DragonFly BSD
DragonFly users List (threaded) for 2005-10

Re: Obfuscating asm code

From: Jonathon McKitrick <jcm@xxxxxxxxxxxxxxxxx>
Date: Wed, 12 Oct 2005 20:02:15 +0100

On Wed, Oct 12, 2005 at 08:44:59PM +0200, Simon 'corecode' Schubert wrote:

OK, here come the questions  :-)

: Obfuscation is not easy.  The best stuff I've seen was a combination of 
: intra-command jumps (all over, every second command or such) with 

So here you mean something like:
	mov eax,ebx
	jmp .next
	dw 0xc705
.next:
	.....

Right?  So then disassembling sees the 'dw' value as an instruction, and
garbles the rest of the disassembly, right?

: self-modifying code (close-reach for pipeline tricks and out of pipeline 

1.  You have to modify the binary to allow writing to the executable area,

2.  Won't pipeline tricks run differently on different CPUs?

: range) and doubly used commands (depending on how it was jumped to).  If 

So the same series of bytes does 2 different things depending on where you
jump into it?  Ouch.

: this stuff is all over the binary it can be really tedious work to 
: figure out how it works.  Oh and sprinkle the code with function calls 
: that never return (breaking common execution flow) and with 

This is harder to follow than call/ret or jmps?

'What's good for the goose is good for the gander.
What the hell is a gander, anyway?' - George Costanza
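
Added example (not part of the original message or of either poster's code): a toy Python decoder, covering only the few 32-bit x86 opcodes involved, run over the snippet above to show why the `dw 0xc705` bytes derail a linear-sweep disassembly while following the jump recovers the real instructions. The three instructions after .next, the function names, and the simplification to a single path (only `jmp short` and `ret` affect flow) are assumptions made for illustration.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample: the message's snippet assembled for 32-bit x86. The three
# instructions at .next are made up to stand in for the elided code.
#   0: 89 d8  mov eax, ebx       6: 31 c0  xor eax, eax   (.next)
#   2: eb 02  jmp short .next    8: 43     inc ebx
#   4: 05 c7  dw 0xc705 (stored little-endian; 05 opens "add eax, imm32")
CODE = bytes.fromhex("89d8eb0205c731c043c3")   # final c3 at offset 9 is ret

def decode(code, off):
    """Toy decoder for the opcodes used here: (text, length, jump_target)."""
    op = code[off]
    if op in (0x89, 0x31) and off + 1 < len(code) and code[off + 1] >= 0xC0:
        modrm, name = code[off + 1], ("mov" if op == 0x89 else "xor")
        return f"{name} {REGS[modrm & 7]}, {REGS[(modrm >> 3) & 7]}", 2, None
    if op == 0xEB and off + 1 < len(code):
        target = off + 2 + struct.unpack_from("b", code, off + 1)[0]
        return f"jmp {target:#x}", 2, target
    if op == 0x05 and off + 5 <= len(code):
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"add eax, {imm:#x}", 5, None
    if 0x40 <= op <= 0x47:
        return f"inc {REGS[op & 7]}", 1, None
    if op == 0xC3:
        return "ret", 1, None
    return f"db {op:#04x}", 1, None   # anything else: emit as a data byte

def linear_sweep(code):
    """Decode byte after byte from offset 0, as a naive disassembler does."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out

def recursive_traversal(code, entry=0):
    """Decode only the offsets execution reaches, following each jump."""
    out, off, seen = [], entry, set()
    while 0 <= off < len(code) and off not in seen:
        seen.add(off)
        text, length, target = decode(code, off)
        out.append((off, text))
        if text == "ret":
            break
        off = target if target is not None else off + length
    return out
```

linear_sweep(CODE) reports `add eax, 0x43c031c7` at offset 4 and never shows the xor/inc pair, because the junk opcode swallows their bytes as its immediate. recursive_traversal(CODE) skips offsets 4-5 and lists the instructions at .next as they execute.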
