Deobfuscating Maze's Control Flow Obfuscations
This is the source code related to my blogpost The Many Paths Through Maze. Forgive me, but currently the source code is written using Python 2.7.
Deobfuscation Methods
Currently, only the Byte-search Method discussed in the blog post is covered. Eventually, I'd like to add a few different methods.
Bytesearch Method
Relies upon searching for specific bytes to identify the obfuscations.
- Takes a bit to run, to many "plan_and_wait()" functions, and I print logs to the output window
- Functions that don't get auto-defined after patching should now be definable in IDA via pressing 'p'
- The main-branch works, but I am working on some improvements
- Some functions have orphaned basic blocks, it's annoying and I'm working on a solution
- Comments are being updated
- bytesearch/maze_cfg_cleanup.py
- Execute this script to decode the IDB
IOCs
Hashes
- 2a6c602769ac15bd837f9ff390acc443d023ee62f76e1be8236dd2dd957eef3d
Further Reading
- Escape from the Maze pt 1 Research by Blueliv
- A Malware Researcher's Guide to Reversing Maze by Mihai Neagu (@mneagu8d) and Bogdan BOTEZATU (@bbotezatu)
- Leverages IDA's Processor Module Extensions
- Transparent Deobfuscation With IDA Processor Module Extensions by Rolf Rolles