An
Obfuscated Code is a code that has been modified and/or transformed in order to
make it harder (but not impossible) for humans to read and understand.
Unfortunately this technique has some disadvantages, it takes time to make an
obfuscated code especially if you have a long code, and some anti-virus
softwares could alert some obfuscated code as some kind of a malware.
There are
so many methods of obfuscation, I’ll only cover a few. In this tutorial I will talk
about is Code Mutation. It’s a technique that aims to replace each
instruction by it's equivalent.
Assuming
you want to calculate a number (for example 5) and then put it in a register (EAX
for example). Mathematically there are many ways as you can see:
- 1+1+1+1+1=5
- 2+3=5
- 2*3-1=5
- 25/5=5
- sqrt(25)=5
- 3!-1=5
This is the
same as in programming. Let's see how to do that. I'll only work
on the first one (1+1+1+1+1=5) given that this is not about how to calculate.
We can express (1+1+1+1+1=5) in many ways. The first
way would be to use INC instruction 5 times, meaning increase EAX
five times:
XOR EAX, EAXINC EAXINC EAXINC EAXINC EAXINC EAX
OR we can
use the instruction ADD EAX, 1 instead of INC EAX:
XOR EAX, EAXADD EAX, 1ADD EAX, 1ADD EAX, 1ADD EAX, 1ADD EAX, 1
Another way
is to use INC EAX or ADD EAX,1 inside a loop and
count EAX until it reaches 5:
XOR EAX, EAX@@:INC EAXCMP EAX, 5JNZ @B
@@:ADD EAX, 1CMP EAX, 5JNZ @B
But that has nothing with what we want, what we want is to make it just a little bit
harder to understand. That's where the important part comes, we’ll be working on the following code sample:
XOR EAX, EAXADD EAX, 1ADD EAX, 1ADD EAX, 1ADD EAX, 1
Instead of
using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD
EAX, 1 we could use:
NOT EAXNEG EAX
Which would
lead us to the following code:
MOV EAX, 0NOT EAXNEG EAXNOT EAXNEG EAXNOT EAXNEG EAXNOT EAXNEG EAXNOT EAXNEG EAX
MOV EAX,
0 could become:
LEA EAX, 0
NOT EAX:
NEG EAXSUB EAX, 1
AND NEG
EAX:
NOT EAXADD EAX, 1
I guess you
know what does that mean! Yes that’s right, we replace each instruction with it’s
equivalent:
As you can see above, our code has grown a little and has become a little bit harder to understand (not impossible). You can also see that we’ve got the same instructions we’ve mutated before (ADD EAX, 1, NOT EAX, NEG EAX) plus a new one (SUB EAX, 1) that can also be mutated to (NEG EAX and NOT EAX) which means that each instruction has an infinite amount of mutations.LEA EAX, 0NEG EAXSUB EAX, 1NOT EAXADD EAX, 1NEG EAXSUB EAX, 1NOT EAXADD EAX, 1NEG EAXSUB EAX, 1NOT EAXADD EAX, 1NEG EAXSUB EAX, 1NOT EAXADD EAX, 1NEG EAXSUB EAX, 1NOT EAXADD EAX, 1
Hope this was a useful article. Now you can try out the rest of the expressions.
Aucun commentaire:
Enregistrer un commentaire