
Code Obfuscation Tool for Software Protection. Outline: Why Code Obfuscation; Features of a code obfuscator (Potency, Resilience, Cost); Classification.


1 Code Obfuscation Tool for Software Protection

2 Outline
- Why Code Obfuscation
- Features of a code obfuscator
  - Potency
  - Resilience
  - Cost
- Classification of Obfuscating Transformations

3 Why use Code Obfuscation Techniques
- Mainly to defend against software reverse engineering
- We can only make it more difficult for reverse engineers
- Available obfuscating tools work in the same way as compiler optimizers
- Reduce required space and time for compilation

4 The level of security that an obfuscator adds depends on:
- The transformations used
- The power of available deobfuscators
- The amount of resources available to deobfuscators

5 Main features of a Code Obfuscator
- Potency: the degree to which a human reader would be confused by the new code
- Resilience: how well the obfuscated code resists attacks by deobfuscation tools
- Cost: how much load is added to the application

6 Code Obfuscation
- Reverse engineering extracts pieces of a program
- Obfuscation makes reverse engineering difficult
[Diagram: a reverse engineer extracts pieces P1 .. Pn from the program P1, P2, .., Pn. Obfuscating transformations turn P1, P2, .., Pn into Q1, Q2, .., Qm, and reverse engineering fails.]

7 Protection through Obfuscation http://www.cs.arizona.edu/~collberg/Research/Obfuscation/Resources.html

8 Obfuscation methods
- Mainly based on the target information that we want to modify/obfuscate

9 Kinds of Obfuscating Transformations
Obfuscation Methods
- Lexical transformations: modify variable names
- Control transformations: change program flow while preserving semantics
- Data transformations: modify data structures
- Anti-disassembly
- Anti-debugging

10 Kinds of obfuscation for each target information

11 Available JavaScript Obfuscators
- Most available commercial JavaScript obfuscators work by applying lexical transformations
- Some obfuscators that were considered are:
  - Stunnix JavaScript Obfuscator
  - Shane Ng's GPL-licensed obfuscator
  - Free JavaScript Obfuscator

12 Example: From Stunnix

Actual code:

    function foo(arg1)
    {
        var myVar1 = "some string"; //first comment
        var intVar = 24 * 3600; //second comment
        /* here is
           a long
           multi-line comment blah */
        document.write("vars are:" + myVar1 + " " + intVar + " " + arg1);
    };

Obfuscated code:

    function z001c775808( z3833986e2c) { var z0d8bd8ba25= "\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67"; var z0ed9bcbcc2= (0x90b+785-0xc04)* (0x1136+6437-0x1c4b); document. write( "\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+ z0d8bd8ba25+ "\x20"+ z0ed9bcbcc2+ "\x20"+ z3833986e2c);};

13 Step by step examination
- The Stunnix obfuscator obfuscates only the layout of the JavaScript code
- As the obfuscator parses the code, it removes spaces, comments and line feeds
- While doing so, whenever it encounters a user-defined name, it replaces it with a random string
- It replaces printed strings with their hexadecimal escape values
- It replaces integer values with complex expressions

14 In the sample code that was obfuscated, the following can be observed
- User-defined names:
  - foo replaced with z001c775808
  - arg1 replaced with z3833986e2c
  - myVar1 replaced with z0d8bd8ba25
  - intVar replaced with z0ed9bcbcc2
- Integers:
  - 24 replaced with (0x90b+785-0xc04)
  - 3600 replaced with (0x1136+6437-0x1c4b)
- Print strings:
  - "vars are:" replaced with \x76\x61\x72\x73\x20\x61\x72\x65\x3a
  - Space replaced with \x20
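Added example (not part of the original presentation and not Stunnix code): a small normalizer that reverses the string and integer encodings listed on slide 14, which illustrates the resilience measure from slide 5. The function names are hypothetical, and SAMPLE is the slide 12 output retyped with the wrapped escapes rejoined and whitespace removed.

```javascript
// SAMPLE: obfuscated output from slide 12 (retyped, whitespace removed).
const SAMPLE = String.raw`function z001c775808(z3833986e2c){var z0d8bd8ba25="\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67";var z0ed9bcbcc2=(0x90b+785-0xc04)*(0x1136+6437-0x1c4b);document.write("\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+z0d8bd8ba25+"\x20"+z0ed9bcbcc2+"\x20"+z3833986e2c);};`;

// Replace \xNN escapes of printable ASCII with the character itself.
// Quotes and backslashes stay escaped so string literals remain valid.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (match, hex) => {
    const code = parseInt(hex, 16);
    const ch = String.fromCharCode(code);
    const printable = code >= 0x20 && code <= 0x7e;
    return printable && ch !== '"' && ch !== "'" && ch !== "\\" ? ch : match;
  });
}

// Fold parenthesised sums/differences of integer literals, e.g.
// (0x90b+785-0xc04). Parentheses are kept so call syntax such as f(1+2)
// stays intact; anything containing other operators is left untouched.
function foldIntegerExpressions(src) {
  const literal = "(?:0x[0-9a-fA-F]+|\\d+)";
  const expr = new RegExp(
    `\\(\\s*(${literal}(?:\\s*[+-]\\s*${literal})+)\\s*\\)`, "g");
  return src.replace(expr, (_, body) => {
    const tokens = body.match(/[+-]|0x[0-9a-fA-F]+|\d+/g);
    let total = Number(tokens[0]);
    for (let i = 1; i < tokens.length; i += 2) {
      const value = Number(tokens[i + 1]);
      total = tokens[i] === "+" ? total + value : total - value;
    }
    return `(${total})`;
  });
}

// Apply both passes. Identifier names cannot be restored: the renaming on
// slide 13 discards them, so z001c775808 and friends remain in the output.
function normalize(src) {
  return foldIntegerExpressions(decodeHexEscapes(src));
}

console.log(normalize(SAMPLE));
```

The strings and constants come back in two regular-expression passes, while the random identifiers stay: of the lexical transformations on slide 13, only the renaming is one-way.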

15 References
- [Collberg] C. Collberg, "The Obfuscation and Software Watermarking homepage", http://www.cs.arizona.edu/collberg/Research/Obfuscation/index.html
- [Stunnix JavaScript Obfuscator] www.stunnix.com
- [Shane Ng's GPL-licensed obfuscator] http://daven.se/usefulstuff/javascript-obfuscator.html
- [Free JavaScript Obfuscator] http://www.javascriptobfuscator.com/

