Home

Awesome

Embuche - Anti-reverse compilation

<p align="center"> <img src="./docs/img/logo.png"> </p>

Embuche is a tool that allows you to implement anti-reversing techniques during the different steps of the creation of an executable.

Check out our poster here!

Summary

What is Embuche

The main goal of Embuche is to implement a collection of anti-reversing techniques in order to make the task of a reverser harder and painful.

Embuche is designed for ELF files and C99.

Embuche will not make your program impossible to reverse, it will just increase the amount of time spent to reverse it.

Embuche is a collection of techniques and tools meant to make your program harder to reverse, you'll find:

Embuche takes a C program and compiles it with GCC. It creates CMake files and make files that will be used for the compilation.

Inside these CMake files, there's the standard compilation process and some custom scripts that will modify the final ELF (depending on the options you've set).

Embuche is also a collection of C snippets (snippets/) to use in your program while creating it and a bunch of C functions to detect debugging.

Here's a schema on how Embuche works:

Diagramme

Requirements and installation

Embuche was tested on Ubuntu 18.04, Arch 5.6.15 & Debian 10.

Requirements

In order to use Embuche you need:

You can install these packages with:

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt install gcc musl-tools musl-dev cmake python3.8 python3.8-venv python3.8-dev libsasl2-dev python-dev libldap2-dev libssl-dev

Installation

If the previous requirements are installed, you can clone this repo.

mkdir embuche && cd embuche
git clone git@github.com:magnussen7/Embuche.git .

You'll need the python project Hellf.

git clone git@github.com:0xswitch/Hellf.git
export PYTHONPATH=$PYTHONPATH:$(pwd)

The following python packages are also needed:

You can install them with:

python3.8 -m pip install -r requirements.txt

Usage

Project Structure

In order to use Embuche on a project, you have to follow this directory. structure:

myproject/
├── bin
├── build
└── src
    └── myprogram.c

Inside the src directory you'll have all your source code, the build directory will be used for the compilation and the bin directory will be the directory with your compiled program.

I always forget the structure of a new project. Can you help me?

Well, if you don't have the time or energy to create this project structure you can simply use :

./tools/program_init_helper.py path/to/my/new/project

This script will create the structure of the project and create an empty c file (main.c) and some anti-debugging files you can use if you want.

Configuration

Embuche uses a YAML configuration file. Here's an example of configuration (conf.yaml):

source_code: "./example/crackme/src/crackme.c"
files:
  - "anti_debug.c"
options:
  compilation_options:
    strip:
      description: "Remove .symtab section (symbols on disk)"
      value: true
    symbols_hidden:
      description: "Hide .dynsym section (symbols at runtime)"
      value: true
    optimize:
      description: "Optimize code (O3)"
      value: true
    unroll_loops:
      description: "Unroll loop structure"
      value: true
    static:
      description: "Use static dependencies (musl)"
      value: true
    custom:
      description: "Add custom GCC flags"
      value:
        - "fstack-protector-all"
  file_format:
    endianness:
      description: "Switch endianness to big endian"
      value: true
    remove_section_header:
      description: "Remove section header"
      value: true
    flip_sections_flags:
      description: "Flip sections flags (RX to RW & RW to RX)"
      value: true
    hide_entry_point:
      description: "Hide entry point with fake oversized section"
      value: true
    mixing_symbols:
      description: "Mix the name of symbols in .dynsym"
      value: false
  packer:
    packer:
      description: "Cipher the final binary and insert it in a program that will unciphered it at start."
      value: true
    packer_embuche:
      description: "Modify the packed binary with: endianness, remove_section_header, flip_sections_flags and hide_entry_point"
      value: true

With this configuration we will compile crackme.c with the file it needs (anti_debug.c), then we will:

More on options

Techniques dependencies

Some of the techniques are exclusive and can't be use with other techniques or some required an other techniques. Here's the dependencies between the techniques:

Note: When Dependency the other option must be set to use it, when Exclusion the other options must not be set.

symbols_hiddenstaticremove_section_headerflip_sections_flagshide_entry_pointmixing_symbolsINT3 snippetsPtrace (embuche_checker)file_descriptor (embuche_checker)packer
symbols_hiddenExclusion
staticExclusion
remove_section_headerDependencyDependencyExclusion
flip_sections_flagsExclusion
hide_entry_pointExclusion
mixing_symbolsExclusionExclusionExclusionExclusionExclusion
INT3 snippetsExclusion
Ptrace (embuche_checker)Exclusion
file_descriptor (embuche_checker)Exclusion
packerExclusion

Run

Once you've setup your configuration file, you just have to have run Embuche like this:

./embuche.py conf.yaml

Embuche will create the CMake files and Make files and run the compilation.

Your binary will be available in the bin folder of your project.

Techniques

You can learn more about this techniques in the doc.

Obstructing code analysis

Current snippets:

Detecting Debuggers

Here's the techniques used to detect debugging:

GCC Options

Here's the list of GCC flags in Embuche by default:

Available options for compilation:

File Format Hacks

Here's the techniques available:

Packer

A metamorphic packer is available in Embuche. This packer will load your binary and cipher it (AES 256 bits CBC).

If you decide to use the packer, your program will be ciphered and stored in a section of our packer. When you will execute your program the packer will copy itself in memory, unciphered your program and write it on the disk for execution.

Beside cipher your binary, the packer will also ensure its integrity. The encryption keys used for the encryption are based on the SHA sum of the .text section, so if the packer or your program is being debugged the SHA sum will be different of the one used for decryption.

The ELF of the packer can be modified with the packer_embuche options. If this options is set the following techniques will be applied on the packer that contains your program:

MORE

Authors