code obfuscation 10**2+(2*a+3)%2 - synacktiv · me@jsecin:/ $ whoami gaetan ferry @mabo^w not on...
TRANSCRIPT
![Page 1: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/1.jpg)
When 2018/11/29Where JSecInWho Gaetan FerryWhy For fun!
Code Code Obfuscation 10**2+(2*a+3)%2Obfuscation 10**2+(2*a+3)%2
![Page 2: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/2.jpg)
me@JSecIN:/ $ whoami
Gaetan Ferry
@mabo^W Not on twitter
Security expert @Synacktiv :
Offensive security company : pentest, red team, reverse/exploit…
Pentest team peon:
1 me / 17 pentester / 41 ninjas
Breaking things since 2012
Web, internal, external, IOT, indus, cloud
![Page 3: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/3.jpg)
WE WANT YOU FOR OUR NINJA ARMY !
![Page 4: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/4.jpg)
INTRODUCTION
![Page 5: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/5.jpg)
Why this presentation?
Why not?
Obfuscation is an undervalued domain■ Usefulness often discussed■ Defined as security by obscurity
Therefore abandoned
Therefore unknown→ We want to redeem obfuscation
![Page 6: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/6.jpg)
What is in this presentation?
Objectives of a proper obfuscation
Details of classic obfuscation patterns
Implementation with / for Python
Examples and …
…demos (pray demo gods)
![Page 7: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/7.jpg)
WHAT IS OBFUSCATION ?
![Page 8: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/8.jpg)
A bit of theory
Let P be the set of all programs and T a set of transformations such as:
Ti : P → P
Ti is an obfuscation transformation if and only if:
- out(Ti(P
k)) == out(P
k)
- analysis of Ti(P
k) is harder than analysis of P
k
Ti is considered efficient if the knowledge of T
i(P
k) is equivalent to having a black-box oracle
of Pk.
![Page 9: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/9.jpg)
A bit of theory
Let P be the set of all programs and T a set of transformations such as:
Ti : P → P
Ti is an obfuscation transformation if and only if:
- out(Ti(P
k)) == out(P
k)
- analysis of Ti(P
k) is harder than analysis of P
k
Ti is considered efficient if the knowledge of T
i(P
k) is equivalent to having a black-box oracle
of Pk.
![Page 10: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/10.jpg)
This is not what we are doing
Obfuscation does not stand well theory
Theoretical results are demoralizing In general cases obfuscation is impossible Some exceptions: point functions
Let's go with a more pragmatic approach
![Page 11: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/11.jpg)
A more pragmatic approach
Process of complicating programs Take a beautiful well written program Transform it in some way Retrieve an obscure ugly program
Two rules to follow Resulting program is semantically equivalent More difficult to analyze and understand
![Page 12: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/12.jpg)
A more pragmatic approach
Process of complicating programs Take a beautiful well written program Transform it in some way Retrieve an obscure ugly program
Two rules to follow Resulting program is semantically equivalent More difficult to analyse and understand
![Page 13: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/13.jpg)
Why do you want obfuscation?
Useful for good and bad guys
![Page 14: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/14.jpg)
Why do you want obfuscation?
Useful for good and bad guys
Protect industrial secretsDiscourage hackers who open the thing
![Page 15: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/15.jpg)
Why do you want obfuscation?
Useful for good and bad guys
Protect industrial secretDiscourage hackers who open the thing
Bypass sandbox / antivirus detectionPrevent reverse engineering by the good guys
![Page 16: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/16.jpg)
LET'S OBFUSCATE THINGS
![Page 17: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/17.jpg)
How to complicate a program?
Remove as much information as possible
Three main directions: Abstractions Data Control flow
We need to obfuscate each kind
![Page 18: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/18.jpg)
How to complicate a program?
Abstractions
Data
Control flow
![Page 19: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/19.jpg)
LET'S OBFUSCATE ABSTRACTIONS
![Page 20: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/20.jpg)
Program abstractions
Abstractions help understand programs
→ Imagine a program without proper function names or convoluted class hierarchy !
Giveaway much of the program semantic Division in semantic blocks Role of the blocks
Sensitive abstractions: Variables Functions Classes
![Page 21: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/21.jpg)
Names obfuscation
First step of a successful obfuscation Remove meaningful names from the code Replace with random or unrelated ones
This information is unrecoverable! \o/
EZ as 123: Search for all declarations functions, variables, class Replace at each usage location
![Page 22: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/22.jpg)
Names obfuscationdef power(number, exponent) {
count = numberwhile (exponent > 1) {
count = count * numberexponent = exponent - 1
}return count
}
power(2, 10)
DefinitionUsage
def toast(number, exponent) {count = numberwhile (exponent > 1) {
count = count * numberexponent = exponent - 1
}return count
}
toast(2, 10)
def toast(bread, butter) {salad = breadwhile (butter > 1) {
salad = salad * breadbutter = butter - 1
}return salad
}
toast(2, 10)
![Page 23: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/23.jpg)
Going further
Does not seem sufficient Still leaking information Program partitioning unchanged
We should try to break things
Ideas: Function inlining Merging / Splitting
Warning: Beware of introspection calls!
![Page 24: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/24.jpg)
Function mergingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
def mult(a, b) {count = 0while (b > 0){
count += ab -= 1
}return count
}
A = 2B = 3
C = add(A,B)D = mult(C,A)
![Page 25: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/25.jpg)
Function mergingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
def mult(a, b) {count = 0while (b > 0){
count += ab -= 1
}return count
}
def toast(a, b, c, d, e) {
if (e) {count = awhile (b > 0){
count += 1b -= 1
}return count
} else {count = 0while (d > 0){
count += cd -= 1
}return count
}}
A = 2B = 3
C = add(A,B)D = mult(C,A)
A = 2B = 3
C = toast(A,B,B,A,true)D = toast(A,C,C,A,false)
![Page 26: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/26.jpg)
Function merging - smarterdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
def mult(a, b) {count = 0while (b > 0){
count += ab -= 1
}return count
}
def toast(a, b, e) {if (e) {
count = aadd = 1
} else {count = 0add = a
}while (b > 0){
count += addb -= 1
}return count
}
A = 2B = 3
C = add(A,B)D = mult(C,A)
A = 2B = 3
C = toast(A,B,true)D = toast(C,A,false)
![Page 27: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/27.jpg)
(disappointing) DEMO
![Page 28: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/28.jpg)
Before
After
![Page 29: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/29.jpg)
LET'S OBFUSCATE DATA
![Page 30: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/30.jpg)
Program data
All programs contain data: Numbers, strings, arrays, etc
Often (always) discloses important information: Status / debug messages Important constants (MD5, AES S-Box, etc)
We want to hide those nasty values ! In our example: integers
![Page 31: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/31.jpg)
Program data
All programs contain data: Numbers, strings, arrays, etc
Often (always) discloses important information: Status / debug messages Important constants (MD5, AES S-Box, etc)
We want to hide those nasty values ! In our example: integers
USE OPAQUE PREDICATES !
![Page 32: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/32.jpg)
Opaque predicates and values
One of the core concepts of obfuscation
We want to build expressions for which: Value is known at obfuscation time At run time value is hard to determine
When value is a boolean it's a predicate
![Page 33: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/33.jpg)
Opaque predicates – naive idea
![Page 34: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/34.jpg)
Opaque predicates – naive idea
Open a mathematics course book
Ctrl + F “demonstrate that“
Profit
Examples: (n² + n) % 2 = 0 If n is odd : n² % 8 = 1 (3 (2n + 2) + 1) % 8 = 2
![Page 35: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/35.jpg)
Opaque predicates – naive ideadef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
![Page 36: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/36.jpg)
Opaque predicates – naive ideadef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
(n² + n) % 2 = 0 n² % 8 = 1
![Page 37: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/37.jpg)
Opaque predicates – naive ideadef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
(n² + n) % 2 = 0 n² % 8 = 1
def add(a, b){count = an = rand()while (b > (n² + n) % 2){
count += n² % 8b -= n² % 8
}return count
}
![Page 38: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/38.jpg)
Opaque predicates – naive ideadef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
(n² + n) % 2 = 0 n² % 8 = 1
def add(a, b){count = an = rand() * 2 + 1while (b > (n² + n) % 2){
count += n² % 8b -= n² % 8
}return count
}
???
![Page 39: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/39.jpg)
Opaque predicates – naive ideadef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
(n² + n) % 2 = 0 n² % 8 = 1
def add(a, b){count = an = rand() * 2 + 1while (b > (n² + n) % 2){
count += n² % 8b -= n² % 8
}return count
}
???def add(a, b){
count = awhile (b > (a² + a) % 2){
n = count*2+1count += (n)² % 8b -= n² % 8
}return count
}
![Page 40: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/40.jpg)
Opaque predicates – naive idea
Problem:
Smart cat is smart! Smart cat knows mathematics!
Attacking those predicates is easy: Build a collection of mathematics results Pattern match known relations Replace
We can do better
![Page 41: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/41.jpg)
Array aliasing
Let's build our own mathematical results Create an array Decide properties Initialize the array respecting the properties
Then use the properties like previously
![Page 42: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/42.jpg)
Array aliasing
Example:
3 == A[1]%A[4] A[2] == A[5]%A[4]
1 == A[5]%A[8] A[9] == A[0]%A[8]
A = [17,53,3,5,1,8,25,33,4,1]
== 3 mod 5 == 1 mod 4
![Page 43: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/43.jpg)
Array aliasingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
0 == A[5]%A[3] - A[1]%A[3]1 == A[4]%A[8]1 == A[0]%A[8]
![Page 44: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/44.jpg)
Array aliasingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
count = awhile (b > A[5]%A[3]-A[1]%A[3]){
count += A[4]%A[8]b -= A[0]%A[8] }
return count}
0 == A[5]%A[3] - A[1]%A[3]1 == A[4]%A[8]1 == A[0]%A[8]
![Page 45: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/45.jpg)
Array aliasing
Still insufficient: Global array is static Attacker can globally replace values
We need to bring indecision in!
Idea: change the array during the program’s execution Hard! (e.g. How to know the state in function bodies?)
![Page 46: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/46.jpg)
Array aliasing
Still insufficient: Global array is static Attacker can globally replace values
We need to bring indecision in
Idea: change the array during the program’s execution Hard! (e.g. How to know the state in function bodies?) But not if you keep the properties
![Page 47: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/47.jpg)
Array aliasing
Example:
3 == A[1]%A[4] A[2] == A[5]%A[4]
1 == A[5]%A[8] A[9] == A[0]%A[8]
A = [17,53,3,5,1,8,25,33,4,1]== 3 mod 5 == 1 mod 4
+ A[3] + A[8]
![Page 48: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/48.jpg)
Array aliasing
Example:
3 == A[1]%A[4] A[2] == A[5]%A[4]
1 == A[5]%A[8] A[9] == A[0]%A[8]
A = [17,53,3,5,1,8,25,33,4,1]== 3 mod 5 == 1 mod 4
+ A[3] + A[8]
A = [25,58,3,5,5,33,17,8,4,1]
OK
![Page 49: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/49.jpg)
Array aliasingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}add(2,3)
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
count = awhile (b > A[5]%A[3]-A[1]%A[3]){
count += A[4]%A[8]b -= A[0]%A[8] }
return count}add(2,3)
0 == A[5]%A[3] - A[1]%A[3]1 == A[4]%A[8]1 == A[0]%A[8]
![Page 50: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/50.jpg)
Array aliasingdef add(a, b){
count = awhile (b > 0){
count += 1b -= 1
}return count
}add(2,3)
0 == A[5]%A[3] - A[1]%A[3]1 == A[4]%A[8]1 == A[0]%A[8]
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
A[0]=A[4]count = awhile (b > A[5]%A[3]-A[1]%A[3]){
A[4] += A[0]%A[8]count += A[4]%A[8]b -= A[0]%A[8] }
return count}A[5]=(A[1]+A[7])%A[4]+A[7]add(2,3)
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
count = awhile (b > A[5]%A[3]-A[1]%A[3]){
count += A[4]%A[8]b -= A[0]%A[8] }
return count}add(2,3)
![Page 51: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/51.jpg)
Array aliasing
Results Data now changes at each run Function add change
Guessing the value of add(2,3) now requires analyzing more than just the add function
Result might change at each call
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
A[0]=A[4]count = awhile (b > A[5]%A[3]-A[1]%A[3]){
A[4] += A[0]%A[8]count += A[4]%A[8]b -= A[0]%A[8] }
return count}A[5]=(A[1]+A[7])%A[3]+A[7]c = add(2,3)A[5]=(A[1]+A[7])%A[3]+A[7]D = add(2,3)C == D ???
![Page 52: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/52.jpg)
Array aliasing
Results Data now change at each run Function add change
Guessing the value of add(2,3) now require analyzing more than just the add function
Result might change at each call
A = [17,53,3,5,1,8,25,33,4,1]def add(a, b){
A[0]=A[4]count = awhile (b > A[5]%A[3]-A[1]%A[3]){
A[4] += A[0]%A[8]count += A[4]%A[8]b -= A[0]%A[8] }
return count}A[5]=(A[1]+A[7])%A[3]+A[7]c = add(2,3)A[5]=(A[1]+A[7])%A[3]+A[7]D = add(2,3)C == D ???
![Page 53: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/53.jpg)
DEMO
![Page 54: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/54.jpg)
Before
After
![Page 55: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/55.jpg)
LET'S OBFUSCATE CONTROL FLOW
![Page 56: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/56.jpg)
Control Flow Graph
All programs make use of control instructions– if, while, for, switch, etc
They define a “Control Flow Graph” Composed of test and instructions blocks Define which instruction is executed when Wise attacker can deduce information of the CFG
We want to obfuscate that
![Page 57: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/57.jpg)
Control Flow Graph - ExampleN = RAND()C = 2if (N % 2 == 0) {
while (N > 0) {C = C * CN = N - 1
}} else {
C = 0}print(C)
N = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
![Page 58: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/58.jpg)
Control Flow Graph – Naive (?)
Ideas: Add dead branches Duplicate branches
Increases the amount of code to analyze
→ Use opaque predicates !
![Page 59: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/59.jpg)
Control Flow Graph - ExampleN = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
N = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
N % 4 == 0
C = 1N % 2 == 0
N = -(- N + 1)C = C² / C
![Page 60: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/60.jpg)
Control Flow Graph - ExampleN = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
N = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
N % 4 == 0
C = 1N % 2 == 0
N = -(- N + 1)C = C³ / C
![Page 61: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/61.jpg)
Control Flow Graph – Flattening
Can we do better (i.e. destroy the graph) ?
Yes! We can flatten the graph Technique called Chenxification after Chenxi Wang Improved by Lazlo & Kiss
The idea: Replace the whole program by a big switch / case Put all instruction blocks in it Jump on blocks depending on a control value
![Page 62: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/62.jpg)
Control Flow Graph - ExampleN = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
ctrl = 0
Switch(ctrl)
N = RAND()C = 2ctrl = 1
C = 0ctrl = 4
C = C * CN = N – 1ctrl = 2
print(C)ctrl = 123
N%2=0 ? ctrl = 2 : ctrl = 3
1 3
N > 0 ? ctrl = 5 : ctrl = 4
2
4
5
![Page 63: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/63.jpg)
Control Flow Graph - ExampleN = RAND()C = 2
N % 2 == 0
N > 0
C = C * CN = N - 1
C = 0
print(C)
ctrl = 0
Switch(ctrl)
N = RAND()C = 2ctrl = 1
C = 0ctrl = 4
C = C * CN = N – 1ctrl = 2
print(C)ctrl = 123
N%2=0 ? ctrl = 2 : ctrl = 3
1 3
N > 0 ? ctrl = 5 : ctrl = 4
2
4
5
![Page 64: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/64.jpg)
Control Flow Graph - Examplectrl = 0
Switch(ctrl)
N = RAND()C = 2ctrl = 1
C = 0ctrl = 4
C = C * CN = N – 1ctrl = 2
print(C)ctrl = 123
N%2=0 ? ctrl = 2 : ctrl = 3
0
1 3
N > 0 ? ctrl = 5 : ctrl = 4
2 4
5
![Page 65: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/65.jpg)
Control Flow Graph - Examplectrl = 0
Switch(ctrl)
N = RAND()C = 2ctrl = 1
C = 0ctrl = 4
C = C * CN = N – 1ctrl = 2
print(C)ctrl = 123
N%2=0 ? ctrl = 2 : ctrl = 3
0
1 3
N > 0 ? ctrl = 5 : ctrl = 4
2 4
5
END
123
![Page 66: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/66.jpg)
DEMO
![Page 67: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/67.jpg)
Before
After
![Page 68: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/68.jpg)
PUTTING IT ALL TOGETHER
![Page 69: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/69.jpg)
Putting it all together
We have three obfuscation transforms
We should be able to combine them Choose the correct order to maximize efficiency Use data obfuscation to mask flattening control Optionally iterate some transforms
Keep in mind the performance impact The execution time can increase significantly The program size can explode Maybe necessary to target sensitive functions
![Page 70: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/70.jpg)
Putting it all together
Keep in mind the performance loss
SIZE TIME
FLATTENING + 100 % < +10 %
RENAMING +0 % +0 %
ARRAY ALIASING
x 10 +11 %
![Page 71: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/71.jpg)
DEMO
![Page 72: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/72.jpg)
Before
After
![Page 73: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/73.jpg)
Conclusion
We achieve a nice looking obfuscation Using somehow simple transforms
But might not hold against advanced analysis In particular dynamic analysis
→ Debugging, Symbolic execution, etc
What about dynamic obfuscation?→ Self modifying programs, white box crypto, etc
![Page 74: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/74.jpg)
Conclusion
We achieve a nice looking obfuscation Using somehow simple transforms
But might not hold against advanced analysis In particular dynamic analysis
→ Debugging, Symbolic execution, etc
What about dynamic obfuscation?→ Self modifying programs, white box crypto, etc
![Page 75: Code Obfuscation 10**2+(2*a+3)%2 - Synacktiv · me@JSecIN:/ $ whoami Gaetan Ferry @mabo^W Not on twitter Security expert @Synacktiv : Offensive security company : pentest, red team,](https://reader033.vdocument.in/reader033/viewer/2022042301/5ecc34d33b23a768ed1915ad/html5/thumbnails/75.jpg)
Thank you for your attention
ANY QUESTIONS ?