[hackerspaces] Post Compiling Binary Obfuscation
astera
astera at hackerspaces.org
Fri Jul 10 10:21:53 CEST 2009
Hey Eric,
this note may be redundant already, for Enki's wizardry in this field
of expertise is extensive.
A packer tool (like Armadillo, for example) is definitely the most
obvious way to go. However, whether or not you know when unpacking has
finished while running your application, a debugger will definitely
tell you, so you could dump the whole decrypted binary out of
memory...
One combating technique would be to have your app run a debugger at
all times (where your machine wouldn't allow you to run another
debugger); or you could have it run inside an x86 emulator.
Though the packer approach might be the most common one, keep in mind
that - depending on which product you use - anti-virus software might
throw alarming messages at the user (since this also is the way to go
when distributing your piece of beloved malware).
Hack on,
/astera
On Jul 10, 2009, at 12:06 AM, Paul Böhm wrote:
> which os? which languages? a few years back (2002) we released the (to
> our knowledge) first ELF binary encrypter (the binary format on a lot
> of unixy OSs). search for teso burneye - but by now there are generic
> unpackers for it. there's a lot more knowledge in the windows world
> about how to do this (packer/unpacking are the keywords and it's
> become an art of its own) - the essential hard part is that you never
> wanna keep the whole binary unencrypted in memory or it can be easily
> (more or less) retrieved from there. if you just wanna fool existing
> tools, you just need to avoid to give indication that the unpacking
> has completed (the program should already be running, and the unpacker
> should just believe it's still the packer that is running). as for
> dynamic languages your best bet is modifying the intermediate
> representation and the interpreter (e.g. the .pyc files for python) -
> possibly protecting the binaries of your own interpreter with the
> binary packing techniques.
>
> enki
>
> On Thu, Jul 9, 2009 at 2:35 PM, Eric Michaud <eric at hackerspaces.org> wrote:
>> Hey Guys and Gals,
>>
>> I had an interesting question posited to me recently at the space about
>> obfuscating binaries.
>>
>> So the example would be.
>>
>> I have a binary I'm going to distribute. I know it'll eventually get
>> reversed, but what I'm asking is how can I make it take longer without
>> having to rewrite my code with the intention of obfuscation from the
>> beginning.
>>
>> I'm happy to fill in more if any of you have questions, but I'd love to
>> hear your thoughts.
>>
>> -E.
>>
>> _______________________________________________
>> Discuss mailing list
>> Discuss at lists.hackerspaces.org
>> http://lists.hackerspaces.org/mailman/listinfo/discuss
>>
>>
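Added example (not code from anyone in the thread): the detection half of astera's "have your app run a debugger at all times" suggestion, written the common Linux way. A process that is already being traced shows a nonzero TracerPid in /proc/self/status, and PTRACE_TRACEME is refused with EPERM when a tracer is attached, so a packer stub can test both before it decrypts anything. The function names and the constructed status buffer in the comments are ours. Enki's caveat still applies: a reverser who patches out the branch, or who dumps memory after the check has passed, gets the decrypted image anyway, so a check like this only buys time.

```c
/*
 * Added example, not from the thread: two cheap Linux anti-debug checks a
 * packer stub can run before it starts decrypting. Function names are ours.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <unistd.h>

/* Parse the "TracerPid:" field out of a /proc/<pid>/status buffer.
 * Returns the tracer's pid (0 = nobody is tracing us), or -1 if the field
 * is absent from the buffer. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read our own /proc/self/status and return the current tracer pid.
 * Returns -1 when /proc is unavailable (non-Linux, or a locked-down namespace). */
long tracer_pid(void)
{
    char buf[4096];                 /* status is well under 4 KiB */
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Independent second check: PTRACE_TRACEME fails with EPERM when a tracer is
 * already attached. Side effect on success: our parent becomes our tracer and
 * we will stop on signal delivery, so call this once, early, and only in the
 * real program (the stand-alone main below does; tests should not). */
int traceme_refused(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM;
    return 0;
}

int main(void)
{
    long tp = tracer_pid();
    if (tp > 0) {
        fprintf(stderr, "tracer pid %ld attached, refusing to unpack\n", tp);
        return 1;
    }
    if (traceme_refused()) {
        fprintf(stderr, "PTRACE_TRACEME refused, refusing to unpack\n");
        return 1;
    }
    puts("no tracer seen; unpacking would proceed here");
    return 0;
}
```

Run the binary plainly and it reports no tracer; run it under strace or gdb and the TracerPid check fires before PTRACE_TRACEME is reached. Both checks are a single branch each, which is exactly why packers scatter many such tests through the decrypted code rather than gating once at entry.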