This is the source code related to my blog post, The Many Paths Through Maze. Forgive me, but the source code is currently written in Python 2.7.
Currently, only the Byte-search Method discussed in the blog post is covered. Eventually, I'd like to add a few different methods.
The Byte-search Method relies on searching for specific byte patterns to identify the obfuscations.
- Takes a while to run: there are too many "plan_and_wait()" calls, and I print logs to the output window
- Functions that don't get auto-defined after patching should now be definable in IDA by pressing 'p'
- The main branch works, but I am working on some improvements
- Some functions have orphaned basic blocks; it's annoying, and I'm working on a solution
- Comments are being updated
- bytesearch/maze_cfg_cleanup.py
  - Execute this script to decode the IDB
Hashes
- 2a6c602769ac15bd837f9ff390acc443d023ee62f76e1be8236dd2dd957eef3d
- Escape from the Maze pt 1 Research by Blueliv
- A Malware Researcher's Guide to Reversing Maze by Mihai Neagu (@mneagu8d) and Bogdan Botezatu (@bbotezatu)
- Leverages IDA's Processor Module Extensions
- Transparent Deobfuscation With IDA Processor Module Extensions by Rolf Rolles