Binary Obfuscation from the Top Down: Obfuscation Executables without Writing Assembly
Code Obfuscation Final Presentation
description
Transcript of Code Obfuscation Final Presentation
Topics to be discussed Problem Definition
Project Purpose – Building Obfuscator
Obfuscation Using Opaque Predicates
Implementation details
Obfuscation example
Obfuscation Quality and Measurements
2
Problem Definition
3
Project purpose - Building Obfuscator
Creating an application that for a given C++ source code ,
generates an obfuscated one that has the exact same
functionality as the original one.
4
Source code
Obfuscated Source code
Compilation Output
Inte
rnet
(
Serve
r – C
lient
)
Compilation Output
ApplicationExecute
Source code
Obfuscated Source code
Deobfuscation
Decopmilation
Obfuscation Using Opaque PredicatesKnown fact : Adding junctions makes our life
harder
So we will obfuscate our code by adding If-else structures with Opaque Predicates in order to complicate
the control flow of the code.
Opaque PredicateOpaque Predicate : an expression that evaluates to
either "true" or "false“ , which its outcome is known
to the obfuscator and is very difficult and even
impossible for the deobfuscator to evaluate , without
running the application itself.
6
Opaque Predicate Benefits:I. Increased number of predicates to deduce
II. Inserting Dead and irrelevant code to
confuse an attacker.
Dead CodeT
Introduce an obfuscated Graph class to the code.
Introduce a code that manipulates (build and changes) the Graph.
Building Opaque Predicate with user input names according to
specific invariants that the graph structure holds.
Adding Randomness for the IF conditions together with the predicate.
7
Opaque Predicate Benefits:
Input : User prepares config file , to configure parameters for the Opaque
predicate inserting , and the “String” option that replaces given tokens with
random tokens
8
/**************************************************************//* Configuration File For Koby's Obfuscation App *//**************************************************************/
/* Working Folder */WorkingFolder=C:\Users\koby\Desktop\New folder
/* Source Files */SourceFileList=folder.cpp
/********************************************//* Parameters for "Opaque" Option *//********************************************/
/* Related Project Names */RelatedProjectNames=melody,tune,volume,artist,singer
/* Number Of Predicates To Add */NumberOfPredicatesToAdd=2
/* Function Names To Insert The Predicates */FunctionNamesToInsertThePredicates=Play_Song
/********************************************//* Parameters for "Strings" Option *//*******************************************/
/* Function Names To Be Obuscated */FunctionNamesToBeObuscated=Play_Song,Print_Folder_Songs
/* Variable Names */VariableNames=Folder,song_name,temp_song
Original Code
9
bool Folder::Print_Folder_Songs (const string& curr_artist_name) // not checked{Iterator<Song> itr =songs_list.GetIterator(); Song temp_song; if (curr_artist_name=="temp_not_given")
{while (itr.HasNext()) {itr.Next().Print_Song_Name();}} else {while (itr.HasNext()) {temp_song=itr.Next(); if (temp_song.Get_Artist_Name()==curr_artist_name) {temp_song.Print_Song_Name();}}} return true;}
bool Folder::Play_Song (const string& song_name){Song curr_song; Iterator<Song> itr =songs_list.GetIterator(); bool found=false; while (itr.HasNext()&&(!found)) {curr_song=itr.Next(); if (curr_song.song_name==song_name) {curr_song.Play_Song(); found=true;}} return found;}
Obfuscated Code – Opaque Option
10
bool Folder::Print_Folder_Songs (const string& curr_artist_name) // not checked{Iterator<Song> itr =songs_list.GetIterator(); Song temp_song; if (curr_artist_name=="temp_not_given")
{while (itr.HasNext()) {itr.Next().Print_Song_Name();}} else {while (itr.HasNext()) {temp_song=itr.Next(); if (temp_song.Get_Artist_Name()==curr_artist_name) {temp_song.Print_Song_Name();}}} return true;}
bool Folder::Play_Song (const string& song_name){Song curr_song;
srand (time(NULL) );artist* melody = new artist();melody->singer();melody= melody->__singer();melody->singer();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();artist* tune;tune=melody->__artist();tune->singer();tune = tune->__singer();tune->singer();melody->singer();tune->singer();tune = tune->__singer();
tune->singer();melody->singer();melody= melody->__singer();tune->___tune();melody->singer();melody->singer();melody->___tune();if (melody->__volume(tune) ){artist* melody = new artist();melody->singer();melody= melody->__singer();melody->singer();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();melody= melody->__singer();melody->singer();melody->singer();melody->___tune();artist* tune;tune=melody->__artist();tune->singer();tune = tune->__singer();tune->singer();melody->singer();tune->singer();tune = tune->__singer();tune->singer();melody->singer();melody= melody->__singer();tune->___tune();melody->singer();melody->singer();melody->___tune();
tune1: int tune2 = rand() % 2;if (melody->__volume(tune) && tune2){
tune->singer();melody->singer();tune->singer();tune = tune->__singer();tune->singer();melody->singer();melody= melody->__singer();tune->___tune();melody->singer();melody->singer();goto tune1;melody->___tune();
}tune->singer();melody->singer();melody->singer();melody->___tune();
} Iterator<Song> itr =songs_list.GetIterator(); bool found=false; while (itr.HasNext()&&(!found)) {curr_song=itr.Next(); if (curr_song.song_name==song_name) {curr_song.Play_Song();
found=true;}} return found;}
Obfuscated Code – Opaque Option + String Option
11
#include "folder.h"#include "_include_.h"
/* implementation of class ____18960____ */
//private methods
bool ____18960___::__17385___(const string& curr___28814___name) // not checked{Iterator<Song> itr =songs_list.GetIterator(); Song ____237____; if (curr_____28814_____name=="temp_not_given")
{while (itr.HasNext()) {itr.Next().Print_Song_Name();}} else {while (itr.HasNext()) {____237____=itr.Next(); if (____237____.Get_Artist_Name()==curr_____28814_____name) {____237____.Print_Song_Name();}}} return true;}
bool ____18960____::____4251____ (const string& ____8667____){Song curr_song;
srand (time(NULL) );____28814____* ____15463____ = new ____28814____();____15463____->____13731____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();____15463____= ____15463____->______13731____();
____15463____->____13731____();____15463____->_______9449____();____28814____* ____9449____;____9449____=____15463____->______28814____();____9449____->____13731____();____9449____ = ____9449____->______13731____();____9449____->____13731____();____15463____->____13731____();____9449____->____13731____();____9449____ = ____9449____->______13731____();____9449____->____13731____();____15463____->____13731____();____15463____= ____15463____->______13731____();____9449____->_______9449____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();if (____15463____->______10535____(____9449____)){____28814____* ____15463____ = new ____28814____();____15463____->____13731____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();____15463____= ____15463____->______13731____();____15463____->____13731____();____15463____->____13731____();____15463____->_______9449____();____28814____* ____9449____;____9449____=____15463____->______28814____();____9449____->____13731____();
12
Mccabe metric (Cyclomatic complexity) – known
metric that trys to measure code complexity.
The cyclomatic complexity of a section of source
code is the count of the number of linearly
independent paths through the source code.
13
How to compute the “Cyclomatic complexity”:
Build control flow graph of the program , and the compute: E − N + 2PE − N + 2PWhere E = the number of edges of the graph N = the number of nodes of the graph P = the number of connected components• Note that for a program without any IF statements or WHILE, FOR , CASE statements the Cyclomatic complexity is 1
Cyclomatic complexity = 9 - 8 + 2 = 3
14
I used the “CCCC” freeware to compute the cyclomatic complexity on
the Obfuscation example given in the previous sides