EntropyReducer: Reduce Entropy And Obfuscate Your Payload

by do son ·

Obfuscate payload

EntropyReducer: Reduce The Entropy Of Your Payload And Obfuscate It With Serialized Linked Lists

How Does It Work

EntropyReducer algorithm is determined by BUFF_SIZE and NULL_BYTES values. The following is how would EntropyReducer organize your payload if BUFF_SIZE was set to 4, and NULL_BYTES to 2.

Obfuscation Algorithm

  • EntropyReducer first checks if the input raw payload is of a size that’s multiple of BUFF_SIZE, if not, it pads it to be as so.
  • It then takes every BUFF_SIZE chunk from the payload, and makes a linked list node for it, using the InitializePayloadList function, initializing the payload as a linked list.
  • The created node will have an empty buffer of size NULL_BYTES, that will be used to lower the entropy
  • At this point, although EntropyReducer completed its task by lowering the entropy of the payload, it doesn’t stop here. It then continues to randomize the order of each node in the linked list, breaking down the raw payload’s order. This step is done via a Merge Sort Algorithm that is implemented through the MergeSort function.
  • The sorted linked list is in random order because the value in which the linked list is sorted is the XOR value of the first three bytes of the raw payload, this value determines its position in the re-organized linked list, this step can be shown here
  • Since saving a linked list to a file is impossible due to the fact that it’s linked together by pointers. We are forced to serialize it.
  • Serialization of the generated linked list is done via the Obfuscate function here.
  • After that, the serialized data is ready to be written to the output file.

Deobfuscation Algorithm

  • Since the last step in the Obfuscation Algorithm was serializing the linked list, the first thing that must be done here is to deserialize the obfuscated payload, generating a linked list from it, this step is done here in the Deobfuscate function.
  • Next step is to sort the linked list using the node’s Id, which is done using the same Merge Sort Algorithm used before.
  • Now, the linked list is in the right order to re-construct the payload’s bytes as they should. So we simply strip the payload’s original bytes from each node, as done here.
  • Last step is to free the allocated nodes, which is done here.

Install & Use

Copyright (C) 2023 NUL0x4C

Tags: entropyEntropyReducerObfuscate payloadpayload