feat: IDA Pro plugin for MBA deobfuscation #14
Open
kyle-elliott-tob wants to merge 23 commits into master from
Adds COBRA_BUILD_IDA_PLUGIN option and lib/ida/ with a MODULE target linking cobra-core; stub sources compile and link clean against IDA SDK. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements IsMba, EvalMinsn, and DetectMbaCandidates over the HexRays microcode IR. Fixes IDA SDK include ordering: absl/STL headers must precede hexrays.hpp to avoid fpro.h poison macros breaking libc++/absl. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements BuildExprFromMinsn (minsn_t tree -> cobra::Expr AST) and ReconstructMinsn (cobra::Expr -> minsn_t tree) with correct IDA SDK include ordering (STL/abseil before hexrays.hpp via MicrocodeDetector.h). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements ProbablyEquivalent (256-probe random + special-case testing via CompiledExpr) and CountNodes for the cost gate. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements the main ida-cobra.cpp plugin lifecycle: init(), plugin_ctx_t, run_ah_t action handler, hex_callback for hxe_microcode/hxe_glbopt/hxe_populating_popup events, and ida-cobra.cfg with COBRA_RUN_AUTOMATICALLY.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…walk Adds DetectMbaCandidatesCrossBlock to MicrocodeDetector. Uses mba.get_graph()->depth_first_postorder_for_all_entries for block ordering, reverse instruction walk, and already_in_tree dedup. graph_chains_t use-def chain traversal is left as a TODO pending manual IDA SDK experimentation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix Linux linker flag: --no-undefined → --unresolved-symbols=ignore-in-shared-libs (IDA resolves SDK symbols at plugin load time)
- Fix cost gate: use ComputeCost on both original and simplified Expr with IsBetter, instead of comparing mismatched metrics (weighted_size vs node count)
- Switch hxe_glbopt to use DetectMbaCandidatesCrossBlock which has already_in_tree dedup, preventing subtree fragmentation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a v* tag is pushed, the release job:
- Waits for build, lint, and ida-plugin jobs to pass
- Downloads all ida-cobra-{Linux,macOS,Windows} artifacts
- Packages each as a tar.gz
- Creates a GitHub Release with auto-generated notes and the plugin archives
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
IDA's microcode tree can have multiple mop_t nodes representing the same variable at different addresses. All leaf lookups, deduplication, and evaluation now use mop_t::operator== instead of pointer identity.
- EvalMinsn takes parallel vectors instead of flat_hash_map<const mop_t*>
- LeafCollector walks .l/.r manually and deduplicates by value
- FindLeafIndex compares *leaves[i] == op
- Verifier uses a single vals vector for both eval paths
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
MBA expressions wrapped in xdu/xds/mov were being missed or evaluated with wrong bitwidth. MbaRoot now walks past these wrappers to find the topmost arithmetic/boolean instruction.
- Add IsMbaOpcode and MbaRoot helpers
- Remove is_mcode_xdsu guard from IsMba (wrappers are now handled)
- Derive bitwidth from leaf operand sizes (LeafBitwidth) instead of the wrapper instruction's destination size
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All recursive minsn/Expr tree traversals are now iterative to avoid stack overflow on deeply nested expressions.
- EvalMinsn and BuildExprFromMinsn use MicrocodePostOrder (two-stack flatten) then evaluate bottom-up with a value stack
- LeafCollector uses an explicit worklist
- ReconstructImpl flattens the Expr tree then builds minsn bottom-up
- Extract ResolveLeafExpr, CombineExpr, MakeLeafInsn, CombineMinsn helpers to support the flat evaluation loop
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
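The verifier commit (256-probe random plus special-case testing), the mop_t value-equality commit, the wrapper/bitwidth commit and the iterative-traversal commit above describe four pieces of one pipeline. The Python below is an added example, not code from CoBRA, the ida-cobra plugin or this PR: it reproduces those pieces over a plain-tuple stand-in for the Hex-Rays minsn_t/mop_t tree, so it runs without the IDA SDK. The node shapes, the helper names (mba_root, postorder, collect_leaves, leaf_bitwidth, count_nodes, evaluate, probably_equivalent), the particular special-value set and the sample expressions are all assumptions of this example; only the 256-probe count and the xdu/xds/mov wrapper list come from the commit messages.

```python
"""Added example, not CoBRA/ida-cobra code. Tuple-based stand-in for the
Hex-Rays minsn_t/mop_t tree; node shapes are an assumption of this example:
  ('var', name, width) | ('const', value, width)
  (op, left, right) for op in BINOPS | (op, child) for op in UNOPS
  ('xdu', child, width) | ('xds', child, width) | ('mov', child)  wrappers"""
import itertools
import random

BINOPS = {
    'add': lambda a, b: a + b, 'sub': lambda a, b: a - b,
    'mul': lambda a, b: a * b, 'and': lambda a, b: a & b,
    'or': lambda a, b: a | b, 'xor': lambda a, b: a ^ b,
}
UNOPS = {'neg': lambda a: -a, 'not': lambda a: ~a}
WRAPPERS = ('xdu', 'xds', 'mov')

def mba_root(expr):
    """Walk past xdu/xds/mov wrappers to the topmost arithmetic/boolean node."""
    while expr[0] in WRAPPERS:
        expr = expr[1]
    return expr

def postorder(expr):
    """Two-stack flatten, no recursion: children before parents, left before right."""
    out, work = [], [expr]
    while work:
        node = work.pop()
        out.append(node)
        if node[0] in BINOPS:
            work.extend((node[1], node[2]))      # right child is popped first
        elif node[0] in UNOPS or node[0] in WRAPPERS:
            work.append(node[1])
    out.reverse()
    return out

def collect_leaves(expr):
    """Variables in first-seen order, deduplicated by value (name, width):
    distinct nodes naming the same variable count once, as with mop_t::operator==."""
    leaves = []
    for node in postorder(expr):
        if node[0] == 'var' and node not in leaves:
            leaves.append(node)
    return leaves

def leaf_bitwidth(expr):
    """The MBA's width comes from its leaf operands, not a wrapper's destination size."""
    widths = {n[2] for n in postorder(expr) if n[0] in ('var', 'const')}
    if len(widths) != 1:
        raise ValueError(f"mixed leaf widths: {sorted(widths)}")
    return widths.pop()

def count_nodes(expr):
    """Size metric for the cost gate: only accept a rewrite that is smaller."""
    return len(postorder(mba_root(expr)))

def evaluate(expr, env, width=None):
    """Bottom-up evaluation of the flattened post-order with an explicit value
    stack; every intermediate is reduced modulo 2**width like machine arithmetic."""
    expr = mba_root(expr)
    width = width or leaf_bitwidth(expr)
    mask = (1 << width) - 1
    stack = []
    for node in postorder(expr):
        kind = node[0]
        if kind == 'var':
            stack.append(env[node[1]] & mask)
        elif kind == 'const':
            stack.append(node[1] & mask)
        elif kind in UNOPS:
            stack.append(UNOPS[kind](stack.pop()) & mask)
        elif kind in BINOPS:
            b, a = stack.pop(), stack.pop()       # right operand is on top
            stack.append(BINOPS[kind](a, b) & mask)
        else:
            raise ValueError(f"wrapper {kind} below the MBA root is not modelled")
    (result,) = stack
    return result

def probably_equivalent(a, b, probes=256, seed=0):
    """Special-value probes (every combination of edge values) plus random probes.
    False is a proof of non-equivalence; True is only strong evidence."""
    a, b = mba_root(a), mba_root(b)
    width = leaf_bitwidth(a)
    if leaf_bitwidth(b) != width:
        return False
    names = sorted({n[1] for n in collect_leaves(a) + collect_leaves(b)})
    special = [0, 1, 2, (1 << width) - 1, 1 << (width - 1), (1 << (width - 1)) - 1]
    envs = [dict(zip(names, v)) for v in itertools.product(special, repeat=len(names))]
    rng = random.Random(seed)
    envs += [{n: rng.getrandbits(width) for n in names} for _ in range(probes)]
    return all(evaluate(a, e, width) == evaluate(b, e, width) for e in envs)

# Constructed inputs: the classic MBA (x ^ y) + 2*(x & y) for x + y, shown under
# a 64-bit zero-extension as a widening context would present it.
X, Y, TWO = ('var', 'x', 32), ('var', 'y', 32), ('const', 2, 32)
OBFUSCATED = ('xdu', ('add', ('xor', X, Y), ('mul', TWO, ('and', X, Y))), 64)
SIMPLIFIED = ('add', X, Y)
WRONG = ('add', ('xor', X, Y), ('and', X, Y))    # that is x | y, not x + y

def deep_chain(depth, width=32):
    """x + 1 + ... + 1 nested 'depth' levels; a recursive walker would overflow."""
    expr = ('var', 'x', width)
    for _ in range(depth):
        expr = ('add', expr, ('const', 1, width))
    return expr

if __name__ == '__main__':
    print(leaf_bitwidth(OBFUSCATED), count_nodes(OBFUSCATED), count_nodes(SIMPLIFIED))
    print(probably_equivalent(OBFUSCATED, SIMPLIFIED), probably_equivalent(OBFUSCATED, WRONG))
    print(hex(evaluate(deep_chain(20000), {'x': 0xFFFFFFFF})))
```

Two points worth keeping in mind when porting this pattern back to real microcode: the width used for masking must be the leaf width (32 here, not the xdu's 64), otherwise a 32-bit carry that should wrap is kept and the obfuscated and simplified forms disagree on inputs like x = 0xFFFFFFFF, y = 1; and probing can only ever refute equivalence, so a rewrite that passes all probes is still a candidate, which is why the cost gate and the operand-order check (pop right before left for sub) sit in front of reconstruction.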
Fix mop_t matching, handle wrapper opcodes, iterative traversal
Store the simplification count in a netnode keyed by the function's entry address so IDAPython scripts can discover which functions were simplified. Also include the function address in the log message. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Decompiles all functions in a binary and reports which ones CoBRA simplified, using the netnode tag to identify them. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- ida-cobra: IDA Pro plugin that detects and simplifies MBA-obfuscated expressions in Hex-Rays decompiled code using CoBRA's Simplify() API
- hxe_glbopt callback with right-click menu + auto-run config option
Test plan
- -DCOBRA_BUILD_IDA_PLUGIN=ON -DIDA_SDK_DIR=...
- COBRA_RUN_AUTOMATICALLY = YES in config
Closes #11
🤖 Generated with Claude Code