anti-analysis.md

<- .anti-analysis ->

Reversing Is Easy?

• Aside from that a compiler will bloat up the size of the compiled code, reverse engineering for the purpose of understanding how a program works is really not a hard task. Even though x86 instruction set is enormous and source to assembly is a one-to-many relationship, a compiler will usually prefer only a subset of the x86 instruction set to translate the source code to. It might take longer to understand the disassembly, but after reversing for a while, you will start to notice the same assembly patterns and idioms over and over again. Getting used to those idioms and common assembly constructs for high-level languages (e.g. for loop, if statement, function call) help you decipher the purpose of a group of instructions quicker. Eventually, you will be able to understand on a high level what portion of the disassembly is doing what. Once you reach this state, the program is yours.

Not So Fast...

• Obviously there are people that don't want their programs to be analyzed. When that is the case, they will use various techniques to hinder reversing of their software. The well-known anti-analysis techniques can be seen below in "section overview" but there are also many more undocumented or less-known ones. The good news is: no matter how hard one tries to obfuscate a program, there is no guarantee that it cannot be de-obfuscated. It is only a matter of time before a protected program is taken apart. Furthermore, unless the program is a crackme or a reversing challenge, one can't simply try to make the program as hard to reverse as possible since program performance also needs to be taken into consideration. Depending on the anti-analysis techniques and what portion of the code is hardened, the performance difference could be fairly noticeable.

Ultimate Goal

• "From an anti-reversing perspective, code doesn't have to be hard to reverse engineer....all we really need in the end of the day is we need the reverse engineer give up" - Chris Domas
  • Repsych: Psychological Warfare in Reverse Engineering
  • REpsych's Github Repo

---

section overview

---

• Obfuscation
  • Original Entry Point (OEP) Hiding
  • Functions In/Out-Lining
  • Opcode Obfuscation
  • Code Insertion
  • Pattern-Based Obfuscation
  • Destruction of Sequential and Temporal Locality
  • Imported Function Obfuscation
• Anti-Disassembly
  • Disassembly Techniques
  • Disassembly Desynchronization
  • Processer-Based Control Indirection
  • Parser Differential Attack (File Format Hacks)
• Anti-Debugging
  • Leveraging OS to Detect Debugger's Presence
  • Using Flags within the PEB structure to Detect Debugger's Presence (Windows)
  • Breakpoint Detection
  • Interrupts
  • Timing Checks
  • Detection Before Main
• Anti-Emulation
  • Detection through Syscall
  • CPU Inconsistencies Detection
  • Timing Delays
  • Number of Cores

---

further readings

---

• The "Ultimate" Anti-Debugging Reference: a comprehensive Windows anti-debugging guide by Peter Ferrie
• Al-Khaser: a sample application that performs different types of common anti-analysis tricks
• Analysis of Anti-Analysis: my blog on anything related to anti-reverse engineering

.file-formats <- RERM -> .encodings