Editing Obfuscation (software)

{{short description|Deliberate creation of difficult-to-understand code}}
{{Use American English|date = March 2019}}
{{Use mdy dates|date = March 2019}}

In [[software development]], '''obfuscation''' is the practice of creating [[source code|source]] or [[machine code]] that is intentionally difficult for humans or computers to understand. Similar to [[obfuscation]] in [[natural language]], code obfuscation may involve using unnecessarily roundabout ways to write statements. Programmers often obfuscate code to conceal its purpose, logic, or embedded values. The primary reasons for doing so are to prevent [[Anti-tamper software|tampering]], deter [[reverse engineering]], or to create a [[puzzle]] or recreational challenge to deobfuscate the code, a challenge often included in [[Crackme|crackmes]]. While obfuscation can be done manually, it is more commonly performed using [[Executable compression|obfuscators]].<ref>{{Cite web|url=https://searchsoftwarequality.techtarget.com/definition/obfuscation|title=What is obfuscation (obfu)? - Definition from WhatIs.com|website=SearchSoftwareQuality|language=en|access-date=2019-02-01|archive-date=February 2, 2019|archive-url=https://web.archive.org/web/20190202041700/https://searchsoftwarequality.techtarget.com/definition/obfuscation|url-status=live}}</ref>

==Overview==
The architecture and characteristics of some languages may make them easier to obfuscate than others.<ref>{{cite web|last=Binstock |first=Andrew |url=http://www.devx.com/microsoftISV/Article/11351 |title=Obfuscation: Cloaking your Code from Prying Eyes |date=2003-03-06 |access-date=2013-11-25 |url-status=dead |archive-url=https://web.archive.org/web/20080420165109/http://www.devx.com/microsoftISV/Article/11351 |archive-date=April 20, 2008 }}</ref><ref>{{cite web |last=Atwood |first=Jeff |url=http://www.codinghorror.com/blog/archives/000291.html |title=Jeff Atwood, May 15, 2005 |publisher=Codinghorror.com |date=2005-05-15 |access-date=2013-11-25 |archive-date=January 9, 2010 |archive-url=https://web.archive.org/web/20100109174819/http://www.codinghorror.com/blog/archives/000291.html |url-status=dead }}</ref> [[C (programming language)|C]],<ref>{{cite web |url=http://www.kenter.demon.nl/obfuscate.html |title=Obfuscation |publisher=Kenter.demon.nl |access-date=2013-11-25 |archive-url=https://web.archive.org/web/20160304033430/http://www.kenter.demon.nl/obfuscate.html |archive-date=March 4, 2016 |url-status=dead }}</ref> [[C++]],<ref>{{cite web |url=http://www.dreamincode.net/forums/index.php?showtopic=38102 |title=C++ Tutorials – Obfuscated Code – A Simple Introduction |publisher=DreamInCode.net |access-date=2013-11-25 |archive-date=June 28, 2008 |archive-url=https://web.archive.org/web/20080628050430/http://www.dreamincode.net/forums/index.php?showtopic=38102 |url-status=usurped }}</ref><ref>{{cite web |url=http://sites.google.com/site/rcorcs/posts/obfuscatedcode |title=C Tutorials – Obfuscated Code in C |date=2011-07-07 |access-date=2013-11-25 |archive-date=December 27, 2013 |archive-url=https://web.archive.org/web/20131227102549/https://sites.google.com/site/rcorcs/posts/obfuscatedcode |url-status=dead }}</ref> and the [[Perl]] [[programming language]]<ref>{{cite web |author=As of 2013-11-25 18:22 GMT |url=http://www.perlmonks.org/index.pl?node_id=291267 |title=Pe(a)rls in line noise |publisher=Perlmonks.org |access-date=2013-11-25 |archive-date=January 16, 2009 |archive-url=https://web.archive.org/web/20090116074243/http://www.perlmonks.org/index.pl?node_id=291267 |url-status=live }}</ref> are some examples of languages easy to obfuscate. [[Haskell (programming language)|Haskell]] is also quite obfuscatable<ref>{{cite web|url=https://wiki.haskell.org/Obfuscation |title=Obfuscation – Haskell Wiki |date=2006-02-16 |access-date=2020-03-03 |url-status=live |archive-url=https://web.archive.org/web/20170830203204/https://wiki.haskell.org/Obfuscation |archive-date=August 30, 2017 }}</ref> despite being quite different in structure.

The properties that make a language obfuscatable are not immediately obvious.

== Techniques ==
{{Expand section|date=March 2023|explaining more obfuscation techniques in general}}
Types of obfuscations include simple keyword substitution, use or non-use of whitespace to create artistic effects, and self-generating or heavily compressed programs.

According to [[Nick Montfort]], techniques may include:
# naming obfuscation, which includes naming variables in a meaningless or deceptive way;
# data/code/comment confusion, which includes making some actual code look like comments or confusing syntax with data;
# double coding, which can be displaying code in poetry form or interesting shapes.<ref>{{cite web |last=Montfort |first=Nick |title=Obfuscated code |url=http://obfuscationsymposium.org/wp-content/uploads/2014/01/Montfort__Obfuscated_Code.pdf |url-status=dead |archive-url=https://web.archive.org/web/20190424012657/http://obfuscationsymposium.org/wp-content/uploads/2014/01/Montfort__Obfuscated_Code.pdf |archive-date=April 24, 2019 |access-date=2017-11-24}}</ref>

=== Automated tools<span class="anchor" id="Obfuscating software"></span><span class="anchor" id="Examples"></span> ===
A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools developed by academics, hobbyist tools, commercial products written by professionals, and [[open-source software]]. Additionally, deobfuscation tools exist, aiming to reverse the obfuscation process.

While most commercial obfuscation solutions transform either program source code or platform-independent bytecode, {{em|i.e.}} portable code (as used by [[Java (programming language)|Java]] and [[.NET]]), some also work directly on compiled binaries.
* Some [[Python (programming language)|Python]] examples can be found in the [https://docs.python.org/3/faq/programming.html#is-it-possible-to-write-obfuscated-one-liners-in-python official Python programming FAQ] and elsewhere.<ref>{{cite web |author=Ben Kurtovic |title=Obfuscating "Hello world!" |url=https://benkurtovic.com/2014/06/01/obfuscating-hello-world.html |website=benkurtovic.com |access-date=October 18, 2017 |archive-date=September 14, 2017 |archive-url=https://web.archive.org/web/20170914093302/http://benkurtovic.com/2014/06/01/obfuscating-hello-world.html |url-status=live }}</ref><ref>{{cite web |date= |title=Obfuscated Python |url=http://wiki.c2.com/?ObfuscatedPython |website=wiki.c2.com |access-date=October 18, 2017 |archive-date=February 14, 2017 |archive-url=https://web.archive.org/web/20170214190515/http://wiki.c2.com/?ObfuscatedPython |url-status=live }}</ref><ref>{{cite web |title=The First Annual Obfuscated Python Content |url=https://code.activestate.com/lists/python-list/16171/ |website=code.activestate.com |access-date=October 18, 2017 |archive-date=May 25, 2023 |archive-url=https://web.archive.org/web/20230525195529/https://code.activestate.com/lists/python-list/16171 |url-status=dead }}</ref>
* The ''movfuscator'' [[C (programming language)|C]] [[compiler]] for the [[X86|x86_32 ISA]] uses only the [[X86 instruction listings|''mov'']] instruction in order to obfuscate.<ref>{{Citation |last=domas |title=xoreaxeaxeax/movfuscator |date=2022-11-03 |url=https://github.com/xoreaxeaxeax/movfuscator |access-date=2022-11-05 |archive-date=November 12, 2022 |archive-url=https://web.archive.org/web/20221112181448/https://github.com/xoreaxeaxeax/movfuscator |url-status=live }}</ref><ref>{{Citation |title=Break Me00 The MoVfuscator Turning mov into a soul crushing RE nightmare Christopher Domas | date=September 25, 2015 |url=https://www.youtube.com/watch?v=R7EEoWg6Ekk |access-date=2022-11-05 |language=en |archive-date=October 21, 2022 |archive-url=https://web.archive.org/web/20221021143736/https://www.youtube.com/watch?v=R7EEoWg6Ekk |url-status=live }}</ref><ref>{{cite web |url=https://hackaday.com/2021/05/21/one-instruction-to-rule-them-all-c-compiler-emits-only-mov/ |title=One Instruction To Rule Them All: C Compiler Emits Only MOV |last=Williams |first=Al |publisher=[[Hackaday]] |date=2021-03-21 |accessdate=2023-10-23 }}</ref>

=== Recreational ===
Writing and reading obfuscated source code can be a [[brain teaser]]. A number of programming contests reward the most creatively obfuscated code, such as the [[International Obfuscated C Code Contest]] and the [[Obfuscated Perl Contest]].

Short obfuscated [[Perl]] programs may be used in [[Signature block|signatures]] of Perl programmers.  These are JAPHs ("[[Just another Perl hacker]]").<ref>{{cite web |url=http://rochester.pm.org/talks/japh_discussion.txt |title=JAPH – Just Another Perl Hacker |author=<!--Staff writer(s); no by-line.--> |website=pm.org |publisher=Perl Mongers |archive-url=https://web.archive.org/web/20130516074850/http://rochester.pm.org/talks/japh_discussion.txt |archive-date=16 May 2013 |access-date=27 February 2015 }}</ref>

=== Cryptographic ===
{{Further information|Indistinguishability obfuscation|Black-box obfuscation}}
Cryptographers have explored the idea of obfuscating code so that reverse-engineering the code is ''cryptographically'' hard. This is formalized in the many proposals for [[indistinguishability obfuscation]], a cryptographic primitive that, if possible to build securely, would allow one to construct many other kinds of cryptography, including completely novel types that no one knows how to make. (A stronger notion, [[black-box obfuscation]], is known to be impossible in general.)<ref>{{Cite magazine |title=Cryptography Breakthrough Could Make Software Unhackable |url=https://www.wired.com/2014/02/cryptography-breakthrough/ |magazine=Wired |language=en-us |issn=1059-1028 |access-date=2021-03-14 |archive-date=April 14, 2022 |archive-url=https://web.archive.org/web/20220414061648/https://www.wired.com/2014/02/cryptography-breakthrough/ |url-status=live }}</ref><ref>{{Cite journal |last1=Jain |first1=Aayush |last2=Lin |first2=Huijia |author2-link=Huijia (Rachel) Lin|last3=Sahai |first3=Amit |date=2020 |title=Indistinguishability Obfuscation from Well-Founded Assumptions |url=https://eprint.iacr.org/2020/1003 |journal=Cryptology ePrint Archive |arxiv=2008.09317 |access-date=March 14, 2021 |archive-date=March 3, 2022 |archive-url=https://web.archive.org/web/20220303200221/https://eprint.iacr.org/2020/1003 |url-status=live }}</ref>

==Disadvantages of obfuscation==
* While obfuscation can make reading, writing, and reverse-engineering a program difficult and time-consuming, it will not necessarily make it impossible.<ref>{{cite web|title="Can We Obfuscate Programs?" by Boaz Barak|url=http://www.math.ias.edu/~boaz/Papers/obf_informal.html|archive-url=https://web.archive.org/web/20160323104433/http://www.math.ias.edu/~boaz/Papers/obf_informal.html|archive-date=March 23, 2016|access-date=2013-11-25|publisher=Math.ias.edu}}</ref>
* It adds time and complexity to the build process for the developers.
* It can make debugging issues after the software has been obfuscated extremely difficult.
* Once code is no longer maintained, hobbyists may want to maintain the program, add mods, or understand it better. Obfuscation makes it hard for end users to do useful things with the code.
* Certain kinds of obfuscation (i.e. code that isn't just a local binary and downloads mini binaries from a web server as needed) can degrade performance and/or require Internet.

=== Notifying users of obfuscated code ===
Some anti-virus softwares, such as [[AVG AntiVirus]],<ref>{{Cite web |date=2020-07-21 |title=Blocking website and only way to fix is disabling HTTPS s... {{!}} AVG |url=https://support.avg.com/answers?id=9060N000000gbDLQAY |access-date=2022-02-04 |website=support.avg.com |language=en |archive-date=February 4, 2022 |archive-url=https://web.archive.org/web/20220204155910/https://support.avg.com/answers?id=9060N000000gbDLQAY |url-status=live }}</ref> will also alert their users when they land on a website with code that is manually obfuscated, as one of the purposes of obfuscation can be to hide malicious code. However, some developers may employ code obfuscation for the purpose of reducing file size or increasing security. The average user may not expect their antivirus software to provide alerts about an otherwise harmless piece of code, especially from trusted corporations, so such a feature may actually deter users from using legitimate software.

Mozilla and Google disallow browser extensions containing obfuscated code in their add-ons store.<ref>{{Cite web |last=at 05:01 |first=Thomas Claburn in San Francisco 2 Oct 2018 |title=Google taking action against disguised code in Chrome Web Store |url=https://www.theregister.co.uk/2018/10/02/google_chrome_web_store/ |access-date=2019-11-12 |website=www.theregister.co.uk |language=en |archive-date=November 12, 2019 |archive-url=https://web.archive.org/web/20191112154156/https://www.theregister.co.uk/2018/10/02/google_chrome_web_store/ |url-status=live }}</ref><ref>{{Cite web |last=Cimpanu |first=Catalin |title=Mozilla announces ban on Firefox extensions containing obfuscated code |url=https://www.zdnet.com/article/mozilla-announces-ban-on-firefox-extensions-containing-obfuscated-code/ |access-date=2019-11-12 |website=ZDNet |language=en |archive-date=March 5, 2020 |archive-url=https://web.archive.org/web/20200305184837/https://www.zdnet.com/article/mozilla-announces-ban-on-firefox-extensions-containing-obfuscated-code/ |url-status=live }}</ref>

=== Obfuscation and copyleft licenses ===
There has been debate on whether it is illegal to skirt [[copyleft]] [[software license]]s by releasing source code in obfuscated form, such as in cases in which the author is less willing to make the source code available. The issue is addressed in the [[GNU General Public License]] by requiring the "preferred form for making modifications" to be made available.<ref>{{cite web |title=Reasoning behind the "preferred form of the work for making modifications to it" language in the GPL |url=https://lwn.net/Articles/431651/ |access-date=2013-11-25 |publisher=Lwn.net |archive-date=December 2, 2013 |archive-url=https://web.archive.org/web/20131202231646/http://lwn.net/Articles/431651/ |url-status=live }}</ref> The GNU website states "Obfuscated 'source code' is not real source code and does not count as source code."<ref>{{cite web |title=What is free software? |url=https://www.gnu.org/philosophy/free-sw.html |access-date=2014-12-18 |publisher=gnu.org |archive-date=October 14, 2013 |archive-url=https://web.archive.org/web/20131014132149/http://www.gnu.org/philosophy/free-sw.html |url-status=live }}</ref>

== Decompilers ==
A [[decompiler]] is a tool that can reverse-engineer source code from an executable or library. This process is sometimes referred to as a man-in-the-end (mite) attack, inspired by the traditional "[[man-in-the-middle attack]]" in cryptography. The decompiled source code is often hard to read, containing random function and variable names, incorrect variable types, and logic that differs from the original source code due to compiler optimizations.

== Model obfuscation ==

'''Model obfuscation''' is a technique to hide the internal structure of a [[machine learning]] model.<ref>{{cite journal |last1=Zhou |first1=Mingyi |last2=Gao |first2=Xiang |last3=Wu |first3=Jing |last4=Grundy |first4=John C. |last5=Chen |first5=Xiao |last6=Chen |first6=Chunyang |last7=Li |first7=Li |title=Model Obfuscation for Securing Deployed Neural Networks |date=2023 |url=https://openreview.net/forum?id=ib482K6HQod |language=en}}</ref> Obfuscation turns a model into a black box. It is contrary to [[explainable AI]]. Obfuscation models can also be applied to training data before feeding it into the model to add random noise. This hides sensitive information about the properties of individual and groups of samples.<ref>{{cite arXiv|last1=Zhang |first1=Tianwei |title=Privacy-preserving Machine Learning through Data Obfuscation |date=2018-07-12 |eprint=1807.01860 |last2=He |first2=Zecheng |last3=Lee |first3=Ruby B.|class=cs.CR }}</ref>

==See also==
{{Div col|colwidth=20em}}
* [[AARD code]]
* [[Spaghetti code]]
* [[Decompilation]]
* [[Esoteric programming language]]
* [[Quine (computing)|Quine]]
* [[Overlapping instructions]]
* [[Polymorphic code]]
* [[Hardware obfuscation]]
* [[Underhanded C Contest]]
* [[Source-to-source compiler]]
* [[ProGuard (software)|ProGuard (Java Obfuscator)]]
* [[Dotfuscator|Dotfuscator (.Net Obfuscator)]]
* [[Digital rights management]]
* [[Indistinguishability obfuscation]]
* [[Source code beautification]]
{{Div col end}}

==References==
{{Reflist}}

==Further reading==
{{Refbegin}}
* Seyyedhamzeh, Javad, [https://archive.today/20121227220116/http://www.csi.org.ir/paper?conf=30&author_name=&paper_name=&abstract=&page=14 ABCME: A Novel Metamorphic Engine], 17th National Computer Conference, Sharif University of Technology, Tehran, Iran, 2012.
* B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan and K. Yang. [https://web.archive.org/web/20060109155736/http://math.ias.edu/~boaz/Papers/obfuscate.ps "On the (Im)possibility of Obfuscating Programs"]. ''21st Annual International Cryptology Conference'', Santa Barbara, California, USA. Springer Verlag LNCS Volume 2139, 2001.
* {{Cite conference
|last=Mateas
|first=Michael
|author2=Nick Montfort
|title=A Box, Darkly: Obfuscation, Weird Languages, and Code Aesthetics
|book-title=Proceedings of the 6th Digital Arts and Culture Conference, IT University of Copenhagen, 1–3 December 2005
|pages=144–153
|url=http://nickm.com/cis/a_box_darkly.pdf
|access-date=June 28, 2008
|archive-date=June 23, 2008
|archive-url=https://web.archive.org/web/20080623200755/http://nickm.com/cis/a_box_darkly.pdf
|url-status=live
}}
{{Refend}}

==External links==
* [https://www.ioccc.org/ The International Obfuscated C Code Contest]
* [https://web.archive.org/web/20050308231232/http://www.cs.arizona.edu/~collberg/Research/Students/DouglasLow/obfuscation.html Protecting Java Code Via Code Obfuscation], ACM Crossroads, Spring 1998 issue
* [https://web.archive.org/web/20051124025132/http://www.cs.princeton.edu/~boaz/Papers/obf_informal.html Can we obfuscate programs?]
* [http://yury.name/obfuscation.html Yury Lifshits. Lecture Notes on Program Obfuscation (Spring'2005)]
* [[c2:BlackBoxComputation]]

{{Information security}}

{{DEFAULTSORT:Obfuscated Code}}
[[Category:Software obfuscation| ]]
[[Category:Source code]]
[[Category:Program transformation]]

[[es:Ofuscación#Informática]]