https://github.com/defuse/gas-obfuscation
Extremely simple but inefficient x86-64 assembly obfuscation.
https://github.com/defuse/gas-obfuscation
Last synced: about 1 year ago
JSON representation
Extremely simple but inefficient x86-64 assembly obfuscation.
- Host: GitHub
- URL: https://github.com/defuse/gas-obfuscation
- Owner: defuse
- Created: 2013-07-14T04:06:47.000Z (almost 13 years ago)
- Default Branch: master
- Last Pushed: 2016-03-01T16:52:24.000Z (over 10 years ago)
- Last Synced: 2025-03-25T02:51:18.697Z (over 1 year ago)
- Language: Ruby
- Size: 10.7 KB
- Stars: 35
- Watchers: 2
- Forks: 6
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
gas-obfuscation
===============
This script modifies GNU assembly files (.s) to confuse linear sweep
disassemblers like objdump. It does not confuse recursive traversal
disassemblers like IDA Pro. It is very inefficient, making simple code about 2x
slower.
How It Works
----------------
The script inserts a byte sequence before each instruction in the file. The byte
sequences are designed to confuse the disassembler. For example, the instruction
"PUSH RBP" assembles to 0x55. If we insert the bytes 0xEB, 0x01, 0xB0 before it,
we get 0xEB, 0x01, 0xB0, 0x55, which disassembles to:
400665: eb 01 jmp 400668
400667: b0 55 mov al,0x55
What's really going on is that 0xEB, 0x01 is the instruction "Jump over the next
byte", which causes execution to continue from 0x55 (PUSH RBP). But linear sweep
disassemblers don't look at control flow. They assume that the next instruction
starts right after the jump instruction (at 0xBO), which is the opcode for:
MOV AL,
The disassembler expects a 1-byte immidate operand after the 0xB0, so it
interprets the 0x55 (the actual instruction) as an operand to the MOV.
Example Output
----------------
### Normal
4005d2: 55 push rbp
4005d3: 48 89 e5 mov rbp,rsp
4005d6: 48 83 ec 20 sub rsp,0x20
4005da: 89 7d ec mov DWORD PTR [rbp-0x14],edi
4005dd: 48 89 75 e0 mov QWORD PTR [rbp-0x20],rsi
4005e1: c7 45 fc 2f d3 23 00 mov DWORD PTR [rbp-0x4],0x23d32f
4005e8: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
4005eb: 89 c7 mov edi,eax
4005ed: e8 f2 fe ff ff call 4004e4
4005f2: 89 45 fc mov DWORD PTR [rbp-0x4],eax
4005f5: b8 1c 07 40 00 mov eax,0x40071c
4005fa: 8b 55 fc mov edx,DWORD PTR [rbp-0x4]
4005fd: 89 d6 mov esi,edx
4005ff: 48 89 c7 mov rdi,rax
400602: b8 00 00 00 00 mov eax,0x0
400607: e8 d4 fd ff ff call 4003e0
40060c: 83 45 fc 04 add DWORD PTR [rbp-0x4],0x4
400610: b8 2e 07 40 00 mov eax,0x40072e
400615: 8b 55 fc mov edx,DWORD PTR [rbp-0x4]
400618: 89 d6 mov esi,edx
40061a: 48 89 c7 mov rdi,rax
40061d: b8 00 00 00 00 mov eax,0x0
400622: e8 b9 fd ff ff call 4003e0
400627: c9 leave
400628: c3 ret
### Obfuscated
400665: eb 01 jmp 400668
400667: b0 55 mov al,0x55
400669: eb 01 jmp 40066c
40066b: b4 48 mov ah,0x48
40066d: 89 e5 mov ebp,esp
40066f: eb 01 jmp 400672
400671: b4 48 mov ah,0x48
400673: 83 ec 20 sub esp,0x20
400676: eb 01 jmp 400679
400678: b0 89 mov al,0x89
40067a: 7d ec jge 400668
40067c: eb 01 jmp 40067f
40067e: 0c 48 or al,0x48
400680: 89 75 e0 mov DWORD PTR [rbp-0x20],esi
400683: eb 01 jmp 400686
400685: 0c c7 or al,0xc7
400687: 45 fc rex.RB cld
400689: 2f (bad)
40068a: d3 23 shl DWORD PTR [rbx],cl
40068c: 00 eb add bl,ch
40068e: 01 24 8b add DWORD PTR [rbx+rcx*4],esp
400691: 45 fc rex.RB cld
400693: eb 01 jmp 400696
400695: b4 89 mov ah,0x89
400697: c7 (bad)
400698: eb 01 jmp 40069b
40069a: b0 e8 mov al,0xe8
40069c: 44 fe rex.R (bad)
40069e: ff (bad)
40069f: ff eb jmp
4006a1: 01 b4 89 45 fc eb 01 add DWORD PTR [rcx+rcx*4+0x1ebfc45],esi
4006a8: b0 b8 mov al,0xb8
4006aa: fc cld
4006ab: 07 (bad)
4006ac: 40 00 eb add bl,bpl
4006af: 01 24 8b add DWORD PTR [rbx+rcx*4],esp
4006b2: 55 push rbp
4006b3: fc cld
4006b4: eb 01 jmp 4006b7
4006b6: b0 89 mov al,0x89
4006b8: d6 (bad)
4006b9: eb 01 jmp 4006bc
4006bb: b0 48 mov al,0x48
4006bd: 89 c7 mov edi,eax
4006bf: eb 01 jmp 4006c2
4006c1: 0c b8 or al,0xb8
4006c3: 00 00 add BYTE PTR [rax],al
4006c5: 00 00 add BYTE PTR [rax],al
4006c7: eb 01 jmp 4006ca
4006c9: b0 e8 mov al,0xe8
4006cb: 11 fd adc ebp,edi
4006cd: ff (bad)
4006ce: ff eb jmp
4006d0: 01 b4 83 45 fc 04 eb add DWORD PTR [rbx+rax*4-0x14fb03bb],esi
4006d7: 01 b4 b8 0e 08 40 00 add DWORD PTR [rax+rdi*4+0x40080e],esi
4006de: eb 01 jmp 4006e1
4006e0: 24 8b and al,0x8b
4006e2: 55 push rbp
4006e3: fc cld
4006e4: eb 01 jmp 4006e7
4006e6: b0 89 mov al,0x89
4006e8: d6 (bad)
4006e9: eb 01 jmp 4006ec
4006eb: 0c 48 or al,0x48
4006ed: 89 c7 mov edi,eax
4006ef: eb 01 jmp 4006f2
4006f1: 0c b8 or al,0xb8
4006f3: 00 00 add BYTE PTR [rax],al
4006f5: 00 00 add BYTE PTR [rax],al
4006f7: eb 01 jmp 4006fa
4006f9: 24 e8 and al,0xe8
4006fb: e1 fc loope 4006f9
4006fd: ff (bad)
4006fe: ff eb jmp
400700: 01 b0 c9 eb 01 b4 add DWORD PTR [rax-0x4bfe1437],esi
400706: c3 ret