Obfuscator Reloaded
Johan Wehrli 
Rinaldini Julien
Who the **** are we? 
• Johan Wehrli 
• Master of Science HES-SO in Engineering 
• Scientific Collaborator 
• @jowehrli 
• Julien Rinaldini 
• Master of Science HES-SO in Engineering 
• Research Engineer 
• @pyknite / http://rand0m.ch 
• IICT, Institute for Information and Communication Technology
Evil Plan 
• Obfuscator? 
• LLVM? 
• Tamper-proofing 
• Functions merging 
• Tests 
• Conclusion
Obfuscator 
• Research project in IT security 
• Managed by Pascal Junod, PhD
• IICT, HEIG-VD 
• Open-source (well, not everything ;) ): http://o-llvm.org 
• Important dates 
• Born in 2010 
• First public release in 2013 
• Still in development 
• Increase software security 
• Substitution, flattening, BCF, …
LLVM 
• Open-source project, written in C++ 
• Compilation framework, several modules 
• Support multiple languages: 
• C/C++, Obj-C, Haskell, Java,… 
• … And multiple architectures: 
• x86, ARM, MIPS, PowerPC,…
The tamper-proofing is...
• Detecting any modification
• Making sure that the software runs the way it was designed to run
The tamper-proofing is not... 
• A way of preventing reverse engineering
Two-Step 
• Check 
• Verification of the result 
• Calculation of execution time 
• Hash of a snippet of code 
• Respond 
• Ending the software 
• Restore the initial code 
• Tamper with the result or the performance
Typical Attacks 
• Search for patterns 
• Statically 
• Dynamically 
• Deactivation of the RESPOND 
• Modification of the condition 
• Pre-computing the new hash value
Prerequisites - Flattening 
• Flatten the control flow of a function 
• Uses 
• External loop 
• switch 
• One case per basic block 
• Basic block -> end -> switch 
• Branch variable (SwitchVar)
#include <stdio.h>

// Example function before flattening: one loop, one basic block per iteration.
int main(int argc, char **argv){
    int tab[10] = {5, 9, … , 1};
    for(int i = 0; i < 10; ++i){
        printf("%d, ", tab[i]);
    }
    return 0;
}
Now, let’s do some meth math…
Prerequisites - CRC 1/10
• Linear code C over a finite field GF(q) of length n: $c = (c_0, c_1, \ldots, c_{n-1}) \in GF(q)^n$
• C is a cyclic code if, for every word in the code
• Notions
• Alphabet: $\Sigma = \{0, 1\}$
• Word: $x = 0b10010 = (1, 0, 0, 1, 0) \in \Sigma^5$
• Cyclic code: 00000, 00111, 01110, 01001, 11100, 11011, 10010, 10101
• Generator polynomial: $g(x) = x^2 + x + 1$
• Equations: $0 \cdot g(x),\ 1 \cdot g(x),\ x \cdot g(x),\ (x+1) \cdot g(x),\ x^2 \cdot g(x),\ (x^2+1) \cdot g(x),\ (x^2+x) \cdot g(x),\ (x^2+x+1) \cdot g(x)$
Prerequisites - CRC 
• Cyclic Redundancy Check 
• To detect errors during transmission 
• To calculate the remainder of a polynomial division 
• Easy to implement (CRC32) 
• How it works 
• Cyclic code 
• Euclidean division 
• Remainder = CRC
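As an added worked example (not from the slides), the GF(2) polynomial arithmetic behind the two CRC slides in Python: enumerating the codewords generated by g(x) = x² + x + 1 for length 5, and computing a CRC as the remainder of the Euclidean division. All function names are mine.

```python
"""GF(2)[x] arithmetic behind the CRC slides. Added example, not from the
slides: polynomials are Python ints with bit i = coefficient of x^i, so
0b111 is g(x) = x^2 + x + 1."""


def gf2_mul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_mod(a: int, g: int) -> int:
    """Remainder of a(x) divided by g(x): Euclidean division where each
    subtraction is an XOR of g shifted under the current leading term."""
    deg_g = g.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_g:
        a ^= g << (a.bit_length() - 1 - deg_g)
    return a


def to_word(p: int, n: int) -> str:
    """n-bit word, highest degree first, as the slides print them."""
    return format(p, "0%db" % n)


def codewords(g: int, n: int) -> list:
    """All multiples m(x)·g(x) with deg m < n - deg g: the code of length n
    generated by g, in the same order as the 'Equations' bullet."""
    k = n - (g.bit_length() - 1)
    return [to_word(gf2_mul(m, g), n) for m in range(1 << k)]


def crc(message: int, g: int) -> int:
    """CRC = remainder of message(x)·x^deg(g) divided by g(x)."""
    return gf2_mod(message << (g.bit_length() - 1), g)


def encode(message: int, g: int) -> int:
    """Transmitted word: the message followed by its CRC."""
    return (message << (g.bit_length() - 1)) | crc(message, g)


def check(word: int, g: int) -> bool:
    """Receiver side: a word is error-free iff g(x) divides it."""
    return gf2_mod(word, g) == 0
```

With g = 0b111 the slide's word x = 0b10010 is one of the eight codewords, and flipping any single bit of an encoded word makes check() fail.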
Step One 
• ModulePass, IR code, goes through the whole program
• Create multiple check functions 
• Pool of functions 
• Random names 
• ...
#include <stdint.h>

// Both check functions need an x86-64 CPU with SSE4.2 (crc32 instruction).
// normalCRC consumes the words in [begin, end) from low to high address.
uint32_t normalCRC(uint32_t init, uint32_t* begin, uint32_t* end){
    uint32_t crc = init;
    while(begin < end){
        __asm__ __volatile__(
            "crc32l %%ecx, %%esi;"
            : "=S" (crc)
            : "0" (crc), "c" (*begin)
        );
        ++begin;
    }
    return crc;
}

// inverseCRC consumes the words in (begin, end] from high to low address,
// so the same region gives a different value than normalCRC.
uint32_t inverseCRC(uint32_t init, uint32_t* begin, uint32_t* end){
    uint32_t crc = init;
    while(begin < end){
        __asm__ __volatile__(
            "crc32l %%ecx, %%esi;"
            : "=S" (crc)
            : "0" (crc), "c" (*end)
        );
        --end;
    }
    return crc;
}
Step One 
• ModulePass, IR code, goes through the whole program
• Create multiple check functions 
• Pool of functions 
• Random names 
• Place random call to the check 
• 1..n per basic block 
• Random area of code 
• ...
... 
store i32 1928457517, i32* %crc, align 4 
store i32* inttoptr (i32 4196792 to i32*), i32** %begin, align 8
store i32* inttoptr (i32 4196848 to i32*), i32** %end, align 8
%2 = load i32* %crc, align 4
%3 = load i32** %begin, align 8
%4 = load i32** %end, align 8
%call = call i32 @vHpAKyNAxHgMhPd(i32 %2, i32* %3, i32* %4)
store i32 %call, i32* %crc, align 4 
...
Step One 
• ModulePass, IR code, goes through the whole program
• Create multiple check functions 
• Pool of functions 
• Random names 
• Place random call to the check 
• 1..n per basic block 
• Random area of code 
• Collect all the call results, compute the new SwitchVar
$SwitchVar = const \oplus res_1 \oplus res_2 \oplus \ldots \oplus res_n$
... 
%14 = load i32* %const1 
%15 = load i32* %crc, align 4 
%16 = load i32* %crc2, align 4 
%xor = xor i32 %15, %16 
%xor5 = xor i32 %xor, %14 
store i32 %xor5, i32* %switchVar 
...
Problems
• Calculation of the precedence
• One check area covers the xor itself
• Modifying the constant value modifies SwitchVar
• The pass runs in the middle-end
• No addresses
• No machine code
Solutions
• Use a static array
• Get the value at a certain address
$SwitchVar = tab[0] \oplus res_1 \oplus res_2 \oplus \ldots \oplus res_n$
• Post-process the binary file
• Python script
• PyElfTool
Post-Processing
• Patch the file once the compilation is over
• Launched manually
• Platform dependent
• Created because the LLVM pass lacks information
• Begin address
• End address
• Hash value
• Static value
Post-Processing 
• Read the log file 
• Find the data 
• Heuristic vs. Search 
• Search by function 
• Update the data 
• Calculate the offset 
• Update the addresses 
• Calculate the check 
• Update the static value
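An added Python simulation of the whole chain described in Step One, Solutions and Post-Processing (not O-LLVM's code): a flattened function whose next case is tab[0] XOR crc(region), a post-processing step that fills in tab[0] once the bytes are final, and what the dispatcher does when a byte inside the hashed region is changed afterwards. The byte image, the offsets, the log dict and the use of zlib.crc32 in place of the crc32 instruction are all constructed assumptions.

```python
"""Simulation of the tamper-proofing scheme from the slides. Added example,
not O-LLVM code: a flattened function whose dispatcher value is
SwitchVar = tab[0] XOR crc(region), with tab[0] written by a post-processing
step once the code bytes are final. The image, offsets and log are
constructed; zlib.crc32 stands in for the crc32 instruction."""
import struct
import zlib

# Constructed layout: the region of .text that the CHECK hashes, and the
# .data slot holding the static array tab[0]. The slot lies outside the
# hashed region on purpose: hashing a constant that itself depends on the
# hash is the circular "precedence" problem from the Problems slide.
CODE_BEGIN, CODE_END, TAB0_OFF = 0x10, 0x30, 0x40

# Case labels of the flattened function; the intended path is A -> B -> C.
CASE_A, CASE_B, CASE_C = 0x3F1D22A7, 0x72E8C001, 0x1B6A5E90


def build_image() -> bytearray:
    """Constructed 'binary' of 0x50 bytes: a byte pattern in the code region,
    tab[0] still zero because the middle-end pass cannot know the final
    machine code."""
    img = bytearray(0x50)
    for i in range(CODE_BEGIN, CODE_END):
        img[i] = (i * 7 + 3) & 0xFF
    return img


def check(img: bytes, begin: int, end: int) -> int:
    """The CHECK: hash of a snippet of code (stand-in for normalCRC)."""
    return zlib.crc32(bytes(img[begin:end])) & 0xFFFFFFFF


def post_process(img: bytearray, log: dict) -> None:
    """Post-processing step: read the log, hash the final bytes and update
    the static value so that tab[0] XOR crc equals the wanted SwitchVar."""
    res = check(img, log["begin"], log["end"])
    struct.pack_into("<I", img, log["tab0"], log["switch_var"] ^ res)


def run_flattened(img: bytes, max_steps: int = 10) -> list:
    """Flattened control flow: external loop + switch on SwitchVar.
    The A -> B transition is computed from the check result, so there is no
    'if (crc != expected)' compare that could be patched out."""
    trace = []
    switch_var = CASE_A
    for _ in range(max_steps):
        if switch_var == CASE_A:
            trace.append("A")
            tab0 = struct.unpack_from("<I", img, TAB0_OFF)[0]
            # SwitchVar = tab[0] XOR res1
            switch_var = tab0 ^ check(img, CODE_BEGIN, CODE_END)
        elif switch_var == CASE_B:
            trace.append("B")
            switch_var = CASE_C
        elif switch_var == CASE_C:
            trace.append("C")
            return trace
        else:
            # RESPOND: no case matches, the program leaves its intended path
            trace.append("default")
            return trace
    return trace


def demo() -> tuple:
    """Traces for the intact image and for an image modified after
    post-processing (one bit flipped inside the hashed region)."""
    img = build_image()
    # Constructed stand-in for the log file written by the LLVM pass.
    log = {"begin": CODE_BEGIN, "end": CODE_END,
           "tab0": TAB0_OFF, "switch_var": CASE_B}
    post_process(img, log)
    intact = run_flattened(bytes(img))
    tampered_img = bytearray(img)
    tampered_img[CODE_BEGIN + 5] ^= 0x01
    return intact, run_flattened(bytes(tampered_img))


if __name__ == "__main__":
    print(demo())
```

The intact image runs A, B, C; after the modification the dispatcher never reaches B, which is the RESPOND happening without any explicit comparison in the code.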
Conclusion - Tamper
• Selection policies
• Area: .text vs. function
• CHECK placement
• Control flow modification
• Good combination of static and dynamic values
• Future
• Use the Clang driver, detect the link phase
• Generic solution, uses the LLVM API
Functions Merging 
What is that?
// Module test.c 
int foo(int a) { 
return a+2; 
} 
float bar(float a) { 
return a+2.0; 
}
// Module test.c
#include <stdarg.h>

// foo() and bar() merged into one dispatcher: sw selects the original body,
// ret receives the result, the original arguments travel through the varargs.
void merge(int sw, void *ret, ...) {
    va_list ap;
    switch(sw) {
    case 0: {
        va_start(ap, ret);
        int a = va_arg(ap, int);
        va_end(ap);
        int *b = (int*)ret;
        *b = a+2;
        break;
    }
    case 1: {
        va_start(ap, ret);
        // a float passed through "..." is promoted to double by the caller,
        // so it has to be read back as a double
        float a = (float)va_arg(ap, double);
        va_end(ap);
        float *b = (float*)ret;
        *b = a+2.0;
        break;
    }
    }
    return;
}
input: Module M
begin
  fList ← ∅;
  foreach function f in module M do
    if f is not a declaration and f is not main then
      fList ← fList ∪ {f};
    end
  end
  merge ← createFunction();
  foreach function f in fList do
    addEntryToSwitch(f, merge);
    if f has arguments then
      loadArgs(f, merge);
    end
    replaceReturn(f, merge);
    moveContent(f, merge);
    createWrapper(f, M);
  end
end
• Save all functions, except: 
• main() 
• Arbitrary choice 
• Variadic functions 
• Special treatment needed 
• No time left to implement it 
• fastcall functions 
• Try to pass arguments through registers
• Merge function 
• 3 arguments 
• int sw 
• void *result 
• variadic argument (…) 
• Uses a switch as a dispatcher 
• Random name - avoid linking problems 
define void @merge-1196957890(i128 %sw, i8* %retArg, ...) { 
entry: 
%sw.addr = alloca i128 
store i128 %sw, i128* %sw.addr 
%sw1 = load i128* %sw.addr 
switch i128 %sw1, label %default [ 
] 
default: ; preds = %entry 
ret void 
}
• switch value 
• sha256 + salt 
• Only use 128 bits 
• Avoid online attack 
switch i128 %sw1, label %default [ 
i128 27710209634873760713303062182632130818 , label %0 
i128 -6843076191789525760054781676266687358 , label %17 
i128 -26221607966511614330399007306620848255 , label %56 
]
... 
%ap = alloca i8* 
%ap2 = bitcast i8** %ap to i8* 
call void @llvm.va_start(i8* %ap2) 
%1 = va_arg i8** %ap, i32 
call void @llvm.va_end(i8* %ap2) 
...
• Replace all returns
• Store the return value through retArg
• ret void
... 
%14 = alloca i8* 
store i8* %retArg , i8** %14 
%15 = load i8** %14 
%16 = bitcast i8* %15 to i32* 
store i32 3, i32* %16 
ret void
• We still have some problems 
• Inter-module calls 
• Distribution of an obfuscated library 
• API breakage
• Wrappers! The solution to every problem ;)
; Function Attrs: nounwind ssp uwtable 
define float @bar(float %a) { 
entry: 
%ret = alloca float 
%retPty = alloca float* 
store float* %ret, float** %retPty 
%load = load float** %retPty 
%bit = bitcast float* %load to i8* 
call void (i128, i8*, ...)* @merge1806660435(i128 49770522224456207387965548547940082999, i8* %bit, float %a)
%0 = load float** %retPty 
%1 = load float* %0 
ret float %1 
}
Conclusion - Function merging
• Use strip!
• Function names give away a lot of information
• Use it together with other obfuscations
Tests 
• Test suite 
• LibTomCrypt 
• OpenSSL 
• SQLite (+200’000 tests) 
• Obfuscation of ALL the code 
• Global idea of the consequences
Conclusion 
• Both obfuscations work fine
• Debugging is hard
• Promising project
• Many other obfuscations
• Flattening V2, debug tricks, tamper V2,… 
• Backend obfuscations 
• Winner “Bourse Start-Up Heig-VD 2014”
Questions? 

 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Appsec obfuscator reloaded

1. Obfuscator Reloaded
Johan Wehrli
Rinaldini Julien

2. Who the **** are we?
• Johan Wehrli
  • Master of Science HES-SO in Engineering
  • Scientific Collaborator
  • @jowehrli
• Julien Rinaldini
  • Master of Science HES-SO in Engineering
  • Research Engineer
  • @pyknite / http://rand0m.ch
• IICT, Institute for Information and Communication Technology

3. Evil Plan
• Obfuscator?
• LLVM?
• Tamper-proofing
• Functions merging
• Tests
• Conclusion
4. Obfuscator
• Research project in IT security
  • Managed by Pascal Junod (PhD)
  • IICT, HEIG-VD
• Open-source (well, not everything ;) ): http://o-llvm.org
• Important dates
  • Born in 2010
  • First public release in 2013
  • Still in development
• Increase software security
  • Substitution, flattening, BCF, …

5. LLVM
• Open-source project, written in C++
• Compilation framework, several modules
• Supports multiple languages:
  • C/C++, Obj-C, Haskell, Java, …
• … and multiple architectures:
  • x86, ARM, MIPS, PowerPC, …
7. The tamper-proofing is...
• Detecting any modifications
• Making sure that a software is run in the way it was expected to be when it was designed

8. The tamper-proofing is not...
• A way of preventing the reverse engineering

9. Two-Step
• Check
  • Verification of the result
  • Calculation of execution time
  • Hash of a snippet of code
• Respond
  • Ending the software
  • Restore the initial code
  • Tamper the result or the performance

10. Typical Attacks
• Search for patterns
  • Statically
  • Dynamically
• Deactivation of the RESPOND
• Modification of the condition
• Pre-processing the new hash value

11. Prerequisites - Flattening
• Flatten the control flow of a function
• Uses
  • External loop
  • switch
    • One case per basic block
    • Basic block -> end -> switch
  • Branch variable (SwitchVar)
12.
#include <stdio.h>

/* Example function to be flattened: a plain loop over a static array */
int main(int argc, char **argv){
    int tab[10] = {5, 9, … , 1};
    for(int i = 0; i < 10; ++i){
        printf("%d, ",tab[i]);
    }
    return 0;
}
14. Now, let's do some meth math…
15. Prerequisites - CRC 1/10
• Linear code $C$ over a finite field $\mathrm{GF}(q)$, of length $n$
• $C$ is a cyclic code if, for every word $c = (c_0, c_1, \dots, c_{n-1}) \in \mathrm{GF}(q)^n$ in the code, every cyclic shift of $c$ is also in the code
• Notions
  • Alphabet: $\Sigma = \{0, 1\}$
  • Word: $x = \texttt{0b10010} = (1, 0, 0, 1, 0) \in \Sigma^5$
  • Cyclic code: 00000, 00111, 01110, 01001, 11100, 11011, 10010, 10101
  • Generator polynomial: $g(x) = x^2 + x + 1$
  • Equations: $0 \cdot g(x),\ 1 \cdot g(x),\ x \cdot g(x),\ (x + 1) \cdot g(x),\ x^2 \cdot g(x),\ (x^2 + 1) \cdot g(x),\ (x^2 + x) \cdot g(x),\ (x^2 + x + 1) \cdot g(x)$
17. Prerequisites - CRC
• Cyclic Redundancy Check
  • To detect errors during transmission
  • To calculate the remainder of a polynomial division
  • Easy to implement (CRC32)
• How it works
  • Cyclic code
  • Euclidean division
  • Remainder = CRC
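The "remainder = CRC" idea on slides 15 and 17, carried through on the slides' own toy parameters ($g(x) = x^2 + x + 1$, $n = 5$). This is an added example written for this page, not code from the slides or from the O-LLVM project: polynomials over GF(2) are bit vectors, Euclidean division is a sequence of shifted XORs, and a word is a code word exactly when its remainder is zero. It also checks the error-detection property and whether the set is closed under cyclic shift.

```c
#include <stdint.h>
#include <stdio.h>

/* Polynomials over GF(2) are stored as bit vectors: bit i holds the
 * coefficient of x^i, so 0b111 is x^2 + x + 1. */

/* Degree of a polynomial (-1 for the zero polynomial). */
static int gf2_degree(uint32_t p) {
    int d = -1;
    while (p) { d++; p >>= 1; }
    return d;
}

/* Euclidean division of a(x) by g(x) over GF(2) (g must be non-zero):
 * subtraction is XOR, so each step cancels the leading term of a with a
 * shifted copy of g. The remainder is the CRC of a(x) for generator g(x). */
uint32_t gf2_mod(uint32_t a, uint32_t g) {
    int dg = gf2_degree(g);
    for (int i = gf2_degree(a); i >= dg; i--)
        if (a & (1u << i))
            a ^= g << (i - dg);
    return a;
}

/* Carry-less multiplication of two GF(2) polynomials. */
uint32_t gf2_mul(uint32_t a, uint32_t b) {
    uint32_t r = 0;
    for (int i = 0; b; i++, b >>= 1)
        if (b & 1u)
            r ^= a << i;
    return r;
}

/* The slides' toy code: generator g(x) = x^2 + x + 1, word length n = 5. */
#define GEN   0x7u
#define NBITS 5

/* Encoding: the code words are exactly the multiples m(x) * g(x). */
uint32_t encode(uint32_t m) { return gf2_mul(m, GEN); }

/* Membership test: a word is in the code iff its CRC (remainder) is zero. */
int is_codeword(uint32_t w) { return gf2_mod(w, GEN) == 0; }

/* Number of 5-bit words with zero remainder (8 for this generator). */
int count_codewords(void) {
    int n = 0;
    for (uint32_t w = 0; w < (1u << NBITS); w++)
        n += is_codeword(w);
    return n;
}

/* Error detection: flipping any single bit of any code word must leave a
 * non-zero remainder. Returns 1 if that holds for every word and position. */
int single_bit_errors_detected(void) {
    for (uint32_t w = 0; w < (1u << NBITS); w++) {
        if (!is_codeword(w)) continue;
        for (int b = 0; b < NBITS; b++)
            if (is_codeword(w ^ (1u << b)))
                return 0;
    }
    return 1;
}

/* Cyclic closure: is every one-position rotation of a code word also a
 * code word? That requires g(x) to divide x^n + 1, which x^2 + x + 1 does
 * not for n = 5 (11100 is a code word, its rotation 11001 is not), so this
 * returns 0 for the slides' parameters. */
int closed_under_cyclic_shift(void) {
    uint32_t mask = (1u << NBITS) - 1;
    for (uint32_t w = 0; w <= mask; w++) {
        if (!is_codeword(w)) continue;
        uint32_t rot = ((w << 1) | (w >> (NBITS - 1))) & mask;
        if (!is_codeword(rot))
            return 0;
    }
    return 1;
}

int main(void) {
    for (uint32_t m = 0; m < 8; m++)
        printf("m=%u -> code word 0x%02x\n", m, encode(m));
    printf("code words: %d, single-bit errors detected: %d, cyclic: %d\n",
           count_codewords(), single_bit_errors_detected(),
           closed_under_cyclic_shift());
    return 0;
}
```

The eight values printed by `encode` are the eight words listed on slide 15. The last check is a detail worth knowing when picking a generator: divisibility by $g(x)$ gives a linear code with single-bit error detection, but the set is only cyclic in the strict sense when $g(x)$ divides $x^n - 1$, which is not the case for this length-5 toy example.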
18. Step One
• ModulePass, on the IR, goes through the whole program
• …
20. Step One
• ModulePass, on the IR, goes through the whole program
• Create multiple check functions
  • Pool of functions
  • Random names
• ...
21.
#include <stdint.h>

/* Two members of the check-function pool, built on the SSE4.2 crc32
 * instruction (x86-64 only). normalCRC walks the words in [begin, end)
 * forwards; inverseCRC walks the words in (begin, end] backwards, so the
 * two functions hash slightly different ranges and give different values. */
uint32_t normalCRC(uint32_t init, uint32_t* begin, uint32_t* end){
    uint32_t crc = init;
    while(begin < end){
        __asm__ __volatile__(
            "crc32l %%ecx, %%esi;"
            : "=S" (crc)
            : "0" (crc), "c" (*begin)
        );
        ++begin;
    }
    return crc;
}

uint32_t inverseCRC(uint32_t init, uint32_t* begin, uint32_t* end){
    uint32_t crc = init;
    while(begin < end){
        __asm__ __volatile__(
            "crc32l %%ecx, %%esi;"
            : "=S" (crc)
            : "0" (crc), "c" (*end)
        );
        --end;
    }
    return crc;
}
22. Step One
• ModulePass, on the IR, goes through the whole program
• Create multiple check functions
  • Pool of functions
  • Random names
• Place random calls to the check
  • 1..n per basic block
  • Random area of code
• ...

23.
...
store i32 1928457517, i32* %crc, align 4
store i32* inttoptr (i32 4196792 to i32*), i32** %begin, align 8
store i32* inttoptr (i32 4196848 to i32*), i32** %end, align 8
%2 = load i32* %crc, align 4
%3 = load i32** %begin, align 8
%4 = load i32** %end, align 8
%call = call i32 @vHpAKyNAxHgMhPd(i32 %2, i32* %3, i32* %4)
store i32 %call, i32* %crc, align 4
...
24. Step One
• ModulePass, on the IR, goes through the whole program
• Create multiple check functions
  • Pool of functions
  • Random names
• Place random calls to the check
  • 1..n per basic block
  • Random area of code
• Get all the call results, calculate the new SwitchVar:
  $\mathrm{SwitchVar} = \mathrm{const} \oplus res_1 \oplus res_2 \oplus \dots \oplus res_n$

25.
...
%14 = load i32* %const1
%15 = load i32* %crc, align 4
%16 = load i32* %crc2, align 4
%xor = xor i32 %15, %16
%xor5 = xor i32 %xor, %14
store i32 %xor5, i32* %switchVar
...
27. Problems
• Ordering of the checks
  • One check area covers the xor itself
  • Modifying the constant value modifies the hashed code, hence SwitchVar
• The pass occurs in the middle-end
  • No addresses
  • No machine code

28. Solutions
• Use a static array
  • Get the value at a certain address
  • $\mathrm{SwitchVar} = tab[0] \oplus res_1 \oplus res_2 \oplus \dots \oplus res_n$
• Post-process the binary file
  • Python script
  • pyelftools

29. Post-Processing
• Patch the file once the compilation is over
  • Launched manually
  • Platform dependent
• Created because the LLVM pass lacks information
  • Begin address
  • End address
  • Hash value
  • Static value

30. Post-Processing
• Read the log file
• Find the data
  • Heuristic vs. search
  • Search by function
• Update the data
  • Calculate the offset
  • Update the addresses
  • Calculate the check
  • Update the static value

31. Conclusion - Tamper
• Selection policies
  • Area: .text vs. function
  • CHECK placement
  • Control flow modification
• Good combination between static and dynamic values
• Future
  • Use the Clang driver, detect the link phase
  • Generic solution, uses the LLVM API
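The tamper-proofing scheme of slides 20 to 28 in one self-contained program, as an added example written for this page (not code from the slides or from the O-LLVM pass): a flattened function whose initial SwitchVar is never stored as a literal but computed as const ⊕ CRC(region), so a modified region no longer selects the right case. A portable software CRC-32C stands in for the `crc32l` instruction the slides use (same update rule, processed byte by byte); the 16-byte region, the case values and the name `run_protected` are constructed for the example, and the static constant is derived here from a pristine copy where the real scheme has the post-processing script patch it into the binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Software CRC-32C (Castagnoli, reflected polynomial 0x82F63B78). This is
 * the update rule the SSE4.2 crc32 instruction applies, without the
 * init/final inversion of the "CRC-32C" presentation used in checksums. */
static uint32_t crc32c_update(uint32_t crc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Self-check against the published CRC-32C check value:
 * CRC-32C("123456789") with init and final XOR 0xFFFFFFFF is 0xE3069283. */
uint32_t crc32c_check_value(void) {
    const char *s = "123456789";
    return crc32c_update(0xFFFFFFFFu, (const uint8_t *)s, 9) ^ 0xFFFFFFFFu;
}

/* Constructed stand-in for a protected code region (on the slides: a span
 * of .text between the begin/end addresses the post-processing patches). */
#define REGION_LEN 16
static const uint8_t PRISTINE_REGION[REGION_LEN] = {
    0x55, 0x48, 0x89, 0xe5, 0x89, 0x7d, 0xfc, 0x8b,
    0x45, 0xfc, 0x83, 0xc0, 0x02, 0x5d, 0xc3, 0x90
};

/* Constructed case values of the flattened switch. */
enum { CASE_ENTRY = 0x1A2B3C4D, CASE_DONE = 0x5E6F7081 };
enum { RESULT_OK = 0, RESULT_TAMPERED = -1 };

/* Runs a flattened function whose first switch value is derived as
 * const ^ CRC(region). tamper != 0 flips one bit of the region first. */
int run_protected(int tamper) {
    uint8_t region[REGION_LEN];
    memcpy(region, PRISTINE_REGION, REGION_LEN);
    if (tamper)
        region[5] ^= 0x01;

    /* "Static value": on the slides it is computed after compilation and
     * written into the binary; here it is derived from the pristine copy. */
    uint32_t expected_crc = crc32c_update(0, PRISTINE_REGION, REGION_LEN);
    uint32_t static_const = (uint32_t)CASE_ENTRY ^ expected_crc;

    uint32_t res1 = crc32c_update(0, region, REGION_LEN); /* CHECK      */
    uint32_t switch_var = static_const ^ res1;            /* const ^ res1 */

    int acc = 0;
    for (;;) {                         /* external loop of the flattening */
        switch (switch_var) {
        case CASE_ENTRY:               /* first basic block */
            acc += 2;
            switch_var = CASE_DONE;
            break;
        case CASE_DONE:                /* exit block */
            return acc == 2 ? RESULT_OK : RESULT_TAMPERED;
        default:
            /* RESPOND: a modified region selects no case; the original
             * control flow cannot be recovered from the binary alone. */
            return RESULT_TAMPERED;
        }
    }
}

int main(void) {
    printf("crc32c check value: 0x%08x\n", crc32c_check_value());
    printf("intact region:   %d\n", run_protected(0));
    printf("modified region: %d\n", run_protected(1));
    return 0;
}
```

Because the CRC is linear, a single flipped bit always changes `res1`, so the intact binary is the only one for which `static_const ^ res1` lands on `CASE_ENTRY`; this is also why slide 10's "pre-processing the new hash value" is the attack to worry about, and why slide 28 moves the constant into a static array that a later check can itself cover.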
33.
// Module test.c
int foo(int a) {
    return a+2;
}

float bar(float a) {
    return a+2.0;
}
34.
// Module test.c, after merging (sketch of the code the pass generates)
#include <stdarg.h>

void merge(int sw, void *ret, ...) {
    va_list ap;
    switch(sw) {
    case 0: {                                     // was foo(int)
        va_start(ap, ret);                        // ret is the last named parameter
        int a = va_arg(ap, int);
        va_end(ap);
        int *b = (int*)ret;
        *b = a+2;
        break;
    }
    case 1: {                                     // was bar(float)
        va_start(ap, ret);
        float a = (float)va_arg(ap, double);      // float is promoted to double in variadic calls
        va_end(ap);
        float *b = (float*)ret;
        *b = a+2.0;
        break;
    }
    }
    return;
}
35.
input: Module M
begin
    fList ← ∅;
    foreach function f in module M do
        if f is not a declaration and f is not main then
            fList ← fList ∪ {f};
        end
    end
    merge ← createFunction();
    foreach function f in fList do
        addEntryToSwitch(f, merge);
        if f has arguments then
            loadArgs(f, merge);
        end
        replaceReturn(f, merge);
        moveContent(f, merge);
        createWrapper(f, M);
    end
end
37.
• Save all functions, except:
  • main()
    • Arbitrary choice
  • Variadic functions
    • Special treatment needed
    • No time left to implement it
  • fastcall functions
    • Try to pass arguments through registers
39.
• Merge function
  • 3 arguments
    • int sw
    • void *result
    • variadic argument (…)
  • Uses a switch as a dispatcher
  • Random name - avoids linking problems

define void @merge-1196957890(i128 %sw, i8* %retArg, ...) {
entry:
  %sw.addr = alloca i128
  store i128 %sw, i128* %sw.addr
  %sw1 = load i128* %sw.addr
  switch i128 %sw1, label %default [
  ]
default:                                          ; preds = %entry
  ret void
}
41.
• switch value
  • sha256 + salt
  • Only use 128 bits
  • Avoid online attack

switch i128 %sw1, label %default [
  i128 27710209634873760713303062182632130818, label %0
  i128 -6843076191789525760054781676266687358, label %17
  i128 -26221607966511614330399007306620848255, label %56
]
43.
...
%ap = alloca i8*
%ap2 = bitcast i8** %ap to i8*
call void @llvm.va_start(i8* %ap2)
%1 = va_arg i8** %ap, i32
call void @llvm.va_end(i8* %ap2)
...
45.
• Replace all returns
  • Store the return value through retArg
  • ret void

...
%14 = alloca i8*
store i8* %retArg, i8** %14
%15 = load i8** %14
%16 = bitcast i8* %15 to i32*
store i32 3, i32* %16
ret void

46.
• We still have some problems
  • Inter-module calls
  • Distribution of an obfuscated library
  • API breakage

47.
• Wrappers! The solution for every problem ;)

; Function Attrs: nounwind ssp uwtable
define float @bar(float %a) {
entry:
  %ret = alloca float
  %retPty = alloca float*
  store float* %ret, float** %retPty
  %load = load float** %retPty
  %bit = bitcast float* %load to i8*
  call void (i128, i8*, ...)* @merge1806660435(i128 49770522224456207387965548547940082999, i8* %bit, float %a)
  %0 = load float** %retPty
  %1 = load float* %0
  ret float %1
}
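The same wrapper pattern written out in C, as an added example for this page (not the pass's own output and not from the slides): the merged body dispatches on a key, reads its arguments with `va_arg`, writes its result through the out pointer, and the wrappers `foo` and `bar` keep the original names and signatures so callers in other modules and the library's public API are untouched. The keys `KEY_FOO` and `KEY_BAR` are constructed 64-bit placeholders; the pass derives 128-bit keys from sha256 plus a salt.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed dispatcher keys (the pass uses 128 bits of sha256(name + salt);
 * 64-bit placeholders keep this example plain C). */
#define KEY_FOO 0x3b9f1c2a7d0e5461ULL
#define KEY_BAR 0xa17e44c09b3d2f58ULL

/* The merged body: one switch, arguments fetched through va_arg, results
 * written through the out pointer instead of being returned. */
static void merged_body(uint64_t sw, void *ret, ...) {
    va_list ap;
    va_start(ap, ret);
    switch (sw) {
    case KEY_FOO: {                 /* int foo(int a) { return a + 2; } */
        int a = va_arg(ap, int);
        *(int *)ret = a + 2;
        break;
    }
    case KEY_BAR: {                 /* float bar(float a) { return a + 2.0; } */
        float a = (float)va_arg(ap, double);   /* float promotes to double */
        *(float *)ret = a + 2.0f;
        break;
    }
    default:                        /* unknown key: nothing is written */
        break;
    }
    va_end(ap);
}

/* Wrappers: same names and prototypes as the original functions, so the
 * module's interface (and any obfuscated library built from it) is stable. */
int foo(int a) {
    int ret;
    merged_body(KEY_FOO, &ret, a);
    return ret;
}

float bar(float a) {
    float ret;
    merged_body(KEY_BAR, &ret, a);
    return ret;
}

int main(void) {
    printf("foo(3) = %d\n", foo(3));
    printf("bar(1.5) = %g\n", bar(1.5f));
    return 0;
}
```

After `strip`, only `merged_body` and the wrappers' symbols remain to be told apart, which is the point of slide 48's advice: the wrapper names are the one place where the original function names survive.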
48. Conclusion - Function merging
• Use strip!
  • Function names give a lot of information
• Use it with other obfuscations

49. Tests
• Test suite
  • LibTomCrypt
  • OpenSSL
  • SQLite (+200'000 tests)
• Obfuscation of ALL the code
• Global idea of the consequences

50. Conclusion
• Both obfuscations work fine
• Debugging is hard
• Promising project
• A lot of other obfuscations
  • Flattening V2, debug tricks, tamper V2, …
  • Backend obfuscations
• Winner "Bourse Start-Up HEIG-VD 2014"

51. Questions?