Saturday, October 6, 2012

Obfuscation methods

While I was scrolling through my old mails in search of a financial document, I found one interesting doc that I was working on a long time back and, for some unknown reason, wasn't able to continue. Here I am posting that unfinished work. I will try to cover the topics in detail in the future.


Obfuscation

To totally obscure with non-germane information in a verbose manner, with the intent to provide a non-answer, and provide total befuddlement.

“Any hacker worth his salt is an artist in obfuscation”.

In network security, obfuscation refers to methods used to obscure an attack payload from inspection by network protection systems.

Encryption vs Obfuscation

Obfuscation
Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In a programming context, it means making code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator is sometimes used to convert a straightforward program into one that works the same way but is much harder to understand.

Encryption

The manipulation of data to prevent accurate interpretation by all but those for whom the data is intended. Financial institutions use encryption to increase the security of data transmitted via the Internet.

Methods of obfuscation

Recreational Obfuscation

There are many varieties of interesting obfuscations, ranging from simple keyword substitution to the use or non-use of whitespace to create artistic effects.

Obfuscation by code morphing

This is achieved by completely replacing a section of the compiled code with an entirely new block that expects the same machine state when it begins execution as the previous section, and will leave with the same machine state after execution as the original. However, a number of additional operations will be completed as well as some operations with an equivalent effect.

Obfuscation in malicious software

Spammers frequently use obfuscated JavaScript or HTML code in spam messages. The obfuscated message, when displayed by an HTML-capable e-mail client, appears as a reasonably normal message—albeit with obnoxious JavaScript behaviors such as spawning pop-up windows. However, when the source is viewed, the obfuscations make it far more difficult for investigators to discern where the links go, or what the JavaScript code does.
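As an added example (not part of the original post), here is the kind of check an investigator or mail filter can run over a message to recover what such a script actually does. Both mail samples are constructed; the domains are placeholders. The analyzer flags the usual helper calls, measures how much of each `<script>` body is escape sequences, and decodes those escapes to list any URL that is not visible in the raw source.

```python
import re
from urllib.parse import unquote

# Constructed samples, not taken from the original post: a plain HTML mail and
# one whose script hides its real destination behind percent escapes and eval().
PLAIN_MAIL = """<html><body>
<p>Your invoice is attached.</p>
<a href="http://billing.example.com/invoice/123">View invoice</a>
</body></html>"""

OBFUSCATED_MAIL = """<html><body>
<p>Your invoice is attached.</p>
<a href="http://billing.example.com/invoice/123">View invoice</a>
<script>
eval(unescape("%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%22%68%74%74%70%3A%2F%2F%6C%6F%67%69%6E%2D%76%65%72%69%66%79%2E%65%78%61%6D%70%6C%65%2E%6E%65%74%2F%22%29"));
</script>
</body></html>"""

# Calls that plain mail rarely needs but obfuscators lean on.
SUSPECT_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
JS_ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
ANY_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def decode_escapes(text: str) -> str:
    """Resolve \\xXX, \\uXXXX and %XX escapes so hidden strings become readable."""
    text = JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(0)[2:], 16)), text)
    return unquote(text)


def escape_density(text: str) -> float:
    """Fraction of the text taken up by escape sequences (0.0 for empty text)."""
    if not text:
        return 0.0
    escaped = sum(len(m.group(0)) for m in ANY_ESCAPE_RE.finditer(text))
    return escaped / len(text)


def analyze(html: str) -> dict:
    """Score each <script> body and report URLs that only appear after decoding."""
    reasons = []
    decoded_urls = set()
    for body in SCRIPT_RE.findall(html):
        for call in SUSPECT_CALLS:
            if call in body:
                reasons.append("script uses " + call[:-1])
        density = escape_density(body)
        if density > 0.3:
            reasons.append(f"script body is {density:.0%} escape sequences")
        decoded_urls.update(URL_RE.findall(decode_escapes(body)))
    # Links an investigator can already see in the raw source are not hidden.
    hidden = sorted(decoded_urls - set(URL_RE.findall(html)))
    if hidden:
        reasons.append("url(s) visible only after decoding: " + ", ".join(hidden))
    return {"suspicious": bool(reasons), "reasons": reasons, "hidden_urls": hidden}


if __name__ == "__main__":
    for name, mail in (("plain", PLAIN_MAIL), ("obfuscated", OBFUSCATED_MAIL)):
        print(name, analyze(mail))
```

Static decoding like this only peels one layer; a script that builds its string at run time needs to be executed in a sandboxed JavaScript engine instead. The escape-density threshold is a heuristic and should be tuned against real mail.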

Trail obfuscation

The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process. Trail obfuscation covers a variety of techniques and tools that include “log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan command”.

Advantages of obfuscation

Intellectual property protection

Reduced security exposure

Size reduction

Library linking

Disadvantages of obfuscation

When used alone

At best, obfuscation merely makes it time-consuming, but not impossible, to reverse engineer a program. When security is important, measures other than obfuscation should be used.

Debugging

Obfuscated code is extremely difficult to debug. Variable names will no longer make sense, and the structure of the code itself will likely be modified beyond recognition. This fact generally forces developers to maintain two builds:

Portability

Obfuscated code often depends on the particular characteristics of the platform and compiler, making it difficult to manage if either changes.

Obfuscation for Evasion

Protection provided by security devices can be bypassed by obfuscating the exploit or shellcode. Some of the known methods are:

Encoding

Directory traversing

Null characters

Spaces
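The defence against all four of these is the same: canonicalize the request before matching it, so that the inspection engine sees what the server will see. The following is an added example, not code from the original post. The signature `/cgi-bin/forbidden.cgi` is a constructed placeholder, and the request lines are constructed too, one for each evasion named above. It contrasts a naive detector that matches the raw request with one that decodes, strips NUL bytes, tokenizes on any whitespace and resolves path segments first.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed placeholder signature, not from the original post: the path a
# detector is supposed to alert on.
SIGNATURES = ("/cgi-bin/forbidden.cgi",)

# Constructed request lines: one benign, one plain hit, then the same hit
# rewritten with each of the evasions named in the post.
REQUESTS = [
    "GET /index.html HTTP/1.1",                          # benign
    "GET /cgi-bin/forbidden.cgi HTTP/1.1",               # plain
    "GET /cgi-bin/%66orbidden.cgi HTTP/1.1",             # encoding
    "GET /cgi-bin/%2566orbidden.cgi HTTP/1.1",           # double encoding
    "GET /cgi-bin/./images/../forbidden.cgi HTTP/1.1",   # directory traversing
    "GET /cgi-bin/forbidden%00.cgi HTTP/1.1",            # null character
    "GET\t/cgi-bin//forbidden.cgi   HTTP/1.1",           # tab and extra spaces
]


def naive_match(line: str) -> bool:
    """Signature check on the raw request target, split on single spaces."""
    parts = line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    return any(sig in target for sig in SIGNATURES)


def parse_request_line(line: str):
    """Tokenize on any run of spaces or tabs, as a tolerant server would."""
    parts = re.split(r"[ \t]+", line.strip(), maxsplit=2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts


def normalize_target(target: str) -> str:
    """Canonical form of a request path, undoing each evasion before matching."""
    path = target.split("?", 1)[0]          # query string is not normalized here
    prev = None
    while prev != path:                     # decode until stable: undoes %25xx
        prev, path = path, unquote(path)
    path = path.replace("\x00", "")         # NUL never belongs in a target
    path = path.replace("\\", "/")          # assumption: backend treats \ as /
    path = re.sub(r"/+", "/", path)         # // -> /
    return posixpath.normpath(path)         # resolves . and .. segments


def normalized_match(line: str) -> bool:
    _, target, _ = parse_request_line(line)
    return any(sig in normalize_target(target) for sig in SIGNATURES)


def compare(requests):
    """(naive, normalized) verdict for each request line."""
    return [(naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for line, (naive, norm) in zip(REQUESTS, compare(REQUESTS)):
        print(f"naive={naive!s:5} normalized={norm!s:5} {line!r}")
```

Two caveats matter in practice. Decoding until the string stops changing is the right fixed point only if the protected server also decodes more than once; otherwise the engine and the server disagree, which is precisely the gap an evasion exploits, so the normalizer should mirror the specific backend. And a NUL byte or a double-encoded sequence in a request target is itself worth an alert, regardless of whether the normalized path matches any signature.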