Assembler: let’s hide a few commands into a command
Today, I am going to talk about how you can hide the “spare" assembler commands in the regular code. This method is useful for complexity of disassembling the code, especially if the generation of "hidden" commands to automate. Tools: debugger - OllyDbg.
Let's look at the following code in which are hidden a lot of commands:
JNE SHORT 0000009E
(It may be difficult to plug in this fragment of code using the assembler OllyDbg, so I advise to use the built-in HEX-editor: “B8 31 C0 EB 01 BB 90 31 DB 90 39 D8 75 F3 90”)
Do you think this code will run indefinitely? As the EAX and EBX are not equal, and JNE command will make the transition into the area of first command until these two registers will not be the same. Let's set a break-point - NOP, and then run it and see the result.
Let’s set a break-point (the address is highlighted in red, the performance position is black), and press the start button.
The program flow stopped at the needed point after starting.
The program does not freeze and the value of register EAX and EBX are zero. How could this happen?
Let's look more closely at the code. The first command plugs in the value 1EBC031 in the EAX register, the second command plugs in the value 90DB3190 in EBX. CMP compares two registers. JNE makes the transition, if the register values do not match. Here is the funniest part, namely the transition is not made at the beginning of the first command, but it is made at the second byte of the first command. Let us trace the code by one command.
Let’s set it on the first position.
Commands are being run as usual.
In that way we get to the transition.
A short transition is done. What do we see? Two hidden commands: XOR EAX and EAX reset to zero EAX register.
This short transition gives the control to another inside MOV.
There is still extra space :)
So we zero out the second register.
We get to the verification. At this time EAX and EBX registers are zero.
The verification is successful.
The fact is that the machine code command is written in EAX register, so the code could not presented in the assembler language. The assembler commands have the different sizes. MOV EAX,1EBC031 command takes 5 bytes, while XOR EAX, EAX commands take about 2 bytes. Using the help of a binary shift commands and a semi-registers AL and AH we can plug in the whole EAX register.
I want to note that when the machine commands are plugged in like MOV parameter, it is needed to change the sequence of bytes, for example, 31CO (XOR EAX, EAX) command that is plugged in MOV command would look like this: MOV EAX, C031.
This method is used in many software protection systems, making it difficult to search for the transition. Also, the values written in the registers can be used for the simple encryption method XOR. I think it is possible to create a program that automates the process of recompiling a piece of assembler code for such small pieces that will complicate foe sure the process of reverse engineering.
In addition to 32-bit registers, 64-bit systems have 64-bit registers, such as RAX, RBX, RCX, and RDX. There can be placed twice much more commands.
Insertion of an assembler code into the application
There can be used the standard high-level development tools,
for C++ this code will look like this:
MOV EAX, someint
Var someint:Integer; somelong:Longint;
There can also be used OllyDbg, preliminary setting aside the space for the code. Do not forget that the programs in which a piece of assembler code is plugged in use some of the registers, so do not forget to store the registers before they will be changed (PUSH) and restore them after they will be completed (POP).
|Vote for this post
Bring it to the Main Page