Obfuscation - Proof of concept

To: retroer

But there the point is that there is no final layer of code. At any one point in time there is only a fragment of code available. If I had a psedo-code in the form:

select case
{
case 1: do blah;
case 2: do aaa;
case 3: do bbb;
}

At runtime, case 1 will only decode and run when it is selected, and after it finished it will have overwritten itself. I suppose if you knew there are three cases, you can go and capture each case directly, but I don't think image dumpers can grap it automatically and dump the code.

I thought most on-the-fly system merely decrypts a slap of code, runs it, and then deletes or encrypts it again (and hence allows capturing). Here, there is no encryption as such as the code runs itself. There is no distinction between real code and encrypted code. I know my example is obvious to crack because it is hand-written, but I can imagine a computer generated version.

To visu:
I just can't see what is there to dump, there is no point in time when the entire code. If the dumper saves each line that got executed, it will end up with quite a lot of invalid instructions (all the mov CS:IP, xxx ones), that is not conducive to auto dumping.

Aur

PS Thanks for the reply