Opaque Predicates Jump is the dead codes

Malware, Reverse Engineering Leave a comment

Hi Fellow reverser

Playing around with the code reversing, I am sharing a small review on the topic related to obfuscation

Code obfuscation is like adding a bunch of decoys to your code so that anyone trying to figure it out gets mixed up and has to spend way more time trying to make sense of it.

Fundamentally, opaque predicates inject superfluous nbranches (a.k.a dead branches), or branches that are never taken during program runtime, into the disassembly. An opaque predicate injects a superfluous branch by syntactically disguising an unconditional branch as a conditional branch. This disguise is enabled by an invariant expression that always evaluates to true or false.

Lets take a look below codes. 

#include <iostream>

int neverCalledCode(int a) {
    if (a == -4) {
        printf("Dead Code %d", a);
    }
    return 1;
}

int main()
{
    int a = 1;

    for (int i = 0; i < 10; i++) {
        if (neverCalledCode(-4)==0) {
            printf("Just Forget this Code");
        }
        if (a == 1) {
            printf("Rio");
            break;
        }
        else if (a == 3) {
            printf("Never Reach here");
        }
        else {
            printf("do nothing");
        }
    }
}

Based on the code above, We actual code intention is just to print “Rio” into the console. with the flow as below

However, the code above has some dead code which actually increase the complexity of the application flow with loop and function call

We can now see that the flow of the application in assembly is more than what is necessary

When we try to reverse the code according to the graph chart produced by IDA, it might seem like the app is kinda complicated.

So, luckily IDA lets us remove dead code when decompiling. When we press F5 to decompile, it only shows the necessary steps without the dead code. This means the highlighted C code below gets removed, making the analysis simpler and faster.

We can compare to the latest Binary Ninja version 4. The High Level IL of the above code still showing the full code without removing the dead code

The High Level IL from the Binary Ninja has been able to reverse the code nicely, We can almost have a reversed code to the original C code

In the above scenario, It is up to you which way is actually will help you to reverse effectively since both have pros and cons

Leave a Reply