
AS3 Non-Complex Instruction Execution

Open ArachisH opened this issue 2 years ago • 0 comments

Allow for the execution of instructions that only utilize the stack for arithmetic, and when instructions are comparing constant values caused by obfuscation.

Motivation

Currently the deobfuscation method in ASCode is capable of reducing the complexity of a method's control flow by removing redundant checks against constant values. Therefore, the idea is to move this logic into another type that allows for the execution of static methods containing basic instructions, as this would allow for more complex methods of deobfuscation.

Consider the following AS3 class which decodes a string at runtime using a collection of integer arrays.

public class SomeClass
{
    private var field1:Array;

    // Non-Static
    public function SomeClass()
    {
        field1 = [10001, 10002, 10002, 10002, 10002];
    }

    // Non-Static 
    public function functionNeedingString() : void
    {
        var local1:* = [0, 0, 0, 0, 0];
        var local2:* = [1, 1, 1, 1, 1];
        var local3:String = getKeyValue(local1, 0);
    }

    // Static
    private static function getKeyValue(param1:Array, param2:int) : String
    {
        var value:String = "";
        for each(var local1 in param1)
        {
            for each(var local2 in local1)
            {
                value += String.fromCharCode(10000 - local2 + param2--);
            }
        }
        return value;
    }
}

Since all of the data required to generate the string is needed, we can load these values into their C# equivalent and call an emulated getKeyValue function to retrieve the string.

ArachisH, Jun 04 '23 00:06
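The kind of constant-only execution requested in this issue, as an added example that is not part of the original post and not Flazzy's code: a small C# evaluator that runs stack arithmetic on constants and reports how the closing conditional jump resolves, refusing as soon as an instruction reads anything but the stack. The `Op`, `Ins`, `ConstantBranchFolder` and `TryResolveBranch` names are hypothetical, the opcodes are named after AVM2 instructions, and every operand is assumed to be a 32-bit integer.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical opcode subset named after AVM2 instructions (not Flazzy's own types).
enum Op { PushInt, GetLocal, Add, Subtract, Multiply, Equals, LessThan, IfTrue, IfFalse }
record Ins(Op Code, int Operand = 0);

static class ConstantBranchFolder
{
    // Returns whether the closing conditional jump is taken when that is provable
    // from stack arithmetic on constants alone; null when anything else is involved.
    public static bool? TryResolveBranch(IReadOnlyList<Ins> block)
    {
        var stack = new Stack<int>(); // simplification: every operand is a 32-bit int
        foreach (var ins in block)
        {
            switch (ins.Code)
            {
                case Op.PushInt: stack.Push(ins.Operand); break;
                case Op.Add: case Op.Subtract: case Op.Multiply:
                case Op.Equals: case Op.LessThan:
                    if (stack.Count < 2) return null; // operand produced outside the block
                    int right = stack.Pop(), left = stack.Pop();
                    stack.Push(ins.Code switch
                    {
                        Op.Add => left + right,
                        Op.Subtract => left - right,
                        Op.Multiply => left * right,
                        Op.Equals => left == right ? 1 : 0,
                        _ => left < right ? 1 : 0
                    });
                    break;
                case Op.IfTrue: case Op.IfFalse:
                    if (stack.Count < 1) return null;
                    bool condition = stack.Pop() != 0;
                    return ins.Code == Op.IfTrue ? condition : !condition;
                default: return null; // locals, fields, calls: not constant, keep the check
            }
        }
        return null; // block does not end in a conditional jump
    }
    static void Main()
    {
        // Constructed samples: a constant check as left by an obfuscator, then one reading a local.
        var constant = new Ins[] { new(Op.PushInt, 7), new(Op.PushInt, 3), new(Op.Subtract), new(Op.PushInt, 4), new(Op.Equals), new(Op.IfFalse) };
        var runtime = new Ins[] { new(Op.GetLocal, 1), new(Op.PushInt, 4), new(Op.Equals), new(Op.IfFalse) };
        Console.WriteLine($"constant check taken: {TryResolveBranch(constant)}; local check resolvable: {TryResolveBranch(runtime).HasValue}");
    }
}
```

A resolved result lets the deobfuscator replace the check with an unconditional jump or a fall-through; an unresolved one means the instructions must be left untouched.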