Monday, March 23, 2015

Simple source code level tricks that will make reverse engineering harder

Many people rely only on virtualization software when protecting their binaries, which is often a very bad idea. There's plenty of information on existing VM protections on popular reversing sites, and some even offer what is pretty much a 1-click devirtualization tool.

However, whether there are existing tools for defeating your VM of choice or it is still undocumented, there's absolutely no reason not to put in extra effort to make reverse engineering harder. I will demonstrate one very simple method: emulation of binary operations at the source code level.

Here's a simple implementation of binary addition for 32-bit numbers:
... and here's a header file with some other operations implemented: obf_tricks.h

After emulating the simple operations, you can implement some more complex operations based on the simple ones. For example, three simple ways to compare two integers using XOR, XNOR and bit counting:
#define X_ISEQUAL1(x,y)    (X_XnorIntegers(x,y) == -1)
#define X_ISEQUAL2(x,y)    (X_CountHighBits(X_XnorIntegers(x,y)) == 32)
#define X_ISEQUAL3(x,y)    (X_XorIntegers(x,y) == 0)


For a quick demonstration, here's an extremely simple C program that prints all command line arguments:
... which translates into very straightforward code: main_disassembly_normal.txt

Now we can rewrite the main application using these macros:
... which now translates into something not that straightforward: main_disassembly_obf.txt
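As an added example (this is not the post's obf_tricks.h or its main.c), here are emulated versions of the operations the three macros above rely on, together with the argv-printing demo rewritten on top of them. The function names follow the macros; print_args_obfuscated is an assumed name.

```c
#include <stdio.h>
#include <stdint.h>

/* ADD emulated with XOR/AND/shift: the compiler emits a carry loop instead of
 * a single add instruction. */
static uint32_t X_AddIntegers(uint32_t x, uint32_t y)
{
    while (y != 0) {
        uint32_t carry = x & y;   /* positions where both bits are set */
        x ^= y;                   /* sum without the carry */
        y = carry << 1;           /* carry moves to the next bit */
    }
    return x;
}

/* XOR written with OR/AND/NOT, and XNOR as its complement. */
static uint32_t X_XorIntegers(uint32_t x, uint32_t y)  { return (x | y) & ~(x & y); }
static uint32_t X_XnorIntegers(uint32_t x, uint32_t y) { return ~X_XorIntegers(x, y); }

/* Population count built on the emulated add; 32 set bits means "all equal". */
static uint32_t X_CountHighBits(uint32_t v)
{
    uint32_t n = 0;
    while (v != 0) { n = X_AddIntegers(n, v & 1); v >>= 1; }
    return n;
}

/* The post's three comparison macros, unchanged. */
#define X_ISEQUAL1(x,y)    (X_XnorIntegers(x,y) == -1)
#define X_ISEQUAL2(x,y)    (X_CountHighBits(X_XnorIntegers(x,y)) == 32)
#define X_ISEQUAL3(x,y)    (X_XorIntegers(x,y) == 0)

/* The argv-printing demo on top of the emulated operations: the counter is
 * advanced by X_AddIntegers and the loop stops when X_ISEQUAL2 says it equals
 * argc. Returns how many arguments were printed. */
int print_args_obfuscated(int argc, char **argv)
{
    uint32_t i = 0;
    while (!X_ISEQUAL2(i, (uint32_t)argc)) {
        puts(argv[i]);
        i = X_AddIntegers(i, 1);
    }
    return (int)i;
}

int main(int argc, char **argv)
{
    return print_args_obfuscated(argc, argv) > 0 ? 0 : 1;
}
```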


This is a very primitive obfuscation attempt and every somewhat experienced reverser will have no real issues understanding the code. However, if you combine this with virtualization software you will complicate things further and the reverser will have to invest more time into the process of understanding how your algorithms work.


Please note that this is just a simple PoC for demonstration. In the real world you should come up with your own ideas, and it's really not hard to come up with something that does not look like the usual code modern compilers emit. Start by obfuscating some very simple operations, then build more complex ones on top of them.

Tuesday, March 17, 2015

A ready to use Intel PIN Visual Studio project

Intel PIN is a great tool, but configuring a Visual Studio project is not very straightforward from its documentation. I know a couple of people who have heard of it, but have given up after not being able to set up a working project easily.

I've uploaded a ready to use PIN Tool based on a sample code that comes with it. PIN itself is not included, you need to download it and then copy the Pin directory to the folder where PinTool.sln is located.

Download: PinTool.zip

Friday, February 27, 2015

How to encrypt strings in your applications

I have seen many examples and available solutions for string encryption, but they mostly force you to bloat your code with a lot of garbage. Usually it's either randomly generated lines of code that fill a buffer with the desired string, or something of the form:
XorString("\xf0\xdb\x5c\xc3\x6e\xd3\x0d\xd6\x90\xde", 0x6b1c485a, 10)

While these truly are string encryptions and they do their job, it's very hard to quickly modify such strings in your code: in either of those two examples you would have to go back to the application/site that generated the code for you, and it also makes the code very hard to read.

Writing a string encryption tool takes literally not more than 15-20 minutes and you get to decide how it behaves, which type of encryption you want, etc.

I've written some code quickly to make an easy to understand example. I wanted it to be easy to read and change strings in the code, like this:


After compiling this code, you need to pass it to the string encryption tool:

I won't be explaining the code in detail; it's really nothing special and should be easy to understand. Please note that this is just a PoC: normally you would use better encryption than a simple XOR, and you would make sure it doesn't leak memory (se_decrypt returns malloc'd memory which is never freed; alternatively you could avoid allocating new memory and overwrite the encrypted string in place with the decrypted one, but that requires VirtualProtect), etc.
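An added example of the layout such a post-build tool can work with; this is not the code in string_encrypt.zip. The record layout, the "SE01" marker, se_tool_encrypt and se_roundtrip_ok are assumptions; se_decrypt keeps the post's contract of returning malloc'd memory, which the caller frees.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Hypothetical record layout (not the post's): the tool scans for `magic`. */
typedef struct {
    char     magic[4];         /* "SE01" */
    uint8_t  encrypted, key;   /* both written by the post-build tool */
    uint16_t len;
    char     data[32];         /* plaintext in source, ciphertext after build */
} se_record;
/* Runtime side: returns a malloc'd plaintext copy; the caller must free it. */
char *se_decrypt(const se_record *r)
{
    char *out = malloc((size_t)r->len + 1);
    if (!out) return NULL;
    for (uint16_t i = 0; i < r->len; i++)
        out[i] = r->encrypted ? (char)(r->data[i] ^ r->key) : r->data[i];
    out[r->len] = '\0';
    return out;
}

/* Tool side: scan a byte image (stands in for the built file), encrypt every still-plaintext record in place; returns the count. */
size_t se_tool_encrypt(uint8_t *image, size_t size, uint8_t key)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(se_record) <= size; off++) {
        se_record r;
        if (memcmp(image + off, "SE01", 4) != 0) continue;
        memcpy(&r, image + off, sizeof r);        /* image may be unaligned */
        if (r.encrypted || r.len > sizeof r.data) continue;
        for (uint16_t i = 0; i < r.len; i++) r.data[i] ^= key;
        r.key = key; r.encrypted = 1; n++;
        memcpy(image + off, &r, sizeof r);
    }
    return n;
}
/* Round trip: the stored bytes must change and se_decrypt must restore them. */
int se_roundtrip_ok(const char *s, uint8_t key)
{
    uint8_t image[128] = {0};
    se_record r = { "SE01", 0, 0, (uint16_t)strlen(s), {0} };
    memcpy(r.data, s, r.len);                     /* s assumed to fit in data */
    memcpy(image + 13, &r, sizeof r);             /* arbitrary odd offset */
    if (se_tool_encrypt(image, sizeof image, key) != 1) return 0;
    memcpy(&r, image + 13, sizeof r);
    if (memcmp(r.data, s, r.len) == 0) return 0;  /* still plaintext */
    char *p = se_decrypt(&r);
    int ok = p && strcmp(p, s) == 0;
    free(p); return ok;
}
```

Running se_tool_encrypt a second time over the same image encrypts nothing, because the flag in each record is already set.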

Download: string_encrypt.zip

Wednesday, February 25, 2015

x86obf source code

After releasing the x86obf tool for free I received quite a few requests
for the source code. It was planned for the future, but I've decided to
release it sooner.

The source code has been slightly stripped. Junk code generators are
removed (they emit NOP only), data encryption is removed and so is
bytecode encryption/obfuscation.

Virtualization handlers have been removed for some important and some
not so important instructions. One of the important handlers was the
one for Jxx instructions, which cannot be executed by the VM in their
native form. In fact, every instruction that somehow changes execution
flow (e.g. CALL, RET, JMP, Jxx, etc.) must be handled manually.

I am releasing this as a learning material, not a ready to use
compile-my-own-protector source. It will successfully virtualize and
produce working binaries for short blocks of code which don't have
conditional jumps. If you want to build a real protector on top of this,
you will have to develop some code yourself.

x86obf was initially meant to be a commercial application, but it didn't
work out. It had two versions, local and remote, which is why it's split
into two projects and still has context data transferring code which is
not needed in its current state.

If you have any questions, feel free to send me an email!

The public version of x86obf will continue to be developed, in fact it's
being rewritten slightly to provide better functionality and also to
compensate for this source code release - I am changing its internal VM
design.

You're free to use this source code in free and commercial projects, but
please do credit me.

Writing virtualization handlers is straightforward:
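As an added example that is not x86obf's code, a hypothetical minimal VM with two handlers shows the point made above about control flow: an ADD handler computes its result and flags directly, while a JZ handler has to test the saved flags and move the virtual instruction pointer itself. All names (vm_ctx, h_add, h_jz, vm_run, vm_demo) and the bytecode format are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical minimal VM (not x86obf's design): a handler table indexed by
 * opcode and a context holding virtual registers, saved EFLAGS and a virtual
 * instruction pointer. A Jcc never executes natively: its handler decides. */
enum { ZF_BIT = 1u << 6 };                      /* x86 zero flag in EFLAGS */
enum { OP_HALT = 0, OP_ADD = 1, OP_JZ = 2 };

typedef struct {
    uint32_t regs[8];
    uint32_t eflags;
    size_t   vip;                               /* index into the bytecode */
} vm_ctx;
/* ADD dst, src  ->  bytecode: OP_ADD dst src; updates ZF like the real ADD */
static void h_add(vm_ctx *c, const uint8_t *code)
{
    uint32_t *d = &c->regs[code[c->vip + 1] & 7];
    *d += c->regs[code[c->vip + 2] & 7];
    c->eflags = (*d == 0) ? (c->eflags | ZF_BIT) : (c->eflags & ~ZF_BIT);
    c->vip += 3;
}

/* JZ target  ->  bytecode: OP_JZ target; the branch is taken by the VM itself */
static void h_jz(vm_ctx *c, const uint8_t *code)
{
    c->vip = (c->eflags & ZF_BIT) ? code[c->vip + 1] : c->vip + 2;
}
static void (*const handlers[])(vm_ctx *, const uint8_t *) = { 0, h_add, h_jz };

/* Dispatch until OP_HALT or an unknown opcode; returns instructions executed. */
int vm_run(vm_ctx *c, const uint8_t *code, size_t len)
{
    int steps = 0;
    while (c->vip < len && code[c->vip] != OP_HALT && steps < 1000) {
        if (code[c->vip] >= sizeof handlers / sizeof handlers[0]) break;
        handlers[code[c->vip]](c, code);
        steps++;
    }
    return steps;
}

/* Constructed program: r0 += r1; if the sum is zero skip r0 += r2 (r2 = 100). */
int vm_demo(uint32_t r0, uint32_t r1)
{
    static const uint8_t code[] = { OP_ADD, 0, 1, OP_JZ, 8, OP_ADD, 0, 2, OP_HALT };
    vm_ctx c = { { r0, r1, 100 }, 0, 0 };
    vm_run(&c, code, sizeof code);
    return (int)c.regs[0];
}
```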


Download: x86obf_source.zip

Saturday, February 21, 2015

x86obf code virtualizer released for free

x86obf is now a free and public project. There are no limitations on number of blocks and number of instructions you can protect.

What is x86obf?
x86obf is a tool for executable binary protection. It works by locating marked blocks of code and converting them into a series of instructions understood only by a randomly generated virtual machine, in order to make reverse engineering harder.

x86obf currently supports only 32-bit PE files (EXE and DLL; kernel drivers are not yet supported).

Please note that not all x86 instructions are virtualized yet and there may be bugs - please report if you find any.

Instructions on how to use it and a sample project are inside the archive.

Download: x86obf.zip