code obfuscation experiment
#1
harmless. feel free to run. comments welcome.

neftis

Code:
/////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>

int main()
{


int mm = 7>4?1:4<2<4?5:4?3>4?8:9:6<1?1:0<4<6?4:6<7>2?4:7?4<6?3:7:1>0?4:3?5>9?2:5<3>8?3:2?1<3?0:8:1>4?1:7:8<5?6:5<8>4?7:6?6<5?7:5:4<8?1:3<0>7?2:8>6<1?1:9?7<9?7:9:4>1?5:6<1<9?7:8>6>2?6:5?2<5?8:7:2<9?5:3?6>9?8:1<2<6?4:7?3>1?4:1:7<7?4:4:4<0?7:6>7<8?7:6?7<1?8:0:4<1?8:7?7<6?1:4<9<3?5:0?7>8?9:1:2<5?2:7<8>9?6:9<2<2?2:8?6>4?5:2:2<8?3:6?6>3?4:3>7<5?2:0?4>0?3:8:3<0?3:7:5<2?8:0<1>3?1:9?7>1?0:3:7<1?4:6:1>8?7:9>2>3?3:1?4>4?9:9:1<4?0:3<3>9?5:7>8<2?5:8?7>6?9:0:3>8?4:9?4>6?9:4<0<5?7:7?6>3?7:1:9>2?0:2:5>0?0:6>1>2?7:9?9>9?1:2:3<0?9:6<2<5?1:0>7>0?7:7?0<2?9:2:9<2?9:6<2>2?1:4<8>0?9:5?3>2?2:1:4>1?2:5?3>1?3:6<8>0?6:7?7>8?2:4:4<8?1:3:0<2?3:3>2<0?7:7?2<4?5:8:8>0?6:8<5>1?3:4>7<9?2:2?2<8?2:0:6<9?6:6<2>4?6:8>1>8?6:2?5<4?4:8:2<3?4:2?7>5?1:2>4<8?5:9?5>5?3:3:5>3?4:7:7<4?2:2>9<7?2:5?1>4?7:2:3<4?6:9?3>7?6:8<0>4?1:2?9<3?7:7:9<6?3:7<0>8?2:1<8<1?4:5?3<2?4:0:9<2?7:6?2<7?1:7>3<6?0:1?3<2?7:3:4>4?6:0:5<2?9:4<5>8?9:0?9>7?3:3:1>8?7:4:9>1?8:7>4<6?8:9?2<9?5:3:7<1?6:8>5<9?3:4>4<1?5:9?8<3?7:2:1>5?2:8?1>1?0:2<0<5?0:9?8<0?3:6:1<8?5:6:2<3?6:5>0>8?4:2?9>4?8:1:1>1?1:0?9>1?0:8<3>0?7:4?3<5?1:0:6>5?0:3>6>8?1:3>3<6?2:3?5>0?7:7:6>1?1:7?9<4?9:3<0<8?9:7?8<3?4:7:1<7?7:0:1<0?6:5<1<8?5:9?5>8?7:5:5>5?3:6>9>8?0:3<4>9?4:7?1<7?6:4:2>4?4:1>5>9?5:6>9<7?2:5?4>3?4:4:4<8?4:0?9>8?7:0<5>9?4:7?5>0?0:7:0>6?0:2:5<9?8:0<1>2?5:7?2>4?1:0:1>4?2:9?9<5?4:2>6<3?2:5?2<6?8:5:0>0?0:6>2>6?5:8>1>2?7:3?4<3?6:5:1>0?2:8?6<2?2:7<1<8?3:7?1<2?4:6:4<0?0:5:6<8?4:1>9<9?8:1?8<5?4:6:2>9?0:0:5<6?9:9>1<0?1:2?7<5?8:1:5<0?0:3>9>2?3:4<5>6?6:5?2<2?5:2:8>6?9:3?0<0?7:9>6>5?4:8?9<0?8:3:8<4?2:9:9<9?6:8<5>5?9:2?3>6?4:9:2<3?8:4:1<8?3:4<8>4?3:3?8>0?5:8:9>9?5:8>0>0?3:5<8>4?1:6?4>4?7:2:9<2?7:2?9>3?1:6>5<6?3:1?8<6?9:5:2>2?1:5:4>9?3:3>9>3?6:2?8<6?3:4:7<5?7:7>6>3?1:2>2<5?3:2?8>5?4:3:9<3?9:9<5>7?4:7>5>1?2:1?8>3?3:4:7<5?3:2?6>8?9:8>7<4?6:7?3<0?1:0:7<3?8:9:8>7?7:1<3<4?8:8?5>6?9:2:2>5?3:8?5>5?1:4<9>1?5:9?8<6?7:5:2<2?4:3>5<3?6:9>1>8?1:6?2>6?8:8:0>1?9:0?2>3?2:0<1>5?6:9?7>0?6:9:2>0?9:9:8<1?6:8<2<3?5:5?4<1?4:4:6<4?5:5:7>0?9:6>9<3?4:3?1<6?0:7:3<9?1:7>4<5?9:3>3<5?2:5?7>2?4:9:1<6?7:9?3<8?5:1<8<3?3:7?0>9?0:5:0>9?2:9:2>2?7:9>3<8?6:1?4>4?5:9:7>7?4:9;

printf("%d", mm);


  return 0;
}

/////////////////////////////////////////////////////////////
Code:
#include <stdio.h>
#include <stdlib.h>

int main()
{


int mm = 0<5?2:0>9<1?2:2?1>7?8:2:5>9?7:6>1<7?3:4<4<8?3:0?1>8?9:7:4<1?0:0?3>9?1:7>2>4?6:4?0<0?8:5:5<8?6:6:7<4?6:9>4<3?8:7?4>8?5:8:5>1?3:0>1>8?4:6>1>5?4:5?2<0?4:1:6<2?4:1>6<4?8:6>3<8?2:5?9<0?6:5:3>7?0:5?5<8?5:7<1<4?6:6?3<1?2:9:7<7?1:6:0<3?4:5<7>8?2:7?6>7?2:7:0>6?0:3?7<5?2:3<7<3?1:4?5<9?2:9:1<2?5:1<9<2?6:7>4<0?9:1?9<1?0:5:8>9?1:4?3<5?0:2<3<3?2:3?9<2?7:4:6>8?7:8:2<4?7:7>0<1?4:9?1<4?5:6:1>5?8:1:2>9?4:2>0>0?0:0?2>9?3:6:0<9?5:5<4<2?9:2>2<6?5:7?3<2?9:8:1<2?7:5?1<4?1:4<3>9?2:9?0>8?2:5:8>1?2:3:3>8?6:9>9<7?7:0?5>1?2:2:8>6?8:5>7<8?5:0<9>8?3:3?6>3?6:2:0>7?1:3<2>4?4:8>1>1?4:7?5>5?2:0:1<6?9:7?7>5?0:5>9<7?5:0?9<9?9:6:9>3?1:5:2<7?3:3<5>6?4:1?1>4?0:3:1<9?7:4>6>3?9:8<1<6?3:6?3<1?9:9:8<1?9:7>7>5?0:7<3>5?7:0?5>1?2:8:7>6?7:6?5<1?8:1>3<9?6:0?7>0?3:4:5<9?5:2:2>1?9:2<9>8?9:8?2>9?8:2:6>3?2:0?0<8?6:8>8>6?6:4?6<2?3:7:3<7?1:7<8>3?8:0>8<6?4:9?4<8?0:7:7<5?2:0?2<7?7:5>9>7?1:6?5>6?2:7:3>7?7:0:0<2?1:0>7<1?6:8?1<1?2:3:4<0?7:8:7<3?2:5<5>6?0:6?6>9?8:6:1<2?3:5<6>1?2:0>8>4?4:7?1<2?8:8:1>3?6:7?3<6?6:3<0>1?0:7?1>9?2:3:8>0?5:9:6>9?9:2<8<3?1:8?9<6?1:4:5<2?3:9?3<4?9:3<8<0?9:7?5>9?2:1:0>3?7:2>2<0?3:2>8<7?9:6?8<0?8:1:4>0?1:1?5<9?3:0<3>1?1:9?5<8?4:8:2>5?3:0:9>5?3:9>3>5?2:1?4>0?0:2:5<8?1:1>2<9?5:6<8>1?9:4?8<6?3:0:0>4?1:3<9<3?6:3<9<4?1:6?5>0?5:8:1<4?4:8?6<0?5:9>0<8?4:9?4>1?6:2:4>0?8:0:2>4?6:1<3<5?5:6?7<6?5:2:7<2?7:6?1>2?3:7<5<7?3:4?8<2?6:5:4<6?6:8<6>9?8:9<3<7?4:5?8<3?9:9:4<5?9:9?8>0?0:7<0>4?6:3?5>6?5:9:8<7?8:7:8<6?0:7>2>4?1:5?9<1?9:1:4>7?8:9:3>4?4:9<8<7?0:3?6<5?5:4:9<6?4:4>2<1?2:2>8>2?2:3?8>2?2:7:4<7?3:4?7<1?2:0<0>7?0:4?4<2?9:0:7>1?3:2:4<9?4:0>9>3?4:2?8>9?0:9:7>8?8:4:9<5?5:0<0>9?1:6?1>8?3:0:6>3?7:8<3>1?6:4<7<6?8:6?9<9?8:6:4<4?6:1?3>6?7:6>9>8?7:0?1<1?1:0:8>2?7:7:1<3?5:6>1<0?3:5?6<4?0:8:5>5?6:9>0<6?6:6>0<1?5:1?9<1?4:1:9<8?9:4<6<8?6:2>0<1?3:9?7<1?3:1:4<5?4:8?8<5?9:9<6<9?0:0?8<7?9:9:4<6?7:7:8>8?5:0>9<5?7:0?0>4?0:1:5<6?7:1?9<9?0:8<5<5?7:5?8>8?8:3:4>1?3:9>3<9?7:3>3<4?8:9?7<9?9:5:4>8?7:5?3<5?2:9>1<9?6:3?9<6?3:0:6>0?3:9:8<2?9:3>8>3?8:3?4<1?1:8:0>3?7:7:6>4?4:7<1>1?6:5?0>3?2:9:3<8?2:6>3>1?0:1>4<4?9:1?3>3?9:6:5>0?3:1?5<6?1:3>0<1?4:5?8>9?0:1:7>8?5:9:8<5?5:3<0>9?1:1?5<8?0:8:7>5?6:0;

printf("%d", mm);


  return 0;
}
Reply
#2
Well yes, but actually no :/
Compiled with:
- VS2019 (MSVC)
- gcc -O3
- gcc

Base gcc (default optimizations) looks like this when disassembled:
[Image: debef1df7693a9ee74742ea147a8e011.png]
It just puts 0x1 on the stack, pushes it into esi, then adds the necessary register values to finally call printf().
In the -O3 version, it skips the stack part and just pushes 0x1 into esi to start.

The MSVC version is a lot more bloated, but that's because it does all sorts of calls to ntdll and ldrp* functions, while the actual compiled code is still only a couple bytes long.

Although the code looks near impossible to read (rather, it's just exponentially faster to print the value instead of trying to decipher it by hand, as you demonstrate), the compiler does this already on its own to speed up the overall execution time. All you end up doing here is making it hard to read the actual source (that you're in charge of writing.)

In other words, it ends up crippling your workflow and your ability to read your own code and doesn't do anything to actually obfuscate the end-result, which is what researchers and antiviruses are going to end up seeing. :/

It might be useful if you're trying to sell source files to someone, but at the end of the day if they're competent enough to edit the files to their specifications, they're going to be competent enough to just print all your obfuscated sections and they'll just be pissed that you tried to hinder them.
Reply
#3
Poppopret-

Thanks for your insights, especially your detailed examination and taking the time to create the your post. Going forward, I think I'll refrain from referring to what I'm doing as "code obfuscation," as that means something very specific. However, I'm working toward that. I have read your comment and will be referring to it in the coming days.

While the source is difficult to read, looking at it disassembled (after compilation) is relatively clear. Is this what you mean?

Hopefully I didn't disappoint you. That wasn't my intention. This is terra incognita for me currently.

Thanks again,
neftis
Reply
#4
hardly disappointed; you had a novel idea and brought it to fruition, even if it is a little bit useless in actual practice
not to mention you did it in c

i mean im not one to badger on about terminology. you had your source code and you obfuscated it, in its most general definition (i.e. you made your source code harder to read.)

i care more about practical scenario. like i mentioned, i dont see any explicit reasons to use something like this, at least in the domain of compiled languages. sure it makes sense for scripting languages, any malicious javascript is usually built in a similar fashion and because js has endless options for syntax, a lot of it is surprisingly hard to read.

but yeah thats what i mean: the compiler makes a lot of optimizations on its own to help speed up the execution time of the final result. i'm not gonna count how many ternary operators you're using. if it compiled to run each conditional statement linearly, then sure it would be a lot more bytecode and significantly slower, but it would still be pretty easy to figure out:

Code:
mov eax,7
cmp eax,6
jg eip+4
mov eax,5
cmp eax,9
jl eip+4
[...]

mov esi,0x0 ;if end of branch is false *****
jmp eip+8
mov esi,0x1 ;if end of branch is true *****
mov eax,0
[...]
call printf
ret

so in reality you would only need to step through the branches and find which branch the conditions end at.

alternatively, you could set a breakpoint somewhere after the conditionals block and before the call to printf and print the stack and all registers to get the value, wherever it's saved.

but now im getting more into reverse engineering rather than obfuscation of a binary so im gonna stop.

all you need to know is that the compiler will make a lot of optimizations on its own to speed up code execution. you can usually figure out when it will if the value you are trying to obfuscate is generated from a lot of fixed/static values (as yours are: all integers and comparisons). in these cases, even disabling compiler optimizations (i.e. -O0 flag) wont help, nor will the use of `volatile`.

edit: also sorry if i dont make any sense and im rambling, im a tiny bit drunk atm
Reply
#5
Added code tags to your original post. Keeps things nice and organized. We use regular BB code as of writing. So a code tag would be added like so:

[ code]

// Source goes here

[ /code ]

Without spaces.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  explorations in BlackMatter machine code and ELF parsing neftis 1 4,911 09-07-2021, 07:37 AM
Last Post: Vector
  primitive ransomware experiment neftis 3 7,902 08-19-2021, 08:54 PM
Last Post: zzeuss
  towards pseudo-obfuscation neftis 5 10,637 07-21-2021, 05:17 AM
Last Post: poppopret
  Malware Source-code Share Insider 5 17,450 06-14-2020, 06:40 AM
Last Post: Insider