An
Obfuscated Code is a code that has been modified and/or transformed in order to
make it harder (but not impossible) for humans to read and understand.
Unfortunately this technique has some disadvantages, it takes time to make an
obfuscated code especially if you have a long code, and some anti-virus
softwares could alert some obfuscated code as some kind of a malware.
There are
so many methods of obfuscation, I’ll only cover a few. In this tutorial I will talk
about is Code Mutation. It’s a technique that aims to replace each
instruction by it's equivalent.
Assuming
you want to calculate a number (for example 5) and then put it in a register (EAX
for example). Mathematically there are many ways as you can see:
- 1+1+1+1+1=5
- 2+3=5
- 2*3-1=5
- 25/5=5
- sqrt(25)=5
- 3!-1=5
This is the
same as in programming. Let's see how to do that. I'll only work
on the first one (1+1+1+1+1=5) given that this is not about how to calculate.
We can express (1+1+1+1+1=5) in many ways. The first
way would be to use INC instruction 5 times, meaning increase EAX
five times:
XOR EAX,
EAX
INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
OR we can
use the instruction ADD EAX, 1 instead of INC EAX:
XOR EAX,
EAX
ADD EAX,
1
ADD EAX,
1
ADD EAX,
1
ADD EAX,
1
ADD EAX,
1
Another way
is to use INC EAX or ADD EAX,1 inside a loop and
count EAX until it reaches 5:
XOR EAX,
EAX
@@:
INC EAX
CMP EAX,
5
JNZ @B
@@:
ADD EAX,
1
CMP EAX,
5
JNZ @B
But that has nothing with what we want, what we want is to make it just a little bit
harder to understand. That's where the important part comes, we’ll be working on the following code sample:
XOR EAX,
EAX
ADD EAX,
1
ADD EAX,
1
ADD EAX,
1
ADD EAX,
1
Instead of
using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD
EAX, 1 we could use:
NOT EAX
NEG EAX
Which would
lead us to the following code:
MOV EAX,
0
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
NOT EAX
NEG EAX
MOV EAX,
0 could become:
LEA EAX,
0
NOT EAX:
NEG EAX
SUB EAX,
1
AND NEG
EAX:
NOT EAX
ADD EAX,
1
I guess you
know what does that mean! Yes that’s right, we replace each instruction with it’s
equivalent:
LEA EAX,
0
NEG EAX
SUB EAX,
1
NOT EAX
ADD EAX,
1
NEG EAX
SUB EAX,
1
NOT EAX
ADD EAX,
1
NEG EAX
SUB EAX,
1
NOT EAX
ADD EAX,
1
NEG EAX
SUB EAX,
1
NOT EAX
ADD EAX,
1
NEG EAX
SUB EAX,
1
NOT EAX
ADD EAX,
1
As you can see above, our code has grown a
little and has become a little bit harder to understand (not impossible). You can
also see that we’ve got the same instructions we’ve mutated before (ADD EAX,
1, NOT EAX, NEG EAX) plus a new one (SUB EAX, 1) that can also be
mutated to (NEG EAX and NOT EAX) which means that each
instruction has an infinite amount of mutations.
Hope this was a useful article. Now you can try out the rest of the expressions.