________________________________________________________________________________________

Imhotep v1.6.0.5 by ArthaXerXes
________________________________________________________________________________________

Use this program to remove obfuscation code from x86 Intel programs.
Imhotep is free of charge, but is not public domain.

Restrictions :
--------------

 - the code must use a 32-bit segment
 - this program only runs under Windows 9x & NT.
 - A Pentium processor or better is required.
 - You agree to use this program at YOUR OWN RISK ONLY.

Thanks to :
-----------

 - Phisphace for the original idea.
 - dec0de12 for some hints about obfuscation.
 - Simon Tatham and Julian Hall for the code taken from their program Nasm
   (Netwide Assembler); although I rewrote their code, they still deserve
   big credit.

How to use, step by step (mainly written for R!SC :-) :
-------------------------------------------------------

on a binary file
----------------
1. Extract the section you wish to clean up from the executable (use PEditor,
   for example).
2. Load the section into Imhotep and click "Do it!"
3. Replace the section in the executable with the new one.
4. Resume reversing.

on a PE file
------------
1. Choose which file you wish to load (EXE or DLL only).
2. Choose which section(s) you wish to clean. You should only clean the sections
   which are recognized as code sections. Moreover, these sections must not be
   encrypted or compressed.
3. Click OK; the clean-up is done immediately afterwards (which means that you
   need to choose the deobfuscation level BEFORE loading the PE file).
4. Resume reversing.

If the obfuscation code you wish to remove is only present in a small part of
the section, cut this part, "Imhotepize" it, and paste it back.
The smaller the data, the better.

Options to specify offset(s) will be added if requested.

What the level means :
----------------------

Level 1 deobfuscation : only removes null instructions (such as xchg eax, eax or mov ebx, ebx)
Level 2 deobfuscation : Level 1 + rearranges jumps
Level 3 deobfuscation : Level 2 + optimizes jumps
Level 4 deobfuscation : Level 3 + "nops" the parts skipped during the previous pass

By default Level 3 is used, since it is safe and works fine most of the time. If it is not enough, you should try Level 4.
On the other hand, if you think Level 3 is screwing things up, try Level 2. Level 1 is very safe and cannot trash code
(unless there is a major bug in Imhotep); however, Level 1 removes only the most mundane obfuscation.
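The four layers above, as an added example that is not Imhotep's code: a toy deobfuscator that runs the same kind of passes on a symbolic x86 listing instead of on raw section bytes. Because the listing has no instruction sizes, code can be reordered and deleted outright, which a byte-level tool cannot do, so the mapping of levels here is an assumption: level 1 drops null instructions; level 2 traces the code from its first instruction (conditional-jump targets are queued and visited later) and lays it out in execution order, which unwinds jump mazes and leaves out junk the trace never reaches; level 3 threads jmp-to-jmp chains, re-traces, and drops jumps that land on the very next line. Level 4 (overwriting the skipped bytes with nop) is not modelled. The constructed SAMPLE listing contains both the "jmp a / garbage / a:" pattern and the jump maze shown further down in this README; every label, function and sample value in the block is made up for the example.

```python
# Toy model of the layered clean-up the Imhotep README describes, applied to a
# symbolic x86 listing. Added example, not Imhotep's code; see the lead-in.
import re

JUMPS = {"jmp", "je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl"}  # extend as needed
REFS = JUMPS | {"call"}               # instructions that keep a label alive
TERMINATORS = {"jmp", "ret", "retn"}  # nothing falls through past these

class Insn:  # label is None when the instruction carries none
    def __init__(self, label, op, args):
        self.label, self.op, self.args = label, op, args

def parse(listing):  # one label per instruction; "a:" alone or "a: ret" both work
    insns, pending = [], None
    for raw in listing.splitlines():
        m = re.match(r"^(?:(\w+):)?\s*([^;]*)", raw.strip())
        pending, line = m.group(1) or pending, m.group(2).strip()
        if line:
            op, rest = (line.split(None, 1) + [""])[:2]
            args = [a.strip().lower() for a in rest.split(",")] if rest else []
            insns.append(Insn(pending, op.lower(), args))
            pending = None
    return insns

def is_null(i):  # nop, mov r,r and xchg r,r change nothing, flags included
    return i.op == "nop" or (i.op in ("mov", "xchg") and len(i.args) == 2 and i.args[0] == i.args[1])

def level1(insns):  # drop null instructions, handing any label to the next one
    out = []
    for n, cur in enumerate(insns):
        if not is_null(cur) or n + 1 == len(insns):
            out.append(cur)
        elif cur.label is not None:          # keep jumps to the removed line valid
            nxt = insns[n + 1]
            nxt.label = nxt.label or cur.label
            for j in insns:
                if j.op in REFS and j.args == [cur.label]:
                    j.args = [nxt.label]
    return out

def level2(insns):  # trace from the first instruction, emit in execution order
    label_at = {i.label: n for n, i in enumerate(insns) if i.label}
    out, seen, work = [], set(), [0]
    while work:
        n, start = work.pop(), len(out)
        while n < len(insns) and n not in seen:
            cur = insns[n]
            seen.add(n)
            out.append(cur)
            if cur.op in JUMPS and cur.args and cur.args[0] in label_at:
                if cur.op == "jmp":
                    n = label_at[cur.args[0]]        # unconditional: keep tracing there
                    continue
                work.append(label_at[cur.args[0]])   # conditional: visit the target later
            if cur.op in TERMINATORS:
                break
            n += 1
        if len(out) > start and out[-1].op not in TERMINATORS and n < len(insns):
            insns[n].label = insns[n].label or "L%d" % n     # fell into code laid out
            out.append(Insn(None, "jmp", [insns[n].label]))  # elsewhere: jump there
    return out

def level3(insns):  # thread jump chains, re-trace, drop jumps onto the next line
    label_at = {i.label: n for n, i in enumerate(insns) if i.label}
    for i in insns:
        hops = 0                      # hop bound so "a: jmp a" cannot spin forever
        while i.op in JUMPS and i.args and i.args[0] in label_at and hops < len(insns):
            t = insns[label_at[i.args[0]]]
            if t.op != "jmp" or not t.args:
                break
            i.args, hops = [t.args[0]], hops + 1
    insns = level2(insns)             # the jmps just bypassed are unreachable now
    return [i for n, i in enumerate(insns)          # a jump onto the next line is a no-op
            if not (i.op in JUMPS and i.args and i.label is None
                    and n + 1 < len(insns) and insns[n + 1].label == i.args[0])]

def clean(listing, level=3):  # returns the cleaned listing as text
    insns = parse(listing)
    for step in (level1, level2, level3)[:max(0, min(level, 3))]:
        insns = step(insns)
    used = {i.args[0] for i in insns if i.op in REFS and i.args}
    out = []
    for i in insns:
        if i.label in used:           # labels nothing refers to are noise
            out.append(i.label + ":")
        out.append("\t" + i.op + (" " + ", ".join(i.args) if i.args else ""))
    return "\n".join(out)

SAMPLE = """    ; constructed input: a jump maze, a null instruction, junk never reached
    push ebp
    jmp b
a:  xchg eax, eax
    jmp c
    db 0xE8
b:  sub esp, 16
    jmp a
c:  ret"""

if __name__ == "__main__":
    print(clean(SAMPLE))
```

Run as-is, the maze collapses to push ebp / sub esp, 16 / ret, with the db junk and the xchg gone; clean(SAMPLE, 1) and clean(SAMPLE, 2) show the intermediate layers. The trace is also what keeps code reachable only through a conditional jump: when a traced run falls into code that was already laid out, an explicit jmp is appended so the flow is unchanged. A labelled endless loop such as x: jmp x survives untouched because the threading loop is bounded by the listing length rather than following the chain forever.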

Things you should keep in mind :
--------------------------------

Imhotep actually traces the code: each instruction is disassembled and
skipped accordingly. However, Imhotep is not perfect, and it may not
disassemble some instructions correctly; this is why some portions of the code
may be removed when they should not have been.

It can also skip parts that should have been removed.

Nonetheless, there is a significant improvement over the previous versions;
it is becoming harder and harder to fool Imhotep (especially since 1.5).

When disassembling sections (not the whole executable) with IDA, you must
tell it "this is 32-bit code", otherwise you will get a wrong disassembly.

Apart from IDA, I do not think that there are many disassemblers which will
correctly handle Level 3 imhotepized code, because they might get
confused by code such as this:

	jmp	a
	garbage
	
a:
	code
	
Code at position a will most likely be disassembled incorrectly. Get IDA 3.7
if you do not have it, it is free (and IDA 4 is not too expensive after all).

Known weaknesses/bugs :
-----------------------

 - Imhotep does not know a lot of "null" instructions, mail me your suggestions!
 - you may find this scheme in imhotepized code :
 
 	jmp	b	
 a:
 	code
 	jmp	c
 b:	
 	code
 	jmp	a
 c:
 
 or this one
 
 	jmp	a
 	
 a:
 	nop
 	nop
 	jmp	b
 
   This is ok, because sometimes the disassembler is not correctly "aligned" (sorry
   I do not know how to explain it better). Or, Imhotep may have detected some
   naughty trick (an endless loop for example), and ignored a chunk of code. Or,
   Imhotep may have attempted to place a "a: jmp a" (endless loop, again), detected
   that trick (again :-), and placed "nop nop" instead. Or, something else, I cannot
   think of all the possibilities, it is quite a complex machine you know...
 
 - some other weaknesses I keep secret; no need to make the protectionists' job
   easier, heh?

________________________________________________________________________________________

FACTS

 - Imhotep is written in Borland C++ Builder 5 Enterprise Edition
 - Imhotep has got more than 12,000 lines of code.
 - Imhotep features a real internal disassembler
 - Imhotep features a very l33t deobfuscation algorithm (works like an optimizer).
 - Imhotep features Ptah, my very own PE (and also very l33t) handling routines.

________________________________________________________________________________________

TO DO :

 - More user interaction.
 - Scarab interface -> live deobfuscation.
 - implement a deobfuscation algorithm to annihilate this :
 
  code
  call a
  code
  
  a: ret
  
 - log file
 - imhotep.dll, you wanted it, you will get it !


________________________________________________________________________________________

HISTORY

==
v1.6.0.5

 - will now directly load a PE file into memory and clean-up the selected sections.
 - improved level 2, much more efficient and accurate (defeats SD2's obfuscation).
 - some internal changes/optimizations.
 - (at last) a working "anti-loopback" system...
 - unsupported imhotep.dll

==
v1.5.0.10

 - completely rewrote the deobfuscation algorithm. It is now "layered" and is much
   more accurate and generic. It is also more careful.
 - the user may now choose how deobfuscation must be done, thanks to the layered
   architecture (4 levels).
 - whatever the "jump maze" is, Imhotep will not be fooled anymore, it is too l33t now.
   :-)
 - the obfuscation code is not "nopped" any more, it is only "jumped over" (unless you
   use Level 4).
 - improved speed.
 - minor GUI tweaks.

==
v1.4.0.23
	
 - complete new structure, featuring NASM's disassembler engine (rewritten a bit though).
 - better support of null instructions
 - better support of jumps
 - Imhotep is now really less prone to cleaning parts of the code that should not be cleaned
 - beta "anti-loopback" system

==
v1.3.0.17

 - support for a wide variety of jumps
 - support for many "null" instructions (such as mov eax, eax or xchg eax, eax)
 - improved the "jumps detector" a lot; it can now detect whether the displacement
   has been stored as a 32-bit, 16-bit or 8-bit number, whatever its value
   is.
 - Imhotep should be less prone to clean parts that should not be cleaned,
   however it is still not a real disassembler so it can easily be mistaken.

==
v1.2.0.15

 - brand new main algorithm (slower, but will work much much much better, it
   actually TRACES the code now)
 - file will be backed up before anything is done
 - added progress bars to keep the user informed about the progression
 - changed the GUI a bit
 - clean-up now performed in a separate thread

==
v1.1.0.11

first "official" release

 - improved main algorithm (faster and more reliable)
 - improved about box ;-)
 - changed name to Imhotep
 - added nice icon

==
v1.0.0.10

first "unofficial" release as "Sections"
________________________________________________________________________________________

(c)ArthaXerXes 2000-2001, all rights reserved.

   e-mail : xerxes@altern.org
       mb : http://arthaxerxes.nexen.net/forum/forum.php3
      www : http://www.altern.org/xerxes/

________________________________________________________________________________________
