7.6.4 Analysis of the Control Flow Obfuscation Using Run Traces

The goal of this analysis is to demonstrate that even though the Password Vault application is given identical input and produces identical output on successive runs, the OllyDbg run traces, which record the executed sequence of assembly instructions, differ significantly from run to run, making it difficult for a reverser to understand the trial limitation check through either live or static analysis of the disassembly. Live analysis is hampered more by the randomization than static analysis is, because the control flow of the trial limitation check is randomized each time it is run; one can imagine the confusion that would arise if breakpoints are not always triggered, or are triggered in an unpredictable


OllyDbg run traces are captured in the run trace view once execution of the program has been paused at the desired starting point. To have the trace logged to a file as well as shown in the view, select “Log to file” on the context menu of the run trace view. Begin the trace by selecting “Trace into” on the “Debug” menu; the program will execute, but much more slowly than normal, since each instruction must be inspected and appended to the run trace view and the optional log file. An OllyDbg trace includes every instruction executed by the program and by the operating system libraries it calls into; fortunately the trace is columnar, with each instruction qualified by the name of the module that executed it, so it is possible to post-process the trace and extract only those instructions executed by a particular module of interest. For example, in the case of the Password Vault traces analyzed in this section, the Sed (stream-editor) utility was used
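Post-processing a run-trace log as described above, as an added shell example that is not part of the thesis or of the Password Vault project. It assumes a whitespace-separated log with the module name in the third column (a back counter, the thread, the module, the address, then the command); the trace lines are constructed for illustration, and the function names and the module name passwor are hypothetical.

```shell
#!/bin/sh
# Added example, not the thesis author's script: keep only the instructions that
# one module executed in an OllyDbg run-trace log, so the per-run instruction
# sequences of the trial check can be compared without the OS library noise.
#
# Assumption: columns are "Back Thread Module Address Command", whitespace
# separated, with a header line. Adjust the sed expression if your log differs.

# Constructed sample trace (not a real Password Vault capture).
SAMPLE_TRACE='Back Thread   Module    Address   Command
1    Main     passwor   00401000  PUSH EBP
2    Main     passwor   00401001  MOV EBP,ESP
3    Main     passwor   00401003  CALL 00401A00
4    Main     kernel32  7C801D7B  MOV EDI,EDI
5    Main     kernel32  7C801D7D  PUSH EBP
6    Main     ntdll     7C90E4F4  MOV EAX,0A
7    Main     passwor   00401A00  XOR EAX,EAX'

# filter_module MODULE: read a trace on stdin and print only the lines whose
# module column equals MODULE, with the Back/Thread/Module columns stripped so
# that what remains is "address  instruction". The header line (which does not
# start with a digit) is dropped by the same expression. MODULE is used as a
# sed regular expression, so escape it if it contains metacharacters.
filter_module() {
    mod="$1"
    sed -n "s/^[0-9][0-9]*[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}${mod}[[:space:]]\{1,\}//p"
}

# instructions_of MODULE: the filtered address/instruction lines of the sample.
instructions_of() {
    printf '%s\n' "$SAMPLE_TRACE" | filter_module "$1"
}

# count_module MODULE: number of instructions MODULE executed in the sample.
count_module() {
    instructions_of "$1" | wc -l | tr -d ' '
}

# Example run: show what the application module itself executed.
instructions_of passwor
```

Once two traces of the same input have been reduced to the application module's "address  instruction" lines, a plain diff of the two files shows exactly where the randomized control flow diverged between runs.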

