{"id":30692204,"url":"https://github.com/samueltulach/unxorer","last_synced_at":"2026-03-07T00:08:02.074Z","repository":{"id":307719322,"uuid":"1025151712","full_name":"SamuelTulach/unxorer","owner":"SamuelTulach","description":"Yet another IDA Pro/Home plugin for deobfuscating stack strings","archived":false,"fork":false,"pushed_at":"2026-03-06T22:26:58.000Z","size":13505,"stargazers_count":122,"open_issues_count":1,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-03-06T23:47:23.084Z","etag":null,"topics":["ida","ida-plugin","ida-pro","idalib"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SamuelTulach.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-07-23T20:04:39.000Z","updated_at":"2026-03-06T22:18:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"a5138c62-5cb3-4dcc-a1d0-f013c4c1759c","html_url":"https://github.com/SamuelTulach/unxorer","commit_stats":null,"previous_names":["samueltulach/unxorer"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/SamuelTulach/unxorer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuelTulach%2Funxorer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuelTulach%2Funxorer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuelTulach%2Funxorer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuelTulach%2Funxorer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SamuelTulach","download_url":"https://codeload.github.com/SamuelTulach/unxorer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuelTulach%2Funxorer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30204114,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T19:07:06.838Z","status":"ssl_error","status_checked_at":"2026-03-06T18:57:34.882Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ida","ida-plugin","ida-pro","idalib"],"created_at":"2025-09-02T04:50:07.125Z","updated_at":"2026-03-07T00:08:02.056Z","avatar_url":"https://github.com/SamuelTulach.png","language":"C++","readme":"# unxorer\nYet another plugin for deobfuscating stack strings.\n\n![demo](/assets/demo.gif)\n\n## Concept\nYou can specify one or more starting addresses (e.g. entry point, cursor location, or all functions in the database), from which the plugin will emulate every feasible execution path using [Unicorn](https://www.unicorn-engine.org/). Conditional jumps are forced to branch, and emulation states are saved and restored as needed. Throughout this process, the stack is scanned for strings. When it encounters calls to unknown memory regions (typically imports) or unsupported instructions, it attempts to skip over them so that as many paths as possible can be emulated.\n\n## Installation\n1. Download the latest release from the [releases page](https://github.com/SamuelTulach/unxorer/releases) or compile it yourself (see **Compiling** below).  \n2. Copy the plugin file into your IDA \"plugins\" directory:\n   - **Windows:** `C:\\Program Files\\IDA \u003cversion\u003e\\plugins`\n   - **Linux/macOS:** `~/ida/plugins`\n3. Restart IDA if it is running.\n4. Confirm that the plugin has loaded by opening the **Edit -\u003e Plugins** menu in IDA.\n\n## Usage\n1. Load binary or memory blob into IDA.\n1. Open the **Edit -\u003e Plugins -\u003e unxorer** menu. Configure options as needed. Click **Ok** to start.\n   \n   ![menu](/assets/menu.png)\n1. Wait for the emulation to complete.\n   \n   ![progress](/assets/progress.png)\n1. List of found strings will be displayed, search in it with Ctrl+F, double-click to jump to where it was found.\n   \n   ![results](/assets/results.png)\n\n## Compiling\nThis plugin is targetting [IDA SDK 9.2](https://github.com/HexRaysSA/ida-sdk) and Windows, but in theory should work on any platform and hopefully future IDA versions as well. Those instructions are Windows specific.\n1. Download and install [Visual Studio 2022](https://visualstudio.microsoft.com/) with [C++ development tools and CMake](https://learn.microsoft.com/en-us/cpp/build/vscpp-step-0-installation?view=msvc-170).\n1. Setup vcpkg by following [the setup instructions](https://learn.microsoft.com/en-us/vcpkg/get_started/get-started?pivots=shell-powershell).\n1. Open the `CMakeLists.txt` file in Visual Studio.\n1. Select desired build configuration (**release-x64** or **debug-x64**).\n1. Build the project (Ctrl+Shift+B).\n1. The plugin will be compiled into `out\\build\\plugins\\unxorer.dll`.\n\n## Limitations\n- The branching algorithm is *very* basic, it might get stuck in infinite loop sometimes or skip actual loops.\n- All of the limitations of [Unicorn](https://www.unicorn-engine.org/) apply, such as:\n  - It does not support all instructions (e.g. [some AVX instructions](https://github.com/unicorn-engine/unicorn/issues/1879)).\n  - It fails to emulate heavilly obfuscated or virtualized code.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamueltulach%2Funxorer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamueltulach%2Funxorer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamueltulach%2Funxorer/lists"}