A tool for emulating and analyzing obfuscated functions inside a binary file. It maps the binary into memory, sets up a virtual CPU environment, and executes the obfuscated code starting from a specified RVA.
program -b <binary_path> -o <log_path> -rva <rva> -sectionStart <start_addr> -sectionSize <size>
โ
Required arguments:
Argument Description
-b <path> Path to the binary file (e.g., .exe, .dll)
-o <path> Path to the output log file (e.g., D:\log.txt)
-rva <rva> RVA of the first instruction of the obfuscated function. Supports decimal or hexadecimal formats
-sectionStart <addr> RVA of the beginning of the obfuscated section. Supports decimal or hexadecimal formats
-sectionSize <size> Size of the obfuscated section in bytes. Supports decimal or hexadecimal formats
๐ Optional:
Argument Description
-help Show help message
โ ๏ธ Important
The -rva argument must point to the first instruction of the obfuscated function inside the obfuscated section.
All numeric arguments (-rva, -sectionStart, -sectionSize) can be specified as decimal (e.g., 1234) or hexadecimal (e.g., 0x4D2).
๐ Output
The emulator will execute the obfuscated function starting from the specified RVA and log execution details to the file specified with -o.