## Saturday, 6 December 2014

### Writing Obfuscated Code in Assembly - Code Mutation

Obfuscated code is code that has been modified and/or transformed to make it harder (but not impossible) for humans to read and understand. Unfortunately, this technique has some disadvantages: obfuscating code takes time, especially if the code is long, and some anti-virus software may flag obfuscated code as some kind of malware.

There are many methods of obfuscation; I'll only cover a few. In this tutorial I will talk about code mutation, a technique that aims to replace each instruction with an equivalent one.

Suppose you want to calculate a number (for example 5) and then put it in a register (EAX, for example). Mathematically there are many ways to do it, as you can see:

1. 1+1+1+1+1=5
2. 2+3=5
3. 2*3-1=5
4. 25/5=5
5. sqrt(25)=5
6. 3!-1=5

The same is true in programming. Let's see how to do that. I'll only work on the first one (1+1+1+1+1=5), given that this is not about how to calculate.

We can express (1+1+1+1+1=5) in many ways. The first is to use the INC instruction five times, that is, increment EAX five times:

```asm
XOR EAX, EAX
INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
```

Or we can use the instruction ADD EAX, 1 instead of INC EAX:

```asm
XOR EAX, EAX
ADD EAX, 1      ; this line appears five times in total
```

Another way is to use INC EAX or ADD EAX, 1 inside a loop and count EAX up until it reaches 5:

```asm
XOR EAX, EAX
@@:
INC EAX
CMP EAX, 5
JNZ @B
```

or, with ADD EAX, 1 as the loop body:

```asm
XOR EAX, EAX
@@:
ADD EAX, 1
CMP EAX, 5
JNZ @B
```

But that has nothing to do with what we want; what we want is to make the code just a little bit harder to understand. This is where the important part comes in. We'll be working on the following code sample:

```asm
XOR EAX, EAX
ADD EAX, 1      ; this line appears five times in total
```

Instead of using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD EAX, 1 we could use:

```asm
NOT EAX
NEG EAX
```

Which would lead us to the following code:

```asm
MOV EAX, 0
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
```

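MOV EAX, 0 could become:

```asm
LEA EAX, [0]    ; LEA takes an address expression, not an immediate (MASM needs DS:[0])
```

NOT EAX could become:

```asm
NEG EAX
SUB EAX, 1
```

And NEG EAX could become:

```asm
NOT EAX
ADD EAX, 1
```
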
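I guess you know what that means! Yes, that's right, we replace each instruction with its equivalent:

```asm
LEA EAX, [0]    ; EAX = 0
NEG EAX         ; NEG + SUB 1 stands in for NOT
SUB EAX, 1
NOT EAX         ; NOT + ADD 1 stands in for NEG, so EAX = 1
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX         ; EAX = 2
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX         ; EAX = 3
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX         ; EAX = 4
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX         ; EAX = 5
ADD EAX, 1
```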
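
A quick way to check substitutions like these is to emulate them. The block below is an added example, not code from the original post: it models EAX for the handful of instructions used here and confirms that each rewritten listing still yields 5. The names run, same_effect, PLAIN, FIRST_PASS and SECOND_PASS are made up for this example, and SECOND_PASS assumes NEG EAX expands to NOT EAX followed by ADD EAX, 1.

```python
# Added example: a tiny emulator for the EAX-only instructions used in this post.
MASK = 0xFFFFFFFF  # EAX is 32 bits wide, so all arithmetic wraps modulo 2**32

def imm(text):
    """Parse an immediate; LEA's '[0]' form is treated as the constant inside."""
    return int(text.strip("[] "), 0) & MASK

def run(listing, eax=0):
    """Execute a straight-line listing and return the final value of EAX."""
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip().upper()  # drop comments and blanks
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if args[0] != "EAX":
            raise ValueError(f"only EAX is modelled: {raw!r}")
        src = args[1] if len(args) > 1 else None
        if op == "XOR" and src == "EAX":
            eax = 0
        elif op in ("MOV", "LEA"):
            eax = imm(src)
        elif op == "INC":
            eax = (eax + 1) & MASK
        elif op == "ADD":
            eax = (eax + imm(src)) & MASK
        elif op == "SUB":
            eax = (eax - imm(src)) & MASK
        elif op == "NOT":
            eax = ~eax & MASK
        elif op == "NEG":
            eax = -eax & MASK
        else:
            raise ValueError(f"unsupported instruction: {raw!r}")
    return eax

def same_effect(a, b, starts=(0, 1, 5, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)):
    """True if fragments a and b leave the same EAX for every start value."""
    return all(run(a, s) == run(b, s) for s in starts)

# The three forms of "EAX = 5" from the post, rebuilt here as strings.
PLAIN = "XOR EAX, EAX\n" + "ADD EAX, 1\n" * 5
FIRST_PASS = "MOV EAX, 0\n" + "NOT EAX\nNEG EAX\n" * 5
SECOND_PASS = "LEA EAX, [0]\n" + "NEG EAX\nSUB EAX, 1\nNOT EAX\nADD EAX, 1\n" * 5

if __name__ == "__main__":
    for name in ("PLAIN", "FIRST_PASS", "SECOND_PASS"):
        print(name, run(globals()[name]))
```

Only the register value is modelled, not the flags: INC leaves CF untouched where ADD sets it, and NOT changes no flags at all, so these substitutions are safe only where nothing later reads the flags.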