Reversing : The Hacker's Guide to Reverse Engineering

meanings of variable values will not be immediately clear. Changing the
encoding of a variable can mean all kinds of different things, but a good
example would be to simply shift it by one bit to the left. In a counter, this
would mean that on each iteration the counter would be incremented by 2 instead
of 1, and the limiting value would have to be doubled, so that instead of:

for (int i=1; i < 100; i++)

you would have:

for (int i=2; i < 200; i += 2)

which is of course functionally equivalent. This example is trivial and would
do very little to deter reversers, but you could create far more complex
encodings that would cause significant confusion with regard to the variable’s
meaning and purpose. It should be noted that this type of transformation is
better applied at the binary level, because it might actually be eliminated (or
somewhat modified) by a compiler during the optimization process.

Restructuring Arrays


Restructuring arrays means that you modify the layout of some arrays in a way
that preserves their original functionality but confuses reversers with regard to
their purpose. There are many different forms of this transformation, such as
merging more than one array into one large array (by either interleaving the
elements from the arrays into one long array or by sequentially connecting the
two arrays). It is also possible to break one array down into several smaller
arrays or to change the number of dimensions in an array. These transformations
are not incredibly potent, but could somewhat increase the confusion factor
experienced by reversers. Keep in mind that it would usually be possible for
an automated deobfuscator to reconstruct the original layout of the array.
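
The following is an added example, not code from the book. It combines the shifted counter from the previous section with array interleaving, and shows why the layout is easy to reconstruct. The names price, qty, interleave, total_plain, total_merged and recover_matches, and the sample values, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define N 4

/* Constructed sample data: two logically separate arrays. */
static const int price[N] = {5, 7, 2, 9};
static const int qty[N]   = {3, 1, 4, 2};

/* Original form: two arrays, plain counter 0..N-1. */
int total_plain(void) {
    int sum = 0;
    for (int i = 0; i < N; i++)
        sum += price[i] * qty[i];
    return sum;
}

/* Restructuring step: interleave a[] and b[] into one array of 2*n. */
void interleave(const int *a, const int *b, int n, int *out) {
    for (int i = 0; i < n; i++) {
        out[2 * i]     = a[i];
        out[2 * i + 1] = b[i];
    }
}

/* Obfuscated form: merged array; counter shifted left one bit (step 2, limit 2*N). */
int total_merged(const int *m) {
    int sum = 0;
    for (int i = 0; i < 2 * N; i += 2)
        sum += m[i] * m[i + 1];
    return sum;
}

/* Reverser's side: the fixed stride of 2 splits back into the original arrays. */
int recover_matches(const int *m) {
    int a[N], b[N];
    for (int i = 0; i < N; i++) {
        a[i] = m[2 * i];
        b[i] = m[2 * i + 1];
    }
    return !memcmp(a, price, sizeof a) && !memcmp(b, qty, sizeof b);
}

int main(void) {
    int merged[2 * N];
    interleave(price, qty, N, merged);
    printf("%d %d %d\n", total_plain(), total_merged(merged), recover_matches(merged));
    return 0;
}
```

Note that the encoded counter and the interleaved index coincide here, so the two transformations together add little beyond what either does alone.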

Conclusion


There are quite a few options available to software developers interested in
blocking (or rather slowing down) reversers from digging into their programs.
In this chapter, I’ve demonstrated the two most commonly used approaches for
dealing with this problem: antidebugger tricks and code obfuscation. The bottom
line is that it is certainly possible to create code that is extremely difficult to
reverse, but there is always a cost. The most significant penalty incurred by
most antireversing techniques is in runtime performance; they just slow the
program down. The magnitude of investment in antireversing measures will
eventually boil down to simple economics: How performance-sensitive is the
program versus how concerned are you about piracy and reverse engineering?
