In this first part of a series of posts, I want to talk about obfuscation.
This pretty hard-to-pronounce word actually means “the art of making things difficult”.
Google translates this word into Dutch as “verduisteren”: to darken, to occult, or something like that.
In the IT world, it’s a technique to make code or information unreadable by humans, which in turn makes it almost impossible to analyse…
This can be done for multiple reasons:
- a software developer doesn’t want his code to be read (think of RSA, iTunes’ DRM FairPlay, copy protection like StarForce or SecuROM)
- virus writers trying to hide malicious code, making it harder to detect by anti-virus software
- defense contractors making sure not a single terrorist can find a hole in the mission control software of a missile
So, any programming language (or even hardware designs!) can be obfuscated (yep, even JavaScript).
Obfuscation transforms your initial source code into something else that does the same thing but is much harder to read.
A nice example:

    void main() {
        string name = "mendel";
        int age = 24;
    }

could become

    void main() {
        // both values are routed through the same selector function
        string a = function1("mendel", "24", 1);
        int b = Convert.ToInt32(function1("mendel", "24", 2));
    }

    // returns the first or the second argument, depending on c
    string function1(string a, string b, int c) {
        if (c == 1) return a;
        if (c == 2) return b;
        return null;
    }

(or something like that ^^)
The result is 100% the same, but the first version gives away a lot more information about what this function does!
An even funnier example:

    void function2() {
        for (int i = 0; i < 5; i++) {
            if (i > 3)
                x = 4;
            else
                i++;
        }
    }

which actually just sets the variable x = 4.
The idea behind all this is that when you, as a reader, analyse the code, you would not be able to figure out what it does 🙂
It just doesn’t make sense..
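
An added example, not part of the original post: a C port of the two snippets above, showing that the obfuscated form returns the same values and tracing why the loop reduces to a single x = 4. The `person` struct, the `plain`/`obfuscated` wrappers, the trace counters and the initial `x = 0` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain version: the names tell the reader what the data is. */
struct person { const char *name; int age; };
static struct person plain(void) {
    struct person p = { "mendel", 24 };
    return p;
}

/* Obfuscated version: both values are routed through one selector. */
static const char *function1(const char *a, const char *b, int c) {
    return c == 1 ? a : b;
}
static struct person obfuscated(void) {
    struct person p;
    p.name = function1("mendel", "24", 1);
    p.age  = atoi(function1("mendel", "24", 2));
    return p;
}

/* function2 from the post, instrumented: visited[] records i at the top
   of each pass, *writes counts assignments to x (x starts at 0 here). */
static int function2_traced(int visited[5], int *passes, int *writes) {
    int x = 0;
    *passes = 0; *writes = 0;
    for (int i = 0; i < 5; i++) {
        visited[(*passes)++] = i;
        if (i > 3) { x = 4; (*writes)++; }
        else i++;               /* skips ahead, so only even i are seen */
    }
    return x;
}

int main(void) {
    struct person a = plain(), b = obfuscated();
    int same = strcmp(a.name, b.name) == 0 && a.age == b.age;
    printf("plain and obfuscated agree: %s\n", same ? "yes" : "no");

    int visited[5], passes, writes;
    int x = function2_traced(visited, &passes, &writes);
    printf("x=%d after %d passes, %d write(s); i seen:", x, passes, writes);
    for (int k = 0; k < passes; k++) printf(" %d", visited[k]);
    printf("\n");
    return 0;
}
```

Instrumenting the code and comparing it against a candidate simplification is a common first step when analysing an obfuscated routine: the loop turns out to be scaffolding around one assignment.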
These obfuscation transformations can go pretty far.
Take a look at the annual IOCCC contest, which results in really crazy stuff!
There are a lot of obfuscators written for IDEs like Visual Studio (Dotfuscator), Java (ProGuard), and many, many others… All with one goal in mind: protect (or just hide) your code!
If you want to read more about code obfuscation, this series is a very good start!
But you’ll find a whoooole lot more on Google!
There is no actual reason for this post. But sometimes you come across this kind of code. And I wanted to share this out-of-your-mind subject with you 🙂
I just hope you’re as intrigued by it as I was when I first saw it 🙂
My first introduction to this subject was at Ghent University.
Next, I stumbled upon more obfuscated code when Stuxnet appeared.
After that, a virus infected a website of a customer at work (screenshot above), also pretty weird.
And even more recently in a DLL originating from a WP7 app.
More on that DLL later! 😉