added to deobfuscation
This commit is contained in:
parent 5236e6a477
commit 279f3f0c74
@ -1,4 +1,97 @@
# Deobfuscation

## Principles of Obfuscation

* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)

* These layers and what's obfuscated are:
* __Code Element__
* Layout
* Controls
* Data
* Classes
* Methods
* __Software Component__
* __Inter Component__
* Library calls
* Used Resources
* __Application__
* DRM System
* Neural Networks

## Evade Statical Rules

* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation
* __Array Transformation__
* __Data Encoding__
* __Data Procedurization__
* __Data Splitting & Merging__

### Splitting & Merging of Strings

* Breaking signature by modifying data distribution inside the code
* This may be done by modifying strings and functions through following measures

* __Joining__
```python
"CAFFEE" + "BABE"
```

* __Reordering__
```python
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
```

* __Whitespaces of functions which are not interpreted__
```c
int main ( void ) {
printf ( "The answer is %d", 42 ) ;
}
```

* __Adding ticks which are not interpreted__

* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__

### Adding Unnecessary Instructions

* Obfuscation of layout and controls inside the code
* __Junk Stubs__
* __Separation of Related Code__
* __Stripping Redundant Symbols__
* __Meaningless Identifiers__
* __Converting Explicit to Implicit Instructions__
* __Dispatcher Based Controls Executed During Runtime__
* __Probabilistic Control Flows__
* __Bogus Control Flows__


### Control Flow

* Changing or adding to the flow of the code through change of conditions
* Changes may be set to arbitrary code segments by __Opaque Predicates__
* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the reverse engineer

### Protecting Data

* Stripping and protecting
* __Code Structure__
* __Object names__
* __File & Compilation Properties__

* To strip symbols
```sh
strip --strip-all <binary>
```

* Check via
```sh
nm <binary>
```

## Usage

* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator
* In case of dotnet: Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well
* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
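Review bot: the __Joining__ example under "Splitting & Merging of Strings", `"CAFFEE" + "BABE"`, does not split anything in the shipped artifact: CPython constant-folds that concatenation at compile time, so the `.pyc` carries a single `"CAFFEEBABE"` constant and a signature on the joined string still matches; keep the parts in separate variables (as the __Reordering__ example already does) or assemble them at runtime, and say so in the bullet. The case-change bullet needs the same caveat: `uPpER aNd loWeRcAsE` only evades a rule when the consumer is case-insensitive (Windows command names, PowerShell cmdlets, HTTP header names); in a C or Python string literal it changes the data itself, not just its appearance. "Adding ticks which are not interpreted" has no example; name the interpreter, e.g. PowerShell, where the backtick escapes the following character so wh`oami still runs whoami. For the `nm <binary>` check, state the expected result: after `strip --strip-all` it reports `no symbols`, while `readelf -S` and `strings` still show section names and the `.comment` string, so add `--remove-section=.comment` if that matters. Minor wording: "Evade Statical Rules" should read "Evade Static Rules", "Hui Xu et. al" should be "Hui Xu et al.", "obfuscater" should be "obfuscator", and "dotfuscator" is the product name Dotfuscator.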