Decompilation improvement for function obfuscated by Arxan

[FeeeeK]

I'm trying to improve the decompilation of an Arxan-obfuscated function that was split into 3 by replacing if else with jump to other functions.

Initial Decompilation:

This function conditionally jumps to one of two other functions:

• Target 1:
• Target 2:

Attempts:

1. CALL_RETURN Flow Override: Slightly improved output but still split into 3 functions.

bool FUN_144ed58ac(CSChrBehaviorDebugAnimHelper *param_1,ChrInsModuleContainer *param_2) {
  bool bVar1;
  code *pcVar2;
  pcVar2 = FUN_142084bfa;
  if (param_1->field6_0x14 != 1) {
    pcVar2 = thunk_FUN_1401806c5;
  }
  bVar1 = (bool)(*pcVar2)(param_1,param_2);
  return bVar1;
}

2. Marking Target Functions as Inline: Failed, likely due to the indirect call.

3. Adding References + SwitchOverride.java Script: This was the most successful with resulting C-like code:

bool FUN_144ed58ac(CSChrBehaviorDebugAnimHelper *param_1, ChrInsModuleContainer *param_2) {
    code *pcVar1;
    pcVar1 = FUN_142084bfa;
    if (param_1->field6_0x14 != 1) {
        pcVar1 = thunk_FUN_1401806c5;
    }
    /* WARNING: Switch is manually overridden */
    switch (pcVar1) {
        case thunk_FUN_1401806c5:
            return false;
        case FUN_142084bfa:
            return param_1->field41_0x40 == false;
    }
}

Desired Outcome:

While the switch is functionally correct, a more natural decompilation would be:

bool FUN_144ed58ac(CSChrBehaviorDebugAnimHelper *param_1, ChrInsModuleContainer *param_2) {
    if (param_1->field6_0x14 != 1) {
        return false; 
    } else {
        return param_1->field41_0x40 == false;
    }
}

Are there other techniques or settings to achieve decompilation with if/else, or to simplify the script-generated switch into an if/else?

[FeeeeK]

Also, this SwitchOverride method will not work if the jump is made with a return like here

[FeeeeK]

I returned to this again, but now with another question: How can I override pcode to properly display conditional branching? None of the flow overrides allow me to specify targets and conditions and I can't find a simple way to patch pcode without forking Ghidra and modifying the compiler spec.

For the last screenshot, something like this should work instead of return:

tmp = INT_EQUAL(condition_register, target1_address)
CBRANCH target1_address, tmp
BRANCH target2_address  

[FeeeeK]

I think the main problem is that the decompiler can't recognize that after all these manipulations with the stack, the value at [RSP-0x8] is actually the constant LAB_140163be5 that was loaded earlier:

                             LAB_144db9453                                   XREF[6]:     141035a48 (*) ,  141035a61 (*) , 
                                                                                          141035a97 (*) ,  141035ab4 (j) , 
                                                                                          144cfd55a (*) ,  144cfd568 (*)   
       144db9453 48  8b  45  50                     MOV                RAX ,qword ptr [RBP  + 0x50 ]
                                                      $U4780 :8 =  INT_ADD  RBP , 0x50 :8
                                                      $U12000 :8 =  LOAD  ram ($U4780 :8)
                                                      RAX  =  COPY  $U12000 :8
       144db9457 0f  b6  00                         MOVZX              EAX ,byte ptr [RAX ]
                                                      $U11e80 :1 =  LOAD  ram (RAX )
                                                      EAX  =  INT_ZEXT  $U11e80 :1
                                                      RAX  =  INT_ZEXT  EAX
       144db945a 0f  b6  c0                         MOVZX              EAX ,AL
                                                      EAX  =  INT_ZEXT  AL
                                                      RAX  =  INT_ZEXT  EAX
       144db945d 33  45  60                         XOR                EAX ,dword ptr [RBP  + 0x60 ]
                                                      $U4780 :8 =  INT_ADD  RBP , 0x60 :8
                                                      CF  =  COPY  0:1
                                                      OF  =  COPY  0:1
                                                      $U11f80 :4 =  LOAD  ram ($U4780 :8)
                                                      EAX  =  INT_XOR  EAX , $U11f80 :4
                                                      RAX  =  INT_ZEXT  EAX
                                                      SF  =  INT_SLESS  EAX , 0:4
                                                      ZF  =  INT_EQUAL  EAX , 0:4
                                                      $U2c280 :4 =  INT_AND  EAX , 0xff :4
                                                      $U2c300 :1 =  POPCOUNT  $U2c280 :4
                                                      $U2c380 :1 =  INT_AND  $U2c300 :1, 1:1
                                                      PF  =  INT_EQUAL  $U2c380 :1, 0:1
       144db9460 89  45  60                         MOV                dword ptr [RBP  + 0x60 ],EAX
                                                      $U4780 :8 =  INT_ADD  RBP , 0x60 :8
                                                      $U6b00 :4 =  COPY  EAX
                                                      STORE  ram ($U4780 :8), $U6b00 :4
       144db9463 8b  45  60                         MOV                EAX ,dword ptr [RBP  + 0x60 ]
                                                      $U4780 :8 =  INT_ADD  RBP , 0x60 :8
                                                      $U11f80 :4 =  LOAD  ram ($U4780 :8)
                                                      EAX  =  COPY  $U11f80 :4
                                                      RAX  =  INT_ZEXT  EAX
       144db9466 8b  55  60                         MOV                EDX ,dword ptr [RBP  + 0x60 ]
                                                      $U4780 :8 =  INT_ADD  RBP , 0x60 :8
                                                      $U11f80 :4 =  LOAD  ram ($U4780 :8)
                                                      EDX  =  COPY  $U11f80 :4
                                                      RDX  =  INT_ZEXT  EDX
       144db9469 4c  89  64  24  f8                  MOV                qword ptr [RSP  + -0x8 ],R12
                                                      $U4e80 :8 =  INT_ADD  -8 :8, RSP
                                                      $U6b80 :8 =  COPY  R12
                                                      STORE  ram ($U4e80 :8), $U6b80 :8
       144db946e 48  8d  64  24  f8                  LEA                RSP ,[RSP  + -0x8 ]
                                                      $U4e80 :8 =  INT_ADD  -8 :8, RSP
                                                      RSP  =  COPY  $U4e80 :8
       144db9473 4c  8d  25  6b  a7  3a  fb            LEA                R12 ,[LAB_140163be5 ]
                                                      R12  =  COPY  0x140163be5 :8
       144db947a 4c  87  24  24                     XCHG               qword ptr [RSP ],R12
                                                      CALLOTHER  "LOCK "
                                                      $U6b80 :8 =  LOAD  ram (RSP )
                                                      $Ue8680 :8 =  COPY  $U6b80 :8
                                                      $U6b80 :8 =  COPY  R12
                                                      STORE  ram (RSP ), $U6b80 :8
                                                      R12  =  COPY  $Ue8680 :8
                                                      CALLOTHER  "UNLOCK "
       144db947e 48  8d  64  24  08                  LEA                RSP ,[RSP  + 0x8 ]
                                                      $U4e80 :8 =  INT_ADD  8:8, RSP
                                                      RSP  =  COPY  $U4e80 :8
       144db9483 ff  64  24  f8                     JMP                qword ptr [RSP  + -0x8 ]
                                                      $U4e80 :8 =  INT_ADD  -8 :8, RSP
                                                      $U12000 :8 =  LOAD  ram ($U4e80 :8)
                                                      BRANCHIND  $U12000 :8

and because of this, it struggles to recognize even simple jump with one target