#1
Assembly obfuscation

In this topic I want to collect everything about methods/principles/algorithms of assembly code obfuscation. I'm sure that it will help not only me, but a lot of people reading this forum too.
Code obfuscation in a simple way is "Anti-Disasm"... but I don't want to use such a term. So... waiting for your replies about it. It will be nice to view some examples (tools, URLs, etc.). Thanks.
#2
Are you referring to anti-debugging tricks or anti-disassembling tricks or both??

The best way to prevent disassembling is to use self-modifying code. The only problem is most high level languages create code segments which are not writable. (I guess a work around could be MapViewOfFile but that would write the changes back to the exe file)

E.g. in Delphi this code would AV:

```delphi
asm
  mov ebp, offset @ChangeHere
  mov eax, $102356CB;        // something arbitrary
  xor eax, $80B3C65B;        // makes eax contain 4 NOPs (90909090)
  mov dword ptr [ebp], eax;  // overwrite the jmp @ScrewTheDisAsm (and push/pop pair) with NOPs so it does not execute
  // be careful of the PIQ at this point...
  // This is where the AV is generated, because you are not allowed to write
  // to the code segment in the default EXE
@ChangeHere:
  jmp @ScrewTheDisAsm
  push eax
  pop eax
  jmp @PastTheScrew
@ScrewTheDisAsm:
  // this is just garbage that looks like dynamic code
  pop ebx
  call ebx
  cmp edx, 1
  jne @ScrewTheDisAsm
  db $ea;  // first byte of a jmp opcode (IDA can correctly handle this most of the time)
           // but out of interest the bytes that follow @PastTheScrew are encoded as part
           // of the jmp
@PastTheScrew:
  // Carry on, Soldier
end;
```

Now if you edit the PE EXE file that Delphi produces and flag all the code segments as writable... this code should run fine!

Other much safer ways of fucking up dis-assms is to decode your code onto the stack and then make a jmp to esp... thus executing the code on the stack. ....... Etc etc

Nice topic... we should pursue this one further
#3
nice example... ;)

As you said 'IDA can correctly handle this most of the time'...

That's the main goal of obfuscation - prevent disassembling... But IDA in the hands of a skilled reverser can give very good results in such a way (example you gave)... Simplest way (as for me) is to change the output .asm listing of the compiled program and parse it. Hardest and more professional methods: write your own translator and write a VirtualMachine.

I'll describe the JUNKs technique (one of the simplest): we have some asm listing:

```asm
$L8547:
    mov eax, 1
    Junk1
    test eax, eax
    je $L8548
    Junk2
    mov ecx, DWORD PTR [ebp-64]
    mov dl, BYTE PTR [ecx+3]
    or dl, 128
```

and Junk1(2) are macros like:

```asm
Junk1 macro
    local @@y
    jmp @@y
    db 0BCh             ; first byte of a long instruction: a linear disassembler swallows the real code after it
@@y:
endm

Junk2 macro
    local @@1, @@2
    push offset @@1
    ret                 ; push/ret pair behaves like jmp @@1
    db 069h
@@1:
    push offset @@2
    ret
    db 0E8h
@@2:
endm
```

db 069h, 0E8h, 0BCh... etc - opcodes of long instructions. Most of the time IDA displays real JUNK in disasm.

Any other methods? Or tools?!
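To see exactly why the Junk1/Junk2 macros above confuse a disassembler, and what an analyst's tool has to do to recover, here is an added example (not code from the thread): a toy 32-bit x86 decoder for the handful of opcodes the listing uses, run over a constructed byte string that is the post's listing with both macros expanded. It is decoded twice, once as a naive linear sweep and once as a recursive traversal that follows control flow and treats a `push imm32` immediately followed by `ret` as a jump. The load address `BASE`, the sample bytes and the opcode subset are all assumptions of this example; SIB addressing and most opcodes are deliberately unsupported.

```python
"""Toy 32-bit x86 decoder run as a linear sweep and as a recursive traversal over
constructed code using the Junk1 (jmp over a stray opcode byte) and Junk2 (push
offset / ret followed by a stray byte) patterns. Added example, not code from the thread."""
from collections import namedtuple

BASE = 0x401000  # assumed load address of the constructed sample
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GRP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
# off/size: position and length in the buffer; flow: seq|jmp|cond|call|ret;
# target: branch target (or, for push imm32, the pushed value) as a buffer offset
Insn = namedtuple("Insn", "off size text flow target", defaults=("seq", None))

def _imm(b, i, n, signed=False):
    return int.from_bytes(b[i:i + n], "little", signed=signed)

def _modrm(b, i, regs):
    """(size, reg, operand text) for the ModRM group at b[i]; SIB forms are rejected."""
    mod, reg, rm = b[i] >> 6, (b[i] >> 3) & 7, b[i] & 7
    if mod == 3:
        return 1, reg, regs[rm]
    if rm == 4:
        raise ValueError("SIB addressing not supported by this toy decoder")
    if mod == 0:
        return (5, reg, f"[{_imm(b, i + 1, 4):#x}]") if rm == 5 else (1, reg, f"[{REG32[rm]}]")
    n = 1 if mod == 1 else 4
    return 1 + n, reg, f"[{REG32[rm]}{_imm(b, i + 1, n, True):+#x}]"

def decode(b, i):
    """Decode the one instruction at offset i; unknown opcodes become 'db'."""
    op = b[i]
    if op == 0xC3:
        return Insn(i, 1, "ret", "ret")
    if op in (0xEB, 0x74):  # jmp short / je short
        tgt, cond = i + 2 + _imm(b, i + 1, 1, True), op == 0x74
        return Insn(i, 2, f"{'je' if cond else 'jmp'} short {BASE + tgt:#x}", "cond" if cond else "jmp", tgt)
    if op == 0xE8:
        tgt = i + 5 + _imm(b, i + 1, 4, True)
        return Insn(i, 5, f"call {BASE + tgt:#x}", "call", tgt)
    if op == 0x68:  # push imm32: keep the value as a candidate jump target
        return Insn(i, 5, f"push {_imm(b, i + 1, 4):#x}", "seq", _imm(b, i + 1, 4) - BASE)
    if 0x50 <= op <= 0x57:
        return Insn(i, 1, f"push {REG32[op - 0x50]}")
    if 0xB8 <= op <= 0xBF:
        return Insn(i, 5, f"mov {REG32[op - 0xB8]}, {_imm(b, i + 1, 4):#x}")
    if op in (0x85, 0x8B, 0x8A, 0x69, 0x80):
        n, reg, rm = _modrm(b, i + 1, REG8 if op in (0x8A, 0x80) else REG32)
        if op == 0x85:
            return Insn(i, 1 + n, f"test {rm}, {REG32[reg]}")
        if op in (0x8B, 0x8A):
            return Insn(i, 1 + n, f"mov {(REG32 if op == 0x8B else REG8)[reg]}, {rm}")
        if op == 0x69:
            return Insn(i, 5 + n, f"imul {REG32[reg]}, {rm}, {_imm(b, i + 1 + n, 4):#x}")
        return Insn(i, 2 + n, f"{GRP1[reg]} {rm}, {b[i + 1 + n]:#x}")
    return Insn(i, 1, f"db {op:#x}")

def _decode_checked(b, i):
    """decode(), or None when unsupported or running past the end of the buffer."""
    try:
        insn = decode(b, i)
        return insn if i + insn.size <= len(b) else None
    except (IndexError, ValueError):
        return None

def linear_sweep(b):
    """Decode back-to-back from offset 0, the way a naive sweep does."""
    out, i = [], 0
    while i < len(b) and (insn := _decode_checked(b, i)) is not None:
        out.append(insn)
        i += insn.size
    return out

def recursive_traversal(b, start=0):
    """Decode only what control flow reaches; 'push imm32' directly followed by
    'ret' (the Junk2 pattern) is treated as 'jmp imm32' instead of a dead end."""
    seen, work = {}, [start]
    while work:
        i = work.pop()
        if i in seen or not 0 <= i < len(b) or (insn := _decode_checked(b, i)) is None:
            continue
        seen[i] = insn
        nxt = i + insn.size
        if insn.flow == "seq" and insn.target is not None and nxt < len(b) and b[nxt] == 0xC3:
            work.append(insn.target)  # push X / ret acts as jmp X; the ret itself is never decoded
        elif insn.flow != "ret":
            if insn.flow != "seq":
                work.append(insn.target)  # jmp, cond, call: follow the target
            if insn.flow != "jmp":
                work.append(nxt)          # everything but jmp also falls through
    return [seen[k] for k in sorted(seen)]

def hidden_from_linear_sweep(b):
    """Offsets of reachable instructions at which the linear sweep never starts."""
    lin = {x.off for x in linear_sweep(b)}
    return [x.off for x in recursive_traversal(b) if x.off not in lin]

# Constructed sample: the listing from the post with Junk1 and Junk2 expanded.
SAMPLE = bytes([
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB, 0x01,  # 0x00 mov eax,1 ; 0x05 jmp short 0x08 (Junk1)
    0xBC,                                      # 0x07 stray byte: opcode of mov esp, imm32
    0x85, 0xC0, 0x74, 0x17,                    # 0x08 test eax,eax ; 0x0A je 0x23
    0x68, 0x13, 0x10, 0x40, 0x00, 0xC3,        # 0x0C push offset 0x401013 ; 0x11 ret (Junk2)
    0x69,                                      # 0x12 stray byte: opcode of imul r32, r/m32, imm32
    0x68, 0x1A, 0x10, 0x40, 0x00, 0xC3,        # 0x13 push offset 0x40101A ; 0x18 ret
    0xE8,                                      # 0x19 stray byte: opcode of call rel32
    0x8B, 0x4D, 0xC0, 0x8A, 0x51, 0x03,        # 0x1A mov ecx,[ebp-0x40] ; 0x1D mov dl,[ecx+3]
    0x80, 0xCA, 0x80, 0xC3,                    # 0x20 or dl,0x80 ; 0x23 ret
])
```

Running `linear_sweep(SAMPLE)` shows the stray `0xBC` absorbing `test eax, eax` and `je` into a bogus `mov esp, 0x1774c085`, and the stray `0x69` and `0xE8` doing the same to the push/ret pairs and the real `mov ecx, [ebp-0x40]`; the sweep resynchronises by accident at `or dl, 0x80`, which is typical. `recursive_traversal(SAMPLE)` never touches the three stray bytes and recovers the original nine instructions, and `hidden_from_linear_sweep(SAMPLE)` lists exactly the offsets the sweep lost. The push/ret rule is the piece an analyst has to add by hand; a traversal that stops at every `ret` sees nothing past the first Junk2.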
#4
You hit the nail on the head.

The only way to effectively dis-assm this stuff is to use a virtual machine kinda environment or dump while debugging... Now as for junk macros... any opcode which is more than 1 byte can be turned into a junk opcode.... obviously the most effective are the really long ones like far calls and far jmps, but obscure 2-3 byte instructions work just as well...

I still think self-modifying code is the most effective way to beat dis-assming: write a full code generator like this pseudo code

```text
Data = array (0a, 85, de, 09, 87, 45, 34, 12)
@1:
    load data element
    xor it by key
    push onto stack
    loop @1
jmp to stack
```

so dis-asming this will just result in understanding the loading routine and not the XOR of the actual code stored in the DATA array. So basically all your program is, is a loader of stuff into areas of memory with jmps to that memory.... (ie using calls to allocmem() ) That would represent the best anti-dis-asm routines... unfortunately high level languages don't compile code like this... so you have two options

1. Write a compiler which does this.
2. Write / use an exe protection tool.

Now 1 is hard but the best bet in the long run and 2 is a fuck up cause you know that no matter how obscure the exe protector, somebody somewhere will always unpack it.....
#5
Last edited by ajron; 04-23-2004 at 05:21.
#6
Well then you should check this page:
www.mysz.org

That guy wrote a PhD thesis on program obfuscation. Although primarily aimed at the x86 architecture, this doc seems to cover the theory basics too. Quite useful and a nice read. You should also check the "links" section. You can find more info there.
#7
I just wanted to point out some links about this in general:
hxxp://www.woodmann.com/crackz/Tutorials/Anticrk.htm
hxxp://www.anticracking.sk/coding.html

And a must-have book by Pavol Cerven: Crackproof Your Software! You can get it as an online edition on Google somewhere... Googling can give you good results on this subject...

- Fr1c