Obfuscating asm code
Joerg Sonnenberger
joerg at britannica.bec.de
Wed Oct 12 12:29:35 PDT 2005
On Wed, Oct 12, 2005 at 09:13:26PM +0200, Simon 'corecode' Schubert wrote:
> Sure is. Call/ret = it will come here again. Jmps = it will jump
> there. call *%ebx && there roll back two half stack frames (obviously
> you won't use real ebp frames), jump somewhere else, hop back to where
> you started just with a changed overflow flag so that the conditional
> jump will route differently... Maybe use irets or even SIGSEGV/SIGBUS
> handlers on purpose... Creativity!
Even better, don't roll back the stack pointer, but use it to create the
local stack frame :-)
Joerg