Add API Deobfuscation analysis

angrmanagement/data/analysis_options.py

@@ -344,3 +344,16 @@ def get_default_workers(self) -> int:
         if main_obj_size <= self.SMALL_BINARY_SIZE:
             return 0
         return default_workers
+
+
+class APIDeobfuscationConfiguration(AnalysisConfiguration):
+    """
+    Configuration for API deobfuscation.
+    """
+
+    def __init__(self, instance: Instance) -> None:
+        super().__init__(instance)
+        self.name = "api_deobfuscation"
+        self.display_name = "Deobfuscate API usage"
+        self.description = "Search for 'obfuscated' API use and attempt to deobfuscate it."
+        self.enabled = False

angrmanagement/data/jobs/__init__.py

@@ -4,6 +4,7 @@
 from .code_tagging import CodeTaggingJob
 from .ddg_generation import DDGGenerationJob
 from .decompile_function import DecompileFunctionJob
+from .deobfuscation import APIDeobfuscationJob
 from .dependency_analysis import DependencyAnalysisJob
 from .flirt_signature_recognition import FlirtSignatureRecognitionJob
 from .job import Job
@@ -14,6 +15,7 @@
 from .vfg_generation import VFGGenerationJob
 
 __all__ = [
+    "APIDeobfuscationJob",
     "CFGGenerationJob",
     "CodeTaggingJob",
     "DDGGenerationJob",

angrmanagement/data/jobs/deobfuscation.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from angr.analyses.deobfuscator import APIObfuscationFinder
+
+from .job import InstanceJob
+
+if TYPE_CHECKING:
+    from angrmanagement.data.instance import Instance
+    from angrmanagement.logic.jobmanager import JobContext
+
+
+class APIDeobfuscationJob(InstanceJob):
+    """
+    Job for deobfuscating API usage.
+    """
+
+    def __init__(self, instance: Instance, on_finish=None) -> None:
+        super().__init__("API Deobfuscation", instance, on_finish=on_finish)
+
+    def run(self, ctx: JobContext) -> None:
+        self.instance.project.analyses[APIObfuscationFinder].prep(progress_callback=ctx.set_progress)(
+            variable_kb=self.instance.pseudocode_variable_kb
+        )
+
+    def __repr__(self) -> str:
+        return "APIDeobfuscationJob"

angrmanagement/ui/workspace.py

@@ -18,6 +18,7 @@
 from angrmanagement.config import Conf
 from angrmanagement.data.analysis_options import (
     AnalysesConfiguration,
+    APIDeobfuscationConfiguration,
     CFGAnalysisConfiguration,
     CodeTaggingConfiguration,
     FlirtAnalysisConfiguration,
@@ -26,6 +27,7 @@
 from angrmanagement.data.breakpoint import Breakpoint, BreakpointType
 from angrmanagement.data.instance import Instance, ObjectContainer
 from angrmanagement.data.jobs import (
+    APIDeobfuscationJob,
     CFGGenerationJob,
     CodeTaggingJob,
     FlirtSignatureRecognitionJob,
@@ -271,6 +273,9 @@ def on_cfg_generated(self, cfg_result) -> None:
                 )
             )
 
+        if self.main_instance._analysis_configuration["api_deobfuscation"].enabled:
+            self.job_manager.add_job(APIDeobfuscationJob(self.main_instance))
+
         if not self.main_instance.cfg.am_none:
             if not self._first_cfg_generation_callback_completed:
                 self._first_cfg_generation_callback_completed = True
@@ -524,6 +529,7 @@ def run_analysis(self, prompt_for_configuration: bool = True) -> None:
                     a(self.main_instance)
                     for a in [
                         CFGAnalysisConfiguration,
+                        APIDeobfuscationConfiguration,
                         FlirtAnalysisConfiguration,
                         CodeTaggingConfiguration,
                         VariableRecoveryConfiguration,