{"id":16835431,"url":"https://github.com/defuse/gas-obfuscation","last_synced_at":"2025-04-11T04:50:21.937Z","repository":{"id":9504329,"uuid":"11398146","full_name":"defuse/gas-obfuscation","owner":"defuse","description":"Extremely simple but inefficient x86-64 assembly obfuscation.","archived":false,"fork":false,"pushed_at":"2016-03-01T16:52:24.000Z","size":11,"stargazers_count":35,"open_issues_count":0,"forks_count":6,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-25T02:51:18.697Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/defuse.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-07-14T04:06:47.000Z","updated_at":"2024-11-12T10:48:54.000Z","dependencies_parsed_at":"2022-09-08T05:04:23.716Z","dependency_job_id":null,"html_url":"https://github.com/defuse/gas-obfuscation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defuse%2Fgas-obfuscation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defuse%2Fgas-obfuscation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defuse%2Fgas-obfuscation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defuse%2Fgas-obfuscation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/defuse","download_url":"https://codeload.github.com/defuse/gas-obfuscation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"gith
ub","repositories_count":248345289,"owners_count":21088243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T12:10:17.046Z","updated_at":"2025-04-11T04:50:21.917Z","avatar_url":"https://github.com/defuse.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"gas-obfuscation\n===============\n\nThis script modifies GNU assembly files (.s) to confuse linear sweep\ndisassemblers like objdump. It does not confuse recursive traversal\ndisassemblers like IDA Pro. It is very inefficient, making simple code about 2x\nslower.\n\nHow It Works\n----------------\n\nThe script inserts a byte sequence before each instruction in the file. The byte\nsequences are designed to confuse the disassembler. For example, the instruction\n\"PUSH RBP\" assembles to 0x55. If we insert the bytes 0xEB, 0x01, 0xB0 before it,\nwe get 0xEB, 0x01, 0xB0, 0x55, which disassembles to:\n\n    400665:\teb 01                \tjmp    400668 \u003cmain+0x3\u003e\n    400667:\tb0 55                \tmov    al,0x55\n\nWhat's really going on is that 0xEB, 0x01 is the instruction \"Jump over the next\nbyte\", which causes execution to continue from 0x55 (PUSH RBP). But linear sweep\ndisassemblers don't look at control flow. 
They assume that the next instruction\nstarts right after the jump instruction (at 0xB0), which is the opcode for:\n\n    MOV AL, \u003cimm8\u003e\n\nThe disassembler expects a 1-byte immediate operand after the 0xB0, so it\ninterprets the 0x55 (the actual instruction) as an operand to the MOV.\n\nExample Output\n----------------\n\n### Normal\n\n    4005d2:       55                      push   rbp\n    4005d3:       48 89 e5                mov    rbp,rsp\n    4005d6:       48 83 ec 20             sub    rsp,0x20\n    4005da:       89 7d ec                mov    DWORD PTR [rbp-0x14],edi\n    4005dd:       48 89 75 e0             mov    QWORD PTR [rbp-0x20],rsi\n    4005e1:       c7 45 fc 2f d3 23 00    mov    DWORD PTR [rbp-0x4],0x23d32f\n    4005e8:       8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]\n    4005eb:       89 c7                   mov    edi,eax\n    4005ed:       e8 f2 fe ff ff          call   4004e4 \u003cfoo\u003e\n    4005f2:       89 45 fc                mov    DWORD PTR [rbp-0x4],eax\n    4005f5:       b8 1c 07 40 00          mov    eax,0x40071c\n    4005fa:       8b 55 fc                mov    edx,DWORD PTR [rbp-0x4]\n    4005fd:       89 d6                   mov    esi,edx\n    4005ff:       48 89 c7                mov    rdi,rax\n    400602:       b8 00 00 00 00          mov    eax,0x0\n    400607:       e8 d4 fd ff ff          call   4003e0 \u003cprintf@plt\u003e\n    40060c:       83 45 fc 04             add    DWORD PTR [rbp-0x4],0x4\n    400610:       b8 2e 07 40 00          mov    eax,0x40072e\n    400615:       8b 55 fc                mov    edx,DWORD PTR [rbp-0x4]\n    400618:       89 d6                   mov    esi,edx\n    40061a:       48 89 c7                mov    rdi,rax\n    40061d:       b8 00 00 00 00          mov    eax,0x0\n    400622:       e8 b9 fd ff ff          call   4003e0 \u003cprintf@plt\u003e\n    400627:       c9                      leave  \n    400628:       c3                      ret \n\n\n### 
Obfuscated\n\n    400665:\teb 01                \tjmp    400668 \u003cmain+0x3\u003e\n    400667:\tb0 55                \tmov    al,0x55\n    400669:\teb 01                \tjmp    40066c \u003cmain+0x7\u003e\n    40066b:\tb4 48                \tmov    ah,0x48\n    40066d:\t89 e5                \tmov    ebp,esp\n    40066f:\teb 01                \tjmp    400672 \u003cmain+0xd\u003e\n    400671:\tb4 48                \tmov    ah,0x48\n    400673:\t83 ec 20             \tsub    esp,0x20\n    400676:\teb 01                \tjmp    400679 \u003cmain+0x14\u003e\n    400678:\tb0 89                \tmov    al,0x89\n    40067a:\t7d ec                \tjge    400668 \u003cmain+0x3\u003e\n    40067c:\teb 01                \tjmp    40067f \u003cmain+0x1a\u003e\n    40067e:\t0c 48                \tor     al,0x48\n    400680:\t89 75 e0             \tmov    DWORD PTR [rbp-0x20],esi\n    400683:\teb 01                \tjmp    400686 \u003cmain+0x21\u003e\n    400685:\t0c c7                \tor     al,0xc7\n    400687:\t45 fc                \trex.RB cld    \n    400689:\t2f                   \t(bad)  \n    40068a:\td3 23                \tshl    DWORD PTR [rbx],cl\n    40068c:\t00 eb                \tadd    bl,ch\n    40068e:\t01 24 8b             \tadd    DWORD PTR [rbx+rcx*4],esp\n    400691:\t45 fc                \trex.RB cld    \n    400693:\teb 01                \tjmp    400696 \u003cmain+0x31\u003e\n    400695:\tb4 89                \tmov    ah,0x89\n    400697:\tc7                   \t(bad)  \n    400698:\teb 01                \tjmp    40069b \u003cmain+0x36\u003e\n    40069a:\tb0 e8                \tmov    al,0xe8\n    40069c:\t44 fe                \trex.R (bad)  \n    40069e:\tff                   \t(bad)  \n    40069f:\tff eb                \tjmp    \u003cinternal disassembler error\u003e\n    4006a1:\t01 b4 89 45 fc eb 01 \tadd    DWORD PTR [rcx+rcx*4+0x1ebfc45],esi\n    4006a8:\tb0 b8                \tmov    al,0xb8\n    4006aa:\tfc                   \tcld    \n    
4006ab:\t07                   \t(bad)  \n    4006ac:\t40 00 eb             \tadd    bl,bpl\n    4006af:\t01 24 8b             \tadd    DWORD PTR [rbx+rcx*4],esp\n    4006b2:\t55                   \tpush   rbp\n    4006b3:\tfc                   \tcld    \n    4006b4:\teb 01                \tjmp    4006b7 \u003cmain+0x52\u003e\n    4006b6:\tb0 89                \tmov    al,0x89\n    4006b8:\td6                   \t(bad)  \n    4006b9:\teb 01                \tjmp    4006bc \u003cmain+0x57\u003e\n    4006bb:\tb0 48                \tmov    al,0x48\n    4006bd:\t89 c7                \tmov    edi,eax\n    4006bf:\teb 01                \tjmp    4006c2 \u003cmain+0x5d\u003e\n    4006c1:\t0c b8                \tor     al,0xb8\n    4006c3:\t00 00                \tadd    BYTE PTR [rax],al\n    4006c5:\t00 00                \tadd    BYTE PTR [rax],al\n    4006c7:\teb 01                \tjmp    4006ca \u003cmain+0x65\u003e\n    4006c9:\tb0 e8                \tmov    al,0xe8\n    4006cb:\t11 fd                \tadc    ebp,edi\n    4006cd:\tff                   \t(bad)  \n    4006ce:\tff eb                \tjmp    \u003cinternal disassembler error\u003e\n    4006d0:\t01 b4 83 45 fc 04 eb \tadd    DWORD PTR [rbx+rax*4-0x14fb03bb],esi\n    4006d7:\t01 b4 b8 0e 08 40 00 \tadd    DWORD PTR [rax+rdi*4+0x40080e],esi\n    4006de:\teb 01                \tjmp    4006e1 \u003cmain+0x7c\u003e\n    4006e0:\t24 8b                \tand    al,0x8b\n    4006e2:\t55                   \tpush   rbp\n    4006e3:\tfc                   \tcld    \n    4006e4:\teb 01                \tjmp    4006e7 \u003cmain+0x82\u003e\n    4006e6:\tb0 89                \tmov    al,0x89\n    4006e8:\td6                   \t(bad)  \n    4006e9:\teb 01                \tjmp    4006ec \u003cmain+0x87\u003e\n    4006eb:\t0c 48                \tor     al,0x48\n    4006ed:\t89 c7                \tmov    edi,eax\n    4006ef:\teb 01                \tjmp    4006f2 \u003cmain+0x8d\u003e\n    4006f1:\t0c b8                \tor     
al,0xb8\n    4006f3:\t00 00                \tadd    BYTE PTR [rax],al\n    4006f5:\t00 00                \tadd    BYTE PTR [rax],al\n    4006f7:\teb 01                \tjmp    4006fa \u003cmain+0x95\u003e\n    4006f9:\t24 e8                \tand    al,0xe8\n    4006fb:\te1 fc                \tloope  4006f9 \u003cmain+0x94\u003e\n    4006fd:\tff                   \t(bad)  \n    4006fe:\tff eb                \tjmp    \u003cinternal disassembler error\u003e\n    400700:\t01 b0 c9 eb 01 b4    \tadd    DWORD PTR [rax-0x4bfe1437],esi\n    400706:\tc3                   \tret    \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefuse%2Fgas-obfuscation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdefuse%2Fgas-obfuscation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefuse%2Fgas-obfuscation/lists"}