PerimeterX/restringer

Dynamically reconstruct control flow

Closed this issue · 0 comments

I wanted to create a discussion for this but I can't seem to open a discussion, so feel free to convert this to a discussion.

I am running into an RE challenge and wondered whether it would be possible to create a module for this lib to tackle this.

The code I am trying to RE uses a lot of small if statements to obfuscate the control flow. It uses a large array with numbers as a sequence of when to execute which if blocks.

Currently, I have been reverse engineering this by manually stepping through it in a debugger and keeping track of the logic, which works, but gets very tedious for bigger operations. So I was wondering if it would be possible to dynamically analyze the control flow and simplify it.

Simplified example:

// encoded variable content
var data = "484e4f4a403f52...";

// i is the array with > 1000 numbers containing the operating sequence
var i = [];

// Provision i

// r is the cursor into i (declared here so the loop below is self-contained)
var r = 0;

for (var x = [];;) {
  try {
    // r increases by an arbitrary amount each iteration
    // v dictates which block will be executed next
    var v = i[r++];
    if (v < 33) {
      if (v < 14) {
        // ...
      } else if (v < 22) {
        if (v < 19) {
          if (v < 17) {
            // ...
          } else if (17 === v) {
            // ...
          } else {
            // ...
          }
        } else if (v < 20) {
          // ...
        } else if (20 === v) {
          // ...
        } else {
          // ...
        }
      } else if (v < 25) {
        // ...
      }
    }
  }
  catch (e) {
    // ...
  }
}

Each block here performs a small and simple task, and currently, my RE process entails keeping track of what data is modified in which way, which, as you can imagine, gets very labor-intensive for a large sequence of operations.

I was thinking it could perhaps theoretically be possible to simplify the control flow by executing the code and dynamically keeping track of what happens, and then reconstructing that logic.

I understand it's not a simple thing, but I am no expert on the topic so I am curious to hear others' perspectives on this.

So... any ideas on whether it's possible to create a module for this, or other tips to RE code like this?

I've tried to keep the details here brief for clarity, but I can further elaborate on specific aspects if needed.
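As an added example of the dynamic approach described in the issue (this is not code from restringer or from the issue author), the block below runs a small dispatcher-driven program with its block table instrumented, records which block executed with what effect, and rebuilds straight-line JavaScript from that trace. The operating sequence, the four blocks and the `acc` state are all constructed for illustration.

```javascript
// Added example, not code from restringer or from the issue: a trace-based
// pass that linearises a dispatcher-driven control flow like the one above.
// The sequence, blocks and state layout are all constructed for illustration.

// Constructed "operating sequence": each number selects one small block.
const seq = [3, 17, 20, 41, 17, 20];

// The small blocks, factored out so a trace can refer to them by name.
const ops = {
  init: s => { s.acc = 0; },
  add7: s => { s.acc += 7; },
  dbl:  s => { s.acc *= 2; },
  xor:  s => { s.acc ^= 0x5a; },
};

// The obfuscated dispatcher: nested range checks only map v to a block.
function step(v, s, o) {
  if (v < 33) {
    if (v < 14) o.init(s);
    else if (v < 22) { if (v < 19) o.add7(s); else o.dbl(s); }
  } else o.xor(s);
}

// Execute the flattened program with the block table wrapped in a Proxy,
// so every executed block is logged together with the state it produced.
function traceRun(sequence) {
  const trace = [];
  const state = { acc: 0 };
  const traced = new Proxy(ops, {
    get: (t, name) => s => { t[name](s); trace.push({ op: name, acc: s.acc }); },
  });
  let r = 0;
  while (r < sequence.length) step(sequence[r++], state, traced);
  return { trace, result: state.acc };
}

// Emit straight-line JavaScript from the trace: the dispatcher and the index
// array are gone; only the blocks that actually ran remain, in order.
function reconstruct(trace) {
  const src = { init: 'acc = 0;', add7: 'acc += 7;', dbl: 'acc *= 2;', xor: 'acc ^= 0x5a;' };
  return ['let acc;', ...trace.map(t => src[t.op]), 'return acc;'].join('\n');
}

// Check that the simplified program computes the same result as the original.
function verify(sequence) {
  const run = traceRun(sequence);
  return new Function(reconstruct(run.trace))() === run.result;
}
```

A trace only covers the paths taken for the inputs it was recorded on, so if a block contains its own data-dependent branch, each input class has to be traced separately and the resulting straight-line programs merged.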