What is obfuscation and how does it work?

What is obfuscation?

mystification means to make something difficult to understand. Programming code is much obfuscated to protect cerebral property or trade secrets, and to prevent an attacker from reverse engineering a proprietorship software program .
Encrypting some or all of a program ‘s code is one obfuscation method acting. early approaches include stripping out potentially revealing metadata, replacing class and variable star names with meaningless labels and adding fresh or meaningless code to an application script. A creature called an obfuscator will mechanically convert square generator code into a program that works the lapp way, but is more difficult to read and understand .
unfortunately, malicious code writers besides use these methods to prevent their attack mechanism from being detected by antimalware tools. The 2020 SolarWinds attack is an example of hackers using obfuscation to evade defenses.

Deobfuscation techniques can be used to reverse engineer — or undo — mystification. These techniques include platform slice, which involves narrowing the program code to merely the relevant statements at a particular distributor point in the course of study. Compiler optimization and program deduction are two other deobfuscation techniques. obfuscation aims to make invert engineer difficult and not worth the trouble .

How does obfuscation work?

bewilderment in computer code uses complex carousel phrases and pleonastic logic to make the code unmanageable for the lector to understand. The goal is to distract the reader with the complicate syntax of what they are reading and make it difficult for them to determine the true content of the message .
With calculator code, the reader may be a person, a computing device or another program. obfuscation is besides used to fool antivirus tools and other programs that rely heavily on digital signatures to interpret code. Decompilers are available for languages such as Java, operating systems such as Android and io, and development platforms like .NET. They can mechanically reverse engineer reference code ; obfuscation aims to make it unmanageable for these programs to do their decompiling arsenic well .
Code obfuscation is not about changing the content of a program ‘s original code, but quite about making the delivery method acting and presentation of that code more confuse. mystification does not alter how the program works or its end output .
What follows is an example snip of normal JavaScript code :

var greeting = 'Hello World';
greeting = 10;
var product = greeting * greeting;

That lapp snip in obfuscate class looks like this :

var _0x154f=['98303fgKsLC','9koptJz','1LFqeWV','13XCjYtB','6990QlzuJn','87260lXoUxl','2HvrLBZ','15619aDPIAh','1kfyliT','80232AOCrXj','2jZAgwY','182593oBiMFy','1lNvUId','131791JfrpUY'];var _0x52df=function(_0x159d61,_0x12b953){_0x159d61=_0x159d61-0x122;var _0x154f4b=_0x154f[_0x159d61];return _0x154f4b;};(function(_0x19e682,_0x2b7215){var _0x5e377c=_0x52df;while(!![]){try{var _0x2d3a87=-parseInt(_0x5e377c(0x129))*parseInt(_0x5e377c(0x123))+-parseInt(_0x5e377c(0x125))*parseInt(_0x5e377c(0x12e))+parseInt(_0x5e377c(0x127))*-parseInt(_0x5e377c(0x126))+-parseInt(_0x5e377c(0x124))*-parseInt(_0x5e377c(0x12f))+-parseInt(_0x5e377c(0x128))*-parseInt(_0x5e377c(0x12b))+parseInt(_0x5e377c(0x12a))*parseInt(_0x5e377c(0x12d))+parseInt(_0x5e377c(0x12c))*parseInt(_0x5e377c(0x122));if(_0x2d3a87===_0x2b7215)break;else _0x19e682['push'](_0x19e682['shift']());}catch(_0x22c179){_0x19e682['push'](_0x19e682['shift']());}}}(_0x154f,0x1918c));var greeting='Hello\x20World';greeting=0xa;var product=greeting*greeting;

The obfuscate version is about impossible to follow using the human eye .

Obfuscation techniques

Obfuscation involves several different methods. Often, multiple techniques are used to create a layer effect .
Programs written in software languages that are compiled, such as C # and Java, are easier to obfuscate. This is because they create intermediate-level instructions that are by and large easier to read. In contrast, C++ is more unmanageable to obfuscate, because it compiles to machine code, which is more unmanageable for people to work with .
Some coarse mystification techniques include the following :

• Renaming. The obfuscator alters the methods and names of variables. The new names may include unprintable or invisible characters.
• Packing. This compresses the entire program to make the code unreadable.
• Control flow. The decompiled code is made to look like spaghetti logic, which is unstructured and hard to maintain code where the line of thought is obscured. Results from this code are not clear, and it’s hard to tell what the point of the code is by looking at it.
• Instruction pattern transformation. This approach takes common instructions created by the compiler and swaps them for more complex, less common instructions that effectively do the same thing.
• Dummy code insertion. Dummy code can be added to a program to make it harder to read and reverse engineer, but it does not affect the program’s logic or outcome.
• Metadata or unused code removal. Unused code and metadata give the reader extra information about the program, much like annotations on a Word document, that can help them read and debug it. Removing metadata and unused code leaves the reader with less information about the program and its code.
• Opaque predicate insertion. A predicate in code is a logical expression that is either true or false. Opaque predicates are conditional branches — or if-then statements — where the results cannot easily be determined with statistical analysis. Inserting an opaque predicate introduces unnecessary code that is never executed but is puzzling to the reader trying to understand the decompiled output.
• Anti-debug. Legitimate software engineers and hackers use debug tools to examine code line by line. With these tools, software engineers can spot problems with the code, and hackers can use them to reverse engineer the code. IT security pros can use anti-debug tools to identify when a hacker is running a debug program as part of an attack. Hackers can run anti-debug tools to identify when a debug tool is being used to identify the changes they are making to the code.
• Anti-tamper. These tools detect code that has been tampered with, and if it has been modified, it stops the program.
• String encryption. This method uses encryption to hide the strings in the executable and only restores the values when they are needed to run the program. This makes it difficult to go through a program and search for particular strings.
• Code transposition. This is the reordering of routines and branches in the code without having a visible effect on its behavior.

How to measure obfuscation success

The success of bewilderment methods can be measured using the play along criteria :

• Strength. The extent to which transformed code resists automated deobfuscation attempts determines strength. The more effort, time and resources it takes, the stronger the code is.
• Differentiation. The degree to which transformed code differs from the original is another measure of how effective it is. Some of the ways used to judge differentiation include:
  • The number of predicates the new code contains.
  • The depth of the inheritance tree (DIT) — a metric used to indicate the complexity of code. A higher DIT means a more complex program.
• Expense. A cost-efficient obfuscation method will be more useful than one that’s expensive, particularly when it comes to how well it scales for larger applications.
• Complexity. The more layers the obfuscator adds, the more complex the program will be, making the obfuscation more successful.

Advantages of obfuscation

The main advantages of bewilderment are as follows :

• Secrecy. Obfuscation hides the valuable information contained in code. This is an advantage for legitimate organizations looking to protect code from competitors and attackers. Conversely, bad actors capitalize on the secrecy of obfuscation to hide their malicious code.
• Efficiency. Some obfuscation techniques, like unused code removal, have the effect of shrinking the program and making it less resource intensive to run.
• Security. Obfuscation is a built-in security method, sometimes referred to as application self-protection. Instead of using an external security method, it works within what’s being protected. It is well-suited for protecting applications that run in an untrusted environment and that contain sensitive information.

Disadvantages of obfuscation

One of the independent disadvantages of mystification is it is besides used in malware. Malware writers use it to evade antivirus programs that scan code for specific features. By obscuring those features, the malware appears lawful to the antivirus software.

common techniques malware authors use include :

• Exclusive or (XOR). An operation that hides data by applying XOR values to code so that only a trained eye would be able to decrypt it.
• ROT-13. An instruction that substitutes code for random characters.

With bewilderment, alternatively of developing modern malware, authors repackage normally used, commodity attack methods to disguise their features. In some cases, malicious actors include vendor-specific techniques .
Another disadvantage of obfuscation is it can make code more unmanageable to read. For exemplar, code that uses the chain encoding bewilderment method acting requires decoding of the strings at runtime, which slows operation .