---
tags: decompiler
title: Obfuscation techniques
---
# Overview
We need to show that PyFET handles the obfuscation techniques we listed in our rebuttal. The key obfuscation techniques listed in the rebuttal are as follows:
1. [pjorion](https://koreanrandom.com/forum/topic/15280-pjorion-%D1%80%D0%B5%D0%B4%D0%B0%D0%BA%D1%82%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-%D0%BA%D0%BE%D0%BC%D0%BF%D0%B8%D0%BB%D1%8F%D1%86%D0%B8%D1%8F-%D0%B4%D0%B5%D0%BA%D0%BE%D0%BC%D0%BF%D0%B8%D0%BB%D1%8F%D1%86%D0%B8%D1%8F-%D0%BE%D0%B1%D1%84%D1%83%D1%81%D0%BA%D0%B0%D1%86%D0%B8%D1%8F-%D0%BC%D0%BE%D0%B4%D0%BE%D0%B2-%D0%B2%D0%B5%D1%80%D1%81%D0%B8%D1%8F-135-%D0%B4%D0%B0%D1%82%D0%B0-11082019/) - Make an account to download the obfuscator
2. Adding NOP instructions, as described [here](https://www.mandiant.com/resources/deobfuscating-python)
3. Dynamically loaded and executed bytecode, as shown [here](https://isc.sans.edu/forums/diary/Nicely+Obfuscated+Python+RAT/26680/)
**Overall task:** Reproduce the obfuscation techniques to get the obfuscated `pyc` files and, at the same time, write a script that deobfuscates the obfuscated files.
## Task 1 (PJORION):
**Part 1:** The first key task is obfuscating using pjorion. Follow the [blog](https://koreanrandom.com/forum/topic/15280-pjorion-%D1%80%D0%B5%D0%B4%D0%B0%D0%BA%D1%82%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-%D0%BA%D0%BE%D0%BC%D0%BF%D0%B8%D0%BB%D1%8F%D1%86%D0%B8%D1%8F-%D0%B4%D0%B5%D0%BA%D0%BE%D0%BC%D0%BF%D0%B8%D0%BB%D1%8F%D1%86%D0%B8%D1%8F-%D0%BE%D0%B1%D1%84%D1%83%D1%81%D0%BA%D0%B0%D1%86%D0%B8%D1%8F-%D0%BC%D0%BE%D0%B4%D0%BE%D0%B2-%D0%B2%D0%B5%D1%80%D1%81%D0%B8%D1%8F-135-%D0%B4%D0%B0%D1%82%D0%B0-11082019/) to obfuscate `pyc` files.
**Part 2:** Use an approach similar to [this](https://github.com/extremecoders-re/PjOrion-Deobfuscator) to deobfuscate the obfuscated file.
**Part 3:** List the fundamental rules that are used to transform the obfuscated `pyc` file into its deobfuscated form.
## Task 2 (Adding NOP):
This one is fairly simple.
**Part 1:** Obfuscate in a way similar to the one shown [here](https://www.mandiant.com/resources/deobfuscating-python).
**Part 2:** List the rules that would be used to deobfuscate the preceding obfuscation. (Essentially, this means removing instruction sequences such as `[ROT_TWO][ROT_TWO]` -> `[]`.)
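
A sketch of how the Part 2 rules can be applied, as an added example (not PyFET code and not code from the linked article). It goes beyond the single `ROT_TWO` rule: it also removes `NOP` and triple `ROT_THREE`, repeats until nothing changes, and leaves a sequence alone when a jump lands inside it. The `(opname, arg)` tuples with jump targets as list indices are an assumption; a real `pyc` uses byte offsets.

```python
# Added example: peephole removal of junk (net no-op) opcode sequences.
# Assumption: jump opcodes carry the list index of their target as arg.
NOOP_RULES = [
    ("NOP",),
    ("ROT_TWO", "ROT_TWO"),                    # swap twice = identity
    ("ROT_THREE", "ROT_THREE", "ROT_THREE"),   # rotate three times = identity
]

def is_jump(opname):
    return "JUMP" in opname

def strip_noops(instrs):
    """Apply NOOP_RULES until nothing changes; return the cleaned list."""
    changed = True
    while changed:
        changed = False
        targets = {arg for op, arg in instrs if is_jump(op)}
        keep = [True] * len(instrs)
        i = 0
        while i < len(instrs):
            for rule in NOOP_RULES:
                n = len(rule)
                window = tuple(op for op, _ in instrs[i:i + n])
                # A jump landing inside the sequence executes only part of
                # it, so the sequence is not a no-op on that path: keep it.
                if window == rule and targets.isdisjoint(range(i + 1, i + n)):
                    keep[i:i + n] = [False] * n
                    i += n - 1
                    changed = True
                    break
            i += 1
        # Map each old index to the index of the next surviving instruction.
        new_index, count = [], 0
        for kept in keep:
            new_index.append(count)
            count += kept
        new_index.append(count)  # a jump may target one past the end
        instrs = [(op, new_index[arg] if is_jump(op) else arg)
                  for (op, arg), kept in zip(instrs, keep) if kept]
    return instrs

# Constructed sample: junk inserted into "return x if x < y else y".
SAMPLE = [
    ("LOAD_FAST", "x"), ("LOAD_FAST", "y"), ("ROT_TWO", None), ("NOP", None),
    ("ROT_TWO", None), ("COMPARE_OP", "<"), ("POP_JUMP_IF_FALSE", 9),
    ("LOAD_FAST", "x"), ("RETURN_VALUE", None),
    ("NOP", None), ("LOAD_FAST", "y"), ("RETURN_VALUE", None),
]
print(strip_noops(SAMPLE))
```

The `ROT_TWO`/`NOP`/`ROT_TWO` run in the sample is only removed on the second pass, after the `NOP` between the two swaps is gone, which is why the rules are applied to a fixpoint.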
## Task 3 (Dynamically loaded exec):
Obfuscation can also be done with dynamically loaded bytecode that the decompiler fails to decompile.
The technique is shown [here](https://isc.sans.edu/forums/diary/Nicely+Obfuscated+Python+RAT/26680/).
**Part 1:** Find a sample (on GitHub, perhaps) that uses this technique.
**Part 2:** Change the payload to one that does not decompile.
**Part 3:** Provide me with the script containing the obfuscation/deobfuscation technique.
This part is very vague, so just provide me with code that is very close to a reproduction.