Add "automatic" deobfuscation from Mikero's tools

Question

Add "automatic" deobfuscation from Mikero's tools

ilbinek opened this issue 2 years ago · 6 comments

Hey there, seeing as you can open "mangled" pbos by Mikero's tools, I think it would be cool to add at least somewhat automated deobfuscation.

From my understanding, it only changes the config.cpp etc to use #include "weirdAssName" to inlcude those random characters.
For example a config.cpp containing #include "ўЯњљЦ*�уаџѐ", renamiming "ўЯњљЦ*�уаџѐ" to "config.cpp" actually shows the correct config.cpp.

This feature would be really appreciated.

Answer 1 · 2023-04-21T19:08:15.000Z

Hi, the deobfuscation mechanism is hard to implement and easy to break. I don't have enough spare time to play the sword vs shield game against the Mikero's tools. Assuming the Mikero's tools will always be one step forward in the game and introduce new and new obfuscation features.

Answer 2 · 2023-04-21T19:13:22.000Z

I fully understand. It was that I just found out that right now it's just simple "move the code to a file with unorthodox name and replace the original with simple include", which Arma has no problem with.
Works for hpp, cpp and sqf files. Not sure if there's some kind of obfuscation going on for images or models.

A simple "preprocessor" implementation should do the trick

Answer 3 · 2023-04-22T20:25:13.000Z

But how woud you distinguish an "obfuscation include" and a "legitimate include"? How to resolve only "obfuscation includes" only and not "legitimate" ones?

Answer 4 · 2023-04-22T20:43:42.000Z

I see two ways.
Either let it be "manual" and let it up to the user to turn the "precompiler" on.
Or detection of obfuscated files - mainly by filenames. Containing nonstandard characters. I didn't check your code, but you have to be doing something to support the unpacking of these files. BankRev, an older PBOManager fails, might be a good starting point.

In the case of "legitimate" includes that have the files in the folder, I don't think it's a big deal if they get included in a big config.cpp. In the case of an obfuscated PBO, you usually don't care about how it was originally, you just want the data.

Answer 5 · 2023-04-27T19:42:02.000Z

The thing you describe looks for me as an IDE (VS Code) plugin, rather than the unpack tool feature.

Answer 6 · 2023-04-27T20:05:51.000Z

This feature can surely be implemented as IDE plugin, as standalone program, or simple python/bash script.
It would just make sense to me to make it a feature at "the core".