
Convert switch-case with two cases {0, 1} to an if-else branch

Open · xusheng6 opened this issue 1 year ago • 0 comments

I have a binary that obfuscates a regular if-else statement to a switch-case with two cases. It would be good if we could automatically convert such a case to an if-else branch, thus defeating the obfuscation, with minimal user interaction:

Here is what it now looks like in HLIL:

[Screenshot, 2024-06-20: HLIL view of the two-case switch]

We can see it is checking if the start of the buffer is 0x5a4d, a typical check for PE file.

Repro steps:

  1. Download the binary from https://malshare.com/sample.php?action=detail&hash=0cf55c7e1a19a0631b0248fb0e699bbec1d321240208f2862e37f6c9e75894e7 and open it
  2. Go to function 0x434a60
  3. Set the type of the data variable at 0x44284c to const int32_t
  4. Set the type of the data variable at 0x442844 to const int32_t[2]
  5. View the function code in HLIL

I came across this while looking at https://github.com/Vector35/binaryninja-api/discussions/5629.

P.S. some other switch-case conversion related issues: https://github.com/Vector35/binaryninja-api/issues/4670, https://github.com/Vector35/binaryninja-api/issues/1723

xusheng6 · Jun 20 '24 04:06
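The rewrite the issue asks for, shown as an added example that is not part of the issue or of Binary Ninja's code base: a small pass over a toy statement tree (a simplified stand-in for HLIL; the `Switch`, `Case` and `If` classes and the string conditions are assumptions of this example, not Binary Ninja's real HLIL classes). It folds any switch that has exactly two arms whose labels are drawn from {0, 1} (optionally one of them a `default`) into an `if`/`else`, recurses into nested bodies, and leaves switches with more arms or other labels alone. The sample input is constructed here; the `0x5a4d` comparison mirrors the PE magic check the issue describes.

```python
from dataclasses import dataclass
from typing import Optional

# Toy statement tree (assumption of this example, not Binary Ninja's HLIL API).
# A statement is either an opaque string, a Switch, or an If.


@dataclass
class Case:
    label: Optional[int]  # None stands for the default arm
    body: list


@dataclass
class Switch:
    cond: str
    cases: list


@dataclass
class If:
    cond: str
    then: list
    orelse: Optional[list]


def switch_to_if(sw: Switch) -> Optional[If]:
    """Return an If equivalent to sw when it has exactly two arms labelled from
    {0, 1} (a default arm allowed); return None when the shape does not match."""
    if len(sw.cases) != 2:
        return None
    labels = [c.label for c in sw.cases]
    if any(lbl not in (0, 1, None) for lbl in labels) or len(set(labels)) != 2:
        return None
    if labels.count(None) == 2:
        return None
    by_label = {c.label: c.body for c in sw.cases}
    if set(labels) == {0, 1}:
        # switch on a boolean-valued expression: case 1 is the "true" path
        return If(sw.cond, by_label[1], by_label[0])
    # one explicit label plus a default arm
    (value,) = [lbl for lbl in labels if lbl is not None]
    return If(f"({sw.cond}) == {value}", by_label[value], by_label[None])


def rewrite(stmts: list) -> list:
    """Apply switch_to_if bottom-up over a list of statements."""
    out = []
    for s in stmts:
        if isinstance(s, Switch):
            s = Switch(s.cond, [Case(c.label, rewrite(c.body)) for c in s.cases])
            folded = switch_to_if(s)
            out.append(folded if folded is not None else s)
        elif isinstance(s, If):
            out.append(If(s.cond, rewrite(s.then), rewrite(s.orelse) if s.orelse else None))
        else:
            out.append(s)
    return out


def render(stmts: list, indent: int = 0) -> list:
    """Pretty-print the tree in a C-like layout, one line per list entry."""
    pad = "    " * indent
    lines = []
    for s in stmts:
        if isinstance(s, If):
            lines.append(f"{pad}if ({s.cond})")
            lines.extend(render(s.then, indent + 1))
            if s.orelse:
                lines.append(f"{pad}else")
                lines.extend(render(s.orelse, indent + 1))
        elif isinstance(s, Switch):
            lines.append(f"{pad}switch ({s.cond})")
            for c in s.cases:
                head = "default:" if c.label is None else f"case {c.label}:"
                lines.append(f"{pad}    {head}")
                lines.extend(render(c.body, indent + 2))
        else:
            lines.append(f"{pad}{s}")
    return lines


# Constructed sample: an obfuscated PE-magic check, a nested two-arm switch
# with a default, and a genuine three-arm switch that must be left untouched.
SAMPLE = [
    Switch("*(uint16_t*)buf == 0x5a4d", [
        Case(0, ["return 0"]),
        Case(1, [Switch("size > 0x40", [
            Case(1, ["parse_pe(buf)"]),
            Case(None, ["return 0"]),
        ])]),
    ]),
    Switch("kind", [Case(0, ["a()"]), Case(1, ["b()"]), Case(2, ["c()"])]),
]

if __name__ == "__main__":
    print("\n".join(render(rewrite(SAMPLE))))
```

Running the block prints the first switch as `if (*(uint16_t*)buf == 0x5a4d)` with the nested check folded to `if ((size > 0x40) == 1)`, while the three-arm `switch (kind)` is printed unchanged. A real implementation on HLIL would additionally need to confirm that neither arm falls through into the other before folding.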