Hiya,
D-Jester, I don't think his point is really about 'keys' of any sort since his obfuscation doesn't incorporate any such thing (correct me if I'm misunderstanding something though ;-) ).
The point here is to obfuscate the code flow and try to fool dumpers in the process since only one path is taken through the code on each run. I just can't see how this will work since if in all cases the code is presumably going to run, why will any dumper care whether it's obfuscated or not? A disassembler would be affected though.
So the first time the dumper gets case 1 which decrypts 1 piece of code, the rest of the cases stay encrypted (so any dump doesn't contain the decrypted other cases), on another run it gets case 3 and the others remain encrypted and so on.....
The weaknesses of this approach as I see it are twofold.
i). The manner in which you do the selection of a value for your switch statement;
and,
ii). Connecting each of the code block cases to actually do something useful and/or different in each case and that isn't very very obvious.
So this technique isn't really going to prevent even basic dumpers unless we need to care what happens inside each case.
Regards
CrackZ.
Last edited by CrackZ; 04-12-2005 at 09:02.
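To make the scheme under discussion concrete, here is a small model of it (added illustration, not code from this thread or from any protection the thread refers to): each switch case is a constructed byte string standing in for a code block, all blocks start "encrypted" with a toy single-byte XOR (an assumption, chosen only so the model runs offline), one run decrypts exactly the case the selector picked, and `dump()` returns what a process dumper would see afterwards. `single_run_dump` shows the intended effect (one decrypted block per dump), while `merged_dump_over_runs` shows CrackZ's objection: once every case is eventually taken, merging the dumps from those runs recovers every block, so the protection only holds for as long as some cases never execute.

```python
"""Toy model of a switch-based 'decrypt one case per run' obfuscation.

All values are constructed for illustration; the XOR 'cipher' is a stand-in
and has no relation to any real protector.
"""

# Constructed plaintext "code blocks", one per switch case.
PLAIN_BLOCKS = {
    1: b"case1: do_a",
    2: b"case2: do_b",
    3: b"case3: do_c",
}
KEY = 0x5A  # assumption: single-byte XOR stands in for whatever cipher the scheme uses


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with the key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


class ProtectedImage:
    """In-memory image: every case starts encrypted; running a case decrypts it in place."""

    def __init__(self) -> None:
        self.blocks = {k: xor_bytes(v) for k, v in PLAIN_BLOCKS.items()}
        self.executed: list[int] = []

    def run_once(self, case: int) -> bytes:
        """The switch: only the selected case is decrypted (and would be executed) this run."""
        if case not in self.blocks:
            raise ValueError(f"no such case: {case}")
        self.blocks[case] = xor_bytes(self.blocks[case])
        self.executed.append(case)
        return self.blocks[case]

    def dump(self) -> dict[int, bytes]:
        """Snapshot of the image as a process dumper would capture it right after the run."""
        return dict(self.blocks)


def decrypted_cases(dump: dict[int, bytes]) -> list[int]:
    """Which cases appear in plaintext in a given dump."""
    return sorted(k for k, v in dump.items() if v == PLAIN_BLOCKS[k])


def single_run_dump(case: int) -> list[int]:
    """Intended behaviour: a dump taken after one run exposes only that run's case."""
    img = ProtectedImage()
    img.run_once(case)
    return decrypted_cases(img.dump())


def merged_dump_over_runs(selection: list[int]) -> list[int]:
    """CrackZ's point: merge dumps from several runs, each taking one case.

    A block counts as recovered once any run left it decrypted, so as soon as
    the selector has taken every case at least once, nothing stays hidden.
    """
    recovered: dict[int, bytes] = {}
    for case in selection:
        img = ProtectedImage()          # fresh process each run, as in the scheme
        img.run_once(case)
        for k, v in img.dump().items():
            if v == PLAIN_BLOCKS[k]:
                recovered[k] = v
    return sorted(recovered)


if __name__ == "__main__":
    print("one run, case 1 ->", single_run_dump(1))            # [1]
    print("runs 1,3,2 merged ->", merged_dump_over_runs([1, 3, 2]))  # [1, 2, 3]
    print("runs 2,2 merged ->", merged_dump_over_runs([2, 2]))       # [2]
```

The model makes the two weaknesses visible: the quality of the selector (weakness i) only decides how many runs it takes before the merged view is complete, and if each case has to do something useful (weakness ii) then every case is eventually taken, so the one-block-per-dump property buys nothing against a dumper that is simply run more than once.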