Obfuscation of Abstract Data-Types - Rowan
CHAPTER 2. OBFUSCATIONS FOR INTERMEDIATE LANGUAGE 25
the target label, otherwise the next instruction following the branch will be executed.
In this example,
IL0001: ldloc.s V<br />
IL0002: ldc.i4.1<br />
IL0003: bge.s IL0020<br />
IL0004: ...<br />
. . .<br />
IL0020: ...<br />
if V ≥ 1 then IL0020 will be executed next — otherwise, IL0004 will be executed.
When writing IL methods, we require that the code that we produce is verifiable. Here are some conditions that must be met for verifiability:
• Stacks must have the same height and contain the same types when control flow paths meet.
• Operations must have the correct number of items on the stack (e.g. for a binary operation there must be at least two elements on the stack).
• Operations must receive the type that they expect off the stack.
If we have verified code then we can be sure that the code will run safely (e.g. the code will not access memory locations that it is not permitted to) and so we must ensure that any obfuscations that we apply produce verifiable code.
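The three conditions above can be checked mechanically by following every control flow path and recording the stack on entry to each instruction. The following is an added example, not code from the thesis and not the real CLR verifier: the opcode table, the verify function and the sample instructions are assumptions made for illustration, covering only a handful of opcodes and methods that end in ret.

```python
# Added example: a toy verifier for a few IL opcodes (not the real CLR verifier).
# EFFECTS maps an opcode to (types popped, types pushed); "*" accepts any type.
EFFECTS = {
    "ldc.i4.1": ((), ("int32",)),
    "ldstr":    ((), ("string",)),
    "add":      (("int32", "int32"), ("int32",)),
    "pop":      (("*",), ()),
    "bge.s":    (("int32", "int32"), ()),
    "ret":      ((), ()),
}

def verify(code, local_types):
    """code: list of (label, opcode, operand), ending in ret. Returns error strings."""
    index = {label: i for i, (label, _, _) in enumerate(code)}
    seen, errors, work = {}, [], [(0, ())]   # seen: instruction -> stack on entry
    while work:
        i, stack = work.pop()
        label, op, arg = code[i]
        if i in seen:                        # a second path reaches this instruction
            if seen[i] != stack:
                errors.append(f"{label}: stacks differ at merge: {seen[i]} vs {stack}")
            continue
        seen[i] = stack
        if op == "ldloc.s":
            pops, pushes = (), (local_types[arg],)
        elif op == "stloc.s":
            pops, pushes = (local_types[arg],), ()
        else:
            pops, pushes = EFFECTS[op]
        if len(stack) < len(pops):           # not enough operands on the stack
            errors.append(f"{label}: {op} needs {len(pops)} item(s), stack has {len(stack)}")
            continue
        top = stack[len(stack) - len(pops):]
        bad = [(w, g) for w, g in zip(pops, top) if w not in ("*", g)]
        if bad:                              # operand of the wrong type
            errors.append(f"{label}: {op} expected {bad[0][0]}, found {bad[0][1]}")
            continue
        stack = stack[:len(stack) - len(pops)] + pushes
        if op == "bge.s":
            work.append((index[arg], stack))  # branch target
        if op != "ret":
            work.append((i + 1, stack))       # fall-through
    return errors

# Constructed sample: the bge.s fragment above with the elided parts filled in.
SAMPLE = [("IL0001", "ldloc.s", "V"), ("IL0002", "ldc.i4.1", None),
          ("IL0003", "bge.s", "IL0020"), ("IL0004", "ldloc.s", "V"),
          ("IL0005", "pop", None), ("IL0020", "ret", None)]
UNBALANCED = SAMPLE[:4] + SAMPLE[5:]  # constructed: pop removed, paths disagree at IL0020
```

Calling verify(SAMPLE, {"V": "int32"}) returns an empty list, while UNBALANCED is rejected because the fall-through path arrives at IL0020 with one more item on the stack than the branch path.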
2.2 IL obfuscations<br />
Now, we will look at how to perform some obfuscations on IL by manually editing an IL file and assembling this file to make a PE. We look at some of the obfuscations given in [10] and we show how to write them in IL. The aim of performing obfuscations on IL is to make it hard for a decompiler to take a PE and produce C#. Ideally, we would like to stop the decompilation process altogether but at the very least, we should make the resulting code harder to understand.
2.2.1 Variable Transformation<br />
For the first example of obfuscating IL, we show how to perform a simple variable transformation (as outlined in Section 1.3.3). The functions we will use to perform the transformations are:
f = λi.(2i − 1)<br />
g = λj.((j + 1)/2)<br />
Assignment of a variable corresponds to stloc and use corresponds to ldloc.
Using the GCD example given in Figure 2.2, we aim to transform the local