Related articles:
Making C compiler generate obfuscated code - dennis.yurichev@gmail.com (Dennis Yurichev) (2010-12-07)
Re: Making C compiler generate obfuscated code - paul.biggar@gmail.com (Paul Biggar) (2010-12-09)
Re: Making C compiler generate obfuscated code - Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-09)
Re: Making C compiler generate obfuscated code - torbenm@diku.dk (2010-12-15)
Re: Making C compiler generate obfuscated code - gah@ugcs.caltech.edu (glen herrmannsfeldt) (2010-12-16)
Re: Making C compiler generate obfuscated code - Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-16)
Re: Making C compiler generate obfuscated code - Pidgeot18@gmail.com (Joshua Cranmer) (2010-12-16)
Re: Making C compiler generate obfuscated code - martin@gkc.org.uk (Martin Ward) (2010-12-17)
Re: Making C compiler generate obfuscated code - gah@ugcs.caltech.edu (glen herrmannsfeldt) (2010-12-18)
[12 later articles]
From: Joshua Cranmer <Pidgeot18@gmail.com>
Newsgroups: comp.compilers
Date: Thu, 09 Dec 2010 16:53:59 -0500
Organization: Georgia Institute of Technology
References: 10-12-017
Keywords: C, code
Posted-Date: 14 Dec 2010 20:34:53 EST
On 12/07/2010 10:07 AM, Dennis Yurichev wrote:
> About my little attempt to hack Tiny C compiler's code generator so it
> produces obfuscated code:
> http://blogs.conus.info/node/58
From a decompilation aspect, it's not that difficult of obfuscated
code. Just by removing redundant assignments, knowing nothing else, I
produce this assembly:
a proc near
var_CD500B = byte ptr -0CD500Bh
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_1D364BDE = byte ptr 1D364BE6h
nop
push ebp
mov ebp, esp
sub esp, 0
nop
loc_800001F:
mov ebx, 9EF81F3Eh
mov eax, 0FD6D5D47h
sub ebx, edx
mov eax, [ebp+arg_4] ; *
shl eax, 2 ; *
mov ecx, [ebp+arg_0]
adc ecx, ecx
mov ecx, eax
or ecx, eax
mov ebx, 52A74759h
xor edx, edx
jnz short loc_800001F
mov ecx, [ebp+arg_0] ; *
add ecx, eax ; *
mov ebx, 0DAB5E429h
lea edx, [ebx+75A1EF29h]
or edx, edx
mov eax, ecx ; *
jmp $+5
leave
pop ebx
jmp ebx
a endp
Half the code is gone just by noticing that these values aren't being
used, with extremely liberal values of "used". If I notice that the jnz
branch is never taken, I get even shorter:
mov eax, [ebp+arg_4] ; *
shl eax, 2 ; *
mov ecx, [ebp+arg_0] ; *
add ecx, eax ; *
mov ebx, 0DAB5E429h
lea edx, [ebx+75A1EF29h]
or edx, edx
mov eax, ecx ; *
(I could combine the three obfuscated instructions into one, but I don't
want to do that by hand.)
If I wanted to deobfuscate this code, all I have to do is first run it
through an optimizer, and one simple enough to be written as a course
project at that. If you really want to obfuscate the code, it's better
to modify the control flow graph as opposed to inserting random
do-nothing code.
--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth
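The "remove redundant assignments" step the reply describes is a backward liveness pass: walk the listing from the end, track which registers are still needed, and drop any pure register write whose destination is dead. The following Python is an added example, not code from the post or from the Tiny C project. It parses the reply's shorter straight-line listing (constructed here as a string, with the IDA-style operand names kept), assumes `eax` is the only value live at the end, ignores flags (nothing in that listing consumes them), and keeps any instruction it does not model as a pure register write. The register set, the `PURE` op table and the helper names are assumptions of this example.

```python
import re

# Registers we track; ebp/esp appear only as base registers in operands.
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp)\b")

# Ops modelled as "write first operand, read the rest" with no other effect.
# Flags are deliberately ignored: this pass is only valid for straight-line
# code where no later instruction consumes them (as in the listing below).
PURE = {"mov", "lea", "add", "sub", "and", "or", "xor", "shl", "shr", "adc"}

# Constructed input: the straight-line listing from the reply (jnz path dropped).
LISTING = """
mov eax, [ebp+arg_4]
shl eax, 2
mov ecx, [ebp+arg_0]
add ecx, eax
mov ebx, 0DAB5E429h
lea edx, [ebx+75A1EF29h]
or edx, edx
mov eax, ecx
"""


def parse(line):
    """Turn 'op dst, src ; comment' into (op, [operands]); None for blank lines."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    op, _, rest = line.partition(" ")
    operands = [o.strip() for o in rest.split(",")] if rest else []
    return op.lower(), operands


def defs_uses(op, operands):
    """Return (register written or None, registers read, must_keep)."""
    if op not in PURE or not operands:
        # Unknown instruction: keep it and assume it may read anything.
        return None, set(REGS), True
    dst, srcs = operands[0], operands[1:]
    used = set()
    for src in srcs:
        used |= set(REG_RE.findall(src))
    if dst in REGS:
        if op not in ("mov", "lea"):
            used.add(dst)            # read-modify-write ops read their destination
        return dst, used, False
    # Memory destination: a store, never deleted; its address registers are read.
    used |= set(REG_RE.findall(dst))
    return None, used, True


def eliminate_dead_writes(listing, live_out=("eax",)):
    """Backward liveness pass: drop pure writes to registers that are never read."""
    insns = [p for p in (parse(l) for l in listing.splitlines()) if p]
    live = set(live_out)
    kept = []
    for op, operands in reversed(insns):
        defined, used, must_keep = defs_uses(op, operands)
        if not must_keep and defined is not None and defined not in live:
            continue                 # dead write: the "do-nothing" obfuscation
        if defined is not None:
            live.discard(defined)    # this write satisfies the later read
        live |= used                 # its sources must be live before it
        kept.append(f"{op} {', '.join(operands)}")
    kept.reverse()
    return kept


if __name__ == "__main__":
    for insn in eliminate_dead_writes(LISTING):
        print(insn)
```

Run on the constructed listing, only the five starred instructions survive (the loads, the shift, the add and the final `mov eax, ecx`); the `mov ebx`, `lea edx` and `or edx, edx` trio is dropped because nothing downstream reads `ebx` or `edx`. Changing `live_out` to include `edx` makes the pass keep all eight lines, which is the point of the reply's "extremely liberal values of used": the analysis only needs to know what the caller consumes, not what the code means. Loops and conditional branches would require iterating this pass to a fixed point over the control-flow graph, which is also why the reply suggests that altering the control flow is a stronger obfuscation than inserting dead code.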