flat assembler
Message board for the users of flat assembler.

Code obfuscation

MazeGen
MHajduk wrote:

If I understood correctly, you are able to protect already compiled applications without the necessity of having the source code (decompilation -> obfuscation -> compilation)?

It is just the protection layer which gets disassembled, obfuscated and rebuilt. When the "Move Entry Point" feature is enabled, a few bytes of the original application are "stolen" and obfuscated too.
MHajduk wrote:

Another question: does the obfuscation always imply that the resulting code will be much bigger than the input code?
For example: how big will a 5kB application written in FASM be after obfuscation?

It depends on the selected obfuscation methods and their ratios. You can select just instruction rearrangement and the size doesn't grow. If you select 100% instruction expansion, the size can grow three times or more, depending on the code structure.
MHajduk wrote:

Will it be improper if I ask the next question: how much time you spent on this project and how many people were engaged in it?

As for the obfuscator, I started it some day in 2003 from scratch and I'm the only developer of it.
Post 24 Mar 2007, 19:49
MazeGen
HyperVista wrote:
thank you for this most interesting thread vid. during MazeGen's presentation in Krakow, you mentioned there are "hints" in the code that assist with the obfuscation/deobfuscation. can you say more about these "hints"?

These hints are needed to solve the "halting problem" during the disassembly process. The disassembler works on flat binary code and knows nothing more about it. Since the process is fully automatic, some issues arise which can't be 100% resolved. For instance, external calls and their calling convention must be indicated to enable keeping track of the stack. This hint is just some special instruction which is removed from the final instruction stream.
Post 24 Mar 2007, 19:51
MHajduk
MazeGen wrote:
As for the obfuscator, I started it some day in 2003 from scratch and I'm the only developer of it.
Big, hard work, but the effects are worth it. Very Happy
Post 24 Mar 2007, 20:53
LocoDelAssembly
haha, I also committed the 6F5104 bug Razz

Sorry but I'm not sure if you are referring to the same "dependencies", I mean using the environment (EFLAGS, registers, memory?) of a previous obfuscated code to obfuscate another. In my example above if I remove the instruction that belongs to the "cmp eax, 6f5105/ja label" (BLUE) obfuscation, the obfuscation for "mov eax, [esi]" (GREEN) doesn't work anymore because it has an EFLAGS (CF) dependence on BLUE.

Thanks for the data MazeGen

PS: Don't forget to update the image Wink
Post 24 Mar 2007, 22:36
vid
Quote:
PS: Don't forget to update the image

Remind me on Monday after 12:00 Wink
Post 25 Mar 2007, 01:51
LocoDelAssembly
Alarm set Razz
Post 25 Mar 2007, 02:47
LocoDelAssembly
BTW, has someone here realised that this engine could be used by a virus to protect itself from being detected?

The polymorphism technique which is mentioned on the blog posted by vid is not too challenging for anti-virus programs because they can still search for a minimum pattern and, if it is found, proceed to decryption to see if it is a virus. But with metamorphism there is no chance for pattern searching. I wonder if some viruses use metamorphism and how future anti-virus programs will get rid of this technique (or do they do it already?).

Why can all the good things always be used for bad purposes too? Sad
Post 25 Mar 2007, 23:05
vid
the engine is not publicly available at all. Even the new SVKP is only available through a web interface. VX writers would have to create their own obfuscator
Post 25 Mar 2007, 23:45
MazeGen
LocoDelAssembly wrote:

Sorry but I'm not sure if you are referring to the same "dependencies", I mean using the environment (EFLAGS, registers, memory?) of a previous obfuscated code to obfuscate another. In my example above if I remove the instruction that belongs to the "cmp eax, 6f5105/ja label" (BLUE) obfuscation, the obfuscation for "mov eax, [esi]" (GREEN) doesn't work anymore because it has an EFLAGS (CF) dependence on BLUE.

Yeah, the obfuscator keeps track of the environment during the obfuscation process and therefore knows that CF is always set after JAE.
LocoDelAssembly wrote:
BTW, has someone here realised that this engine could be used by a virus to protect itself from being detected?

As vid already said, there is no way to get the engine. However, we are planning some public interface for the obfuscator for the future, but I can't say now if there would be a real possibility to apply the obfuscation to a virus.
LocoDelAssembly wrote:

I wonder if some viruses use metamorphism

I'm not aware of any worldwide virus using "metamorphism". A few of z0mbie's viruses use some kind of obfuscation, but I was told by my friend from an AV company that these viruses are very resistant to duplicate Smile so they are interesting only from an academic point of view. Let me know if you are interested, IIRC I have some paper about them somewhere there.
LocoDelAssembly wrote:
how future anti-virus programs will get rid of this technique (or do they do it already?).

The only chance is probably heuristic analysis. During this code and data flow analysis, the scanner is collecting data and if there is a certain number of suspicious actions, the code can be signed as dangerous (virus, spyware, ...).
This analysis is limited by real time though. For example, I'm now implementing a new additional layer of protection into my obfuscator which would be very time-consuming for the heuristic emulator (it will be quite time-consuming even in real time), so the modified code probably never gets emulated till the end at all...
Post 26 Mar 2007, 09:18
LocoDelAssembly
Quote:
As vid already said, there is no way to get the engine
I mean the idea, not the MazeGen itself Razz

Thanks again MazeGen!!

PS: About the paper, please not now, I must study for an exam tomorrow and such info catches my attention over anything else. Embarassed
Post 26 Mar 2007, 12:47
MazeGen
exam passed? Smile

Here goes that article, it is about the W95/Zmist virus by z0mbie:

http://www.peterszor.com/zmist.pdf

Quote:

The permutation is fairly slow because it is done only once
per infection of a machine. It consists of instruction
replacement, such as the reversing of branch conditions,
register moves replaced by push/pop sequences, alternative
opcode encoding, xor/sub and or/test interchanging, and
garbage instruction generation. The same engine, Real
Permutating Engine (RPME), is used in several viruses
including W95/Zperm, also written by Zombie.
That's just a slight introduction. There are more interesting articles:

Collection of z0mbie's articles:

http://vx.netlux.org/lib/?lang=EN&author=Z0mbie

Mental Driller also wrote a bunch of interesting articles on the topic:

http://vx.netlux.org/lib/?lang=EN&author=The%20Mental%20Driller

Have fun.
Post 29 Mar 2007, 18:28
LocoDelAssembly
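LocoDelAssembly's point earlier in the thread that metamorphism leaves "no chance for pattern searching", and the Szor description quoted just above of what the RPME permutation does (register moves as push/pop, xor/sub and or/test interchange, reversed branch conditions, garbage instructions), can be looked at together from the scanner's side. The Python below is an added example written for this thread; it is not code from the page, from MazeGen's obfuscator, or from any AV product or virus engine mentioned here. It undoes those four text-level rewrites on a constructed pair of instruction sequences, so that a signature computed over the canonical form matches both variants even though their raw text (and therefore their bytes) differ. The two sample routines, the garbage list and the rewrite rules are my own constructed illustration; the "alternative opcode encoding" from the quote is not handled because it disappears as soon as one works on decoded mnemonics instead of bytes, which is exactly why the example operates on text.

```python
import hashlib

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# Condition codes and their inverses, used to undo "reversed branch conditions".
INVERT = {"je": "jne", "jne": "je", "jz": "jnz", "jnz": "jz", "ja": "jbe", "jbe": "ja",
          "jb": "jae", "jae": "jb", "jg": "jle", "jle": "jg", "jl": "jge", "jge": "jl"}

def parse(text):
    """Drop comments and blank lines; entries are 'label:' or 'mnemonic op, op'."""
    lines = (line.split(";", 1)[0].strip() for line in text.lower().splitlines())
    return [line for line in lines if line]

def split(ins):
    mnem, _, rest = ins.partition(" ")
    return mnem, [o.strip() for o in rest.split(",")] if rest.strip() else []

def is_label(ins):
    return ins.endswith(":")

def same_reg(ops):
    return len(ops) == 2 and ops[0] == ops[1] and ops[0] in REGS

def is_garbage(mnem, ops):
    """Flag-neutral instructions with no architectural effect. 'add r, 0' is deliberately
    not listed: it rewrites EFLAGS, so dropping it could change behaviour."""
    return mnem == "nop" or (mnem in ("mov", "xchg") and same_reg(ops))

def rewrite_pass(ins):
    """One left-to-right pass applying the inverse of each permutation rule."""
    out, i = [], 0
    while i < len(ins):
        cur = ins[i]
        if is_label(cur):
            out.append(cur)
            i += 1
            continue
        mnem, ops = split(cur)
        has_next = i + 1 < len(ins) and not is_label(ins[i + 1])
        nmnem, nops = split(ins[i + 1]) if has_next else (None, [])
        if mnem == "push" and ops and ops[0] in REGS and nmnem == "pop" and nops and nops[0] in REGS:
            out.append(f"mov {nops[0]}, {ops[0]}")        # push r1 / pop r2 -> mov r2, r1
            i += 2
        elif mnem == "sub" and same_reg(ops):
            out.append(f"xor {ops[0]}, {ops[0]}")         # sub r, r -> xor r, r (zeroes r, same flags)
            i += 1
        elif mnem == "or" and same_reg(ops):
            out.append(f"test {ops[0]}, {ops[0]}")        # or r, r -> test r, r (r unchanged, same flags)
            i += 1
        elif mnem in INVERT and ops and nmnem == "jmp" and i + 2 < len(ins) and ins[i + 2] == ops[0] + ":":
            out.append(f"{INVERT[mnem]} {nops[0]}")       # jcc X / jmp Y / X: -> j!cc Y / X:
            out.append(ins[i + 2])
            i += 3
        elif is_garbage(mnem, ops):
            i += 1                                        # drop the garbage instruction
        else:
            out.append((mnem + " " + ", ".join(ops)).strip())
            i += 1
    return out

def drop_unreferenced_labels(ins):
    referenced = {op for cur in ins if not is_label(cur) for op in split(cur)[1]}
    return [cur for cur in ins if not is_label(cur) or cur[:-1] in referenced]

def normalize(text):
    """Rewrite to a fixed point: rules interact (push eax / pop eax -> mov eax, eax -> garbage)."""
    ins = parse(text)
    while (new := rewrite_pass(ins)) != ins:
        ins = new
    return drop_unreferenced_labels(ins)

def signature(text):
    """Signature over the canonical form rather than over raw text or bytes."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()

# Constructed sample: one routine before and after the rewrites the quote lists.
ORIGINAL = """
    mov ebx, eax
    xor ecx, ecx
    test eax, eax
    jne done
    inc ecx
done:
    ret
"""

VARIANT = """
    push eax            ; register move as push/pop
    pop ebx
    nop                 ; garbage
    sub ecx, ecx        ; xor/sub interchange
    xchg edx, edx       ; garbage
    or eax, eax         ; or/test interchange
    je fall             ; reversed branch condition plus an extra jmp
    jmp done
fall:
    inc ecx
done:
    ret
"""

if __name__ == "__main__":
    print("canonical forms equal:", normalize(ORIGINAL) == normalize(VARIANT))
    print("signature:", signature(VARIANT)[:16])
```

Running it reports that the two canonical forms are equal and prints the shared signature, while a byte or text signature of `VARIANT` would of course not match `ORIGINAL`. This is only a first normalisation layer: an engine that also renames registers, reorders basic blocks or emits garbage with live flag effects needs data-flow analysis rather than peephole rules, which is the "heuristic analysis" MazeGen describes a few posts earlier, with its real-time limit.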
Thanks Smile
Post 29 Mar 2007, 19:54
okasvi
I suggest reversing (studying Smile) Virus.Win32.Evol.c to see the most complete metamorph engine that I've seen or heard of that you can get your fingers at...


edit: and it's better than mistfall or w/e z0mbie made...
Post 29 Mar 2007, 22:22
MazeGen
Thanks for letting us know, it is really a metamorphic virus.

https://www.openrce.org/articles/full_view/27
Post 30 Mar 2007, 07:59
Vasilev Vjacheslav
try to search the internet for the z0mbie homepage archive, there were some metamorph and polymorph engines written in ANSI C and ASM, also check out 29A, there are also many different engines there: http://vx.netlux.org/29a/
Post 30 Mar 2007, 12:45
okasvi
Yes, z0mbie's codes are worth reading, but iirc mistfall uses some kind of padding so the code it obfuscates had to be aligned in a specific way.
Post 30 Mar 2007, 17:38
Gonzalo28
Is this obfuscation valid?
Sample:
Code:
format PE console
entry start

include "include/win32a.inc"

section '.data' data writeable   ; .data?
OutStdHandle dd ?

section '.code' code readable executable   ; .code
start:
     jmp _1
; Obfuscation init here
section '' readable   ; note: not flagged executable, so the code at _1 relies on NX not being enforced
_0__ db '@'
_1:
     push -11
     call [GetStdHandle]
     mov [OutStdHandle], eax
     push 2000
     call [Sleep]
     push 0
     call [ExitProcess]

section 'idata' import data readable      ;.idata
library kernel32, "kernel32.dll"
import kernel32,\
       GetStdHandle, 'GetStdHandle',\
       ExitProcess,'ExitProcess',\
       Sleep,'Sleep'

Disassembly listing generated by PE Explorer version 1.98
Only one part of the generated code is shown:
Code:
EntryPoint:
               db      E9h;   '©'
               db      FCh;   'ì'
               db      0Fh;
               db      00h;
               db      00h;
;------------------------------------------------------------------------------
             000001FBh DUP (??)
;
;
;------------------------------------------------------------------------------
;  Name:
;  Virtual Address:    00403000h  Virtual Size:    00000021h
;  Pointer To RawData: 00000600h  Size Of RawData: 00000200h
;
               db      40h;   '@'
               db      6Ah;   'j'
               db      F5h;   'å'
               db      FFh;   'ï'
               db      15h;
               db      46h;   'F'
               db      40h;   '@'
               db      40h;   '@'
               db      00h;
               db      A3h;   '?'
               db      00h;
               db      10h;
               db      40h;   '@'
               db      00h;
               db      68h;   'h'
               db      D0h;   ''
               db      07h;
               db      00h;
               db      00h;
               db      FFh;   'ï'
               db      15h;
               db      4Eh;   'N'
               db      40h;   '@'
               db      40h;   '@'
               db      00h;
               db      6Ah;   'j'
               db      00h;
               db      FFh;   'ï'
               db      15h;
               db      4Ah;   'J'
               db      40h;   '@'
               db      40h;   '@'
               db      00h;
;------------------------------------------------------------------------------
             000001DFh DUP (??)

Is it valid? Or is it a stupidity?

Disassembly listing without obfuscation:

Code:
EntryPoint:
               push    FFFFFFF5h
               call    [kernel32.dll!GetStdHandle]
               mov     [L00401000],eax
               push    000007D0h
               call    [kernel32.dll!Sleep]
               push    00000000h
               call    [kernel32.dll!ExitProcess]
;------------------------------------------------------------------------------
             000001E0h DUP (??)
Post 13 Feb 2008, 03:44
f0dder
It's pretty stupid. It wastes memory on a new section, and it doesn't confuse real disassemblers like IDA at all.
Post 13 Feb 2008, 10:43
Gonzalo28
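Gonzalo28's question and f0dder's answer can be checked mechanically. The Python below is an added example written for this thread; it is not code from the page, from PE Explorer or from IDA. It is a toy decoder that covers only the opcodes present in the two listings above, run once as a linear sweep over the unnamed section and once as a recursive traversal from the entry point. The addresses and bytes are the ones in the listings (0x401000 for OutStdHandle, 0x402000 for .code with its `E9` jump, 0x403000 for the unnamed section, 0x40404x for the import thunks); the function names, the `MEMORY` map and the decoder itself are my own.

```python
import struct

# Layout and bytes taken from the PE Explorer listings in the thread:
# .code at 0x402000 (entry point), the unnamed section at 0x403000,
# OutStdHandle at 0x401000, import thunks at 0x40404x.
CODE_BASE, DATA_BASE = 0x402000, 0x403000
CODE_BYTES = bytes.fromhex("E9FC0F0000")
DATA_BYTES = bytes.fromhex("406AF5FF1546404000A30010400068D0070000FF154E4040006A00FF154A404000")
MEMORY = {CODE_BASE: CODE_BYTES, DATA_BASE: DATA_BYTES}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def fetch(addr, n):
    """Return n bytes at addr, or None if they fall outside the known sections."""
    for base, data in MEMORY.items():
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    return None


def decode(addr):
    """Decode one instruction; returns (length, text, successor addresses) or None."""
    first = fetch(addr, 1)
    if first is None:
        return None
    op = first[0]
    if op == 0xE9:                                      # jmp rel32: no fall-through
        target = (addr + 5 + struct.unpack("<i", fetch(addr + 1, 4))[0]) & 0xFFFFFFFF
        return 5, f"jmp 0x{target:08X}", [target]
    if 0x40 <= op <= 0x47:                              # inc r32: the '@' byte is 0x40
        return 1, f"inc {REG32[op - 0x40]}", [addr + 1]
    if op == 0x6A:                                      # push imm8 (sign-extended)
        return 2, f"push {struct.unpack('<b', fetch(addr + 1, 1))[0]}", [addr + 2]
    if op == 0x68:                                      # push imm32
        return 5, f"push 0x{struct.unpack('<I', fetch(addr + 1, 4))[0]:08X}", [addr + 5]
    if op == 0xA3:                                      # mov [moffs32], eax
        return 5, f"mov [0x{struct.unpack('<I', fetch(addr + 1, 4))[0]:08X}], eax", [addr + 5]
    if op == 0xFF and fetch(addr + 1, 1) == b"\x15":    # call [disp32] through an import thunk
        # Assumed to return. ExitProcess never does; that is the kind of fact MazeGen's
        # "hints" hand to the obfuscator's disassembler, and that IDA gets from import names.
        return 6, f"call [0x{struct.unpack('<I', fetch(addr + 2, 4))[0]:08X}]", [addr + 6]
    raise ValueError(f"opcode {op:02X} at {addr:08X} is not covered by this toy decoder")


def linear_sweep(base, data):
    """Decode a section front to back, the way a plain listing tool does."""
    out, addr = [], base
    while addr < base + len(data):
        length, text, _ = decode(addr)
        out.append((addr, text))
        addr += length
    return out


def recursive_traversal(entry):
    """Follow control flow from the entry point, the way IDA-style tools do."""
    out, work = {}, [entry]
    while work:
        addr = work.pop()
        if addr in out:
            continue
        decoded = decode(addr)
        if decoded is None:                             # ran off the known bytes (section padding)
            continue
        length, text, successors = decoded
        out[addr] = text
        work.extend(successors)
    return sorted(out.items())


if __name__ == "__main__":
    print("linear sweep of the unnamed section:")
    for addr, text in linear_sweep(DATA_BASE, DATA_BYTES):
        print(f"  {addr:08X}  {text}")
    print("recursive traversal from the entry point:")
    for addr, text in recursive_traversal(CODE_BASE):
        print(f"  {addr:08X}  {text}")
```

Both strategies recover the real code. Recursive traversal never decodes 0x403000 at all, because the `E9` jump lands on 0x403001, and even the linear sweep mis-decodes only the single '@' byte (as `inc eax`) before resynchronising, since 0x40 is a one-byte opcode. That is f0dder's point in code form: a jump over one data byte in a fresh section buys nothing against either approach, and the extra section costs memory. The decoder also shows where real disassemblers need help of the kind MazeGen describes: it treats every `call [imm32]` as returning, which is wrong for ExitProcess, and here only the zero padding after the last call stops the traversal.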
ok thx Embarassed Very Happy
Post 13 Feb 2008, 15:39
Copyright © 1999-2020, Tomasz Grysztar.