Deobfuscation: By Hand

Deobfuscation

By hand

With our experimental environment, it should also be possible to try to deobfuscate this whole transformation. We start with the same screenshot as we ended with after the obfuscation process.

Manual inspection of the obfuscated function reveals that control flow falls through from the entry basic block to the switch-block.

True/False Opaque Predicates

True/False Opaque Predicates

Control Flow Flattening

Control Flow Flattening


One of the build-in control flow obfuscation transformations is the control flow flattaning, introduced by Wang. Applying this obfuscation transformation, results in the following CFG:



Original Call Graph (CG) and the Control Flow Graph (CFG) of the function factorial (fun)

Original Call Graph(CG) and the Control Flow Graph(CFG) of the function fun


Loco can easily build up the callgraph:



Loco can easily present the control flow graph of the function fun:



Example

Obfuscation


Example: validation algorithm


In this example, the license key consists of two values, where the faculty of the first value has to be equal to the second value to be a regular license key. The following check-function will be used to validate the license key:

bool check(int key_part1, int key_part2)
{
  if(fun(key_part1)==key_part2)
    return true;
  return false;
}

int fun(int key)
{
  int a=1;
  if (key<1)
    a=1;
  else
    do{
      a *= key--;
    }while (key>1);
  return a;
}

Publications


Obfuscation publications:

ISSPIT 2005 presentation

You can download our presentation at the ISSPIT 2005 conference.

how to use -pi , -pb option..

can i show the execution conuts for instruction or basic block to .dot file(-D generant)?

and how to use -pi, -pb option..?

Diablo 0.4.1 released

Date:
Fri, 2005-12-16 23:00

News Item:
Diablo 0.4.1 is out. See the release notes for more details...

Demo video (warning: 8MB)

You can download the demo here if it is not showing in your browser.

You can download the demo here if it is not showing in your browser.

Syndicate content