husk/build/reverse engineering/docs/deobfuscation.html

<!doctype html>
<html lang="en">
    <center>
    <head>
        
    
        <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
        <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
        <script type="text/javascript" src="/static/js/auto-complete.js"></script>
        <script type="text/javascript" src="/static/js/lunr.min.js"></script>
        <script type="text/javascript" src="/static/js/search.js"></script>
        <link rel="stylesheet" href="/static/stylesheet.css">
        <link rel="stylesheet" href="/static/auto-complete.css">
        <br>
        <title>The Real Hugo</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        

    </head>
    <body>
        <!-- topmenu -->
    <div class="menu">
    <a href="/" style="text-decoration:none">Husk</a>
    </div>
    <div class="search-container">    
        <label for="search-by"><i class="fas fa-search"></i></label>
        <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
        <!--button type="submit"><i class="search"></i>&#128269;</button>-->
        <span data-search-clear=""><i class="fas fa-times"></i></span>
    </div>

</div>
    <div class="menu">
    </div>
    <!--br><br-->
    </center>
<p></p>
        <div class="columns">
        <!-- Sidebar -->
<div class="column column-1">
  <ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
</ul>
</div>
<div class="column column-2"> 
       <span class="body">
           <style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#deobfuscation">Deobfuscation</a><ul>
<li><a href="#principles-of-obfuscation">Principles of Obfuscation</a></li>
<li><a href="#evade-statical-rules">Evade Statical Rules</a><ul>
<li><a href="#splitting-merging-of-strings">Splitting &amp; Merging of Strings</a></li>
<li><a href="#adding-unnecessary-instructions">Adding Unnecessary Instructions</a></li>
<li><a href="#control-flow">Control Flow</a></li>
<li><a href="#protecting-data">Protecting Data</a></li>
</ul>
</li>
<li><a href="#usage">Usage</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="deobfuscation">Deobfuscation</h1>
<h2 id="principles-of-obfuscation">Principles of Obfuscation</h2>
<ul>
<li>
<p>Software obfuscation may be divided into a theoretical layered approach, done by <a href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf">Hui Xu et. al</a></p>
</li>
<li>
<p>These layers and what's obfuscated are:</p>
<ul>
<li><strong>Code Element</strong><ul>
<li>Layout</li>
<li>Controls</li>
<li>Data</li>
<li>Classes</li>
<li>Methods</li>
</ul>
</li>
<li><strong>Software Component</strong></li>
<li><strong>Inter Component</strong><ul>
<li>Library calls</li>
<li>Used Resources</li>
</ul>
</li>
<li><strong>Application</strong><ul>
<li>DRM System</li>
<li>Neural Networks</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="evade-statical-rules">Evade Statical Rules</h2>
<ul>
<li>Critical data is obfuscated by the <strong>Code Element</strong> layer which contains the following methods of obfuscation<ul>
<li><strong>Array Transformation</strong></li>
<li><strong>Data Encoding</strong></li>
<li><strong>Data Procedurization</strong></li>
<li><strong>Data Splitting &amp; Merging</strong></li>
</ul>
</li>
</ul>
<h3 id="splitting-merging-of-strings">Splitting &amp; Merging of Strings</h3>
<ul>
<li>Breaking signature by modifying data distribution inside the code</li>
<li>
<p>This may be done by modifying strings and functions through following measures</p>
</li>
<li>
<p><strong>Joining</strong></p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="s2">&quot;CAFFEE&quot;</span> <span class="o">+</span> <span class="s2">&quot;BABE&quot;</span>
</code></pre></div>

<ul>
<li><strong>Reordering</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">a</span> <span class="o">=</span> <span class="s2">&quot;BABE&quot;</span>
<span class="n">b</span> <span class="o">=</span> <span class="s2">&quot;CAFFEE&quot;</span>
<span class="sa">f</span><span class="s2">&quot;</span><span class="si">{</span><span class="n">b</span><span class="si">}{</span><span class="n">a</span><span class="si">}</span><span class="s2">&quot;</span>
</code></pre></div>

<ul>
<li><strong>Whitespaces of functions which are not interpreted</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="n">printf</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="s">&quot;The answer is %d&quot;</span><span class="p">,</span><span class="w"> </span><span class="mi">42</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>

<ul>
<li>
<p><strong>Adding ticks which are not interpreted</strong></p>
</li>
<li>
<p><strong>Change <code>uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG</code></strong></p>
</li>
</ul>
<h3 id="adding-unnecessary-instructions">Adding Unnecessary Instructions</h3>
<ul>
<li>Obfuscation of layout and controls inside the code</li>
<li><strong>Junk Stubs</strong></li>
<li><strong>Separation of Related Code</strong></li>
<li><strong>Stripping Redundant Symbols</strong></li>
<li><strong>Meaningless Identifiers</strong></li>
<li><strong>Converting Explicit to Implicit Instructions</strong></li>
<li><strong>Dispatcher Based Controls Executed During Runtime</strong></li>
<li><strong>Probabilistic Control Flows</strong></li>
<li><strong>Bogus Control Flows</strong></li>
</ul>
<h3 id="control-flow">Control Flow</h3>
<ul>
<li>Changing or adding to the flow of the code through change of conditions</li>
<li>Changes may be set to arbitrary code segments by <strong>Opaque Predicates</strong></li>
<li>An <strong>Opaque Predicate</strong> is a control path and value known by the obfuscater and hard to find out by the reverse engineer</li>
</ul>
<h3 id="protecting-data">Protecting Data</h3>
<ul>
<li>
<p>Stripping and protecting</p>
<ul>
<li><strong>Code Structure</strong></li>
<li><strong>Object names</strong></li>
<li><strong>File &amp; Compilation Properties</strong></li>
</ul>
</li>
<li>
<p>To strip symbols</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>strip --strip-all &lt;binary&gt;
</code></pre></div>

<ul>
<li>Check via</li>
</ul>
<div class="codehilite"><pre><span></span><code>nm &lt;binary&gt;
</code></pre></div>

<h2 id="usage">Usage</h2>
<ul>
<li>Find a deobfuscator like <a href="https://github.com/de4dot/de4dot.git">de4dot</a> for e.g. deobfuscating dotfuscator </li>
<li>In case of dotnet: <strong>Do not only use ghidra for reversing, use <a href="https://github.com/icsharpcode/ILSpy.git">ILSpy</a> as well</strong></li>
</ul>
        </span>
</div>
</div>
<div id="footer">
         
<p></p>
    <center>
            &copy; Stefan Friese
    </center>
            
        </div>

        <script>
    function linkClick(obj) {
       if (obj.open) {
           //console.log('open');
                       if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
                           sessionStorage.removeItem(obj.id);
                       }
           sessionStorage.setItem(obj.id,"open");
           console.log(obj.id);
       } else {
           //console.log('closed');
            sessionStorage.removeItem(obj.id);
      }
    }

    let _keys = Object.keys(sessionStorage);
    if (_keys) {
       for ( let i = 0; i < _keys.length; i++ ) {
            document.getElementById(_keys[i])['open'] = 'open';
       }
    }
</script>            
    <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
    <script type="text/x-mathjax-config">
    MathJax.Hub.Config({
      config: ["MMLorHTML.js"],
      jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
      extensions: ["MathMenu.js", "MathZoom.js"]
    });
    </script>
    </body>
</html>
init 2022-09-02 09:05:59 +02:00			`<!doctype html>`
			`<html lang="en">`
			`<center>`
			`<head>`


			`<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>`
			`<script type="text/javascript" src="/static/js/auto-complete.js"></script>`
			`<script type="text/javascript" src="/static/js/lunr.min.js"></script>`
			`<script type="text/javascript" src="/static/js/search.js"></script>`
init 2022-09-02 09:05:59 +02:00			`<link rel="stylesheet" href="/static/stylesheet.css">`
			`<link rel="stylesheet" href="/static/auto-complete.css">`
			`<br>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<title>The Real Hugo</title>`
init 2022-09-02 09:05:59 +02:00			`<meta name="viewport" content="width=device-width, initial-scale=1">`


			`</head>`
			`<body>`
			`<!-- topmenu -->`
			`<div class="menu">`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<a href="/" style="text-decoration:none">Husk</a>`
init 2022-09-02 09:05:59 +02:00			`</div>`
			`<div class="search-container">`
			`<label for="search-by"><i class="fas fa-search"></i></label>`
			`<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">`
			`<!--button type="submit"><i class="search"></i>🔍</button>-->`
			`<span data-search-clear=""><i class="fas fa-times"></i></span>`
			`</div>`

			`</div>`
			`<div class="menu">`
			`</div>`
			`<!--br><br-->`
			`</center>`
			`<p></p>`
			`<div class="columns">`
			`<!-- Sidebar -->`
			`<div class="column column-1">`
Added settings.toml 2022-09-09 15:41:05 +02:00			<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init 2022-09-02 09:05:59 +02:00			`</ul>`
			`</div>`
			`<div class="column column-2">`
			`<span class="body">`
			`<style>pre { line-height: 125%; }`
			`td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`.codehilite .hll { background-color: #2C3B41 }`
			`.codehilite .c { color: #546E7A; font-style: italic } /* Comment */`
			`.codehilite .err { color: #FF5370 } /* Error */`
			`.codehilite .esc { color: #89DDFF } /* Escape */`
			`.codehilite .g { color: #EEFFFF } /* Generic */`
			`.codehilite .k { color: #BB80B3 } /* Keyword */`
			`.codehilite .l { color: #C3E88D } /* Literal */`
			`.codehilite .n { color: #EEFFFF } /* Name */`
			`.codehilite .o { color: #89DDFF } /* Operator */`
			`.codehilite .p { color: #89DDFF } /* Punctuation */`
			`.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */`
			`.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */`
			`.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */`
			`.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */`
			`.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */`
			`.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */`
			`.codehilite .gd { color: #FF5370 } /* Generic.Deleted */`
			`.codehilite .ge { color: #89DDFF } /* Generic.Emph */`
			`.codehilite .gr { color: #FF5370 } /* Generic.Error */`
			`.codehilite .gh { color: #C3E88D } /* Generic.Heading */`
			`.codehilite .gi { color: #C3E88D } /* Generic.Inserted */`
			`.codehilite .go { color: #546E7A } /* Generic.Output */`
			`.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */`
			`.codehilite .gs { color: #FF5370 } /* Generic.Strong */`
			`.codehilite .gu { color: #89DDFF } /* Generic.Subheading */`
			`.codehilite .gt { color: #FF5370 } /* Generic.Traceback */`
			`.codehilite .kc { color: #89DDFF } /* Keyword.Constant */`
			`.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */`
			`.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */`
			`.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */`
			`.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */`
			`.codehilite .kt { color: #BB80B3 } /* Keyword.Type */`
			`.codehilite .ld { color: #C3E88D } /* Literal.Date */`
			`.codehilite .m { color: #F78C6C } /* Literal.Number */`
			`.codehilite .s { color: #C3E88D } /* Literal.String */`
			`.codehilite .na { color: #BB80B3 } /* Name.Attribute */`
			`.codehilite .nb { color: #82AAFF } /* Name.Builtin */`
			`.codehilite .nc { color: #FFCB6B } /* Name.Class */`
			`.codehilite .no { color: #EEFFFF } /* Name.Constant */`
			`.codehilite .nd { color: #82AAFF } /* Name.Decorator */`
			`.codehilite .ni { color: #89DDFF } /* Name.Entity */`
			`.codehilite .ne { color: #FFCB6B } /* Name.Exception */`
			`.codehilite .nf { color: #82AAFF } /* Name.Function */`
			`.codehilite .nl { color: #82AAFF } /* Name.Label */`
			`.codehilite .nn { color: #FFCB6B } /* Name.Namespace */`
			`.codehilite .nx { color: #EEFFFF } /* Name.Other */`
			`.codehilite .py { color: #FFCB6B } /* Name.Property */`
			`.codehilite .nt { color: #FF5370 } /* Name.Tag */`
			`.codehilite .nv { color: #89DDFF } /* Name.Variable */`
			`.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */`
			`.codehilite .w { color: #EEFFFF } /* Text.Whitespace */`
			`.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */`
			`.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */`
			`.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */`
			`.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */`
			`.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */`
			`.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */`
			`.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */`
			`.codehilite .sc { color: #C3E88D } /* Literal.String.Char */`
			`.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */`
			`.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */`
			`.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */`
			`.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */`
			`.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */`
			`.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */`
			`.codehilite .sx { color: #C3E88D } /* Literal.String.Other */`
			`.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */`
			`.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */`
			`.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */`
			`.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */`
			`.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */`
			`.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */`
			`.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */`
			`.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */`
			`.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */`
			`.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>`
			`<div class="column column-3">`
			`<ul>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<li><a href="#deobfuscation">Deobfuscation</a><ul>`
			`<li><a href="#principles-of-obfuscation">Principles of Obfuscation</a></li>`
			`<li><a href="#evade-statical-rules">Evade Statical Rules</a><ul>`
			`<li><a href="#splitting-merging-of-strings">Splitting & Merging of Strings</a></li>`
			`<li><a href="#adding-unnecessary-instructions">Adding Unnecessary Instructions</a></li>`
			`<li><a href="#control-flow">Control Flow</a></li>`
			`<li><a href="#protecting-data">Protecting Data</a></li>`
			`</ul>`
			`</li>`
			`<li><a href="#usage">Usage</a></li>`
			`</ul>`
			`</li>`
init 2022-09-02 09:05:59 +02:00			`</ul>`
			`</div>`
			`<h1 id="deobfuscation">Deobfuscation</h1>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<h2 id="principles-of-obfuscation">Principles of Obfuscation</h2>`
			`<ul>`
			`<li>`
			`<p>Software obfuscation may be divided into a theoretical layered approach, done by <a href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf">Hui Xu et. al</a></p>`
			`</li>`
			`<li>`
			`<p>These layers and what's obfuscated are:</p>`
			`<ul>`
			`<li><strong>Code Element</strong><ul>`
			`<li>Layout</li>`
			`<li>Controls</li>`
			`<li>Data</li>`
			`<li>Classes</li>`
			`<li>Methods</li>`
			`</ul>`
			`</li>`
			`<li><strong>Software Component</strong></li>`
			`<li><strong>Inter Component</strong><ul>`
			`<li>Library calls</li>`
			`<li>Used Resources</li>`
			`</ul>`
			`</li>`
			`<li><strong>Application</strong><ul>`
			`<li>DRM System</li>`
			`<li>Neural Networks</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`<h2 id="evade-statical-rules">Evade Statical Rules</h2>`
			`<ul>`
			`<li>Critical data is obfuscated by the <strong>Code Element</strong> layer which contains the following methods of obfuscation<ul>`
			`<li><strong>Array Transformation</strong></li>`
			`<li><strong>Data Encoding</strong></li>`
			`<li><strong>Data Procedurization</strong></li>`
			`<li><strong>Data Splitting & Merging</strong></li>`
			`</ul>`
			`</li>`
			`</ul>`
			`<h3 id="splitting-merging-of-strings">Splitting & Merging of Strings</h3>`
			`<ul>`
			`<li>Breaking signature by modifying data distribution inside the code</li>`
			`<li>`
			`<p>This may be done by modifying strings and functions through following measures</p>`
			`</li>`
			`<li>`
			`<p><strong>Joining</strong></p>`
			`</li>`
			`</ul>`
			`<div class="codehilite"><pre><span></span><code><span class="s2">"CAFFEE"</span> <span class="o">+</span> <span class="s2">"BABE"</span>`
			`</code></pre></div>`

			`<ul>`
			`<li><strong>Reordering</strong></li>`
			`</ul>`
			`<div class="codehilite"><pre><span></span><code><span class="n">a</span> <span class="o">=</span> <span class="s2">"BABE"</span>`
			`<span class="n">b</span> <span class="o">=</span> <span class="s2">"CAFFEE"</span>`
			`<span class="sa">f</span><span class="s2">"</span><span class="si">{</span><span class="n">b</span><span class="si">}{</span><span class="n">a</span><span class="si">}</span><span class="s2">"</span>`
			`</code></pre></div>`

			`<ul>`
			`<li><strong>Whitespaces of functions which are not interpreted</strong></li>`
			`</ul>`
			`<div class="codehilite"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>`
			`<span class="w"> </span><span class="n">printf</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="s">"The answer is %d"</span><span class="p">,</span><span class="w"> </span><span class="mi">42</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">;</span><span class="w"></span>`
			`<span class="p">}</span><span class="w"></span>`
			`</code></pre></div>`

			`<ul>`
			`<li>`
			`<p><strong>Adding ticks which are not interpreted</strong></p>`
			`</li>`
			`<li>`
			`<p><strong>Change <code>uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG</code></strong></p>`
			`</li>`
			`</ul>`
			`<h3 id="adding-unnecessary-instructions">Adding Unnecessary Instructions</h3>`
			`<ul>`
			`<li>Obfuscation of layout and controls inside the code</li>`
			`<li><strong>Junk Stubs</strong></li>`
			`<li><strong>Separation of Related Code</strong></li>`
			`<li><strong>Stripping Redundant Symbols</strong></li>`
			`<li><strong>Meaningless Identifiers</strong></li>`
			`<li><strong>Converting Explicit to Implicit Instructions</strong></li>`
			`<li><strong>Dispatcher Based Controls Executed During Runtime</strong></li>`
			`<li><strong>Probabilistic Control Flows</strong></li>`
			`<li><strong>Bogus Control Flows</strong></li>`
			`</ul>`
			`<h3 id="control-flow">Control Flow</h3>`
			`<ul>`
			`<li>Changing or adding to the flow of the code through change of conditions</li>`
			`<li>Changes may be set to arbitrary code segments by <strong>Opaque Predicates</strong></li>`
			`<li>An <strong>Opaque Predicate</strong> is a control path and value known by the obfuscater and hard to find out by the reverse engineer</li>`
			`</ul>`
			`<h3 id="protecting-data">Protecting Data</h3>`
			`<ul>`
			`<li>`
			`<p>Stripping and protecting</p>`
			`<ul>`
			`<li><strong>Code Structure</strong></li>`
			`<li><strong>Object names</strong></li>`
			`<li><strong>File & Compilation Properties</strong></li>`
			`</ul>`
			`</li>`
			`<li>`
			`<p>To strip symbols</p>`
			`</li>`
			`</ul>`
			`<div class="codehilite"><pre><span></span><code>strip --strip-all <binary>`
			`</code></pre></div>`

			`<ul>`
			`<li>Check via</li>`
			`</ul>`
			`<div class="codehilite"><pre><span></span><code>nm <binary>`
			`</code></pre></div>`

			`<h2 id="usage">Usage</h2>`
init 2022-09-02 09:05:59 +02:00			`<ul>`
			`<li>Find a deobfuscator like <a href="https://github.com/de4dot/de4dot.git">de4dot</a> for e.g. deobfuscating dotfuscator </li>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<li>In case of dotnet: <strong>Do not only use ghidra for reversing, use <a href="https://github.com/icsharpcode/ILSpy.git">ILSpy</a> as well</strong></li>`
init 2022-09-02 09:05:59 +02:00			`</ul>`
			`</span>`
			`</div>`
			`</div>`
			`<div id="footer">`

			`<p></p>`
			`<center>`
			`© Stefan Friese`
			`</center>`

			`</div>`

			`<script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`function linkClick(obj) {`
init 2022-09-02 09:05:59 +02:00			`if (obj.open) {`
Added settings.toml 2022-09-09 15:41:05 +02:00			`//console.log('open');`
init 2022-09-02 09:05:59 +02:00			`if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {`
			`sessionStorage.removeItem(obj.id);`
			`}`
Added settings.toml 2022-09-09 15:41:05 +02:00			`sessionStorage.setItem(obj.id,"open");`
			`console.log(obj.id);`
init 2022-09-02 09:05:59 +02:00			`} else {`
Added settings.toml 2022-09-09 15:41:05 +02:00			`//console.log('closed');`
			`sessionStorage.removeItem(obj.id);`
			`}`
			`}`
init 2022-09-02 09:05:59 +02:00
Added settings.toml 2022-09-09 15:41:05 +02:00			`let _keys = Object.keys(sessionStorage);`
			`if (_keys) {`
			`for ( let i = 0; i < _keys.length; i++ ) {`
			`document.getElementById(_keys[i])['open'] = 'open';`
			`}`
			`}`
init 2022-09-02 09:05:59 +02:00			`</script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>`
init 2022-09-02 09:05:59 +02:00			`<script type="text/x-mathjax-config">`
Added settings.toml 2022-09-09 15:41:05 +02:00			`MathJax.Hub.Config({`
			`config: ["MMLorHTML.js"],`
			`jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],`
			`extensions: ["MathMenu.js", "MathZoom.js"]`
			`});`
			`</script>`
init 2022-09-02 09:05:59 +02:00			`</body>`
			`</html>`