Add 'dlopen' & 'dlsym' as a name source for autorenamer;

Fix doc
KasperskyLab · Nov 20, 2024 · cdecd34 · cdecd34
1 parent c280f99
commit cdecd34
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/doc/unflat.md b/doc/unflat.md
@@ -1,5 +1,8 @@
 ## Unflattening
-Here is a deep modification of original code of [Rolf Rolles](https://hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler) and [Takahiro Haruyama](https://blogs.vmware.com/security/2019/02/defeating-compiler-level-obfuscations-used-in-apt10-malware.html) to deal with nested flattening used in FinSpy (FinFisher) malware. As well it should be useful in RE other flattened malware.
+Here is a deep modification of original code by [Rolf Rolles](https://hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler)
+and [Takahiro Haruyama](https://blogs.vmware.com/security/2019/02/defeating-compiler-level-obfuscations-used-in-apt10-malware.html)
+to deal with nested flattening and jg/jle instead jz/jnz comparing were used in FinSpy (FinFisher) malware.
+As well it should be useful in RE other flattened malware.
 
 Unflattener may be disabled/enabled in decompiler's context menu. Current state of unflattener reported in a comment in the first line of pseudocode. 
 

diff --git a/src/hrtng.cpp b/src/hrtng.cpp
@@ -4386,7 +4386,7 @@ plugmod_t*
 	addon.producer = "Sergey Belov and Milan Bohacek, Rolf Rolles, Takahiro Haruyama," \
 									 " Karthik Selvaraj, Ali Rahbar, Ali Pezeshk, Elias Bachaalany, Markus Gaasedelen";
 	addon.url = "https://github.com/KasperskyLab/hrtng";
-	addon.version = "1.1.5";
+	addon.version = "1.1.6";
 	register_addon(&addon);	
 
 	return PLUGIN_KEEP;

diff --git a/src/rename.cpp b/src/rename.cpp
@@ -164,17 +164,16 @@ static bool getCallName(cfunc_t *func, cexpr_t* call, qstring* name)
 	if (!args.size())
 		return false;
 
-	if (!namecmp(funcname.c_str(), "LoadLibrary") ||
-	    !namecmp(funcname.c_str(), "GetModuleHandle")) {
+	if (!namecmp(funcname.c_str(), "LoadLibrary") || !namecmp(funcname.c_str(), "GetModuleHandle") || !namecmp(funcname.c_str(), "dlopen")) {
 		qstring argName;
-		if (args.size() == 1 && getExpName(func, &args[0], &argName)) {
+		if (args.size() >= 1 && getExpName(func, &args[0], &argName)) {
 			*name = "h";
 			*name += argName;
 			return true;
 		}
 	}
-	else if (!namecmp(funcname.c_str(), "GetProcAddress")) {
-		if (args.size() == 2 && getExpName(func, &args[1], name))
+	else if (!namecmp(funcname.c_str(), "GetProcAddress") || !namecmp(funcname.c_str(), "dlsym")) {
+		if (args.size() >= 2 && getExpName(func, &args[1], name))
 			return true;
 	}
 	else if (!namecmp(funcname.c_str(), "strdup") || !namecmp(funcname.c_str(), "wcsdup")) {