Loki, posted June 6, 2016: Following the publication of a paper which proves that using 'mov' is Turing complete (http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf), someone has written a mov-only compiler. The M/o/Vfuscator (short 'o', sounds like "mobfuscator") compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating. The basic effects of the process can be seen in the overview, which illustrates compiling a simple prime number function with gcc and the M/o/Vfuscator. https://github.com/xoreaxeaxeax/movfuscator/
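To make the "comparisons and jumps through mov" claim concrete, here is an added example written for this thread; it is not code from the movfuscator project or the paper. It models three of the paper's building blocks in C, where every statement inside `eq_movonly` and the loop body is a single plain load or store (the mov forms): equality by address aliasing, increment by table lookup, and a conditional by predicated store to a selected pointer. All names (`scratch`, `inc_tab`, `count_matches_movonly`) and the sample buffer are assumptions of this illustration.

```c
#include <stdint.h>

/* Constructed illustration, not movfuscator's own code: every statement in
 * eq_movonly and in the loop body below is one plain load or store with an
 * immediate, a register or an indexed memory operand, i.e. the mov forms the
 * paper relies on. No add, cmp or conditional branch appears in them. */

static uint8_t scratch[256];   /* aliasing scratch, indexed by a byte value */
static uint8_t dummy;          /* sink for writes that must have no effect */
static uint8_t inc_tab[256];   /* inc_tab[x] == (x + 1) & 0xff, filled once */

void init_tables(void) {       /* table setup is ordinary C, done once */
    for (int x = 0; x < 256; x++) inc_tab[x] = (uint8_t)(x + 1);
}

/* x == y by address aliasing: store 0 at [x], 1 at [y], read [x] back. Only
 * when x and y name the same cell does the second store clobber the first. */
uint8_t eq_movonly(uint8_t x, uint8_t y) {
    uint8_t r;
    scratch[x] = 0;
    scratch[y] = 1;
    r = scratch[x];
    return r;
}

/* Count how many bytes of buf equal key. The "if" becomes a predicated store:
 * the write lands in count or in dummy depending on which pointer the flag
 * selects. The while loop stands in for the single unconditional jmp that a
 * movfuscated program ends with; done is computed with mov-only equality. */
uint8_t count_matches_movonly(const uint8_t *buf, uint8_t len, uint8_t key) {
    uint8_t *targets[2], *p;
    uint8_t i = 0, count = 0, done, e, v, next;
    init_tables();             /* setup outside the mov stream */
    targets[0] = &dummy;       /* flag 0: the write goes nowhere useful */
    targets[1] = &count;       /* flag 1: the write really updates count */
    done = eq_movonly(i, len);
    while (!done) {            /* loop-back only; see comment above */
        v = buf[i];
        e = eq_movonly(v, key);
        next = inc_tab[count]; /* count + 1 without an add instruction */
        p = targets[e];
        *p = next;             /* predicated "mov [count], next" */
        i = inc_tab[i];
        done = eq_movonly(i, len);
    }
    return count;
}
```

The real tool applies the same pointer-selection idea to every store in the program, which is why a "jump" is simply a flag that routes all writes to a dummy until the target label is reached.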
Jasi2169, posted June 6, 2016: Interesting, wouldn't that be hard on the CPU, like taking more time executing lots of movs? Anyway, let's see.
Teddy Rogers, posted June 6, 2016: This makes for really interesting flow graphs! Ted.
XenocodeRCE, posted June 6, 2016: This is absolutely awesome!
0xNOP, posted June 6, 2016 (edited): Yup, saw it a while back, pretty interesting. Tried following it up, but got lost in compilation xD. I know, I know, most of you guys are saying: "if you get lost in compiling, u shouldn't be programming at all XD", but like I said that was a while back, and I didn't have the complete packages to compile xD. Edited June 6, 2016 by 0xNOP.
Teddy Rogers, posted June 7, 2016: Does anyone know if there are any practical examples of this being used anywhere in production code? Ted.
camilo, posted June 7, 2016: It would be real fun to try to debug it. Really awesome! Hope I never face a "movfuscated" target, hahaha.
Loki (thread author), posted June 8, 2016: Would be interesting to see if anyone uses it in prod code, especially given the large increase in code size and inefficiency. Having said that, movs are fairly fast and it's not much different to an obfuscated VM. I've not looked at the code, but I presume you could probably deobfuscate fairly easily as it likely uses patterns for each instruction. I was just impressed someone had pulled it off. The paper is a great read - when I originally saw this I couldn't understand how instructions such as jmp and cmp could be done with just movs. I loved the application of simple logic to do it.
kao, posted June 8, 2016: Quoting Loki (2 minutes ago): "probably deobfuscate fairly easily as it likely uses patterns for each instruction." According to the GitHub page, "Current post-processing scripts include: Instruction shuffling and register renaming, to prevent simple decompilation through pattern matching." But I wouldn't want to spend my time reversing that kind of junk code anyway.
Techlord, posted June 8, 2016: I remember that some of the older versions could be reversed pretty easily using the CodeDoctor plugin, to readable and understandable asm code... Not sure of this newer version though.
Zulu, posted June 8, 2016: Interesting to see this topic coming up here. It would be nice to see a semi-automatic deobfuscation similar to the symbolic execution approach used against the LLVM obfuscator: http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html Someone wrote briefly about defeating the movfuscator crackme here: https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html And another one about an attack on a "movfuscated" AES implementation: https://www.reddit.com/r/ReverseEngineering/comments/3gh4kr/movfuscator_writeup/
Zulu, posted June 21, 2016: Hey, I just saw this post on /r/ReverseEngineering ( https://www.reddit.com/r/ReverseEngineering/comments/4ovmg0/demovfuscator/ ) and thought you might be interested in it. Someone from Germany deobfuscated movfuscator as a part of his bachelor's thesis. Here's the thesis: https://kirschju.re/static/ba_jonischkeit_2016.pdf And the code: https://github.com/kirschju/demovfuscator Take a look at it and share your thoughts. Side note: another cool project of the movfuscator developer, in case you haven't seen it yet: https://github.com/xoreaxeaxeax/REpsych
Teddy Rogers, posted August 16, 2016: I bumped into this today and it reminded me of this topic... Ted.
whoknows, posted July 17, 2017: https://github.com/xoreaxeaxeax/movfuscator