Binary Obfuscation & Deobfuscation

Post on 16-Apr-2017

Transcript of Binary Obfuscation & Deobfuscation

By molgryn <molgryn@gmail.com>

What is obfuscation?

  Wally        = *REAL* code
  Other people = Dummy

Why?

  Can you guess what this code is for?

  To protect my code
  Programmers like it!
  but, malware developers like it too!

How?

  Data-flow obfuscation
    Dead-code insertion
    Substituting instructions

  Control-flow obfuscation
    Jump chains
    Opaque predicate
    Control-flow flattening

  Other techniques
    Self-modifying code
    Junk code
    VM-based obfuscation

Data-Flow Obfuscation

Data-Flow Obfuscation -Dead code insertion-

  What is 'dead code'? Instructions whose removal does not change the result:

    NOP

    PUSH EAX
    MOV EAX, 1
    POP EAX

    PUSH EAX
    ADD ESP, 4

    JMP A
    XOR EAX, 1
  A:

    MOV EAX, 1
    SUB EAX, 2
    MOV EAX, 3

Data-Flow Obfuscation -Substituting instructions-

  1 Instruction -> 'n' Instructions

    PUSH EAX       ->   SUB ESP, 4
                        MOV [ESP], EAX

                   ->   PUSH 1337
                        MOV [ESP], EAX

    MOV EAX, 1     ->   MOV EAX, 1000
                        SUB EAX, 999

                   ->   MOV EAX, 1000
                        XOR EAX, 1001

    MOV EAX, 1     ->   MOV EAX, 1000
                        ADD EAX, 1234
                        SUB EAX, 1337
                        XOR EAX, 1337
                        ADD EAX, 1337
                        SUB EAX, 3056

Control-Flow Obfuscation

Control-Flow Obfuscation -Jump chains-

  1 Code block -> 'n' Code blocks

  What is the next instruction?

    PUSH EBP
    MOV EBP, ESP
    SUB ESP, 0x4
    .
    .
    .

  Split into one block per instruction, chained by jumps:

    SUB ESP, 0x4
    JMP

    PUSH EBP
    JMP

    MOV EBP, ESP
    JMP

Control-Flow Obfuscation -Opaque predicate-

  It looks like a conditional branch,
  but it is always True
  (or always False).

    MOV EAX, 1
    CMP EAX, 0
    JNZ                   ; always taken

    CALL GetCommandLine
    CMP EAX, 0
    JNZ                   ; always taken: GetCommandLine does not return NULL

  Too easy, isn't it?

    (x * 2) % 2       == ?
    (x + 1)%2 + x%2   == ?
    (x**2 + x) % 2    == ?

  Answers:

    (x * 2) % 2       == 0
    (x + 1)%2 + x%2   == 1
    (x**2 + x) % 2    == 0

Control-Flow Obfuscation -Control-flow flattening-

  Blocks at different nesting levels
    ->  blocks at an equal nesting level

  Before / After: (control-flow graph diagrams)

Control-flow flattening + Jump chains + Opaque predicate

makes

Other techniques

Other techniques -Self-modifying code-

  Do you know 'Packer' or 'Protector'?

  A decoder loop runs first and rewrites the code at 0x401000 in place:

      MOV ECX, 0
    A:
      XOR [0x401000+ECX], 0x34
      INC ECX
      CMP ECX, 0x1000
      JL A
      NOP

    0x401000:  (encoded bytes)

  After the loop, 0x401000 holds the real code:

    0x401000:
      PUSH EBP
      MOV EBP, ESP
      .
      .
      .

Other techniques -Junk code-

  Anti-disassembly technique
    Linear sweep disassembler
    Recursive traversal disassembler
  It can be combined with others!

    B8 78 56 34 12 03 C3

  Read linearly, the bytes decode as:

    MOV EAX, 0x12345678
    ADD EAX, EBX

  But the B8 is a junk byte that a JMP steps over: a linear sweep decodes it as
  the start of a MOV, while recursive traversal follows the JMP to the real code.

    B8      <- junk byte
    JMP     <- skips it
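The two disassembly strategies from the slide, as an added example that is not part of the deck: a toy decoder for just the opcodes in the slide's byte string (plus short JMP, NOP and RET), a linear sweep and a recursive traversal run over a constructed buffer in which a short JMP steps over the junk byte B8. The byte layout and the JMP in front of it are assumptions made for the example; the deck does not give the surrounding bytes.

```python
from typing import Dict, List, Optional, Tuple

# Register names in ModRM/opcode order for 32-bit operands.
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# (length, text, branch target or None, falls through to the next instruction?)
Insn = Tuple[int, str, Optional[int], bool]

def decode(code: bytes, off: int) -> Insn:
    """Decode one instruction at `off`. Only the handful of opcodes that occur in
    the slide's byte string (plus short JMP, NOP and RET) are supported."""
    def need(n: int) -> None:
        if off + n > len(code):
            raise ValueError(f"truncated instruction at {off:#04x}")
    op = code[off]
    if op == 0x90:
        return 1, "NOP", None, True
    if op == 0xC3:
        return 1, "RET", None, False
    if op in (0xEB, 0x78):                       # JMP rel8 / JS rel8
        need(2)
        target = off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        mnem = "JMP" if op == 0xEB else "JS"
        return 2, f"{mnem} {target:#04x}", target, op == 0x78   # only JS may fall through
    if 0xB8 <= op <= 0xBF:                       # MOV r32, imm32
        need(5)
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return 5, f"MOV {REG32[op - 0xB8]}, {imm:#x}", None, True
    if op == 0x34:                               # XOR AL, imm8
        need(2)
        return 2, f"XOR AL, {code[off + 1]:#x}", None, True
    if op == 0x03:                               # ADD r32, r/m32 (register-direct only)
        need(2)
        modrm = code[off + 1]
        if modrm >> 6 != 0b11:
            raise ValueError("memory ModRM forms not supported in this toy decoder")
        return 2, f"ADD {REG32[(modrm >> 3) & 7]}, {REG32[modrm & 7]}", None, True
    raise ValueError(f"unsupported opcode {op:#04x} at {off:#04x}")

def linear_sweep(code: bytes) -> Dict[int, str]:
    """Decode from offset 0 to the end, one instruction after another, never
    looking at control flow. A junk byte drags the following real bytes into it."""
    out: Dict[int, str] = {}
    off = 0
    while off < len(code):
        try:
            n, text, _, _ = decode(code, off)
        except ValueError:
            out[off] = f"db {code[off]:#04x}"
            off += 1
            continue
        out[off] = text
        off += n
    return out

def recursive_traversal(code: bytes, entry: int = 0) -> Dict[int, str]:
    """Decode only what is reachable from `entry`, following jump targets and
    fall-through edges. The junk byte is never decoded because no path executes it."""
    out: Dict[int, str] = {}
    work: List[int] = [entry]
    while work:
        off = work.pop()
        if off in out or not 0 <= off < len(code):
            continue                      # already seen, or target outside the buffer
        try:
            n, text, target, falls = decode(code, off)
        except ValueError:
            out[off] = "(undecodable)"
            continue
        out[off] = text
        if falls:
            work.append(off + n)
        if target is not None:
            work.append(target)
    return out

def hidden_from_linear_sweep(code: bytes) -> List[int]:
    """Offsets of real (reachable) instructions that linear sweep never shows."""
    return sorted(set(recursive_traversal(code)) - set(linear_sweep(code)))

# Constructed sample: a short JMP that steps over the junk byte B8, followed by
# the slide's bytes 78 56 34 12 03 C3 and a RET. Not taken from a real binary.
SAMPLE = bytes.fromhex("EB 01 B8 78 56 34 12 03 C3 C3")

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive traversal", recursive_traversal(SAMPLE))):
        print(name)
        for off in sorted(listing):
            print(f"  {off:#04x}: {listing[off]}")
```

Linear sweep reports `MOV EAX, 0x12345678` at offset 2 and never sees the instructions at offsets 3 and 5; recursive traversal never decodes offset 2 at all, which is the overlap a reverser is looking for when a listing "looks wrong" after a short jump.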

Other techniques -VM-based obfuscation-

  A CPU executes assembly instructions.
  Custom CPU?

  The original assembly code is converted to 'byte code'.
  The byte code is executed by a *custom* CPU.

  Insert a custom CPU (virtual CPU) to execute the byte code.
  The original assembly code is removed;
  it is replaced with a jump to the custom CPU.

  Original:

    MOV EAX, 1337
    ADD EAX, 1337
    XOR EAX, 1337

  Byte code:

    setarg1 0xdeaddead
    get
    xorret1 0x12345678
    setarg1 ret1
    seteax
    . . .

  After obfuscation:

    JMP VCPU              ; where the original code was
    setarg1 0xdeaddead    ; byte code
    get
    xorret1 0x12345678
    setarg1 ret1
    seteax
    ......
    NEXT REAL-CODE

    VCPU                  ; the custom CPU

  Both bring the same result!
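A minimal VM-based obfuscation round trip, added here as an example and not taken from the deck: a translator that turns the slide's three instructions into byte code for a hypothetical stack-machine VCPU, the VCPU's fetch/dispatch loop, and the native reference semantics, so the "both bring the same result" claim can be checked. The opcode numbering and byte-code layout are invented for this example; they are not the deck's `setarg1`/`get`/`xorret1` encoding. For an analyst, the dispatch loop and handler table are the structure to recover first, since every handler's semantics must be understood before the byte code can be lifted back to native instructions.

```python
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF

# Constructed byte-code format for a hypothetical VCPU (not the deck's encoding):
# one opcode byte, followed by a 4-byte little-endian immediate for PUSH_IMM only.
PUSH_IMM, PUSH_EAX, ADD, XOR, POP_EAX, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF

def translate(native: List[Tuple[str, int]]) -> bytes:
    """The obfuscator's side: turn `MOV/ADD/XOR EAX, imm` into stack-machine
    byte code. Each native instruction becomes a short sequence of VCPU ops."""
    out = bytearray()
    for mnem, imm in native:
        if mnem == "MOV":
            out += bytes([PUSH_IMM]) + struct.pack("<I", imm) + bytes([POP_EAX])
        elif mnem in ("ADD", "XOR"):
            out += bytes([PUSH_EAX, PUSH_IMM]) + struct.pack("<I", imm)
            out += bytes([ADD if mnem == "ADD" else XOR, POP_EAX])
        else:
            raise ValueError(f"cannot translate {mnem}")
    out.append(HALT)
    return bytes(out)

def vcpu_run(bytecode: bytes, ctx: Dict[str, int]) -> Dict[str, int]:
    """The VCPU the obfuscated binary jumps to: a fetch/dispatch loop over a
    handler per opcode. Works on a copy of the register context and returns it."""
    ctx = dict(ctx)
    stack: List[int] = []
    pc = 0
    while True:
        op = bytecode[pc]
        pc += 1
        if op == PUSH_IMM:
            stack.append(struct.unpack_from("<I", bytecode, pc)[0])
            pc += 4
        elif op == PUSH_EAX:
            stack.append(ctx["EAX"])
        elif op == ADD:
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & MASK32)
        elif op == XOR:
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == POP_EAX:
            ctx["EAX"] = stack.pop()
        elif op == HALT:
            return ctx
        else:
            raise ValueError(f"bad opcode {op:#04x} at {pc - 1}")

def native_run(native: List[Tuple[str, int]], ctx: Dict[str, int]) -> Dict[str, int]:
    """Reference semantics of the original x86 instructions, for comparison."""
    ctx = dict(ctx)
    for mnem, imm in native:
        if mnem == "MOV":
            ctx["EAX"] = imm & MASK32
        elif mnem == "ADD":
            ctx["EAX"] = (ctx["EAX"] + imm) & MASK32
        elif mnem == "XOR":
            ctx["EAX"] = (ctx["EAX"] ^ imm) & MASK32
    return ctx

# The deck's example: MOV EAX, 1337 / ADD EAX, 1337 / XOR EAX, 1337
SLIDE_NATIVE = [("MOV", 1337), ("ADD", 1337), ("XOR", 1337)]

def both_bring_same_result(native=SLIDE_NATIVE) -> Tuple[int, int]:
    """(native EAX, VCPU EAX) after running the same program both ways."""
    start = {"EAX": 0}
    return native_run(native, start)["EAX"], vcpu_run(translate(native), start)["EAX"]

if __name__ == "__main__":
    print(translate(SLIDE_NATIVE).hex(" "))
    print(both_bring_same_result())
```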

Examples

  Example -Ransomware (reversing.kr)-
  Example -My own obfuscator-
  Example -Themida-

Deobfuscation: TIME TO SHOOT-THE-MOON

SHOOT-THE-MOON -Constant Propagation-

    X = 10              X = 10
    Y = X        ->     Y = 10
    Z = X + Y           Z = 10 + 10

SHOOT-THE-MOON -Constant Folding-

    X = 10              X = 10
    Y = 10       ->     Y = 10
    Z = 10 + 10         Z = 20

SHOOT-THE-MOON -Constant Propagation / Folding-

    X = 10                           X = 10
    Y = X        Propagation         Y = 10
    Z = X + Y        ->              Z = 10 + 10
    Y = Z                            Y = Z

    X = 10                           X = 10
    Y = 10       Folding             Y = 10
    Z = 10 + 10      ->              Z = 20
    Y = Z                            Y = Z

    X = 10                           X = 10
    Y = 10       Propagation         Y = 10
    Z = 20           ->              Z = 20
    Y = Z                            Y = 20

SHOOT-THE-MOON -Constant Propagation / Folding-

    mov eax, 0x1234
    shl eax, 0x10
    add eax, 0x4321
    jmp eax

  Propagation:

    mov eax, 0x1234     ; eax = 0x1234
    shl eax, 0x10       ; eax = 0x1234 << 0x10
    add eax, 0x4321
    jmp eax

  Folding:

    mov eax, 0x1234     ; eax = 0x1234
    shl eax, 0x10       ; eax = 0x12340000
    add eax, 0x4321
    jmp eax

  Propagation:

    mov eax, 0x1234     ; eax = 0x1234
    shl eax, 0x10       ; eax = 0x12340000
    add eax, 0x4321     ; eax = 0x12340000 + 0x4321
    jmp eax

  Folding:

    mov eax, 0x1234     ; eax = 0x1234
    shl eax, 0x10       ; eax = 0x12340000
    add eax, 0x4321     ; eax = 0x12344321
    jmp eax

  Propagation & Result:

    mov eax, 0x1234
    mov eax, 0x12340000
    mov eax, 0x12344321
    jmp 0x12344321

SHOOT-THE-MOON -Deadcode Removal-

  Removing meaningless code (values that are overwritten before they are used)

    X = 10                X = 10
    Y = 10       ->       Z = 20
    Z = 20                Y = 20
    Y = 20

    mov eax, 0x1234                  mov eax, 0x12344321
    mov eax, 0x12340000      ->      jmp 0x12344321
    mov eax, 0x12344321
    jmp 0x12344321
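The three passes the deck walks through by hand (constant propagation, constant folding, dead-code removal) as an added, runnable example; this is not the presenter's tool, and the textual instruction representation, the set of folded mnemonics and the "everything is live at the end of the block" assumption are choices made for this example. It reproduces the `mov/shl/add/jmp` walkthrough and also undoes the data-flow substitutions from the earlier slides (`MOV EAX, 1000 / ... / SUB EAX, 3056` back to a single `MOV EAX, 1`), since those are the same folding with the same dead-store cleanup.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

MASK32 = 0xFFFFFFFF
REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
REG_RE = re.compile(r"\b(?:E[A-D]X|E[SD]I|E[BS]P)\b")

# Arithmetic the folder understands; everything else is treated as opaque.
FOLD = {
    "ADD": lambda a, b: a + b,
    "SUB": lambda a, b: a - b,
    "XOR": lambda a, b: a ^ b,
    "SHL": lambda a, b: a << (b & 31),
}

def parse(asm: str) -> List[str]:
    """One instruction per line; upper-case, single spaces, ';' comments stripped."""
    out = []
    for line in asm.splitlines():
        line = line.split(";")[0].strip()
        if line:
            line = re.sub(r"\s+", " ", line).upper()
            out.append(re.sub(r"\s*,\s*", ", ", line))
    return out

def split(ins: str) -> Tuple[str, List[str]]:
    mnem, _, rest = ins.partition(" ")
    return mnem, [o for o in rest.split(", ") if o]

def value_of(tok: str, known: Dict[str, int]) -> Optional[int]:
    """Immediate, or register with a known constant -> its 32-bit value, else None."""
    try:
        return int(tok, 0) & MASK32
    except ValueError:
        return known.get(tok)

def propagate_and_fold(code: List[str]) -> List[str]:
    """Forward pass (the slides' Propagation / Folding): track registers whose value
    is a known constant and rewrite every instruction whose result is fully
    determined into a MOV of that constant, or a JMP to it."""
    known: Dict[str, int] = {}
    out: List[str] = []
    for ins in code:
        mnem, ops = split(ins)
        if mnem == "MOV" and len(ops) == 2 and ops[0] in REGS \
                and value_of(ops[1], known) is not None:
            known[ops[0]] = value_of(ops[1], known)
            out.append(f"MOV {ops[0]}, {known[ops[0]]:#x}")
        elif mnem in FOLD and len(ops) == 2 and ops[0] in known \
                and value_of(ops[1], known) is not None:
            known[ops[0]] = FOLD[mnem](known[ops[0]], value_of(ops[1], known)) & MASK32
            out.append(f"MOV {ops[0]}, {known[ops[0]]:#x}")
        elif mnem == "JMP" and ops and ops[0] in known:
            out.append(f"JMP {known[ops[0]]:#x}")
        else:
            # Conservative: an unmodelled instruction invalidates its first operand,
            # and a CALL invalidates everything.
            if ops and ops[0] in REGS:
                known.pop(ops[0], None)
            if mnem == "CALL":
                known.clear()
            out.append(ins)
    return out

def remove_dead_stores(code: List[str]) -> List[str]:
    """Backward liveness pass over one basic block (the slides' Deadcode Removal).
    Every register is assumed live at the block's end, since the JMP target may
    read it; a MOV whose destination is overwritten before any read is dropped."""
    live: Set[str] = set(REGS)
    kept: List[str] = []
    for ins in reversed(code):
        mnem, ops = split(ins)
        writes_reg = mnem in ("MOV", *FOLD) and bool(ops) and ops[0] in REGS
        dest = ops[0] if writes_reg else None
        reads = set(REG_RE.findall(" ".join(ops[1:] if dest else ops)))
        if mnem in FOLD and dest:
            reads.add(dest)              # ADD/SUB/XOR/SHL read their destination too
        if mnem == "MOV" and dest and dest not in live:
            continue                     # dead store: overwritten before anyone reads it
        if dest:
            live.discard(dest)
        live |= reads
        kept.append(ins)
    return list(reversed(kept))

def deobfuscate(asm: str) -> List[str]:
    return remove_dead_stores(propagate_and_fold(parse(asm)))

# The deck's example block (constructed input for this script).
SLIDE_EXAMPLE = """
    mov eax, 0x1234
    shl eax, 0x10
    add eax, 0x4321
    jmp eax
"""

if __name__ == "__main__":
    print("\n".join(deobfuscate(SLIDE_EXAMPLE)))
```

Running the script prints `MOV EAX, 0x12344321` followed by `JMP 0x12344321`, the deck's final result. The liveness pass is what keeps the last `MOV` in place: it cannot know whether the jump target reads EAX, so it must assume it does.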

SHOOT-THE-MOON -Code Replacement-

    PUSH EAX    ->    SUB ESP, 4
                      MOV [ESP], EAX

    POP EAX     ->    MOV EAX, [ESP]
                      ADD ESP, 4

    PUSH EAX                 SUB ESP, 4
    MOV EAX, 1337     ->     MOV [ESP], EAX
    POP EAX                  MOV EAX, 1337
                             MOV EAX, [ESP]
                             ADD ESP, 4

    SUB ESP, 4               SUB ESP, 4
    MOV [ESP], EAX           MOV [ESP], EAX
    MOV EAX, 1337     ->     MOV EAX, [ESP]
    MOV EAX, [ESP]           ADD ESP, 4
    ADD ESP, 4

    SUB ESP, 4               SUB ESP, 4
    MOV [ESP], EAX    ->     MOV [ESP], EAX
    MOV EAX, [ESP]           ADD ESP, 4
    ADD ESP, 4

    SUB ESP, 4
    MOV [ESP], EAX    ->     MOV [ESP-4], EAX
    ADD ESP, 4
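The code-replacement steps above as a small peephole rewriter, added here as an example rather than taken from the deck. Each slide's rewrite becomes one rule over a window of consecutive instructions (a regex per instruction, a guard, and the replacement); the rules are applied until nothing changes. The text-pattern representation and the rule set are choices made for this example; the rules generalise the slide's EAX case to any 32-bit register.

```python
import re
from typing import Callable, List, Sequence, Tuple

REG = r"(E[A-D]X|E[SD]I|E[BS]P)"
IMM = r"(0X[0-9A-F]+|[0-9]+)"

def parse(asm: str) -> List[str]:
    """Normalise spelling so the string patterns below match reliably."""
    lines = [re.sub(r"\s+", " ", l.strip()).upper() for l in asm.splitlines() if l.strip()]
    return [re.sub(r"\s*,\s*", ", ", l) for l in lines]

# A rule: regexes for a window of consecutive instructions, a guard over the
# regex matches, and a builder returning the replacement instructions.
Rule = Tuple[Sequence[str], Callable[[List[re.Match]], bool], Callable[[List[re.Match]], List[str]]]

RULES: List[Rule] = [
    # Canonicalise PUSH/POP into explicit stack arithmetic (the first two slides).
    ([rf"PUSH {REG}"], lambda m: True,
     lambda m: ["SUB ESP, 4", f"MOV [ESP], {m[0][1]}"]),
    ([rf"POP {REG}"], lambda m: True,
     lambda m: [f"MOV {m[0][1]}, [ESP]", "ADD ESP, 4"]),
    # A constant written to a register that the very next instruction overwrites
    # without reading it is a dead store (MOV EAX, 1337 disappears).
    ([rf"MOV {REG}, {IMM}", rf"MOV {REG}, (.+)"],
     lambda m: m[0][1] == m[1][1] and m[0][1] not in m[1][2],
     lambda m: [m[1][0]]),
    # A store to [ESP] immediately reloaded into the same register: drop the load.
    ([rf"MOV \[ESP\], {REG}", rf"MOV {REG}, \[ESP\]"],
     lambda m: m[0][1] == m[1][1],
     lambda m: [m[0][0]]),
    # Reserve a slot, store into it, release the slot: a store below ESP.
    (["SUB ESP, 4", rf"MOV \[ESP\], {REG}", "ADD ESP, 4"],
     lambda m: True,
     lambda m: [f"MOV [ESP-4], {m[1][1]}"]),
]

def apply_rules(code: List[str], rules: List[Rule] = RULES) -> List[str]:
    """Apply the rules at every window until a fixpoint is reached. This
    terminates because no rule produces a sequence that another rule expands."""
    code = list(code)
    changed = True
    while changed:
        changed = False
        for patterns, guard, build in rules:
            i = 0
            while i + len(patterns) <= len(code):
                matches = [re.fullmatch(p, code[i + k]) for k, p in enumerate(patterns)]
                if all(matches) and guard(matches):
                    code[i:i + len(patterns)] = build(matches)
                    changed = True          # re-examine the same position next
                else:
                    i += 1
    return code

def simplify(asm: str) -> List[str]:
    return apply_rules(parse(asm))

# The deck's example (constructed input for this script).
SLIDE_EXAMPLE = "PUSH EAX\nMOV EAX, 1337\nPOP EAX"

if __name__ == "__main__":
    print("\n".join(simplify(SLIDE_EXAMPLE)))
```

The guard on the dead-store rule is what keeps the rewriter honest: `MOV ECX, 5` followed by `MOV ECX, [ECX]` is left alone, because the second instruction reads the value the first one wrote.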

SHOOT-THE-MOON -Emulator-

  To defeat self-modifying code, etc.
    Pin
    Custom emulator

SHOOT-THE-MOON -SMT Solver-

  Compare (x * 2) % 2 and 0:

    (x * 2) % 2 == 0
    (x * 2) % 2 != 0
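How the opaque predicates from the earlier slides are classified, as an added example that is not the presenter's code. It serves both the opaque-predicate slides and this SMT slide: `classify_smt` poses the slide's two queries (is `pred` satisfiable, is `not pred` satisfiable) to z3 over a 32-bit bit-vector, and `classify_exhaustive` proves the same thing by enumeration at a reduced width when no solver is installed. The z3 dependency is optional and assumed to be the `z3-solver` package; the two extra predicates marked "constructed" are not from the deck and exist only to show the always-false and real-branch outcomes. Arithmetic is unsigned throughout, which is why `urem` is used rather than z3's signed `%`.

```python
from typing import Callable

try:
    import z3                       # optional: pip install z3-solver
except ImportError:                 # the exhaustive checker below needs no solver
    z3 = None

def urem(a, b):
    """Unsigned remainder for both plain ints and z3 bit-vectors (z3's % is signed)."""
    return a % b if isinstance(a, int) else z3.URem(a, b)

# Each predicate takes the variable x and the bit mask of the machine width, so the
# same definition serves the reduced-width enumeration and the 32-bit solver query.
Pred = Callable[[object, int], object]
PREDICATES: dict = {
    "(x * 2) % 2 == 0":      lambda x, m: urem((x * 2) & m, 2) == 0,
    "(x + 1)%2 + x%2 == 1":  lambda x, m: urem((x + 1) & m, 2) + urem(x, 2) == 1,
    "(x**2 + x) % 2 == 0":   lambda x, m: urem((x * x + x) & m, 2) == 0,
    "(x * 2) % 2 == 1":      lambda x, m: urem((x * 2) & m, 2) == 1,  # constructed: always false
    "x % 3 == 0":            lambda x, m: urem(x, 3) == 0,            # constructed: a real condition
}

ALWAYS_TRUE, ALWAYS_FALSE, REAL = "opaque: always true", "opaque: always false", "real branch"

def classify_exhaustive(pred: Pred, bits: int = 12) -> str:
    """Proof by enumeration at a reduced machine width: evaluate the predicate for
    every x in [0, 2**bits) with wrap-around at that width. A proof at that width only."""
    mask = (1 << bits) - 1
    outcomes = {bool(pred(x, mask)) for x in range(1 << bits)}
    if outcomes == {True}:
        return ALWAYS_TRUE
    if outcomes == {False}:
        return ALWAYS_FALSE
    return REAL

def classify_smt(pred: Pred, bits: int = 32) -> str:
    """The slide's approach: ask an SMT solver whether 'pred' and 'not pred' are
    each satisfiable over a bits-wide bit-vector. UNSAT for 'not pred' proves the
    branch is always taken; UNSAT for 'pred' proves it is never taken."""
    if z3 is None:
        raise RuntimeError("z3-solver not installed; use classify_exhaustive")
    x = z3.BitVec("x", bits)
    p = pred(x, (1 << bits) - 1)
    if z3.Solver().check(z3.Not(p)) == z3.unsat:
        return ALWAYS_TRUE
    if z3.Solver().check(p) == z3.unsat:
        return ALWAYS_FALSE
    return REAL

def classify(pred: Pred) -> str:
    """Prefer the solver (a proof at full width); fall back to enumeration."""
    return classify_smt(pred) if z3 is not None else classify_exhaustive(pred)

if __name__ == "__main__":
    for text, pred in PREDICATES.items():
        print(f"{text:24s} -> {classify(pred)}")
```

Once a branch is proved opaque, the unreachable side and the comparison feeding it become dead code and fall to the removal passes already shown; a predicate that comes back as a real branch is left alone.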

SHOOT-THE-MOON -Code Cloning-

  To break control-flow flattening
  Sharath K. Udupa, Deobfuscation: Reverse engineering obfuscated code

SHOOT-THE-MOON -Custom Disassembler-

  To see the deobfuscated code
  without any changes to the code itself

Q & A

Thanks! molgryn@gmail.com