Vikas Gonti

References
- https://www.preemptive.com/products/dotfuscator
- https://www.youtube.com/watch?v=dqjYSF-7Q1A
What is Obfuscation?
- Dictionary Meaning:
  To confuse, to make obscure a problem with extraneous information or to darken.
  (www.dictionary.com)
- In Terms of Technology:
  Obfuscated code is source or machine code that has been made difficult to understand. Programmers may deliberately obfuscate code to conceal its purpose or its logic, to prevent tampering or to deter reverse engineering.
What is Obfuscation?
- Obfuscation in .NET:
  - Technology of shrouding the facts.
  - Technology that makes .NET assemblies more difficult to decompile and impedes reverse engineering efforts.
What is an Obfuscator?
- An obfuscator: an algorithm O such that, for any program P, O(P) is a program such that
  - O(P) has the same functionality as P
  - O(P) is infeasible to analyze/"reverse-engineer"
.NET Software Development Lifecycle
[Diagram of the lifecycle; labels: Design, Develop and Build, Deploy, Test, Protect]
Why Obfuscation?
- .NET programs are compiled to MSIL, which is at a higher level than binary machine code.
- So .NET programs are easy to reverse engineer using decompilation.
- Attackers can use a .NET decompiler to easily reverse engineer code.
- The .NET Framework ships with a tool (ILDASM) that can disassemble MSIL.
- Anyone can peruse the details of the software.
Why Obfuscation ctd ..?
- Obfuscation reduces the size of an executable.
- Obfuscation improves the application performance at runtime.
- Properly applied obfuscation increases protection against decompilation.
Goal of Obfuscation?
- The goal of obfuscation is to create confusion.
- It does not alter the executable logic, but represents it incomprehensibly.
When an obfuscator tool goes to work on readable
program instructions, a side effect is the output will confuse a human
interpreter and break the decompiler the human interpreter was using.
Dotfuscator – Obfuscator Tool
Dotfuscator is a post-development recompilation
system for .NET applications. It analyzes applications and
makes them smaller, faster, and harder to reverse-engineer.
In short, it makes them better.
- Enhanced Code Security.
- Decreased size of .NET Programs.
- Improved Run-Time Performance.
Dotfuscator – Obfuscator Tool
- Obfuscation is applied to MSIL and not source code.
- Obfuscated code is functionally equivalent to traditional MSIL.
- It executes on CLR with similar results.
Dotfuscator features
- Renaming
- Control Flow Obfuscation
- String Encryption
- Pruning
- Linking
- Watermarking
Dotfuscator features
1. Renaming:
Uses a patented Overload-Induction renaming system that renames as many methods as possible to the same name.
Saves space, as short names are used for renaming.
Several options exist for class renaming. For example:
- Specify classes to be renamed while keeping their namespace membership (keepnamespace).
- Rename namespace names while preserving namespace hierarchy (keephierarchy).
- Rename completely, removing the namespace (default).
Renaming Options (keepnamespace)
This methodology is an excellent way to hide the
names of your classes while maintaining namespace
hierarchy. An example of this type of renaming is:
Renaming Options (keephierarchy)
It preserves the namespace hierarchy while
renaming the namespace and class names.
Renaming Options (default)
The default methodology renames the class and
namespace name to a new, smaller name.
Overload Induction Method Renaming
Dotfuscator implements patented technology for method
renaming called Overload-Induction. The underlying idea is that
the algorithm attempts to rename as many methods as possible to
exactly the same name.
After this deep obfuscation, the logic, while not destroyed, is beyond
comprehension. The following simple example illustrates the power of the
Overload Induction technique:
Original Source Code Before Obfuscation
    private void CalcPayroll(SpecialList employeeGroup)
    {
        while (employeeGroup.HasMore())
        {
            employee = employeeGroup.GetNext(true);
            employee.UpdateSalary();
            DistributeCheck(employee);
        }
    }
Overload Induction Method Renaming
Reverse-Engineered Source Code
    private void a(a b)
    {
        while (b.a())
        {
            a = b.a(true);
            a.a();
            a(a);
        }
    }
- Renaming makes decompiled output difficult to understand.
- Since overload-induction tends to use the same letter more often, it reaches into longer length names more slowly (e.g. aa, aaa, etc.). This also saves space.
Dotfuscator features ctd ..
2. String Encryption:
Crackers will frequently search for specific
strings in an application to locate strategic logic. For
example, someone looking to bypass a registration and
verification process can search for the string displayed
when the program asks the user for a serial number.
When the attacker finds the string, he can look for
instructions near it and alter the logic.
String Encryption
String Encryption makes this much more
difficult to do, because the attacker's search will come
up empty. The original string is nowhere to be found
in the code. Only its encrypted version is present.
- No strings are encrypted unless you specifically include a method that uses the string. The intention is that you will only want to encrypt strings in the sensitive parts of your application.
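A post-build check for the point above, added here as an illustration and not taken from the slides or from Dotfuscator: it searches assembly bytes for sensitive strings that are still in plaintext, which catches methods that were never included for string encryption. The class name, the sample strings, the constructed byte buffers and the XOR stand-in for the obfuscator's cipher are all assumptions.

```csharp
using System;
using System.Linq;
using System.Text;

static class StringLeakCheck
{
    // Naive byte-sequence search; adequate for a build-time check.
    static bool Contains(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return true;
        }
        return false;
    }

    // String literals sit in the #US metadata heap as UTF-16LE; UTF-8 is
    // checked as well because metadata names and many resources use it.
    public static string[] PlaintextHits(byte[] image, string[] sensitive) =>
        sensitive.Where(s => Contains(image, Encoding.Unicode.GetBytes(s))
                          || Contains(image, Encoding.UTF8.GetBytes(s))).ToArray();

    static void Main()
    {
        string[] sensitive = { "Enter your serial number", "Registration failed" };

        // Constructed stand-ins for assembly bytes. A real build step would
        // pass File.ReadAllBytes(path) for the obfuscated output instead.
        byte[] pad = { 0x00, 0x2A, 0x16, 0x00 };
        byte[] first = Encoding.Unicode.GetBytes(sensitive[0]);
        byte[] second = Encoding.Unicode.GetBytes(sensitive[1]);
        // Toy XOR stands in for the obfuscator's cipher, applied to the first
        // string only, as if the method using the second was never included.
        byte[] hidden = first.Select(b => (byte)(b ^ 0x5A)).ToArray();

        byte[] before = pad.Concat(first).Concat(pad).Concat(second).ToArray();
        byte[] after = pad.Concat(hidden).Concat(pad).Concat(second).ToArray();

        Console.WriteLine("before: " + string.Join(" | ", PlaintextHits(before, sensitive)));
        Console.WriteLine("after:  " + string.Join(" | ", PlaintextHits(after, sensitive)));
    }
}
```

A clean result only means the strings are absent from the file on disk; they are still decrypted in memory when the program runs.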
Dotfuscator features ctd ..
3. Control Flow Obfuscation:
Traditional control flow obfuscation introduces false conditions and other misleading constructs in order to confuse and break decompilers.
- It destroys the code patterns.
- The end result is semantically equivalent to the original.
Control flow obfuscation
Original Source Code Before Obfuscation
    public int CompareTo(Object o)
    {
        int n = occurrences - ((WordOccurrence)o).occurrences;
        if (n == 0)
        {
            n = String.Compare(word, ((WordOccurrence)o).word);
        }
        return(n);
    }
After Control Flow Obfuscation
    public virtual int _a(Object A_0)
    {
        int local0; int local1;
        local0 = this.a - (c) A_0.a;
        if (local0 != 0) goto i0;
        goto i1;
        while (true) {
            return local1;
            i0: local1 = local0;}
        i1: local0 = System.String.Compare(this.b, (c) A_0.b); goto i0;
    }
Dotfuscator features ctd ..
4. Pruning:
Determines unused types, methods and fields. It
extracts exactly the pieces you need for any given
application.
Helps reduce size of the assembly.
- The static analysis works by traversing your code, starting at a set of methods called "triggers" (application entry points).
- In a standalone application, the Main method would be defined as a trigger.
- As it traverses each trigger method's code, it notes which fields, methods and types are being used.
Pruning
Conditional Inclusion: It allows you to specify types,
methods, and/or fields that you wish to be definitely
included (i.e. Not pruned) in your final application.
Removal Report: It generates a removal report in XML
format that lists all input assemblies and how each was
pruned.
- The report includes pruning status of: types, methods, fields, properties, and managed resources.
- If a type was pruned, then obviously all its members are pruned.
- Constructors are named .ctor, while static constructors are named .cctor.
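The trigger-based traversal and conditional inclusion described above, sketched as a worklist over a constructed call graph. This is an added example, not Dotfuscator's implementation: the method names and the graph are hypothetical, and the sketch assumes that callees of a conditionally included method are kept as well. It shows why a method reached only through reflection is pruned unless it is explicitly included.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class PruningDemo
{
    // Constructed call graph: caller -> callees visible to static analysis.
    static readonly Dictionary<string, string[]> CallGraph = new Dictionary<string, string[]>
    {
        ["Program.Main"] = new[] { "Payroll.CalcPayroll", "Plugin.Load" },
        ["Payroll.CalcPayroll"] = new[] { "Employee.UpdateSalary", "Payroll.DistributeCheck" },
        ["Employee.UpdateSalary"] = new string[0],
        ["Payroll.DistributeCheck"] = new string[0],
        // Plugin.Load invokes Plugin.Run through reflection (by string name),
        // so the graph has no edge from Load to Run.
        ["Plugin.Load"] = new string[0],
        ["Plugin.Run"] = new[] { "Plugin.Format" },
        ["Plugin.Format"] = new string[0],
        ["Legacy.Export"] = new string[0],
    };

    // Worklist traversal starting at the triggers and the conditional inclusions.
    public static HashSet<string> Keep(IEnumerable<string> triggers, IEnumerable<string> included)
    {
        var kept = new HashSet<string>();
        var work = new Stack<string>(triggers.Concat(included));
        while (work.Count > 0)
        {
            string method = work.Pop();
            if (!kept.Add(method)) continue;   // already visited
            foreach (string callee in CallGraph[method]) work.Push(callee);
        }
        return kept;
    }

    static string Pruned(HashSet<string> kept) =>
        string.Join(", ", CallGraph.Keys.Where(m => !kept.Contains(m)).OrderBy(m => m));

    static void Main()
    {
        var triggers = new[] { "Program.Main" };
        Console.WriteLine("triggers only: pruned " + Pruned(Keep(triggers, new string[0])));
        Console.WriteLine("Plugin.Run included: pruned " + Pruned(Keep(triggers, new[] { "Plugin.Run" })));
    }
}
```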
Dotfuscator features ctd ..
5. Assembly Linking:
Also called merging; links multiple assemblies into one or more output assemblies. The only rule is that you can't link the same input assembly into multiple output assemblies.
- The linking feature is fully integrated.
Prime Assemblies:
When you set up linking, you must specify one of the
input assemblies as the prime assembly.
Assembly Linking
Name Mangling:
When the linker is merging assemblies, the linker sometimes
encounters situations where a name needs to be changed in order to
prevent a naming collision.
For example, if two of the input assemblies contain private
classes with identical names then the linker must change one of the
names in order to merge the assemblies.
Dotfuscator features ctd ..
6. Watermarking:
Used to embed data (copyright info/unique nos.) into applications, making them unique. This is one method that can be used to track unauthorized copies of your software back to the source.
To watermark an application
- Select the assemblies to watermark.
- Select whether the watermark string is to be encrypted and provide a passphrase if so.
- Provide a string and an encoding that will be the watermark.
- Select how Dotfuscator will behave if the watermark string is too large to fit in a selected assembly.
Drawbacks
- Maintaining and troubleshooting becomes difficult.
- Can break code that depends on reflection, serialization or remoting.
- Hampers the debugging process, as obfuscation alters MSIL.
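A smoke test for the reflection drawback, added here as an example and not part of the original slides: run against the obfuscated build, it reports every member the application looks up by string name that renaming has removed from metadata. ReportPlugin, its members and the dependency list are hypothetical; System.Reflection.ObfuscationAttribute is the standard .NET marker, and whether a given obfuscator configuration honors it is an assumption to confirm.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

public class ReportPlugin
{
    // Standard .NET marker asking obfuscators to leave this member's name alone.
    [Obfuscation(Exclude = true)]
    public string Render() => "report";

    // No exclusion: a renaming pass is free to change this name.
    public string Export() => "export";
}

static class NameDependencyCheck
{
    // Every member the application resolves by string at run time
    // (reflection, serialization, remoting, configuration).
    static readonly (Type Owner, string Member)[] Dependencies =
    {
        (typeof(ReportPlugin), "Render"),
        (typeof(ReportPlugin), "Export"),
    };

    // Returns the dependencies whose names no longer exist in metadata.
    // typeof() compiles to a metadata token and follows the renamed type;
    // the string literals do not follow renamed members.
    public static List<string> Unresolved()
    {
        const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic
                               | BindingFlags.Instance | BindingFlags.Static;
        var missing = new List<string>();
        foreach (var (owner, member) in Dependencies)
            if (owner.GetMember(member, All).Length == 0)
                missing.Add(owner.FullName + "." + member);
        return missing;
    }

    static int Main()
    {
        List<string> missing = Unresolved();
        foreach (string m in missing)
            Console.Error.WriteLine("name lookup would fail: " + m);
        return missing.Count == 0 ? 0 : 1;   // non-zero fails the build step
    }
}
```

In an unobfuscated build both names resolve; after a renaming pass only the excluded member is expected to.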
Conclusion & References
- Obfuscation is not 100 percent protection.
- If a hacker is persistent enough, they can find the meaning of your code.
- The goal of obfuscation is to make the reverse engineering process extremely time consuming and painful so that it is not worth the effort.
References
- Professional Visual Studio 2005 – Andrew Parsons and Nick Randolph.
- http://aspnet.4guysfromrolla.com
- http://www.preemptive.com
- http://msdn2.microsoft.com/enus/library/ms227295(VS.80).aspx