Automatically de-obfuscate ollvm and generate binaries

Overview

AntiOllvm

Automatically deobfuscate binaries and generate new binaries.

Chinese Help

For the Chinese help, click Help.

Description

Software obfuscation is very common these days. While it protects the rights and interests of legitimate developers, it is just as convenient for the authors of malware and viruses, who use obfuscation to protect their code. For a security analyst this is a serious hindrance: a great deal of time goes into untangling and sorting out the obfuscated logic. AntiOllvm provides automatic de-obfuscation, which greatly reduces that unnecessary analysis time, and it does more than de-obfuscation alone.

This software uses retdec to convert the binary code to LLVM IR, optimizes the IR to remove the obfuscated parts, and recompiles it with LLVM to generate a new binary whose symbol addresses correspond to those of the original binary, while preserving the semantics of the code. Because an obfuscated function body is necessarily larger than its unobfuscated form, the recompiled code is written back to the function's original location in the file, and relocations are fixed up through the global variables.
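The two constraints implied by this in-place rewriting design (a function keeps its symbol address, and its rewritten body must fit inside the original obfuscated one) are easy to verify on the output. The script below is an added example, not AntiOllvm's own code: it parses `nm -S --defined-only` style listings of the original and the -anti binary and reports functions that moved or outgrew their original body; the symbol names, addresses and sizes are constructed.

```python
import re

# address  size  type  name  (nm -S prints a size only for symbols that have one)
NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")

def parse_nm(text):
    """Return {name: (address, size)} for function symbols (type t/T)."""
    funcs = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # blank line or a symbol printed without a size
        addr, size, kind, name = m.groups()
        if kind in ("t", "T"):
            funcs[name] = (int(addr, 16), int(size, 16))
    return funcs

def check_layout(original, anti):
    """Return [(name, problem)] for every function that violates a constraint."""
    problems = []
    for name, (addr, size) in original.items():
        if name not in anti:
            problems.append((name, "missing in de-obfuscated binary"))
            continue
        new_addr, new_size = anti[name]
        if new_addr != addr:
            problems.append((name, f"moved 0x{addr:x} -> 0x{new_addr:x}"))
        elif new_size > size:
            problems.append((name, f"grew {size} -> {new_size} bytes, overruns original body"))
    return problems

# Constructed sample listings (hypothetical symbols, not from a real AntiOllvm run).
ORIGINAL_NM = """\
0000000000000710 0000000000000340 T target_function
0000000000000a50 0000000000000018 T helper
0000000000000a68 0000000000000010 t local_fn
0000000000004000 0000000000000008 D g_table
"""
ANTI_NM = """\
0000000000000710 00000000000000c8 T target_function
0000000000000a50 0000000000000018 T helper
0000000000000a68 0000000000000020 t local_fn
0000000000004000 0000000000000008 D g_table
"""

if __name__ == "__main__":
    for name, why in check_layout(parse_nm(ORIGINAL_NM), parse_nm(ANTI_NM)):
        print(f"{name}: {why}")
```

In the constructed sample, target_function shrinks as expected after de-obfuscation, while local_fn grew past its original body and is flagged.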

Official website https://antiollvm.com (coming soon)

Software purchase

Plans (columns of the original table: price in China, price in other regions, device binding, number of bindings, feature restrictions, follow-up feature restrictions, bonus, Windows x64, Linux x64, macOS):
  • Trial: price N/A (China and other regions); device binding N/A; number of bindings N/A; feature restrictions: Arm only, recompilation not supported; follow-up feature restrictions N/A; bonus N/A; Windows x64: supported; Linux x64: to be opened later; macOS: to be opened later
  • Annual subscription: 9600¥ (China), 1650$ (other regions); 1 device; 3 bindings; no feature restrictions; follow-up features may incur additional charges; bonus: now until 01/18/2023; Windows x64: supported; Linux x64: to be opened later; macOS: to be opened later
  • Permanent: 38000¥ (China), 6800$ (other regions); 1 device; 15 bindings; no feature restrictions; no follow-up feature restrictions; bonus: unlimited; Windows x64: supported; Linux x64: to be opened later; macOS: to be opened later
  • Purchase example

    • For example, if you purchase 1 year on 01/15/2022, the actual validity period is 01/15/2022 - 01/18/2024; if you purchase two years, the validity period is 01/15/2022 - 01/18/2025, and so on.
    • For example, if you purchase 1 year on 06/01/2022, the validity period is 06/01/2022 - 01/18/2024.
    • For purchases after 01/18/2023, for example a one-year purchase on 02/01/2023, the validity period is 02/01/2023 - 02/01/2024.
    • The permanent version has no validity period limit.
  • Binding device restrictions

    • At present, both annual and permanent users can only bind one device at the same time.
  • Example of binding times

    • The first binding of a device does not deduct from the number of bindings.
    • For example, to move from computer A to computer B after binding A, you must first unbind on computer A and then bind on computer B; this deducts one binding. When the number of bindings reaches 0, the device can no longer be changed.
    • Computer A and computer B can each be Windows, Linux or macOS, so you can rebind to the same operating system or to a different one.
  • Contact information

  • At present there may still be some problems. The first-purchase gift is valid until 01/18/2023. If you encounter a problem, report it through the contact information above and please be patient while it is fixed.

  • Trial version download: click

  • For the official version, please contact me through the contact information above.

Current development timeline

  1. Add goron version of indirect jump to de-obfuscate
  2. Enable mac x86, mac arm, Linux X64 versions

Please follow the official account or join the TG/QQ group above for the latest news.

Usage help

Click

Development progress

Architecture  ELF  COFF  Mach-O
Arm           Yes  Yes
Arm64         Yes  Yes
X86
X86_64

Instructions for use

  • This project is a paid project; this repository only stores the description files and the source code and binaries of some test samples.
  • Everyone is welcome to send samples (the more complex the better) to my mailbox [email protected], or to submit an issue in this repository with the sample and a description. Please state the binary architecture, the file format and the obfuscation difficulty level (1-3) in the title when sending a sample; once the de-obfuscation succeeds, I will reply with the de-obfuscated binary.

Disclaimer

AntiOllvm is software that automatically de-obfuscates binary files. It is intended for software security researchers and enthusiasts to use for learning and research. Do not use it for unauthorized or illegal purposes.

When you use this security product for research or testing, you must ensure that your behavior complies with local laws and regulations and that you have sufficient authorization. If you engage in any illegal behavior while using this security product, you bear the consequences yourself, and we accept no legal or joint liability.

Before you use this security product, please read it carefully and fully understand the contents, limitations, disclaimers or other terms involving your significant rights and interests. Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not use this security product.

Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.

directory description

  • Each test directory contains the corresponding test source code and preset static libraries (unobfuscated and obfuscated). The bin directory in each test directory holds the generated binaries for each architecture and file format. Binaries and static libraries without the -obf suffix were built without obfuscation, those with the -obf suffix were built with obfuscation, and files with -anti in the binary directory are the de-obfuscated output.
  • For the description of each test item, please refer to the doc directory document in the corresponding directory
  • OpenSSL Test
  • Arm64 Test

personal blog

Including technical article sharing, software instructions, video demonstrations, etc.

Software Future

  • Open X86 and X86_64 de-obfuscation support
  • IDA plugin for convenient de-obfuscation, with better optimized de-obfuscation using IDA's analysis results
  • Develop emulated execution to trace binaries cross-platform on a PC, for example for algorithm analysis
  • IDA virtual debugging, built on the emulated execution

References

retdec https://github.com/avast/retdec

LLVM https://github.com/llvm/llvm-project


Releases(antiollvm-trial)
  • antiollvm-trial(Jan 15, 2022)

    • The trial version only supports the arm instruction set, does not support recompilation
    • File SHA512 da12470e6edffce1674241faac99d91d6fc0d28b6bb4585836738124fea01599d74b5de2b15349ee296c518543643cd38f6784b6724acf7affc476789ff67295
    • File SHA256 c0ca940cb4f3b8ad5efbef79c721e957418e7dbab7e3446e439f7f302844121d
    Source code(tar.gz)
    Source code(zip)
    antiollvm-trial.7z(26.65 MB)
Owner
sanfengAndroid
Focused on Android reverse engineering and security