killchain-compendium/reverse engineering/docs/deobfuscation.md

Deobfuscation

Principles of Obfuscation

  • Software obfuscation can be described with the theoretical layered model proposed by Hui Xu et al.

  • The layers, and what is obfuscated at each, are:

    • Code Element
      • Layout
      • Controls
      • Data
      • Classes
      • Methods
    • Software Component
    • Inter Component
      • Library calls
      • Used Resources
    • Application
      • DRM System
      • Neural Networks

Evading Static Rules

  • Critical data is obfuscated at the Code Element layer, which provides the following obfuscation methods:
    • Array Transformation
    • Data Encoding
    • Data Procedurization
    • Data Splitting & Merging

Splitting & Merging of Strings

  • Breaking a signature by changing how data is distributed inside the code

  • This may be done by modifying strings and functions through the following measures:

  • Joining

      "CAFFEE" + "BABE"

  • Reordering

      a = "BABE"
      b = "CAFFEE"
      f"{b}{a}"

  • Whitespace inside function definitions that the compiler does not interpret

      #include <stdio.h>

      int main ( void ) {
          printf ( "The answer is %d", 42 ) ;
          return 0 ;
      }

  • Adding ticks that are not interpreted

  • Changing the uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG

Adding Unnecessary Instructions

  • Obfuscation of the layout and control flow inside the code, using techniques such as:
  • Junk Stubs
  • Separation of Related Code
  • Stripping Redundant Symbols
  • Meaningless Identifiers
  • Converting Explicit to Implicit Instructions
  • Dispatcher-Based Control Flow Resolved at Runtime
  • Probabilistic Control Flows
  • Bogus Control Flows

Control Flow

  • Changing or extending the control flow of the code by altering its conditions
  • Such changes may be attached to arbitrary code segments by means of opaque predicates
  • An opaque predicate is a condition whose control path and value are known to the obfuscator but hard for the reverse engineer to determine

Protecting Data

  • Stripping and protecting:

    • Code Structure
    • Object names
    • File & Compilation Properties

  • To strip symbols:

      strip --strip-all <binary>

  • Check via nm, which should report no symbols once the binary is stripped:

      nm <binary>

Usage

  • Find a matching deobfuscator, e.g. de4dot for deobfuscating code protected with Dotfuscator
  • In the case of .NET: do not rely on Ghidra alone for reversing, use ILSpy as well