Code Obfuscation

Tool for Software Protection

Outline

Why Code Obfuscation

Features of a code obfuscator

Potency
Resilience
Cost

Classification of Obfuscating
Transformations

Why use Code Obfuscation

Techniques

Mainly to defend against Software

Reverse Engineering
We can only make it more difficult for
reverse engineers
Available obfuscating tools work in
the same way as compiler optimizers
Reduce required space and time for
compilation

The level of security that an

Obfuscator adds depends on:

The transformations used

The power of available deobfuscators
The amount of resources available to
deobfuscators

Main features of a Code Obfuscator

Potency: is the level up to which a

human reader would be confused by
the new code
Resilience: is how well the obfuscated
code resists attacks by deobfuscation
tools
Cost: is how much load is added to
the application

Code Obfuscation

Reverse
engineering
exatracts piece of
program
Obfuscation makes
reverse
engineering
difficult
P1, P2, .., Pn

P1
P1, P2, .., Pn

Obfuscatio
n
Q1,
Transformation
s

Reverse
Engineer

Pn

Reverse Engineering
Q2, .., Qm fails

Protection through Obfuscation

http://www.cs.arizona.edu/~collberg/Research/Obfuscation/Resources.html

Obfuscation methods

Mainly based on target information that we

want to modify/obfuscate

Kinds of Obfuscating
Transformations

Lexical transformations

Control transformations

Change program flow while preserving

semantics

Data transformations

Modify variable names

Modify data structures

Anti-disassembly
Anti-debugging

Kinds of obfuscation for each target

information

Available JavaScript Obfuscators

Most available commercial JavaScript

obfuscators work by applying Lexical
transformations
Some obfuscators that were
considered are:

Stunnix JavaScript Obfuscator

Shane Ng's GPL-licensed obfuscator
Free JavaScript Obfuscator

Example:From Stunnix

Actual code:
function foo( arg1)
{
var myVar1 = "some
string"; //first comment
var intVar = 24 *
3600; //second comment
/* here is
a long
multi-line comment blah */
document. write( "vars
are:" + myVar1 + " " +
intVar + " " + arg1) ;
};

Obfuscated code:
function
z001c775808( z3833986e2c)
{ var z0d8bd8ba25=
"\x73\x6f\x6d\x65\x20\x73\x
74\x72\x69\x6e\x67"; var
z0ed9bcbcc2= (0x90b+7850xc04)* (0x1136+64370x1c4b); document.
write( "\x76\x61\x72\x73\x2
0\x61\x72\x65\x3a"+
z0d8bd8ba25+ "\x20"+
z0ed9bcbcc2+ "\x20"+
z3833986e2c);};

Step by step examination

The Stunnix obfuscator targets at obfuscating

only the layout of the JavaScript code
As the obfuscator parses the code, it removes
spaces, comments and new line feeds
While doing so, as it encounters user defined
names, it replaces them with some random
string
It replaces print strings with their hexadecimal
values
It replaces integer values with complex
equations

In the sample code that was obfuscated, the following

can be observed
User defined variables:

foo replaced with z001c775808

arg1 replaced with z3833986e2c

myvar1 replaced with z0d8bd8ba25

intvar replaced with z0ed9bcbcc2

Integers:

20 replaced with (0x90b+785-0xc04)

3600 replaced with (0x1136+6437-0x1c4b)

Print strings:

vars are replaced with

\x76\x61\x72\x73\x20\x61\x72\x65\x3a

Space replaced with \x20

References

[Collberg] C. Collberg, The Obfuscation and

Software Watermarking homepage,
http://www.cs.arizona.edu/collberg/Research/O
bfuscation/index.html
[Stunnix JavaScript Obfuscator]
www.stunnix.com
[Shane Ng's GPL-licensed obfuscator]
http://daven.se/usefulstuff/javascript-obfuscato
r.html

[Free JavaScript Obfuscator]

http://www.javascriptobfuscator.com/