Old 03-21-2005, 21:10
auroras
 
Obfuscation - Proof of concept

Hi all

I was just wondering whether the following form of obfuscation will work. It seems to me that it should work against current image dumpers, and if so, how would one go about 'de-obfuscating' it.

The way is for the code to decode itself, without using any external decoders, and such that at no time will an entire copy of the code be present in memory. I have used simple mov [ds:si], xxxx instructions, where ds = cs, to generate instructions in real time starting at where older code used to be. Where there are decisions, only one of those decisions will be generated. Theoretically, other things can also be done, but probably not by hand.

I hacked up the following in debug, and it works so far (since it is in debug, all code has CS:100 as base). It is a simple function that will return a magic number based on the input in BX.

The original code is:
0BEE:0100 81FB5050 CMP BX,5050
0BEE:0104 7403 JZ 0109
0BEE:0106 31C0 XOR AX,AX
0BEE:0108 C3 RET
0BEE:0109 B83412 MOV AX,1234
0BEE:010C C3 RET

I decided to have 2 layers of decode, so the XOR AX, AX; RET and MOV AX, 1234; RET will be generated by generated code. This is what I have after encoding:

; (assumption: the encoder itself is assembled above the region it writes,
;  e.g. "a 200" in debug, so the stores below never overwrite it)
; Create CMP BX, 5050; JZ ??? <- we will decide where ??? later
; The created code will reside in CS:100
push cs
pop ds                  ; ds = cs, so [si] addresses the code segment
mov si, 100
mov ax, FB81            ; stored low byte first: 81 FB
mov [si], ax
inc si
inc si
mov ax, 5050            ; 50 50 -> CMP BX,5050 complete
mov [si], ax
inc si
inc si
mov ax, 1274            ; 74 12 -> JZ 0118, the generator for mov ax, 1234; ret
mov [si], ax
; Create the code to create xor ax, ax; ret - see commented code below
; (18 bytes at CS:106-117, one word per store, low byte first)
inc si
inc si
mov ax, 00BE            ; BE 00 .. MOV SI,0100
mov [si], ax
inc si
inc si
mov ax, B801            ; .. 01 | B8 .. MOV AX,C031
mov [si], ax
inc si
inc si
mov ax, C031            ; .. 31 C0
mov [si], ax
inc si
inc si
mov ax, 0489            ; 89 04 MOV [SI],AX
mov [si], ax
inc si
inc si
mov ax, 4646            ; INC SI; INC SI
mov [si], ax
inc si
inc si
mov ax, C3B8            ; B8 C3 .. MOV AX,90C3
mov [si], ax
inc si
inc si
mov ax, 8990            ; .. 90 | 89 .. MOV [SI],AX (this store writes the RET)
mov [si], ax
inc si
inc si
mov ax, EB04            ; .. 04 | EB .. JMP
mov [si], ax
inc si
inc si
mov ax, 90E9            ; .. E9 -> JMP 0100 | 90 pad
mov [si], ax

; This code is the code to create xor ax, ax; ret
; The code will reside in CS:106
; It will be created
;0BEE:0106 BE0001 MOV SI,0100
;0BEE:0109 B831C0 MOV AX,C031
;0BEE:010C 8904 MOV [SI],AX
;0BEE:010E 46 INC SI
;0BEE:010F 46 INC SI
;0BEE:0110 B8C390 MOV AX,90C3
;0BEE:0113 8904 MOV [SI],AX
;0BEE:0115 EBE9 JMP 0100

; Create the code to create mov ax, 1234; ret - see commented code below
; (18 bytes at CS:118-129, where the JZ above lands)
inc si
inc si
mov ax, 06BE            ; BE 06 .. MOV SI,0106
mov [si], ax
inc si
inc si
mov ax, B801            ; .. 01 | B8 .. MOV AX,34B8
mov [si], ax
inc si
inc si
mov ax, 34B8            ; .. B8 34
mov [si], ax
inc si
inc si
mov ax, 0489            ; 89 04 MOV [SI],AX
mov [si], ax
inc si
inc si
mov ax, 4646            ; INC SI; INC SI
mov [si], ax
inc si
inc si
mov ax, 12B8            ; B8 12 .. MOV AX,C312
mov [si], ax
inc si
inc si
mov ax, 89C3            ; .. C3 | 89 .. MOV [SI],AX
mov [si], ax
inc si
inc si
mov ax, EB04            ; .. 04 | EB .. JMP
mov [si], ax
inc si
inc si
mov ax, 90DD            ; .. DD -> JMP 0106 | 90 pad
mov [si], ax

; This code is the code to create mov ax, 1234; ret
; The generator resides in CS:118, and just to spice things up, I will put
; the generated code in 106 instead of 100
; It will be created
;0BEE:0118 BE0601 MOV SI,0106
;0BEE:011B B8B834 MOV AX,34B8
;0BEE:011E 8904 MOV [SI],AX
;0BEE:0120 46 INC SI
;0BEE:0121 46 INC SI
;0BEE:0122 B812C3 MOV AX,C312
;0BEE:0125 8904 MOV [SI],AX
;0BEE:0127 EBDD JMP 0106

jmp 100


Aur
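The question at the end of the post ("how would one go about de-obfuscating it") has a direct answer for this kind of stub: replay the stores. Since the whole trick is a chain of mov [si],ax writes followed by a jump into what was just written, an analyst does not need a full dump of memory at the right instant; a tiny emulator that understands only the handful of opcodes the stub uses can follow each branch and report what finally sits at CS:0100. The script below is an added example, not the poster's code. Its ENCODER_WORDS list is a transcription of the encoder's word stores, with the JZ displacement and the final JMP of each generator set to 0118, 0100 and 0106 respectively so that each generator also stores its own RET before jumping; the opcode subset, the function names and the constructed memory image are all assumptions made for the example.

```python
"""Emulator for the self-decoding stub discussed in the post, so that code
which is never present in memory all at once can be recovered without running
it natively.  Added example, not the poster's code.  Only the 8086 opcodes the
stub uses are implemented: MOV SI,imm / MOV AX,imm / MOV [SI],AX / INC SI /
JMP rel8 / JZ rel8 / CMP BX,imm / XOR AX,AX / RET / NOP."""

# The encoder's word stores, in order (constructed for this example; each word
# is stored little-endian at CS:0100, 0102, 0104, ...).  The JZ displacement
# and the two generators' final JMPs are the corrected values (JZ 0118,
# JMP 0100, JMP 0106) so that every generator also stores its RET.
ENCODER_WORDS = [
    0xFB81, 0x5050, 0x1274,                        # CMP BX,5050 ; JZ 0118
    0x00BE, 0xB801, 0xC031, 0x0489, 0x4646,        # layer 1 generator at 0106
    0xC3B8, 0x8990, 0xEB04, 0x90E9,                #   builds XOR AX,AX; RET at 0100
    0x06BE, 0xB801, 0x34B8, 0x0489, 0x4646,        # layer 2 generator at 0118
    0x12B8, 0x89C3, 0xEB04, 0x90DD,                #   builds MOV AX,1234; RET at 0106
]

def load_encoder(words, base=0x100):
    """Replay the encoder's stores into a 64 KiB segment image."""
    mem = bytearray(0x10000)
    for i, w in enumerate(words):
        mem[base + 2 * i] = w & 0xFF
        mem[base + 2 * i + 1] = w >> 8
    return mem

def run(mem, bx, ip=0x100, max_steps=200):
    """Execute from ip with the given BX.  Returns (ax, trace) where trace is a
    list of (ip, mnemonic).  Any opcode outside the subset raises, so an analyst
    notices immediately if the stub starts doing something new."""
    ax = si = 0
    zf = False
    trace = []
    def s8(b):                       # sign-extend a rel8 displacement
        return b - 0x100 if b & 0x80 else b
    def imm16(at):
        return mem[at] | (mem[at + 1] << 8)
    for _ in range(max_steps):
        op, nxt = mem[ip], mem[ip + 1]
        if op == 0xBE:
            si = imm16(ip + 1); trace.append((ip, f"MOV SI,{si:04X}")); ip += 3
        elif op == 0xB8:
            ax = imm16(ip + 1); trace.append((ip, f"MOV AX,{ax:04X}")); ip += 3
        elif op == 0x89 and nxt == 0x04:
            mem[si], mem[si + 1] = ax & 0xFF, ax >> 8       # the self-modifying store
            trace.append((ip, f"MOV [SI],AX  ; {si:04X} <- {ax & 0xFF:02X} {ax >> 8:02X}"))
            ip += 2
        elif op == 0x46:
            si = (si + 1) & 0xFFFF; trace.append((ip, "INC SI")); ip += 1
        elif op == 0xEB:
            tgt = (ip + 2 + s8(nxt)) & 0xFFFF; trace.append((ip, f"JMP {tgt:04X}")); ip = tgt
        elif op == 0x74:
            tgt = (ip + 2 + s8(nxt)) & 0xFFFF; trace.append((ip, f"JZ {tgt:04X}"))
            ip = tgt if zf else ip + 2
        elif op == 0x81 and nxt == 0xFB:
            zf = (bx == imm16(ip + 2)); trace.append((ip, f"CMP BX,{imm16(ip + 2):04X}")); ip += 4
        elif op == 0x31 and nxt == 0xC0:
            ax, zf = 0, True; trace.append((ip, "XOR AX,AX")); ip += 2
        elif op == 0xC3:
            trace.append((ip, "RET")); return ax, trace
        elif op == 0x90:
            trace.append((ip, "NOP")); ip += 1
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {ip:04X}")
    raise RuntimeError("step limit reached (a generator jumping back into itself?)")

def recover(bx):
    """Decode the stub for one input: returns the AX it hands back, the ten
    bytes left at CS:0100 once that branch has rewritten itself, and the trace."""
    mem = load_encoder(ENCODER_WORDS)
    ax, trace = run(mem, bx)
    return ax, bytes(mem[0x100:0x10A]).hex(" ").upper(), trace

if __name__ == "__main__":
    for bx in (0x5050, 0x0000):
        ax, code, trace = recover(bx)
        print(f"BX={bx:04X}: AX={ax:04X}, CS:0100 = {code}")
        for at, mnem in trace:
            print(f"  {at:04X} {mnem}")
```

Running it with both inputs shows the point of the technique and of its analysis: for BX=5050 the image ends up as the CMP/JZ followed by MOV AX,1234; RET at 0106, while for any other BX the first four bytes at 0100 become XOR AX,AX; RET and the comparison is gone. Because only the branch that was taken is ever materialised, a single memory snapshot recovers one path; covering both requires running the emulation once per decision, which is what the loop in the main block does. The step limit is the cheap defence against a generator whose tail jump lands back on itself.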