Proof of code obfuscation functionality #131

Open
taylorgag opened this issue May 6, 2021 · 8 comments

Comments

@taylorgag

Sorry to bother you, but how can we prove the functionality of code before and after code obfuscation?

@Ali-Razmjoo
Collaborator

Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.

Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?

@taylorgag
Author

> Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.
>
> Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?

Thanks for your warm reply. What I want to say is: how do we make sure that the functions of the code before and after the code obfuscation are the same?

@oldkingcone

> Before answering, I'd like to mention this project has not been updated for so long; it might have some errors.
> Do you mean you want to analyze the assembly code to see what it actually does, or do you mean how to test the PoC if it works?
>
> Thanks for your warm reply. What I want to say is: how do we make sure that the functions of the code before and after the code obfuscation are the same?

By understanding how the obfuscation process takes place, and then going in reverse order.

@taylorgag
Author

> By understanding how the obfuscation process takes place, and then going in reverse order.

Do you know any general theorems or open materials to independently prove this?

@taylorgag
Author

> reverse order

"In reverse order", what does this mean? Can you explain it to me in more detail?

@Ali-Razmjoo
Collaborator

Sorry for my late answer;

@taylorgag yes, code functionality is the same after and before obfuscation;

There are a few modules that obfuscate the shellcode: they take the hex values and recalculate them in some random ways. For example, if the value is 100, then 50+50, 110-10, 25*4 and 300/3 are the same thing, right? So when it calculates the values, for example the syscall "exec" is 0x100 or whatever, it will just change the value in a way that just mentions it indirectly.

Here is an old blog post that explains a little bit about this: https://web.archive.org/web/20161012002249/http://www.z3r0d4y.com/2015/05/zcr-shellcoder-review-and-analysis_20.html

And here is also a blog post that helps you analyse a shellcode:

https://web.archive.org/web/20160922154856/http://www.z3r0d4y.com/2015/08/shellcode-analysing-using-gdb.html

Let me know if you have more questions.

@taylorgag
Author

> Sorry for my late answer;
>
> @taylorgag yes, code functionality is the same after and before obfuscation;
>
> There are a few modules that obfuscate the shellcode: they take the hex values and recalculate them in some random ways. For example, if the value is 100, then 50+50, 110-10, 25*4 and 300/3 are the same thing, right? So when it calculates the values, for example the syscall "exec" is 0x100 or whatever, it will just change the value in a way that just mentions it indirectly.
>
> Here is an old blog post that explains a little bit about this: https://web.archive.org/web/20161012002249/http://www.z3r0d4y.com/2015/05/zcr-shellcoder-review-and-analysis_20.html
>
> And here is also a blog post that helps you analyse a shellcode:
>
> https://web.archive.org/web/20160922154856/http://www.z3r0d4y.com/2015/08/shellcode-analysing-using-gdb.html
>
> Let me know if you have more questions.

Thanks for your warm reply. In fact, I am now doing a new language obfuscation, and then I need to prove that the functionality of the code before and after the obfuscation is the same before I can proceed with the next experiment.

@Ali-Razmjoo
Collaborator

You can create functionality to deobfuscate the code and compare it with the original one, maybe...
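The two technical points in this thread, the arithmetic rewriting of immediates that Ali-Razmjoo describes (100 becomes 50+50, 110-10, 25*4 or 300/3) and the deobfuscate-and-compare check suggested in the last comment, as one added example. This is not code from the project discussed in the issue or from either commenter. It rewrites a constant into a random equivalent form, evaluates that form the way a CPU would, and reports any rewrite that does not give the original back; a deliberately broken rewrite is included so the check has something to catch. The 32-bit register width, the wraparound rule and all function names are assumptions made for this example.

```python
"""Immediate-value obfuscation plus an equivalence (deobfuscate-and-compare) check.

Added example for this thread; not code from the project under discussion.
Assumed for the example: a 32-bit register, so every operand and result wraps
modulo 2**32, and all function names below.
"""
import operator
import random

MASK32 = 0xFFFFFFFF  # assumed register width; immediates and results wrap here

# op name -> (binary function, symbol used when printing the rewritten form)
OPS = {
    "add": (operator.add, "+"),
    "sub": (operator.sub, "-"),
    "mul": (operator.mul, "*"),
    "div": (operator.floordiv, "/"),
    "xor": (operator.xor, "^"),
}


def obfuscate_value(value, rng):
    """Rewrite `value` as a triple (op, a, b) with (a op b) & MASK32 == value.

    Every branch is exact by construction: add/sub/xor cancel algebraically,
    mul only uses a divisor of `value`, div only uses a dividend that is an
    exact multiple of the divisor and still fits in 32 bits.
    """
    value &= MASK32
    op = rng.choice(sorted(OPS))
    if op == "add":                       # 50 + 50
        a = rng.randrange(0, 1 << 32)
        return op, a, (value - a) & MASK32
    if op == "sub":                       # 110 - 10
        b = rng.randrange(0, 1 << 32)
        return op, (value + b) & MASK32, b
    if op == "xor":                       # a ^ (value ^ a)
        a = rng.randrange(0, 1 << 32)
        return op, a, value ^ a
    if op == "mul":                       # 25 * 4: the factor must divide value
        if value == 0:
            return op, 0, rng.randrange(1, 1 << 32)
        divisors = [d for d in range(1, min(value, 4096) + 1) if value % d == 0]
        d = rng.choice(divisors)
        return op, d, value // d
    # div: 300 / 3. The dividend value*k must fit the register width, otherwise
    # it is truncated when emitted and the quotient no longer equals value.
    k = rng.randrange(1, MASK32 // value + 1) if value else rng.randrange(1, 1 << 32)
    return op, value * k, k


def naive_div(value, rng):
    """A broken rewrite kept for contrast: it ignores the register width, so the
    dividend is truncated to 32 bits and large values no longer divide back."""
    k = rng.randrange(2, 10)
    return "div", (value * k) & MASK32, k


def evaluate(expr):
    """Apply the operation the way the CPU would: 32-bit operands, wrapped result."""
    op, a, b = expr
    fn, _ = OPS[op]
    return fn(a, b) & MASK32


def render(expr):
    op, a, b = expr
    return f"{a:#x} {OPS[op][1]} {b:#x}"


def check_equivalence(values, obfuscator=obfuscate_value, seed=0, rounds=3):
    """Differential check: rewrite each value several times, evaluate the
    rewritten form and compare with the original. Returns the mismatches as
    (original, rewritten form, value it actually evaluates to); an empty list
    means every tested rewrite was equivalent on these inputs."""
    rng = random.Random(seed)
    mismatches = []
    for v in values:
        for _ in range(rounds):
            expr = obfuscator(v, rng)
            got = evaluate(expr)
            if got != (v & MASK32):
                mismatches.append((v, render(expr), got))
    return mismatches


if __name__ == "__main__":
    rng = random.Random(1)
    for v in (100, 0x100, 0xDEADBEEF):
        expr = obfuscate_value(v, rng)
        print(f"{v:#x} -> {render(expr)} = {evaluate(expr):#x}")
    print("correct rewrite mismatches:", check_equivalence([0, 1, 100, 0xDEADBEEF, MASK32]))
    print("naive rewrite mismatches:  ", check_equivalence([100, 0x80000000], obfuscator=naive_div))
```

Run it directly to see a few random rewritten forms and the result of both checks. Two things worth noting: the check in `check_equivalence` only establishes equivalence on the inputs it was run with, which is the usual limit of a deobfuscate-and-compare test, so for a rewrite rule the argument that it holds for every value is the algebraic one written in the comments of `obfuscate_value`; and the `naive_div` case shows the kind of defect such a check is good at finding, a rewrite that is correct for small constants like 100 but wrong once an intermediate value no longer fits the register.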
