updated to new version

mrphrazer · Jan 25, 2023 · 16e2ec2 · 16e2ec2
1 parent a167ce2
commit 16e2ec2
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -1,16 +1,17 @@
-# Obfuscation Detection (v1.4)
+# Obfuscation Detection (v1.5)
 Author: **Tim Blazytko**
 
 _Automatically detect obfuscated code and other state machines_
 
 ## Description:
 
-Scripts and binaries to automatically detect obfuscated code and state machines in binaries.
+Scripts, binaries and a Binary Ninja plugin to automatically detect obfuscated code and state machines in binaries.
 
 Implementation is based on Binary Ninja. Check out the following blog posts for more information:
 
 * [Automated Detection of Control-flow Flattening](https://synthesis.to/2021/03/03/flattening_detection.html)
 * [Automated Detection of Obfuscated Code](https://synthesis.to/2021/08/10/obfuscation_detection.html)
+* [Statistical Analysis to Detect Uncommon Code](https://synthesis.to//2023/01/26/uncommon_instruction_sequences.html)
 
 
 ## Installation
@@ -70,6 +71,9 @@ Function 0x4017c0 (sub_4017c0) has a cyclomatic complexity of 214.
 Function 0x412f70 (sub_412f70) has a cyclomatic complexity of 54.
 Function 0x4138e0 (sub_4138e0) has a cyclomatic complexity of 10.
 Function 0x412df0 (sub_412df0) has a cyclomatic complexity of 10.
+Function 0x412c70 (sub_412c70) has a cyclomatic complexity of 10.
+Function 0x401602 (sub_401602) has a cyclomatic complexity of 7.
+Function 0x4013e3 (sub_4013e3) has a cyclomatic complexity of 5.
 ================================================================================
 Large Basic Blocks
 Basic blocks in function 0x405340 (sub_405340) contain on average 11 instructions.
@@ -78,6 +82,20 @@ Basic blocks in function 0x4013e3 (sub_4013e3) contain on average 10 instruction
 Basic blocks in function 0x413a80 (init) contain on average 9 instructions.
 Basic blocks in function 0x401349 (sub_401349) contain on average 7 instructions.
 Basic blocks in function 0x401030 (_init) contain on average 6 instructions.
+Basic blocks in function 0x4097a0 (sub_4097a0) contain on average 6 instructions.
+Basic blocks in function 0x405150 (sub_405150) contain on average 6 instructions.
+Basic blocks in function 0x4017c0 (sub_4017c0) contain on average 6 instructions.
+================================================================================
+Uncommon Instruction Sequences
+Function 0x401300 (sub_401300) has an uncommon instruction sequences score of 0.5.
+Function 0x405370 (sub_405370) has an uncommon instruction sequences score of 0.4697142857142857.
+Function 0x4016fa (sub_4016fa) has an uncommon instruction sequences score of 0.4444444444444444.
+Function 0x4097a0 (sub_4097a0) has an uncommon instruction sequences score of 0.42799688635184224.
+Function 0x4017c0 (sub_4017c0) has an uncommon instruction sequences score of 0.42788461538461536.
+Function 0x412df0 (sub_412df0) has an uncommon instruction sequences score of 0.35294117647058826.
+Function 0x412c70 (sub_412c70) has an uncommon instruction sequences score of 0.35294117647058826.
+Function 0x412f70 (sub_412f70) has an uncommon instruction sequences score of 0.352.
+Function 0x401290 (__ns_get32) has an uncommon instruction sequences score of 0.34782608695652173.
 ================================================================================
 Instruction Overlapping
 ```

diff --git a/plugin.json b/plugin.json
@@ -12,7 +12,7 @@
    "longdescription": "",
    "license": {
       "name": "GPL-2.0",
-      "text": "Copyright 2021 Tim Blazytko\n\nThis program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>."
+      "text": "Copyright 2023 Tim Blazytko\n\nThis program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>."
    },
    "platforms": [
       "Darwin",
@@ -24,6 +24,6 @@
       "Windows": "",
       "Linux": ""
    },
-   "version": "1.4",
+   "version": "1.5",
    "minimumbinaryninjaversion": 2487
 }
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="obfuscation_detection",
-    version="1.4",
+    version="1.5",
     author="Tim Blazytko",
     author_email="[email protected]",
     description="Collection of scripts to pinpoint obfuscated code",