SHOCK
SHaastra Obfuscated Code Contest
Sriram K R, Vivek S
26/08/07
What is Obfuscation?
• Obfuscation is about concealing the meaning of communication by making it more confusing and harder to interpret.
• One definition of "code obfuscation" is a set of transformations on a program that preserve the same black box specification while making the internals difficult to reverse-engineer. There turn out to be many such transformations.
• The job of a good obfuscator is to destroy as much as possible of the structure that makes a program human-readable.
Where is it used?
• It is used to deter reverse engineering attempts in languages like Java and the .NET family.
• Reversing obfuscation helps in understanding programs better.
• Obfuscated code is used by spammers to hide malicious JavaScript code in emails etc.
• Code size can be minimized by obfuscation.
  – Reducing variable name length
  – Destroying structures and modules
• It is done for recreational purposes.
International Contests
• Contests are held at the international level every year to test the obfuscation skills of the contestants.
  – IOCCC : International Obfuscated C Code Contest
  – IORCC : International Obfuscated Ruby Code Contest
  – Annual Obfuscated Perl Contest
Some Examples
#include<stdio.h>
int main (int j,char**V){char*R=V[1],i=0,k=48;for(;*R>k;*++R|| puts(R-i))++i;for(;++k<58;*R && main(*R=k,V),*R=1) for(j=81;j --;) *R*=R[j-i]-k||i/9^j/9&&i%9^j%9&&i/27^j/27|i%9/3^j%9/3;}
This 176-character C program solves Sudoku!
#define _ -F<00||--F-OO--;
int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO()
{
_-_-_-_
_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_-_-_-_-_
_-_-_-_-_-_-_-_
_-_-_-_
}
The Tardy Bus problem
Given the following statements as premises:
1) If Bill takes the bus, then Bill misses his appointment, if the bus is late.
2) Bill shouldn't go home, if (a) Bill misses his appointment, and (b) Bill feels downcast.
3) If Bill doesn't get the job, then (a) Bill feels downcast, and (b) Bill should go home.
Is it valid to conclude:
Q1) that if Bill takes the bus, then Bill does get the job, if the bus is late? True
Q2) that Bill does get the job, if (a) Bill misses his appointment, and (b) Bill should go home? True
Obfuscating Code
• Obfuscation and reversing it
• Language specific techniques
• C provides a lot of scope for obfuscation
• Learning by studying obfuscated programs
• Some examples
Reversing Obfuscation – An Example
main( _,__,___,____,_____) {long long ago=741760571427457290;__=2925166600716333;___=++_<<--_+_<<_;____ = _;_____ =( ___*((___<<_)-(_<<_)))+(_<<_)+1;_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;while(_---'_')write(____,&__,____);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>') +_____;write(____,&ago,___);_=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;while(_---'_')write(____,&__,____);printf("\n");}
The objective of the program is to print SHOCK surrounded by dashed lines.
Step 1 : Indent the program
main( _,__,___,____,_____) {
    long long ago=741760571427457290;
    __=2925166600716333;
    ___=++_<<--_+_<<_;
    ____ = _;
    _____ =( ___*((___<<_)-(_<<_)))+(_<<_)+1;
    _=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;
    while(_---'_')
        write(____,&__,____);
    _=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;
    write(____,&ago,___);
    _=_=_=_=_=_=_=_=_=_=(_=_>>_-'>')+_____;
    while(_---'_')
        write(____,&__,____);
    printf("\n");
}
Step 2 : Name variables properly
main( e,d,c,b,a) {
    long long ago=741760571427457290;
    d=2925166600716333;
    c=++e<<--e+e<<e;
    b = e;
    a =( c*((c<<e)-(e<<e)))+(e<<e)+1;
    e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;
    while(e---'_')
        write(b,&d,b);
    e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;
    write(b,&ago,c);
    e=e=e=e=e=e=e=e=e=e=(e=e>>e-'>')+a;
    while(e---'_')
        write(b,&d,b);
    printf("\n");
}
Step 3 : Fix verbose statements
main( e,d,c,b,a) {
    long long ago=741760571427457290;
    d=2925166600716333;
    c=++e<<--e+e<<e;
    b = e;
    a =(c*((c<<e) - (e<<e)))+(e<<e)+1;
    e=(e>>e-'>')+a;
    while(e---'_')
        write(b,&d,b);
    e=(e>>e-'>')+a;
    write(b,&ago,c);
    e=(e>>e-'>')+a;
    while(e---'_')
        write(b,&d,b);
    printf("\n");
}
Step 4 : Resolve the constants
main( e,d,c,b,a) {
    char ago[9]="\n\tSHOCK\n";
    char f[2]="-";
    c=++e<<--e+e<<e;
    b = e;
    a =(c*((c<<e) - (e<<e)))+(e<<e)+1;
    e=(e>>e-'>')+a;
    while(e---'_')
        write(b,&f,b);
    e=(e>>e-'>')+a;
    write(b,&ago,c);
    e=(e>>e-'>')+a;
    while(e---'_')
        write(b,&f,b);
    printf("\n");
}
Resolve these constants by printing them
e = argc = 1
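The two integer literals can also be resolved without running the obfuscated program, by laying their bytes out in little-endian order, which is what write() sees through &ago and &__. The C program below is an added example, not part of the original slides; the helper names le_bytes and escape are made up for it, and it assumes the 32-bit int and little-endian layout the program itself relies on.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy the n low-order bytes of v into out, lowest byte first: the order
 * in which a little-endian machine stores them. NUL-terminates out. */
static char *le_bytes(uint64_t v, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[n] = '\0';
    return out;
}

/* Render n bytes with C escapes so control characters are visible. */
static char *escape(const char *in, size_t n, char *out)
{
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n')
            p += sprintf(p, "\\n");
        else if (c == '\t')
            p += sprintf(p, "\\t");
        else if (isprint(c))
            *p++ = (char)c;
        else
            p += sprintf(p, "\\x%02x", c);
    }
    *p = '\0';
    return out;
}

int main(void)
{
    char raw[9], text[40];

    /* long long ago: write(1, &ago, 8) emits all eight bytes. */
    le_bytes(741760571427457290ULL, 8, raw);
    printf("ago = \"%s\"\n", escape(raw, 8, text));

    /* __ is an int parameter, so only the low 32 bits of the literal are
     * kept, and write(1, &__, 1) emits just the first of those bytes. */
    le_bytes((uint32_t)2925166600716333ULL, 4, raw);
    printf("__  = \"%s\"\n", escape(raw, 4, text));
    return 0;
}
```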
The final program
main( e,d,c,b,a) {
    char ago[9]="\n\tSHOCK\n";
    char f[2]="-";
    c=8; b=1; a=115; e=115;
    while(e---95)
        write(1,&f,b);
    e=209;
    write(1,&ago,c);
    e=115;
    while(e---95)
        write(1,&f,b);
    printf("\n");
}
Another example
#define _ sum
#define __ prod(
#define l ~0
#define r return
#define ___ )
sum(i){while(!i)r
1;r __ i , ~i , i
^i);}prod(i,j,k){
j = _ (i-1);while
(i-- && (j= ~j))
k= (j>>l-(l<< 5))
?k+((j^~j)
-j):k+j;r k;}
main(){printf("%d"
,_(5));}
Step 1 : Indentation
#define _ sum
#define __ prod(
#define l ~0
#define r return
#define ___ )
sum(i){
    while(!i) r 1;
    r __ i , ~i , i^i);
}
prod(i,j,k){
    j = _ (i-1);
    while (i-- && (j= ~j))
        k= (j>>l-(l<< 5))?k+((j^~j)-j):k+j;
    r k;
}
main(){
    printf("%d",_(5));
}
Step 2 : Resolve the defines
#define l ~0
sum(i){
    while(!i) return 1;
    return prod ( i , ~i , i^i);
}
prod(i,j,k){
    j = sum (i-1);
    while (i-- && (j= ~j))
        k= (j>>l-(l<< 5))?k+((j^~j)-j):k+j;
    return k;
}
main(){
    printf("%d",sum(5));
}
Step 3 : Reduce complicated statements
sum(i){
    while(!i) return 1;
    return prod (i ,~i ,0);
}
prod(i,j,k){
    j = sum (i-1);
    while (i-- )
        k= k+j;
    return k;
}
main(){
    printf("%d",sum(5));
}
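Whether the Step 3 rewrite of the loop body preserves behaviour can be checked by running the Step 2 and Step 3 forms side by side. The C program below is an added example, not from the slides; prod_original, prod_reduced and count_mismatches are names made up here. It shows that the two forms agree for every j >= 0 and differ for negative j, so the reduction is sound only because j = sum(i-1) is never negative.

```c
#include <stdio.h>

/* prod() as it stands after Step 2, entered once j = sum(i-1) has been
 * assigned. l-(l<<5) with l = ~0 is -1 - (-32) = 31, written here as a
 * literal. Like the original, this assumes a 32-bit int and an arithmetic
 * right shift of negative values. */
static int prod_original(int i, int j)
{
    int k = 0;                      /* third argument is i^i, i.e. 0 */
    while (i-- && (j = ~j))
        k = (j >> 31) ? k + ((j ^ ~j) - j) : k + j;
    return k;
}

/* prod() after Step 3: add j to k, i times. */
static int prod_reduced(int i, int j)
{
    int k = 0;
    while (i--)
        k = k + j;
    return k;
}

/* Count the (i, j) pairs on which the two versions disagree. */
static int count_mismatches(int max_i, int min_j, int max_j)
{
    int bad = 0;
    for (int i = 0; i <= max_i; i++)
        for (int j = min_j; j <= max_j; j++)
            if (prod_original(i, j) != prod_reduced(i, j))
                bad++;
    return bad;
}

/* sum() from the slide, built on the reduced prod(). */
static int sum(int i)
{
    return i ? prod_reduced(i, sum(i - 1)) : 1;
}

int main(void)
{
    printf("mismatches, j >= 0: %d\n", count_mismatches(6, 0, 200));
    printf("mismatches, j <  0: %d\n", count_mismatches(6, -3, -1));
    printf("sum(5) = %d\n", sum(5));
    return 0;
}
```

sum(5) evaluates to 120: the reduced program computes the factorial of its argument by repeated addition.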
The C Preprocessor
• Using defines to obfuscate code
• Macros : Recursion and Precedence
• The cpp instruction set is Turing Complete
• Reversing with the help of cpp
What do you need to participate?
• Experience with programming in C
Additional skills that can help :
• Knowing other languages
• Some experience with logical puzzles etc
• Bad programming practices
What might not really help:
• Knowledge of obscure C constructs / functions
• Formal introduction to logic
Event Format
• Prelims
  – Written
  – Questions on logic and code obfuscation
  – Time : 30 – 45 mins
Event Format
• Finals :
  – Two rounds
    • Forward : You will be given a problem statement and some plain code and asked to obfuscate. Judges will award points to the obfuscated code based on certain criteria.
    • Reverse : You will be asked to make sense out of obfuscated code.
Event Format
• Finals - Forward Round :
  – Broadly, short and creative code will fetch more points
  – Some of the possible criteria :
    • Size / Number of Statements
    • Flow of control
    • Hiding constants
    • Syntax abuse
    • Legibility of code
    • Code shape etc
Event Format
• Finals – Reverse round :
  – You might be asked to
    • Predict the output
    • Swat bugs
    • Interface with the given code etc