
Here's my strainer


Arthaxerxes (restored)
May 20th, 2001, 10:22
Write an obfuscator that Imhotep cannot defeat.
I mean a program that generates obfuscation, not manually added obfuscation.

Arthaxerxes (restored)
May 20th, 2001, 10:23
btw I do not mean that Imhotep is the absolute deobfuscator, but for the moment I have not found obfuscation that really confuses 1.8.
Plus this would help me to greatly enhance the tool, which would in the end benefit everybody.

risc (restored)
May 20th, 2001, 10:23
hey Arthaxerxes
wondered if you tried it on VOB & COPYLOK? (lock?)

they use nicer obfuscation than safedisc

opcodes jumping into opcodes to actually do stuff required (copylok), and huge dodgy lumps of obfuscation with one or two real opcodes mixed in (vob)

just wondered

Arthaxerxes (restored)
May 20th, 2001, 10:24
thanks for the tip, I have to check that out...
Do you have any samples to spare?

IcyDee
May 20th, 2001, 14:48
The basic principle here is that a program that is generated from C or C++ can have obfuscation added 'between the source code lines' which confuses disassemblers and SoftIce disassembly.

The only reason you succeed with SafeDisc is that they have compiled their code in 'release' mode. This means that their obfuscation cannot change registers and so they are limited in what they do. (Jumps, mainly). You can therefore look for the signatures of these limited sequences of code and remove them.

If however the code is compiled in 'debug' mode (i.e. is not optimised) then it is possible to use most of the registers. The reason is that each line of source code generates machine code which is 'self-contained', i.e. most register values are not remembered from one C source code line to the next but are always re-loaded. So, in this mode it is possible to make obfuscation code which cannot be distinguished from real code (e.g. loading registers, moving from data segment to a register etc.). You would not be able to remove this code automatically since the code uses the same instructions as the 'real' code.

If you wish I can send you a sample of code generated in this way.

IcyDee
May 20th, 2001, 14:49
Oh, by the way, what happened to your message-board?

evil-risc
May 20th, 2001, 15:43
copylok doesn't jump into opcodes that do stuff required, I made a mistake .. it just has 10, 20, 30, 40 byte chunks of junk code that sometimes looks like real code, and alters registers, but basically does nothing .. just like icydee said :-)

looks a lot trickier to remove than the safedisc junk code (which imhotep really makes a fuckin mess of (misses 50% of junk, removes 10% of good code & an internal exception if I select 3 sections to imhoptamize at the same time from a fully decrypted dll))


; copylok junk code unjunked by hand
00618261 cmp dword ptr [ebp-4BCh], 0
00618268 jnz near ptr byte_6182F1
0061826E mov edx, dword ptr ds:unk_6597D5 ; junk
00618274 jnz short loc_618277 ; junk
00618276 db 0B9h ; ¦ ; mov ecx, aaaabbbb
00618277 loc_618277: ; CODE XREF: icd1:00618274j
00618277 xor eax, eax ; aaaa
00618279 xor ecx, ecx ; bbbb
0061827B jz short loc_61827E ; junk
0061827D cdq ; junkie
0061827E loc_61827E: ; CODE XREF: icd1:0061827Bj
0061827E mov ebx, 425D0C23h ; junk
00618283 mov edx, ds:dword_65BB84 ; junk
00618289 clc ; etc.
0061828A dec ecx ; etc.
0061828B clc ; etc..
0061828C mov ecx, [ebp-114h]
00618292 mov edx, [ecx+0Ch]
00618295 add edx, [ebp-2E0h]
0061829B push edx
0061829C call sub_60B97A

same code 'deobfuscated' by hand

00618261 cmp dword ptr [ebp-4BCh], 0
00618268 jnz near ptr byte_6182F1
0061826E db 8Bh, 15h, 0D5h, 97h, 65h, 0, 75h, 1, 0B9h, 33h, 0C0h
0061826E db 33h, 0C9h, 74h, 1, 99h, 0BBh, 23h, 0Ch, 5Dh, 42h, 8Bh
0061826E db 15h, 84h, 0BBh, 65h, 0, 0F8h, 49h, 0F8h
0061828C mov ecx, [ebp-114h]
00618292 mov edx, [ecx+0Ch]
00618295 add edx, [ebp-2E0h]
0061829B push edx
0061829C call sub_60B97A

looks fuckin awful :-)

you can get an example copylok file from http://ftp.gamesweb.com/pub/patches/cossacks_dvdpatch.exe

you need to 'crack' the installer to get dmcr.exe out of it though (a 2-minute job reversing jumps)


dunno about any vob exe's floating around the web, try buying a game

risc
May 21st, 2001, 06:52
I used Imhotep from protools, 1.6

level 1, 2, 3 just make the code messier

level 4 seems alright, except it misses a lot of junk code, and also deletes a lot of good code that looks like junk

i.e.

jmp $+2
mov eax, 85480a26h
xchg ecx, eax
nop
nop
mov eax, 85480226
xchg ecx, ecx
sub ecx, eax
jmp loc_1
db 89h
loc_0:
xchg ecx, eax
jmp loc_2
loc_1:
jmp loc_0
loc_2:
push sth
push sthelse
push eax
call blah

he has a few 'polymorph' techniques to move values into registers, which imh1.6 removes
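An added example (not code from this thread, and not Imhotep's) that makes IcyDee's distinction concrete and shows why a signature-only tool deletes risc's polymorphic value load: a small Python junk-code cleaner in two passes. The first is the peephole pass that needs no semantics, the kind that works on the jump-only junk IcyDee describes for release-mode code (nops, `xchg r, r`, jumps to the very next instruction such as `jmp $+2`, jmp-to-jmp chains, bytes after an unconditional jmp that no path can reach, orphan labels). The second is a backward liveness dataflow over the listing that deletes register and flag writes nothing ever reads, which is what it takes to touch the register-altering kind. Run on a listing shaped like the copylok block above it drops the `mov edx`, `xor`, `cdq`, `clc`/`dec` junk but keeps `mov ebx, 425D0C23h`, because ebx is callee-saved and could still be read after the call: with no more context that write really is indistinguishable from real code, IcyDee's point. Run on risc's listing it keeps the whole `mov`/`xchg`/`sub` sequence, because its result is the eax that gets pushed. Everything here is an assumption of mine, not the page's: the two inputs are constructed from the thread's listings (addresses dropped, the overlapping `db 0B9h` byte omitted, i.e. the stream is taken as the hand-unjunked one); EFLAGS is modelled as one pseudo-register `flags`; a cdecl/stdcall `call` is assumed to clobber eax/ecx/edx/EFLAGS and preserve the rest; only the mnemonics that occur in the listings are modelled, anything else is conservatively treated as reading every register; the opaque `jz` after `xor ecx, ecx` is not constant-folded.

```python
import re
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
ALL = set(REGS) | {"flags"}  # "flags" is a pseudo-register standing for EFLAGS
# Pure instructions (their only effect is a register/flag result): the only ones ever deleted.
PURE = {"mov", "xchg", "xor", "sub", "add", "and", "or", "inc", "dec", "cdq", "cmp", "clc", "stc", "cmc"}
is_jump = lambda mn: mn is not None and mn[0] == "j"
target = lambda ops: ops[0].split()[-1]  # "short loc_1" / "near ptr x" -> label name
regs_in = lambda text: {r for r in REGS if re.search(rf"\b{r}\b", text)}

def parse(line):
    """One listing line -> (label, mnemonic, [operands]); text after ';' is a comment."""
    text = line.split(";", 1)[0].strip()
    if not text:
        return None
    if text.endswith(":"):
        return (text[:-1], None, [])
    mn, _, rest = text.partition(" ")
    return (None, mn.lower(), [o.strip() for o in rest.split(",")] if rest.strip() else [])

def defs_uses(mn, ops):
    """(registers written, registers read) for one instruction."""
    dst, src = (ops + ["", ""])[:2]
    rd, rs, mem = regs_in(dst), regs_in(src), "[" in dst
    wr = set() if mem else rd  # a memory destination writes no register
    if mn in ("xor", "sub") and dst == src:
        return rd | {"flags"}, set()  # zeroing idiom: reads nothing
    if mn in ("add", "sub", "xor", "and", "or", "inc", "dec"):
        return wr | {"flags"}, rd | rs
    if is_jump(mn):
        return set(), (set() if mn == "jmp" else {"flags"})
    cf = ({"flags"}, {"flags"})  # clc/stc/cmc touch CF only: a read-modify-write of EFLAGS
    table = {"mov": (wr, rs | (rd if mem else set())), "xchg": (rd | rs, rd | rs), "cdq": ({"edx"}, {"eax"}),
             "cmp": ({"flags"}, rd | rs), "push": ({"esp"}, rd | {"esp"}), "clc": cf, "stc": cf, "cmc": cf,
             # ASSUMPTION: a cdecl/stdcall callee clobbers eax/ecx/edx/EFLAGS and preserves ebx/esi/edi/ebp/esp
             "call": ({"eax", "ecx", "edx", "flags"}, rd | {"esp"})}
    return table.get(mn, (set(), set(ALL)))  # unknown mnemonic: assume it reads everything

def strip_signature_junk(code):
    """Peephole pass: nop, xchg r,r, jumps to the next instruction (incl. 'jmp $+2'), jmp-to-jmp
    chains, bytes no path can reach, and labels nothing references. Repeats to a fixpoint."""
    prev = None
    while prev != code:
        prev, labels, out = code, {l: i for i, (l, _, _) in enumerate(code) if l}, []
        for i, (label, mn, ops) in enumerate(code):
            if mn == "nop" or (mn == "xchg" and ops[0] == ops[1]) or ops == ["$+2"]:
                continue
            if is_jump(mn):
                t = labels.get(target(ops))
                if t is not None and t + 1 < len(code) and code[t + 1][1] == "jmp":
                    ops = code[t + 1][2]  # thread jmp -> jmp
                if i + 1 < len(code) and code[i + 1][0] == target(ops):
                    continue  # jump to the very next instruction
            if not label and out and out[-1][1] == "jmp":
                continue  # after an unconditional jmp and before any label: unreachable
            out.append((label, mn, ops))
        refs = {target(ops) for _, mn, ops in out if is_jump(mn)}
        code = [ins for ins in out if not ins[0] or ins[0] in refs]
    return code

def liveness(code):
    """Backward dataflow: live_out[i] = registers some path after i may read before overwriting
    them. The end of the listing and jumps to labels outside it are assumed to need everything."""
    n, labels = len(code), {l: i for i, (l, _, _) in enumerate(code) if l}
    du = [(set(), set()) if l else defs_uses(mn, ops) for l, mn, ops in code]
    live_out, changed = [set() for _ in code], True
    while changed:
        changed = False
        for i, (_, mn, ops) in reversed(list(enumerate(code))):
            succ = ([] if mn == "jmp" else [i + 1]) + ([labels.get(target(ops), n)] if is_jump(mn) else [])
            out = set().union(*(ALL if s >= n else du[s][1] | (live_out[s] - du[s][0]) for s in succ))
            if out != live_out[i]:
                live_out[i], changed = out, True
    return live_out

def strip_dead_writes(code):
    """Delete pure instructions whose every result is overwritten before anything reads it."""
    prev = None
    while prev != code:
        prev, live_out = code, liveness(code)
        code = [code[i] for i, (l, mn, ops) in enumerate(code) if l or mn not in PURE
                or (mn != "cmp" and ops and "[" in ops[0]) or defs_uses(mn, ops)[0] & live_out[i]]
    return code

def clean(listing):
    """Alternate both passes to a fixpoint and return the cleaned listing as text lines."""
    code, prev = [ins for ins in map(parse, listing) if ins], None
    while prev != code:
        prev, code = code, strip_dead_writes(strip_signature_junk(code))
    return [f"{l}:" if l else (mn + " " + ", ".join(ops)).rstrip() for l, mn, ops in code]

# Constructed inputs transcribed from the thread's two listings (" / " separates instructions; addresses
# and the overlapping 'db 0B9h' byte are dropped, i.e. the stream is taken as the hand-unjunked one).
COPYLOK = """cmp dword ptr [ebp-4BCh], 0 / jnz near ptr byte_6182F1 / mov edx, dword ptr ds:unk_6597D5
jnz short loc_618277 / loc_618277: / xor eax, eax / xor ecx, ecx / jz short loc_61827E / cdq / loc_61827E:
mov ebx, 425D0C23h / mov edx, ds:dword_65BB84 / clc / dec ecx / clc / mov ecx, [ebp-114h]
mov edx, [ecx+0Ch] / add edx, [ebp-2E0h] / push edx / call sub_60B97A""".replace(" / ", "\n").splitlines()
RISC = """jmp $+2 / mov eax, 85480a26h / xchg ecx, eax / nop / nop / mov eax, 85480226 / xchg ecx, ecx
sub ecx, eax / jmp loc_1 / db 89h / loc_0: / xchg ecx, eax / jmp loc_2 / loc_1: / jmp loc_0 / loc_2:
push sth / push sthelse / push eax / call blah""".replace(" / ", "\n").splitlines()
if __name__ == "__main__": print("\n".join(clean(COPYLOK) + ["--"] + clean(RISC)))
```

The two passes feed each other, which is why `clean` alternates them: once the liveness pass has removed `cdq` and `xor eax, eax`, the `jz` points at the next instruction, the peephole pass removes it, and only then does `xor ecx, ecx` (whose ZF the `jz` consumed) become dead. What survives the copylok input is real code plus the one `mov ebx`; the next thing an analyst would add to get rid of that is context after the call, or constant folding to prove the `jz` always taken, neither of which a signature list can provide.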