README.md

# Introduction

## What is D-810

D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.
It was designed with the following goals in mind:

* It should have as least as possible impact on our standard reverse engineering workflow
    * Fully integrated to IDA Pro
* It should be easily extensible and configurable
    * Fast creation of new deobfuscation rules
    * Configurable so that we don't have to modify the source code to use rules for a specific project
* Performance impact should be reasonable
    * Our goal is to be transparent for the reverse engineer 
    * But we don't care if  the decompilation of a function takes 1 more second if the resulting code is much more simplier.


# Installation

**Only IDA v7.5 or later is supported** (since we need the microcode Python API) 

Copy this repository in `.idapro/plugins`

We recommend to install Z3 to be able to use several features of D-810:
```bash
pip3 install z3-solver 
```

# Using D-810

* Load the plugin by using the `Ctrl-Shift-D` shortcut, you should see this configuration GUI

![](d810/docs/source/images/gui_plugin_configuration.png)

* Choose or create your project configuration
  * If you are not sure what to do here, leave *default_instruction_only.json*. 
* Click on the `Start` button to enable deobfuscation
* Decompile an obfuscated function, the code should be simplified (hopefully)
* When you want to disable deobfuscation, just click on the `Stop` button.

# Warnings

This plugin is still in early stage of development, so issues ~~may~~ will happen.

 * Modifying incorrectly IDA microcode may lead IDA to crash. We try to detect that as much as possible to avoid crash, but since it may still happen **save you IDA database often**
 * We only tested this plugin on Linux, but it should work on Windows too.

# Documentation

Work in progress

Currently, you can read our [blog post](https://eshard.com/posts/) to get some  information.


# Licenses

This library is licensed under LGPL V3 license. See the [LICENSE](LICENSE) file for details.

## Authors

See [AUTHORS](AUTHORS.md) for the list of contributors to the project.

# Acknowledgement

Rolf Rolles for the huge work he has done with his [HexRaysDeob plugin](https://github.com/RolfRolles/HexRaysDeob) and all the information about Hex-Rays microcode internals described in his [blog post](https://www.hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler/). We are still using some part of his plugin in D-810.

Dennis Elser for the [genmc plugin](https://github.com/patois/genmc) plugin which was very helpful for debugging D-810 errors.
Initial commit 2020-10-29 11:09:07 +01:00			`# Introduction`

			`## What is D-810`

			`D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.`
			`It was designed with the following goals in mind:`

			`* It should have as least as possible impact on our standard reverse engineering workflow`
			`* Fully integrated to IDA Pro`
			`* It should be easily extensible and configurable`
			`* Fast creation of new deobfuscation rules`
			`* Configurable so that we don't have to modify the source code to use rules for a specific project`
			`* Performance impact should be reasonable`
			`* Our goal is to be transparent for the reverse engineer`
			`* But we don't care if the decompilation of a function takes 1 more second if the resulting code is much more simplier.`


			`# Installation`

			`Only IDA v7.5 or later is supported (since we need the microcode Python API)`

			Copy this repository in `.idapro/plugins`

			`We recommend to install Z3 to be able to use several features of D-810:`
			```bash
			`pip3 install z3-solver`
			```

			`# Using D-810`

			* Load the plugin by using the `Ctrl-Shift-D` shortcut, you should see this configuration GUI

			`![](d810/docs/source/images/gui_plugin_configuration.png)`

			`* Choose or create your project configuration`
			`* If you are not sure what to do here, leave default_instruction_only.json.`
			* Click on the `Start` button to enable deobfuscation
			`* Decompile an obfuscated function, the code should be simplified (hopefully)`
			* When you want to disable deobfuscation, just click on the `Stop` button.

			`# Warnings`

			`This plugin is still in early stage of development, so issues ~~may~~ will happen.`

			`* Modifying incorrectly IDA microcode may lead IDA to crash. We try to detect that as much as possible to avoid crash, but since it may still happen save you IDA database often`
			`* We only tested this plugin on Linux, but it should work on Windows too.`

			`# Documentation`

			`Work in progress`

			`Currently, you can read our [blog post](https://eshard.com/posts/) to get some information.`


			`# Licenses`

			`This library is licensed under LGPL V3 license. See the [LICENSE](LICENSE) file for details.`

			`## Authors`

			`See [AUTHORS](AUTHORS.md) for the list of contributors to the project.`

			`# Acknowledgement`

			`Rolf Rolles for the huge work he has done with his [HexRaysDeob plugin](https://github.com/RolfRolles/HexRaysDeob) and all the information about Hex-Rays microcode internals described in his [blog post](https://www.hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler/). We are still using some part of his plugin in D-810.`

			`Dennis Elser for the [genmc plugin](https://github.com/patois/genmc) plugin which was very helpful for debugging D-810 errors.`