
Proof of code obfuscation functionality

Open taylorgag opened this issue 3 years ago • 8 comments

Sorry to bother you, but how can we prove the functionality of code before and after code obfuscation?

taylorgag avatar May 06 '21 02:05 taylorgag

Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.

Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?

Ali-Razmjoo avatar May 09 '21 15:05 Ali-Razmjoo


Thanks for your warm reply. What I want to say is how do we make sure that the functions of the code before and after the code obfuscation are the same?

taylorgag avatar May 10 '21 01:05 taylorgag


By understanding how the obfuscation process takes place, and then going in reverse order.

oldkingcone avatar May 10 '21 02:05 oldkingcone

by understanding how the obfuscation process takes place, and then going in reverse order

Do you know any general theorems or open materials to independently prove this?

taylorgag avatar May 10 '21 02:05 taylorgag

reverse order

'in reverse order', what does this mean? Can you explain it to me in more detail?

taylorgag avatar May 10 '21 02:05 taylorgag

Sorry for my late answer;

@taylorgag yes, code functionality is the same after and before obfuscation;

There are a few modules that obfuscate the shellcode; they take the hex values and recalculate them in some random ways. For example, if the value is 100, then 50+50, 110-10, 25*4, 300/3 are the same thing, right? So when it calculates the values, for example syscall "exec" is 0x100 or whatever, it will just change the value in a way that refers to it indirectly.

Here is an old blog post that explains a little bit about this: https://web.archive.org/web/20161012002249/http://www.z3r0d4y.com/2015/05/zcr-shellcoder-review-and-analysis_20.html

And here is also a blog post that helps you to analyse a shellcode:

https://web.archive.org/web/20160922154856/http://www.z3r0d4y.com/2015/08/shellcode-analysing-using-gdb.html

Let me know if you have more questions.

Ali-Razmjoo avatar May 31 '21 17:05 Ali-Razmjoo


Thanks for your warm reply. In fact, I am now doing a new language obfuscation, and then I need to prove that the functionality of the code before and after the obfuscation is the same before I can proceed with the next experiment.

taylorgag avatar Jun 01 '21 01:06 taylorgag

you can create functionality to deobfuscate the code and compare it with the original one maybe...

Ali-Razmjoo avatar Jun 01 '21 07:06 Ali-Razmjoo