2.5 KiB
2.5 KiB
Deobfuscation
Principles of Obfuscation
-
Software obfuscation may be divided into a theoretical layered approach, done by Hui Xu et. al
-
These layers and what's obfuscated are:
- Code Element
- Layout
- Controls
- Data
- Classes
- Methods
- Software Component
- Inter Component
- Library calls
- Used Resources
- Application
- DRM System
- Neural Networks
- Code Element
Evade Statical Rules
- Critical data is obfuscated by the Code Element layer which contains the following methods of obfuscation
- Array Transformation
- Data Encoding
- Data Procedurization
- Data Splitting & Merging
Splitting & Merging of Strings
-
Breaking signature by modifying data distribution inside the code
-
This may be done by modifying strings and functions through following measures
-
Joining
"CAFFEE" + "BABE"
- Reordering
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
- Whitespaces of functions which are not interpreted
int main ( void ) {
printf ( "The answer is %d", 42 ) ;
}
-
Adding ticks which are not interpreted
-
Change
uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG
Adding Unnecessary Instructions
- Obfuscation of layout and controls inside the code
- Junk Stubs
- Separation of Related Code
- Stripping Redundant Symbols
- Meaningless Identifiers
- Converting Explicit to Implicit Instructions
- Dispatcher Based Controls Executed During Runtime
- Probabilistic Control Flows
- Bogus Control Flows
Control Flow
- Changing or adding to the flow of the code through change of conditions
- Changes may be set to arbitrary code segments by Opaque Predicates
- An Opaque Predicate is a control path and value known by the obfuscater and hard to find out by the reverse engineer
Protecting Data
-
Stripping and protecting
- Code Structure
- Object names
- File & Compilation Properties
-
To strip symbols
strip --strip-all <binary>
- Check via
nm <binary>