Post on 30-Mar-2015

26/08/07

SHOCK

SHaastra Obfuscated Code Contest

Sriram K R, Vivek S

What is Obfuscation?

• Obfuscation is about concealing the meaning of communication by making it more confusing and harder to interpret.

• One definition of "code obfuscation" is a set of transformations on a program that preserve the same black-box specification while making the internals difficult to reverse-engineer. There turn out to be many such transformations.

• The job of a good obfuscator is to destroy as much as possible of the structure that makes a program human-readable.

Where is it used?

• It is used to deter reverse engineering attempts in languages like Java and the .NET family.

• Reverse obfuscation helps understand programs better.

• Obfuscated code is used by spammers to hide malicious JavaScript code in emails etc.

• Code size can be minimized by Obfuscation.

• Reducing variable name length

• Destroying structures and modules.

• It is done for recreational purposes.

International Contests

• Contests are held at the international level every year to test the obfuscation skills of the contestants.

• IOCCC : International Obfuscated C Code Contest

• IORCC : International Obfuscated Ruby Code Contest

• Annual Obfuscated Perl Contest

Some Examples

#include<stdio.h>

int main (int j,char**V){char*R=V[1],i=0,k=48;for(;*R>k;*++R|| puts(R-i))++i;for(;++k<58;*R && main(*R=k,V),*R=1) for(j=81;j --;) *R*=R[j-i]-k||i/9^j/9&&i%9^j%9&&i/27^j/27|i%9/3^j%9/3;}

This 176-character C program solves Sudoku!

#define _ -F<00||--F-OO--;

int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO()
{
            _-_-_-_
       _-_-_-_-_-_-_-_-_
    _-_-_-_-_-_-_-_-_-_-_-_
  _-_-_-_-_-_-_-_-_-_-_-_-_-_
 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_
  _-_-_-_-_-_-_-_-_-_-_-_-_-_
    _-_-_-_-_-_-_-_-_-_-_-_
        _-_-_-_-_-_-_-_
            _-_-_-_
}

The Tardy Bus problem

Given the following statements as premises:

1) If Bill takes the bus, then Bill misses his appointment, if the bus is late.

2) Bill shouldn't go home, if (a) Bill misses his appointment, and (b) Bill feels downcast.

3) If Bill doesn't get the job, then (a) Bill feels downcast, and (b) Bill should go home.

Is it valid to conclude:

Q1) that if Bill takes the bus, then Bill does get the job, if the bus is late? True

Q2) that Bill does get the job, if (a) Bill misses his appointment, and (b) Bill should go home? True
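
Both answers can be checked by brute force over the six atomic propositions: a conclusion is valid when no truth assignment satisfies all three premises and falsifies it. The following is an added example, not part of the original slides; the proposition names and the extra job_always conclusion are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* One bit per atomic proposition; the names are this example's own. */
enum { BUS, LATE, MISS, HOME, DOWN, JOB, NVARS };

static bool v(unsigned w, int p) { return (w >> p) & 1u; }
static bool implies(bool p, bool q) { return !p || q; }

/* Premises 1-3 from the slide, evaluated under one truth assignment w. */
static bool premises(unsigned w) {
    bool p1 = implies(v(w, BUS), implies(v(w, LATE), v(w, MISS)));
    bool p2 = implies(v(w, MISS) && v(w, DOWN), !v(w, HOME));
    bool p3 = implies(!v(w, JOB), v(w, DOWN) && v(w, HOME));
    return p1 && p2 && p3;
}

/* Q1 and Q2 as stated on the slide. */
static bool q1(unsigned w) {
    return implies(v(w, BUS), implies(v(w, LATE), v(w, JOB)));
}
static bool q2(unsigned w) {
    return implies(v(w, MISS) && v(w, HOME), v(w, JOB));
}
/* Constructed non-theorem, to show the checker can also answer "no". */
static bool job_always(unsigned w) { return v(w, JOB); }

/* Valid iff no assignment makes every premise true and the conclusion false. */
static bool entails(bool (*conclusion)(unsigned)) {
    for (unsigned w = 0; w < (1u << NVARS); w++)
        if (premises(w) && !conclusion(w))
            return false;
    return true;
}

int main(void) {
    printf("Q1 %d, Q2 %d, job_always %d\n",
           entails(q1), entails(q2), entails(job_always));
    return 0;
}
```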

Obfuscating Code

• Obfuscation and reversing it

• Language specific techniques

• C provides a lot of scope for obfuscation

• Learning by studying obfuscated programs

• Some examples

Reversing Obfuscation – An Example

main( _,__,___,____,_____) {long long ago=741760571427457290;__=2925166600716333;___=++_<<--_+_<<_;____ = _;_____ =( ___*((___<<_)-(_<<_)))+(_<<_)+1;_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;while(_---'_')write(____,&__,____);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>') +_____;write(____,&ago,___);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;while(_---'_')write(____,&__,____);printf("\n");}

The objective of the program is to print SHOCK surrounded by dashed lines.

Step 1 : Indent the program

main( _,__,___,____,_____) {

long long ago=741760571427457290;

__=2925166600716333;

___=++_<<--_+_<<_;____ = _;

_____ =( ___*((___<<_)-(_<<_)))+(_<<_)+1;_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;

while(_---'_')

write(____,&__,____);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;

write(____,&ago,___);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;while(_---'_')write(____,&__,____);

printf("\n");

}

Step 2 : Name variables properly

main( e,d,c,b,a) {

long long ago=741760571427457290;

d=2925166600716333;

c=++e<<--e+e<<e;b = e;

a =( c*((c<<e)-(e<<e)))+(e<<e)+1;e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;

while(e---'_')

write(b,&d,b);e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;

write(b,&ago,c);e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;while(e---'_')write(b,&d,b);

printf("\n");

}

Step 3 : Fix verbose statements

main( e,d,c,b,a) {

long long ago=741760571427457290;

d=2925166600716333;

c=++e<<--e+e<<e;b = e;

a =(c*((c<<e) - (e<<e)))+(e<<e)+1;

e=(e>>e-'>')+a;

while(e---'_')

write(b,&d,b);

e=(e>>e-'>')+a;

write(b,&ago,c);

e=(e>>e-'>')+a;

while(e---'_')

write(b,&d,b);

printf("\n");}

Step 3 : Resolve the constants

main( e,d,c,b,a) {

char ago[9]="\n\tSHOCK\n";

char f[2]="-";

c=++e<<--e+e<<e;b = e;

a =(c*((c<<e) - (e<<e)))+(e<<e)+1;

e=(e>>e-'>')+a;

while(e---'_')

write(b,&f,b);

e=(e>>e-'>')+a;

write(b,&ago,c);

e=(e>>e-'>')+a;

while(e---'_')

write(b,&f,b);

printf("\n");}

Resolve these constants by printing them

e = argc = 1

The final program

main( e,d,c,b,a) {

char ago[9]="\n\tSHOCK\n";

char f[2]="-";

c=8; b=1; a=115; e=115;

while(e---95)

write(1,&f,b);

e=209;

write(1,&ago,c);

e=115;

while(e---95)

write(1,&f,b);

printf("\n");}
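
The constants substituted in the steps above can be reproduced mechanically instead of by hand. The following is an added example, not part of the original slides: it decodes both integer constants byte by byte (the first is "\n\tSHOCK\n", the second starts with '-') and replays the arithmetic on e. The function names are this example's own, and it assumes a little-endian x86 target where shift counts are reduced mod 32.

```c
#include <stdio.h>
#include <string.h>

/* Bytes of an integer constant in little-endian order, i.e. what
   write(fd, &v, n) emits on the x86 build the slides assume.
   out must have room for n + 1 bytes. */
static void le_bytes(unsigned long long v, size_t n, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(v >> (8 * i));
    out[n] = '\0';
}

/* e = (e >> e-'>') + a with the shift count reduced mod 32, as the x86
   shift instructions do. In C a negative or >= 32 count is undefined,
   so the mask is an assumption about the target, not portable C. */
static int next_e(int e, int a) {
    return (e >> ((e - '>') & 31)) + a;
}

/* while(e---'_') parses as while ((e--) - '_'). Returns the number of
   body executions and leaves *e as the loop would (one below '_'). */
static int dash_count(int *e) {
    int n = 0;
    while ((*e)-- - '_')
        n++;
    return n;
}

int main(void) {
    char s[9], d[2];
    le_bytes(741760571427457290ULL, 8, s);   /* the constant named ago */
    le_bytes(2925166600716333ULL, 1, d);     /* __, first byte only */
    /* argc = 1; c models the value the slides report for the
       unsequenced (undefined) expression ++_<<--_+_<<_ */
    int e = 1, c = 1 << (1 + 1) << 1;
    int a = c * ((c << e) - (e << e)) + (e << e) + 1;
    e = next_e(e, a);
    int start = e, dashes = dash_count(&e);
    printf("c=%d a=%d e=%d dashes=%d next e=%d\n",
           c, a, start, dashes, next_e(e, a));
    printf("dash byte '%s', ago bytes:", d);
    for (size_t i = 0; i < 8; i++)
        printf(" %02x", (unsigned char)s[i]);
    printf("\n");
    return 0;
}
```

Because the original depends on undefined behaviour in two places, a different compiler or architecture may not reproduce c=8, e=115 and e=209.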

Another example

#define _ sum

#define __ prod(

#define l ~0

#define r return

#define ___ )

sum(i){while(!i)r

1;r __ i , ~i , i

^i);}prod(i,j,k){

j = _ (i-1);while

(i-- && (j= ~j))

k= (j>>l-(l<< 5))

?k+((j^~j)

-j):k+j;r k;}

main(){printf("%d"

,_(5));}

Step 1 : Indentation

#define _ sum
#define __ prod(
#define l ~0
#define r return
#define ___ )

sum(i){
    while(!i) r 1;
    r __ i , ~i , i^i);
}
prod(i,j,k){
    j = _ (i-1);
    while (i-- && (j= ~j))
        k= (j>>l-(l<< 5))?k+((j^~j)-j):k+j;
    r k;
}
main(){
    printf("%d",_(5));
}

Step 2 : Resolve the defines

#define l ~0

sum(i){
    while(!i) return 1;
    return prod ( i , ~i , i^i);
}
prod(i,j,k){
    j = sum (i-1);
    while (i-- && (j= ~j))
        k= (j>>l-(l<< 5))?k+((j^~j)-j):k+j;
    return k;
}
main(){
    printf("%d",sum(5));
}

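Step 3 : Reduce complicated statements

sum(i){
    while(!i) return 1;
    return prod (i ,~i ,0);    /* i^i is always 0 */
}
prod(i,j,k){
    j = sum (i-1);
    /* l-(l<<5) is 31, so j>>31 only tests the sign of j;
       both branches of the ?: add sum(i-1) to k */
    while (i-- )
        k= k+j;
    return k;
}
main(){
    printf("%d",sum(5));
}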
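
A reduction like the one in Step 3 is worth confirming by running the original and the recovered logic side by side. The following is an added example, not part of the original slides: it keeps the obfuscated expressions intact (macros expanded, types made explicit) and compares them with a plain factorial. The names obf_sum, obf_prod, plain_factorial and first_mismatch are this example's own, and it assumes a 32-bit int with arithmetic right shift of negative values.

```c
#include <stdio.h>

/* l-(l<<5) = -1 - (-32) = 31, written out here to avoid
   left-shifting a negative value. */
#define SIGN_SHIFT 31

static int obf_sum(int i);

/* The obfuscated prod() with its original loop condition and ?: body. */
static int obf_prod(int i, int j, int k) {
    j = obf_sum(i - 1);
    while (i-- && (j = ~j))
        /* j>>31 is non-zero only for negative j; (j^~j)-j is -1-j == ~j */
        k = (j >> SIGN_SHIFT) ? k + ((j ^ ~j) - j) : k + j;
    return k;
}

static int obf_sum(int i) {
    while (!i)
        return 1;
    return obf_prod(i, ~i, i ^ i);
}

/* What the reversing steps arrive at: i copies of (i-1)! added up, i.e. i!. */
static int plain_factorial(int n) {
    int f = 1;
    for (int i = 2; i <= n; i++)
        f *= i;
    return f;
}

/* First n in [0, limit] where the two disagree, or -1 if there is none. */
static int first_mismatch(int limit) {
    for (int n = 0; n <= limit; n++)
        if (obf_sum(n) != plain_factorial(n))
            return n;
    return -1;
}

int main(void) {
    /* 12! is the largest factorial that fits in a 32-bit int */
    printf("sum(5) = %d, first mismatch up to 12: %d\n",
           obf_sum(5), first_mismatch(12));
    return 0;
}
```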

The C Preprocessor

• Using defines to obfuscate code

• Macros : Recursion and Precedence

• The cpp instruction set is Turing Complete

• Reversing with the help of cpp

What you need to participate?

• Experience with programming in C

Additional skills that can help :

• Knowing other languages

• Some experience with logical puzzles etc

• Bad programming practices

What might not really help:

• Knowledge of obscure C constructs / functions

• Formal introduction to logic

Event Format

• Prelims

  – Written

  – Questions on logic and code obfuscation

  – Time : 30 – 45 mins

• Finals :

  – Two rounds

    • Forward : You will be given a problem statement and some plain code and asked to obfuscate. Judges will award points to the obfuscated code based on certain criteria.

    • Reverse : You will be asked to make sense out of obfuscated code.

• Finals - Forward Round :

  – Broadly, short and creative code will fetch more points

  – Some of the possible criteria :

    • Size / Number of Statements

    • Flow of control

    • Hiding constants

    • Syntax abuse

    • Legibility of code

    • Code shape etc

• Finals – Reverse round :

  – You might be asked to

    • Predict the output

    • Swat bugs

    • Interface with the given code etc