OWASP / ZSC

OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/

Proof of code obfuscation functionality #131

Open taylorgag opened 3 years ago

taylorgag commented 3 years ago

Sorry to bother you, but how can we prove the functionality of the code before and after code obfuscation?

Ali-Razmjoo commented 3 years ago

Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.

Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?

taylorgag commented 3 years ago

> Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.
>
> Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?

Thanks for your warm reply. What I want to say is how do we make sure that the functions of the code before and after the code obfuscation are the same?

oldkingcone commented 3 years ago

> Before answering, I'd like to mention this project has not been updated for so long; it might have some errors. Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?
>
> Thanks for your warm reply. What I want to say is how do we make sure that the functions of the code before and after the code obfuscation are the same?

By understanding how the obfuscation process takes place, and then going in reverse order.

taylorgag commented 3 years ago

> by understanding how the obfuscation process takes place, and then going in reverse order

Do you know any general theorems or open materials to independently prove this?

taylorgag commented 3 years ago

> reverse order

'in reverse order', what does this mean? Can you explain more details to me about it?

Ali-Razmjoo commented 3 years ago

Sorry for my late answer;

@taylorgag yes, code functionality is the same after and before obfuscation;

There are a few modules that obfuscate the shellcode; they take the hex values and recalculate them in some random ways. For example, if the value is 100, then 50+50, 110-10, 25*4, 300/3 are the same thing, right? So when it calculates the values, for example syscall "exec" is 0x100 or whatever, it will just change the value in a way that only refers to it indirectly.

Here is an old blog post that explains a little bit about this: https://web.archive.org/web/20161012002249/http://www.z3r0d4y.com/2015/05/zcr-shellcoder-review-and-analysis_20.html

And here is also a blog post to help you analyze a shellcode:

https://web.archive.org/web/20160922154856/http://www.z3r0d4y.com/2015/08/shellcode-analysing-using-gdb.html

Let me know if you have more questions.

taylorgag commented 3 years ago

> Sorry for my late answer;
>
> @taylorgag yes, code functionality is the same after and before obfuscation;
>
> There are a few modules that obfuscate the shellcode; they take the hex values and recalculate them in some random ways. For example, if the value is 100, then 50+50, 110-10, 25*4, 300/3 are the same thing, right? So when it calculates the values, for example syscall "exec" is 0x100 or whatever, it will just change the value in a way that only refers to it indirectly.
>
> Here is an old blog post that explains a little bit about this: https://web.archive.org/web/20161012002249/http://www.z3r0d4y.com/2015/05/zcr-shellcoder-review-and-analysis_20.html
>
> And here is also a blog post to help you analyze a shellcode:
>
> https://web.archive.org/web/20160922154856/http://www.z3r0d4y.com/2015/08/shellcode-analysing-using-gdb.html
>
> Let me know if you have more questions.

Thanks for your warm reply. In fact, I am now doing a new language obfuscation, and then I need to prove that the functionality of the code before and after the obfuscation is the same before I can proceed with the next experiment.

Ali-Razmjoo commented 3 years ago

you can create functionality to deobfuscate the code and compare it with the original one maybe...
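A concrete version of the check suggested in the last reply (re-evaluate the rewritten constants and compare them with the originals), added here as an example and not code from ZSC: it reimplements the value-splitting idea from Ali-Razmjoo's earlier comment (100 as 50+50, 110-10, 25*4 or 300/3) under 32-bit wraparound and reports any rewrite that does not evaluate back to the original immediate. The function names, the operation set and the sample values are assumptions of this example, not ZSC modules.

```python
import random

MASK32 = 0xFFFFFFFF  # 32-bit register width: every result wraps modulo 2**32

def split_constant(value, rng):
    """Rewrite one immediate as (op, a, b) with `a op b == value` under 32-bit
    wraparound (the thread's 50+50 / 110-10 / 25*4 / 300/3 idea).
    Hypothetical helper written for this example, not a ZSC module."""
    value &= MASK32
    op = rng.choice(["add", "sub", "mul", "div"])
    if op == "add":
        a = rng.randrange(1 << 32)
        return op, a, (value - a) & MASK32
    if op == "sub":
        b = rng.randrange(1 << 32)
        return op, (value + b) & MASK32, b
    if op == "mul":
        b = rng.randrange(1 << 32) | 1  # odd, so it has an inverse mod 2**32
        return op, (value * pow(b, -1, 1 << 32)) & MASK32, b
    hi = 15 if value == 0 else min(15, MASK32 // value)  # keep value*b in range
    b = rng.randrange(1, hi + 1)
    return op, value * b, b

OPS = {  # how a 32-bit CPU computes each form: only the low 32 bits survive
    "add": lambda a, b: (a + b) & MASK32,
    "sub": lambda a, b: (a - b) & MASK32,
    "mul": lambda a, b: (a * b) & MASK32,
}

def evaluate(op, a, b):
    """Interpret a rewritten constant; None marks a division that is not exact."""
    if op == "div":
        return a // b if b and a % b == 0 else None
    return OPS[op](a, b)

def obfuscate_all(values, seed=0):
    """Rewrite a list of immediates; the fixed seed keeps runs reproducible."""
    rng = random.Random(seed)
    return [split_constant(v, rng) for v in values]

def check_equivalence(originals, rewritten):
    """Return (original, rewrite, got) for every rewrite that does not evaluate
    back to its original; an empty list means the constants are equivalent."""
    mismatches = []
    for value, (op, a, b) in zip(originals, rewritten):
        got = evaluate(op, a, b)
        if got != (value & MASK32):
            mismatches.append((value, (op, a, b), got))
    return mismatches
```

The equivalence only holds under the CPU's own arithmetic: the checker keeps the low 32 bits of a product and rejects inexact division, so a hand-written rewrite such as 301/3 is reported rather than silently accepted.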