5 Code Obfuscation

2024-11-30 Admin 写评论

Hello, if you have any need, please feel free to consult us, this is my wechat: wx91due

5 Code Obfuscation
This work aims to study different obfuscation and deobfuscation methods Obfuscation of code can be used for different purposes, including protecting commercial code against reverse engineering and hiding program code from various anti-malware software.

Obfuscation can help protect intellectual property by making it difficult for unauthorized individuals or competitors to understand and replicate the underlying algorithms or logic in the code. Such ability is crucial for software companies who want to keep their unique ideas or programs safe.

It can be used to enforce strict licensing restrictions by making it more difficult to tamper with or remove license checks within the code. By obscuring crucial components of the licensing mechanism, developers can safeguard against the unauthorized utilization or dissemination of their software.

In online multiplayer games, obfuscation techniques can be used to make it difficult for players to manipulate or cheat in the game. By obfuscating critical game logic or data, developers can make it more challenging for players to gain an unfair advantage by modifying the code.

Code obfuscation can make reverse engineering or analysis more difficult, but it is not foolproof and can be circumvented by determined attackers with sufficient time and resources. Therefore, it should be considered as one layer of defense among other security measures.

Bidgoli (2006) [1] discusses the concept of code obfuscation, explaining that it involves the use of heuristic techniques to alter a program’s code to safeguard its privacy, as noted by Libes in 1993 [3]. This process turns the program into a complex and less intelligible version that is difficult to reverse-engineer, yet it maintains the original functionality. Further elaboration by Collberg and Thomborson in 2002 categorizes the methods of code obfuscation into lexical, control, and data transformations [2]. So, according to [1], lexical transformations are designed to alter the appearance of code to confuse potential attackers. In contrast, data transformations are focused on concealing the data structures of the program, and control transformations target the obfuscation of the program’s control flow by using opaque predicates. The area of lexical transformation in code is particularly intriguing, attracting interest in academic circles and among programming enthusiasts. This fascination is evident in competitions such as the International Obfuscated C Code Contest, which challenges participants to write intentionally obfuscated code. References such as the IOCCC and Mateas[4, 5] highlight the creative, albeit complex, approaches programmers take to creating such code. These competitions attest to the ingenuity and technical skill required to effectively obfuscate code, transforming programming into a blend of art and science. The transformation process is not simply a matter of changing variable names. It requiresa deep understanding of how to manipulate the syntax and structure of the code itself to  preserve its functionality while rendering its logic nearly indecipherable to the human eye.

There are several common approaches to code obfuscation, each with its own techniques and characteristics. Some common techniques include:

✧ Renaming: This involves renaming variables, functions, or classes in the code to non-descriptive or meaningless names, making it difficult to understand the purpose or functionality of the code by simply reading it.
✧ Control flow obfuscation: This technique involves altering the control flow of the program by introducing additional code constructs, such as jumps, loops, or conditional MSCT «PREPRINT» © 2023 DRAFT DRAFT DRAFTBRIEF OVERVIEW 171 statements, that are not necessary for the original functionality of the program. This can make the program flow appear convoluted and harder to follow.
✧ Code encryption: Code encryption involves encrypting portions of the code and including a decryption routine that dynamically decrypts and executes the encrypted code at runtime. This makes it more difficult for static analysis tools to understand the code’s functionality.
✧ Dead Code Insertion: Dead code is never executed during normal program execution and can be strategically inserted to confuse reverse engineers. This can make it more difficult to determine the critical parts of the code or understand its logic.
✧ String Encryption: String literals in code, such as error messages or API calls, can be encrypted and decrypted at runtime to make it more difficult for attackers to extract meaningful information from the code.
5.1 Brief overview
5.2 Individual assignments
5.2.1 C++ code obfuscation
✧ Visit https://tigress.wtf/ and download the obfuscation framework.
✧ Develop a program that contains functions, control flows, loops, structured programs, for example, a C implementation of a linked list, etc.
✧ Generate the binary code without optimization, investigate it, and try to identify all strings, control flows, loops, etc.
✧ Generate the binary code with -O1, -O2, -O3 optimization levels (for gcc), investigate it, compare with the unoptimized version, and try to identify all strings, control flows, loops, etc.
✧ Experiment with different obfuscation methods from the ‘tigress C obfuscator’ and compare the results.
5.2.2 Investigating Metasploit Code Obfuscation Methods

Go to the Using Metasploit/Getting Started/Nightly Installers page and install the

Metasploit framework for your system. On Windows, you can use the native package or a virtualized environment like Oracle VirtualBox, VMware Workstation or Player, and WSL.
✧ Visit https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html, generate a payload, and investigate it.
✧ Using a variant from table 5.1, encode the payload and compare it with the previous one.

Table 5.1: Obfuscator variants with their comments

Variant
Obfuscator
Comment
x86/xor_dynamic  
 Dynamic key XOR
x86/unicode_upper
Alpha2 Alphanumeric Unicode Uppercase
x86/unicode_mixed
Alpha2 Alphanumeric Unicode Mixed case
x86/shikata_ga_nai
Polymorphic XOR Additive Feedback
x86/opt_sub
Sub (optimized)
x86/nonupper
Non-Upper
x86/nonalpha
Non-Alpha
x86/jmp_call_additive
Jump/Call XOR Additive Feedback
x86/fnstenv_mov
Variable-length Fnstenv/mov Dword XOR
10 
x86/countdown 
Single-byte XOR Countdown
11 
x86/context_time 
time(2)-based  Context Keyed Payload
12 
x86/context_stat 
stat(2)-based  Context Keyed Payload
13 
x86/context_cpuid  
CPUID-based Context Keyed Payload
14 
x86/call4_dword_xor  
 Call+4 Dword XOR
15 
x86/bmp_polyglot
BMP Polyglot
16 
x86/bloxor 
BloXor - A Metamorphic Block Based XOR
17 
x86/avoid_utf8_tolower
Avoid UTF8/tolower
18 
x86/avoid_underscore_tolower 
Avoid underscore/tolower
19 
x86/alpha_upper Alpha2 
Alphanumeric Uppercase
20 
x86/alpha_mixed Alpha2
Alphanumeric Mixed case
21 
x86/add_sub
Add/Sub
22 
x64/zutto_dekiru
Zutto Dekiru
23 
x64/xor_dynamic
Dynamic key XOR
24  
 x64/xor
 XOR

References
[1] Hossien Bidgoli, ed. Handbook of information security.Vol. 3. Hoboken, NJ: John Wiley & Sons, 2006. 1008 pp. ISBN: 978-0-471-64832-1.

MSCT «PREPRINT» © 2023 DRAFT DRAFT DRAFTREFERENCES 173 

[2] C.S. Collberg and C. Thomborson.“Watermarking, tamper-proofing, and obfuscation - tools for software protection.” In: IEEE Transactions on Software Engineering 28.8 (Aug. 2002), pp. 735–746. DOI: 10.1109/tse.2002.1027797.

[3] Don Libes. Obfuscated C and other mysteries. Wiley professional computing. New York, NY: Wiley, 1993. 413 pp. ISBN: 978-0471578055.

[4] Michael Mateas and Nick Montfort. “A box, darkly: Obfuscation, weird languages, and code aesthetics.” In: Proceedings of the 6th Digital Arts and Culture Conference, IT University of Copenhagen. Vol. 144. 2005, p. 53.

[5] The International Obfuscated C Code Contest. 2023. 

发表评论

电子邮件地址不会被公开。 必填项已用*标注