
to the machine code for the Password Vault application rendered it extremely difficult to understand. The transformations performed by EXECryptor caused such extreme differences in the machine code, including having compressed parts of it, that it was not possible to line up the differences between the original and obfuscated versions of the machine code to show evidence of the obfuscations. Therefore, to demonstrate machine code obfuscations in a way that is easy to follow, we'll perform obfuscations at the source code level and observe the differences in the assembly language generated by the GNU C++ compiler. The key idea here is that the obfuscated program has the same functionality as the original, but is more difficult to understand during live or static analysis. There are no standards for code obfuscation, but it's relatively important to ensure that the obfuscations applied to a program are not easily undone because deobfuscation tools can be used to eliminate easily identified obfuscations [5].

Table 7.2 contains the source code and disassembly of VerifyPassword.cpp, a simple C++ program that contains an insecure password check that is no weaker than the implementation of the Password Vault trial limitation check. To find the relevant parts of the .text and .rdata sections that are related to the password check, the now familiar technique of setting a breakpoint on a constant in the .rdata section was used.
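The following added example is not part of the original document or its VerifyPassword.cpp; it illustrates the two paragraphs above by placing a plaintext check next to a source-level variant that gives the same verdicts while emitting no plaintext constant. The password literal is the one from the Table 7.2 listing; the mask value, function names and output strings are assumptions, and a single-byte XOR mask is itself an easily identified obfuscation of the kind deobfuscation tools undo, used here only to keep the comparison short.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Original form: the literal is emitted as plaintext into read-only data,
// where a search for the constant finds it.
bool verify_plain(const std::string &specified) {
    const char *password = "jup!ter";
    return specified == password;
}

// Obfuscated form (constructed for this example): the same bytes XOR-masked
// with an assumed key and folded at compile time, so only masked bytes are stored.
constexpr unsigned char kMask = 0x5A;
constexpr std::array<unsigned char, 7> kMasked = {
    'j' ^ kMask, 'u' ^ kMask, 'p' ^ kMask, '!' ^ kMask,
    't' ^ kMask, 'e' ^ kMask, 'r' ^ kMask};

bool verify_masked(const std::string &specified) {
    if (specified.size() != kMasked.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < kMasked.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(specified[i]);
        // Unmask one stored byte and accumulate any mismatch.
        diff = static_cast<unsigned char>(diff | (c ^ kMasked[i] ^ kMask));
    }
    return diff == 0;
}

// The bytes actually stored for the masked variant, as text.
std::string stored_bytes() {
    return std::string(kMasked.begin(), kMasked.end());
}

// True when both variants give the same verdict on every input.
bool equivalent_on(const std::vector<std::string> &inputs) {
    for (const auto &s : inputs)
        if (verify_plain(s) != verify_masked(s)) return false;
    return true;
}

int main() {
    std::string specified;
    std::cout << "Enter password: ";
    std::cin >> specified;
    std::cout << (verify_masked(specified) ? "Access granted" : "Access denied") << '\n';
    return equivalent_on({"jup!ter", "jupiter", "", "jup!ter "}) ? 0 : 1;
}
```

Compiling this file with `g++ -S` produces the assembly for both functions, so the plaintext constant and the masked table can be compared side by side.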

Table 7.2. Listing of VerifyPassword.cpp and disassembly of VerifyPassword.exe.

VerifyPassword.cpp:

    int main(int argc, char *argv[])
    {
        const char *password = "jup!ter";
        string specified;
        cout << "Enter password: ";
