whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Reverse Engineering/Deobfuscation.md

2.6 KiB
Raw Blame History

Deobfuscation

Principles of Obfuscation

  • Software obfuscation may be divided into a theoretical layered approach, done by Hui Xu et. al

  • These layers and what's obfuscated are:

    • Code Element
      • Layout
      • Controls
      • Data
      • Classes
      • Methods
    • Software Component
    • Inter Component
      • Library calls
      • Used Resources
    • Application
      • DRM System
      • Neural Networks

Evade Statical Rules

  • Critical data is obfuscated by the Code Element layer which contains the following methods of obfuscation
    • Array Transformation
    • Data Encoding
    • Data Procedurization
    • Data Splitting & Merging

Splitting & Merging of Strings

  • Breaking signature by modifying data distribution inside the code

  • This may be done by modifying strings and functions through following measures

  • Joining

"CAFFEE" + "BABE"
  • Reordering
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
  • Whitespaces of functions which are not interpreted
int main ( void ) {
    printf ( "The answer is %d", 42 ) ;
}

  • Adding ticks which are not interpreted

  • Change uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG

Adding Unnecessary Instructions

  • Obfuscation of layout and controls inside the code
  • Junk Stubs
  • Separation of Related Code
  • Stripping Redundant Symbols
  • Meaningless Identifiers
  • Converting Explicit to Implicit Instructions
  • Dispatcher Based Controls Executed During Runtime
  • Probabilistic Control Flows
  • Bogus Control Flows

Control Flow

  • Changing or adding to the flow of the code through change of conditions
  • Changes may be set to arbitrary code segments by Opaque Predicates
  • An Opaque Predicate is a control path and value known by the obfuscater and hard to find out by the reverse engineer

Protecting Data

  • Stripping and protecting

    • Code Structure
    • Object names
    • File & Compilation Properties

  • To strip symbols

strip --strip-all <binary>
  • Check via
nm <binary>

Usage

  • Find a deobfuscator like de4dot for e.g. deobfuscating dotfuscator

  • In case of dotnet: Do not only use ghidra for reversing, use ILSpy as well

  • Another alternative is dnSpy

  • Use Floss for string deobfuscation via

floss --no-static-strings $BINARY_FILE