hACKCASCAC/ObfusHide-StringDumper
GitHub: hACKCASCAC/ObfusHide-StringDumper
Stars: 1 | Forks: 0
# 🛡️ Obfus.h HIDE_STRING Dumper
Static Hidden String Recovery Tool for Obfus.h Protected Binaries
# 📌 Overview
Obfus.h HIDE_STRING Dumper is a specialized C++ analysis utility designed exclusively for detecting and reconstructing strings hidden by the `HIDE_STRING` macro from the **Obfus.h** TCC obfuscation framework.
Unlike generic string dumpers, this tool specifically targets the exact instruction patterns generated by Obfus.h during compile-time string protection. It statically parses Windows PE executables and rebuilds hidden plaintext strings directly from stack-based byte initialization sequences emitted by Tiny C Compiler (TCC).
The scanner identifies dynamically constructed strings without emulation, unpacking, or runtime execution.
Every recovered string is automatically resolved to its corresponding Virtual Address (VA), allowing instant navigation inside x64dbg, IDA Pro, Ghidra, or Binary Ninja.
# 🚀 Features
- ⚡ **High-Speed Static PE Scanning**
  Loads the target executable directly into memory for fast analysis.
- 🧵 **Obfus.h HIDE_STRING Reconstruction**
  Detects the exact stack construction patterns generated by:
  - `HIDE_STRING(...)`
  - `STACK_STRING(...)`
  - Tiny C Compiler byte initialization code
- 🎯 **Virtual Address Resolution**
  Converts raw file offsets into debugger-ready Virtual Addresses.
- 🔍 **TCC-Specific Pattern Matching**
  Designed specifically around the Tiny C Compiler opcode generation used by Obfus.h.
- 🧠 **PE Header Parsing**
  Automatically processes:
  - DOS headers
  - NT headers
  - PE sections
  - ImageBase
  - RVA mappings
- 🖥️ **Colored Console Interface**
  Styled hexadecimal reporting with debugger-friendly formatting.
- 📦 **Zero Dependencies**
  Pure WinAPI + standard C++ implementation.
# 🛠️ Usage
Obfus.h HIDE_STRING Dumper is a command-line utility that takes the path of the PE file to scan:

```text
ObfusHide_StringDumper.exe <target.exe>
```

Example:

```text
ObfusHide_StringDumper.exe malware_sample.exe
```
# 📄 Example Output
```text
[+] Scanning file: malware_sample.exe (231424 bytes)
[VA: 0x000000014001A420 | File Offset: 0x00018820] -> "Hello World"
[VA: 0x000000014001A480 | File Offset: 0x00018880] -> "https://api.telegram.org"
[VA: 0x0000000140020F10 | File Offset: 0x0001F310] -> "Debugger detected"
[+] Found 3 hidden strings.
```
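The VA column in the output above is obtained by mapping each raw file offset through the PE section table (the DOS header, NT headers, ImageBase and section RVAs listed under Features). The Python below is an added example, not the tool's own code: it parses those headers from a constructed PE32+ header (not a real binary) whose `.text` section is laid out so that the three sample offsets above map to the VAs shown, and converts in both directions. The names `parse_sections`, `file_offset_to_va`, `va_to_file_offset` and `build_sample_pe` are chosen here and are not from the project.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_sections(pe: bytes):
    """Walk DOS header -> NT headers -> section table; return (ImageBase, [(name, va, vsize, raw_ptr, raw_size)])."""
    if struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]   # 64-bit ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]   # 32-bit ImageBase (follows BaseOfData)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    sections = []
    for k in range(num_sections):                        # IMAGE_SECTION_HEADER is 40 bytes each
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * k)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rptr, rsize))
    return image_base, sections


def file_offset_to_va(image_base: int, sections, offset: int):
    """Raw file offset -> VA, or None when no section's raw data backs the offset (headers, overlay)."""
    for _name, va, _vsize, rptr, rsize in sections:
        if rptr <= offset < rptr + rsize:
            return image_base + va + (offset - rptr)
    return None


def va_to_file_offset(image_base: int, sections, target_va: int):
    """Inverse mapping from a debugger address back into the file; None for unmapped or BSS-only ranges."""
    rva = target_va - image_base
    for _name, va, _vsize, rptr, rsize in sections:
        if va <= rva < va + rsize:               # only bytes present on disk have a file offset
            return rptr + (rva - va)
    return None


def build_sample_pe() -> bytes:
    """Constructed PE32+ header with two sections (not a real binary); .text is at RVA 0x2000, raw offset 0x400."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = (struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 22 + struct.pack("<Q", 0x140000000)).ljust(0xF0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)   # AMD64, 2 sections, executable image

    def section(name, va, vsize, rptr, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)

    return (dos + b"PE\0\0" + coff + opt
            + section(b".text", 0x2000, 0x30000, 0x400, 0x30000, 0x60000020)
            + section(b".rdata", 0x32000, 0x8000, 0x30400, 0x8000, 0x40000040))


if __name__ == "__main__":
    base, secs = parse_sections(build_sample_pe())
    for off in (0x18820, 0x18880, 0x1F310):       # the three offsets from the example output above
        print(f"[VA: 0x{file_offset_to_va(base, secs, off):016X} | File Offset: 0x{off:08X}]")
```

The mapping is a per-section delta (`VirtualAddress - PointerToRawData`), so an offset in a different section, or one in the headers or an appended overlay, must not be converted with the delta of `.text`; the lookup returns `None` rather than a misleading address in that case.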
# 🧠 Under the Hood
## How Obfus.h Hides Strings
The `HIDE_STRING` macro from Obfus.h avoids storing plaintext strings inside `.rdata` by constructing them byte-by-byte directly on the stack.
Original code:

```c
HIDE_STRING("Hello World")
```

is compiled by TCC into a sequence similar to:

```asm
mov eax, 48h
mov [rbp-0Fh], al
mov eax, 65h
mov [rbp-0Eh], al
mov eax, 6Ch
mov [rbp-0Dh], al
mov eax, 6Ch
mov [rbp-0Ch], al
mov eax, 6Fh
mov [rbp-0Bh], al
```

instead of the normal compiler output:

```asm
lea rax, "Hello World"
```

This keeps the plaintext out of the binary's data sections; the string only exists on the stack once the function has executed its byte writes at runtime.
## Detection Engine
The scanner walks byte-by-byte through the loaded executable image searching for the exact instruction chains emitted by TCC and Obfus.h.

Supported patterns include:

```text
B8 XX 00 00 00    ; mov eax, XX
88 45 YY          ; mov [rbp+YY], al
```

and stack-write variants:

```text
C6 45 YY XX       ; mov byte ptr [rbp+YY], XX
C6 44 24 YY XX    ; mov byte ptr [rsp+YY], XX
```

`YY` is a signed 8-bit displacement, so `[rbp-0Fh]` is encoded as `F1`.
When multiple sequential byte writes are detected, the tool reconstructs the original hidden string directly from opcode immediates.
# ⚙️ Detection Logic
A string candidate is considered valid when:
- Multiple sequential stack writes are detected
- At least 4 printable characters are reconstructed
- The opcode chain matches known Obfus.h/TCC generation patterns
Non-printable bytes are automatically filtered before output.
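The following Python is an added example, not the tool's own code, that implements the recovery described in the two sections above (the TCC stack-construction shapes from "Under the Hood" and the acceptance rules from "Detection Logic"): it decodes the three opcode patterns into single-byte stack writes, groups back-to-back writes through the same base register, orders them by stack address, filters non-printable bytes, and keeps candidates of at least 4 printable characters. `encode_hide_string` builds constructed sample input in those shapes for testing; it is not TCC output. All function names are chosen here.

```python
from dataclasses import dataclass

# Opcode shapes from the README, each decoded to "store one byte to a stack slot":
#   B8 XX 00 00 00  88 45 YY   mov eax, XX ; mov [rbp+YY], al     (TCC two-instruction form)
#   C6 45 YY XX                mov byte ptr [rbp+YY], XX
#   C6 44 24 YY XX             mov byte ptr [rsp+YY], XX         (SIB 24h = rsp base)
# YY is a signed 8-bit displacement, so [rbp-0Fh] is encoded as F1.


@dataclass
class StackWrite:
    offset: int   # file offset of the first byte of the matched instruction(s)
    base: str     # "rbp" or "rsp"
    disp: int     # signed displacement from the base register
    value: int    # byte written to the stack slot
    length: int   # number of bytes the pattern spans


def _signed8(b: int) -> int:
    return b - 0x100 if b & 0x80 else b


def match_stack_write(data: bytes, i: int):
    """Return the StackWrite encoded at data[i], or None if no supported pattern starts there."""
    if (i + 8 <= len(data) and data[i] == 0xB8 and data[i + 2:i + 5] == b"\0\0\0"
            and data[i + 5:i + 7] == b"\x88\x45"):
        return StackWrite(i, "rbp", _signed8(data[i + 7]), data[i + 1], 8)
    if i + 4 <= len(data) and data[i:i + 2] == b"\xC6\x45":
        return StackWrite(i, "rbp", _signed8(data[i + 2]), data[i + 3], 4)
    if i + 5 <= len(data) and data[i:i + 3] == b"\xC6\x44\x24":
        return StackWrite(i, "rsp", _signed8(data[i + 3]), data[i + 4], 5)
    return None


def rebuild_run(run):
    """Order writes by stack address (string order) and keep printable ASCII only; this drops the NUL terminator."""
    ordered = sorted(run, key=lambda w: w.disp)
    return "".join(chr(w.value) for w in ordered if 0x20 <= w.value <= 0x7E)


def recover_strings(data: bytes, min_len: int = 4):
    """Scan a raw buffer and return (file_offset, string) for every candidate that meets the acceptance rules."""
    found, i, n = [], 0, len(data)
    while i < n:
        first = match_stack_write(data, i)
        if first is None:
            i += 1
            continue
        run, i = [first], i + first.length
        # Extend the run only while the very next instruction is another write through the same base.
        while i < n:
            nxt = match_stack_write(data, i)
            if nxt is None or nxt.base != first.base:
                break
            run.append(nxt)
            i += nxt.length
        text = rebuild_run(run)
        if len(run) >= 2 and len(text) >= min_len:
            found.append((first.offset, text))
    return found


def encode_hide_string(s: str, form: str = "mov_al") -> bytes:
    """Emit stack-construction bytes for s in one of the three shapes (constructed test input, not TCC output)."""
    raw = s.encode("ascii") + b"\0"
    out = bytearray()
    for k, b in enumerate(raw):
        if form == "mov_al":        # B8 XX 00 00 00 ; 88 45 YY  with slots [rbp-N] .. [rbp-1]
            out += bytes([0xB8, b, 0, 0, 0, 0x88, 0x45, (k - len(raw)) & 0xFF])
        elif form == "rbp_imm":     # C6 45 YY XX
            out += bytes([0xC6, 0x45, (k - len(raw)) & 0xFF, b])
        elif form == "rsp_imm":     # C6 44 24 YY XX  with slots [rsp+20h] upward
            out += bytes([0xC6, 0x44, 0x24, 0x20 + k, b])
        else:
            raise ValueError(form)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: three hidden strings separated by unrelated instruction bytes (nop, ret, sub rsp).
    sample = (b"\x90" * 5 + encode_hide_string("Hello World", "mov_al")
              + b"\xC3" + encode_hide_string("Debugger detected", "rbp_imm")
              + b"\x48\x83\xEC\x28" + encode_hide_string("https://api.telegram.org", "rsp_imm"))
    for off, text in recover_strings(sample):
        print(f"[File Offset: 0x{off:08X}] -> \"{text}\"")
```

Sorting by displacement rather than trusting instruction order matters: the stack slot, not the position of the `mov`, determines where a byte lands in the string, so a compiler that writes the slots out of order still yields the correct plaintext. Breaking the run on a change of base register keeps two adjacent `rbp`- and `rsp`-based strings from being merged into one candidate.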
# 🔬 Designed For
Obfus.h analysis
# 🏗️ Build Instructions
The project targets Windows and is built using MSVC.
### Requirements
- Visual Studio 2019/2022
- Windows SDK
- C++17 recommended
### Build
1. Open the project in Visual Studio
2. Select:
   - `Release`
   - `x64` or `x86`
3. Build the solution (`Ctrl + Shift + B`)
# ⚖️ Disclaimer
This project is intended strictly for educational purposes, malware research, and authorized reverse engineering.
Do not use this software against systems or binaries you do not own or have permission to analyze.