w32evol

An obfuscation tool?

Open shlomoartsi opened this issue 7 years ago • 3 comments

Obfuscation keeps the same functionality while making the output unintelligible. Adding '00 00 00' changes the functionality.

shlomoartsi, Jul 01 '18 07:07

I am not sure I understand your question. This is a program that transforms binary x86 code. Given a program, it transforms it into an equivalent program that uses different x86 instructions, sometimes.

martinvelez, Jul 01 '18 16:07

Hi, trying to figure out if the new instruction 'add [bx+si],al' doesn't change the functionality. Doesn't adding al to the unknown value of [bx+si] change the functionality? If the functionality hasn't been changed, how does this transformation assist the obfuscation? I mean, does the code become hard to reverse engineer? Is it unintelligible (hard to understand)?

shlomoartsi, Jul 02 '18 10:07

I believe that I understand your question now. The obfuscation engine does change the functionality. See "Usage Example 1" in the README.

In this example, we use w32evol.exe to obfuscate (or transform) an instruction to an equivalent instruction in the Intel x86 instruction set. Unfortunately, the obfuscation engine added three extra bytes (00 00 00), and changed the semantics. This demonstrates that some obfuscation engines have bugs.

This could be due to a bug in the original engine or it could be a mistake in the reconstructed code. Frankly, it has been a while.

martinvelez, Jul 03 '18 21:07
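Why a disassembler renders the extra zero bytes from this thread as 'add [bx+si],al': opcode 0x00 is ADD r/m8, r8, and a ModRM byte of 0x00 selects a memory destination and AL as the source. The sketch below is an added example, not part of the thread or of the w32evol code; its function names are hypothetical and it decodes only opcode 0x00 in forms without a displacement or SIB byte.

```python
# Added illustration: decode x86 opcode 0x00 (ADD r/m8, r8) and its ModRM byte.
# Only mod=00 (memory, no displacement) and mod=11 (register) are handled.
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
RM16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", None, "bx"]  # 6 = disp16
RM32 = ["eax", "ecx", "edx", "ebx", None, None, "esi", "edi"]  # 4 = SIB, 5 = disp32


def decode_add_rm8_r8(code, offset=0, addr_size=16):
    """Return (text, length) for one ADD r/m8, r8 at offset, or (None, 0)
    if the bytes there are not a complete instruction of a handled form."""
    if offset + 2 > len(code) or code[offset] != 0x00:
        return None, 0
    modrm = code[offset + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:  # register destination
        return f"add {REG8[rm]},{REG8[reg]}", 2
    if mod != 0:  # displacement forms are outside this sketch
        return None, 0
    base = (RM16 if addr_size == 16 else RM32)[rm]
    if base is None:
        return None, 0
    return f"add [{base}],{REG8[reg]}", 2  # memory destination: a write


def disassemble(code, addr_size=16):
    """Linear sweep that stops at the first byte it cannot decode."""
    out, off = [], 0
    while off < len(code):
        text, length = decode_add_rm8_r8(code, off, addr_size)
        if text is None:
            out.append("(incomplete or unsupported: " + code[off:].hex(" ") + ")")
            break
        out.append(text)
        off += length
    return out


PADDING = bytes([0x00, 0x00, 0x00])  # the three extra bytes quoted in the thread

if __name__ == "__main__":
    for size in (16, 32):
        print(size, disassemble(PADDING, size))
```

With 16-bit addressing the first two bytes decode as 'add [bx+si],al' and the third is an opcode with no ModRM byte after it; with 32-bit addressing the same bytes read as 'add [eax],al'.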