Obfuscating asm code
George Georgalis
george at galis.org
Wed Oct 12 17:52:28 PDT 2005
On Wed, Oct 12, 2005 at 09:27:58PM +0200, Joerg Sonnenberger wrote:
> On Wed, Oct 12, 2005 at 09:13:26PM +0200, Simon 'corecode' Schubert wrote:
>> Sure is. Call/ret = it will come here again. Jmps = it will jump
>> there. call *%ebx && there roll back two half stack frames (obviously
>> you won't use real ebp frames), jump somewhere else, hop back to where
>> you started just with a changed overflow flag so that the conditional
>> jump will route differently... Maybe use irets or even SIGSEGV/SIGBUS
>> handlers on purpose... Creativity!
>
> Even better, don't roll back the stack pointer, but use it to create the
> local stack frame :-)
I realize this is an answer to a different question, but may be of interest anyway.
http://mindprod.com/jgloss/unmain.html
How To Write Unmaintainable Code
http://mindprod.com/jgloss/unmainobfuscation.html
Oh, a special section on obfuscation...
// George
--
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george at xxxxxxxxx
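Two of the tricks Simon lists above (a call whose return slot is rewritten so `ret` does not come back to the instruction after the call, and a conditional jump steered by an overflow flag set on purpose) in one small function. This is an added example written for this page, not code from anyone in the thread; it assumes GCC or clang inline asm on x86-64 with the SysV ABI, and the function name `obfuscated_inc` is made up for the illustration. On other targets it degrades to a plain `x + 1`.

```c
#include <stdio.h>

/*
 * Added example (not code from the thread). Computes x + 1, but routes
 * control through two of the tricks discussed in the quoted reply:
 *   1. a call whose return slot is rewritten so `ret` lands somewhere a
 *      static reader of the call site would not expect, and
 *   2. a conditional jump steered by an overflow flag we set on purpose,
 *      so it always goes one way while looking data-dependent.
 * Assumes GCC/clang inline asm on x86-64 (SysV ABI); other targets get a
 * plain fallback so the function still works everywhere.
 */
long obfuscated_inc(long x)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    long out;
    __asm__ volatile(
        /* Move below the 128-byte red zone: the compiler may keep this
         * function's own temporaries there, and `call` pushes onto it. */
        "subq  $128, %%rsp\n\t"
        "call  1f\n\t"              /* pushes the address of the decoy below */
        "movq  $-1, %0\n\t"         /* decoy: 'obviously' where ret comes back to */
        "jmp   4f\n\t"
        "1:\n\t"
        "leaq  2f(%%rip), %%rax\n\t"
        "movq  %%rax, (%%rsp)\n\t"  /* overwrite the pushed return address */
        "ret\n\t"                   /* pops it: lands at 2:, not at the decoy */
        "2:\n\t"
        "movl  $0x7fffffff, %%eax\n\t"
        "addl  $1, %%eax\n\t"       /* INT_MAX + 1: signed overflow, OF = 1 */
        "jo    3f\n\t"              /* always taken, independent of x */
        "movq  $-2, %0\n\t"         /* never executed */
        "jmp   4f\n\t"
        "3:\n\t"
        "leaq  1(%1), %0\n\t"       /* the real work: out = x + 1 */
        "4:\n\t"
        "addq  $128, %%rsp\n\t"     /* restore the stack pointer we moved */
        : "=&r"(out)
        : "r"(x)
        : "rax", "memory", "cc");
    return out;
#else
    return x + 1;                   /* portable fallback, no obfuscation */
#endif
}

int main(void)
{
    printf("obfuscated_inc(41) = %ld\n", obfuscated_inc(41));
    return 0;
}
```

A disassembler that follows `call` statically will present `movq $-1` as the continuation and `jo` as a real branch; a debugger single-stepping the function sees the truth immediately, which is the usual limit of control-flow obfuscation. Note that rewriting a pushed return address is exactly what a CET shadow stack is designed to catch, so on a process with user shadow stacks enabled the `ret` here faults instead of landing at `2:`.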