I am currently reversing a binary and I am stuck at understanding what the application is trying to do. There is a memcpy operation which is copying almost 1MB from a .data section to a .bss section. This operation is made in an initialising phase and I suspect that the code running subsequently is obfuscated. The reason I think this is that the subsequent code is very convoluted. Would the large memory block being loaded have anything to do with it being obfuscated, a virtual machine maybe? The code isn't junk afterwards but just too complicated to follow what it is doing. It doesn't seem to have any large jump tables so I am not sure what I am looking at.
Is the memcpy function from a library? Or did you identify it as memcpy yourself? I have seen functions which look like memcpy, but on closer inspection also had some decompression code in them. – Willem Hengeveld May 22 '14 at 18:36
There's not really much you give us to work on, so all answers you're going to get are quite uneducated guesses. My uneducated guess is: the application copies some data to a buffer and decrypts that buffer, and the decryption routine just happens to look convoluted in assembler - hey, most encryption/decryption routines look convoluted even in source code. – Guntram Blohm May 22 '14 at 18:43
I do agree with @GuntramBlohm about the fact that the memcpy might be moving data to a statically allocated buffer (hence the .bss) for further processing. Could you provide more information, the objdump output for example? – yaspr May 22 '14 at 20:16
It came out as memcpy using IDA Pro so I am assuming it is memcpy. I could check it further to see if it is actually something else. I agree that the convoluted section could just be encryption code but I suppose that is my question: how do I work out if something is obfuscated? I am a newbie to this and some pointers on how to spot obfuscation would help dearly. – allbabel May 22 '14 at 20:31
Well, code can be obfuscated using many techniques: padding with garbage bytes, mixing instructions with data, oligomorphism with indirect branches, ... People will be able to help if they have something concrete to look at, mainly CODE. – yaspr May 22 '14 at 20:52
Looking at it further it may not be obfuscated. From what I can work out it seems to be using this table as maybe some look up table. It then constructs a series of 'encrypted' messages which it then communicates with another process in a negotiation of sorts. – allbabel May 23 '14 at 14:26
1 Answer
I've taken this to mean that you want to know how to analyse further. Load it in IDA Pro, remotely debugging in a virtual machine (that you can throw away), and have it execute until EIP is in an unanalysed region. Highlight, right click, analyse.
offbyseveral
I have already pulled out the binary and had a look at it and it seems to be a look up table of sorts. – allbabel May 23 '14 at 14:22
Sounds like compression. Look for where the data is written after the lookup. – offbyseveral May 23 '14 at 14:45
Could it be a type of encryption also? I don't think it's a public algorithm so I am thinking the complexity I can see in IDA Pro is the algorithm for the encryption. – allbabel May 23 '14 at 14:59
From your description it could be anything. I'm just trying to give you method hints. Sounds like it's going to both take a long time and be worth it. – offbyseveral May 23 '14 at 15:01
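The answer and the comment thread keep circling one triage question: is the block that memcpy copies into .bss a lookup table, a compressed or encrypted payload, or something else? A cheap check that settles much of that before any debugging is to dump the 1MB region and measure its byte entropy, both over the whole blob and per byte lane (reading the blob as an array of 2-, 4- or 8-byte records). A table of narrow values stored in wide slots has lanes that are nearly constant; ciphertext and deflate output look uniform in every lane; code and text sit in the middle. The script below is an added example, not code from the question, the answer or any commenter; the sample blobs are constructed inline (seeded pseudo-random bytes, zlib output, a synthetic 16-bit-in-32-bit table) and stand in for the real .data region, and the thresholds are rules of thumb, not ground truth.

```python
"""Entropy triage for a blob copied out of .data: lookup table, code/text,
or compressed/encrypted payload.  Added example; samples are constructed."""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def lane_entropies(data: bytes, stride: int) -> list:
    """Entropy of each byte position when the blob is read as `stride`-byte records.
    Narrow integers stored in wide slots leave near-zero lanes; ciphertext and
    deflate output look uniform in every lane."""
    return [shannon_entropy(data[lane::stride]) for lane in range(stride)]


def window_entropies(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window, to spot a mixed blob (e.g. table then payload)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify_blob(data: bytes) -> str:
    """Heuristic label for a dumped region.  Thresholds are rules of thumb."""
    # Lane check first: a structured table can have high overall entropy yet
    # still expose a constant lane, which random/encrypted data never does.
    for stride in (2, 4, 8):
        lanes = lane_entropies(data, stride)
        low = min(range(stride), key=lanes.__getitem__)
        if lanes[low] < 1.0:
            return (f"structured table: lane {low} of {stride}-byte records "
                    f"is nearly constant ({lanes[low]:.2f} bits)")
    h = shannon_entropy(data)
    if h >= 7.0:
        return (f"high entropy ({h:.2f} bits/byte): compressed or encrypted; "
                f"find the loop that reads it and see what it writes")
    return f"mixed ({h:.2f} bits/byte): code, text, or a table of wide values"


# --- constructed samples (not bytes from the binary in the question) ---
_rng = random.Random(1234)
_VOCAB = [f"w{i}" for i in range(64)]
TEXT = " ".join(_rng.choice(_VOCAB) for _ in range(20000)).encode()   # text-like
COMPRESSED = zlib.compress(TEXT, 9)                                   # deflate stream
RANDOM = bytes(_rng.getrandbits(8) for _ in range(16384))             # stands in for ciphertext
# 4096 records: 16-bit values stored in 32-bit little-endian slots, like a narrow LUT
TABLE = b"".join(((i * 0x9E3779B1) & 0xFFFF).to_bytes(4, "little") for i in range(4096))


if __name__ == "__main__":
    for name, blob in [("text", TEXT), ("compressed", COMPRESSED),
                       ("random", RANDOM), ("table", TABLE)]:
        print(f"{name:10s} {len(blob):7d} B  H={shannon_entropy(blob):.3f}  "
              f"{classify_blob(blob)}")
    # On a real dump, window_entropies() shows whether the 1MB region is one
    # thing or several regions glued together (e.g. a table followed by a payload).
    print("table windows:", [round(h, 2) for h in window_entropies(TABLE)])
```

To use it on the real region, dump the .data source range (or the .bss destination after the memcpy has run) from the debugger to a file, read it as `bytes`, and call `classify_blob` and `window_entropies` on it. Entropy alone cannot separate compressed from encrypted data; both come out near 8 bits/byte, so that split still comes from following the code that consumes the block, exactly as the answer suggests.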