Exetools

Decompiling the mov compiler (https://forum.exetools.com/showthread.php?t=18028)

chants 12-05-2016 07:09

Decompiling the mov compiler
 
Does anyone have a resource for unobfuscating, and hence making decompilation practical for, the output of the movfuscator?

Quote:

https://github.com/xoreaxeaxeax/movfuscator
Quote:

The M/o/Vfuscator (short 'o', sounds like "mobfuscator") compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.
The basic effects of the process can be seen in overview, which illustrates compiling a simple prime number function with gcc and the M/o/Vfuscator.
Inspired by "mov is Turing-complete" by Stephen Dolan

Quote:

Finding Turing-completeness in unlikely places has long been a pastime of bored computer scientists.
Quote:

Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler.
;)

Quote:

http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
It is an interesting topic, since it looks like obfuscation is ahead of deobfuscation, and quite significantly so, given this and other AES-based schemes out there.

mr.exodia 12-05-2016 08:11

Most likely it has to do with the fact that writing obfuscators is very profitable and writing deobfuscators is a huge chore and not very profitable at all, especially to release in public.

t3xc0d3 12-08-2016 08:53

The movfuscator and its variations are mostly broken. For instance, have a look at this talk:

description: https://recon.cx/2016/talks/%22Movfuscator-Be-Gone.html
video: https://www.youtube.com/watch?v=d_R8i0dVBsQ
code: https://github.com/kirschju/demovfuscator
thesis/writeup: https://kirschju.re/static/ba_jonischkeit_2016.pdf

Others have broken the movfuscator earlier: https://twitter.com/tathanhdinh/status/634165703558434816

Symbolic execution is also quite successful on this kind of obfuscation. If you mix it with some taint analysis, there should not be much left. For great work on generic obfuscation, have a look at https://www.cs.arizona.edu/people/debray/Publications/generic-deobf.pdf .

Hyper-V 12-08-2016 21:16

The thing about this kind of obfuscator is that:

1. Approaching a MoV'd binary *knowing* that it has been movfuscated makes it really easy, because you already know what you are dealing with, and on top of that, you have the source of the obfuscator - you don't have to spend a bunch of days reversing it just to get the idea of the obfuscation, because you already know it.
2. The obfuscation is not intelligent, but rather, it's almost a translation of instructions. If it can be done in one way, it can be done in another, right? Even more so if the source is public and all you have to do is see how it works.

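As an added illustration (this is not code from the movfuscator or demovfuscator projects, and not part of the thread), the toy Python mov-only machine below shows two of the building blocks behind mov-only compilation that the quoted README and Dolan's paper describe: an equality compare done purely by aliasing two stores onto the same memory cell, and a conditional store done by selecting the destination address from a table instead of branching. It then does what Hyper-V's second point implies: because the output is an instruction-by-instruction translation with fixed idioms, a short pattern matcher lifts it straight back to readable statements, which is the same idea demovfuscator applies at scale. The register names, the scratch/table/dummy addresses, the tuple encoding of `mov` forms and the unscaled single-value memory cells are all assumptions of this example, not the real tool's layout.

```python
"""Toy mov-only machine: shows the aliasing compare and the select-a-destination
store, then a pattern-based lift back to C-like statements.
Added example; not code from the movfuscator or demovfuscator projects.
All addresses and the instruction encoding below are assumptions of this toy."""

SCRATCH = 0x1000   # scratch region indexed by a data value (assumed layout)
TABLE   = 0x2000   # two-entry table: table[0] = dummy address, table[1] = real one
DUMMY   = 0x3000   # stores for the "branch not taken" case land here
DEST    = 0x4000   # the variable the conditional store targets

def run(program, regs, mem=None):
    """Execute straight-line mov instructions. Memory is a sparse dict of
    single cells (no x86 4-byte scaling, to keep the toy small).
    Forms: ("mov_ri", r, imm)  ("mov_mi", base|None, off, imm)
           ("mov_rm", r, base, off)  ("mov_mr", base, off, r)"""
    regs, mem = dict(regs), dict(mem or {})

    def ea(base, off):  # effective address; base None means absolute
        return (regs[base] if base is not None else 0) + off

    for ins in program:
        op = ins[0]
        if op == "mov_ri":
            _, r, imm = ins
            regs[r] = imm
        elif op == "mov_mi":
            _, b, off, imm = ins
            mem[ea(b, off)] = imm
        elif op == "mov_rm":
            _, r, b, off = ins
            regs[r] = mem.get(ea(b, off), 0)
        elif op == "mov_mr":
            _, b, off, r = ins
            mem[ea(b, off)] = regs[r]
        else:
            raise ValueError(op)
    return regs, mem

def mov_if_equal_store(value):
    """mov-only translation of:  if (x == y) *DEST = value;  with x in eax, y in ebx."""
    return [
        ("mov_mi", None, TABLE + 0, DUMMY),  # table[0]: where to store when x != y
        ("mov_mi", None, TABLE + 1, DEST),   # table[1]: where to store when x == y
        ("mov_mi", "eax", SCRATCH, 0),       # scratch[x] = 0
        ("mov_mi", "ebx", SCRATCH, 1),       # scratch[y] = 1; overwrites the 0 iff x == y
        ("mov_rm", "ecx", "eax", SCRATCH),   # ecx = scratch[x]  ->  1 iff x == y
        ("mov_rm", "esi", "ecx", TABLE),     # esi = table[ecx]  ->  DEST or DUMMY
        ("mov_ri", "edx", value),
        ("mov_mr", "esi", 0, "edx"),         # *esi = value; the "branch" is the address choice
    ]

def demo(x, y, value=0x42):
    """Run the snippet and return what ended up in DEST (None if untouched)."""
    _, mem = run(mov_if_equal_store(value), {"eax": x, "ebx": y})
    return mem.get(DEST)

def lift(program):
    """Pattern-match the two idioms back into readable statements."""
    tables = {}   # absolute immediate stores seen so far (the data tables)
    out, i = [], 0
    while i < len(program):
        ins = program[i]
        nxt = program[i + 1:i + 3]
        if ins[0] == "mov_mi" and ins[1] is None:       # table initialisation
            tables[ins[2]] = ins[3]
            i += 1
            continue
        # aliasing compare:  scratch[a] = 0 ; scratch[b] = 1 ; r = scratch[a]
        if (ins[0] == "mov_mi" and ins[3] == 0 and len(nxt) == 2
                and nxt[0][0] == "mov_mi" and nxt[0][2] == ins[2] and nxt[0][3] == 1
                and nxt[1][0] == "mov_rm" and nxt[1][2] == ins[1] and nxt[1][3] == ins[2]):
            out.append(f"{nxt[1][1]} = ({ins[1]} == {nxt[0][1]})")
            i += 3
            continue
        # select on a 0/1 flag through a known two-entry table:  r = table[flag]
        if ins[0] == "mov_rm" and ins[3] in tables and ins[3] + 1 in tables:
            t = ins[3]
            out.append(f"{ins[1]} = {ins[2]} ? {tables[t + 1]:#x} : {tables[t]:#x}")
            i += 1
            continue
        if ins[0] == "mov_ri":
            out.append(f"{ins[1]} = {ins[2]:#x}")
        elif ins[0] == "mov_mr":
            out.append(f"*({ins[1]} + {ins[2]:#x}) = {ins[3]}")
        else:
            out.append(repr(ins))
        i += 1
    return out

if __name__ == "__main__":
    print("x == y:", demo(5, 5), " x != y:", demo(5, 7))
    for line in lift(mov_if_equal_store(0x42)):
        print(line)
```

The lifter only knows two idioms, which is exactly the point: the obfuscator's translation is fixed and public, so each idiom is a signature rather than a puzzle, and the remaining work in a real tool is bookkeeping (tracking which scratch cells and tables belong to which source-level operation) rather than reverse engineering. Real movfuscator output also uses lookup tables for arithmetic and a single outer loop with an execution flag, which this toy does not model.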
