Presentation is loading. Please wait.

Presentation is loading. Please wait.

DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa.

Published byBrendan Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa."— Presentation transcript:

1 DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa

2 Técnicas anti- ingeniería inversa 1. ¿Qué es anti-ingeniería inversa? 2. Enfoques 3. Encriptación de código 4. Técnicas anti-depuración 5. Transformaciones de control de flujo 6. Transformación de datos

3 ¿Qué es anti-ingeniería inversa?

4 Regardless of which application No for open source software Then, consider introducing some form of antireversing Some software development platforms really necessitate some form of antiversing measures: bytecode-based platforms such as Java and.NET

5 Enfoques

6 Eliminating Symbolic Information Eliminate any obvious textual information from the program In a regular non-bytecode-based compiled program, this simply means to strip all symbolic information from the program executable In bytecode-base programs, the executables often contain large amount of internal symbolic information such as class names, class member names, and the names of instantiated global objects Obfuscating the Program Generic name for a number of techniques that are aimed at reducing the program’s vulnerability to any kind of static analysis Modify the program¿s layout, logic, data, and organization in a way that keeps it functionality identical yer far less readable

7 ¿Qué es anti-ingeniería inversa? Basic approaches to antireversing Embedding Antidebugger Code Idea: have the program intentionally perform operations that would somehow damage or disable a debugger, if one is attached One approach: detect the debugger and terminate the program

8 Encriptación de código

9 Common method for preventing static analysis Encrypting the program at some point after it is compiled Embedding some sort of decription code inside the executable The program must decrypt the code in runtime before it is executed For the skill full reverser, there is not an incovenience Everything required for the decryption of the program must reside inside the executable (decryption logic and decryption key) Use ofr unpacker programs creates a new executable that contains the original program minus the encryption

10 Encriptación de código improvements 1. Try and hide the key within the program 2. Use separate hardware that stores the decryption key or actually performs the decryption 3. Use a key that is calculated in runtime, inside the program. Such a key-generation algorithm could easily be designed that would require a remarkably sophisticaded unpacker

11 Técnicas anti-depuración

12 A large part of the reversing process often takes place inside a debugger So, incorporate special code in the program that prevents or complicates the process of stepping through the program and placing breakpoints in it Effectiveness of antidebugger techniques  Antibugger techniques + code encryption  Allows the program to decrypt itselt

13 Transformadores de control de flujo

14 Transformaciones de control de flujo Alter the order and flow of a program in a way that reduces its human readability Categories:  Computation transformations  Aggregation transformations  Ordering transformations

15 Transformaciones de control de flujo computation transformations Aimed at reducing the readability of the code by modifying the program’s original control flow structure in ways that make for a funcionally equivant program that is far more difficult to translate back into a high-level language How?  Removing control flow information from the program,. Or  Adding new control flow statements that complicate the program and cannot be easily translated into a high-level alnguage

16 Transformaciones de control de flujo Agregation transformations Destroy the high-level structure of the program by breaking the high-level abstractions created by the programmer while the program was being written Idea  Break such abstractions so that the high-level organization of the code becomes senseless

17 Transformaciones de control de flujo Ordering transformations Less powerful transformations Randomize, as much as possible, the order of operations in a program so that its readability is reduced

18 Transformaciones de control de flujo Opaque Predicates Idea: create a logical statement whose outcome is constant and known in advance  if (x + 1) == x  Is the condition satisfied?  Used to confuse reversers and automated decompilation tools Objetive: create opaque predicates that would be difficult to distinguish from the actual program code and whose behavior would be difficult to predict without actually stepping into the code

19 Transformaciones de control de flujo Confusing Decompilers There exists decompilers for bytecode executables Use of obfuscators confuse decompilers, so the code cannot be easily restored to a highly detailed source code One trick: modify the program binary so that the bytecode contains statements that cannot be translated back into the original high-level language Java does not have the goto statment, but Java bytecode does

20 Transformaciones de control de flujo Table Interpretation Converting a program or a function into a table interpretation layout is a highly powerful obfuscation approach Idea  Break a code sequence into multiple short chunks and have the code loop through a conditional code sequence that decides to which of the code sequences to jump at any given moment Reduces the readability of the code because it hides any kind of structure within it

21 Transformaciones de control de flujo Inlining and Outlining Inlining A compiler optimization technique The functions are duplicated to any place in the program that calls them Instead of having all callers call into a single copy, the compiler replaces every call into the function with an actual in-place copy of it Improves runtime performance It eliminates the internal abstractions created by the software developer Enhancement Inlining + Outlining

22 Transformaciones de control de flujo Inlining: example int pred(int x) { if (x == 0) return 0; else return x - 1; } Before inlining: int f(int y) { return pred(y) + pred(0) + pred(y+1); }

23 Transformaciones de control de flujo Inlining: example After inlining int f(int y) { int temp = 0; if (y == 0) temp += 0; else temp += y - 1; /* (1) */ if (0 == 0) temp += 0; else temp += 0 - 1; /* (2) */ if (y+1 == 0) temp += 0; else temp += (y + 1) - 1; /* (3) */ return temp; }

24 Transformaciones de control de flujo Inlining and Outlining Outlining Means that you take a certain code sequence that belongs in one function and create a new function that contains just that sequence Outlining is opposite of inlining

25 Transformaciones de control de flujo Interleaving Code A reasonably effective obfuscation technique Idea You take two or more functiions and interleave their implementations so that they become exceedingly difficult to read

26 Transformaciones de control de flujo Interleaving Code Function1() { Function1_Segment1; Function1_Segment2; Function1_Segment3; } Function2() { Function2_Segment1; Function2_Segment2; Function2_Segment3; }

27 Transformaciones de control de flujo Interleaving Code Function3() { Function3_Segment1; Function3_Segment2; Function3_Segment3; }

28 Transformaciones de control de flujo Interleaving Code Function1_Segment3; End of Function1 Function1_Segment1; (This is the Function1 entry-point) Opaque Predicate -> Always jumps to Function1_Segment2 Function3_Segment2; Opaque Predicate -> Always jumps to Segment3

29 Transformaciones de control de flujo Interleaving Code Function3_Segment1; (This is the Function3 entry-point) Opaque Predicate -> Always jumps to Function3_Segment2 Function2_Segment2; Opaque Predicate -> Always jumps to Function2_Segment3 Function1_Segment2; Opaque Predicate -> Always jumps to Function1_Segment3

30 Transformaciones de control de flujo Interleaving Code Function2_Segment3; End of Function2 Function3_Segment3; End of Function3 Function2_Segment1; (This is the Function2 entry-point) Opaque Predicate -> Always jumps to Function2_Segment2

31 Transformaciones de control de flujo Ordering Transformations Shuffling the order of operations in a program is a free decently effective method for confusing reversers Idea  Simply randomize the order of operations in a functioin as much as possible  Find operations that are not codependent and completely randomize their order

32 Transformaciones de datos

33 Data transformation are obfuscation transformations that focus on obfuscating the program’s data rather the program’s structure Data transformations also boil down to code modifications

34 Transformaciones de datos Modifying Variable Encoding Modify the encoding of some or all program variables Confuse reversers because the intuitive meaninings of variable values will not be immediately clear Example: simply shift it by one bit to the left  For (int i = 1; i < 100; i++)  For (int i = 2; i < 200; i += 2)

35 Transformaciones de datos Restructuring Arrays Means that you modify the layout of some arrays in a way that preserves their original functionality but confuses reversers with regard to their purpose Many different forms to this transformation  Merging more than one array into one large array  Break one array down into several smaller arrays  Change the number of dimensions in an array

36 Bibliografía Reversing: Secrets of Reverse Engineering  Eldad Eilam  Wiley Publishing, Inc.  2005

37 Fin

Download ppt "DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa."

Similar presentations

Synopsys University Courseware Copyright © 2012 Synopsys, Inc. All rights reserved. Compiler Optimization and Code Generation Lecture - 3 Developed By:

Synopsys University Courseware Copyright © 2012 Synopsys, Inc. All rights reserved. Compiler Optimization and Code Generation Lecture - 3 Developed By:
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Programming Languages and Paradigms

Programming Languages and Paradigms
1 Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.

1 Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.
Chapter 1: Computer Systems

Chapter 1: Computer Systems
3 Decision Making: Equality and Relational Operators A condition is an expression that can be either true or false. Conditions can be formed using the.

3 Decision Making: Equality and Relational Operators A condition is an expression that can be either true or false. Conditions can be formed using the.
DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 5. Descifrado de formatos de archivo.

DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 5. Descifrado de formatos de archivo.
CHAPTER 1: AN OVERVIEW OF COMPUTERS AND LOGIC. Objectives 2  Understand computer components and operations  Describe the steps involved in the programming.

CHAPTER 1: AN OVERVIEW OF COMPUTERS AND LOGIC. Objectives 2  Understand computer components and operations  Describe the steps involved in the programming.
Preventing Reverse Engineering by Obfuscating Bharath Kumar.

Preventing Reverse Engineering by Obfuscating Bharath Kumar.
CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Java Bytecode Teodoro (Ted) Cipresso,

CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Java Bytecode Teodoro (Ted) Cipresso,
Name: Hao Yuan Supervisor: Len Hamey ITEC810 ProjectTransformations for Obfuscating Object-Oriented Programs1.

Name: Hao Yuan Supervisor: Len Hamey ITEC810 ProjectTransformations for Obfuscating Object-Oriented Programs1.
The Java Programming Language

The Java Programming Language
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Starting Out with Programming Logic & Design First Edition by Tony Gaddis.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Starting Out with Programming Logic & Design First Edition by Tony Gaddis.
Run time vs. Compile time

Run time vs. Compile time
Obfuscation techniques in Java Therese Berge Jonas Ringedal.

Obfuscation techniques in Java Therese Berge Jonas Ringedal.
Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 7: Methods.

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 7: Methods.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.

Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.
Copyright © 2009 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Java Software Solutions Foundations of Program Design Sixth Edition by Lewis.

Copyright © 2009 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Java Software Solutions Foundations of Program Design Sixth Edition by Lewis.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.

1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.

Similar presentations

Ads by Google