Jump to content
Tuts 4 You

movfuscator


Recommended Posts

Following the publication of a paper which proves that using 'mov' is turing complete (http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf) someone has written a mov only compiler.

The M/o/Vfuscator (short 'o', sounds like "mobfuscator") compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.

The basic effects of the process can be seen in overview, which illustates compiling a simple prime number function with gcc and the M/o/Vfuscator.

https://github.com/xoreaxeaxeax/movfuscator/

  • Like 4
Link to comment

Yup saw it a while back, pretty interesting, tried following it up, but got lost in compilation xD, I know I know, most of you guys saying: "if you get lost in compiling, u shouldn't be programming at all XD" but like I said that was a while back, and didn't had the complete packages to compile xD

Edited by 0xNOP
Link to comment
Teddy Rogers

Does anyone know if there are any practical examples of this being used anywhere in production code?

Ted.

Link to comment

Would be interesting to see if anyone uses it in prod code, especially given the large increase in code size and inefficiency. Having sad that, movs are fairly fast and it's not much different to an obfuscated VM.

I've not looked at the code, but I presume you could probably deobfuscate fairly easily as it likely uses patterns for each instruction.

I was just impressed someone had pulled it off. The paper is a great read - when I originally saw this I couldn't understand how instructions such jmp and cmp could be done with just movs. I loved the application of simple logic to do it.

  • Like 1
Link to comment
2 minutes ago, Loki said:

probably deobfuscate fairly easily as it likely uses patterns for each instruction.

According to github page, "Current post-processing scripts include: Instruction shuffling and register renaming, to prevent simple decompilation through pattern matching."
But I wouldn't want to spend my time reversing that kind of junk code anyway. :) 

Link to comment

I remember that some of the older versions could be reversed pretty easily using CodeDoctor plugin, to readable and understandable asm code...

Not sure of this newer version though.

Link to comment

Interesting to see this topic coming up here.

It would be nice to see a semi-automatic deobfuscation similar to the symbolic execution approach as in the LLVM-obfuscator
http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html
Someone wrote briefly about defeating the movfuscator crackme here: https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html
And another one about an attack on a "movfuscated" AES implementation: https://www.reddit.com/r/ReverseEngineering/comments/3gh4kr/movfuscator_writeup/

 

  • Like 3
Link to comment
  • 2 weeks later...

Hey,

I just saw this post on /r/ReverseEngineering ( https://www.reddit.com/r/ReverseEngineering/comments/4ovmg0/demovfuscator/ )
and thought you might be interested in it.

Someone from Germany deobfuscated movfuscator as a part of his bachelor's thesis: 
Here's the thesis: https://kirschju.re/static/ba_jonischkeit_2016.pdf
And the code: https://github.com/kirschju/demovfuscator 
Take a look at it and share your thoughts :)


Side note: Another cool project of the movfuscator developer, in case you haven't seen it yet:
https://github.com/xoreaxeaxeax/REpsych

  • Like 1
Link to comment
  • 1 month later...
  • 11 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...