# Deobfuscation of obfuscated jump instructions


calm yarrow
#

hello all!
I'm currently working on reversing an app, however there is some really weird obfuscation applied to the target (which I can confirm is custom)

it seems to obfuscate any JMP calls to make the function graph look really weird
I know that it only obfuscated jumps that were inside of the original non-obfuscated program; multiple functions that simply return a constant, for example, do not have these jumps added (see image 1)

first image is where no obfuscation is applied
second image is the resulting graph when obfuscated
third image is what those jumps look like in ASM

what I do know:
as seen in the third image, it uses 2 registers to track where to jump to (via a ton of compares); there are also multiple sections that have repeated code, but set the tracking registers differently (fourth image)

what I'd like to know:
how would one go about either fixing up these jumps and removing the (now dead) code?
one idea I had was to let compiler optimization hit this, but I don't exactly know how to do that

thank you to anyone who responds; if you're going to respond please ping me! thank you.


summer girder
#

You can "lift" the code, i.e. translate it into something like LLVM IR and then run it back through LLVM to get it to try and optimise it away. Otherwise you'll need to write some tooling to parse out the jumps. You'll most likely end up with a deobfuscated dump you can analyse, rather than a patched executable

I've got some code here for removing a basic jmp obfuscator; it just follows the jmp instructions until it hits non-jmp code. Might be useful as some inspiration: https://github.com/nathan-baggs/sapphirine/blob/main/sapphirine/src/clean.cpp
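The two ideas in this reply (let a compiler-style optimiser fold the tracking-register compares, then follow jmp chains until real code, as the linked clean.cpp does) can be sketched as one small pass. The block below is an added example written for this thread, not code from the thread, from sapphirine or from any real tool; the pseudo-assembly, the labels, the listing and the register names r0/r1 are all constructed, and the simplifications it relies on are stated in its docstring.

```python
"""Toy model of the cleanup a compiler-style pass does to jump-obfuscated code.

Added example for this thread, not the thread's, sapphirine's or any tool's code.
Assumptions: flags are block-local (a cmp is only read by a je/jne in the same
block); ("op", text) never touches r0/r1; every block ends with jmp, ret, or a
conditional jump that falls through to the next block in the listing.
"""

COND = {"je", "jne"}


def fallthrough(prog, label):
    """Block reached when the conditional jump ending `label` is not taken."""
    order = list(prog)
    return order[order.index(label) + 1]


def run_block(prog, label, regs):
    """Simulate one block with known register constants.

    Returns (registers known on exit, successor labels). A conditional jump whose
    cmp involved a known register yields a single successor.
    """
    regs = dict(regs)
    flag = None
    for ins in prog[label]:
        kind = ins[0]
        if kind == "mov":
            regs[ins[1]] = ins[2]
        elif kind == "cmp":
            flag = regs[ins[1]] == ins[2] if ins[1] in regs else None
        elif kind == "jmp":
            return regs, [ins[1]]
        elif kind in COND:
            taken = flag if kind == "je" else (None if flag is None else not flag)
            if taken is None:
                return regs, [ins[1], fallthrough(prog, label)]
            return regs, [ins[1] if taken else fallthrough(prog, label)]
        elif kind == "ret":
            return regs, []
    raise ValueError(f"block {label} has no terminator")


def propagate(prog, entry):
    """Conditional constant propagation: entry state of every block actually reached."""
    states, work = {entry: {}}, [entry]
    while work:
        label = work.pop()
        regs_out, succs = run_block(prog, label, states[label])
        for s in succs:
            if s not in states:
                states[s] = dict(regs_out)
                work.append(s)
            else:  # meet: keep only constants on which all predecessors agree
                merged = {r: v for r, v in states[s].items() if regs_out.get(r) == v}
                if merged != states[s]:
                    states[s] = merged
                    work.append(s)
    return states


def clean(prog, entry):
    """Fold known conditionals, strip their cmp/mov, thread jmp chains, drop dead blocks."""
    states = propagate(prog, entry)
    out = {}
    for label, block in prog.items():
        if label not in states:
            continue  # never reached: dead code
        block = list(block)
        _, succs = run_block(prog, label, states[label])
        if block[-1][0] in COND and len(succs) == 1:
            block[-1] = ("jmp", succs[0])  # outcome is known: make it unconditional
        out[label] = block
    for block in out.values():  # drop cmp instructions whose flags nobody reads
        needed = False
        for i in range(len(block) - 1, -1, -1):
            if block[i][0] in COND:
                needed = True
            elif block[i][0] == "cmp":
                if not needed:
                    del block[i]
                needed = False
    read = {ins[1] for b in out.values() for ins in b if ins[0] == "cmp"}
    for label, block in list(out.items()):  # drop mov to a register no cmp reads
        out[label] = [i for i in block if not (i[0] == "mov" and i[1] not in read)]

    def resolve(target):
        """Follow bare-jmp blocks until real code (the clean.cpp-style step)."""
        seen = set()
        while target not in seen and len(out[target]) == 1 and out[target][0][0] == "jmp":
            seen.add(target)
            target = out[target][0][1]
        return target

    for block in out.values():
        if block[-1][0] in COND or block[-1][0] == "jmp":
            block[-1] = (block[-1][0], resolve(block[-1][1]))
    alive = propagate(out, entry)  # blocks that were only reached via threaded jmps
    return {l: b for l, b in out.items() if l in alive}


# Constructed listing in the style the thread describes: the program's one real
# branch (on x) is routed through dispatcher blocks that set r0/r1 and compare
# them, plus decoy code that is never reached.
OBFUSCATED = {
    "entry":     [("op", "x = read_input()"), ("mov", "r0", 3), ("mov", "r1", 7), ("jmp", "d1")],
    "d1":        [("cmp", "r0", 1), ("je", "decoy")],      # falls through to d1b
    "d1b":       [("cmp", "r0", 3), ("je", "d2")],         # falls through to decoy2
    "decoy2":    [("op", "x = x * 2"), ("jmp", "d1")],
    "d2":        [("cmp", "r1", 7), ("jne", "decoy")],     # falls through to d3
    "d3":        [("jmp", "real")],
    "real":      [("cmp", "x", 0), ("je", "zero_path")],   # the genuine branch
    "set_nz":    [("mov", "r0", 9), ("jmp", "disp")],
    "zero_path": [("op", "y = 0"), ("ret",)],
    "disp":      [("cmp", "r0", 9), ("jne", "decoy")],     # falls through to d5
    "d5":        [("jmp", "nonzero")],
    "nonzero":   [("op", "y = x + 1"), ("ret",)],
    "decoy":     [("op", "y = -1"), ("ret",)],
}

if __name__ == "__main__":
    for label, block in clean(OBFUSCATED, "entry").items():
        print(label, block)
```

Run as-is, the thirteen blocks collapse to five: `entry` jumps straight to `real`, the genuine branch on `x` survives because `x` is never a known constant, and every dispatcher, decoy and bare-jmp block is gone. Two caveats match what the poster describes. First, `set_nz` is left as a bare `jmp` because it is a fall-through target rather than a jump target; a real optimiser would merge or reorder it. Second, the meet in `propagate` forgets a register when predecessors disagree on it, which is exactly the "same code, different register settings" pattern in the fourth image; resolving that needs path-sensitive jump threading (in LLVM terms, the JumpThreading pass on top of SCCP and SimplifyCFG), which is the main reason the lift-to-IR route is attractive over hand-rolled scripts.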

urban cipher
#

WebAssembly (Wasm) is an increasingly popular compilation target, offering compact representation, efficient validation and compilation, and safe low to no-overhead execution. Wasm is popular not only on the browsers but finding adoption across various platforms. As its popularity grows for various applications, so does the need to obfuscate it,...

calm yarrow
#

Updates!

So I tried to use retdec in order to lift the code and apply optimizations

Good:
It seems to get through conditional optimization just fine!

Bad:
The next step (which is not logged >_>) runs out of memory and the entire decomp fails

What I want to know / do:
It seems retdec is a much bigger tool than I require, as it attempts to take the IR and generate C code; I only want the IR

Are there any better tools, or ways I can more easily diagnose the underlying issue?

I am running on a rather low end laptop, so I have limited RAM (3.5 GB)

calm yarrow
#

Bump. Still having le issues and would love some guidance on this, thank you :3

urban cipher
#

what you are trying to do is definitely not an easy topic

#

The only real guidance I can give you is to try to convert it to LLVM IR; then you can reduce it and apply optimizations to get rid of most issues.

calm yarrow
#

Might check if they forgot their obfuscation on a beta branch or smth

calm yarrow
#

[not-needed]

the developers of the target I was reversing swapped back from their custom solution to VMP
as such this thread is no longer needed, as
A: I don't really wanna reverse it anymore
and B: VMP is a commercial solution and I doubt I can get help with it