movfuscator

[Loki]

Following the publication of a paper which proves that using 'mov' is turing complete (http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf) someone has written a mov only compiler.

The M/o/Vfuscator (short 'o', sounds like "mobfuscator") compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.

The basic effects of the process can be seen in overview, which illustates compiling a simple prime number function with gcc and the M/o/Vfuscator.

https://github.com/xoreaxeaxeax/movfuscator/

[Jasi2169]

interesting,aint that would be hard on CPU like will take more time in executing alots of movs ? anyway lets c

[Teddy Rogers]

This makes for really interesting flow graphs!

Ted.

[XenocodeRCE]

This is absolutely awesome ! 

[0xNOP]

Yup saw it a while back, pretty interesting, tried following it up, but got lost in compilation xD, I know I know, most of you guys saying: "if you get lost in compiling, u shouldn't be programming at all XD" but like I said that was a while back, and didn't had the complete packages to compile xD

Edited June 6, 2016 by 0xNOP

[Teddy Rogers]

Does anyone know if there are any practical examples of this being used anywhere in production code?

Ted.

[camilo]

It would be real fun try to debug it Really awesome! Hope never face a target "movfuscated" hahaha.

[Loki]

Would be interesting to see if anyone uses it in prod code, especially given the large increase in code size and inefficiency. Having sad that, movs are fairly fast and it's not much different to an obfuscated VM.

I've not looked at the code, but I presume you could probably deobfuscate fairly easily as it likely uses patterns for each instruction.

I was just impressed someone had pulled it off. The paper is a great read - when I originally saw this I couldn't understand how instructions such jmp and cmp could be done with just movs. I loved the application of simple logic to do it.

[kao]

2 minutes ago, Loki said:

probably deobfuscate fairly easily as it likely uses patterns for each instruction.

According to github page, "Current post-processing scripts include: Instruction shuffling and register renaming, to prevent simple decompilation through pattern matching."
But I wouldn't want to spend my time reversing that kind of junk code anyway.  

[Techlord]

I remember that some of the older versions could be reversed pretty easily using CodeDoctor plugin, to readable and understandable asm code...

Not sure of this newer version though.

[Zulu]

Interesting to see this topic coming up here.

It would be nice to see a semi-automatic deobfuscation similar to the symbolic execution approach as in the LLVM-obfuscator
http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html
Someone wrote briefly about defeating the movfuscator crackme here: https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html
And another one about an attack on a "movfuscated" AES implementation: https://www.reddit.com/r/ReverseEngineering/comments/3gh4kr/movfuscator_writeup/

 

[Zulu]

Hey,

I just saw this post on /r/ReverseEngineering ( https://www.reddit.com/r/ReverseEngineering/comments/4ovmg0/demovfuscator/ )
and thought you might be interested in it.

Someone from Germany deobfuscated movfuscator as a part of his bachelor's thesis: 
Here's the thesis: https://kirschju.re/static/ba_jonischkeit_2016.pdf
And the code: https://github.com/kirschju/demovfuscator 
Take a look at it and share your thoughts 

Side note: Another cool project of the movfuscator developer, in case you haven't seen it yet:
https://github.com/xoreaxeaxeax/REpsych

[Teddy Rogers]

I bumped in to this today and it reminded me of this topic...

Ted.

[whoknows]

https://github.com/xoreaxeaxeax/movfuscator