Notice how each function segment is followed by an opaque predicate that
jumps to the next segment. You could theoretically use an unconditional jump
in that position, but that would make automated deobfuscation quite trivial.
As for fooling a human reverser, it all depends on how convincing your opaque
predicates are. If a human reverser can quickly identify the opaque predicates
from the real program logic, it won’t take long before these functions are
reversed. On the other hand, if the opaque predicates are very confusing and
look as if they are an actual part of the program’s logic, the preceding example
might be quite difficult to reverse. Additional obfuscation can be achieved by
having all three functions share the same entry point and adding a parameter
that tells the new function which of the three code paths should be taken. The
beauty of this is that it can be highly confusing if the three functions are functionally unrelated to one another.
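The layout described above, as an added illustration that is not code from the book: three unrelated routines (add, multiply, xor-mix) share one entry point, a selector parameter picks the path, and every segment ends in an opaque predicate whose conditional jump (a `goto` in C, a conditional branch once compiled) leads to the next segment. The predicate, `opaque_true()`, the `merged()` function, the `g_seed` volatile and the dead statements are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the book: three unrelated functions folded
 * into one entry point. 'which' selects the path, and each segment ends in
 * an opaque predicate that chains to the next segment with a conditional
 * jump instead of an unconditional one. x*(x+1) is always even, so
 * opaque_true() never returns 0 and the fall-through "dead" statements never
 * run; g_seed is a constructed volatile so the compiler cannot fold x away. */

static volatile uint32_t g_seed = 0x1234567u;

/* Always 1: the product of two consecutive integers is even, and parity is
 * preserved under the unsigned wrap-around (2 divides 2^32). */
static int opaque_true(uint32_t x)
{
    return ((x * (x + 1u)) & 1u) == 0;
}

/* which: 0 = a + b, 1 = a * b (b >= 0 assumed), 2 = (a ^ b) ^ 0x5A */
int merged(int which, int a, int b)
{
    uint32_t x = g_seed;
    int acc = 0;
    int i = 0;

    /* shared entry: dispatch on the selector parameter */
    if (which == 1) goto mul_1;
    if (which == 2) goto xor_1;
    goto add_1;

add_1:
    acc = a;
    if (opaque_true(x)) goto add_2;       /* opaque predicate, always taken */
    acc = -1;                             /* dead: never executed */
add_2:
    acc += b;
    if (opaque_true(x + 7u)) goto done;
    acc = -2;                             /* dead */

mul_1:
    acc = 0;
    i = 0;
    if (opaque_true(x + 3u)) goto mul_2;
    acc = -3;                             /* dead */
mul_2:
    while (i < b) { acc += a; i++; }      /* repeated addition */
    if (opaque_true(x + 5u)) goto done;
    acc = -4;                             /* dead */

xor_1:
    acc = a ^ b;
    if (opaque_true(x + 11u)) goto xor_2;
    acc = -5;                             /* dead */
xor_2:
    acc ^= 0x5A;
    if (opaque_true(x + 13u)) goto done;
    acc = -6;                             /* dead */

done:
    return acc;
}

int main(void)
{
    printf("add: %d  mul: %d  xor: %d\n",
           merged(0, 3, 4), merged(1, 3, 4), merged(2, 3, 4));
    return 0;
}
```

The value of the scheme rests entirely on the predicate: `x*(x+1)` being even is a textbook identity that a decompiler pass or an experienced reverser recognizes at once, so the dead segments can be pruned and the three paths separated again. The structure is what the example shows; the predicates a real protector would use are chosen to look like genuine program state.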
Ordering Transformations
Shuffling the order of operations in a program is a free yet decently effective
method for confusing reversers. The idea is to simply randomize the order of
operations in a function as much as possible. This is beneficial because as
reversers we count on the locality of the code we’re reversing—we assume that
there’s a logical order to the operations performed by the program.
It is obviously not always possible to change the order of operations performed in a program; many program operations are codependent. The idea is
to find operations that are not codependent and completely randomize their
order. Ordering transformations are more relevant for automated obfuscation
tools, because it wouldn’t be advisable to change the order of operations in the
program source code. The confusion this would cause for the software developers would probably outweigh the minor effect this transformation has on reversers.
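The scheduling step an automated tool would perform for this transformation, as an added example that is not code from the book: each statement of a constructed straight-line function is summarized by the variables it reads and writes, two statements count as codependent when one writes a variable the other reads or writes, and `shuffle_order()` picks a random order that keeps every such dependency. The statements, the variable bitmasks, the `Op` type and the xorshift generator are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the book: dependency-aware reordering of
 * statements, the core of an automated ordering transformation. Statements
 * are described by read and write sets (bitmasks over six constructed
 * variables a..f); two statements are codependent on a read-after-write,
 * write-after-read or write-after-write hazard, everything else may be
 * permuted freely. */

#define MAX_OPS 16

typedef struct {
    const char *text;   /* the statement, for display only */
    uint8_t reads;      /* bit i set: statement reads variable i */
    uint8_t writes;     /* bit i set: statement writes variable i */
} Op;

enum { A = 1, B = 2, C = 4, D = 8, E = 16, F = 32 };   /* variable bits */

/* constructed input program: a straight-line function body */
static const Op kProgram[] = {
    { "a = read();",  0,     A },
    { "b = a * 2;",   A,     B },
    { "c = read();",  0,     C },
    { "d = c + 1;",   C,     D },
    { "e = b + d;",   B | D, E },
    { "f = 42;",      0,     F },
};
#define NOPS ((int)(sizeof kProgram / sizeof kProgram[0]))

/* sample orders used to exercise the checker: original, and one that moves
 * "e = b + d" ahead of "b = a * 2" */
static const int kOriginalOrder[] = { 0, 1, 2, 3, 4, 5 };
static const int kBrokenOrder[]   = { 0, 4, 1, 2, 3, 5 };

/* 1 if 'later' must remain after 'earlier' */
static int depends(const Op *earlier, const Op *later)
{
    return (earlier->writes & later->reads)  ||   /* read-after-write  */
           (earlier->reads  & later->writes) ||   /* write-after-read  */
           (earlier->writes & later->writes);     /* write-after-write */
}

/* xorshift32: small deterministic PRNG so a seed reproduces an ordering */
static uint32_t prng(uint32_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Random topological order of ops[0..n): each step picks uniformly among
 * unscheduled statements that do not depend on any still-unscheduled
 * predecessor. The lowest unscheduled index is always ready, so the loop
 * never stalls. */
void shuffle_order(const Op *ops, int n, uint32_t seed, int *order)
{
    int done[MAX_OPS] = {0};
    int ready[MAX_OPS];
    if (seed == 0) seed = 1;                      /* xorshift needs nonzero */
    for (int k = 0; k < n; k++) {
        int nready = 0;
        for (int i = 0; i < n; i++) {
            int blocked = 0;
            if (done[i]) continue;
            for (int j = 0; j < i && !blocked; j++)
                if (!done[j] && depends(&ops[j], &ops[i])) blocked = 1;
            if (!blocked) ready[nready++] = i;
        }
        order[k] = ready[prng(&seed) % (uint32_t)nready];
        done[order[k]] = 1;
    }
}

/* 1 if order[] is a permutation of 0..n-1 that keeps every dependency */
int order_is_valid(const Op *ops, int n, const int *order)
{
    int pos[MAX_OPS], seen[MAX_OPS] = {0};
    for (int k = 0; k < n; k++) {
        if (order[k] < 0 || order[k] >= n || seen[order[k]]++) return 0;
        pos[order[k]] = k;
    }
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (depends(&ops[i], &ops[j]) && pos[j] < pos[i]) return 0;
    return 1;
}

/* Shuffle the constructed program with a given seed and check the result. */
int shuffled_program_is_valid(uint32_t seed)
{
    int order[MAX_OPS];
    shuffle_order(kProgram, NOPS, seed, order);
    return order_is_valid(kProgram, NOPS, order);
}

int main(void)
{
    int order[MAX_OPS];
    shuffle_order(kProgram, NOPS, 0x9E3779B9u, order);
    for (int k = 0; k < NOPS; k++)
        printf("%s\n", kProgram[order[k]].text);
    return 0;
}
```

Only the two `read()` chains and the constant assignment are independent here, so the tool has a handful of legal permutations to choose from; in real code the read and write sets come from a compiler's own dataflow analysis, and memory accesses through pointers must be treated as dependent unless alias analysis proves otherwise.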
Data Transformations
Data transformations are obfuscation transformations that focus on obfuscating the program's data rather than the program's structure. This makes sense because, as you already know, figuring out the layout of important data structures in a program is a key step in gaining an understanding of the program
and how it works. Of course, data transformations also boil down to code
modifications, but the focus is to make the program’s data as difficult to
understand as possible.
Modifying Variable Encoding
One interesting data-obfuscation idea is to modify the encoding of some or all
program variables. This can greatly confuse reversers because the intuitive
Antireversing Techniques 355