Yet another plugin for deobfuscating stack strings.
You can specify one or more starting addresses (e.g. entry point, cursor location, or all functions in the database), from which the plugin will emulate every feasible execution path using Unicorn. Conditional jumps are forced to branch, and emulation states are saved and restored as needed. Throughout this process, the stack is scanned for strings. When it encounters calls to unknown memory regions (typically imports) or unsupported instructions, it attempts to skip over them so that as many paths as possible can be emulated.
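The exploration strategy described above, as an added sketch that is not the plugin's own code: a constructed toy instruction list stands in for Unicorn-emulated machine code, and the op names, XOR key and sample strings are assumptions made for illustration. For brevity it scans the stack once at the end of each path rather than throughout emulation.

```python
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # ASCII runs of 4+ characters
KEY = 0xA5                                     # constructed XOR key

def build_program():
    """Constructed toy program (not real machine code):
    store(off, byte), xor(off, n, key), jcc(target), call, ret."""
    prog = [("store", i, b ^ KEY) for i, b in enumerate(b"cmd.exe")]   # 0-6
    prog += [("call",),                 # 7: unknown target (import), skipped
             ("jcc", 11),               # 8: conditional jump, explored both ways
             ("xor", 0, 7, KEY),        # 9: decode step, fall-through side only
             ("ret",)]                  # 10
    prog += [("store", 16 + i, b) for i, b in enumerate(b"kernel32.dll")]  # 11-22
    return prog + [("ret",)]            # 23

def explore(prog, stack_size=32):
    found, seen = set(), set()
    work = [(0, bytearray(stack_size))]           # saved states: (pc, stack)
    while work:
        pc, stack = work.pop()                    # restore a saved state
        # The seen-set keeps loops from running forever in this model.
        while pc < len(prog) and (pc, bytes(stack)) not in seen:
            seen.add((pc, bytes(stack)))
            op = prog[pc]
            if op[0] == "store":
                stack[op[1]] = op[2]
            elif op[0] == "xor":
                for i in range(op[1], op[1] + op[2]):
                    stack[i] ^= op[3]
            elif op[0] == "jcc":                  # force the branch: save the
                work.append((op[1], bytearray(stack)))  # taken side, fall through
            elif op[0] == "ret":
                break
            pc += 1                               # "call" lands here: skipped
        # Path finished: scan the stack snapshot for printable strings.
        found.update(m.group().decode() for m in PRINTABLE.finditer(bytes(stack)))
    return found

if __name__ == "__main__":
    print(sorted(explore(build_program())))
```

Following only one side of the conditional jump would recover just one of the two strings; saving the state at the jump and resuming from it later is what recovers both.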
- Download the latest release from the releases page or compile it yourself (see Compiling below).
- Copy the plugin file into your IDA "plugins" directory:
  - Windows: C:\Program Files\IDA <version>\plugins
  - Linux/macOS: ~/ida/plugins
- Restart IDA if it is running.
- Confirm that the plugin has loaded by opening the Edit -> Plugins menu in IDA.
- Load a binary or memory blob into IDA.
- Open the Edit -> Plugins -> unxorer menu. Configure options as needed. Click Ok to start.
- Wait for the emulation to complete.
- A list of found strings will be displayed. Search it with Ctrl+F, and double-click an entry to jump to where it was found.
This plugin targets IDA SDK 9.2 and Windows, but in theory it should work on any platform and, hopefully, on future IDA versions as well. The following instructions are Windows-specific.
- Download and install Visual Studio 2022 with C++ development tools and CMake.
- Set up vcpkg by following the setup instructions.
- Open the CMakeLists.txt file in Visual Studio.
- Select the desired build configuration (release-x64 or debug-x64).
- Build the project (Ctrl+Shift+B).
- The plugin will be compiled into out\build\plugins\unxorer.dll.
- The branching algorithm is very basic: it might sometimes get stuck in an infinite loop or skip actual loops.
- All of the limitations of Unicorn apply, such as:
  - It does not support all instructions (e.g. some AVX instructions).
  - It fails to emulate heavily obfuscated or virtualized code.