Live Stream VOD: Emotet Deobfuscation Part 1 - Learning The Control Flow (Patreon)
Content
In this Twitch stream we begin to look at the control flow flattening (CFF) obfuscation in Emotet. Our first step is to build an algorithm to separate the dispatcher control flow blocks from the original basic blocks.
We have a rough start, since the function we focus on has two entry points to the dispatcher, which means we can't use the same approach we used for Pandora ransomware and need to develop a more generic algorithm. To get started, we decide to use a non-symbolic-execution approach and simply analyze the disassembly directly to separate the dispatcher blocks and label them. The algorithm for this is provided by @mrexodia (x64dbg developer). All thanks to him for the help <3
We end the stream with a working script that separates the dispatcher blocks from the original basic blocks and labels them in IDA. This sets us up for the next stream, where we can try various generic algorithms so we aren't tied to the assembly.
Sample: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01
Sample Unpacked (this is the one we use in the stream): eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827
Rough notes (with code): Emotet Deobfuscation