Deobfuscation

Principles of Obfuscation

  • Software obfuscation can be described with a theoretical layered model proposed by Hui Xu et al.

  • These layers, and what each of them obfuscates, are:

    • Code Element
      • Layout
      • Controls
      • Data
      • Classes
      • Methods
    • Software Component
    • Inter Component
      • Library calls
      • Used Resources
    • Application
      • DRM System
      • Neural Networks

Evading Static Rules

  • Critical data is obfuscated at the Code Element layer, which covers the following methods of obfuscation:
    • Array Transformation
    • Data Encoding
    • Data Procedurization
    • Data Splitting & Merging

Splitting & Merging of Strings

  • Breaking signatures by changing how data is distributed inside the code

  • This may be done by modifying strings and functions through the following measures:

  • Joining
    "CAFFEE" + "BABE"
  • Reordering
    a = "BABE"
    b = "CAFFEE"
    f"{b}{a}"
  • Whitespace in function calls that the compiler does not interpret
    #include <stdio.h>
    int main ( void ) {
        printf ( "The answer is %d", 42 ) ;
        return 0 ;
    }
  • Adding ticks that are not interpreted
  • Changing uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG
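The following is an added example, not code from the compendium: it shows why a verbatim static rule misses a string that has been split, reordered through an f-string and case-mangled as described above, and how a defender-side normalisation (folding string-only expressions in the Python AST, then comparing case-insensitively) recovers it. It also canonicalises the whitespace variant of the C call so the rule and the sample compare equal. The obfuscated source and the signature "CAFFEEBABE" are constructed for the example; folding only top-level assignments and the crude whitespace regex are simplifying assumptions.

```python
import ast
import re
from typing import Optional

# Constructed sample of obfuscated Python source (not from the page): the
# signature string never appears as a single literal.
OBFUSCATED_SRC = '''
a = "BABE"
b = "cAfFeE"
x = "CAFF" + "EE" + a
y = f"{b}{a}"
'''

SIGNATURE = "CAFFEEBABE"  # constructed signature for the example


def naive_match(src: str) -> bool:
    """A plain static rule: does the signature appear verbatim in the source?"""
    return SIGNATURE in src


def _eval_str(node: ast.AST, env: dict) -> Optional[str]:
    """Evaluate a string-only expression tree; return None as soon as a
    sub-expression is not statically known (calls, unknown names, ...)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return env.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _eval_str(node.left, env), _eval_str(node.right, env)
        return None if left is None or right is None else left + right
    if isinstance(node, ast.JoinedStr):  # f-string: constants + {expr} parts
        parts = [_eval_str(v, env) for v in node.values]
        return None if any(p is None for p in parts) else "".join(parts)
    if isinstance(node, ast.FormattedValue):
        if node.conversion != -1 or node.format_spec is not None:
            return None  # !r / :spec would alter the text; give up
        return _eval_str(node.value, env)
    return None


def recover_strings(src: str) -> dict:
    """Fold split and reordered string literals in top-level assignments
    (assumption: simple 'name = expr' statements, evaluated in order)."""
    env: dict = {}
    for stmt in ast.parse(src).body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            value = _eval_str(stmt.value, env)
            if value is not None:
                env[stmt.targets[0].id] = value
    return env


def signature_hits(src: str) -> list:
    """Names whose folded, case-normalised value contains the signature."""
    return [name for name, value in recover_strings(src).items()
            if SIGNATURE in value.upper()]


def canon_c(snippet: str) -> str:
    """Canonicalise whitespace around C punctuation so that a rule and a
    whitespace-padded sample compare equal. Crude: it also touches spacing
    inside string literals, so apply it identically to rule and sample."""
    snippet = re.sub(r"\s*([(),;{}])\s*", r"\1", snippet)
    return re.sub(r"\s+", " ", snippet).strip()


if __name__ == "__main__":
    print("verbatim rule matches:", naive_match(OBFUSCATED_SRC))
    print("recovered strings    :", recover_strings(OBFUSCATED_SRC))
    print("signature hits       :", signature_hits(OBFUSCATED_SRC))
    rule = 'printf("The answer is %d", 42);'
    padded = 'printf ( "The answer is %d", 42 ) ;'
    print("whitespace-insensitive match:", canon_c(rule) == canon_c(padded))
```

The point for rule writers: a detection that matches on raw literals is defeated by any of the measures listed above, whereas matching on folded, case-normalised and whitespace-canonicalised values is not. Real obfuscators also build strings through calls and runtime decoding, which this static folder deliberately refuses to evaluate; FLOSS-style emulation (see Usage below) is the next step for those.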

Adding Unnecessary Instructions

  • Obfuscation of the layout and control structures inside the code:
  • Junk Stubs
  • Separation of Related Code
  • Stripping Redundant Symbols
  • Meaningless Identifiers
  • Converting Explicit to Implicit Instructions
  • Dispatcher Based Controls Executed During Runtime
  • Probabilistic Control Flows
  • Bogus Control Flows

Control Flow

  • Changing or extending the flow of the code by altering its conditions
  • Such changes may be attached to arbitrary code segments by means of Opaque Predicates
  • An Opaque Predicate is a condition whose outcome (and therefore the control path taken) is known to the obfuscator in advance, but is hard for the reverse engineer to determine
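An added example (not from the compendium) of what an opaque predicate looks like and how an analyst can gather evidence against one. Two constructed predicates are used: one that is always true (the product of two consecutive integers is always even) and one that is never true (7*y*y - 1 is congruent to 6 mod 7). A small checksum routine is wrapped in them, which also illustrates the "Bogus Control Flows" item above: the dead branches look plausible in a disassembly but never execute, so the obfuscated routine is equivalent to the plain one. The sampling-based classifier is a heuristic for triage, not a proof; the symbolic argument in the comments is what actually settles each predicate.

```python
def opaque_true(x: int) -> bool:
    # x*(x+1) multiplies two consecutive integers, one of which is even,
    # so the product is always even: the predicate is always true.
    return (x * (x + 1)) % 2 == 0


def opaque_false(y: int) -> bool:
    # 7*y*y - 1 is congruent to -1 (i.e. 6) mod 7 for every integer y,
    # so it is never divisible by 7: the predicate is always false.
    return (7 * y * y - 1) % 7 == 0


def transparent(z: int) -> bool:
    # A genuine condition whose outcome depends on the input.
    return z % 3 == 0


def plain_checksum(data: bytes, key: int) -> int:
    """Reference routine without obfuscation (constructed for the example)."""
    acc = 0
    for b in data:
        acc = (acc + (b ^ (key & 0xFF))) & 0xFFFF
    return acc


def obfuscated_checksum(data: bytes, key: int) -> int:
    """Same computation, guarded by opaque predicates. The 'else' and the
    second 'if' body are bogus control flow: they are never executed."""
    acc = 0
    for b in data:
        if opaque_true(key):                    # always taken
            acc = (acc + (b ^ (key & 0xFF))) & 0xFFFF
        else:                                   # dead branch (junk)
            acc = (acc * 31 + b) & 0xFFFF
        if opaque_false(acc):                   # never taken
            acc ^= 0xBEEF                       # dead branch (junk)
    return acc


def classify_predicate(pred, samples=range(-2048, 2048)) -> str:
    """Triage heuristic: evaluate a predicate over many inputs. A predicate
    that never changes value over a wide sample is a candidate opaque
    predicate worth proving (or SMT-solving) before its dead branch is
    removed from the recovered control flow."""
    seen = {bool(pred(v)) for v in samples}
    if seen == {True}:
        return "candidate-always-true"
    if seen == {False}:
        return "candidate-always-false"
    return "varies"


if __name__ == "__main__":
    for name, pred in (("opaque_true", opaque_true),
                       ("opaque_false", opaque_false),
                       ("transparent", transparent)):
        print(f"{name:13s}: {classify_predicate(pred)}")
    sample = b"hello"  # constructed input
    print("obfuscated == plain:",
          obfuscated_checksum(sample, 0x1234) == plain_checksum(sample, 0x1234))
```

When reading a disassembly, a branch condition built from arithmetic on a value that the function never otherwise needs is the usual tell; confirming it with a solver or a short proof lets the analyst delete the guarded junk and recover the plain routine.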

Protecting Data

  • Stripping and protecting
    • Code Structure
    • Object names
    • File & Compilation Properties
  • To strip symbols:
    strip --strip-all <binary>
  • Check the result via:
    nm <binary>

Usage

  • Find a deobfuscator that matches the obfuscator, e.g. de4dot for binaries protected with Dotfuscator

  • In case of .NET: do not only use Ghidra for reversing, use ILSpy as well

  • Another alternative is dnSpy

  • Use FLOSS for string deobfuscation via
    floss --no-static-strings $BINARY_FILE

Tools

Packers

  • UPX is a common packer; check whether the binary is packed with UPX. If so, use the upx CLI to unpack (decompress) the binary:
    upx -d <binary>

Demangler

Symbol names in the binary may be mangled and need to be demangled for better readability. For C++ symbols, use c++filt to demangle the names and data types:

c++filt _ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long)