What does obfuscated code look like? – What is obfuscation?
Application obfuscation refers to a set of techniques used to protect an application, and the intellectual property (IP) embedded in it, from application-level intrusion, reverse engineering and tampering. So, what is obfuscation, and how does it work?
What is Obfuscation?
Obfuscation means making something difficult to understand. Program code is often obfuscated to protect intellectual property or trade secrets and to make it harder for attackers to reverse engineer a proprietary software program.
Encrypting some or all of a program’s code is one obfuscation method. Other approaches include stripping potentially revealing metadata, replacing class and variable names with meaningless labels, and adding unused or meaningless code to application scripts. A tool called an obfuscator automatically converts readable source code into a program that behaves the same way but is harder to read and understand.
Unfortunately, malware authors use the same methods to keep their attack mechanisms from being detected by anti-malware tools. The SolarWinds attack of 2020 is an example of attackers using obfuscation to evade defenses.
Deobfuscation techniques can be used to reverse engineer, or undo, obfuscation. They include program slicing, which narrows the program code down to only the statements that are relevant at a particular point in the program. Compiler optimization and program synthesis are two other deobfuscation techniques. Obfuscation aims to make reverse engineering difficult and not worth the effort.
- Below is an example of obfuscated C code:
- Here is the deobfuscated version, which a person can understand:
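The listing the article refers to is not reproduced here, so the following is an added example rather than the page's own code. Both functions are constructed for this illustration: `digit_sum` is the readable version, and `l1Il` is the same logic after applying several of the techniques the article goes on to describe (renamed identifiers, flattened control flow driven by a state variable, an opaque predicate whose branch is always taken, and dead code that can never run). The names and the test inputs are assumptions made for the example.

```c
#include <stdio.h>

/* Readable version: sum the decimal digits of a string.
   Returns -1 if any character is not a digit. */
int digit_sum(const char *s) {
    int sum = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return -1;
        sum += *s - '0';
    }
    return sum;
}

/* Obfuscated version of the same function (constructed for this example).
   - identifiers renamed to look-alike names (l, 1, I)
   - the loop is flattened into a state machine (I1l holds the state)
   - an opaque predicate: llI*llI + llI is always even, so the
     "else" branch is never taken
   - dead code in the untaken branch
   - digit value obtained with XOR 0x30 instead of subtracting '0' */
int l1Il(const char *Il1) {
    int lI1 = 0, I1l = 0, llI = 7;
    while (I1l >= 0) {
        switch (I1l) {
        case 0:                        /* end of string? */
            I1l = (*Il1 == 0) ? 3 : 1;
            break;
        case 1:                        /* classify the character */
            if (((llI * llI + llI) & 1) == 0) {     /* opaque: always true */
                I1l = ((unsigned char)*Il1 - 0x30u) < 10u ? 2 : 4;
            } else {
                lI1 ^= 0xdead;         /* dead code, never executed */
                I1l = 5;
            }
            break;
        case 2:                        /* accumulate the digit */
            lI1 += *Il1 ^ 0x30;        /* '0'..'9' XOR 0x30 gives 0..9 */
            Il1++;
            I1l = 0;
            break;
        case 3:
            return lI1;
        case 4:
            return -1;
        default:                       /* unreachable */
            lI1 = 0;
            I1l = 3;
        }
    }
    return lI1;
}

int main(void) {
    const char *inputs[] = { "1234", "98x", "" };
    for (int i = 0; i < 3; i++)
        printf("\"%s\": readable=%d obfuscated=%d\n",
               inputs[i], digit_sum(inputs[i]), l1Il(inputs[i]));
    return 0;
}
```

Running the program shows that the two functions agree on every input (10, -1 and 0 for the three constructed strings), which is the defining property of obfuscation the article states below: the presentation changes, the behaviour does not.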
How does obfuscation work?
Obfuscation in computer code uses convoluted detours and redundant logic to make the code confusing for the reader. The purpose is to distract the reader with the complicated syntax of what they are reading and make it difficult for them to work out what the code actually does.
With computer code, the reader can be a person, a computing device or another program. Obfuscation is also used to fool anti-virus engines and other programs that rely heavily on signatures to interpret code. Decompilers are available for languages like Java, operating systems like Android and iOS, and development platforms like .NET; they can automatically recover source-like code from a compiled program, and obfuscation is intended to make that recovered code hard to use.
Obfuscation is not about changing the content of a program’s original code, but about making the delivery and presentation of that code more confusing. Obfuscation does not change the way a program works or its output, but the obfuscated version is nearly impossible to follow by eye.
Obfuscation techniques
Obfuscation involves a number of different methods. Usually several techniques are combined to create a layering effect.
Programs written in languages such as C# and Java are easier to obfuscate, because they compile to intermediate-level instructions that are generally easy to read. In contrast, C++ is harder to obfuscate, because it compiles to machine code, which is harder for everyone to read.
Some common obfuscation techniques include:
• Renaming. The obfuscator changes the names of methods and variables. New names may include non-printable or invisible characters.
• Packing. This compresses the entire program so that the code is unreadable.
• Control flow. Decompiled code is made to look like spaghetti logic: unstructured and hard to maintain, because the line of reasoning is obscured. The results of the code are not obvious, and it is hard to tell what the code is for by looking at it.
• Instruction pattern transformation. This approach takes common instruction sequences generated by the compiler and swaps them for more complex, less common instructions that do effectively the same thing.
• Dummy code insertion. Dummy code can be added to a program to make it harder to read and reverse engineer, without affecting the program’s logic or results.
• Metadata and unused code removal. Unused code and metadata give readers additional information about the program that, like comments in a Word document, helps them read and debug it. Removing metadata and unused code leaves the reader with less information about the program and its code.
• Opaque predicate insertion. A predicate in code is a logical expression that evaluates to true or false. Opaque predicates are conditional branches (if-then statements) whose outcome cannot easily be determined by static analysis. Inserting an opaque predicate introduces unnecessary code that is never executed but confuses a reader trying to understand the decompiled output.
• Anti-debug. Legitimate software engineers and attackers both use debuggers to examine code line by line: engineers use them to spot problems in code, attackers use them to reverse engineer it. IT security professionals can use anti-debug tools to detect when an attacker is running a debugger as part of an attack. Attackers can likewise use anti-debug techniques to detect when a debugger is being used to analyze the changes they are making to code.
• Anti-tamper. These tools detect code that has been tampered with and, if it has been modified, stop the program.
• String encryption. This method encrypts the strings in the executable and restores their values only when they are needed at run time. This makes it difficult to scan a program for specific strings.
• Code transposition. This reorders routines and branches in the code with no visible effect on its behavior.
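The string encryption technique in the list above, shown as an added example (this is not code from the article or from any obfuscation product). The message "Trial expired" has been XOR-encrypted with a repeating four-byte key chosen for this illustration; only the encrypted bytes are stored in the program, and the readable text exists only briefly, in a stack buffer, at the moment it is printed. The key, the message and the function names are all assumptions of the example; the `contains_plaintext` helper stands in for the kind of `strings`-style scan the technique is meant to defeat.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example key and ciphertext. A real obfuscator would compute
   the table below at build time; the plaintext never reaches the binary. */
static const unsigned char STR_KEY[4] = { 0x5a, 0xc3, 0x17, 0x8e };
static const unsigned char ENC_TRIAL_MSG[] = {      /* "Trial expired" */
    0x0e, 0xb1, 0x7e, 0xef, 0x36, 0xe3, 0x72,
    0xf6, 0x2a, 0xaa, 0x65, 0xeb, 0x3e
};

/* Decrypt `enc` into the caller's buffer and NUL-terminate it.
   Returns the number of characters written, or -1 if `out` is too small. */
int decrypt_string(const unsigned char *enc, size_t enc_len,
                   char *out, size_t out_len)
{
    if (out_len < enc_len + 1) return -1;
    for (size_t i = 0; i < enc_len; i++)
        out[i] = (char)(enc[i] ^ STR_KEY[i % sizeof STR_KEY]);
    out[enc_len] = '\0';
    return (int)enc_len;
}

/* The build-time half of the transformation (same XOR), included so the
   round trip can be verified. Returns bytes written or -1 on overflow. */
int encrypt_string(const char *plain, unsigned char *enc, size_t enc_len) {
    size_t n = strlen(plain);
    if (enc_len < n) return -1;
    for (size_t i = 0; i < n; i++)
        enc[i] = (unsigned char)plain[i] ^ STR_KEY[i % sizeof STR_KEY];
    return (int)n;
}

/* Naive scan: does `needle` appear verbatim inside the stored bytes?
   Returns 1 if found, 0 otherwise. */
int contains_plaintext(const unsigned char *blob, size_t blob_len,
                       const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > blob_len) return 0;
    for (size_t i = 0; i + n <= blob_len; i++)
        if (memcmp(blob + i, needle, n) == 0) return 1;
    return 0;
}

/* Decrypt on demand, use the string, then wipe it. (A production build
   would use a wipe the compiler cannot drop, e.g. explicit_bzero.) */
void report_trial_expired(void) {
    char msg[32];
    if (decrypt_string(ENC_TRIAL_MSG, sizeof ENC_TRIAL_MSG, msg, sizeof msg) > 0)
        puts(msg);
    memset(msg, 0, sizeof msg);
}

/* Checkable helpers: does the stored table decrypt to `expected`, and does
   encrypting `plain` reproduce the table? Both return 1 for yes, 0 for no. */
int trial_message_is(const char *expected) {
    char buf[32];
    if (decrypt_string(ENC_TRIAL_MSG, sizeof ENC_TRIAL_MSG, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int table_matches_plaintext(const char *plain) {
    unsigned char enc[32];
    int n = encrypt_string(plain, enc, sizeof enc);
    return n == (int)sizeof ENC_TRIAL_MSG && memcmp(enc, ENC_TRIAL_MSG, n) == 0;
}

int main(void) {
    report_trial_expired();                        /* prints: Trial expired */
    printf("plaintext visible in stored bytes: %d\n",
           contains_plaintext(ENC_TRIAL_MSG, sizeof ENC_TRIAL_MSG, "Trial"));
    return 0;
}
```

The second line of output is 0: the stored table contains no fragment of the readable message, so a plain string search over the program image finds nothing, which is exactly the effect the article describes. Note that a simple XOR with a stored key only hides the string from casual inspection; anyone who locates the key and the decrypt routine can recover it, which is why the article treats obfuscation as a deterrent rather than a guarantee.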
How to measure the success of obfuscation
The success of obfuscation methods can be measured using the following criteria:
• Strength. Strength is the degree to which the transformed code resists automated deobfuscation attempts. The more effort, time and resources it takes to undo, the stronger the obfuscation.
• Differentiation. The degree to which the transformed code differs from the original is another measure of how well the obfuscation performs. Ways to evaluate the difference include:
o The number of predicates the new code contains.
o Depth of inheritance tree (DIT), a metric used to indicate code complexity. A higher DIT means a more complex program.
• Cost. A cost-effective obfuscation method is more useful than an expensive one, especially in how it scales to larger applications.
• Complexity. The more layers the obfuscator adds, the more complex the program becomes and the more successful the obfuscation.
Advantages of obfuscation
The main advantages of obfuscation are as follows:
• Secrecy. Obfuscation hides valuable information in code. This is an advantage for legitimate organizations looking to protect code from competitors and attackers. By the same token, attackers take advantage of that secrecy to hide their malicious code.
• Efficiency. Some obfuscation techniques, such as removing unused code, have the side effect of shrinking the program and making it less resource-intensive to run.
• Security. Obfuscation is a built-in security measure, sometimes called application self-protection. Rather than relying on an external security control, it works inside the thing being protected. It is well suited to protecting applications that run in untrusted environments and contain sensitive information.
Disadvantages of obfuscation
One of the main disadvantages of obfuscation is that it is also used by malware. Malware authors use it to evade anti-virus programs that scan code for specific features; by obscuring those features, the malware looks legitimate to the antivirus.
Common techniques used by malware authors include:
• Exclusive or (XOR). An operation that hides data by XOR-ing the code with a key value, so that only a trained eye can decode it.
• ROT-13. A substitution cipher that replaces each letter with the one 13 places further along the alphabet.
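Both encodings in the list above are reversible without any secret, which is why an analyst examining a suspicious sample can usually undo them quickly. The following added example (not code from the article) shows the two routines a defender would keep at hand: a ROT-13 decoder, and a single-byte XOR key recovery that tries all 256 keys and picks the one whose output looks most like text. The sample inputs are constructed for this example: a ROT-13 string and a status message XOR-ed with the byte 0x5c; the scoring heuristic and function names are assumptions, not a standard.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* ROT-13 in place; applying it twice restores the original. Returns s. */
char *rot13(char *s) {
    for (char *p = s; *p; p++) {
        if (*p >= 'a' && *p <= 'z') *p = (char)('a' + (*p - 'a' + 13) % 26);
        else if (*p >= 'A' && *p <= 'Z') *p = (char)('A' + (*p - 'A' + 13) % 26);
    }
    return s;
}

/* Checkable wrapper: does rot13(in) equal expected? (1 = yes, 0 = no) */
int rot13_equals(const char *in, const char *expected) {
    char buf[128];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    return strcmp(rot13(buf), expected) == 0;
}

/* Heuristic: readable text is mostly letters and spaces; control bytes
   and high bytes are a strong sign of a wrong key. */
static int plausibility(const unsigned char *buf, size_t n) {
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        if (isalpha(buf[i]))           score += 2;
        else if (buf[i] == ' ')        score += 1;
        else if (buf[i] < 0x20 || buf[i] > 0x7e) score -= 5;
    }
    return score;
}

/* Try every single-byte key and return the one whose decoding scores
   highest. Returns -1 on empty input. Only the first 256 bytes are
   examined; that is plenty to decide. */
int xor_recover_key(const unsigned char *blob, size_t n) {
    if (n == 0) return -1;
    if (n > 256) n = 256;
    unsigned char tmp[256];
    int best_key = 0, best_score = INT_MIN;
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i < n; i++) tmp[i] = blob[i] ^ (unsigned char)key;
        int s = plausibility(tmp, n);
        if (s > best_score) { best_score = s; best_key = key; }
    }
    return best_key;
}

/* Decode blob with key into out (NUL-terminated); out must hold n+1 bytes. */
void xor_decode(const unsigned char *blob, size_t n, int key, char *out) {
    for (size_t i = 0; i < n; i++) out[i] = (char)(blob[i] ^ (unsigned char)key);
    out[n] = '\0';
}

/* Constructed sample: a 19-byte status string XOR-ed with 0x5c. */
static const unsigned char SAMPLE_XOR[] = {
    0x29, 0x2c, 0x38, 0x3d, 0x28, 0x39, 0x7c, 0x3f, 0x34, 0x39,
    0x3f, 0x37, 0x7c, 0x3a, 0x3d, 0x35, 0x30, 0x39, 0x38
};

int sample_key(void) { return xor_recover_key(SAMPLE_XOR, sizeof SAMPLE_XOR); }

/* Does the sample, decoded with the recovered key, equal expected? */
int sample_decodes_to(const char *expected) {
    char out[sizeof SAMPLE_XOR + 1];
    xor_decode(SAMPLE_XOR, sizeof SAMPLE_XOR, sample_key(), out);
    return strcmp(out, expected) == 0;
}

int main(void) {
    char msg[] = "Uryyb, nanylfg";                 /* constructed ROT-13 sample */
    printf("rot13: %s\n", rot13(msg));             /* Hello, analyst */
    char out[sizeof SAMPLE_XOR + 1];
    int key = sample_key();
    xor_decode(SAMPLE_XOR, sizeof SAMPLE_XOR, key, out);
    printf("xor key 0x%02x: %s\n", key, out);      /* 0x5c: update check failed */
    return 0;
}
```

The key recovery works because every letter of the plaintext XOR-ed with the true key yields a letter again, while any other key turns at least some of them into punctuation or control bytes. The same scoring idea extends to longer repeating keys by solving each key position separately, though this example deliberately stops at the single-byte case the article names.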
With obfuscation, instead of developing new malware, authors repackage commonly used commodity attack methods to disguise their features. In some cases, malicious actors add vendor-specific techniques.
Another disadvantage of obfuscation is that it adds overhead. For example, code that uses the string encryption technique has to decrypt its strings at run time, which slows the program down.
Obfuscation and SolarWinds attack
An attack against SolarWinds, an IT monitoring and management software maker in Austin, Texas, is believed to have started in September 2019 and resulted in the compromise of a wide range of companies and government agencies. The attack was discovered in December 2020 and is believed to have been carried out by Russian hackers. It initially compromised SolarWinds’ Orion IT management platform.
The attackers used the Sunburst malware, which combines obfuscation, machine learning and AI to create a backdoor in software updates for the Orion platform. To disguise their efforts and bypass defenses, they altered audit logs, deleted files and programs after use, and disguised their activity to make it look like legitimate applications on the network.
This supply chain attack is said to have gone undetected for over a year. The malware inserted into the Orion code lay dormant and hidden until a user downloaded the infected updates. It then spread through the network undetected and infected a long list of organizations using Orion.
In summary: obfuscation is a well-known term in software engineering. It is the deliberate obscuring of code by its author, done mainly for security purposes: making the code obscure in order to prevent tampering, hide embedded values or hide the logic used. Obfuscated code can be turned back into meaningful code with the help of a language-specific deobfuscator.
If you have any questions, don’t hesitate to leave a comment for Themedipia.com to answer!