SlideShare une entreprise Scribd logo

Appsec obfuscator reloaded

Cyber Security Alliance
Cyber Security Alliance

e

Technologie
1  sur  51
Télécharger pour lire hors ligne
Obfuscator Reloaded Johan Wehrli Rinaldini Julien
Who the **** are we? • Johan Wehrli • Master of Science HES-SO in Engineering • Scientific Collaborator • @jowehrli • Julien Rinaldini • Master of Science HES-SO in Engineering • Research Engineer • @pyknite / http://rand0m.ch • IICT, Institute for Information an Communication Technology
Evil Plan • Obfuscator? • LLVM? • Tamper-proofing • Functions merging • Tests • Conclusion
Obfuscator • Research project in IT security • Managed by Phd. Pascal Junod • IICT, HEIG-VD • Open-source (well, not everything ;) ): http://o-llvm.org • Important dates • Born in 2010 • First public release in 2013 • Still in development • Increase software security • Substitution, flattening, BCF, …
LLVM • Open-source project, written in C++ • Compilation framework, several modules • Support multiple languages: • C/C++, Obj-C, Haskell, Java,… • … And multiple architectures: • x86, ARM, MIPS, PowerPC,…
The tamper-proofing is... • Detecting any modifications • Making sure that a software is run in the way it was expected to be when it was designed
The tamper-proofing is not... • A way of preventing the reverse engineering
Two-Step • Check • Verification of the result • Calculation of execution time • Hash of a snippet of code • Respond • Ending the software • Restore the initial code • Tamper the result or the performance
Typical Attacks • Search for patterns • Statically • Dynamically • Deactivation of the RESPOND • Modification of the condition • Pre-processing the new hash value
Prerequisites - Flattening • Flatten the control flow of a function • Uses • External loop • switch • One case per basic block • Basic block -> end -> switch • Branch variable (SwitchVar)
int main(int argc, char **argv){ int tab[10] = {5, 9, … , 1}; for(int i = 0; i < 10; ++i){ printf("%d, ",tab[i]); } return 0; }
Now, let’s do some meth math…
Prerequisites - CRC 1/10 • Linear Code C over a finite field GF(q) of length n • C is a cyclic code if, for every word in the code • Notions • Alphabet : • Word : • Cyclic code : • Generator polynomial : • Equations c = (c0, c1, ..., cn 1) in GF(q)n ⇤ = 0, 1 x = 0b10010 = (1, 0, 0, 1, 0) 2 ⇤5 00000, 00111, 01110, 01001, 11100, 11011, 10010, 101010 g(x) = x2 + x + 1 0 · g(x), 1 · g(x), x · g(x), (x + 1) · g(x), x2 · g(x), (x2 + 1) · g(x), (x2 + x) · g(x), (x2 + x + 1) · g(x)
Prerequisites - CRC • Cyclic Redundancy Check • To detect errors during transmission • To calculate the remainder of a polynomial division • Easy to implement (CRC32) • How it works • Cyclic code • Euclidean division • Remainder = CRC
Step One • ModulePass, IR code, go through all the program • …
Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • ...
uint32_t normalCRC(uint32_t init, uint32_t* begin, uint32_t* end){ uint32_t crc = init; while(begin end){ __asm__ __volatile__( crc32l %%ecx, %%esi; :=S (crc) :0 (crc), c (*begin) ); ++begin; } return crc; } uint32_t inverseCRC(uint32_t init, uint32_t* begin, uint32_t* end){ uint32_t crc = init; while(begin end){ __asm__ __volatile__( crc32l %%ecx, %%esi; :=S (crc) :0 (crc), c (*end) ); --end; } return crc; }
Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • Place random call to the check • 1..n per basic block • Random area of code • ...
... store i32 1928457517, i32* %crc, align 4 store i32* inttoptr (i32 4196792 to i32*), i32** %begin, align 8 store i32* inttoptr (i32 4196848 to i32*), i32** %end, align 8 %2 = load i32* %crc, align 4 %3 = load i32** %begin, align 8 %4 = load i32** %end, align 8 %call = call i32 @vHpAKyNAxHgMhPd(i32 %2, i32* %3, i32* %4) store i32 %call, i32* %crc, align 4 ...
Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • Place random call to the check • 1..n per basic block • Random area of code • Get all the call result, calcul the new SwitchVar SwitchV ar = const res1 res2 ... resn
... %14 = load i32* %const1 %15 = load i32* %crc, align 4 %16 = load i32* %crc2, align 4 %xor = xor i32 %15, %16 %xor5 = xor i32 %xor, %14 store i32 %xor5, i32* %switchVar ...
Problems • Calculation of the precedence • One check area is over the xor • Modify the constant value - Modify SwitchVar • The pass occurs in the middle-end • No addresses • No machine code
Solutions • Use static array • Get the value at a certain address • SwitchV ar = tab[0] res1 res2 ... resn • Post-process the binary file • Python script • PyElfTool
Post-Processing • Patch the file once the compilation is over • Launch manually • Platform dependent • Created because the LLVM pass lack informations • Begin address • End address • Hash value • Static value
Post-Processing • Read the log file • Find the data • Heuristic vs. Search • Search by function • Update the data • Calculate the offset • Update the addresses • Calculate the check • Update the static value
Conclusion - Tamper • Selection policies • Area : .Text vs. Function • CHECK placement • Control flow modification • Good combinaison between static and dynamic values • Future • Use the Clang driver, detect link phase • Generic solution, uses the LLVM API
Functions Merging What is that?
// Module test.c int foo(int a) { return a+2; } float bar(float a) { return a+2.0; }
// Module test.c void merge(int sw, void *ret, ...) { switch(sw) { case 0: va_list ap; va_start(ap, 1); int a = va_args(ap, int); va_end(ap); int *b = (int*)ret; *b = a+2; break; case 1: va_list ap; va_start(ap, 1); float a = va_args(ap, float); va_end(ap); float *b = (float*)ret; *b = a+2.0; break; } return; }
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
• Save all functions, except: • main() • Arbitrary choice • Variadic functions • Special treatment needed • No time left to implement it • fastcall functions • Try to pass arguments through registers
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
• Merge function • 3 arguments • int sw • void *result • variadic argument (…) • Uses a switch as a dispatcher • Random name - avoid linking problems define void @merge-1196957890(i128 %sw, i8* %retArg, ...) { entry: %sw.addr = alloca i128 store i128 %sw, i128* %sw.addr %sw1 = load i128* %sw.addr switch i128 %sw1, label %default [ ] default: ; preds = %entry ret void }
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
• switch value • sha256 + salt • Only use 128 bits • Avoid online attack switch i128 %sw1, label %default [ i128 27710209634873760713303062182632130818 , label %0 i128 -6843076191789525760054781676266687358 , label %17 i128 -26221607966511614330399007306620848255 , label %56 ]
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
... %ap = alloca i8* %ap2 = bitcast i8** %ap to i8* call void @llvm.va_start(i8* %ap2) %1 = va_arg i8** %ap, i32 call void @llvm.va_end(i8* %ap2) ...
input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
• Replace all return • load the return value in the retArg • ret void ... %14 = alloca i8* store i8* %retArg , i8** %14 %15 = load i8** %14 %16 = bitcast i8* %15 to i32* store i32 3, i32* %16 ret void
• We still have some problems • Inter-module calls • Distribution of an obfuscated library • API breakage
• Wrappers! The solution for every problems ;) ; Function Attrs: nounwind ssp uwtable define float @bar(float %a) { entry: %ret = alloca float %retPty = alloca float* store float* %ret, float** %retPty %load = load float** %retPty %bit = bitcast float* %load to i8* call void (i128, i8*, ...)* @merge1806660435(i128 49770522224456207387965548547940082999, i8* %bit, float %a) %0 = load float** %retPty %1 = load float* %0 ret float %1 }
Conclusion - Function merging • Use strip! • Fonctions name give a lot of informations • Use it with other obfuscations
Tests • Test suite • LibTomCrypt • OpenSSL • SQLite (+200’000 tests) • Obfuscation of ALL the code • Global idea of the consequences
Conclusion • Both obfuscations works fine • Debugging is hard • Promising project • A lot of others obfuscations • Flattening V2, debug tricks, tamper V2,… • Backend obfuscations • Winner “Bourse Start-Up Heig-VD 2014”
▄▄▄▄▄▄▄▄▄▄ ▄▄█████████▄▄▄▄▄ ██▄▄▄██████▄▄▄██▄▄ ██▄▄▄██████▄████████ ▄██▄████▄▄▄▄▄▄▄▄▄████ ████████████████▄▄███ ██████▄▄▄▄▄▄█████▄▄▄▄ ▀█████▄▄███████▄▄▄█▄▀ Questions? ▄▄▄▄▄▄▄▄▄ ████▄████████▄▄▄▀ ▄▄█████████▄▄ ▄▄██████████▄███ ███████▄▀▀▀▄█▄▄ ▄▄▄█▄▄█▄▄█▄▄▄▄▄▀▀ ████████ ▀▄▄▄▄███▄██▄▄▄███ ████████ ▄▄ ▄▄▄▄▄█▄▄▄▄███████ ████████▄▄██ ██▄▄▄██████████▄▀ ▀▄██████▄▄▄▀ ▀▄█▄██████████▄▀ ▄▄████▄▄██ ▄███▄█▄▄▄▄██▄██ █████████▄▀ █████▄▄▀ ██████ ███▄███▀▀ ███████ ███▄▄▄▄ ▀▄▄▄▀ ████████ ███████ ████████ ████▄▄██▄ ██████▄▄█ ██████▄▄█ █▄▄▄▄█ █▄▄▄▄█

Recommandé

[FT-11][suhorng] “Poor Man's” Undergraduate Compilers
[FT-11][suhorng] “Poor Man's” Undergraduate Compilers[FT-11][suhorng] “Poor Man's” Undergraduate Compilers
[FT-11][suhorng] “Poor Man's” Undergraduate CompilersFunctional Thursday
 
Digital system design practical file
Digital system design practical fileDigital system design practical file
Digital system design practical fileArchita Misra
 
Vhdl lab manual
Vhdl lab manualVhdl lab manual
Vhdl lab manualMukul Mohal
 
Dsd lab Practical File
Dsd lab Practical FileDsd lab Practical File
Dsd lab Practical FileSoumya Behera
 
Introduction to Erlang Part 2
Introduction to Erlang Part 2Introduction to Erlang Part 2
Introduction to Erlang Part 2Dmitry Zinoviev
 
Introduction to Erlang Part 1
Introduction to Erlang Part 1Introduction to Erlang Part 1
Introduction to Erlang Part 1Dmitry Zinoviev
 
Programs of VHDL
Programs of VHDLPrograms of VHDL
Programs of VHDLRkrishna Mishra
 
Experiment write-vhdl-code-for-realize-all-logic-gates
Experiment write-vhdl-code-for-realize-all-logic-gatesExperiment write-vhdl-code-for-realize-all-logic-gates
Experiment write-vhdl-code-for-realize-all-logic-gatesRicardo Castro
 

Recommandé

[FT-11][suhorng] “Poor Man's” Undergraduate Compilers
[FT-11][suhorng] “Poor Man's” Undergraduate Compilers[FT-11][suhorng] “Poor Man's” Undergraduate Compilers
[FT-11][suhorng] “Poor Man's” Undergraduate CompilersFunctional Thursday
 
Digital system design practical file
Digital system design practical fileDigital system design practical file
Digital system design practical fileArchita Misra
 
Vhdl lab manual
Vhdl lab manualVhdl lab manual
Vhdl lab manualMukul Mohal
 
Dsd lab Practical File
Dsd lab Practical FileDsd lab Practical File
Dsd lab Practical FileSoumya Behera
 
Introduction to Erlang Part 2
Introduction to Erlang Part 2Introduction to Erlang Part 2
Introduction to Erlang Part 2Dmitry Zinoviev
 
Introduction to Erlang Part 1
Introduction to Erlang Part 1Introduction to Erlang Part 1
Introduction to Erlang Part 1Dmitry Zinoviev
 
Programs of VHDL
Programs of VHDLPrograms of VHDL
Programs of VHDLRkrishna Mishra
 
Experiment write-vhdl-code-for-realize-all-logic-gates
Experiment write-vhdl-code-for-realize-all-logic-gatesExperiment write-vhdl-code-for-realize-all-logic-gates
Experiment write-vhdl-code-for-realize-all-logic-gatesRicardo Castro
 
VERILOG CODE
VERILOG CODEVERILOG CODE
VERILOG CODEDhaval Kaneria
 
Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Béo Tú
 
VLSI Anna University Practical Examination
VLSI Anna University Practical ExaminationVLSI Anna University Practical Examination
VLSI Anna University Practical ExaminationGouthaman V
 
radix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdfradix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdfsakthi1986
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014Béo Tú
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
Lecture 2 verilog
Lecture 2 verilogLecture 2 verilog
Lecture 2 verilogvenravi10
 
VLSI Lab manual PDF
VLSI Lab manual PDFVLSI Lab manual PDF
VLSI Lab manual PDFUR11EC098
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014Béo Tú
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesMalik Tauqir Hasan
 
VHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLESVHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLESkarthik kadava
 
verilog code
verilog codeverilog code
verilog codeMantra VLSI
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
CSharp for Unity Day2
CSharp for Unity Day2CSharp for Unity Day2
CSharp for Unity Day2Duong Thanh
 
Klee and angr
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
 
Verilog Lecture2 thhts
Verilog Lecture2 thhtsVerilog Lecture2 thhts
Verilog Lecture2 thhtsBéo Tú
 
Verilogforlab
VerilogforlabVerilogforlab
VerilogforlabShankar Bhukya
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Day2 Verilog HDL Basic
Day2 Verilog HDL BasicDay2 Verilog HDL Basic
Day2 Verilog HDL BasicRon Liu
 
02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++Manzoor ALam
 
Memory Management with Java and C++
Memory Management with Java and C++Memory Management with Java and C++
Memory Management with Java and C++Mohammad Shaker
 

Contenu connexe

Tendances

Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Béo Tú
 
VLSI Anna University Practical Examination
VLSI Anna University Practical ExaminationVLSI Anna University Practical Examination
VLSI Anna University Practical ExaminationGouthaman V
 
radix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdfradix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdfsakthi1986
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014Béo Tú
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
Lecture 2 verilog
Lecture 2 verilogLecture 2 verilog
Lecture 2 verilogvenravi10
 
VLSI Lab manual PDF
VLSI Lab manual PDFVLSI Lab manual PDF
VLSI Lab manual PDFUR11EC098
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014Béo Tú
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesMalik Tauqir Hasan
 
VHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLESVHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLESkarthik kadava
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
CSharp for Unity Day2
CSharp for Unity Day2CSharp for Unity Day2
CSharp for Unity Day2Duong Thanh
 
Verilog Lecture2 thhts
Verilog Lecture2 thhtsVerilog Lecture2 thhts
Verilog Lecture2 thhtsBéo Tú
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Day2 Verilog HDL Basic
Day2 Verilog HDL BasicDay2 Verilog HDL Basic
Day2 Verilog HDL BasicRon Liu
 

Tendances (20)

VERILOG CODE
VERILOG CODEVERILOG CODE
VERILOG CODE
 
Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014
 
VLSI Anna University Practical Examination
VLSI Anna University Practical ExaminationVLSI Anna University Practical Examination
VLSI Anna University Practical Examination
 
radix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdfradix_4 fft dif with mdc and mdf
radix_4 fft dif with mdc and mdf
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON China
 
Lecture 2 verilog
Lecture 2 verilogLecture 2 verilog
Lecture 2 verilog
 
VLSI Lab manual PDF
VLSI Lab manual PDFVLSI Lab manual PDF
VLSI Lab manual PDF
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes
 
Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014Verilog Lecture5 hust 2014
Verilog Lecture5 hust 2014
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directives
 
VHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLESVHDL PROGRAMS FEW EXAMPLES
VHDL PROGRAMS FEW EXAMPLES
 
verilog code
verilog codeverilog code
verilog code
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
CSharp for Unity Day2
CSharp for Unity Day2CSharp for Unity Day2
CSharp for Unity Day2
 
Klee and angr
Klee and angrKlee and angr
Klee and angr
 
Verilog Lecture2 thhts
Verilog Lecture2 thhtsVerilog Lecture2 thhts
Verilog Lecture2 thhts
 
Verilogforlab
VerilogforlabVerilogforlab
Verilogforlab
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
Day2 Verilog HDL Basic
Day2 Verilog HDL BasicDay2 Verilog HDL Basic
Day2 Verilog HDL Basic
 

Similaire à Appsec obfuscator reloaded

02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++Manzoor ALam
 
Memory Management with Java and C++
Memory Management with Java and C++Memory Management with Java and C++
Memory Management with Java and C++Mohammad Shaker
 
openMP loop parallelization
openMP loop parallelizationopenMP loop parallelization
openMP loop parallelizationAlbert DeFusco
 
Lecture#6 functions in c++
Lecture#6 functions in c++Lecture#6 functions in c++
Lecture#6 functions in c++NUST Stuff
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...corehard_by
 
Practical file
Practical filePractical file
Practical filerajeevkr35
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor ConcurrencyAlex Miller
 
Cse115 lecture04introtoc programming
Cse115 lecture04introtoc programmingCse115 lecture04introtoc programming
Cse115 lecture04introtoc programmingMd. Ashikur Rahman
 
掀起 Swift 的面紗
掀起 Swift 的面紗掀起 Swift 的面紗
掀起 Swift 的面紗Pofat Tseng
 
Object oriented programming system with C++
Object oriented programming system with C++Object oriented programming system with C++
Object oriented programming system with C++msharshitha03s
 
golang_getting_started.pptx
golang_getting_started.pptxgolang_getting_started.pptx
golang_getting_started.pptxGuy Komari
 
Getting started cpp full
Getting started cpp fullGetting started cpp full
Getting started cpp fullVõ Hòa
 
Golang and Eco-System Introduction / Overview
Golang and Eco-System Introduction / OverviewGolang and Eco-System Introduction / Overview
Golang and Eco-System Introduction / OverviewMarkus Schneider
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
NDC Sydney 2019 - Async Demystified -- Karel Zikmund
NDC Sydney 2019 - Async Demystified -- Karel ZikmundNDC Sydney 2019 - Async Demystified -- Karel Zikmund
NDC Sydney 2019 - Async Demystified -- Karel ZikmundKarel Zikmund
 

Similaire à Appsec obfuscator reloaded (20)

02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++02 functions, variables, basic input and output of c++
02 functions, variables, basic input and output of c++
 
Memory Management with Java and C++
Memory Management with Java and C++Memory Management with Java and C++
Memory Management with Java and C++
 
Code optimization
Code optimization Code optimization
Code optimization
 
Code optimization
Code optimization Code optimization
Code optimization
 
openMP loop parallelization
openMP loop parallelizationopenMP loop parallelization
openMP loop parallelization
 
Lecture#6 functions in c++
Lecture#6 functions in c++Lecture#6 functions in c++
Lecture#6 functions in c++
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
 
functions
functionsfunctions
functions
 
C++ Functions
C++ FunctionsC++ Functions
C++ Functions
 
Practical file
Practical filePractical file
Practical file
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
 
Cse115 lecture04introtoc programming
Cse115 lecture04introtoc programmingCse115 lecture04introtoc programming
Cse115 lecture04introtoc programming
 
掀起 Swift 的面紗
掀起 Swift 的面紗掀起 Swift 的面紗
掀起 Swift 的面紗
 
Object oriented programming system with C++
Object oriented programming system with C++Object oriented programming system with C++
Object oriented programming system with C++
 
golang_getting_started.pptx
golang_getting_started.pptxgolang_getting_started.pptx
golang_getting_started.pptx
 
Getting started cpp full
Getting started cpp fullGetting started cpp full
Getting started cpp full
 
Golang and Eco-System Introduction / Overview
Golang and Eco-System Introduction / OverviewGolang and Eco-System Introduction / Overview
Golang and Eco-System Introduction / Overview
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5
 
NDC Sydney 2019 - Async Demystified -- Karel Zikmund
NDC Sydney 2019 - Async Demystified -- Karel ZikmundNDC Sydney 2019 - Async Demystified -- Karel Zikmund
NDC Sydney 2019 - Async Demystified -- Karel Zikmund
 
C language
C languageC language
C language
 

Plus de Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Plus de Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Dernier

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Appsec obfuscator reloaded

  • 1. Obfuscator Reloaded Johan Wehrli Rinaldini Julien
  • 2. Who the **** are we? • Johan Wehrli • Master of Science HES-SO in Engineering • Scientific Collaborator • @jowehrli • Julien Rinaldini • Master of Science HES-SO in Engineering • Research Engineer • @pyknite / http://rand0m.ch • IICT, Institute for Information an Communication Technology
  • 3. Evil Plan • Obfuscator? • LLVM? • Tamper-proofing • Functions merging • Tests • Conclusion
  • 4. Obfuscator • Research project in IT security • Managed by Phd. Pascal Junod • IICT, HEIG-VD • Open-source (well, not everything ;) ): http://o-llvm.org • Important dates • Born in 2010 • First public release in 2013 • Still in development • Increase software security • Substitution, flattening, BCF, …
  • 5. LLVM • Open-source project, written in C++ • Compilation framework, several modules • Support multiple languages: • C/C++, Obj-C, Haskell, Java,… • … And multiple architectures: • x86, ARM, MIPS, PowerPC,…
  • 6.
  • 7. The tamper-proofing is... • Detecting any modifications • Making sure that a software is run in the way it was expected to be when it was designed
  • 8. The tamper-proofing is not... • A way of preventing the reverse engineering
  • 9. Two-Step • Check • Verification of the result • Calculation of execution time • Hash of a snippet of code • Respond • Ending the software • Restore the initial code • Tamper the result or the performance
  • 10. Typical Attacks • Search for patterns • Statically • Dynamically • Deactivation of the RESPOND • Modification of the condition • Pre-processing the new hash value
  • 11. Prerequisites - Flattening • Flatten the control flow of a function • Uses • External loop • switch • One case per basic block • Basic block -> end -> switch • Branch variable (SwitchVar)
  • 12. int main(int argc, char **argv){ int tab[10] = {5, 9, … , 1}; for(int i = 0; i < 10; ++i){ printf("%d, ",tab[i]); } return 0; }
  • 13.
  • 14. Now, let’s do some meth math…
  • 15. Prerequisites - CRC 1/10 • Linear Code C over a finite field GF(q) of length n • C is a cyclic code if, for every word in the code • Notions • Alphabet : • Word : • Cyclic code : • Generator polynomial : • Equations c = (c0, c1, ..., cn 1) in GF(q)n ⇤ = 0, 1 x = 0b10010 = (1, 0, 0, 1, 0) 2 ⇤5 00000, 00111, 01110, 01001, 11100, 11011, 10010, 101010 g(x) = x2 + x + 1 0 · g(x), 1 · g(x), x · g(x), (x + 1) · g(x), x2 · g(x), (x2 + 1) · g(x), (x2 + x) · g(x), (x2 + x + 1) · g(x)
  • 16.
  • 17. Prerequisites - CRC • Cyclic Redundancy Check • To detect errors during transmission • To calculate the remainder of a polynomial division • Easy to implement (CRC32) • How it works • Cyclic code • Euclidean division • Remainder = CRC
  • 18. Step One • ModulePass, IR code, go through all the program • …
  • 19.
  • 20. Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • ...
  • 21. uint32_t normalCRC(uint32_t init, uint32_t* begin, uint32_t* end){ uint32_t crc = init; while(begin end){ __asm__ __volatile__( crc32l %%ecx, %%esi; :=S (crc) :0 (crc), c (*begin) ); ++begin; } return crc; } uint32_t inverseCRC(uint32_t init, uint32_t* begin, uint32_t* end){ uint32_t crc = init; while(begin end){ __asm__ __volatile__( crc32l %%ecx, %%esi; :=S (crc) :0 (crc), c (*end) ); --end; } return crc; }
  • 22. Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • Place random call to the check • 1..n per basic block • Random area of code • ...
  • 23. ... store i32 1928457517, i32* %crc, align 4 store i32* inttoptr (i32 4196792 to i32*), i32** %begin, align 8 store i32* inttoptr (i32 4196848 to i32*), i32** %end, align 8 %2 = load i32* %crc, align 4 %3 = load i32** %begin, align 8 %4 = load i32** %end, align 8 %call = call i32 @vHpAKyNAxHgMhPd(i32 %2, i32* %3, i32* %4) store i32 %call, i32* %crc, align 4 ...
  • 24. Step One • ModulePass, IR code, go through all the program • Create multiple check functions • Pool of functions • Random names • Place random call to the check • 1..n per basic block • Random area of code • Get all the call result, calcul the new SwitchVar SwitchV ar = const res1 res2 ... resn
  • 25. ... %14 = load i32* %const1 %15 = load i32* %crc, align 4 %16 = load i32* %crc2, align 4 %xor = xor i32 %15, %16 %xor5 = xor i32 %xor, %14 store i32 %xor5, i32* %switchVar ...
  • 26.
  • 27. Problems • Calculation of the precedence • One check area is over the xor • Modify the constant value - Modify SwitchVar • The pass occurs in the middle-end • No addresses • No machine code
  • 28. Solutions • Use static array • Get the value at a certain address • SwitchV ar = tab[0] res1 res2 ... resn • Post-process the binary file • Python script • PyElfTool
  • 29. Post-Processing • Patch the file once the compilation is over • Launch manually • Platform dependent • Created because the LLVM pass lack informations • Begin address • End address • Hash value • Static value
  • 30. Post-Processing • Read the log file • Find the data • Heuristic vs. Search • Search by function • Update the data • Calculate the offset • Update the addresses • Calculate the check • Update the static value
  • 31. Conclusion - Tamper • Selection policies • Area : .Text vs. Function • CHECK placement • Control flow modification • Good combinaison between static and dynamic values • Future • Use the Clang driver, detect link phase • Generic solution, uses the LLVM API
  • 33. // Module test.c int foo(int a) { return a+2; } float bar(float a) { return a+2.0; }
  • 34. // Module test.c void merge(int sw, void *ret, ...) { switch(sw) { case 0: va_list ap; va_start(ap, 1); int a = va_args(ap, int); va_end(ap); int *b = (int*)ret; *b = a+2; break; case 1: va_list ap; va_start(ap, 1); float a = va_args(ap, float); va_end(ap); float *b = (float*)ret; *b = a+2.0; break; } return; }
  • 35. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 36. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 37. • Save all functions, except: • main() • Arbitrary choice • Variadic functions • Special treatment needed • No time left to implement it • fastcall functions • Try to pass arguments through registers
  • 38. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 39. • Merge function • 3 arguments • int sw • void *result • variadic argument (…) • Uses a switch as a dispatcher • Random name - avoid linking problems define void @merge-1196957890(i128 %sw, i8* %retArg, ...) { entry: %sw.addr = alloca i128 store i128 %sw, i128* %sw.addr %sw1 = load i128* %sw.addr switch i128 %sw1, label %default [ ] default: ; preds = %entry ret void }
  • 40. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 41. • switch value • sha256 + salt • Only use 128 bits • Avoid online attack switch i128 %sw1, label %default [ i128 27710209634873760713303062182632130818 , label %0 i128 -6843076191789525760054781676266687358 , label %17 i128 -26221607966511614330399007306620848255 , label %56 ]
  • 42. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 43. ... %ap = alloca i8* %ap2 = bitcast i8** %ap to i8* call void @llvm.va_start(i8* %ap2) %1 = va_arg i8** %ap, i32 call void @llvm.va_end(i8* %ap2) ...
  • 44. input: Module M begin fList ;; foreach function f in module M do if f is not a declaration and f is not main then fList fList[ {f}; end end merge createFunction(); foreach function f in fList do addEntryToSwitch(f,merge); if f has arguments then loadArgs(f,merge); end replaceReturn(f,merge); moveContent(f,merge); createWrapper(f,M); end end
  • 45. • Replace all return • load the return value in the retArg • ret void ... %14 = alloca i8* store i8* %retArg , i8** %14 %15 = load i8** %14 %16 = bitcast i8* %15 to i32* store i32 3, i32* %16 ret void
  • 46. • We still have some problems • Inter-module calls • Distribution of an obfuscated library • API breakage
  • 47. • Wrappers! The solution for every problems ;) ; Function Attrs: nounwind ssp uwtable define float @bar(float %a) { entry: %ret = alloca float %retPty = alloca float* store float* %ret, float** %retPty %load = load float** %retPty %bit = bitcast float* %load to i8* call void (i128, i8*, ...)* @merge1806660435(i128 49770522224456207387965548547940082999, i8* %bit, float %a) %0 = load float** %retPty %1 = load float* %0 ret float %1 }
  • 48. Conclusion - Function merging • Use strip! • Fonctions name give a lot of informations • Use it with other obfuscations
  • 49. Tests • Test suite • LibTomCrypt • OpenSSL • SQLite (+200’000 tests) • Obfuscation of ALL the code • Global idea of the consequences
  • 50. Conclusion • Both obfuscations works fine • Debugging is hard • Promising project • A lot of others obfuscations • Flattening V2, debug tricks, tamper V2,… • Backend obfuscations • Winner “Bourse Start-Up Heig-VD 2014”
  • 51. ▄▄▄▄▄▄▄▄▄▄ ▄▄█████████▄▄▄▄▄ ██▄▄▄██████▄▄▄██▄▄ ██▄▄▄██████▄████████ ▄██▄████▄▄▄▄▄▄▄▄▄████ ████████████████▄▄███ ██████▄▄▄▄▄▄█████▄▄▄▄ ▀█████▄▄███████▄▄▄█▄▀ Questions? ▄▄▄▄▄▄▄▄▄ ████▄████████▄▄▄▀ ▄▄█████████▄▄ ▄▄██████████▄███ ███████▄▀▀▀▄█▄▄ ▄▄▄█▄▄█▄▄█▄▄▄▄▄▀▀ ████████ ▀▄▄▄▄███▄██▄▄▄███ ████████ ▄▄ ▄▄▄▄▄█▄▄▄▄███████ ████████▄▄██ ██▄▄▄██████████▄▀ ▀▄██████▄▄▄▀ ▀▄█▄██████████▄▀ ▄▄████▄▄██ ▄███▄█▄▄▄▄██▄██ █████████▄▀ █████▄▄▀ ██████ ███▄███▀▀ ███████ ███▄▄▄▄ ▀▄▄▄▀ ████████ ███████ ████████ ████▄▄██▄ ██████▄▄█ ██████▄▄█ █▄▄▄▄█ █▄▄▄▄█