Deobfuscation techniques: Peephole deobfuscation | CERT Polska

In this article, we explore a basic yet effective deobfuscation technique based on code snippet substitution, analyzing a Lumma sample with Ghidra for illustration. The ongoing battle in IT security between attackers (black hats) and defenders (white hats) is mirrored in reverse engineering, where defenders routinely face obstacles designed to complicate analysis. Analysts are challenged by packers, anti-debugging techniques, anti-VM strategies and, above all, obfuscation itself.

Obfuscation deliberately renders code incomprehensible to hinder reverse engineers. Obfuscation of scripting languages such as JavaScript is familiar territory; binary code obfuscation employs different methods, ranging from junk code insertion and instruction substitution to control flow obfuscation and opaque predicates. Each technique aims to obscure the original functionality while keeping it intact, so that the program continues to operate normally.

Deobfuscation, the reverse process, typically relies on automated rather than manual techniques. Our chosen method, referred to as peephole deobfuscation, examines small portions of code at a time and simplifies complex obfuscated snippets into comprehensible structures. In practice, peephole deobfuscation transforms a complicated assembly snippet into a simpler equivalent by scrutinizing only a short window of instructions. For instance, an instruction such as `mov rax, [rdx]` surrounded by auxiliary operations can carry unnecessary complexity that prevents understanding.

We focus on a specific Lumma sample, identified by its SHA-256 hash, and examine its unpacked version. Ghidra serves as our reverse-engineering tool, complemented by a helper library called ghidralib. Ghidra is chosen for its accessibility and efficacy, but the techniques discussed apply across various analysis tools.

Beginning our analysis, we discover instances of assembly code that can be simplified; for example, a combination of MOV and arithmetic operations can be equated to a single addition instruction. Automating this process requires us to identify the specific byte sequences of such patterns in the code while allowing the register used to vary, which keeps the substitution accurate without missing variants.
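As an added illustration of the substitution step (not code from the CERT Polska article or from ghidralib), the following Python pass matches instruction-template sequences with register placeholders over a constructed listing and rewrites each matched MOV + arithmetic sequence into the single instruction it is equivalent to; the listing, the rules and all names are assumptions for this example.

```python
import re
# Constructed (address, instruction) listing in the spirit of the MOV + arithmetic
# sequences described above; not bytes from the Lumma sample.
LISTING = [
    (0x1000, "push rcx"), (0x1001, "mov rcx, 0x10"),
    (0x1008, "add rax, rcx"), (0x100b, "pop rcx"),
    (0x100c, "push rdx"), (0x100d, "mov rdx, 0x20"),
    (0x1014, "sub rbx, rdx"), (0x1017, "pop rdx"),
    (0x1018, "mov rax, [rdx]"),
]
# Rules: (instruction templates, replacement). "$name" matches any register and must
# bind consistently wherever it repeats; "$imm" matches a decimal or hex immediate.
RULES = [
    (["push $s", "mov $s, $imm", "add $d, $s", "pop $s"], "add $d, $imm"),
    (["push $s", "mov $s, $imm", "sub $d, $s", "pop $s"], "sub $d, $imm"),
]
PLACEHOLDER = re.compile(r"\$(\w+)")
REG, IMM = r"[a-z0-9]+", r"(?:0x[0-9a-f]+|\d+)"

def template_to_regex(template):
    """Anchor the template; each placeholder becomes a named group."""
    pattern = re.sub(r"\\\$(\w+)", lambda m: f"(?P<{m[1]}>{IMM if m[1] == 'imm' else REG})", re.escape(template))
    return re.compile(f"^{pattern}$")

def match_at(listing, i, templates):
    """Bind templates to listing[i:]; return the bindings, or None on mismatch."""
    if i + len(templates) > len(listing):
        return None
    bindings = {}
    for template, (_, insn) in zip(templates, listing[i:]):
        m = template_to_regex(template).match(insn)
        if m is None or any(bindings.setdefault(n, v) != v for n, v in m.groupdict().items()):
            return None  # no match, or a placeholder already bound to a different operand
    regs = [v for k, v in bindings.items() if k != "imm"]
    return bindings if len(set(regs)) == len(regs) else None  # distinct placeholders, distinct registers

def peephole(listing, rules):
    """One left-to-right pass; the first rule that matches at a point wins."""
    out, i = [], 0
    while i < len(listing):
        for templates, replacement in rules:
            bindings = match_at(listing, i, templates)
            if bindings is not None:
                out.append((listing[i][0], PLACEHOLDER.sub(lambda m: bindings[m[1]], replacement)))
                i += len(templates)
                break
        else:
            out.append(listing[i])
            i += 1
    return out
```

The push/pop pair saving and restoring the scratch register is what makes this rewrite an exact equivalence; a rule for the bare `mov` + `add` form would first need a liveness check to confirm the scratch register is not read afterwards.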

Control flow obfuscation presents a higher hurdle; it can hide significant parts of the code from analysis. The assembly Ghidra presents for such code shows functions that look misleading, with truncated or unintelligible control flow. Untangling these convoluted branches usually requires a detailed inspection of the assembly, where distinctive shifting, jumping and addressing patterns emerge. These patterns camouflage conventional control structures, which makes automated analysis severely difficult and manual review labor-intensive.

To counteract control flow obfuscation in our Lumma sample, we develop a specific pattern-matching strategy to locate relevant obfuscated jumps. We leverage Ghidra’s built-in emulator to decode these patterns accurately. The process includes gathering constants and computed addresses from operations prior to obfuscated jumps, resulting in a more transparent control flow presentation.

Despite successfully deobfuscating parts of the Lumma sample, we encounter additional obfuscated jumps and masked constants that impede clarity. Complete deobfuscation would require adjusting the memory settings, in particular marking sections of memory as constant so that the remaining values can be resolved.

In conclusion, this article has presented peephole deobfuscation and demonstrated its value in the reverse engineering toolbox. It only scratches the surface of the broader deobfuscation methodologies, but the ability to build lightweight deobfuscators significantly strengthens the analytical skills needed to navigate the complex binaries commonly found in malware analysis. The focus here remained on fundamental strategies; exploring automated decoding tools such as FLOSS is worthwhile for a fuller picture of the obfuscation challenges in reverse engineering. The techniques discussed provide practical solutions for everyday reverse engineering and incident response work.
