Hex-Rays against Aurora

As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in Internet Explorer was used to penetrate the computers.
An IDA user very kindly sent us the following link
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/


As is visible from the screenshots, the code is somewhat nasty to analyze, because it consists of very short blocks like this:

Even displayed in the graph mode, the output is still lengthy and messy:

We were pleasantly surprised to see how the decompiler handles this code:

I renamed some variables and specified their types, but even without this, the output was very readable.
Just one more example. Virtually all functions are obfuscated with this quite simple technique:

Yet the decompiler output is pleasing to the eye:

I’m very impressed by the results :)
We are currently completing support for intrinsic functions in the decompiler (it turned out that there are literally hundreds and hundreds of them). Also, SSE-based scalar floating point computations will be mapped to high level constructs. It will probably take a few more weeks before the code stabilizes, but it won’t be long. Thanks for being patient :)


2 Responses to Hex-Rays against Aurora

  1. I love these articles. IDA Pro was also mentioned in the last issue of ‘The NT Insider’.
    If one of my children could understand this I would read the blog to them… I find it exciting for some reason…
    But unfortunately I’m still the only IDA Pro kabbalist at home and even I’m a beginner.

  2. Peter Belm says:

    Very interesting read. The decompiler output works wonders, it’s a shame I work mostly with MIPS. Does HexRays have any rough plans for when they’ll have either a MIPS version or release the lower level API so I can port it myself?
    It would help massively with my reverse engineering projects. Being able to forgo delving through pages of ASM to find one little hardware setup register value, just get straight to it in C code. Exciting stuff, keep up the good work!