SlideShare uma empresa Scribd logo

Applying Anti-Reversing Techniques to Machine Code

Teodoro Cipresso
Teodoro Cipresso

CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015

Software
1 de 41
Baixar para ler offline
CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Extreme care must be taken when applying anti-reversing techniques because most techniques ultimately change the machine code.  In the end, if a program does not run correctly, measuring how efficient or difficult to reverse engineer it is becomes meaningless [18].  Anti-reversing transformations performed on source code make a program more difficult to understand in both source and executable formats.  These transforms can expose compiler bugs because the program no longer looks like something a human would write.  [18] states “any compiler is going to have at least some pathological programs which it will not compile correctly.” 2
Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Compiler failures on “pathological” programs occur because compiler test cases are most often coded by people.  Test cases are not typically generated by some sophisticated tool that knows how to try every fringe case and surface every bug.  Therefore we should not be surprised if some compilers have difficulty with obfuscated source code.  We now investigate the technique Eliminating Symbolic Information as it applies to machine code.  We previously looked at this technique in Applying Anti-Reversing Techniques to Java Bytecode. 3
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Eliminating Symbolic Information calls for the removal of any meaningful symbolic information in machine code that is not important to the execution of the program, but serves to ease debugging or reuse of it by another program.  For example, if a Windows program references functions (methods) exported by one or more libraries (DLLs), the names of those methods will appear in the .idata (import data) section of the program binary.  In production versions of a program, the machine code doesn't directly contain any symbolic information from the original source code. In the executable:  Method names, variable names (etc..), and line numbers are all absent.  Only the machine instructions produced directly or indirectly by the compiler [9] are present. 4
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  This lack of information about the connection between the machine instructions and HLL source is unacceptable for purposes of debugging.  Therefore most modern compilers, like GCC, include an option to include debugging information into an executable.  The included debugging information allows a debugger to map one or more machine instructions back to a particular HLL statement [9].  To demonstrate symbolic information that is inserted into machine code to enable debugging of an application:  Calculator.cpp was compiled using the GNU C++ compiler (g++) with options to include debugging information and to generate assembly source instead of an executable (machine code). 5
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 6 Calculator.cpp
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  The GNU compiler stores debug information in the symbol tables (.stabs) section of the Windows PE header so that it will be loaded into memory as part of the program image.  The generated assembly language files CalculatorDebug.s on the next slide shows some of the debugging information inserted by GCC.  While this information is not a replacement for the original source code it does provide some helpful information to a reverser.  The GNU Project Debugger (GDB) is a source-level debugger and therefore must access the HLL source file to make use of the debugging information. 7
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 8 CalculatorDebug.cpp
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Debugging information can give plenty of hints to a reverse engineer, such as the count and type of parameters one must pass to a given method.  An obvious recommendation is to ensure the code is not compiled with debugging information before shipment to end-users.  The hunt for symbolic information doesn't end with information embedded by debuggers; actually it rarely begins there.  Eliminating symbolic information in machine code is difficult, therefore we’ll manually implement some familiar techniques to obfuscate the information.  First, we will take a detour to look at obfuscation of source code and what use cases it might address. 9
Applying Anti-Reversing Techniques to Machine Code Source Code Obfuscation  Obfuscating the Program calls for performing transformations to the source or machine code that would render either code extremely difficult to understand but functionally equivalent to the original.  When delivering software to customers, they may require the source code so that the product can be compiled using in-house build and audit procedures.  In the likely event that the source code contains intellectual property, it can be obfuscated without changing the the resultant machine code.  To demonstrate source code obfuscation, COBF [23], a free C/C++ source code obfuscator was configured and given Calculator.cpp.  Stunnix C/C++ is a commercial source code obfuscator. 10
11 cobf.h CalculatorObf.cpp
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  [19] states “Obfuscation of Java bytecode is possible for the same reasons that decompiling is possible: Java bytecode is standardized and well documented.”  Machine code is not standardized; instruction sets, formats, and program image layouts vary depending on the target platform architecture.  Tools to assist with obfuscating machine code are much more challenging to implement and expensive to acquire. (I have not found any free tools).  EXECryptor is an industrial-strength machine code obfuscator.  When applied to the machine code for the Password Vault application, EXECryptor rendered it extremely difficult to understand.  EXECryptor fails to start in Windows 8.1 due to an anti-debug error. 12
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  Direct machine code obfuscations can be hard to analyze or follow, so we'll perform obfuscations at the source code level and observe differences in the assembly code generated by the GNU C/C++ compiler.  Success is achieved when an obfuscated program has the same functionality as the original, but is more difficult to understand during live or static analysis.  There are no standards for code obfuscation, but it's relatively important to ensure that the obfuscations applied to a program are not easily undone because deobfuscation tools can be used to eliminate easily identified obfuscations [5].  We now look at the source and disassembly for VerifyPassword.cpp, a simple C++ program that contains a simple if-test for a password.  We then embed a simple cipher to protect sensitive constants. 13
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 14 VerifyPassword.cpp
15 .text section .rdata section
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 16 VerifyPasswordObf.cpp
17 .text section .rdata section
18 http://www.frida.re/
19 Run As Admin Python Editor
20 Dump of .rdata Start @ 0x443000 Run exe in new window
21 Run Frida Script Plaintext extracted
22 Run As Admin Python Editor
23 Run exe in new window Dump of .rdata Start @ 0x445000
24 Run Frida Script Ciphertext extracted
25 http://www.frida.re/
26 max.c We want to call max() dynamically using Frida Keep the program resident
27 Debug statements from int max(x,y) function
28 Run max.exe using OllyDbg File->Open Specify arguments
29 int max(x,y) 0x4012F0 X >= Y ?
30
31 Run max.exe in new window max.exe stays resident
32 Run max.py 2x to invoke max(x,y) in max.exe
33 Applying Anti-Reversing Techniques to Machine Code Password Vault Anti-Reversing Exercise  The machine code anti-reversing exercise asks one to create a new executable version of the Password Vault application where the following transformations are applied:  Encryption of string literals (data obfuscation).  Obfuscation of the numeric representation of the password record limit (computation obfuscation).  Obfuscation of the method that performs the record limit check (control flow obfuscation). Contains both unobfuscated and Obfuscated source
34 Applying Anti-Reversing Techniques to Machine Code Data Obfuscation  Encryption of String Literals (data obfuscation): Strings are decrypted each time they are used using a bundled cipher.
35 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation  Obfuscation of the numeric representation of the password record limit (computation obfuscation): Complex evaluations obscure the actual condition.
36 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation (cont’d)  Obfuscation of the numeric representation of the password record limit (computation obfuscation) (cont’d): Testing for a function of a number can slow a reverser down.
37 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation  Obfuscation of the method that performs the record limit check (control flow obfuscation):  We introduce some non-essential, recursive, and randomized logic to the password limit check to make it more difficult for a reverser to perform static and/or live analysis.  Since no standards exist for control flow obfuscation, a custom algorithm was designed to hinder live and static analysis through use of recursive and randomized procedure calls.  Recursion grows the stack considerably, making stepping through the code difficult, while randomization makes execution unpredictable (breakpoints may not trigger & run traces differ).
38 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) A control flow obfuscation algorithm for the record limit check. Depth of the recursion is randomized on each check of the limit. Random procedure call targets generate and return a number that is added to an instance variable, preventing the procedures from being identified as NOOPs by a code optimizer.
39 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d)  To measure the effectiveness of the control flow algorithm in hindering analysis, three execution traces of the section of the code containing the record limit check were compared.  The Levenshtein Distance (LD) was computed between the three traces where each instruction in the trace was compared. LD was modified to consider each line as opposed to each character.  The execution traces were collected using OllyDbg and had to be cleaned of disassembly artifacts such as line numbers, base addresses, and comments in order to ensure that the analysis was fair.
40 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) Comparison of executions of record limit check on identical program input.
41

Recomendados

Principles of ui design
Principles of ui designPrinciples of ui design
Principles of ui designIaroslava Rizova
 
Natural Language Processing
Natural Language ProcessingNatural Language Processing
Natural Language ProcessingCloudxLab
 
Foundation Models in Recommender Systems
Foundation Models in Recommender SystemsFoundation Models in Recommender Systems
Foundation Models in Recommender SystemsAnoop Deoras
 
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...Databricks
 
Deep Learning for NLP: An Introduction to Neural Word Embeddings
Deep Learning for NLP: An Introduction to Neural Word EmbeddingsDeep Learning for NLP: An Introduction to Neural Word Embeddings
Deep Learning for NLP: An Introduction to Neural Word EmbeddingsRoelof Pieters
 
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInData
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInDataModel serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInData
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInDataGetInData
 
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)Yunong Xiao
 
ROI & Business Value of CI, CD, DevOps, DevSecOps, & Microservices
ROI & Business Value of CI, CD, DevOps, DevSecOps, & MicroservicesROI & Business Value of CI, CD, DevOps, DevSecOps, & Microservices
ROI & Business Value of CI, CD, DevOps, DevSecOps, & MicroservicesDavid Rico
 

Recomendados

Principles of ui design
Principles of ui designPrinciples of ui design
Principles of ui designIaroslava Rizova
 
Natural Language Processing
Natural Language ProcessingNatural Language Processing
Natural Language ProcessingCloudxLab
 
Foundation Models in Recommender Systems
Foundation Models in Recommender SystemsFoundation Models in Recommender Systems
Foundation Models in Recommender SystemsAnoop Deoras
 
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...
Building a Pipeline for State-of-the-Art Natural Language Processing Using Hu...Databricks
 
Deep Learning for NLP: An Introduction to Neural Word Embeddings
Deep Learning for NLP: An Introduction to Neural Word EmbeddingsDeep Learning for NLP: An Introduction to Neural Word Embeddings
Deep Learning for NLP: An Introduction to Neural Word EmbeddingsRoelof Pieters
 
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInData
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInDataModel serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInData
Model serving made easy using Kedro pipelines - Mariusz Strzelecki, GetInDataGetInData
 
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)
The Paved PaaS to Microservices at Netflix (IAS2017 Nanjing)Yunong Xiao
 
ROI & Business Value of CI, CD, DevOps, DevSecOps, & Microservices
ROI & Business Value of CI, CD, DevOps, DevSecOps, & MicroservicesROI & Business Value of CI, CD, DevOps, DevSecOps, & Microservices
ROI & Business Value of CI, CD, DevOps, DevSecOps, & MicroservicesDavid Rico
 
Retos en la arquitectura de Microservicios
Retos en la arquitectura de MicroserviciosRetos en la arquitectura de Microservicios
Retos en la arquitectura de MicroserviciosDomingo Suarez Torres
 
메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)Eunkyoung Lee
 
Requirements Engineering - Domain Models
Requirements Engineering - Domain ModelsRequirements Engineering - Domain Models
Requirements Engineering - Domain ModelsBirgit Penzenstadler
 
DevOps Patterns - Team Topologies
DevOps Patterns - Team TopologiesDevOps Patterns - Team Topologies
DevOps Patterns - Team TopologiesMatthew Skelton
 
Recursive Neural Networks
Recursive Neural NetworksRecursive Neural Networks
Recursive Neural NetworksSangwoo Mo
 
Initiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the EnterpriseInitiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the Enterpriseuxpin
 
TensorFlow and Keras: An Overview
TensorFlow and Keras: An OverviewTensorFlow and Keras: An Overview
TensorFlow and Keras: An OverviewPoo Kuan Hoong
 
DevOps : mission [im]possible ?
DevOps : mission [im]possible ?DevOps : mission [im]possible ?
DevOps : mission [im]possible ?rfelden
 
Building a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From ScratchBuilding a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From ScratchNatasha Latysheva
 
Connectionist Temporal Classification
Connectionist Temporal ClassificationConnectionist Temporal Classification
Connectionist Temporal ClassificationJulius Hietala
 
DevEx Essentials
DevEx EssentialsDevEx Essentials
DevEx EssentialsNicole Forsgren
 
Introduction To TensorFlow
Introduction To TensorFlowIntroduction To TensorFlow
Introduction To TensorFlowSpotle.ai
 
Design rules Human computer interaction.ppt
Design rules Human computer interaction.pptDesign rules Human computer interaction.ppt
Design rules Human computer interaction.pptSohail735908
 
DevOps
DevOps DevOps
DevOps Hakan Yüksel
 
Bert
BertBert
BertAbdallah Bashir
 
01- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.001- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.0César Augusto Pessôa
 
Requirements engineering for agile methods
Requirements engineering for agile methodsRequirements engineering for agile methods
Requirements engineering for agile methodsSyed Zaid Irshad
 
DevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationDevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationMaruti Gollapudi
 
Everything you need to know about design system.pdf
Everything you need to know about design system.pdfEverything you need to know about design system.pdf
Everything you need to know about design system.pdfKoru UX Design
 
rnn BASICS
rnn BASICSrnn BASICS
rnn BASICSPriyanka Reddy
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareTeodoro Cipresso
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java BytecodeTeodoro Cipresso
 

Mais conteúdo relacionado

Mais procurados

Retos en la arquitectura de Microservicios
Retos en la arquitectura de MicroserviciosRetos en la arquitectura de Microservicios
Retos en la arquitectura de MicroserviciosDomingo Suarez Torres
 
메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)Eunkyoung Lee
 
Requirements Engineering - Domain Models
Requirements Engineering - Domain ModelsRequirements Engineering - Domain Models
Requirements Engineering - Domain ModelsBirgit Penzenstadler
 
DevOps Patterns - Team Topologies
DevOps Patterns - Team TopologiesDevOps Patterns - Team Topologies
DevOps Patterns - Team TopologiesMatthew Skelton
 
Recursive Neural Networks
Recursive Neural NetworksRecursive Neural Networks
Recursive Neural NetworksSangwoo Mo
 
Initiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the EnterpriseInitiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the Enterpriseuxpin
 
TensorFlow and Keras: An Overview
TensorFlow and Keras: An OverviewTensorFlow and Keras: An Overview
TensorFlow and Keras: An OverviewPoo Kuan Hoong
 
DevOps : mission [im]possible ?
DevOps : mission [im]possible ?DevOps : mission [im]possible ?
DevOps : mission [im]possible ?rfelden
 
Building a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From ScratchBuilding a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From ScratchNatasha Latysheva
 
Connectionist Temporal Classification
Connectionist Temporal ClassificationConnectionist Temporal Classification
Connectionist Temporal ClassificationJulius Hietala
 
Introduction To TensorFlow
Introduction To TensorFlowIntroduction To TensorFlow
Introduction To TensorFlowSpotle.ai
 
Design rules Human computer interaction.ppt
Design rules Human computer interaction.pptDesign rules Human computer interaction.ppt
Design rules Human computer interaction.pptSohail735908
 
01- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.001- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.0César Augusto Pessôa
 
Requirements engineering for agile methods
Requirements engineering for agile methodsRequirements engineering for agile methods
Requirements engineering for agile methodsSyed Zaid Irshad
 
DevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationDevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationMaruti Gollapudi
 
Everything you need to know about design system.pdf
Everything you need to know about design system.pdfEverything you need to know about design system.pdf
Everything you need to know about design system.pdfKoru UX Design
 

Mais procurados (20)

Retos en la arquitectura de Microservicios
Retos en la arquitectura de MicroserviciosRetos en la arquitectura de Microservicios
Retos en la arquitectura de Microservicios
 
메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)메타버스 백서 (by 텐투플레이)
메타버스 백서 (by 텐투플레이)
 
Requirements Engineering - Domain Models
Requirements Engineering - Domain ModelsRequirements Engineering - Domain Models
Requirements Engineering - Domain Models
 
DevOps Patterns - Team Topologies
DevOps Patterns - Team TopologiesDevOps Patterns - Team Topologies
DevOps Patterns - Team Topologies
 
Recursive Neural Networks
Recursive Neural NetworksRecursive Neural Networks
Recursive Neural Networks
 
Initiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the EnterpriseInitiating and Sustaining Design Systems for the Enterprise
Initiating and Sustaining Design Systems for the Enterprise
 
TensorFlow and Keras: An Overview
TensorFlow and Keras: An OverviewTensorFlow and Keras: An Overview
TensorFlow and Keras: An Overview
 
DevOps : mission [im]possible ?
DevOps : mission [im]possible ?DevOps : mission [im]possible ?
DevOps : mission [im]possible ?
 
Building a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From ScratchBuilding a Neural Machine Translation System From Scratch
Building a Neural Machine Translation System From Scratch
 
Connectionist Temporal Classification
Connectionist Temporal ClassificationConnectionist Temporal Classification
Connectionist Temporal Classification
 
DevEx Essentials
DevEx EssentialsDevEx Essentials
DevEx Essentials
 
Introduction To TensorFlow
Introduction To TensorFlowIntroduction To TensorFlow
Introduction To TensorFlow
 
Design rules Human computer interaction.ppt
Design rules Human computer interaction.pptDesign rules Human computer interaction.ppt
Design rules Human computer interaction.ppt
 
DevOps
DevOps DevOps
DevOps
 
Bert
BertBert
Bert
 
01- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.001- Introdução a programação e modelo RAD v1.0
01- Introdução a programação e modelo RAD v1.0
 
Requirements engineering for agile methods
Requirements engineering for agile methodsRequirements engineering for agile methods
Requirements engineering for agile methods
 
DevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationDevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay Application
 
Everything you need to know about design system.pdf
Everything you need to know about design system.pdfEverything you need to know about design system.pdf
Everything you need to know about design system.pdf
 
rnn BASICS
rnn BASICSrnn BASICS
rnn BASICS
 

Destaque

Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareTeodoro Cipresso
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java BytecodeTeodoro Cipresso
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareTeodoro Cipresso
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Teodoro Cipresso
 
Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorAsanka Dilruk
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EETeodoro Cipresso
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsTeodoro Cipresso
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringTeodoro Cipresso
 

Destaque (10)

Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy Software
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java Bytecode
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
 
Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EE
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIs
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse Engineering
 
Array Processor
Array ProcessorArray Processor
Array Processor
 
CO Module 5
CO Module 5CO Module 5
CO Module 5
 

Semelhante a Applying Anti-Reversing Techniques to Machine Code

Binary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programmingBinary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programmingnong_dan
 
Source vs object code
Source vs object codeSource vs object code
Source vs object codeSana Ullah
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine CodeTeodoro Cipresso
 
Fundamentals of programming with C++
Fundamentals of programming with C++Fundamentals of programming with C++
Fundamentals of programming with C++Seble Nigussie
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyBrian Lyttle
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyUltraUploader
 
An introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_cAn introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_cSuresh Murugesan
 
Larson and toubro
Larson and toubroLarson and toubro
Larson and toubroanoopc1998
 
10Pro Code Injector
10Pro Code Injector10Pro Code Injector
10Pro Code Injector10pro
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notesWE-IT TUTORIALS
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codeAndrey Karpov
 
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdfDEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdfSrikrishna Thota
 
C language introduction geeksfor geeks
C language introduction geeksfor geeksC language introduction geeksfor geeks
C language introduction geeksfor geeksAashutoshChhedavi
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET Journal
 

Semelhante a Applying Anti-Reversing Techniques to Machine Code (20)

Binary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programmingBinary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programming
 
Source vs object code
Source vs object codeSource vs object code
Source vs object code
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine Code
 
Fundamentals of programming with C++
Fundamentals of programming with C++Fundamentals of programming with C++
Fundamentals of programming with C++
 
Dlf2
Dlf2Dlf2
Dlf2
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Part 1
Part 1Part 1
Part 1
 
An introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_cAn introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_c
 
Unit-2.pptx
Unit-2.pptxUnit-2.pptx
Unit-2.pptx
 
Introduction to c language
Introduction to c language Introduction to c language
Introduction to c language
 
Larson and toubro
Larson and toubroLarson and toubro
Larson and toubro
 
10Pro Code Injector
10Pro Code Injector10Pro Code Injector
10Pro Code Injector
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
 
Srgoc dotnet_new
Srgoc dotnet_newSrgoc dotnet_new
Srgoc dotnet_new
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ code
 
Embedded C.pptx
Embedded C.pptxEmbedded C.pptx
Embedded C.pptx
 
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdfDEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
 
C language introduction geeksfor geeks
C language introduction geeksfor geeksC language introduction geeksfor geeks
C language introduction geeksfor geeks
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 

Último

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 

Último (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 

Applying Anti-Reversing Techniques to Machine Code

  • 1. CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
  • 2. Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Extreme care must be taken when applying anti-reversing techniques because most techniques ultimately change the machine code.  In the end, if a program does not run correctly, measuring how efficient or difficult to reverse engineer it is becomes meaningless [18].  Anti-reversing transformations performed on source code make a program more difficult to understand in both source and executable formats.  These transforms can expose compiler bugs because the program no longer looks like something a human would write.  [18] states “any compiler is going to have at least some pathological programs which it will not compile correctly.” 2
  • 3. Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Compiler failures on “pathological” programs occur because compiler test cases are most often coded by people.  Test cases are not typically generated by some sophisticated tool that knows how to try every fringe case and surface every bug.  Therefore we should not be surprised if some compilers have difficulty with obfuscated source code.  We now investigate the technique Eliminating Symbolic Information as it applies to machine code.  We previously looked at this technique in Applying Anti-Reversing Techniques to Java Bytecode. 3
  • 4. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Eliminating Symbolic Information calls for the removal of any meaningful symbolic information in machine code that is not important to the execution of the program, but serves to ease debugging or reuse of it by another program.  For example, if a Windows program references functions (methods) exported by one or more libraries (DLLs), the names of those methods will appear in the .idata (import data) section of the program binary.  In production versions of a program, the machine code doesn't directly contain any symbolic information from the original source code. In the executable:  Method names, variable names (etc..), and line numbers are all absent.  Only the machine instructions produced directly or indirectly by the compiler [9] are present. 4
  • 5. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  This lack of information about the connection between the machine instructions and HLL source is unacceptable for purposes of debugging.  Therefore most modern compilers, like GCC, include an option to include debugging information into an executable.  The included debugging information allows a debugger to map one or more machine instructions back to a particular HLL statement [9].  To demonstrate symbolic information that is inserted into machine code to enable debugging of an application:  Calculator.cpp was compiled using the GNU C++ compiler (g++) with options to include debugging information and to generate assembly source instead of an executable (machine code). 5
  • 6. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 6 Calculator.cpp
  • 7. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  The GNU compiler stores debug information in the symbol tables (.stabs) section of the Windows PE header so that it will be loaded into memory as part of the program image.  The generated assembly language files CalculatorDebug.s on the next slide shows some of the debugging information inserted by GCC.  While this information is not a replacement for the original source code it does provide some helpful information to a reverser.  The GNU Project Debugger (GDB) is a source-level debugger and therefore must access the HLL source file to make use of the debugging information. 7
  • 8. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 8 CalculatorDebug.cpp
  • 9. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Debugging information can give plenty of hints to a reverse engineer, such as the count and type of parameters one must pass to a given method.  An obvious recommendation is to ensure the code is not compiled with debugging information before shipment to end-users.  The hunt for symbolic information doesn't end with information embedded by debuggers; actually it rarely begins there.  Eliminating symbolic information in machine code is difficult, therefore we’ll manually implement some familiar techniques to obfuscate the information.  First, we will take a detour to look at obfuscation of source code and what use cases it might address. 9
  • 10. Applying Anti-Reversing Techniques to Machine Code Source Code Obfuscation  Obfuscating the Program calls for performing transformations to the source or machine code that would render either code extremely difficult to understand but functionally equivalent to the original.  When delivering software to customers, they may require the source code so that the product can be compiled using in-house build and audit procedures.  In the likely event that the source code contains intellectual property, it can be obfuscated without changing the the resultant machine code.  To demonstrate source code obfuscation, COBF [23], a free C/C++ source code obfuscator was configured and given Calculator.cpp.  Stunnix C/C++ is a commercial source code obfuscator. 10
  • 12. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  [19] states “Obfuscation of Java bytecode is possible for the same reasons that decompiling is possible: Java bytecode is standardized and well documented.”  Machine code is not standardized; instruction sets, formats, and program image layouts vary depending on the target platform architecture.  Tools to assist with obfuscating machine code are much more challenging to implement and expensive to acquire. (I have not found any free tools).  EXECryptor is an industrial-strength machine code obfuscator.  When applied to the machine code for the Password Vault application, EXECryptor rendered it extremely difficult to understand.  EXECryptor fails to start in Windows 8.1 due to an anti-debug error. 12
  • 13. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  Direct machine code obfuscations can be hard to analyze or follow, so we'll perform obfuscations at the source code level and observe differences in the assembly code generated by the GNU C/C++ compiler.  Success is achieved when an obfuscated program has the same functionality as the original, but is more difficult to understand during live or static analysis.  There are no standards for code obfuscation, but it's relatively important to ensure that the obfuscations applied to a program are not easily undone because deobfuscation tools can be used to eliminate easily identified obfuscations [5].  We now look at the source and disassembly for VerifyPassword.cpp, a simple C++ program that contains a simple if-test for a password.  We then embed a simple cipher to protect sensitive constants. 13
  • 14. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 14 VerifyPassword.cpp
  • 16. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 16 VerifyPasswordObf.cpp
  • 23. 23 Run exe in new window Dump of .rdata Start @ 0x445000
  • 26. 26 max.c We want to call max() dynamically using Frida Keep the program resident
  • 27. 27 Debug statements from int max(x,y) function
  • 28. 28 Run max.exe using OllyDbg File->Open Specify arguments
  • 30. 30
  • 31. 31 Run max.exe in new window max.exe stays resident
  • 32. 32 Run max.py 2x to invoke max(x,y) in max.exe
  • 33. 33 Applying Anti-Reversing Techniques to Machine Code Password Vault Anti-Reversing Exercise  The machine code anti-reversing exercise asks one to create a new executable version of the Password Vault application where the following transformations are applied:  Encryption of string literals (data obfuscation).  Obfuscation of the numeric representation of the password record limit (computation obfuscation).  Obfuscation of the method that performs the record limit check (control flow obfuscation). Contains both unobfuscated and Obfuscated source
  • 34. 34 Applying Anti-Reversing Techniques to Machine Code Data Obfuscation  Encryption of String Literals (data obfuscation): Strings are decrypted each time they are used using a bundled cipher.
  • 35. 35 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation  Obfuscation of the numeric representation of the password record limit (computation obfuscation): Complex evaluations obscure the actual condition.
  • 36. 36 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation (cont’d)  Obfuscation of the numeric representation of the password record limit (computation obfuscation) (cont’d): Testing for a function of a number can slow a reverser down.
  • 37. 37 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation  Obfuscation of the method that performs the record limit check (control flow obfuscation):  We introduce some non-essential, recursive, and randomized logic to the password limit check to make it more difficult for a reverser to perform static and/or live analysis.  Since no standards exist for control flow obfuscation, a custom algorithm was designed to hinder live and static analysis through use of recursive and randomized procedure calls.  Recursion grows the stack considerably, making stepping through the code difficult, while randomization makes execution unpredictable (breakpoints may not trigger & run traces differ).
  • 38. 38 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) A control flow obfuscation algorithm for the record limit check. Depth of the recursion is randomized on each check of the limit. Random procedure call targets generate and return a number that is added to an instance variable, preventing the procedures from being identified as NOOPs by a code optimizer.
  • 39. 39 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d)  To measure the effectiveness of the control flow algorithm in hindering analysis, three execution traces of the section of the code containing the record limit check were compared.  The Levenshtein Distance (LD) was computed between the three traces where each instruction in the trace was compared. LD was modified to consider each line as opposed to each character.  The execution traces were collected using OllyDbg and had to be cleaned of disassembly artifacts such as line numbers, base addresses, and comments in order to ensure that the analysis was fair.
  • 40. 40 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) Comparison of executions of record limit check on identical program input.
  • 41. 41