5

I have a piece of C code I need to deobfuscate. It contains a bunch of tricky macros. I ran the code through C preprocessor and indent and now it looks similar to this:

switch (9263 + 1505) {
case 1505 + 41131 + 6729 + 2347:
            ...
case 1505 + 41131 + 6729 + 2347 + 1:
            ...
case 1505 + 41131 + 6729 + 2347 + 2:
            ...

To simplify further analysis I am looking for some tool that can fold all the constants in the code. I know that C preprocessor is unable to do this and constant folding optimisation will be performed during compilation stage. But what about source code?

Shell scripts are appreciated as well, as I suspect this could be the only way to do this.

StayOnTarget
  • 11,743
  • 10
  • 52
  • 81
Pavel Zaichenkov
  • 835
  • 5
  • 12

1 Answers1

4

Use clang to compile it, and use its c backend to generate c code.

Something like this should work:

clang -emit-llvm source.cpp -o - | llc -march=c
Rahul Banerjee
  • 2,343
  • 15
  • 16
  • As I can see, C as a backend for LLVM is no longer supported. I tried to use C++ instead, but the result is very different from the initial source. – Pavel Zaichenkov Mar 04 '13 at 12:57
  • Can you just pull an older clang from git and compile it yourself? The C backend does seem to be the best way to do it. Try a version from around Dec 2009. Otherwise, you'll have to hack the switch case statement (line 669) yourself: http://clang.llvm.org/doxygen/Stmt_8h_source.html – Rahul Banerjee Mar 05 '13 at 03:06
  • I did it. Well, the final code is far from readable, but it is not so long and complicated anymore. So with the help of gdb I managed to deobfuscate it. Thanks. – Pavel Zaichenkov Mar 05 '13 at 17:20
  • @PavelZaichenkov could you please post your findings somewhere? – Janus Troelsen Jun 04 '14 at 14:42
  • @JanusTroelsen, if you are interested in the program itself, [here](http://pastebin.com/J4V5p14d) it is. The program sorts a list of numbers. Your goal is to understand what kind of sorting algorithm it uses. – Pavel Zaichenkov Jun 09 '14 at 09:07