code-obfuscation-deobfuscation
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSKILL: Code Obfuscation & Deobfuscation — Expert Analysis Playbook
SKILL:代码混淆与反混淆——专家分析操作手册
AI LOAD INSTRUCTION: Expert techniques for identifying, classifying, and defeating code obfuscation in native binaries. Covers junk code, opaque predicates, SMC, control flow flattening, movfuscator, VM protectors (VMProtect/Themida/Code Virtualizer), string encryption, import hiding, and anti-disassembly tricks. Base models often conflate packing with obfuscation and miss the distinction between static and dynamic deobfuscation strategies.
AI加载说明:用于识别、分类和破解原生二进制文件中代码混淆的专业技术,涵盖垃圾代码、不透明谓词、SMC、控制流平坦化、movfuscator、VM保护程序(VMProtect/Themida/Code Virtualizer)、字符串加密、导入表隐藏和反反汇编技巧。基础模型通常会将加壳与混淆混为一谈,且无法区分静态和动态反混淆策略。
0. RELATED ROUTING
0. 相关参考路径
- anti-debugging-techniques when the obfuscated binary also has anti-debug layers
- symbolic-execution-tools when using angr/Z3 for automated deobfuscation
- vm-and-bytecode-reverse for deep VM protector bytecode analysis
- 如果混淆后的二进制文件还带有反调试层,参考anti-debugging-techniques
- 如果需要使用angr/Z3实现自动化反混淆,参考symbolic-execution-tools
- 如果需要深入分析VM保护程序的字节码,参考vm-and-bytecode-reverse
Quick identification picks
快速识别对照表
| Symptom in IDA/Ghidra | Likely Obfuscation | Start With |
|---|---|---|
| Flat CFG, single giant switch | Control flow flattening | Symbolic execution to recover CFG |
Only | movfuscator | demovfuscation / trace-based lifting |
| pushad/pushfd → VM entry | VM protector | Handler table extraction |
| XOR loop before code execution | SMC / string encryption | Dynamic analysis, breakpoint after decode |
| Impossible conditions (opaque predicates) | Junk code insertion | Pattern-based removal |
| All strings unreadable | String encryption | Hook decryption routine, or emulate |
| No imports in IAT | Import hiding | Trace GetProcAddress / hash resolution |
| IDA/Ghidra中观察到的特征 | 对应的混淆类型 | 首选处理方案 |
|---|---|---|
| 平坦的CFG、单个巨型switch结构 | 控制流平坦化 | 用符号执行恢复CFG |
仅包含 | movfuscator | demovfuscation/基于trace的 lifting |
| pushad/pushfd指令后接VM入口 | VM保护 | 提取处理函数表 |
| 代码执行前存在XOR循环 | SMC/字符串加密 | 动态分析,在解码完成后下断点 |
| 不可能成立的分支条件(不透明谓词) | 垃圾代码插入 | 基于特征匹配移除 |
| 所有字符串都无法读取 | 字符串加密 | Hook解密函数,或者模拟执行 |
| IAT中无导入表项 | 导入表隐藏 | 跟踪GetProcAddress/哈希解析过程 |
1. JUNK CODE & OPAQUE PREDICATES
1. 垃圾代码与不透明谓词
1.1 Junk Code Insertion
1.1 垃圾代码插入
Dead code that never affects program output, added to increase analysis time.
Identification:
- Instructions that write to registers/memory never read afterward
- Function calls whose return values are discarded and have no side effects
- Loops with invariant bounds that compute unused results
Removal strategy:
- Compute def-use chains (IDA/Ghidra data flow analysis)
- Mark instructions with no downstream use as dead
- Verify removal doesn't change program behavior (trace comparison)
不会影响程序输出的死代码,添加目的是增加分析耗时。
识别特征:
- 写入寄存器/内存的指令后续从未被读取
- 函数调用的返回值被丢弃且无副作用
- 边界固定的循环计算出的结果从未被使用
移除策略:
- 计算def-use链(IDA/Ghidra数据流分析功能)
- 将没有下游使用的指令标记为死代码
- 验证移除后不会改变程序行为(trace对比)
1.2 Opaque Predicates
1.2 不透明谓词
Conditional branches where the condition is always true or always false, but this is non-obvious.
| Type | Example | Always Evaluates To |
|---|---|---|
| Arithmetic | | True |
| Number theory | | True (product of consecutive ints) |
| Pointer-based | | True |
| Hash-based | | True |
Deobfuscation:
- Abstract interpretation: prove the condition is constant
- Symbolic execution: Z3 proves
∀x: predicate(x) = True - Pattern matching: recognize known opaque predicate families
- Dynamic: trace and observe the branch is never taken / always taken
python
import z3
x = z3.BitVec('x', 32)
s = z3.Solver()
s.add(x * (x + 1) % 2 != 0)
print(s.check()) # unsat → always true分支条件恒为真或恒为假,但从代码表面无法直接判断的条件分支。
| 类型 | 示例 | 恒为 |
|---|---|---|
| 算术类 | | 真 |
| 数论类 | | 真(连续整数的乘积) |
| 指针类 | 别名处理后的 | 真 |
| 哈希类 | | 真 |
反混淆方法:
- 抽象解释:证明条件是常量
- 符号执行:用Z3证明
∀x: predicate(x) = True - 特征匹配:识别已知的不透明谓词家族
- 动态方法:跟踪执行观察分支是否从未被触发/始终被触发
python
import z3
x = z3.BitVec('x', 32)
s = z3.Solver()
s.add(x * (x + 1) % 2 != 0)
print(s.check()) # unsat → 恒为真2. SELF-MODIFYING CODE (SMC)
2. 自修改代码(SMC)
Runtime code patching: encrypted code is decrypted just before execution.
运行时代码补丁技术:加密的代码只会在即将执行前才会被解密。
2.1 XOR Decryption Loop (Most Common)
2.1 XOR解密循环(最常见)
asm
lea esi, [encrypted_code]
mov ecx, code_length
mov al, xor_key
decrypt_loop:
xor byte [esi], al
inc esi
loop decrypt_loop
jmp encrypted_code ; now decryptedasm
lea esi, [encrypted_code]
mov ecx, code_length
mov al, xor_key
decrypt_loop:
xor byte [esi], al
inc esi
loop decrypt_loop
jmp encrypted_code ; 此时代码已解密2.2 Analysis Strategy
2.2 分析策略
1. Identify the decryption routine (look for XOR/ADD/SUB in loops writing to .text)
2. Set breakpoint AFTER the loop completes
3. At breakpoint: dump the decrypted memory region
4. Re-analyze the dumped code in IDA/Ghidra
5. For multi-layer: repeat for each decryption stage1. 识别解密例程(查找向.text段写入的循环中的XOR/ADD/SUB指令)
2. 在循环执行完成后的位置下断点
3. 触发断点后:dump已解密的内存区域
4. 将dump出的代码导入IDA/Ghidra重新分析
5. 如果是多层加密:对每个解密阶段重复上述操作2.3 Automated Unpacking via Emulation
2.3 基于模拟执行的自动化脱壳
python
from unicorn import *
from unicorn.x86_const import *
mu = Uc(UC_ARCH_X86, UC_MODE_32)
mu.mem_map(0x400000, 0x10000)
mu.mem_write(0x400000, binary_code)
mu.emu_start(decrypt_entry, decrypt_end)
decrypted = mu.mem_read(code_start, code_length)python
from unicorn import *
from unicorn.x86_const import *
mu = Uc(UC_ARCH_X86, UC_MODE_32)
mu.mem_map(0x400000, 0x10000)
mu.mem_write(0x400000, binary_code)
mu.emu_start(decrypt_entry, decrypt_end)
decrypted = mu.mem_read(code_start, code_length)3. CONTROL FLOW FLATTENING (CFF)
3. 控制流平坦化(CFF)
3.1 Structure
3.1 结构
Original sequential blocks are transformed into a dispatcher loop:
Original: A → B → C → D
Flattened: ┌──────────────────┐
│ dispatcher │
│ switch(state) │◄─────┐
├──────────────────┤ │
│ case 1: block A │──────┤
│ case 2: block B │──────┤
│ case 3: block C │──────┤
│ case 4: block D │──────┘
└──────────────────┘Each block sets before jumping back to the dispatcher.
state = next_state原始的顺序执行块被转换为分发器循环结构:
原始结构: A → B → C → D
平坦化后结构: ┌──────────────────┐
│ 分发器 │
│ switch(state) │◄─────┐
├──────────────────┤ │
│ case 1: 块A │──────┤
│ case 2: 块B │──────┤
│ case 3: 块C │──────┤
│ case 4: 块D │──────┘
└──────────────────┘每个块在跳转回分发器前都会设置。
state = next_state3.2 Recovery Techniques
3.2 恢复技术
| Technique | Tool | Effectiveness |
|---|---|---|
| Symbolic execution | angr, Triton, miasm | High — traces all state transitions |
| Trace-based recovery | Pin/DynamoRIO trace → reconstruct CFG | Medium — covers executed paths only |
| Pattern matching | Custom IDA/Ghidra script | Medium — works for known flatteners |
| D-810 (IDA plugin) | IDA Pro | High — specifically designed for CFF |
| 技术 | 工具 | 效果 |
|---|---|---|
| 符号执行 | angr, Triton, miasm | 高——可跟踪所有状态转换 |
| 基于trace的恢复 | Pin/DynamoRIO trace → 重构CFG | 中——仅覆盖已执行的路径 |
| 特征匹配 | 自定义IDA/Ghidra脚本 | 中——对已知平坦化工具有效 |
| D-810(IDA插件) | IDA Pro | 高——专门为CFF设计 |
3.3 Symbolic Deflattening (angr approach)
3.3 符号化去平坦化(angr实现方案)
python
import angr, claripy
proj = angr.Project('./obfuscated')
cfg = proj.analyses.CFGFast()python
import angr, claripy
proj = angr.Project('./obfuscated')
cfg = proj.analyses.CFGFast()Find dispatcher block (highest in-degree basic block)
找到分发器块(入度最高的基本块)
dispatcher = max(cfg.graph.nodes(), key=lambda n: cfg.graph.in_degree(n))
dispatcher = max(cfg.graph.nodes(), key=lambda n: cfg.graph.in_degree(n))
For each case block, symbolically determine successor
对每个case块,通过符号执行确定真实的后继块
for block in case_blocks:
state = proj.factory.blank_state(addr=block.addr)
# ... solve state variable to find real successor
---for block in case_blocks:
state = proj.factory.blank_state(addr=block.addr)
# ... 求解状态变量找到真实后继
---4. MOVFUSCATOR
4. MOVFUSCATOR
4.1 Concept
4.1 概念
All computation reduced to instructions only (Turing-complete via memory-mapped computation tables). Created by Christopher Domas.
mov所有计算都被简化为仅使用指令(通过内存映射计算表实现图灵完备),由Christopher Domas开发。
mov4.2 Identification
4.2 识别特征
- Function contains only instructions (no add, sub, xor, jmp, call)
mov - Large lookup tables in data section
- Memory-mapped flag registers
- 函数仅包含指令(无add、sub、xor、jmp、call)
mov - data段存在大型查找表
- 内存映射的标志寄存器
4.3 Demovfuscation
4.3 Demovfuscation
| Approach | Description |
|---|---|
| demovfuscator (tool) | Static analysis, recovers original operations from mov patterns |
| Trace + taint analysis | Run with Pin/DynamoRIO, taint inputs, observe computation |
| Symbolic execution | Treat entire function as constraint system |
| 方案 | 描述 |
|---|---|
| demovfuscator(工具) | 静态分析,从mov模式中恢复原始操作 |
| Trace + 污点分析 | 用Pin/DynamoRIO运行,对输入做污点标记,观察计算过程 |
| 符号执行 | 将整个函数视为约束系统处理 |
5. VM PROTECTION (VMProtect / Themida / Code Virtualizer)
5. VM保护(VMProtect / Themida / Code Virtualizer)
5.1 VM Architecture
5.1 VM架构
Protected code → bytecode compiler → custom bytecode
Runtime: VM entry (pushad/pushfd) → fetch → decode → execute → VM exit (popad/popfd)待保护代码 → 字节码编译器 → 自定义字节码
运行时:VM入口(pushad/pushfd) → 取指 → 解码 → 执行 → VM退出(popad/popfd)5.2 VM Entry Point Identification
5.2 VM入口点识别
asm
; Typical VMProtect entry
pushad ; save all registers
pushfd ; save flags
mov ebp, esp ; VM stack frame
sub esp, VM_LOCALS_SIZE ; allocate VM context
mov esi, bytecode_addr ; bytecode instruction pointer
jmp vm_dispatcher ; enter VM loopasm
; 典型的VMProtect入口
pushad ; 保存所有寄存器
pushfd ; 保存标志位
mov ebp, esp ; VM栈帧
sub esp, VM_LOCALS_SIZE ; 分配VM上下文空间
mov esi, bytecode_addr ; 字节码指令指针
jmp vm_dispatcher ; 进入VM循环5.3 Handler Table Extraction
5.3 处理函数表提取
1. Find dispatcher (large switch or indirect jump via table)
2. Each case/entry = one VM handler (implements one VM opcode)
3. Map handler addresses to operations by analyzing each handler:
- Handler reads operand from bytecode stream (esi)
- Performs operation on VM registers/stack
- Advances bytecode pointer
- Returns to dispatcher1. 找到分发器(大型switch或通过表实现的间接跳转)
2. 每个case/条目对应一个VM处理函数(实现一个VM opcode)
3. 通过分析每个处理函数,将处理函数地址映射到对应的操作:
- 处理函数从字节码流(esi)读取操作数
- 对VM寄存器/栈执行操作
- 推进字节码指针
- 返回分发器5.4 Devirtualization Approaches
5.4 去虚拟化方案
| Method | Description | Tool |
|---|---|---|
| Manual handler mapping | Reverse each handler, build ISA spec | IDA + scripting |
| Trace recording | Record all handler executions, reconstruct program | REVEN, Pin |
| Symbolic lifting | Symbolically execute handlers, lift to IR | Triton, miasm |
| Pattern matching | Match handler patterns to known VM families | Custom scripts |
| 方法 | 描述 | 工具 |
|---|---|---|
| 手动处理函数映射 | 逆向每个处理函数,构建ISA规范 | IDA + 脚本 |
| Trace记录 | 记录所有处理函数执行过程,重构程序 | REVEN, Pin |
| 符号 lifting | 符号执行处理函数,lift到中间表示 | Triton, miasm |
| 特征匹配 | 将处理函数特征与已知VM家族匹配 | 自定义脚本 |
5.5 VMProtect Specifics
5.5 VMProtect特有特性
- Uses opaque predicates in dispatcher
- Handler mutation: same opcode, different handler code per build
- Multiple VM layers (VM inside VM)
- Integrates anti-debug and integrity checks
- 分发器中使用不透明谓词
- 处理函数变异:相同opcode,每个构建版本的处理函数代码都不同
- 多层VM(VM嵌套VM)
- 集成反调试和完整性检查
6. STRING ENCRYPTION
6. 字符串加密
6.1 Common Patterns
6.1 常见模式
| Pattern | Example | Recovery |
|---|---|---|
| XOR loop | | Hook or emulate XOR function |
| Stack strings | | IDA FLIRT / Ghidra script to reassemble |
| RC4 encrypted | Encrypted blob + RC4 key in binary | Extract key, decrypt offline |
| AES encrypted | Encrypted blob + AES key derived at runtime | Hook after decryption |
| Custom encoding | Base64 + XOR + reverse | Trace the decode function, replicate |
| 模式 | 示例 | 恢复方法 |
|---|---|---|
| XOR循环 | | Hook或模拟XOR函数 |
| 栈字符串 | | IDA FLIRT / Ghidra脚本重组 |
| RC4加密 | 加密blob + 二进制中的RC4密钥 | 提取密钥,离线解密 |
| AES加密 | 加密blob + 运行时派生的AES密钥 | 在解密完成后Hook |
| 自定义编码 | Base64 + XOR + 反转 | 跟踪解码函数,复刻逻辑 |
6.2 Automated String Decryption
6.2 自动化字符串解密
python
undefinedpython
undefinedGhidra script: find XOR decryption calls, emulate them
Ghidra脚本:查找XOR解密调用,模拟执行解密
from ghidra.program.model.symbol import SourceType
decrypt_func = getFunction("decrypt_string")
refs = getReferencesTo(decrypt_func.getEntryPoint())
for ref in refs:
call_addr = ref.getFromAddress()
# extract arguments (encrypted buffer ptr, key, length)
# emulate decryption, add comment with plaintext
---from ghidra.program.model.symbol import SourceType
decrypt_func = getFunction("decrypt_string")
refs = getReferencesTo(decrypt_func.getEntryPoint())
for ref in refs:
call_addr = ref.getFromAddress()
# 提取参数(加密缓冲区指针、密钥、长度)
# 模拟解密,添加明文字符串注释
---7. IMPORT HIDING
7. 导入表隐藏
7.1 GetProcAddress + Hash Lookup
7.1 GetProcAddress + 哈希查找
c
FARPROC resolve(DWORD hash) {
// Walk PEB → LDR → InMemoryOrderModuleList
// For each DLL, walk export table
// Hash each export name, compare with target hash
// Return matching function pointer
}c
FARPROC resolve(DWORD hash) {
// 遍历PEB → LDR → InMemoryOrderModuleList
// 对每个DLL,遍历导出表
// 对每个导出名称计算哈希,与目标哈希对比
// 返回匹配的函数指针
}7.2 Recovery
7.2 恢复方法
- Identify the hash algorithm (common: CRC32, djb2, ROR13+ADD)
- Compute hashes for all known API names
- Build hash → API name lookup table
- Annotate resolved calls in IDA/Ghidra
- 识别哈希算法(常见:CRC32、djb2、ROR13+ADD)
- 计算所有已知API名称的哈希
- 构建哈希→API名称查找表
- 在IDA/Ghidra中对已解析的调用添加注释
7.3 Common Hash Algorithms
7.3 常见哈希算法
| Name | Algorithm | Used By |
|---|---|---|
| ROR13 | | Metasploit shellcode |
| djb2 | | Various malware |
| CRC32 | Standard CRC32 of function name | Sophisticated packers |
| FNV-1a | | Modern malware |
| 名称 | 算法 | 使用场景 |
|---|---|---|
| ROR13 | | Metasploit shellcode |
| djb2 | | 各类恶意软件 |
| CRC32 | 函数名称的标准CRC32 | 复杂加壳程序 |
| FNV-1a | | 现代恶意软件 |
8. ANTI-DISASSEMBLY TRICKS
8. 反反汇编技巧
8.1 Techniques
8.1 技术手段
| Trick | Mechanism | Fix |
|---|---|---|
| Overlapping instructions | | Manual re-analysis from correct offset |
| Misaligned jumps | Jump into middle of multi-byte instruction | Force IDA to re-analyze at target |
| Conditional jump pair | | Convert to unconditional jmp |
| Return address manipulation | | Recognize push+ret as jump |
| Exception-based flow | Trigger exception, real code in handler | Analyze exception handler chain |
| Call + add [esp] | | Calculate actual target |
| 技巧 | 机制 | 修复方法 |
|---|---|---|
| 重叠指令 | | 从正确偏移手动重新分析 |
| 未对齐跳转 | 跳转到多字节指令的中间位置 | 强制IDA在目标位置重新分析 |
| 条件跳转对 | | 转换为无条件跳转 |
| 返回地址操纵 | 用 | 将push+ret识别为跳转 |
| 基于异常的控制流 | 触发异常,真实代码位于异常处理函数中 | 分析异常处理链 |
| Call + 栈修改 | | 计算实际目标地址 |
8.2 IDA Fixes
8.2 IDA修复操作
Right-click → Undefine (U)
Right-click → Code (C) at correct offset
Edit → Patch → Assemble (for permanent fix)右键 → 取消定义(U)
右键 → 在正确偏移处转换为代码(C)
编辑 → 补丁 → 汇编(永久修复)9. DECISION TREE
9. 决策树
Obfuscated binary — how to approach?
│
├─ Can you run it?
│ ├─ Yes → Dynamic analysis first
│ │ ├─ Set BP on interesting APIs (file, network, crypto)
│ │ ├─ Trace execution to understand real behavior
│ │ └─ Dump decrypted code/strings at runtime
│ │
│ └─ No (embedded/firmware/exotic arch) → Static only
│ └─ Identify obfuscation type from patterns below
│
├─ What does the code look like?
│ │
│ ├─ Giant flat switch/dispatcher loop?
│ │ ├─ State variable drives control flow → CFF
│ │ │ └─ Use D-810 or symbolic deflattening
│ │ └─ Bytecode fetch-decode-execute → VM protection
│ │ └─ Extract handlers, build disassembler
│ │
│ ├─ Only mov instructions?
│ │ └─ movfuscator → demovfuscator tool
│ │
│ ├─ XOR/ADD loop writing to .text section?
│ │ └─ SMC → breakpoint after decode, dump
│ │
│ ├─ Impossible conditions in branches?
│ │ └─ Opaque predicates → Z3 proving or pattern removal
│ │
│ ├─ Disassembly looks wrong / functions overlap?
│ │ └─ Anti-disassembly → manual re-analysis at correct offsets
│ │
│ ├─ No readable strings?
│ │ └─ String encryption → hook decrypt function or emulate
│ │
│ ├─ No imports in IAT?
│ │ └─ Import hiding → identify hash, build lookup table
│ │
│ └─ pushad/pushfd → complex code → popad/popfd?
│ └─ VM protector entry/exit → full VM analysis
│
└─ What tool to use?
├─ Known protector (VMProtect/Themida) → specific deprotection guide
├─ Custom obfuscation → combine: IDA scripting + Triton + manual
├─ CTF challenge → angr symbolic execution often fastest
└─ Malware analysis → dynamic (debugger + API monitor) first遇到混淆二进制文件,如何处理?
│
├─ 能否运行该文件?
│ ├─ 能 → 优先动态分析
│ │ ├─ 在感兴趣的API(文件、网络、加密)上下断点
│ │ ├─ 跟踪执行了解真实行为
│ │ └─ 运行时dump解密后的代码/字符串
│ │
│ └─ 不能(嵌入式/固件/特殊架构) → 仅静态分析
│ └─ 根据下方特征识别混淆类型
│
├─ 代码呈现什么特征?
│ │
│ ├─ 巨型平坦switch/分发器循环?
│ │ ├─ 状态变量驱动控制流 → CFF
│ │ │ └─ 使用D-810或符号去平坦化
│ │ └─ 字节码取指-解码-执行流程 → VM保护
│ │ └─ 提取处理函数,构建反汇编器
│ │
│ ├─ 仅含mov指令?
│ │ └─ movfuscator → 使用demovfuscator工具
│ │
│ ├─ 向.text段写入的XOR/ADD循环?
│ │ └─ SMC → 解码完成后下断点,dump内存
│ │
│ ├─ 分支中存在不可能成立的条件?
│ │ └─ 不透明谓词 → Z3证明或特征移除
│ │
│ ├─ 反汇编结果异常/函数重叠?
│ │ └─ 反反汇编 → 从正确偏移手动重新分析
│ │
│ ├─ 无可读字符串?
│ │ └─ 字符串加密 → Hook解密函数或模拟执行
│ │
│ ├─ IAT中无导入表?
│ │ └─ 导入表隐藏 → 识别哈希算法,构建查找表
│ │
│ └─ pushad/pushfd → 复杂代码 → popad/popfd结构?
│ └─ VM保护入口/出口 → 完整VM分析
│
└─ 该使用什么工具?
├─ 已知保护程序(VMProtect/Themida) → 对应脱壳指南
├─ 自定义混淆 → 组合使用:IDA脚本 + Triton + 手动分析
├─ CTF题目 → angr符号执行通常最快
└─ 恶意软件分析 → 优先动态分析(调试器 + API监控)10. TOOLBOX
10. 工具库
| Tool | Purpose | Best For |
|---|---|---|
| IDA Pro + Hex-Rays | Disassembly, decompilation, scripting | All-around analysis |
| Ghidra | Free alternative with scripting (Java/Python) | Budget-friendly RE |
| D-810 (IDA plugin) | Automated CFF deflattening | OLLVM-style obfuscation |
| miasm | IR-based analysis framework | Symbolic deobfuscation |
| Triton | Dynamic symbolic execution | Opaque predicate solving, CFF |
| REVEN | Full-system trace recording and replay | VM protector analysis |
| demovfuscator | movfuscator reversal | mov-only binaries |
| x64dbg + plugins | Dynamic analysis with scripting | Windows RE |
| Unicorn Engine | CPU emulation | SMC unpacking, shellcode |
| Capstone | Disassembly library | Custom tooling |
| IDA FLIRT | Function signature matching | Identify library code in stripped binaries |
| Binary Ninja | Alternative disassembler with MLIL/HLIL | Automated analysis |
| 工具 | 用途 | 最佳场景 |
|---|---|---|
| IDA Pro + Hex-Rays | 反汇编、反编译、脚本开发 | 全场景分析 |
| Ghidra | 支持脚本(Java/Python)的免费替代工具 | 低成本逆向分析 |
| D-810(IDA插件) | 自动化CFF去平坦化 | OLLVM类混淆 |
| miasm | 基于IR的分析框架 | 符号反混淆 |
| Triton | 动态符号执行 | 不透明谓词求解、CFF |
| REVEN | 全系统trace记录和回放 | VM保护分析 |
| demovfuscator | movfuscator逆向工具 | 仅含mov指令的二进制 |
| x64dbg + 插件 | 支持脚本的动态分析工具 | Windows逆向 |
| Unicorn Engine | CPU模拟 | SMC脱壳、shellcode分析 |
| Capstone | 反汇编库 | 自定义工具开发 |
| IDA FLIRT | 函数签名匹配 | 识别 stripped 二进制中的库代码 |
| Binary Ninja | 支持MLIL/HLIL的替代反汇编器 | 自动化分析 |