samedi 6 décembre 2014

Writing Obfuscated Code in Assembly - Code Mutation


An Obfuscated Code is a code that has been modified and/or transformed in order to make it harder (but not impossible) for humans to read and understand. Unfortunately this technique has some disadvantages, it takes time to make an obfuscated code especially if you have a long code, and some anti-virus softwares could alert some obfuscated code as some kind of a malware. 

There are so many methods of obfuscation, I’ll only cover a few. In this tutorial I will talk about is Code Mutation. It’s a technique that aims to replace each instruction by it's equivalent.

Assuming you want to calculate a number (for example 5) and then put it in a register (EAX for example). Mathematically there are many ways as you can see:
  1. 1+1+1+1+1=5
  2. 2+3=5
  3. 2*3-1=5
  4. 25/5=5
  5. sqrt(25)=5
  6. 3!-1=5
This is the same as in programming. Let's see how to do that. I'll only work on the first one (1+1+1+1+1=5) given that this is not about how to calculate.

We can express (1+1+1+1+1=5) in many ways. The first way would be to use INC instruction 5 times, meaning increase EAX five times:
XOR EAX, EAX
INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
OR we can use the instruction ADD EAX, 1 instead of INC EAX:
XOR EAX, EAX
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
Another way is to use INC EAX or ADD EAX,1 inside a loop and count EAX until it reaches 5:
XOR EAX, EAX
@@:
  INC EAX
  CMP EAX, 5
  JNZ @B
@@:
  ADD EAX, 1
  CMP EAX, 5
  JNZ @B
But that has nothing with what we want, what we want is to make it just a little bit harder to understand. That's where the important part comes, we’ll be working on the following code sample:
XOR EAX, EAX
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
Instead of using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD EAX, 1 we could use:
NOT EAX
NEG EAX
Which would lead us to the following code:
MOV EAX, 0
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
MOV EAX, 0 could become:
LEA EAX, 0
NOT EAX:
NEG EAX
SUB EAX, 1
AND NEG EAX:
NOT EAX
ADD EAX, 1
I guess you know what does that mean! Yes that’s right, we replace each instruction with it’s equivalent:
LEA EAX, 0
NEG EAX
SUB EAX, 1
NOT EAX
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX
ADD EAX, 1
NEG EAX
SUB EAX, 1
NOT EAX
ADD EAX, 1
As you can see above, our code has grown a little and has become a little bit harder to understand (not impossible). You can also see that we’ve got the same instructions we’ve mutated before (ADD EAX, 1, NOT EAX, NEG EAX) plus a new one (SUB EAX, 1) that can also be mutated to (NEG EAX and NOT EAX) which means that each instruction has an infinite amount of mutations. 

Hope this was a useful article. Now you can try out the rest of the expressions.