Hex Rays Blog —  State of the art code analysis

The highlighter

Today I’ll show you a pretty small yet useful plugin. If you have ever tried to trace obfuscated code in the debugger, you already know that it is quite difficult to follow. The code modifies itself, performs complex computations and repeats itself, so that after a while you are lost and do not even remember whether the current instruction is something you saw before or a completely new thing. You could rename locations and add comments to make the code more recognizable, but this is an ungrateful and tedious task which distracts you from the main goal of following the logic of the application. Imagine finding a name for the 30th loop of the 23rd meaningless function!

It is much better in these cases to relax and let the application execute without trying to understand it. Quite often all this obfuscated code ends up doing something trivial. If you let the code execute to the end of a function or a logical chunk, the result becomes apparent by itself and you can move on by giving the function a nice name. The function is still obfuscated, but you do not care at all since you know its purpose and the outcome.

If you decide to let the code do its job without trying to understand how it is done, your task is much simpler: you just need to follow the execution flow till its end. There is no need to care about the register values, the meaning of loops, if-then-else or other constructs. A very simple trick: single step the function until we return from it or jump out of it. This trick is easier to state than to do, since the obfuscated code will not have precise function boundaries. More than that, there may be many useless jumps or repeated code whose only purpose is to confuse you.

The highlighter plugin solves this very problem: it makes apparent the code which has already been single stepped in the debugger. Here is how the disassembly listing looks with the plugin (see the screenshot in the original post): the little blue boxes denote instructions which have already been executed.
Since the plugin is very simple and light, it has no configuration parameters – just copy it to the plugins subdirectory and it is ready to use. As usual, it comes with the source code: highlighter.zip. Happy code exploration!
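To make the idea concrete, here is an added example of the bookkeeping such a plugin has to do; it is my own illustration, not the source of the highlighter plugin. The `StepTracker` records every address the debugger stops at, answers the "have I been here before?" question at each step, and `step_until_leaves()` implements the "single step until we return from the function or jump out of it" rule over a constructed trace of a small loop with an unexecuted junk instruction. The `install_ida_hook()` part wires the tracker into IDA through IDAPython and assumes the `ida_dbg.DBG_Hooks`, `ida_dbg.get_ip_val()` and `ida_nalt.set_item_color()` names; it only does something inside IDA, while the rest runs anywhere.

```python
from collections import Counter

# Colour to paint executed instructions with inside IDA (constructed value, BGR 0xBBGGRR)
EXECUTED_COLOR = 0xFFD0B0


class StepTracker:
    """Remembers every address the debugger has single-stepped through."""

    def __init__(self):
        self.hits = Counter()   # ea -> number of times the instruction executed
        self.trace = []         # addresses in execution order

    def record(self, ea):
        """Record one single-step stop at ea. Returns True if ea was executed before."""
        seen_before = ea in self.hits
        self.hits[ea] += 1
        self.trace.append(ea)
        return seen_before

    def executed(self):
        """Set of all addresses executed so far (what the plugin paints blue)."""
        return set(self.hits)

    def loops(self, min_hits=2):
        """Addresses executed repeatedly, most frequent first: the loops you need not understand."""
        return sorted(((ea, n) for ea, n in self.hits.items() if n >= min_hits),
                      key=lambda t: (-t[1], t[0]))

    def annotate(self, listing):
        """Return listing lines (ea, text) prefixed with an execution-count marker."""
        out = []
        for ea, text in listing:
            n = self.hits.get(ea, 0)
            mark = "[%3d]" % n if n else "     "
            out.append("%s %08X  %s" % (mark, ea, text))
        return out


def step_until_leaves(tracker, steps, start, end):
    """Feed single-step stops to the tracker until the IP leaves [start, end).

    steps yields one instruction pointer per single step. Returns the address
    execution escaped to (return target or jump out), or None if the trace ended.
    """
    for ea in steps:
        if not (start <= ea < end):
            return ea
        tracker.record(ea)
    return None


def install_ida_hook(tracker, color=EXECUTED_COLOR):
    """Attach the tracker to IDA's debugger. Assumed IDAPython API; only usable inside IDA."""
    import ida_dbg    # assumed IDAPython modules, not available outside IDA
    import ida_nalt

    class Hook(ida_dbg.DBG_Hooks):
        def dbg_step_into(self):
            ea = ida_dbg.get_ip_val()
            if not tracker.record(ea):
                ida_nalt.set_item_color(ea, color)   # paint on first execution only
            return 0
        dbg_step_over = dbg_step_into

    hook = Hook()
    hook.hook()
    return hook


# Constructed listing of a tiny loop with one junk instruction that is jumped over
SAMPLE_LISTING = [
    (0x401000, "xor   eax, eax"),
    (0x401002, "mov   ecx, 3"),
    (0x401007, "add   eax, ecx"),
    (0x401009, "dec   ecx"),
    (0x40100A, "jnz   short loc_401007"),
    (0x40100C, "jmp   short loc_401010"),
    (0x40100E, "int   3"),            # junk, never executed
    (0x401010, "retn"),
]

# Constructed single-step trace: three loop iterations, the jump over the junk, then the return
SAMPLE_TRACE = [0x401000, 0x401002,
                0x401007, 0x401009, 0x40100A,
                0x401007, 0x401009, 0x40100A,
                0x401007, 0x401009, 0x40100A,
                0x40100C, 0x401010,
                0x402345]             # back in the caller: outside the region


def demo():
    """Run the sample trace; returns (tracker, escape address)."""
    tracker = StepTracker()
    left_to = step_until_leaves(tracker, SAMPLE_TRACE, 0x401000, 0x401012)
    return tracker, left_to


if __name__ == "__main__":
    tr, left_to = demo()
    print("\n".join(tr.annotate(SAMPLE_LISTING)))
    print("left region at %08X; loops: %s" % (left_to, tr.loops()))
```

The stop condition deliberately tests a region rather than an IDA function boundary, because, as noted above, obfuscated code rarely has precise function boundaries; the caller simply picks a range and stops stepping once the IP escapes it.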