Frydenberg.Pdf

UNIVERSITY OF OSLO
Department of informatics

Analysis of Obfuscated CIL code

Master Thesis
60 credits

Linn Marie Frydenberg
1st August 2006

Preface

This master thesis is the result of one year’s work in order to fulfill the requirements for the Master degree at University of Oslo, Faculty of Informatics.

Acknowledgments

First of all, I would like to thank my supervisors, Torgeir Broen at Norwegian Defence Research Establishment (FFI) and Birger Møller-Pedersen at Faculty of Informatics, University of Oslo, for their excellent guidance, various thoughts and good comments during my thesis work. I also want to thank Norwegian Defence Research Establishment (FFI) for making laboratory space available. Last but not least, I would like to thank my boyfriend Alex for his love and support, and also my family and friends for their support and encouragement during my work.

Oslo, August 2007
Linn Marie Frydenberg

Abstract

This thesis focuses on a technique known as obfuscation. The area has been given much attention in recent years as a low-cost technique for software protection. There are already numerous papers concerned with techniques for both obfuscation and deobfuscation, but there are still many untouched issues, and little has been done in practice. The use of obfuscators in practice is one of the issues explored in this thesis, on the .NET platform. Most of today’s obfuscation research is designed and tested on the Java platform. It is therefore interesting to see which techniques are implemented in the .NET obfuscators. The .NET language used in this thesis is C#.

Obfuscation is especially used on high-level languages to increase the resilience against reverse engineering. Reverse engineering is a big problem for software written in Java or .NET languages, because of their bytecode nature. Another issue in this thesis is therefore to look at the techniques used by the obfuscators and investigate whether there are techniques which are vulnerable to reverse engineering. A classification of the different obfuscation techniques is therefore given to sort out which techniques can be viewed as reversible and which are one-way.

One thing that is lacking in numerous papers about obfuscation is the actual process of reversing obfuscation techniques. Many papers propose techniques that can be used in reverse engineering, but none show the actual methods. This thesis will therefore try to reverse engineer the obfuscation techniques that are defined as reversible.

Contents

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
1 INTRODUCTION
  1.1 SCOPE OF THIS THESIS
  1.2 PROBLEM STATEMENT
  1.3 RESEARCH METHODS
  1.4 OUTLINE OF THIS THESIS
2 BACKGROUND
  2.1 CIL CODE
  2.2 OBFUSCATION TECHNIQUES
    2.2.1 Renaming symbols
    2.2.2 Control flow obfuscation
    2.2.3 Breaking Decompilation
    2.2.4 Other obfuscation techniques
  2.3 CLASSIFICATION OF THE OBFUSCATION TECHNIQUES
    2.3.1 One-way obfuscation techniques
    2.3.2 Reversible obfuscation techniques
  2.4 KNOWN METHODS FOR REVERSE ENGINEERING OBFUSCATED CODE
3 SIMULATION ENVIRONMENT
  3.1 METHODS
  3.2 CODE EXAMPLES
    3.2.1 Code example 1
    3.2.2 Code example 2
    3.2.3 Code example 3
    3.2.4 Code example 4
  3.3 OBFUSCATORS
    3.3.1 Salamander .NET Obfuscator by Remotesoft
    3.3.2 Spices .NET Obfuscator by 9Rays.NET
    3.3.3 DotFuscator by PreEmptive Solutions
  3.4 OTHER TOOLS USED
    3.4.1 Microsoft Visual Studio 2005
    3.4.2 MSIL Disassembler - ILDASM
    3.4.3 Lutz Roeder’s .NET Reflector
    3.4.4 ILASM
    3.4.5 Diff method from Linux
4 SIMULATION RESULTS
  4.1 SALAMANDER .NET OBFUSCATOR
    4.1.1 CIL code of example 1
    4.1.2 CIL code of example 2
    4.1.3 CIL code of example 3
    4.1.4 CIL code of example 4
  4.2 SPICES .NET OBFUSCATOR
    4.2.1 CIL code of example 1
    4.2.2 CIL code of example 2
    4.2.3 CIL code of example 3
    4.2.4 CIL code of example 4
  4.3 DOTFUSCATOR
    4.3.1 CIL code of example 1
    4.3.2 CIL code of example 2
    4.3.3 CIL code of example 3
    4.3.4 CIL code of example 4

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    93 pages
