Hutch/Steve's Code to obfuscate embedded data

Started by P1, September 08, 2017, 06:26:46 AM


P1

At one time, Hutch/Steve had code to obfuscate embedded data, making it harder to reverse engineer.

I ran through the current distribution of MASM, and could not find it.

1.  Ok, point to it, in the current distribution of MASM.

- OR -

2.  Attach the code to here, from older distribution or older post.

Thanks In Advance,  Michael, aka P1

jj2007

Something like this?

include \masm32\include\masm32rt.inc

.code
start:
call @F                   ; the "return address" pushed here is the address of @obs$
@obs$ dd 0BB11E534h,0BB3F9751h,0DE51FE36h,0B034DE53h,0C346BB25h,0A6349B4Ah,0D214E92Fh,0B6668847h,09612E167h,0F17C880Ch,09011A820h,
0F165C944h,0D101AC20h,0B564CE4Dh,0D044AB39h,0B127D84Ch,0D745B76Ch,0B8319709h,0DC5EF429h,0B83F9C09h,0DD49F97Dh,
08E66911Eh,0FA13D93Eh,0D676B457h,0A256D139h,0CD76A578h
@@: pop edx               ; edx -> @obs$
mov ecx, sizeof @obs$/4   ; number of dwords to decode
.Repeat
mov eax, [edx]
xor eax, [edx-4]          ; key = previous (still encoded) dword; for the first one it is the call opcode
add edx, 4
push eax                  ; pushes run downwards, so the last push holds the first four characters
dec ecx
.Until Zero?

inkey esp                 ; esp now points to the decoded, zero-terminated string

add esp, sizeof @obs$     ; drop the decoded copy from the stack
exit

end start

P1

Quote from: jj2007 on September 08, 2017, 07:00:22 AM
Something like this?

It was two parts, one part encoded the data to be embedded/Cut-N-Pasted into asm file.  The other was the decode proc to return the data unencoded.  I just do not want the clear text to be visible in a utility like ProcExp.  What I remember was it was fairly sophisticated, but not impossible to decode.

You helped me to remember: in QEditor, under Code, is "Create Mangle Text".

You get the RBI for this one.   :t

Best Regards,  Michael, aka P1

jj2007

For my version, see Obscure a string. Olly has a rough time with this sort of thing, but it can't be perfect. When you step through the code, after a while the string starts showing in Olly ;)

hutch--

Michael,

The link in QE is to an exe called "mangle.exe" which is in the MASM32 directory. There is nothing that you cannot break if you take long enough but the separation of the data and the code will add enough grief to the life of the hacker to slow up most of them.  :P

I should have added, there is a trick to make life even more miserable for the would-be hacker: as soon as you have decrypted and used the string, overwrite it with garbage, which narrows the window to view the text. The main PHUN with the original technique is to make the binary very hard to modify, as it involves changing both code and data.

jj2007

Here is a variant, just for fun (with some checks):

include \masm32\include\masm32rt.inc

.code
start:
mov esi, 12345678h ; for later verification
print hex$(esp), 9, "stack", 13, 10
; --------- the fun starts here ----------------
push esi
push sizeof @obs$/4  ; note the reversed order: pop esi, then pop ecx!
call @F
@obs$ dd 0BB11E534h,0BB3F9751h,0DE51FE36h,0B034DE53h,0C346BB25h,0A6349B4Ah,0D214E92Fh,0B6668847h,09612E167h,0F17C880Ch,09011A820h,
0F165C944h,0D101AC20h,0B564CE4Dh,0D044AB39h,0B127D84Ch,0D745B76Ch,0B8319709h,0DC5EF429h,0B83F9C09h,0DD49F97Dh,
08E66911Eh,0FA13D93Eh,0D676B457h,0A256D139h,0CD76A578h
@@: pop esi
pop ecx
.Repeat
xchg eax, edx
lodsd
push eax
xor [esp], edx
dec ecx
.Until Zero?
; --------- ready to use the string ----------------
print esp, 13, 10
add esp, sizeof @obs$ ; cleanup
pop esi ; restore esi
print hex$(esp), 9, "stack", 13, 10 ; check if everything
inkey hex$(esi), 9, "esi", 13, 10 ; is in the right places
exit

end start


Output:

0018FF88        stack
At one time, Hutch/Steve had code to obfuscate embedded data, making it harder to reverse engineer.
0018FF88        stack
12345678        esi


And here is a small excerpt of what Olly "sees":

00401024              .  56                   push esi                          ; ┌Arg2
00401025              .  6A 1A                push 1A                           ; │Arg1 = 1A
00401027              .  E8 68000000          call 00401094                     ; └ObfuscateString.00401094
0040102C              .  34 E5                xor al, E5
0040102E              .  11BB 51973FBB        adc [ebx+BB3F9751], edi
00401034                 36                   db 36                             ; char '6'
00401035                 FE                   db FE                             ; char 'þ'
00401036                 51                   db 51                             ; char 'Q'
00401037                 DE                   db DE                             ; char 'Þ'
00401038                 53                   db 53                             ; char 'S'
00401039                 DE                   db DE                             ; char 'Þ'
0040103A                 34                   db 34                             ; char '4'
0040103B                 B0                   db B0
0040103C                 25                   db 25                             ; char '%'
0040103D                 BB                   db BB
0040103E             ┌.  46                   inc esi
0040103F             └.  C3                   retn


When you step over call 00401094 using F8, the string is already printed, and there is no way to go back :P
Project attached, the exe has an int 3 just before the push esi.
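P1 asked for the missing first half, the encoder that produces the table. The following Python is an added example (not from the thread, and not the mangle.exe shipped with MASM32) that mirrors the XOR chain both of jj2007's listings decode: each pushed dword is the current table entry XORed with the previous, still encoded, entry, and because pushes grow the stack downwards the string reads from the last push backwards. The dword table is the @obs$ data from the listings; the function names and the seed value for the extra Hello string are mine.

```python
import struct

# The 26 dwords of the @obs$ table posted in the thread (copied, not constructed)
PAGE_DWORDS = [
    0xBB11E534, 0xBB3F9751, 0xDE51FE36, 0xB034DE53, 0xC346BB25, 0xA6349B4A,
    0xD214E92F, 0xB6668847, 0x9612E167, 0xF17C880C, 0x9011A820, 0xF165C944,
    0xD101AC20, 0xB564CE4D, 0xD044AB39, 0xB127D84C, 0xD745B76C, 0xB8319709,
    0xDC5EF429, 0xB83F9C09, 0xDD49F97D, 0x8E66911E, 0xFA13D93E, 0xD676B457,
    0xA256D139, 0xCD76A578,
]

def decode(dwords, first_key=0):
    """Mirror of the .Repeat loop: pushed[i] = d[i] XOR d[i-1].
    d[0] is XORed with whatever precedes it (call opcode bytes in the first
    listing, leftover eax in the second); that word lands past the terminator,
    so its key value is irrelevant (hypothetical default 0 here)."""
    pushed, prev = [], first_key
    for d in dwords:
        pushed.append(d ^ prev)
        prev = d
    # push grows the stack downwards, so esp points at the LAST pushed dword
    raw = b"".join(struct.pack("<I", p) for p in reversed(pushed))
    return raw.split(b"\0", 1)[0]

def encode(text, seed):
    """Inverse of decode: build the dd table for a string. One slack dword is
    appended so the key-dependent first push never holds any text."""
    buf = text + b"\0"
    buf += b"\0" * (-len(buf) % 4) + b"\0" * 4
    s = [struct.unpack("<I", buf[i:i + 4])[0] for i in range(0, len(buf), 4)]
    n = len(s)
    d = [seed & 0xFFFFFFFF]          # free choice; the thread's table used 0BB11E534h
    for k in range(1, n):
        d.append(s[n - 1 - k] ^ d[k - 1])
    return d

def masm_dd(dwords, label="@obs$", per_line=11):
    """Render the table in MASM syntax, trailing commas continuing the line."""
    items = ["0%08Xh" % d for d in dwords]
    rows = [",".join(items[i:i + per_line]) for i in range(0, len(items), per_line)]
    return label + " dd " + ",\n".join(rows)

if __name__ == "__main__":
    msg = decode(PAGE_DWORDS)
    print(msg.decode())                      # the sentence from P1's opening post
    assert encode(msg, PAGE_DWORDS[0]) == PAGE_DWORDS
    print(masm_dd(encode(b"Hello, MASM", 0xDEADBEEF)))
```

Seeding encode with the first dword of the posted table regenerates that table exactly, which is the check that the two halves really are inverses of each other.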