From 279f3f0c7469c055f2be375b6cf37a7827faa79e Mon Sep 17 00:00:00 2001 From: whx Date: Wed, 31 Aug 2022 15:10:08 +0200 Subject: [PATCH] added to deobfuscation --- reverse engineering/docs/deobfuscation.md | 95 ++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) diff --git a/reverse engineering/docs/deobfuscation.md b/reverse engineering/docs/deobfuscation.md index c6386b6..e5ee271 100644 --- a/reverse engineering/docs/deobfuscation.md +++ b/reverse engineering/docs/deobfuscation.md 
@@ -1,4 +1,97 @@ # Deobfuscation +## Principles of Obfuscation + +* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf) + +* These layers and what's obfuscated are: + * __Code Element__ + * Layout + * Controls + * Data + * Classes + * Methods + * __Software Component__ + * __Inter Component__ + * Library calls + * Used Resources + * __Application__ + * DRM System + * Neural Networks + +## Evade Statical Rules + +* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation + * __Array Transformation__ + * __Data Encoding__ + * __Data Procedurization__ + * __Data Splitting & Merging__ + +### Splitting & Merging of Strings + +* Breaking signature by modifying data distribution inside the code +* This may be done by modifying strings and functions through following measures + +* __Joining__ +```python +"CAFFEE" + "BABE" +``` + +* __Reordering__ +```python +a = "BABE" +b = "CAFFEE" +f"{b}{a}" +``` + +* __Whitespaces of functions which are not interpreted__ +```c +int main ( void ) { + printf ( "The answer is %d", 42 ) ; +} +``` + +* __Adding ticks which are not interpreted__ + +* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__ + +### Adding Unnecessary Instructions + +* Obfuscation of layout and controls inside the code +* __Junk Stubs__ +* __Separation of Related Code__ +* __Stripping Redundant Symbols__ +* __Meaningless Identifiers__ +* __Converting Explicit to Implicit Instructions__ +* __Dispatcher Based Controls Executed During Runtime__ +* __Probabilistic Control Flows__ +* __Bogus Control Flows__ + + +### Control Flow + +* Changing or adding to the flow of the code through change of conditions +* Changes may be set to arbitrary code segments by __Opaque Predicates__ +* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the 
reverse engineer + +### Protecting Data + +* Stripping and protecting + * __Code Structure__ + * __Object names__ + * __File & Compilation Properties__ + +* To strip symbols +```sh +strip --strip-all +``` + +* Check via +```sh +nm +``` + +## Usage + * Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator -* In case of dotnet: Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well +* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
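Review bot: the two shell examples under "Protecting Data" are incomplete as written, since `strip --strip-all` and `nm` both require a file operand; the snippets should read `strip --strip-all <binary>` and `nm <binary>`, and the "Check via" bullet should add that `nm` on a fully stripped ELF only reports "no symbols", whereas `nm -D <binary>` still lists the dynamic symbols that stripping cannot remove and that an analyst will still see. Smaller points in the same hunk: the C snippet under "Splitting & Merging of Strings" demonstrates whitespace in code layout rather than splitting a string and fits better under "Adding Unnecessary Instructions" or a layout heading; "Adding ticks which are not interpreted" has no example while its sibling bullets do; changing the case of a string, as in `uPpER aNd loWeRcAsE`, changes the string's value and only breaks a signature when the consumer compares case-insensitively, which the text should say; and three spelling fixes are needed, "Evade Statical Rules" to "Static", "et. al" to "et al.", and "obfuscater" to "obfuscator".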