A curated list of awesome deobfuscation tools for reverse engineers.
Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.
de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part of the obfuscated assembly. It uses dnlib to read and write assemblies so make sure you get it or it won’t compile.
FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
iheartxor can be used to bruteforce xor encoded strings within a user defined regular expression pattern (-r). The default search pattern is a regular expression of that searches for data between null bytes (‘\x00’). The tool can also be used to do a straight xor on a file with -f file.name -k value. The value must between 0x0-0x255.
NoMoreXOR helps guess a files 256 byte XOR key by using frequency analysis.
The Packer Attacker is a generic hidden code extractor for Windows malware. It supports the following types of pacers: running from heap, replacing PE header, injecting in a process.
unpacker is a automated malware unpacker for Windows malware based on WinAppDbg.
unxor will search through an XOR-encoded file (binary, text-file, whatever) and use known-plaintext attacks to deduce the original keystream. Works on keys half as long as the known-plaintext, in linear complexity.
VirtualDeobfuscator is a reverse engineering tool for virtualization wrappers. The goal of the Virtual Deobfuscator is to analyze a runtrace and filter out the VM processing instructions, leaving a reverse engineer with a bytecode version of the original binary.
XORBruteForcer is a python script that implements a XOR bruteforcing of a given file, although a specific key can be used too. It’s possible to look for a word in the xored result, minimizing the output.
XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file. XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching.
XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length.
xortool is a python script that will attempt to guess the XOR key length (based on count of equal chars), as well as the key itself (based on knowledge of most frequent char).
If you know of any more deobfuscation tools that you think should be on this list, please let me know by leaving a comment on this post and I will get them added.