Re: Making C compiler generate obfuscated code

Joshua Cranmer <Pidgeot18@gmail.com>
Thu, 09 Dec 2010 16:53:59 -0500

          From comp.compilers

Related articles
Making C compiler generate obfuscated code dennis.yurichev@gmail.com (Dennis Yurichev) (2010-12-07)
Re: Making C compiler generate obfuscated code paul.biggar@gmail.com (Paul Biggar) (2010-12-09)
Re: Making C compiler generate obfuscated code Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-09)
Re: Making C compiler generate obfuscated code torbenm@diku.dk (2010-12-15)
Re: Making C compiler generate obfuscated code gah@ugcs.caltech.edu (glen herrmannsfeldt) (2010-12-16)
Re: Making C compiler generate obfuscated code Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-16)
Re: Making C compiler generate obfuscated code Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-16)
Re: Making C compiler generate obfuscated code martin@gkc.org.uk (Martin Ward) (2010-12-17)
Re: Making C compiler generate obfuscated code gah@ugcs.caltech.edu (glen herrmannsfeldt) (2010-12-18)

From: Joshua Cranmer <Pidgeot18@gmail.com>
Newsgroups: comp.compilers
Date: Thu, 09 Dec 2010 16:53:59 -0500
Organization: Georgia Institute of Technology
References: 10-12-017
Keywords: C, code
Posted-Date: 14 Dec 2010 20:34:53 EST

On 12/07/2010 10:07 AM, Dennis Yurichev wrote:
> About my little attempt to hack Tiny C compiler's codegenerator so it
> produces obfuscated code:
> http://blogs.conus.info/node/58


From a decompilation aspect, it's not that difficult a piece of obfuscated
code. Just by removing redundant assignments, knowing nothing else, I
produce this assembly:


a proc near

var_CD500B = byte ptr -0CD500Bh
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_1D364BDE = byte ptr 1D364BE6h

        nop
        push ebp
        mov ebp, esp
        sub esp, 0
        nop

loc_800001F:
        mov ebx, 9EF81F3Eh
        mov eax, 0FD6D5D47h
        sub ebx, edx
        mov eax, [ebp+arg_4]        ; *
        shl eax, 2                  ; *
        mov ecx, [ebp+arg_0]
        adc ecx, ecx
        mov ecx, eax
        or ecx, eax
        mov ebx, 52A74759h
        xor edx, edx
        jnz short loc_800001F
        mov ecx, [ebp+arg_0]        ; *
        add ecx, eax                ; *
        mov ebx, 0DAB5E429h
        lea edx, [ebx+75A1EF29h]
        or edx, edx
        mov eax, ecx                ; *
        jmp $+5
        leave
        pop ebx
        jmp ebx
a endp

Half the code is gone just by noticing that these values aren't being
used, with extremely liberal values of "used". If I notice that the jnz
branch is never taken, I get even shorter:

        mov eax, [ebp+arg_4]        ; *
        shl eax, 2                  ; *
        mov ecx, [ebp+arg_0]        ; *
        add ecx, eax                ; *
        mov ebx, 0DAB5E429h
        lea edx, [ebx+75A1EF29h]
        or edx, edx
        mov eax, ecx                ; *


(I could combine the three obfuscated instructions into one, but I don't
want to do that by hand.)


If I wanted to deobfuscate this code, all I have to do is first run it
through an optimizer, and one simple enough to be written as a course
project at that. If you really want to obfuscate the code, it's better
to modify the control flow graph as opposed to inserting random
do-nothing code.


--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth
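
The two steps the post performs by hand, folding the never-taken jnz and
dropping assignments whose results are never read, are what a one-pass
liveness-based dead-store eliminator does. The script below is an added
example written for this page; it is not code from Joshua Cranmer, Dennis
Yurichev, Tiny C or any decompiler. Its input is the post's own instruction
sequence copied without the label, prologue and epilogue (a constructed
input). The instruction model, the single "flags" pseudo-register standing
in for all condition flags, the cdecl assumption that only eax (or eax and
edx) is live at the end of the function, and the treatment of "jmp $+5" as
a five-byte near jump to the next instruction are assumptions of the
example, not statements from the post.

```python
"""Liveness-based dead-store elimination over a straight-line x86 block.
Added example; models only the 32-bit instructions seen in the post's listing,
lumps all condition flags into one pseudo-register 'flags', assumes cdecl."""
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
ALU = {"add", "sub", "or", "xor", "and", "adc", "sbb", "shl", "shr", "sar"}
FLAG_READERS = {"adc", "sbb"}  # ALU ops that also consume the carry flag
JCC = {"jz", "je", "jnz", "jne", "jc", "jnc", "ja", "jb", "jl", "jg", "jle", "jge"}


def parse(line):
    """'mov ecx, [ebp+arg_0] ; *' -> ('mov', ['ecx', '[ebp+arg_0]']); None for blanks/labels."""
    text = line.split(";", 1)[0].strip()
    if not text or text.endswith(":"):
        return None
    parts = text.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops


def regs_in(op):
    """Registers read to evaluate an operand (for a memory operand: the address registers)."""
    return {r for r in re.findall(r"[a-z]+", op.lower()) if r in REGS}


def is_zeroing(mnem, ops):
    """xor r,r / sub r,r: result is 0 regardless of the old value, and ZF is set."""
    return (mnem in {"xor", "sub"} and len(ops) == 2
            and ops[0].lower() == ops[1].lower() and ops[0].lower() in REGS)


def semantics(mnem, ops):
    """(defs, uses, has_side_effect); anything outside the model is kept conservatively."""
    if mnem == "nop":
        return set(), set(), False
    if mnem == "mov":
        dst, src = ops
        if dst.startswith("["):  # store to memory: never considered dead
            return set(), regs_in(dst) | regs_in(src), True
        return {dst.lower()}, regs_in(src), False
    if mnem == "lea":  # address arithmetic only: no load, no flags
        return {ops[0].lower()}, regs_in(ops[1]), False
    if mnem in ALU:
        dst, src = ops
        uses = set() if is_zeroing(mnem, ops) else regs_in(dst) | regs_in(src)
        if mnem in FLAG_READERS:
            uses.add("flags")
        if dst.startswith("["):
            return {"flags"}, uses, True
        return {dst.lower(), "flags"}, uses, False
    if mnem in {"cmp", "test"}:
        return {"flags"}, regs_in(ops[0]) | regs_in(ops[1]), False
    if mnem in JCC:
        return set(), {"flags"}, True
    return set(), set(), True  # jmp/call/push/pop/leave/ret: always kept


def fold_branches(insns):
    """Drop jumps that cannot alter control flow: 'jmp $+5' (assumed to be a 5-byte near
    jump to the next instruction) and a jnz/jne right after a zeroing idiom (ZF known set)."""
    out, zf_set = [], False
    for mnem, ops in insns:
        if mnem == "jmp" and ops and ops[0].replace(" ", "") == "$+5":
            continue
        if mnem in {"jnz", "jne"} and zf_set:
            continue  # never taken
        out.append((mnem, ops))
        if "flags" in semantics(mnem, ops)[0]:
            zf_set = is_zeroing(mnem, ops)
    return out


def eliminate_dead(insns, live_out):
    """One backward pass: delete side-effect-free instructions whose results are never read.
    A conditional branch that survives folding makes everything live (this pass is straight-line)."""
    live, kept = set(live_out), []
    for mnem, ops in reversed(insns):
        defs, uses, side_effect = semantics(mnem, ops)
        if mnem in JCC:
            uses = REGS | {"flags"}
        if not side_effect and not (defs & live):
            continue  # dead: nothing downstream reads what it produces
        kept.append((mnem, ops))
        live = (live - defs) | uses
    return kept[::-1]


def deobfuscate(listing, live_out=("eax",)):
    insns = [p for p in map(parse, listing.splitlines()) if p]
    return [f"{m} {', '.join(o)}".rstrip() for m, o in eliminate_dead(fold_branches(insns), live_out)]


# Constructed input: the post's listing without label, prologue and epilogue.
BLOCK = """
    mov ebx, 9EF81F3Eh
    mov eax, 0FD6D5D47h
    sub ebx, edx
    mov eax, [ebp+arg_4]
    shl eax, 2
    mov ecx, [ebp+arg_0]
    adc ecx, ecx
    mov ecx, eax
    or ecx, eax
    mov ebx, 52A74759h
    xor edx, edx
    jnz short loc_800001F
    mov ecx, [ebp+arg_0]
    add ecx, eax
    mov ebx, 0DAB5E429h
    lea edx, [ebx+75A1EF29h]
    or edx, edx
    mov eax, ecx
    jmp $+5
"""

if __name__ == "__main__":
    for live_out in (("eax", "edx"), ("eax",)):
        print(f"live-out {live_out}:\n    " + "\n    ".join(deobfuscate(BLOCK, live_out)))
```

With edx treated as live at the return (the "extremely liberal" reading,
since eax:edx could carry a 64-bit result), the output is exactly the
eight-instruction listing in the post: the mov/lea/or triple survives only
because edx is considered read at function exit. With eax alone live, only
the five starred instructions remain. The pass does not follow any branch
that survives folding, so it is a straight-line peephole, which is all the
post's argument needs.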
