Deobfuscation
Principles of Obfuscation
Software obfuscation can be described with a layered model, following the taxonomy of Hui Xu et al.

These layers, and what each one obfuscates, are:
- Code Element
  - Layout
  - Controls
  - Data
  - Classes
  - Methods
- Software Component
  - Inter Component
  - Library calls
  - Used Resources
- Application
  - DRM System
  - Neural Networks
 
 
Evade Static Rules
- Critical data is obfuscated at the Code Element layer, which offers the following methods of obfuscation:
  - Array Transformation
  - Data Encoding
  - Data Procedurization
  - Data Splitting & Merging

Splitting & Merging of Strings
```python
a = "BABE"
b = "CAFFEE"
f"{b}{a}"  # evaluates to "CAFFEEBABE"; the joined value never appears as one literal
```
- Whitespace inside function calls and declarations, which the compiler does not interpret, can likewise be varied to defeat simple pattern matches:
```c
#include <stdio.h>

int main ( void ) {
    printf ( "The answer is %d", 42 ) ;
    return 0 ;
}
```
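Reversing the splitting above is a constant-folding problem: propagate string literals bound to names, fold `+` between literals, and collapse f-strings whose parts are all constant. The following is an added example written for these notes (not code from the notes or from Hui Xu et al.); it uses Python's `ast` module, assumes Python 3.9 or later for `ast.unparse`, and the `OBFUSCATED` sample is constructed here in the shape shown above.

```python
import ast


class StringMerger(ast.NodeTransformer):
    """Undo string splitting & merging by folding constants back together.

    Handles three shapes obfuscated code commonly uses:
      * "CAF" + "FEE"                  (BinOp on two str constants)
      * f"{b}{a}" with a, b constants  (JoinedStr whose parts are all constant)
      * names bound once to a str literal earlier in the same straight-line code
    Assumption: straight-line code. A name rebound inside a branch or loop is not tracked.
    """

    def __init__(self):
        self.consts = {}  # name -> str value from a simple `name = "..."` assignment

    @staticmethod
    def _str_const(node):
        return isinstance(node, ast.Constant) and isinstance(node.value, str)

    @staticmethod
    def _const(value, node):
        return ast.copy_location(ast.Constant(value=value, kind=None), node)

    def visit_Assign(self, node):
        self.generic_visit(node)  # fold the right-hand side first
        if (len(node.targets) == 1 and isinstance(node.targets[0], ast.Name)
                and self._str_const(node.value)):
            self.consts[node.targets[0].id] = node.value.value
        return node

    def visit_Name(self, node):
        # Propagate a known string constant into later uses (load context only).
        if isinstance(node.ctx, ast.Load) and node.id in self.consts:
            return self._const(self.consts[node.id], node)
        return node

    def visit_BinOp(self, node):
        self.generic_visit(node)  # inner concatenations fold first
        if (isinstance(node.op, ast.Add) and self._str_const(node.left)
                and self._str_const(node.right)):
            return self._const(node.left.value + node.right.value, node)
        return node

    def visit_JoinedStr(self, node):
        self.generic_visit(node)
        parts = []
        for part in node.values:
            if self._str_const(part):
                parts.append(part.value)
            elif (isinstance(part, ast.FormattedValue) and self._str_const(part.value)
                  and part.conversion == -1 and part.format_spec is None):
                parts.append(part.value.value)
            else:
                return node  # a genuinely dynamic piece: leave the f-string alone
        return self._const("".join(parts), node)


def merge_strings(source):
    """Return `source` with split string constants merged back together."""
    tree = StringMerger().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def recovered_strings(source):
    """Sorted string constants visible after merging: the values an analyst would
    put into signatures or indicator lists instead of the split fragments."""
    tree = ast.parse(merge_strings(source))
    return sorted({n.value for n in ast.walk(tree)
                   if isinstance(n, ast.Constant) and isinstance(n.value, str)})


# Constructed sample: the joined values never appear as one literal in the source.
OBFUSCATED = '''
a = "BABE"
b = "CAFFEE"
marker = f"{b}{a}"
url = "htt" + "p://" + "exa" + "mple.invalid"
'''

if __name__ == "__main__":
    print(merge_strings(OBFUSCATED))
    print(recovered_strings(OBFUSCATED))
```

Run on the sample, the third statement becomes `marker = 'CAFFEEBABE'` and the fourth `url = 'http://example.invalid'`, which is what a static string scan would have matched had the author not split them; an f-string with a non-constant part is left untouched.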
Adding Unnecessary Instructions
- Obfuscation of layout and controls inside the code:
  - Junk Stubs
  - Separation of Related Code
  - Stripping Redundant Symbols
  - Meaningless Identifiers
  - Converting Explicit to Implicit Instructions
  - Dispatcher Based Controls Executed During Runtime
  - Probabilistic Control Flows
  - Bogus Control Flows
Control Flow
- Changing or adding to the flow of the code by altering its conditions
- Such changes may be attached to arbitrary code segments by Opaque Predicates
- An Opaque Predicate is a condition whose control path and value are known to the obfuscator when it is inserted but hard for the reverse engineer to determine
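The bogus control flows and opaque predicates described above can be illustrated, and partially undone, with a probing pass: evaluate each `if` condition over many integer inputs, and where the outcome never changes, keep only the branch that actually runs. This is an added example written for these notes (not code from the notes or from Hui Xu et al.); it assumes Python 3.9 or later for `ast.unparse`, and the `OBFUSCATED` function, the probe values and the trial count are constructed here. Sampling cannot prove a predicate invariant, so the verdicts are hints for the analyst, not proofs.

```python
import ast
import random

# Constructed probe values: edge cases plus a dense band around zero.
PROBES = [-2**31, -65537, -256, 255, 256, 65536, 2**31 - 1] + list(range(-40, 41))
TRIALS = 500  # random trials for predicates over more than one variable
_ALLOWED = (ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp, ast.Constant, ast.Name,
            ast.operator, ast.cmpop, ast.unaryop, ast.boolop, ast.expr_context)


def classify_predicate(test):
    """Probe `test` over integer inputs.

    Returns True or False when every probe gives that same outcome (a likely opaque
    predicate), or None when the outcome varies or the test is not a pure integer
    expression over plain names (calls, attributes, subscripts, str constants, and
    shifts/powers that could explode are refused rather than evaluated).
    """
    names = set()
    for node in ast.walk(test):
        if not isinstance(node, _ALLOWED) or isinstance(node, (ast.Pow, ast.LShift)):
            return None
        if isinstance(node, ast.Constant) and type(node.value) not in (int, bool):
            return None
        if isinstance(node, ast.Name):
            names.add(node.id)
    if not names:
        return None
    code = compile(ast.fix_missing_locations(ast.Expression(body=test)), "<probe>", "eval")
    rng = random.Random(1234)  # fixed seed keeps the verdicts reproducible
    names = sorted(names)
    if len(names) == 1:
        envs = ({names[0]: v} for v in PROBES)
    else:
        envs = ({n: rng.choice(PROBES) for n in names} for _ in range(TRIALS))
    outcomes = set()
    for env in envs:
        try:
            outcomes.add(bool(eval(code, {"__builtins__": {}}, env)))
        except (ArithmeticError, TypeError):
            return None  # e.g. division by zero: not safely classifiable
        if len(outcomes) > 1:
            return None  # a genuine, input-dependent condition
    return outcomes.pop()


class BogusBranchRemover(ast.NodeTransformer):
    """Replace `if <opaque>: A else: B` by the branch that actually executes."""

    def __init__(self):
        self.decisions = []  # (predicate source, verdict), for the analyst's notes

    def visit_If(self, node):
        self.generic_visit(node)  # simplify nested ifs first
        verdict = classify_predicate(node.test)
        if verdict is None:
            return node
        self.decisions.append((ast.unparse(node.test), verdict))
        return node.body if verdict else node.orelse  # a list splices into the parent


def remove_bogus_branches(source):
    """Return (simplified source, decisions). Bodies emptied by the rewrite get `pass`."""
    remover = BogusBranchRemover()
    tree = remover.visit(ast.parse(source))
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.If, ast.For, ast.While, ast.With)) \
                and not node.body:
            node.body.append(ast.Pass())
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), remover.decisions


# Constructed sample: x*(x+1) is always even, and 7x^2 - 1 is never a perfect square
# (-1 is not a quadratic residue mod 7), so the first two tests are opaque; the third
# is a genuine condition and must survive.
OBFUSCATED = '''
def check(x, n):
    if (x * x + x) % 2 == 0:
        r = x + n
    else:
        r = x ^ 90
    if 7 * x * x - 1 == n * n:
        r = r - 1
    if n > 0:
        return r
    return -r
'''

if __name__ == "__main__":
    simplified, decisions = remove_bogus_branches(OBFUSCATED)
    print(simplified)
    print(decisions)
```

On the sample this leaves `r = x + n` followed by the genuine `if n > 0:` check, and records the two predicates with their verdicts. Because the pass evaluates conditions from the analysed file, it refuses anything beyond arithmetic and comparisons on plain names; keep that whitelist when adapting it.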
Protecting Data
- Stripping and protecting:
  - Code Structure
  - Object names
  - File & Compilation Properties

To strip symbols:
```shell
strip --strip-all <binary>
```
Usage
- Find a deobfuscator that matches the obfuscator, e.g. de4dot for deobfuscating assemblies protected with Dotfuscator
- In case of .NET: do not rely on Ghidra alone for reversing, use ILSpy as well