MIT IEEE URTC 2024. GSET 2024. Repository for the "MBASED: Practical Simplifications of Mixed Boolean-Arithmetic Obfuscation". A Binary Ninja decompiler plugin taking ideas from compiler construction to simplify obfuscated boolean expressions.
The main actions from the plugin drive from registering a PluginCommand which can be called by the user similar to the example provided in Vector35/OpaquePredicatePatcher. This task involves writing code inside __init__.py which will be the main thread driving the rest of the analysis of our plugin. To start of, we want this initial plugin to be very simple as other members of the group work on developing the other components of the plugin. While mixed boolean-arithmetic can appear in many places within lifted code, for now, we will make an assumption that much of our analysis will be conducted on conditional branches within Medium Level Intermediate Language (MLIL) for Binary Ninja Intermediate Language (BNIL). The plugin should only log all of the MILI_IF instructions to the Binary Ninja log. An example of how to do this is shown in the code snippet below. You can run it by copying and pasting the code snippet into the Binary Ninja Python console.
for instr in bv.mlil_instructions:
if instr.operation == MediumLevelILOperation.MLIL_IF:
log_info(instr)
Action Items
Do all of the following inside __init__.py.
[x] write a class, MBADeobfuscationInBackground which inherits from BackgroundTaskThread. Write a constructor for this class.
[x] inside your MBADeobfuscationInBackground class, write a run function which visits all of the mlil_instructions and logs all of the MLIL_IF instructions to the Binary Ninja console. An example code snippet is shown above.
[x] write a function, mba_deobfuscation_in_background, which calls start() on an instance of our MBADeobfuscationInBackground class
[x] register a PluginCommand which calls our mba_deobfuscation_in_background function
[x] test your changes by installing your plugin to your copy of Binary Ninja and running this analysis on a sample binary
Resources
Vector35/OpaquePredicatePatcher: it's recommended to check out the __init__.py of this plugin since the underlying structure will most likely be quite similar to our plugin.
Binary Ninja Cookbook: A useful set of examples and documentation for developing plugins for Binary Ninja.
Binary Ninja Cheatsheet: A helpful cheatsheet with commonly used commands and quick notes to understand different parts of the Binary Ninja Python scripting API.
The main actions from the plugin drive from registering a
PluginCommandwhich can be called by the user similar to the example provided in Vector35/OpaquePredicatePatcher. This task involves writing code inside__init__.pywhich will be the main thread driving the rest of the analysis of our plugin. To start of, we want this initial plugin to be very simple as other members of the group work on developing the other components of the plugin. While mixed boolean-arithmetic can appear in many places within lifted code, for now, we will make an assumption that much of our analysis will be conducted on conditional branches within Medium Level Intermediate Language (MLIL) for Binary Ninja Intermediate Language (BNIL). The plugin should only log all of theMILI_IFinstructions to the Binary Ninja log. An example of how to do this is shown in the code snippet below. You can run it by copying and pasting the code snippet into the Binary Ninja Python console.Action Items
Do all of the following inside
__init__.py.MBADeobfuscationInBackgroundwhich inherits fromBackgroundTaskThread. Write a constructor for this class.MBADeobfuscationInBackgroundclass, write arunfunction which visits all of themlil_instructionsand logs all of theMLIL_IFinstructions to the Binary Ninja console. An example code snippet is shown above.mba_deobfuscation_in_background, which callsstart()on an instance of ourMBADeobfuscationInBackgroundclassPluginCommandwhich calls ourmba_deobfuscation_in_backgroundfunctionResources
__init__.pyof this plugin since the underlying structure will most likely be quite similar to our plugin.