Learning IDA Hex Rays Python API to Analyze Sliver Obfuscation (Stream - 21-06-2024)
Author: Invoke RE
Uploaded: 2024-07-06
Views: 608
In this stream we focused on learning the IDA Hex Rays Python API to capture information needed to deobfuscate Sliver payloads that are obfuscated using Garble (https://github.com/burrowers/garble).
Training: https://training.invokere.com/course/...
Notes: https://github.com/Invoke-RE/stream-n...
Twitch: / invokereversing
Twitter: / invokereversing
Mastodon: https://infosec.exchange/@invokerever...
0:00 Introduction
3:49 GoReSym, IDACode and Obfuscation Overview
14:00 IDAPython to Detect XOR Obfuscation
21:24 Exploring Hex Rays Microcode API
33:56 CTree Expression Visitor
52:30 CTree Instruction Visitor
1:09:30 HRDevHelper for Visualizing Hex Rays Objects
1:13:49 Identifying For Loop
1:32:17 Capturing Variables in For Loop
1:47:07 Capturing Integers from Variable Names
1:58:36 Fingerprinting Obfuscation Algorithm
2:04:49 Reimplementing Obfuscation Algorithm