DragonFly BSD
DragonFly users List (threaded) for 2005-10

Re: Obfuscating asm code

From: "Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date: Wed, 12 Oct 2005 21:13:26 +0200

Jonathon McKitrick wrote:
: Obfuscation is not easy. The best stuff I've seen was a combination of
: intra-command jumps (all over, every second command or such) with

So here you mean something like:
mov eax,ebx
jmp .next
dw 0xc705

Right?  So then disassembling sees the 'dw' value as an instruction, and
garbles the rest of the disassembly, right?

I'd use conditional jumps so that an intelligent disassembler can't deduce the execution flow. But basically that's how I meant it.

: self-modifying code (close-reach for pipeline tricks and out of pipeline

1.  You have to modify the binary to allow writing to the executable area,

No, you can mmap() pages with executable rights.

2. Won't pipeline tricks run differently on different CPUs?

Yes, but some basics will work the same on (almost?) all 386+.

: range) and doubly used commands (depending on how it was jumped to). If

So the same series of bytes does 2 different things depending on where you
jump into it?  Ouch.

Right, like above, just instruction flows that run in parallel, interwoven. Happy hacking :)

: this stuff is all over the binary it can be a really tedious work to
: figure out how it works. Oh and sprinkle the code with function calls
: that never return (breaking common execution flow) and with

This is harder to follow than call/ret or jmps?

Sure is. Call/ret = it will come here again. Jmps = it will jump there. call *%ebx && there roll back two half stack frames (obviously you won't use real ebp frames), jump somewhere else, hop back to where you started just with a changed overflow flag so that the conditional jump will route differently... Maybe use irets or even SIGSEGV/SIGBUS handlers on purpose... Creativity!

What are you doing anyways?


Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low $$$ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
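As an added illustration that is not part of this thread, the toy Python decoder below replays the "mov eax,ebx / jmp .next / dw 0xc705" snippet and shows which analysis strategy it defeats: a linear-sweep disassembler decodes the junk word as `add eax, imm32` and swallows the real instructions behind it, while a flow-following (recursive-descent) one lands on `.next` untouched. It also goes one step past the snippet by decoding `jz rel8`, whose two successors are why the reply above prefers conditional jumps. The byte encodings, the `.next` target and the instructions after it are constructed for the demo, and `dw 0xc705` is taken as its little-endian bytes 05 C7.

```python
# Added example, not from the thread: a toy decoder for the opcodes needed to replay the trick.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed: mov eax,ebx ; jmp .next ; dw 0xc705 (little-endian, 0x05 first) ; .next: nop ; mov ebx,eax ; ret
CODE = bytes([0x89, 0xD8,   # 0: mov eax, ebx
              0xEB, 0x02,   # 2: jmp .next (rel8 +2 -> offset 6)
              0x05, 0xC7,   # 4: dw 0xc705, never executed
              0x90,         # 6: .next: nop
              0x89, 0xC3,   # 7: mov ebx, eax
              0xC3])        # 9: ret

def decode(code, off):
    """Decode one instruction at off: (text, length, successor offsets)."""
    op = code[off]
    if op == 0x89 and off + 1 < len(code) and code[off + 1] >> 6 == 3:
        modrm = code[off + 1]                  # mov r/m32, r32, register form
        return f"mov {REGS[modrm & 7]}, {REGS[(modrm >> 3) & 7]}", 2, [off + 2]
    if op in (0xEB, 0x74) and off + 1 < len(code):   # jmp rel8 / jz rel8
        rel = code[off + 1] - 256 if code[off + 1] > 127 else code[off + 1]
        target, name = off + 2 + rel, "jmp" if op == 0xEB else "jz"
        # jz has two successors, so flow-following decoders also read the junk after it.
        return f"{name} 0x{target:x}", 2, [target] if op == 0xEB else [off + 2, target]
    if op == 0x05 and off + 5 <= len(code):   # add eax, imm32 swallows 4 bytes
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return f"add eax, 0x{imm:x}", 5, [off + 5]
    if op == 0x90:
        return "nop", 1, [off + 1]
    if op == 0xC3:
        return "ret", 1, []
    return f"db 0x{op:02x}", 1, [off + 1]      # unknown opcode: one data byte

def linear_sweep(code):
    # Decode straight through the bytes, the way a simple sweep does.
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out

def recursive_descent(code, entry=0):
    """Decode only what is reachable by following control flow from entry."""
    out, work = {}, [entry]
    while work:
        off = work.pop()
        if off in out or not 0 <= off < len(code):
            continue
        text, _, succ = decode(code, off)
        out[off] = text
        work.extend(succ)
    return sorted(out.items())
```

Running both over `CODE` shows the sweep listing `add eax, 0xc38990c7` in place of the nop and the second mov, while the flow-following listing never sees the junk word at all.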
