SlideShare a Scribd company logo

Applying Anti-Reversing Techniques to Machine Code

Teodoro Cipresso
Teodoro Cipresso

CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015

Software
1 of 41
Download to read offline
CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Extreme care must be taken when applying anti-reversing techniques because most techniques ultimately change the machine code.  In the end, if a program does not run correctly, measuring how efficient or difficult to reverse engineer it is becomes meaningless [18].  Anti-reversing transformations performed on source code make a program more difficult to understand in both source and executable formats.  These transforms can expose compiler bugs because the program no longer looks like something a human would write.  [18] states “any compiler is going to have at least some pathological programs which it will not compile correctly.” 2
Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Compiler failures on “pathological” programs occur because compiler test cases are most often coded by people.  Test cases are not typically generated by some sophisticated tool that knows how to try every fringe case and surface every bug.  Therefore we should not be surprised if some compilers have difficulty with obfuscated source code.  We now investigate the technique Eliminating Symbolic Information as it applies to machine code.  We previously looked at this technique in Applying Anti-Reversing Techniques to Java Bytecode. 3
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Eliminating Symbolic Information calls for the removal of any meaningful symbolic information in machine code that is not important to the execution of the program, but serves to ease debugging or reuse of it by another program.  For example, if a Windows program references functions (methods) exported by one or more libraries (DLLs), the names of those methods will appear in the .idata (import data) section of the program binary.  In production versions of a program, the machine code doesn't directly contain any symbolic information from the original source code. In the executable:  Method names, variable names (etc..), and line numbers are all absent.  Only the machine instructions produced directly or indirectly by the compiler [9] are present. 4
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  This lack of information about the connection between the machine instructions and HLL source is unacceptable for purposes of debugging.  Therefore most modern compilers, like GCC, include an option to include debugging information into an executable.  The included debugging information allows a debugger to map one or more machine instructions back to a particular HLL statement [9].  To demonstrate symbolic information that is inserted into machine code to enable debugging of an application:  Calculator.cpp was compiled using the GNU C++ compiler (g++) with options to include debugging information and to generate assembly source instead of an executable (machine code). 5
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 6 Calculator.cpp
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  The GNU compiler stores debug information in the symbol tables (.stabs) section of the Windows PE header so that it will be loaded into memory as part of the program image.  The generated assembly language files CalculatorDebug.s on the next slide shows some of the debugging information inserted by GCC.  While this information is not a replacement for the original source code it does provide some helpful information to a reverser.  The GNU Project Debugger (GDB) is a source-level debugger and therefore must access the HLL source file to make use of the debugging information. 7
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 8 CalculatorDebug.cpp
Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Debugging information can give plenty of hints to a reverse engineer, such as the count and type of parameters one must pass to a given method.  An obvious recommendation is to ensure the code is not compiled with debugging information before shipment to end-users.  The hunt for symbolic information doesn't end with information embedded by debuggers; actually it rarely begins there.  Eliminating symbolic information in machine code is difficult, therefore we’ll manually implement some familiar techniques to obfuscate the information.  First, we will take a detour to look at obfuscation of source code and what use cases it might address. 9
Applying Anti-Reversing Techniques to Machine Code Source Code Obfuscation  Obfuscating the Program calls for performing transformations to the source or machine code that would render either code extremely difficult to understand but functionally equivalent to the original.  When delivering software to customers, they may require the source code so that the product can be compiled using in-house build and audit procedures.  In the likely event that the source code contains intellectual property, it can be obfuscated without changing the the resultant machine code.  To demonstrate source code obfuscation, COBF [23], a free C/C++ source code obfuscator was configured and given Calculator.cpp.  Stunnix C/C++ is a commercial source code obfuscator. 10
11 cobf.h CalculatorObf.cpp
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  [19] states “Obfuscation of Java bytecode is possible for the same reasons that decompiling is possible: Java bytecode is standardized and well documented.”  Machine code is not standardized; instruction sets, formats, and program image layouts vary depending on the target platform architecture.  Tools to assist with obfuscating machine code are much more challenging to implement and expensive to acquire. (I have not found any free tools).  EXECryptor is an industrial-strength machine code obfuscator.  When applied to the machine code for the Password Vault application, EXECryptor rendered it extremely difficult to understand.  EXECryptor fails to start in Windows 8.1 due to an anti-debug error. 12
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  Direct machine code obfuscations can be hard to analyze or follow, so we'll perform obfuscations at the source code level and observe differences in the assembly code generated by the GNU C/C++ compiler.  Success is achieved when an obfuscated program has the same functionality as the original, but is more difficult to understand during live or static analysis.  There are no standards for code obfuscation, but it's relatively important to ensure that the obfuscations applied to a program are not easily undone because deobfuscation tools can be used to eliminate easily identified obfuscations [5].  We now look at the source and disassembly for VerifyPassword.cpp, a simple C++ program that contains a simple if-test for a password.  We then embed a simple cipher to protect sensitive constants. 13
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 14 VerifyPassword.cpp
15 .text section .rdata section
Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 16 VerifyPasswordObf.cpp
17 .text section .rdata section
18 http://www.frida.re/
19 Run As Admin Python Editor
20 Dump of .rdata Start @ 0x443000 Run exe in new window
21 Run Frida Script Plaintext extracted
22 Run As Admin Python Editor
23 Run exe in new window Dump of .rdata Start @ 0x445000
24 Run Frida Script Ciphertext extracted
25 http://www.frida.re/
26 max.c We want to call max() dynamically using Frida Keep the program resident
27 Debug statements from int max(x,y) function
28 Run max.exe using OllyDbg File->Open Specify arguments
29 int max(x,y) 0x4012F0 X >= Y ?
30
31 Run max.exe in new window max.exe stays resident
32 Run max.py 2x to invoke max(x,y) in max.exe
33 Applying Anti-Reversing Techniques to Machine Code Password Vault Anti-Reversing Exercise  The machine code anti-reversing exercise asks one to create a new executable version of the Password Vault application where the following transformations are applied:  Encryption of string literals (data obfuscation).  Obfuscation of the numeric representation of the password record limit (computation obfuscation).  Obfuscation of the method that performs the record limit check (control flow obfuscation). Contains both unobfuscated and Obfuscated source
34 Applying Anti-Reversing Techniques to Machine Code Data Obfuscation  Encryption of String Literals (data obfuscation): Strings are decrypted each time they are used using a bundled cipher.
35 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation  Obfuscation of the numeric representation of the password record limit (computation obfuscation): Complex evaluations obscure the actual condition.
36 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation (cont’d)  Obfuscation of the numeric representation of the password record limit (computation obfuscation) (cont’d): Testing for a function of a number can slow a reverser down.
37 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation  Obfuscation of the method that performs the record limit check (control flow obfuscation):  We introduce some non-essential, recursive, and randomized logic to the password limit check to make it more difficult for a reverser to perform static and/or live analysis.  Since no standards exist for control flow obfuscation, a custom algorithm was designed to hinder live and static analysis through use of recursive and randomized procedure calls.  Recursion grows the stack considerably, making stepping through the code difficult, while randomization makes execution unpredictable (breakpoints may not trigger & run traces differ).
38 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) A control flow obfuscation algorithm for the record limit check. Depth of the recursion is randomized on each check of the limit. Random procedure call targets generate and return a number that is added to an instance variable, preventing the procedures from being identified as NOOPs by a code optimizer.
39 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d)  To measure the effectiveness of the control flow algorithm in hindering analysis, three execution traces of the section of the code containing the record limit check were compared.  The Levenshtein Distance (LD) was computed between the three traces where each instruction in the trace was compared. LD was modified to consider each line as opposed to each character.  The execution traces were collected using OllyDbg and had to be cleaned of disassembly artifacts such as line numbers, base addresses, and comments in order to ensure that the analysis was fair.
40 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) Comparison of executions of record limit check on identical program input.
41

Recommended

S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
edwinray3
 
HML: Historical View and Trends of Deep Learning
HML: Historical View and Trends of Deep LearningHML: Historical View and Trends of Deep Learning
HML: Historical View and Trends of Deep Learning
Yan Xu
 
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Kirill Eremenko
 
Logistic regression
Logistic regressionLogistic regression
Logistic regression
Venkata Reddy Konasani
 
Bat algorithm and applications
Bat algorithm and applicationsBat algorithm and applications
Bat algorithm and applications
Md.Al-imran Roton
 
Anomaly detection
Anomaly detectionAnomaly detection
Anomaly detection
Hitesh Mohapatra
 
Methods of Optimization in Machine Learning
Methods of Optimization in Machine LearningMethods of Optimization in Machine Learning
Methods of Optimization in Machine Learning
Knoldus Inc.
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devices
YOU SHENG CHEN
 

Recommended

S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
S.N.Sivanandam & S.N. Deepa - Introduction to Genetic Algorithms 2008 ISBN 35...
edwinray3
 
HML: Historical View and Trends of Deep Learning
HML: Historical View and Trends of Deep LearningHML: Historical View and Trends of Deep Learning
HML: Historical View and Trends of Deep Learning
Yan Xu
 
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Deep Learning A-Z™: Recurrent Neural Networks (RNN) - The Vanishing Gradient ...
Kirill Eremenko
 
Logistic regression
Logistic regressionLogistic regression
Logistic regression
Venkata Reddy Konasani
 
Bat algorithm and applications
Bat algorithm and applicationsBat algorithm and applications
Bat algorithm and applications
Md.Al-imran Roton
 
Anomaly detection
Anomaly detectionAnomaly detection
Anomaly detection
Hitesh Mohapatra
 
Methods of Optimization in Machine Learning
Methods of Optimization in Machine LearningMethods of Optimization in Machine Learning
Methods of Optimization in Machine Learning
Knoldus Inc.
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devices
YOU SHENG CHEN
 
Computer Vision with Deep Learning
Computer Vision with Deep LearningComputer Vision with Deep Learning
Computer Vision with Deep Learning
Capgemini
 
Dimensionality Reduction
Dimensionality ReductionDimensionality Reduction
Dimensionality Reduction
mrizwan969
 
Ch03
Ch03Ch03
Ch03
Sayantan Bhowmik
 
ラビットチャレンジレポート 深層学習Day1
ラビットチャレンジレポート 深層学習Day1ラビットチャレンジレポート 深層学習Day1
ラビットチャレンジレポート 深層学習Day1
HiroyukiTerada4
 
Handling concept drift in data stream mining
Handling concept drift in data stream miningHandling concept drift in data stream mining
Handling concept drift in data stream mining
Manuel Martín
 
On the Reliability of Coverage-based Fuzzer Benchmarking
On the Reliability of Coverage-based Fuzzer BenchmarkingOn the Reliability of Coverage-based Fuzzer Benchmarking
On the Reliability of Coverage-based Fuzzer Benchmarking
mboehme
 
Vanishing & Exploding Gradients
Vanishing & Exploding GradientsVanishing & Exploding Gradients
Vanishing & Exploding Gradients
Siddharth Vij
 
Hadoop ecosystem
Hadoop ecosystemHadoop ecosystem
Hadoop ecosystem
Stanley Wang
 
Nosql data models
Nosql data modelsNosql data models
Nosql data models
Viet-Trung TRAN
 
Convolutional Neural Networks (CNN)
Convolutional Neural Networks (CNN)Convolutional Neural Networks (CNN)
Convolutional Neural Networks (CNN)
Gaurav Mittal
 
A10 networks產品與核心價值介紹 2014-03-04
A10 networks產品與核心價值介紹 2014-03-04A10 networks產品與核心價值介紹 2014-03-04
A10 networks產品與核心價值介紹 2014-03-04
Michael Lin
 
Big Data Sunum
Big Data SunumBig Data Sunum
Big Data Sunum
Serkan Sakınmaz
 
Transfer Learning
Transfer LearningTransfer Learning
Transfer Learning
Hichem Felouat
 
Semi-supervised Machine Learning
Semi-supervised Machine LearningSemi-supervised Machine Learning
Semi-supervised Machine Learning
Spotle.ai
 
Differential evolution optimization technique
Differential evolution optimization techniqueDifferential evolution optimization technique
Differential evolution optimization technique
Siksha 'O' Anusandhan (Deemed to be University )
 
Transfer learning-presentation
Transfer learning-presentationTransfer learning-presentation
Transfer learning-presentation
Bushra Jbawi
 
Feature selection
Feature selectionFeature selection
Feature selection
dkpawar
 
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Universitat Politècnica de Catalunya
 
A white paper on Program Management
A white paper on Program ManagementA white paper on Program Management
A white paper on Program Management
Eagle-Eye Management Consultancy (UK) Limited
 
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P..."Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
Edge AI and Vision Alliance
 
Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy Software
Teodoro Cipresso
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java Bytecode
Teodoro Cipresso
 

More Related Content

What's hot

Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Universitat Politècnica de Catalunya
 
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P..."Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
Edge AI and Vision Alliance
 

What's hot (20)

Computer Vision with Deep Learning
Computer Vision with Deep LearningComputer Vision with Deep Learning
Computer Vision with Deep Learning
 
Dimensionality Reduction
Dimensionality ReductionDimensionality Reduction
Dimensionality Reduction
 
Ch03
Ch03Ch03
Ch03
 
ラビットチャレンジレポート 深層学習Day1
ラビットチャレンジレポート 深層学習Day1ラビットチャレンジレポート 深層学習Day1
ラビットチャレンジレポート 深層学習Day1
 
Handling concept drift in data stream mining
Handling concept drift in data stream miningHandling concept drift in data stream mining
Handling concept drift in data stream mining
 
On the Reliability of Coverage-based Fuzzer Benchmarking
On the Reliability of Coverage-based Fuzzer BenchmarkingOn the Reliability of Coverage-based Fuzzer Benchmarking
On the Reliability of Coverage-based Fuzzer Benchmarking
 
Vanishing & Exploding Gradients
Vanishing & Exploding GradientsVanishing & Exploding Gradients
Vanishing & Exploding Gradients
 
Hadoop ecosystem
Hadoop ecosystemHadoop ecosystem
Hadoop ecosystem
 
Nosql data models
Nosql data modelsNosql data models
Nosql data models
 
Convolutional Neural Networks (CNN)
Convolutional Neural Networks (CNN)Convolutional Neural Networks (CNN)
Convolutional Neural Networks (CNN)
 
A10 networks產品與核心價值介紹 2014-03-04
A10 networks產品與核心價值介紹 2014-03-04A10 networks產品與核心價值介紹 2014-03-04
A10 networks產品與核心價值介紹 2014-03-04
 
Big Data Sunum
Big Data SunumBig Data Sunum
Big Data Sunum
 
Transfer Learning
Transfer LearningTransfer Learning
Transfer Learning
 
Semi-supervised Machine Learning
Semi-supervised Machine LearningSemi-supervised Machine Learning
Semi-supervised Machine Learning
 
Differential evolution optimization technique
Differential evolution optimization techniqueDifferential evolution optimization technique
Differential evolution optimization technique
 
Transfer learning-presentation
Transfer learning-presentationTransfer learning-presentation
Transfer learning-presentation
 
Feature selection
Feature selectionFeature selection
Feature selection
 
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
Transfer Learning (D2L4 Insight@DCU Machine Learning Workshop 2017)
 
A white paper on Program Management
A white paper on Program ManagementA white paper on Program Management
A white paper on Program Management
 
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P..."Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
"Approaches for Energy Efficient Implementation of Deep Neural Networks," a P...
 

Viewers also liked

Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Teodoro Cipresso
 

Viewers also liked (10)

Reengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy SoftwareReengineering and Reuse of Legacy Software
Reengineering and Reuse of Legacy Software
 
Reversing and Patching Java Bytecode
Reversing and Patching Java BytecodeReversing and Patching Java Bytecode
Reversing and Patching Java Bytecode
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
 
Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
 
Make Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EEMake Your API Catalog Essential with z/OS Connect EE
Make Your API Catalog Essential with z/OS Connect EE
 
Why z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIsWhy z/OS is a Great Platform for Developing and Hosting APIs
Why z/OS is a Great Platform for Developing and Hosting APIs
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse Engineering
 
Array Processor
Array ProcessorArray Processor
Array Processor
 
CO Module 5
CO Module 5CO Module 5
CO Module 5
 

Similar to Applying Anti-Reversing Techniques to Machine Code

Binary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programmingBinary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programming
nong_dan
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
UltraUploader
 
An introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_cAn introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_c
Suresh Murugesan
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
WE-IT TUTORIALS
 
C language introduction geeksfor geeks
C language introduction geeksfor geeksC language introduction geeksfor geeks
C language introduction geeksfor geeks
AashutoshChhedavi
 

Similar to Applying Anti-Reversing Techniques to Machine Code (20)

Binary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programmingBinary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programming
 
Source vs object code
Source vs object codeSource vs object code
Source vs object code
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine Code
 
Fundamentals of programming with C++
Fundamentals of programming with C++Fundamentals of programming with C++
Fundamentals of programming with C++
 
Dlf2
Dlf2Dlf2
Dlf2
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Part 1
Part 1Part 1
Part 1
 
An introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_cAn introduction to_programming_the_microchip_pic_in_ccs_c
An introduction to_programming_the_microchip_pic_in_ccs_c
 
Unit-2.pptx
Unit-2.pptxUnit-2.pptx
Unit-2.pptx
 
Introduction to c language
Introduction to c language Introduction to c language
Introduction to c language
 
Larson and toubro
Larson and toubroLarson and toubro
Larson and toubro
 
10Pro Code Injector
10Pro Code Injector10Pro Code Injector
10Pro Code Injector
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
 
Srgoc dotnet_new
Srgoc dotnet_newSrgoc dotnet_new
Srgoc dotnet_new
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ code
 
Embedded C.pptx
Embedded C.pptxEmbedded C.pptx
Embedded C.pptx
 
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdfDEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
DEVELOPMENT TOOLS FOR MICROCONTROLLERS.pdf
 
C language introduction geeksfor geeks
C language introduction geeksfor geeksC language introduction geeksfor geeks
C language introduction geeksfor geeks
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 

Recently uploaded

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
Alluxio, Inc.
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock
Skilrock Technologies
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
mbmh111980
 

Recently uploaded (20)

Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 

Applying Anti-Reversing Techniques to Machine Code

  • 1. CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015 The information in this presentation is taken from the thesis “Software reverse engineering education” available at http://scholarworks.sjsu.edu/etd_theses/3734/ where all citations can be found.
  • 2. Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Extreme care must be taken when applying anti-reversing techniques because most techniques ultimately change the machine code.  In the end, if a program does not run correctly, measuring how efficient or difficult to reverse engineer it is becomes meaningless [18].  Anti-reversing transformations performed on source code make a program more difficult to understand in both source and executable formats.  These transforms can expose compiler bugs because the program no longer looks like something a human would write.  [18] states “any compiler is going to have at least some pathological programs which it will not compile correctly.” 2
  • 3. Applying Anti-Reversing Techniques to Machine Code Introduction, Motivation, and Considerations  Compiler failures on “pathological” programs occur because compiler test cases are most often coded by people.  Test cases are not typically generated by some sophisticated tool that knows how to try every fringe case and surface every bug.  Therefore we should not be surprised if some compilers have difficulty with obfuscated source code.  We now investigate the technique Eliminating Symbolic Information as it applies to machine code.  We previously looked at this technique in Applying Anti-Reversing Techniques to Java Bytecode. 3
  • 4. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Eliminating Symbolic Information calls for the removal of any meaningful symbolic information in machine code that is not important to the execution of the program, but serves to ease debugging or reuse of it by another program.  For example, if a Windows program references functions (methods) exported by one or more libraries (DLLs), the names of those methods will appear in the .idata (import data) section of the program binary.  In production versions of a program, the machine code doesn't directly contain any symbolic information from the original source code. In the executable:  Method names, variable names (etc..), and line numbers are all absent.  Only the machine instructions produced directly or indirectly by the compiler [9] are present. 4
  • 5. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  This lack of information about the connection between the machine instructions and HLL source is unacceptable for purposes of debugging.  Therefore most modern compilers, like GCC, include an option to include debugging information into an executable.  The included debugging information allows a debugger to map one or more machine instructions back to a particular HLL statement [9].  To demonstrate symbolic information that is inserted into machine code to enable debugging of an application:  Calculator.cpp was compiled using the GNU C++ compiler (g++) with options to include debugging information and to generate assembly source instead of an executable (machine code). 5
  • 6. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 6 Calculator.cpp
  • 7. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  The GNU compiler stores debug information in the symbol tables (.stabs) section of the Windows PE header so that it will be loaded into memory as part of the program image.  The generated assembly language files CalculatorDebug.s on the next slide shows some of the debugging information inserted by GCC.  While this information is not a replacement for the original source code it does provide some helpful information to a reverser.  The GNU Project Debugger (GDB) is a source-level debugger and therefore must access the HLL source file to make use of the debugging information. 7
  • 8. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code 8 CalculatorDebug.cpp
  • 9. Applying Anti-Reversing Techniques to Machine Code Eliminating Symbolic Information in Machine Code  Debugging information can give plenty of hints to a reverse engineer, such as the count and type of parameters one must pass to a given method.  An obvious recommendation is to ensure the code is not compiled with debugging information before shipment to end-users.  The hunt for symbolic information doesn't end with information embedded by debuggers; actually it rarely begins there.  Eliminating symbolic information in machine code is difficult, therefore we’ll manually implement some familiar techniques to obfuscate the information.  First, we will take a detour to look at obfuscation of source code and what use cases it might address. 9
  • 10. Applying Anti-Reversing Techniques to Machine Code Source Code Obfuscation  Obfuscating the Program calls for performing transformations to the source or machine code that would render either code extremely difficult to understand but functionally equivalent to the original.  When delivering software to customers, they may require the source code so that the product can be compiled using in-house build and audit procedures.  In the likely event that the source code contains intellectual property, it can be obfuscated without changing the the resultant machine code.  To demonstrate source code obfuscation, COBF [23], a free C/C++ source code obfuscator was configured and given Calculator.cpp.  Stunnix C/C++ is a commercial source code obfuscator. 10
  • 12. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  [19] states “Obfuscation of Java bytecode is possible for the same reasons that decompiling is possible: Java bytecode is standardized and well documented.”  Machine code is not standardized; instruction sets, formats, and program image layouts vary depending on the target platform architecture.  Tools to assist with obfuscating machine code are much more challenging to implement and expensive to acquire. (I have not found any free tools).  EXECryptor is an industrial-strength machine code obfuscator.  When applied to the machine code for the Password Vault application, EXECryptor rendered it extremely difficult to understand.  EXECryptor fails to start in Windows 8.1 due to an anti-debug error. 12
  • 13. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code  Direct machine code obfuscations can be hard to analyze or follow, so we'll perform obfuscations at the source code level and observe differences in the assembly code generated by the GNU C/C++ compiler.  Success is achieved when an obfuscated program has the same functionality as the original, but is more difficult to understand during live or static analysis.  There are no standards for code obfuscation, but it's relatively important to ensure that the obfuscations applied to a program are not easily undone because deobfuscation tools can be used to eliminate easily identified obfuscations [5].  We now look at the source and disassembly for VerifyPassword.cpp, a simple C++ program that contains a simple if-test for a password.  We then embed a simple cipher to protect sensitive constants. 13
  • 14. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 14 VerifyPassword.cpp
  • 16. Applying Anti-Reversing Techniques to Machine Code Basic Obfuscation of Machine Code 16 VerifyPasswordObf.cpp
  • 23. 23 Run exe in new window Dump of .rdata Start @ 0x445000
  • 26. 26 max.c We want to call max() dynamically using Frida Keep the program resident
  • 27. 27 Debug statements from int max(x,y) function
  • 28. 28 Run max.exe using OllyDbg File->Open Specify arguments
  • 30. 30
  • 31. 31 Run max.exe in new window max.exe stays resident
  • 32. 32 Run max.py 2x to invoke max(x,y) in max.exe
  • 33. 33 Applying Anti-Reversing Techniques to Machine Code Password Vault Anti-Reversing Exercise  The machine code anti-reversing exercise asks one to create a new executable version of the Password Vault application where the following transformations are applied:  Encryption of string literals (data obfuscation).  Obfuscation of the numeric representation of the password record limit (computation obfuscation).  Obfuscation of the method that performs the record limit check (control flow obfuscation). Contains both unobfuscated and Obfuscated source
  • 34. 34 Applying Anti-Reversing Techniques to Machine Code Data Obfuscation  Encryption of String Literals (data obfuscation): Strings are decrypted each time they are used using a bundled cipher.
  • 35. 35 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation  Obfuscation of the numeric representation of the password record limit (computation obfuscation): Complex evaluations obscure the actual condition.
  • 36. 36 Applying Anti-Reversing Techniques to Machine Code Computation Obfuscation (cont’d)  Obfuscation of the numeric representation of the password record limit (computation obfuscation) (cont’d): Testing for a function of a number can slow a reverser down.
  • 37. 37 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation  Obfuscation of the method that performs the record limit check (control flow obfuscation):  We introduce some non-essential, recursive, and randomized logic to the password limit check to make it more difficult for a reverser to perform static and/or live analysis.  Since no standards exist for control flow obfuscation, a custom algorithm was designed to hinder live and static analysis through use of recursive and randomized procedure calls.  Recursion grows the stack considerably, making stepping through the code difficult, while randomization makes execution unpredictable (breakpoints may not trigger & run traces differ).
  • 38. 38 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) A control flow obfuscation algorithm for the record limit check. Depth of the recursion is randomized on each check of the limit. Random procedure call targets generate and return a number that is added to an instance variable, preventing the procedures from being identified as NOOPs by a code optimizer.
  • 39. 39 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d)  To measure the effectiveness of the control flow algorithm in hindering analysis, three execution traces of the section of the code containing the record limit check were compared.  The Levenshtein Distance (LD) was computed between the three traces where each instruction in the trace was compared. LD was modified to consider each line as opposed to each character.  The execution traces were collected using OllyDbg and had to be cleaned of disassembly artifacts such as line numbers, base addresses, and comments in order to ensure that the analysis was fair.
  • 40. 40 Applying Anti-Reversing Techniques to Machine Code Control Flow Obfuscation (cont’d) Comparison of executions of record limit check on identical program input.
  • 41. 41