Code Obfuscation - PowerPoint PPT Presentation

Slides: 16
Provided by: rag41
Learn more at: http://www.cs.sjsu.edu

1
Code Obfuscation
  • Tool for Software Protection

2
Outline
  • Why Code Obfuscation
  • Features of a code obfuscator
      • Potency
      • Resilience
      • Cost
  • Classification of Obfuscating Transformations

3
Why use Code Obfuscation Techniques
  • Mainly to defend against Software Reverse
    Engineering
  • We can only make it more difficult for reverse
    engineers
  • Available obfuscating tools work in the same way
    as compiler optimizers
  • Reduce required space and time for compilation

4
  • The level of security that an Obfuscator adds
    depends on
      • The transformations used
      • The power of available deobfuscators
      • The amount of resources available to deobfuscators

5
Main features of a Code Obfuscator
  • Potency is the degree to which a human reader
    would be confused by the new code
  • Resilience is how well the obfuscated code
    resists attacks by deobfuscation tools
  • Cost is how much load is added to the application

6
Code Obfuscation
  • Reverse engineering extracts pieces of a program
  • Obfuscation makes reverse engineering difficult

7
Protection through Obfuscation
http://www.cs.arizona.edu/~collberg/Research/Obfuscation/Resources.html

8
Obfuscation methods
  • Mainly based on target information that we want
    to modify/obfuscate

9
Kinds of Obfuscating Transformations

Obfuscation Methods
  • Lexical transformations
      • Modify variable names
  • Control transformations
      • Change program flow while preserving semantics
  • Data transformations
      • Modify data structures
  • Anti-disassembly
  • Anti-debugging

10
Kinds of obfuscation for each target information

11
Available JavaScript Obfuscators
  • Most available commercial JavaScript obfuscators
    work by applying Lexical transformations
  • Some obfuscators that were considered are
      • Stunnix JavaScript Obfuscator
      • Shane Ng's GPL-licensed obfuscator
      • Free JavaScript Obfuscator

12
Example From Stunnix
  • Actual code
      function foo( arg1)
      {
        var myVar1 = "some string"; //first comment
        var intVar = 24 * 3600; //second comment
        /* here is
           a long
           multi-line comment blah */
        document. write( "vars are:" + myVar1 + " " + intVar + " " + arg1);
      }
  • Obfuscated code
      function z001c775808( z3833986e2c) { var
      z0d8bd8ba25= "\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67";
      var z0ed9bcbcc2= (0x90b+785-0xc04)* (0x1136+6437-0x1c4b);
      document. write( "\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+
      z0d8bd8ba25+ "\x20"+ z0ed9bcbcc2+ "\x20"+ z3833986e2c);}

13
Step by step examination
  • The Stunnix obfuscator targets only the layout of
    the JavaScript code
  • As the obfuscator parses the code, it removes
    spaces, comments and new line feeds
  • While doing so, as it encounters user-defined
    names, it replaces them with random strings
  • It replaces print strings with their hexadecimal
    escape sequences
  • It replaces integer values with arithmetic
    expressions that evaluate to the same value

14
  • In the sample code that was obfuscated, the
    following can be observed
      • User defined variables
          • foo replaced with z001c775808
          • arg1 replaced with z3833986e2c
          • myVar1 replaced with z0d8bd8ba25
          • intVar replaced with z0ed9bcbcc2
      • Integers
          • 24 replaced with (0x90b+785-0xc04)
          • 3600 replaced with (0x1136+6437-0x1c4b)
      • Print strings
          • "vars are:" replaced with
            \x76\x61\x72\x73\x20\x61\x72\x65\x3a
          • Space replaced with \x20
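
The string and integer substitutions listed above are mechanically reversible, which is why a layout-only obfuscator rates low on resilience; only the renamed identifiers stay lost. The following is an added example (not from the slides or from Stunnix) that undoes both on the slide's obfuscated sample, with the operators and braces missing from the transcript restored; the function names are hypothetical.

```javascript
// Added example. OBFUSCATED is the slide's Stunnix output; the =, +, *, ;
// and braces that the slide transcript dropped are restored here.
const OBFUSCATED = String.raw`function z001c775808( z3833986e2c) { var
z0d8bd8ba25= "\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67"; var z0ed9bcbcc2=
(0x90b+785-0xc04)* (0x1136+6437-0x1c4b); document. write(
"\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+ z0d8bd8ba25+ "\x20"+ z0ed9bcbcc2+
"\x20"+ z3833986e2c);}`;

const INT = '(?:0x[0-9a-fA-F]+|\\d+)';
// "(" int (("+" | "-") int)+ ")" : at least one operator, nothing else.
const INT_EXPR = new RegExp(
  `\\(\\s*(${INT}(?:\\s*[+-]\\s*${INT})+)\\s*\\)`, 'g');

// Fold parenthesised +/- integer arithmetic to its value. Tokens are summed
// by hand instead of eval(), so untrusted script text is never executed.
// The parentheses are kept so operator precedence around the result holds.
function foldIntegerExprs(src) {
  return src.replace(INT_EXPR, (_match, body) => {
    const tokens = body.match(/[+-]|0x[0-9a-fA-F]+|\d+/g);
    let total = Number(tokens[0]);
    for (let i = 1; i < tokens.length; i += 2) {
      const value = Number(tokens[i + 1]);
      total += tokens[i] === '+' ? value : -value;
    }
    return `(${total})`;
  });
}

// Decode string literals made up entirely of \xNN escapes and re-quote them
// with JSON.stringify so quotes and backslashes in the result stay escaped.
function decodeHexStrings(src) {
  return src.replace(/"((?:\\x[0-9a-fA-F]{2})+)"/g, (_match, body) => {
    const text = body.replace(/\\x([0-9a-fA-F]{2})/g,
      (_esc, hex) => String.fromCharCode(parseInt(hex, 16)));
    return JSON.stringify(text);
  });
}

// Integers are folded first: a hex-escaped string encodes "(" as \x28,
// so decoded text is never mistaken for an arithmetic expression.
function deobfuscateLayout(src) {
  return decodeHexStrings(foldIntegerExprs(src));
}

console.log(deobfuscateLayout(OBFUSCATED));
```

The output still carries the z-prefixed names: the lexical renaming discards information, while the string and integer encodings only re-express it.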

15
References
  • C. Collberg, The Obfuscation and Software
    Watermarking homepage,
    http://www.cs.arizona.edu/~collberg/Research/Obfuscation/index.html
  • Stunnix JavaScript Obfuscator, www.stunnix.com
  • Shane Ng's GPL-licensed obfuscator,
    http://daven.se/usefulstuff/javascript-obfuscator.html
  • Free JavaScript Obfuscator,
    http://www.javascriptobfuscator.com/