Are you referring to anti-debugging tricks or anti-disassembling tricks, or both?

The best way to prevent disassembling is to use self-modifying code. The only problem is that most high-level languages create code segments which are not writable. (I guess a workaround could be MapViewOfFile, but that would write the changes back to the exe file.)

E.g. in Delphi this code would AV:

```delphi
asm
  mov ebp, offset @ChangeHere
  mov eax, $102356CB;         // something arbitrary
  xor eax, $80B3C65B;         // makes eax contain 4 NOPs (90909090)
  mov dword ptr [ebp], eax;   // overwrite the jmp @ScrewTheDisAsm (and push/pop pair) with NOPs so it does not execute
  // be careful of the PIQ at this point...
  // This is where the AV is generated, because you are not allowed to write
  // to the code segment in the default EXE
@ChangeHere:
  jmp @ScrewTheDisAsm
  push eax
  pop eax
  jmp @PastTheScrew
@ScrewTheDisAsm:
  // this is just garbage that looks like dynamic code
  pop ebx
  call ebx
  cmp edx, 1
  jne @ScrewTheDisAsm
  db $ea;  // first byte of a jmp opcode (IDA can correctly handle this most of the time)
           // but out of interest the bytes that follow @PastTheScrew are encoded as part
           // of the jmp
@PastTheScrew:
  // Carry on Soldier
end;
```

Now if you edit the PE EXE file that Delphi produces and flag all the code segments as writable ... this code should run fine!

Other, much safer ways of fucking up disassemblers are to decode your code onto the stack and then make a jmp to esp ... thus executing the code on the stack.

... Etc. etc.

Nice topic ... we should pursue this one further.
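The post points out that the trick only runs once the code sections are flagged writable in the PE file. As an added example (not part of the original post), the Python function below reads a PE section table and reports sections that are both executable and writable, which is the trace that header edit leaves for anyone triaging the binary. The sample image and its `CODE`/`DATA` section names are constructed for the demonstration.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def writable_code_sections(image: bytes) -> list[str]:
    """Return names of sections that are both writable and code/executable."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, three dwords,
    # SizeOfOptionalHeader, Characteristics (20 bytes in total)
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size
    flagged = []
    for i in range(nsect):
        entry = table + 40 * i  # each section header is 40 bytes
        if entry + 40 > len(image):
            raise ValueError("truncated section table")
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", image, entry + 36)
        is_code = chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and chars & IMAGE_SCN_MEM_WRITE:
            flagged.append(name)
    return flagged


def build_sample(code_flags: int) -> bytes:
    """Constructed header-only image: one CODE section and one DATA section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    def sect(name: bytes, flags: int) -> bytes:
        return name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
    data_flags = 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return dos + b"PE\0\0" + coff + sect(b"CODE", code_flags) + sect(b"DATA", data_flags)


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
if __name__ == "__main__":
    print(writable_code_sections(build_sample(RX)))
    print(writable_code_sections(build_sample(RX | IMAGE_SCN_MEM_WRITE)))
```

The check looks only at section flags, so it does not cover the stack-decoding variant the post mentions, where the code runs from memory outside any section.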