top | item 44240866

(no title)

jor-el | 8 months ago

You can take a look at SiMBA++ -> https://github.com/pgarba/SiMBA-

It is a C++ implementation of SiMBA [1] - a tool to handle linear MBAs, made available by Denuvo itself. Denuvo have another tool - Gamba for handling some variety of non-linear MBAs. And then further improvisation by another researcher - MSiMBA [3].

SiMBA++ since written in C++, it is fast and it integrates well into the LLVM passes to automatically identify the MBAs and replace them in the LLVM IR with simplified expressions. So no additional work required.

Shameless plug - me and my colleague (author of SiMBA++) recently gave a talk about using LLVM for deobfuscation of WASM, where we talk about MBAs, SiMBA++ etc. The idea is not limited to WASM, it is language agnostic once you have a binary lifted to LLVM IR. https://www.youtube.com/watch?v=gKRdOcuXbYI

[1] SiMBA - https://github.com/DenuvoSoftwareSolutions/SiMBA [2] Gamba - https://github.com/DenuvoSoftwareSolutions/GAMBA [3] MSiMBA - https://github.com/mazeworks-security/MSiMBA

discuss

nekitamo|8 months ago

Xyntia was also just released to deal with MBA obfuscation, but I haven't had the chance to try it:

https://github.com/binsec/xyntia

dahrkael|8 months ago

why would Denuvo release tools that work against their core business?

no_time|8 months ago

They have many more tricks in the bag and a competitor would need to put in even more R&D to stay ahead of crackers.

yukIttEft|8 months ago