Types of obfuscations include simple keyword substitution, use or non-use of whitespace to create artistic effects, and self-generating or heavily compressed programs. According to
Nick Montfort, techniques may include: • naming obfuscation, which includes naming variables in a meaningless or deceptive way; • data/code/comment confusion, which includes making some actual code look like comments or confusing syntax with data; • double coding, which can be displaying code in poetry form or interesting shapes. More sophisticated techniques that obfuscate a program at the semantic level through program transformations also exist (rather than at the source level). These include: • Control flow obfuscating transformations, such as merging the computation of unrelated expressions and splitting the computation of related expressions, randomizing the order of statements that can be computed in any order, and inserting predicates whose values are known to the obfuscator but are computed in non-obvious ways; • Data structure obfuscating transformations, such as modifying the structure of arrays and rearranging the inheritance graph; • Obfuscating transformations of the procedural structure of the code by inserting new procedural abstractions and changing existing procedural abstractions to completely change the code's structure; • Obfuscating the data flow of a program.
Example The following illustrates simple source-code obfuscation. Both programs print the same output, but the second version is intentionally harder to understand.
Clear code: • include int main(void) { int x = 5; int y = 7; printf("%d\n", x + y); return 0; }
Obfuscated code: • include int main(){int _=5,__=7;printf("%d\n",_-~__-1);} In the obfuscated version, meaningful variable names are removed and arithmetic expressions are rewritten in a less readable form, while preserving the program’s behavior.
Payload encoding for malware evasion XOR encryption and
Base64 encoding are two common methods used to hide
malware from
antivirus detection. Both work by changing how malicious code appears in its file form, which prevents security software from recognizing dangerous patterns. In XOR obfuscation, an attacker chooses a secret key and applies the
XOR bitwise operation to the malware binary. This transforms the executable into what looks like random data. Function names in the import table vanish,
PE headers become corrupted, and the entire file loses its structure. The obfuscated payload then gets embedded into a
dropper, which is a normal-looking executable that contains the hidden malware as a resource or data section. When a user runs the dropper, it performs the XOR operation again with the same key to reconstruct the original malware, then either executes it directly from memory or writes it to disk before running it. This process removes several indicators that antivirus software relies on. The
MZ headerthe 2-byte signature "MZ" which marks the beginning of every Windows gets completely obscured by the XOR operation. Security programs frequently scan for this two-byte signature when searching for embedded executables. Base64 encoding achieves similar results through a different method: it converts binary data into
ASCII text such that an executable file ends up looking like plain text (rather than like a program). Research from the 2020 Machine Learning Security Evasion Competition showed that these methods can bypass modern detection systems. Participants used combinations of XOR encoding, Base64 encoding, and dead code insertion to evade all three competition models Entropy-based detection also failed, and in some cases Base64 encoding actually lowered the
entropy compared to the original malware files. The simplicity of these techniques is what makes them particularly dangerous. XOR and Base64 encoding require only basic programming skills to implement, yet they proved effective against advanced
machine learning classifiers. This has pushed security researchers toward new defenses, including automated XOR key recovery tools and deeper analysis of embedded resources in executable files.
Automated tools A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools developed by academics, hobbyist tools, commercial products written by professionals, and
open-source software. Additionally, deobfuscation tools exist, aiming to reverse the obfuscation process. While most commercial obfuscation solutions transform either program source code or platform-independent bytecode, portable code (as used by
Java and
.NET), some also work directly on compiled binaries. • Some
Python examples can be found in the official Python programming FAQ and elsewhere. • The
movfuscator C compiler for the
x86_32 ISA uses only the
mov instruction in order to obfuscate.
Recreational Writing and reading obfuscated source code can be a
brain teaser. A number of programming contests reward the most creatively obfuscated code, such as the
International Obfuscated C Code Contest and the
Obfuscated Perl Contest. Short obfuscated
Perl programs may be used in
signatures of Perl programmers, known as JAPHs ("
Just another Perl hacker").
Cryptographic Cryptographers have explored the idea of obfuscating code so that reverse-engineering the code is
cryptographically hard. This is formalized in the many proposals for
indistinguishability obfuscation, a cryptographic primitive that, if possible to build securely, would allow one to construct many other kinds of cryptography, including completely novel types that no one knows how to make. (A stronger notion,
black-box obfuscation, is known to be impossible in general.) ==Disadvantages of obfuscation==