unicorn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> unicorn<span class=\"token punctuation\">.</span>x86_const <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> capstone <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># ============================</span>\n<span class=\"token comment\"># Globals</span>\n<span class=\"token comment\"># ============================</span>\n\n<span class=\"token comment\"># Initialize Unicorn &amp; Capstone</span>\nmu <span class=\"token operator\">=</span> Uc<span class=\"token punctuation\">(</span>UC_ARCH_X86<span class=\"token punctuation\">,</span> UC_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># mu is initialized as a virtual CPU</span>\nmd <span class=\"token operator\">=</span> Cs<span class=\"token punctuation\">(</span>CS_ARCH_X86<span class=\"token punctuation\">,</span> CS_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># md is initialized as an x64 disassembler</span>\n\n<span class=\"token comment\"># Initial values</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'singlestep'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'rb'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    code <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span>\n\ncall_addrs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x43E0</span><span class=\"token punctuation\">]</span>\ncurrent_call_addr <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nprevious_call_addr <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n<span class=\"token comment\"># Hook function</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">hook_code</span><span class=\"token punctuation\">(</span>uc<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">,</span> user_data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> current_call_addr\n    <span class=\"token keyword\">global</span> previous_call_addr\n    previous_call_addr <span class=\"token operator\">=</span> current_call_addr\n    \n    instruction_bytes <span class=\"token operator\">=</span>  uc<span class=\"token punctuation\">.</span>mem_read<span class=\"token punctuation\">(</span>address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>instruction <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>md<span class=\"token punctuation\">.</span>disasm<span class=\"token punctuation\">(</span>instruction_bytes<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        complete_instruction <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token 
interpolation\"><span class=\"token punctuation\">{</span>i<span class=\"token punctuation\">}</span></span><span class=\"token string\"> 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">:\\t</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>mnemonic<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\t</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>complete_instruction<span class=\"token punctuation\">)</span>\n        \n        <span class=\"token keyword\">if</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"call\"</span><span class=\"token punctuation\">:</span>\n            addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> addr <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1260</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PLT function called.\"</span><span 
class=\"token punctuation\">)</span>\n                <span class=\"token comment\"># uc.emu_stop()</span>\n                <span class=\"token keyword\">return</span>\n\n        <span class=\"token keyword\">elif</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"ret\"</span><span class=\"token punctuation\">:</span>\n            <span class=\"token comment\"># uc.emu_stop()</span>\n            <span class=\"token keyword\">return</span>\n\n<span class=\"token comment\"># ============================</span>\n\n\n<span class=\"token comment\"># Initialize virtual memory, RSP/RBP</span>\nstack_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x900000</span>\nstack_size <span class=\"token operator\">=</span> <span class=\"token number\">0x100000</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>stack_addr<span class=\"token punctuation\">,</span> stack_size<span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RSP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token operator\">-</span> <span class=\"token number\">8</span> <span class=\"token operator\">-</span> <span class=\"token number\">0x200</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RBP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token operator\">-</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Read original binary</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token 
punctuation\">(</span><span class=\"token string\">\"singlestep\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    code <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Allocate 0x50000 bytes of virtual memory and map the execution code</span>\ncode_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x50000</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>mem_write<span class=\"token punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span>code<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Add hook to Unicorn</span>\n<span class=\"token comment\"># UC_HOOK_CODE invokes the hook immediately before each instruction executes</span>\n<span class=\"token comment\"># hook_code(mu, address, size, user_data)</span>\nmu<span class=\"token punctuation\">.</span>hook_add<span class=\"token punctuation\">(</span>UC_HOOK_CODE<span class=\"token punctuation\">,</span> hook_code<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\n<span class=\"token keyword\">while</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>call_addrs<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n       
 current_call_addr <span class=\"token operator\">=</span> call_addrs<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        mu<span class=\"token punctuation\">.</span>emu_start<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x900D</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># emu_start(begin,end)</span>\n    <span class=\"token keyword\">except</span> Exception <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: %s\"</span> <span class=\"token operator\">%</span> e<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"at : %s\"</span> <span class=\"token operator\">%</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">break</span></code></pre></div>\n<h3 id=\"emulator-initialization\" style=\"position:relative;\"><a href=\"#emulator-initialization\" aria-label=\"emulator initialization permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 
0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Emulator Initialization</h3>\n<p>The following is an excerpt of the emulator initialization code.</p>\n<p>Both <code class=\"language-text\">Uc(UC_ARCH_X86, UC_MODE_64)</code> and <code class=\"language-text\">Cs(CS_ARCH_X86, CS_MODE_64)</code> initialize Unicorn and Capstone respectively, targeting x64.</p>\n<p>The code then allocates a stack region, initializes the RSP/RBP registers, and finally maps the executable file data directly into memory.</p>\n<p>To properly emulate an ELF, you would normally need to reproduce the ELF loader behavior (library loading, section alignment, etc.), but since we only need to emulate the XOR-based restoration of execution code, mapping the raw ELF file directly is sufficient.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Initialize Unicorn &amp; Capstone</span>\nmu <span class=\"token operator\">=</span> Uc<span class=\"token punctuation\">(</span>UC_ARCH_X86<span class=\"token punctuation\">,</span> UC_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># mu is initialized as a virtual CPU</span>\nmd <span class=\"token operator\">=</span> Cs<span class=\"token punctuation\">(</span>CS_ARCH_X86<span class=\"token punctuation\">,</span> CS_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># md is initialized as an x64 disassembler</span>\n\n\n<span class=\"token comment\"># Initialize virtual memory, RSP/RBP</span>\nstack_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x900000</span>\nstack_size <span class=\"token operator\">=</span> <span class=\"token number\">0x100000</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>stack_addr<span class=\"token 
punctuation\">,</span> stack_size<span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RSP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token operator\">-</span> <span class=\"token number\">8</span> <span class=\"token operator\">-</span> <span class=\"token number\">0x200</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RBP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token operator\">-</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token comment\"># Read original binary</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"singlestep\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    code <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    \n<span class=\"token comment\"># Allocate 0x50000 bytes of virtual memory and map the execution code</span>\ncode_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x50000</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>mem_write<span class=\"token 
punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span>code<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://www.unicorn-engine.org/docs/tutorial.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Programming with C &#x26; Python languages – Unicorn – The Ultimate CPU emulator</a></p>\n<h3 id=\"hooking-execution-code-with-unicorn\" style=\"position:relative;\"><a href=\"#hooking-execution-code-with-unicorn\" aria-label=\"hooking execution code with unicorn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Hooking Execution Code with Unicorn</h3>\n<p>The following code uses <code class=\"language-text\">UC_HOOK_CODE</code> to hook every instruction’s execution, configuring a hook for Unicorn code execution.</p>\n<p>Unicorn supports hooking other operations too, such as specific memory accesses.</p>\n<p>Reference: <a href=\"https://github.com/alexander-hanel/unicorn-engine-notes\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">alexander-hanel/unicorn-engine-notes</a></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Add hook to Unicorn</span>\n<span class=\"token comment\"># UC_HOOK_CODE invokes the hook immediately before each instruction executes</span>\n<span class=\"token comment\"># hook_code(mu, address, size, user_data)</span>\nmu<span class=\"token punctuation\">.</span>hook_add<span class=\"token 
punctuation\">(</span>UC_HOOK_CODE<span class=\"token punctuation\">,</span> hook_code<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\n<span class=\"token keyword\">while</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>call_addrs<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        current_call_addr <span class=\"token operator\">=</span> call_addrs<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        mu<span class=\"token punctuation\">.</span>emu_start<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x900D</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># emu_start(begin,end)</span>\n    <span class=\"token keyword\">except</span> Exception <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: %s\"</span> <span class=\"token operator\">%</span> e<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"at : %s\"</span> <span class=\"token operator\">%</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token 
keyword\">break</span></code></pre></div>\n<h3 id=\"disassembling-execution-code-with-capstone\" style=\"position:relative;\"><a href=\"#disassembling-execution-code-with-capstone\" aria-label=\"disassembling execution code with capstone permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Disassembling Execution Code with Capstone</h3>\n<p>In the hook function called at each instruction, Capstone is used to disassemble the execution code.</p>\n<p>When the hook function is invoked by Unicorn, the instruction address and its size are passed as arguments.</p>\n<p>The byte data obtained via <code class=\"language-text\">uc.mem_read(address, size)</code> is passed to <code class=\"language-text\">md.disasm(instruction_bytes, address)</code>, which returns an iterator containing the disassembly result.</p>\n<p>Reference: <a href=\"https://www.capstone-engine.org/iteration.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Disassemble in iterartion style – Capstone – The Ultimate Disassembler</a></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Hook function</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">hook_code</span><span class=\"token punctuation\">(</span>uc<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">,</span> user_data<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> current_call_addr\n    <span class=\"token keyword\">global</span> previous_call_addr\n    previous_call_addr <span class=\"token operator\">=</span> current_call_addr\n    \n    instruction_bytes <span class=\"token operator\">=</span>  uc<span class=\"token punctuation\">.</span>mem_read<span class=\"token punctuation\">(</span>address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>instruction <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>md<span class=\"token punctuation\">.</span>disasm<span class=\"token punctuation\">(</span>instruction_bytes<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        complete_instruction <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>i<span class=\"token punctuation\">}</span></span><span class=\"token string\"> 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">:\\t</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>mnemonic<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\t</span><span class=\"token interpolation\"><span class=\"token 
punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>complete_instruction<span class=\"token punctuation\">)</span>\n        \n        <span class=\"token keyword\">if</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"call\"</span><span class=\"token punctuation\">:</span>\n            addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> addr <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1260</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PLT function called.\"</span><span class=\"token punctuation\">)</span>\n                <span class=\"token comment\"># uc.emu_stop()</span>\n                <span class=\"token keyword\">return</span>\n\n        <span class=\"token keyword\">elif</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"ret\"</span><span class=\"token punctuation\">:</span>\n            <span class=\"token comment\"># uc.emu_stop()</span>\n            <span class=\"token keyword\">return</span></code></pre></div>\n<p>Running this allows the disassembly results of the hooked execution code to be dumped as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: 
relative; display: block; margin-left: auto; margin-right: auto; max-width: 571px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7b5a38227b64127b5197d1863a51292c/17d73/image-20250330115806338.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 60.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABp0lEQVQoz5VS13aCUBBEBQxKMRCVKCpVwG7y/9822VkDnjwlebjnFpbZnWKs1ytU+wqn8xGj0QiGYcDzPJwvJ2x3G73/a6XpTsBO+Pi8wzRNfQyCAO2hheM4iKIIO6nZbDeI4yWyPIPne1jKeblcoGlrLBbzJ+A6WaOqSpRVgeFwqI/T6RRFWWAwGCh4/B4rQBSFMvVWv0dvEeYCxPeOma6dFDRtIxM1/YfZLND7ZDLR5bquymDZ1u+UFbCpcbmef1A+ng5YCCXSDqSBH/gC7mA8HisTTmlZlt5dd9r/aySbBPt6r1p0E7KYuvFMWuW3JKxlIzahiYnIleUpbvcrwjB8mnI4tupq14X06DzP1I/nosjBRLAxG9bNXoxKsJK3ViTjtP2ENIW0uwl938f944Y0S/8fG7pWC2VOaZoPQNdzxeUczuShX15kGg1q+i4Tz15nGhnujBNZcjAa2JtCHXpAcZVvjA21YQ3jRRDmkKYxNnEcKwvbtpUy6w12oB7U0B7bD5dlKt5J3XFeFCgQl/9EmaJT2FKCTNdCCS/3zmV2JpWu2W/rCzBFHgechyvDAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7b5a38227b64127b5197d1863a51292c/8ac56/image-20250330115806338.webp 240w,\n/static/7b5a38227b64127b5197d1863a51292c/d3be9/image-20250330115806338.webp 480w,\n/static/7b5a38227b64127b5197d1863a51292c/9ac82/image-20250330115806338.webp 571w\"\n              sizes=\"(max-width: 571px) 100vw, 571px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7b5a38227b64127b5197d1863a51292c/8ff5a/image-20250330115806338.png 240w,\n/static/7b5a38227b64127b5197d1863a51292c/e85cb/image-20250330115806338.png 480w,\n/static/7b5a38227b64127b5197d1863a51292c/17d73/image-20250330115806338.png 571w\"\n            sizes=\"(max-width: 571px) 100vw, 571px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7b5a38227b64127b5197d1863a51292c/17d73/image-20250330115806338.png\"\n            alt=\"image-20250330115806338\"\n            title=\"image-20250330115806338\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"deobfuscating-the-challenge-binary\" style=\"position:relative;\"><a href=\"#deobfuscating-the-challenge-binary\" aria-label=\"deobfuscating the challenge binary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Deobfuscating the Challenge Binary</h2>\n<p>To deobfuscate the challenge binary, two main operations are needed:</p>\n<ol>\n<li>Replace all addresses in the binary’s execution code that are not the actual deobfuscated instructions with NOP.</li>\n<li>Replace the obfuscated portions with the deobfuscated instructions.</li>\n</ol>\n<p>The following challenges arise for this binary:</p>\n<ul>\n<li>A condition must be defined to clearly distinguish the actual deobfuscated instructions from all other instructions.</li>\n<li>Library function calls and similar must be ignored so emulation can continue.</li>\n<li>The deobfuscated code itself does not need to be executed (input validation, branching, etc.).</li>\n</ul>\n<p>With the above in mind, the following solver was created.</p>\n<p>Running this code 
produces a <code class=\"language-text\">deobfuscated</code> binary containing the deobfuscated execution code.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> unicorn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> unicorn<span class=\"token punctuation\">.</span>x86_const <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> capstone <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> copy\n\n<span class=\"token comment\"># ============================</span>\n<span class=\"token comment\"># Globals</span>\n<span class=\"token comment\"># ============================</span>\n\n<span class=\"token comment\"># Initialize Unicorn &amp; Capstone</span>\nmu <span class=\"token operator\">=</span> Uc<span class=\"token punctuation\">(</span>UC_ARCH_X86<span class=\"token punctuation\">,</span> UC_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># mu is initialized as a virtual CPU</span>\nmd <span class=\"token operator\">=</span> Cs<span class=\"token punctuation\">(</span>CS_ARCH_X86<span class=\"token punctuation\">,</span> CS_MODE_64<span class=\"token punctuation\">)</span> <span class=\"token comment\"># md is initialized as an x64 disassembler</span>\n\n<span class=\"token comment\"># Initial values</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'singlestep'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'rb'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    
code <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\ncode <span class=\"token operator\">=</span> <span class=\"token builtin\">bytearray</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span>\ndeobfuscated_code <span class=\"token operator\">=</span> copy<span class=\"token punctuation\">.</span>deepcopy<span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span>\n\ncall_addrs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x43E0</span><span class=\"token punctuation\">]</span>\ndeobfuscated_addrs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\npopfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\ncurrent_call_addr <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nprevious_call_addr <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n<span class=\"token comment\"># Hook function</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">hook_code</span><span class=\"token punctuation\">(</span>uc<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">,</span> user_data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> current_call_addr\n    <span class=\"token keyword\">global</span> previous_call_addr\n    <span class=\"token keyword\">global</span> popfq_flag\n    <span class=\"token keyword\">global</span> deobfuscated_code\n    <span class=\"token keyword\">global</span> deobfuscated_addrs\n    previous_call_addr <span class=\"token operator\">=</span> 
current_call_addr\n    \n    instruction_bytes <span class=\"token operator\">=</span>  uc<span class=\"token punctuation\">.</span>mem_read<span class=\"token punctuation\">(</span>address<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>instruction <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>md<span class=\"token punctuation\">.</span>disasm<span class=\"token punctuation\">(</span>instruction_bytes<span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        complete_instruction <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>i<span class=\"token punctuation\">}</span></span><span class=\"token string\"> 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">:\\t</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>mnemonic<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\t</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span>\n\n    <span class=\"token keyword\">if</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span 
class=\"token operator\">==</span> <span class=\"token string\">\"popfq\"</span><span class=\"token punctuation\">:</span>\n        popfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n        deobfuscated_code<span class=\"token punctuation\">[</span>address<span class=\"token punctuation\">:</span>address<span class=\"token operator\">+</span>size<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x90\"</span> <span class=\"token operator\">*</span> size\n    \n    <span class=\"token keyword\">elif</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"pushfq\"</span><span class=\"token punctuation\">:</span>\n        popfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n        deobfuscated_code<span class=\"token punctuation\">[</span>address<span class=\"token punctuation\">:</span>address<span class=\"token operator\">+</span>size<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x90\"</span> <span class=\"token operator\">*</span> size\n    \n    <span class=\"token keyword\">elif</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"ret\"</span><span class=\"token punctuation\">:</span>\n        popfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ret.\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token comment\"># print(complete_instruction)</span>\n        uc<span class=\"token punctuation\">.</span>emu_stop<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span>\n        <span class=\"token keyword\">return</span>\n    \n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> popfq_flag <span class=\"token keyword\">and</span> address <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> deobfuscated_addrs<span class=\"token punctuation\">:</span>\n            popfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n\n            <span class=\"token comment\"># print(complete_instruction)</span>\n            deobfuscated_code<span class=\"token punctuation\">[</span>address<span class=\"token punctuation\">:</span>address<span class=\"token operator\">+</span>size<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> instruction_bytes\n            deobfuscated_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>address<span class=\"token punctuation\">)</span>\n\n            <span class=\"token comment\"># Skip the restored instruction (it must not actually execute)</span>\n            uc<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">,</span> address <span class=\"token operator\">+</span> size<span class=\"token punctuation\">)</span>\n            \n            <span class=\"token keyword\">if</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"call\"</span><span class=\"token punctuation\">:</span>\n                addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">if</span> addr <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1260</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PLT function called.\"</span><span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">return</span>\n                <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                    call_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            deobfuscated_code<span class=\"token punctuation\">[</span>address<span class=\"token punctuation\">:</span>address<span class=\"token operator\">+</span>size<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x90\"</span> <span class=\"token operator\">*</span> size\n\n    <span class=\"token keyword\">return</span>\n    \n<span class=\"token comment\"># ============================</span>\n\n\n<span class=\"token comment\"># Initialize virtual memory, RSP/RBP</span>\nstack_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x900000</span>\nstack_size <span class=\"token operator\">=</span> <span class=\"token number\">0x100000</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>stack_addr<span class=\"token punctuation\">,</span> stack_size<span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RSP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token 
operator\">-</span> <span class=\"token number\">8</span> <span class=\"token operator\">-</span> <span class=\"token number\">0x200</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RBP<span class=\"token punctuation\">,</span> stack_addr <span class=\"token operator\">+</span> stack_size <span class=\"token operator\">-</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Read original binary</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"singlestep\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    code <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Allocate 0x50000 bytes of virtual memory and map the execution code</span>\ncode_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>\nmu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x50000</span><span class=\"token punctuation\">)</span>\nmu<span class=\"token punctuation\">.</span>mem_write<span class=\"token punctuation\">(</span>code_addr<span class=\"token punctuation\">,</span>code<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Add hook to Unicorn</span>\n<span class=\"token comment\"># UC_HOOK_CODE invokes the hook immediately before each instruction executes</span>\n<span class=\"token comment\"># hook_code(mu, 
address, size, user_data)</span>\nmu<span class=\"token punctuation\">.</span>hook_add<span class=\"token punctuation\">(</span>UC_HOOK_CODE<span class=\"token punctuation\">,</span> hook_code<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\n<span class=\"token keyword\">while</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>call_addrs<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        current_call_addr <span class=\"token operator\">=</span> call_addrs<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> current_call_addr <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> deobfuscated_addrs<span class=\"token punctuation\">:</span>\n            mu<span class=\"token punctuation\">.</span>emu_start<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">,</span><span class=\"token number\">0x900D</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># emu_start(begin,end)</span>\n            deobfuscated_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span> Exception <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: %s\"</span> <span class=\"token operator\">%</span> e<span class=\"token punctuation\">)</span>\n        <span class=\"token 
keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"at : %s\"</span> <span class=\"token operator\">%</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">break</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'deobfuscated'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'wb'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>deobfuscated_code<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Below is a summary of the key points.</p>\n<h3 id=\"defining-conditions-to-clearly-distinguish-deobfuscated-instructions-from-others\" style=\"position:relative;\"><a href=\"#defining-conditions-to-clearly-distinguish-deobfuscated-instructions-from-others\" aria-label=\"defining conditions to clearly distinguish deobfuscated instructions from others permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Defining Conditions to 
Clearly Distinguish Deobfuscated Instructions from Others</h3>\n<p>As confirmed earlier, the binary repeatedly decodes, executes, and re-encodes real execution code in blocks from <code class=\"language-text\">pushfq -> xor</code> to <code class=\"language-text\">xor -> popfq</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 800px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cb9fd1153cbc8335cf0a3fe8108731e8/5a190/image-20250329133418360.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 17.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA3UlEQVQY0zWQy07DMBBFJ37HifNOgVJRdQESUhS1QLqBDf//UZfrSCyOrkcanZmxbPcvfHxeEWPC8CA4XQQ+VTB1C183fJMQ4V1AiiOMshARJGMwMjMH0rCOdQVZlgXruqKuGnSzYDgIdOxgKTOhhI2UWw/nPIKroQq9C6NW6JgtyRmVYh+HXbcF9+8bUtPi8Sw4vwrKaaawQ8EmZSxTQxOjHYqi2IWW6Zn/5FppDrv9vGH7fUfFM+ej4Eipzef2E8p+RBwmBH5HvqBPT7Da78KR25yYz+Ql184hpoQ/BR1biVSiHrMAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cb9fd1153cbc8335cf0a3fe8108731e8/8ac56/image-20250329133418360.webp 240w,\n/static/cb9fd1153cbc8335cf0a3fe8108731e8/d3be9/image-20250329133418360.webp 480w,\n/static/cb9fd1153cbc8335cf0a3fe8108731e8/d00b9/image-20250329133418360.webp 800w\"\n              sizes=\"(max-width: 800px) 100vw, 800px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cb9fd1153cbc8335cf0a3fe8108731e8/8ff5a/image-20250329133418360.png 240w,\n/static/cb9fd1153cbc8335cf0a3fe8108731e8/e85cb/image-20250329133418360.png 
480w,\n/static/cb9fd1153cbc8335cf0a3fe8108731e8/5a190/image-20250329133418360.png 800w\"\n            sizes=\"(max-width: 800px) 100vw, 800px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cb9fd1153cbc8335cf0a3fe8108731e8/5a190/image-20250329133418360.png\"\n            alt=\"image-20250329133418360\"\n            title=\"image-20250329133418360\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Therefore, we simply need to capture instructions immediately after a <code class=\"language-text\">pushfq -> xor -> popfq</code> sequence, excluding <code class=\"language-text\">pushfq</code> itself.</p>\n<h3 id=\"library-function-calls-must-be-ignored-to-continue-emulation\" style=\"position:relative;\"><a href=\"#library-function-calls-must-be-ignored-to-continue-emulation\" aria-label=\"library function calls must be ignored to continue emulation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Library Function Calls Must Be Ignored to Continue Emulation</h3>\n<p>In this case, Unicorn is used to emulate small units of execution code. 
When a <code class=\"language-text\">call</code> instruction is encountered, the function call is skipped during the current trace, and <code class=\"language-text\">mu.emu_start</code> is used to trace the callee separately.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Skip the deobfuscated instruction</span>\nuc<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">,</span> address <span class=\"token operator\">+</span> size<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> instruction<span class=\"token punctuation\">.</span>mnemonic <span class=\"token operator\">==</span> <span class=\"token string\">\"call\"</span><span class=\"token punctuation\">:</span>\n    addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>instruction<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> addr <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1260</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PLT function called.\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">return</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        call_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"the-deobfuscated-code-itself-does-not-need-to-be-executed\" 
style=\"position:relative;\"><a href=\"#the-deobfuscated-code-itself-does-not-need-to-be-executed\" aria-label=\"the deobfuscated code itself does not need to be executed permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Deobfuscated Code Itself Does Not Need to Be Executed</h3>\n<p>Since the deobfuscated code does not need to actually run, RIP is overwritten to skip emulation of it.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Skip de-deobfuscated instruction</span>\nuc<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RIP<span class=\"token punctuation\">,</span> address <span class=\"token operator\">+</span> size<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"obtaining-the-flag\" style=\"position:relative;\"><a href=\"#obtaining-the-flag\" aria-label=\"obtaining the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>Obtaining the Flag</h2>\n<p>Running the deobfuscated binary produced by the above code shows that it behaves the same as the original program.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 856px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/355cd6610204acae777d21edd561c49e/ad12c/image-20250330151401344.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 115.00000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/355cd6610204acae777d21edd561c49e/8ac56/image-20250330151401344.webp 240w,\n/static/355cd6610204acae777d21edd561c49e/d3be9/image-20250330151401344.webp 480w,\n/static/355cd6610204acae777d21edd561c49e/e2cd0/image-20250330151401344.webp 856w\"\n              sizes=\"(max-width: 856px) 100vw, 856px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/355cd6610204acae777d21edd561c49e/8ff5a/image-20250330151401344.png 240w,\n/static/355cd6610204acae777d21edd561c49e/e85cb/image-20250330151401344.png 480w,\n/static/355cd6610204acae777d21edd561c49e/ad12c/image-20250330151401344.png 856w\"\n            sizes=\"(max-width: 856px) 100vw, 856px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/355cd6610204acae777d21edd561c49e/ad12c/image-20250330151401344.png\"\n            alt=\"image-20250330151401344\"\n            title=\"image-20250330151401344\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Analyzing the restored binary shows that unnecessary parts have been replaced with NOPs, leaving only the deobfuscated execution code.</p>\n<p>The decompiler is also able to analyze the deobfuscated execution code.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/55b7e789149a9683342121b420f78a5a/1628f/image-20250330151459595.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 60.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/55b7e789149a9683342121b420f78a5a/8ac56/image-20250330151459595.webp 240w,\n/static/55b7e789149a9683342121b420f78a5a/d3be9/image-20250330151459595.webp 480w,\n/static/55b7e789149a9683342121b420f78a5a/e46b2/image-20250330151459595.webp 960w,\n/static/55b7e789149a9683342121b420f78a5a/46ece/image-20250330151459595.webp 1232w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/55b7e789149a9683342121b420f78a5a/8ff5a/image-20250330151459595.png 240w,\n/static/55b7e789149a9683342121b420f78a5a/e85cb/image-20250330151459595.png 480w,\n/static/55b7e789149a9683342121b420f78a5a/d9199/image-20250330151459595.png 960w,\n/static/55b7e789149a9683342121b420f78a5a/1628f/image-20250330151459595.png 1232w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n     
       type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/55b7e789149a9683342121b420f78a5a/d9199/image-20250330151459595.png\"\n            alt=\"image-20250330151459595\"\n            title=\"image-20250330151459595\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the code, it first initializes a 4×4 memory region to create the following 2D array:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 343px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/047054f4ee4553fe929be57cb42999cd/41431/image-20250330151523745.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 128.75%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAAsTAAALEwEAmpwYAAAEBUlEQVRIx31VWW8aVxjln6SGYfb1zj4ww2IwxhhsjOUtmLZR1YeofohSKU2lqpWb9KlZXvtrT797B2Njpn24Go3EPXO276NmOQ6aioqmrCBPPLRjD1nownNNdOh92A7QigOkRQ9pKwPzA3S6PZieAyNwYKU+gnEL4aiApluoabqBF3sNWKYO17UwoMvvZof4+fgAbxYz6LqKbyQJkqJBUTXxYX4aTRl1uYm6IqOhK5B0DQ1JRm1+fo6j2QxnFy8xv7rFavkK7+/e4tfXP+Gfu9d4f32J31ZLXC/OMJqfYLKYY7o4x3g6K89xeQ6Pp+K9djiZoDsY0MsZJicLjI5PcXBygdFsjrvlDX6YTvDjbIrpeIzeeIT98SEG4yP0BkO6t3vWkuvQDQuO68F2GdKsQBglaBUF9kiebJioS02S3sAePblcfqfq1HgokizDDVrw44KeGaJsSCH00e114VMIvX4fLmPQPBsGc+EEId1RKk/Nsh3xRZuAfd8XF7NWmxhG6O73KQwVL+qS+A2/0FgH8vRUAnphGyzK6RRIO8eI2z0MOh2qUYzTyRH8wIfKLKoKMQwjSBxIeQR6AN4AcslB0gUj4KQYIy/28fvlAn8sTvD3d0sMWykUZsMkQCG7G8EftGDanvD3AXQN2BTMOKBHwElxhLwzwF/LK/xJgF8J8IADhg50x4KsabDzQIDa5LFMHd1h6Pgp/KgMJc4P0c77uL9aCMBPqxsMsxSybwtAjY5dhLCzAKbD/k9yT/jIAfPOPgGe48P5HF+/vyWGGRQaNdN3oFkmzJTB20/gJclmcp4ANkUovDYOS0qGVJsPLy9wP5/i0+21YCjZBnnoQLVNYhiADVMh+T8Z+iKUnDyciFBKhqeCIQesayoxdIVkpxPBaydiIWwq9RgKAfpZmbKQPBahcA8F4CuSTIANWiDcQ8XQYUYMluvTQmhW9fAxZR6O8JAYflxePoaSJoKhQdOi2Ra8YQKWp1A14wnD55LJw01t1pI54BfeQy6ZVhT3UNGJYcLg9mMwqlNlbTYpUzhC8jMPecpNh8KImUjZoEXMDlKwdlYF+LzYE+Ehl3x/NsPnNcMmbXEOxlNmo5RC2Wa3W+y4otjE8PO3N5vacA+F5Ix6WCQwLFcQ2gEUktOqYj9Klj1LFFt3rbKHvVTM8gPg1ixvF3u8XewVL3YCydLFclCtstj+QQYnLjdPQ94JJSuLHVUXmy8H7qHBaPT4pKQh/eNRF2mHyrQzK1KuLjb38MsakEvWqYMqeekSY1U1sVdviKVbsb5ywbAsdlkbvr4+8h6unoVilD10wnBrjndnOe6I2kTtEVqU8jti98vJBPc3l+jTpMhCMq0wAnU6Idw8huX5Wyn/CzWfXm3dptK6AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/047054f4ee4553fe929be57cb42999cd/8ac56/image-20250330151523745.webp 240w,\n/static/047054f4ee4553fe929be57cb42999cd/1f248/image-20250330151523745.webp 343w\"\n              sizes=\"(max-width: 343px) 100vw, 343px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/047054f4ee4553fe929be57cb42999cd/8ff5a/image-20250330151523745.png 240w,\n/static/047054f4ee4553fe929be57cb42999cd/41431/image-20250330151523745.png 343w\"\n            sizes=\"(max-width: 343px) 100vw, 343px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/047054f4ee4553fe929be57cb42999cd/41431/image-20250330151523745.png\"\n            alt=\"image-20250330151523745\"\n            title=\"image-20250330151523745\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">var_278 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">[</span> <span class=\"token number\">88</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">17</span><span class=\"token punctuation\">,</span>  <span class=\"token number\">19</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">57</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n <span class=\"token punctuation\">[</span> <span class=\"token number\">45</span><span class=\"token punctuation\">,</span>  <span class=\"token operator\">-</span><span class=\"token number\">9</span><span class=\"token punctuation\">,</span>  <span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">29</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n <span class=\"token punctuation\">[</span><span class=\"token 
-">
operator\">-</span><span class=\"token number\">56</span><span class=\"token punctuation\">,</span>  <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">12</span><span class=\"token punctuation\">,</span>  <span class=\"token number\">36</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n <span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">40</span><span class=\"token punctuation\">,</span>   <span class=\"token number\">8</span><span class=\"token punctuation\">,</span>  <span class=\"token operator\">-</span><span class=\"token number\">9</span><span class=\"token punctuation\">,</span>  <span class=\"token number\">26</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span></code></pre></div>\n<p>It also verifies that the input is 19 characters long and matches a hyphen-delimited format like <code class=\"language-text\">AAAA-BBBB-CCCC-DDDD</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 800px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/74f9252ebd77b27beb21611aae52d474/5a190/image-20250330151731168.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 74.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/74f9252ebd77b27beb21611aae52d474/8ac56/image-20250330151731168.webp 
240w,\n/static/74f9252ebd77b27beb21611aae52d474/d3be9/image-20250330151731168.webp 480w,\n/static/74f9252ebd77b27beb21611aae52d474/d00b9/image-20250330151731168.webp 800w\"\n              sizes=\"(max-width: 800px) 100vw, 800px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/74f9252ebd77b27beb21611aae52d474/8ff5a/image-20250330151731168.png 240w,\n/static/74f9252ebd77b27beb21611aae52d474/e85cb/image-20250330151731168.png 480w,\n/static/74f9252ebd77b27beb21611aae52d474/5a190/image-20250330151731168.png 800w\"\n            sizes=\"(max-width: 800px) 100vw, 800px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/74f9252ebd77b27beb21611aae52d474/5a190/image-20250330151731168.png\"\n            alt=\"image-20250330151731168\"\n            title=\"image-20250330151731168\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Finally, it checks whether the product of the 4×4 array initialized at the beginning and an array generated from the input equals the identity matrix.</p>\n<p>The inverse of the initialized array is as follows:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 437px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/94389fad6e9c5155dac07cdc1dd877fa/5a428/image-20250330152959234.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 131.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: 
cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/94389fad6e9c5155dac07cdc1dd877fa/8ac56/image-20250330152959234.webp 240w,\n/static/94389fad6e9c5155dac07cdc1dd877fa/feb7b/image-20250330152959234.webp 437w\"\n              sizes=\"(max-width: 437px) 100vw, 437px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/94389fad6e9c5155dac07cdc1dd877fa/8ff5a/image-20250330152959234.png 240w,\n/static/94389fad6e9c5155dac07cdc1dd877fa/5a428/image-20250330152959234.png 437w\"\n            sizes=\"(max-width: 437px) 100vw, 437px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/94389fad6e9c5155dac07cdc1dd877fa/5a428/image-20250330152959234.png\"\n            alt=\"image-20250330152959234\"\n            title=\"image-20250330152959234\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Using the following script to recover the ASCII string from the inverse matrix, we can identify that the password required to obtain the flag is <code class=\"language-text\">BFCF-EJJL-CKKL-BLJQ</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> numpy <span class=\"token keyword\">as</span> np\n\nsecret <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\narray <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n       <span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n       <span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n       <span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        n <span class=\"token 
operator\">=</span> array<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">]</span>\n        secret <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>n <span class=\"token operator\">+</span> i<span class=\"token operator\">*</span>j <span class=\"token operator\">+</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    secret <span class=\"token operator\">+=</span> <span class=\"token string\">\"-\"</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>secret<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>During the contest I was forcibly extracting the deobfuscated code with gdb, but the Unicorn + Capstone approach was very enlightening.</p>\n<p>That said, both Unicorn and Capstone have relatively limited documentation, so I feel like it 
could take some time to become proficient with them.</p>\n<p>For simple execution-time hooking alone, it might also be worth trying Frida.</p>","fields":{"slug":"/unicorn-binary-deobfuscation-en","tagSlugs":["/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2025-03-30","description":"Self-Restoring Binary Deobfuscation with Unicorn and Capstone","tags":["Reversing (en)","English"],"title":"Self-Restoring Binary Deobfuscation with Unicorn and Capstone","socialImage":{"publicURL":"/static/2305d71b9a4423d01465fea769930809/unicorn-binary-deobfuscation.png"}}}},"pageContext":{"slug":"/unicorn-binary-deobfuscation-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}