What is deobfuscation?
Deobfuscation (the reverse of obfuscation) is the recovery of readable code from the obfuscated code embedded in an executable file. When a computer executes a program, it first reads the program's instructions. These instructions could be embedded inside the program code or stored separately on a disk or flash drive. Once the instructions are read, they are interpreted by the processor and converted into machine language. Machine language is the programming language that computers understand and can execute directly. It consists of binary numbers and is what actually controls the hardware components of the computer. In order to run a program, the processor has to recognize certain patterns and sequences of bits. If a pattern does not match, the processor throws an error and stops executing the program instead of running it.
In order to stop this from happening, someone would have to write a program that recognises these specific patterns and sequences of bits and converts them into human-readable words. This means that someone would have to create a “decoder” that translates the binary code back into the original program instructions. This is called de-obfuscation.
Deobfuscators generally use different algorithms to recover the original code, such as reversing the bytes, looking at the function calls, and analyzing the data flow. There are many kinds of de-obfuscators, each with its own algorithm.
How does deobfuscation work?
Deobfuscation involves taking obfuscated code or binaries and translating them into readable versions. You may be thinking, “Why would someone want to do this? Why make their code unreadable?” Well, if you think about it, who really cares what the code looks like? Without obfuscated code to analyze, we wouldn't have security updates for the vulnerabilities that hackers seek out and exploit, and we wouldn't be able to read other people's code for analysis purposes. So yes, if you're looking to protect yourself or your company, you should care about protecting your code.
How to use a Deobfuscator?
A de-obfuscator is a tool used to recover the original data from its transformed form. A de-obfuscator may take text input, look at each character (or byte) in the string, and replace it with a substitute character if it matches a predefined set of rules. These rules define what kind of transformation should occur when certain characters match. For example, some obfuscators use substitution-cipher techniques, replacing certain symbols with others. Other methods simply hide the original message by adding random amounts of noise to it.
The goal of a de-obfuscator program is to identify the original pattern of the message by mapping the transformed characters back to the original ones. Most de-obfuscation software comes with a list of possible transformations and tries to find the best match between the input and the output. If two patterns match perfectly, the input will always produce the same result and be recovered successfully. In many cases, the de-obfuscator looks at the order of the characters and tries to figure out whether characters were added or removed in the transformed version.
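The two ideas above (a deobfuscator that reverses simple byte transformations such as reversal, and one that tries a list of candidate transformations and keeps the best match) can be shown together in a small Python script. This is an added example, not code from the original article or from any particular deobfuscation tool: the plaintext, the obfuscated samples, the set of candidate transformations (reverse, single-byte XOR, letter rotation, base64) and the readability score are all constructed here as assumptions, and real tools use far larger rule sets.

```python
import base64
import string

# Constructed plaintext and obfuscated samples (not from the original page):
# one readable sentence transformed by each obfuscation the script can reverse.
PLAINTEXT = b"find the function call for the script"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def rot_letters(data: bytes, n: int) -> bytes:
    """Shift ASCII letters by n positions (ROT-n); leave every other byte alone."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + n) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + n) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def try_base64(data: bytes) -> bytes:
    """Strict base64 decode; returns b"" when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return b""


SAMPLES = {
    "reversed": PLAINTEXT[::-1],
    "xor-0x2a": xor_bytes(PLAINTEXT, 0x2A),
    "rot13": rot_letters(PLAINTEXT, 13),
    "base64": base64.b64encode(PLAINTEXT),
}

# Readability score: printable ASCII, frequent English letters and frequent
# English bigrams. The bigram term is what separates a sentence from its
# reversal, which has exactly the same letter counts.
PRINTABLE = set((string.ascii_letters + string.digits
                 + string.punctuation + " ").encode())
COMMON_LETTERS = set(b"etaoinshrdlu ")
COMMON_BIGRAMS = {b"th", b"he", b"in", b"er", b"an", b"re", b"on", b"at", b"en",
                  b"nd", b"ti", b"es", b"or", b"te", b"of", b"ed", b"is", b"it",
                  b"al", b"ar", b"st", b"to", b"nt", b"ng", b"se", b"ha", b"as",
                  b"ou", b"io", b"le"}


def readability(data: bytes) -> float:
    """Higher is more English-like; empty output scores zero."""
    if not data:
        return 0.0
    printable = sum(b in PRINTABLE for b in data) / len(data)
    common = sum(b in COMMON_LETTERS for b in data) / len(data)
    if len(data) < 2:
        return printable + common
    bigrams = sum(data[i:i + 2] in COMMON_BIGRAMS for i in range(len(data) - 1))
    return printable + common + bigrams / (len(data) - 1)


def candidates():
    """The list of possible inverse transformations, tried in this order."""
    yield "identity", lambda d: d
    yield "reverse", lambda d: d[::-1]
    for k in range(1, 256):
        yield f"xor 0x{k:02x}", lambda d, k=k: xor_bytes(d, k)
    for n in range(1, 26):
        yield f"rot {n}", lambda d, n=n: rot_letters(d, n)
    yield "base64", try_base64


def deobfuscate(data: bytes):
    """Apply every candidate and keep the most readable result as (name, bytes, score)."""
    best = ("identity", data, readability(data))
    for name, fn in candidates():
        out = fn(data)
        score = readability(out)
        if score > best[2]:          # first candidate wins ties
            best = (name, out, score)
    return best


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        name, out, score = deobfuscate(blob)
        print(f"{label:9} -> {name:9} score={score:.2f} {out.decode('ascii', 'replace')}")
```

The script applies each candidate transformation to the input and ranks the outputs by how much they look like readable text, which is the "best match" search the paragraph describes; unobfuscated input simply scores highest under the identity candidate. Because the score is a heuristic, a real tool would add far more transformations, try them in combination, and use a stronger language model than a handful of bigrams.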
Why is obfuscation bad?
Obfuscated code is nearly impossible to debug. Debugging a program involves finding bugs in the code and fixing them. Obfuscating the code removes that step, making it almost impossible to find errors. Since debugging is necessary to find bugs, it is essential to writing good code. This is why obfuscation is a sign of poor coding practices.