
Movfuscator – A single-instruction C compiler - vasili111
https://github.com/xoreaxeaxeax/movfuscator/blob/master/README.md
======
erlehmann_
Previously on Battlehacker Newslactica:
[https://news.ycombinator.com/item?id=10021259](https://news.ycombinator.com/item?id=10021259)

------
projectdp
Saw this recently after reviewing some Defcon 23 videos. The author goes into
detail about how it's working and some other fun stuff regarding anti-reverse-
engineering.

2015 DEFCON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse
Engineering
[https://www.youtube.com/watch?v=HlUe0TUHOIc](https://www.youtube.com/watch?v=HlUe0TUHOIc)

And a paper by him:
[https://www.cl.cam.ac.uk/~sd601/papers/mov.pdf](https://www.cl.cam.ac.uk/~sd601/papers/mov.pdf)

------
kersny
See also: Demovfuscator

[https://kirschju.re/demov](https://kirschju.re/demov)

------
_c_
Since we are joking, assuming that the MOV instruction exists on many CPUs,
could the input for this compiler be considered a needed "portable assembly
language"?

[http://cr.yp.to/qhasm/20050129-portable.txt](http://cr.yp.to/qhasm/20050129-portable.txt)

------
maxpert
I wonder what happens to performance of same code.

~~~
easuter
For large applications performance will undoubtedly nosedive.

~~~
maxpert
Yep, one might just write some key verification code in it but keep the rest
of the app in GCC.

------
_nalply
Some slides here: [https://recon.cx/2015/slides/recon2015-14-christopher-domas-The-movfuscator.pdf](https://recon.cx/2015/slides/recon2015-14-christopher-domas-The-movfuscator.pdf)

------
LightMachine
Not sure I understand how that is possible. How would you implement a boolean
"and" with only "mov"? If you can only move stuff around, how do you read and
compare things?

~~~
__s
If you look at Turing machines, they're pretty minimal: just a state machine
reading/writing state on a tape.

Repo includes a good set of slides:
[https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)

Indirect memory accesses serve for conditional execution.

Here's the macro for boolean and:
[https://github.com/xoreaxeaxeax/movfuscator/blob/master/poc/movfuscator.c#L201](https://github.com/xoreaxeaxeax/movfuscator/blob/master/poc/movfuscator.c#L201)

------
liquidzoot
You should be careful with this, you'll wear a hole in your instruction set.

~~~
sonthonax
Dumb question, could that actually happen? Could you actually use a particular
set of transistors so much with this that they break?

~~~
slacka
This wouldn't do any noticeable damage. Modern CPUs have excellent thermal
management. As far as wear goes, a hot spot in the chip would in theory
slightly decrease the lifespan of a CPU.

If you expanded your question to hardware in the computer, then yes, you can
easily cause damage. BIOSes can be flashed to make the system unbootable or
overclock/stress components. Back in the bad old days of Linux, you could
easily damage your monitor with the wrong xorg.conf settings.

Your question got me thinking: what's the MTBF of modern CPUs? My google-fu
failed me in finding any reliable source on this, but I'm sure it's long, 10+
years.

~~~
woliveirajr
> Back in the bad old days of Linux, you could easily damage your monitor with
> the wrong xorg.conf settings

You could also damage a floppy drive by making it read/write, many times, a
few sectors beyond the usual limits. Been there, done that.

But after so many discussions on online forums claiming that it was impossible
to cause physical damage using software (other than overwriting firmware), I
gave up and kept this (and the asm code) deep inside my heart.

And bringing it up still gives me chills that those discussions will return
right now...

~~~
koytch
Sounds close to
[http://www.catb.org/jargon/html/W/walking-drives.html](http://www.catb.org/jargon/html/W/walking-drives.html)

------
qwertyuiop924
That is hilarious.

------
aub3bhat
Could this be used for creating a ROP Gadget that overcomes ASLR on 64 bit
machines?

~~~
l_zzie
How does it get past ASLR? You still need to find the addresses of the movs,
don't you?

------
amelius
But MOV is not really a single instruction. I would be more impressed by a
single opcode compiler.

------
tbodt
How do we do arithmetic if we can only do movs?

I know! Lookup tables!

------
isuckatcoding
ELI5 please. What does this mean for a developer?

~~~
haberman
Someone made something very clever, but it has no practical usefulness
whatsoever. It is an interesting intellectual exercise. It's also very
impressive that they could pull this off.

~~~
lucb1e
No practical usefulness? It seems rather great for obfuscation, be it for evil
(viruses) or good (license key verification -- which is deemed 'good' merely
because they're legal, not because they're not a pain in the arse).

~~~
TelmoMenezes
Not really. Creating an algorithm for recovering the jumps and the intent of
the various MOV patterns would be no more work than it was to write this.
Particularly easier because one has access to the obfuscator's code, but I
don't think it would be a major hurdle even without the source code.

~~~
lucb1e
The same could be said for most binaries: they're just compilations (usually
with open source or freely available compilers) of C/C++ code. Shouldn't be
too hard to reverse once you've got all the patterns worked out.

I see your point though. I'm not very experienced on this and I'm sure some
patterns can easily be recovered, but until someone goes through the effort
it's still a considerable effort compared to being able to read the program
normally, and even when someone does it's questionable whether the original
can be recovered with some simple 1:1 translation.

------
danjoc
And for the minimalist, the zero-instruction C compiler

[https://github.com/jbangert/trapcc](https://github.com/jbangert/trapcc)

------
2opdude
The MOV mnemonic is more like a family of instructions, isn't it?

Not knowing anything about GPU programming, isn't it similar to Movfuscator in
some respects? Both branches are taken and run simultaneously?

------
toolslive
just what I need for my next virus

------
mighty_atomic_c
Seems like it would give a large performance penalty. I don't get it.

~~~
detaro
It's a joke/demonstration that it is possible, not something you're supposed
to use.

~~~
posterboy
Obfuscation is surely used in malware.

One instruction set computers (OISC) are more than a joke, I suppose, but I
didn't dig far into theoretical computer science and can't say what's
important about them.

I read a comment the other day, that stipulated neurons would be akin to
massively parallel single instruction computers.

~~~
stcredzero
_One instruction set computers (OISC) are more than a joke, I suppose, but I
didn't dig far into theoretical computer science and can't say what's
important about them._

They're for highly parallel programmable SIMD number crunching. The OISC would
allow for easily fabricating a whole heaping bunch of ALUs.

