flat assembler
Message board for the users of flat assembler.

Index > Main > Assembler programming tricks

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
CandyMan



Joined: 04 Sep 2009
Posts: 414
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 20 Jun 2023, 15:10
Do you know any instructions that in combination give an interesting effect? It can be such a combination as, for example, a jump to the middle of another instruction that changes its operation. I think the engineers designing the processors thought that such things were not possible. A 1 byte instruction would be useful to test the ZF flag, as SALC does with the CF flag.

jecxnz:
Code:
inc ecx
loop Target    


test al,byte (skips next instruction):
Code:
db 0xA8
db ? - any 1-byte instruction    

_________________
smaller is better
Post 20 Jun 2023, 15:10
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 20 Jun 2023, 15:24
There are also the extended nops:
Code:
db 0x0f, 0x1f, 0x80 ; nop [eax+?]
dd ? ; any four byte sequence    
Post 20 Jun 2023, 15:24
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4308
Location: vpcmpistri
bitRAKE 20 Jun 2023, 20:19
Skip call instruction:
Code:
db 0x81
call aFunc    
... rather than jump over a CALL instruction it can be skipped. The processor sees SUB EAX, <relative offset>.

... this one applies to 16/32/64-bit code the same.

_________________
¯\(°_o)/¯ AI may [not] have aided with the above reply.
Post 20 Jun 2023, 20:19
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 21 Jun 2023, 05:22
This prints "Hello world"
Code:
format elf64 executable
mov rax,0x3D66206F6C6C6548
mov rax,0x3D660A646C726F57
mov rax,0x3D669000000005E8
mov rax,0x3D6690909090905B
mov rax,0x3D66909090DE8948
mov rax,0x3D669090E7C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D66909090DE8948
mov rax,0x3D669090F1C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D6690000000E7B8
mov rax,0x3D6690909090050F
jmp $-0x9e    
Bonus points to anyone that can figure out how it works. Smile
Post 21 Jun 2023, 05:22
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 21 Jun 2023, 11:59
revolution wrote:
This prints "Hello world"
Code:
format elf64 executable
mov rax,0x3D66206F6C6C6548
mov rax,0x3D660A646C726F57
mov rax,0x3D669000000005E8
mov rax,0x3D6690909090905B
mov rax,0x3D66909090DE8948
mov rax,0x3D669090E7C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D66909090DE8948
mov rax,0x3D669090F1C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D6690000000E7B8
mov rax,0x3D6690909090050F
jmp $-0x9e    
Bonus points to anyone that can figure out how it works. Smile


M/o/Vfuscator.

https://github.com/xoreaxeaxeax/movfuscator wrote:
....compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.
Post 21 Jun 2023, 11:59
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 21 Jun 2023, 12:25
The code is not the movfuscator.
Post 21 Jun 2023, 12:25
View user's profile Send private message Visit poster's website Reply with quote
redsock



Joined: 09 Oct 2009
Posts: 439
Location: Australia
redsock 21 Jun 2023, 20:40
revolution wrote:
Bonus points to anyone that can figure out how it works. Smile
This is pretty cool I must say Smile Carefully constructed byte sequences and offsets that make debugging fun and interesting. Nicely done! I cheated and added a breakpoint to it just to make debugging easier so my offsets and gdb output aren't 100% match for the plain one but here is my gdb session:
Code:
(No debugging symbols found in ./revo)
(gdb) run
Starting program: /dev/shm/revo 

Program received signal SIGTRAP, Trace/breakpoint trap.
0x0000000000400079 in ?? ()
(gdb) x/20i 0x400079
=> 0x400079:    nop
   0x40007a:    movabs $0x3d66206f6c6c6548,%rax
   0x400084:    movabs $0x3d660a646c726f57,%rax
   0x40008e:    movabs $0x3d669000000005e8,%rax
   0x400098:    movabs $0x3d6690909090905b,%rax
   0x4000a2:    movabs $0x3d66909090de8948,%rax
   0x4000ac:    movabs $0x3d669090e7c68348,%rax
   0x4000b6:    movabs $0x3d669000000006ba,%rax
   0x4000c0:    movabs $0x3d669000000001b8,%rax
   0x4000ca:    movabs $0x3d669000000001bf,%rax
   0x4000d4:    movabs $0x3d6690909090050f,%rax
   0x4000de:    movabs $0x3d66909090de8948,%rax
   0x4000e8:    movabs $0x3d669090f1c68348,%rax
   0x4000f2:    movabs $0x3d669000000006ba,%rax
   0x4000fc:    movabs $0x3d669000000001b8,%rax
   0x400106:    movabs $0x3d669000000001bf,%rax
   0x400110:    movabs $0x3d6690909090050f,%rax
   0x40011a:    movabs $0x3d6690000000e7b8,%rax
   0x400124:    movabs $0x3d6690909090050f,%rax
   0x40012e:    jmp    0x400090
(gdb) b *0x40012e
Breakpoint 1 at 0x40012e
(gdb) cont
Continuing.

Breakpoint 1, 0x000000000040012e in ?? ()
(gdb) si
0x0000000000400090 in ?? ()
(gdb) x/62i 0x400090
=> 0x400090:    call   0x40009a
   0x400095:    nop
   0x400096:    cmp    $0xb848,%ax
   0x40009a:    pop    %rbx
   0x40009b:    nop
   0x40009c:    nop
   0x40009d:    nop
   0x40009e:    nop
   0x40009f:    nop
   0x4000a0:    cmp    $0xb848,%ax
   0x4000a4:    mov    %rbx,%rsi
   0x4000a7:    nop
   0x4000a8:    nop
   0x4000a9:    nop
   0x4000aa:    cmp    $0xb848,%ax
   0x4000ae:    add    $0xffffffffffffffe7,%rsi
   0x4000b2:    nop
   0x4000b3:    nop
   0x4000b4:    cmp    $0xb848,%ax
   0x4000b8:    mov    $0x6,%edx
   0x4000bd:    nop
   0x4000be:    cmp    $0xb848,%ax
   0x4000c2:    mov    $0x1,%eax
   0x4000c7:    nop
   0x4000c8:    cmp    $0xb848,%ax
   0x4000cc:    mov    $0x1,%edi
   0x4000d1:    nop
   0x4000d2:    cmp    $0xb848,%ax
   0x4000d6:    syscall
   0x4000d8:    nop
   0x4000d9:    nop
   0x4000da:    nop
   0x4000db:    nop
   0x4000dc:    cmp    $0xb848,%ax
--Type <RET> for more, q to quit, c to continue without paging--
   0x4000e0:    mov    %rbx,%rsi
   0x4000e3:    nop
   0x4000e4:    nop
   0x4000e5:    nop
   0x4000e6:    cmp    $0xb848,%ax
   0x4000ea:    add    $0xfffffffffffffff1,%rsi
   0x4000ee:    nop
   0x4000ef:    nop
   0x4000f0:    cmp    $0xb848,%ax
   0x4000f4:    mov    $0x6,%edx
   0x4000f9:    nop
   0x4000fa:    cmp    $0xb848,%ax
   0x4000fe:    mov    $0x1,%eax
   0x400103:    nop
   0x400104:    cmp    $0xb848,%ax
   0x400108:    mov    $0x1,%edi
   0x40010d:    nop
   0x40010e:    cmp    $0xb848,%ax
   0x400112:    syscall
   0x400114:    nop
   0x400115:    nop
   0x400116:    nop
   0x400117:    nop
   0x400118:    cmp    $0xb848,%ax
   0x40011c:    mov    $0xe7,%eax
   0x400121:    nop
   0x400122:    cmp    $0xb848,%ax
   0x400126:    syscall
(gdb) cont
Continuing.
Hello World
[Inferior 1 (process 6186) exited with code 01]
    

_________________
2 Ton Digital - https://2ton.com.au/
Post 21 Jun 2023, 20:40
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 22 Jun 2023, 02:10
+2

Bonus points duly awarded. Razz
Post 22 Jun 2023, 02:10
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 22 Jun 2023, 04:34
Thank @redsock for the clue, and @revolution for the obfuscated code.

So the "jmp $-0x9e" instruction would fix the disassembly.

The following code if compiled can be disassembled correctly in IDA.

Code:
format elf64 executable
mov rax,0x3D66206F6C6C6548
mov rax,0x3D660A646C726F57

;mov rax,0x3D669000000005E8

;db 0x48
;db 0xb8
nop
nop
dq 0x3D669000000005E8 

mov rax,0x3D6690909090905B
mov rax,0x3D66909090DE8948
mov rax,0x3D669090E7C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D66909090DE8948
mov rax,0x3D669090F1C68348
mov rax,0x3D669000000006BA
mov rax,0x3D669000000001B8
mov rax,0x3D669000000001BF
mov rax,0x3D6690909090050F
mov rax,0x3D6690000000E7B8
mov rax,0x3D6690909090050F
;jmp $-0x9e              


Last edited by Flier-Mate on 22 Jun 2023, 06:08; edited 1 time in total
Post 22 Jun 2023, 04:34
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 22 Jun 2023, 04:36
Full disassembly:

Code:
0000000000400078                 public start
LOAD:0000000000400078 start           proc near               ; DATA XREF: LOAD:0000000000400018↑o
LOAD:0000000000400078                 mov     rax, 3D66206F6C6C6548h
LOAD:0000000000400082                 mov     rax, 3D660A646C726F57h
LOAD:000000000040008C                 nop
LOAD:000000000040008D                 nop
LOAD:000000000040008E                 call    loc_400098
LOAD:0000000000400093                 nop
LOAD:0000000000400094                 cmp     ax, 0B848h
LOAD:0000000000400094 start           endp
LOAD:0000000000400094
LOAD:0000000000400098
LOAD:0000000000400098 loc_400098:                             ; CODE XREF: start+16↑p
LOAD:0000000000400098                 pop     rbx
LOAD:0000000000400099                 nop
LOAD:000000000040009A                 nop
LOAD:000000000040009B                 nop
LOAD:000000000040009C                 nop
LOAD:000000000040009D                 nop
LOAD:000000000040009E                 cmp     ax, 0B848h
LOAD:00000000004000A2                 mov     rsi, rbx
LOAD:00000000004000A5                 nop
LOAD:00000000004000A6                 nop
LOAD:00000000004000A7                 nop
LOAD:00000000004000A8                 cmp     ax, 0B848h
LOAD:00000000004000AC                 add     rsi, 0FFFFFFFFFFFFFFE7h
LOAD:00000000004000B0                 nop
LOAD:00000000004000B1                 nop
LOAD:00000000004000B2                 cmp     ax, 0B848h
LOAD:00000000004000B6                 mov     edx, 6
LOAD:00000000004000BB                 nop
LOAD:00000000004000BC                 cmp     ax, 0B848h
LOAD:00000000004000C0                 mov     eax, 1
LOAD:00000000004000C5                 nop
LOAD:00000000004000C6                 cmp     ax, 0B848h
LOAD:00000000004000CA                 mov     edi, 1
LOAD:00000000004000CF                 nop
LOAD:00000000004000D0                 cmp     ax, 0B848h
LOAD:00000000004000D4                 syscall                 ; LINUX - sys_write
LOAD:00000000004000D6                 nop
LOAD:00000000004000D7                 nop
LOAD:00000000004000D8                 nop
LOAD:00000000004000D9                 nop
LOAD:00000000004000DA                 cmp     ax, 0B848h
LOAD:00000000004000DE                 mov     rsi, rbx
LOAD:00000000004000E1                 nop
LOAD:00000000004000E2                 nop
LOAD:00000000004000E3                 nop
LOAD:00000000004000E4                 cmp     ax, 0B848h
LOAD:00000000004000E8                 add     rsi, 0FFFFFFFFFFFFFFF1h
LOAD:00000000004000EC                 nop
LOAD:00000000004000ED                 nop
LOAD:00000000004000EE                 cmp     ax, 0B848h
LOAD:00000000004000F2                 mov     edx, 6
LOAD:00000000004000F7                 nop
LOAD:00000000004000F8                 cmp     ax, 0B848h
LOAD:00000000004000FC                 mov     eax, 1
LOAD:0000000000400101                 nop
LOAD:0000000000400102                 cmp     ax, 0B848h
LOAD:0000000000400106                 mov     edi, 1
LOAD:000000000040010B                 nop
LOAD:000000000040010C                 cmp     ax, 0B848h
LOAD:0000000000400110                 syscall                 ; LINUX - sys_write
LOAD:0000000000400112                 nop
LOAD:0000000000400113                 nop
LOAD:0000000000400114                 nop
LOAD:0000000000400115                 nop
LOAD:0000000000400116                 cmp     ax, 0B848h
LOAD:000000000040011A                 mov     eax, 0E7h
LOAD:000000000040011F                 nop
LOAD:0000000000400120                 cmp     ax, 0B848h
LOAD:0000000000400124                 syscall                 ; LINUX - sys_exit_group
LOAD:0000000000400126                 nop
LOAD:0000000000400127                 nop
LOAD:0000000000400128                 nop
LOAD:0000000000400129                 nop    


The "Hello Word" is hid in the first two MOV instruction:
Code:
LOAD:0000000000400078                 mov     rax, 3D66206F6C6C6548h
LOAD:0000000000400082                 mov     rax, 3D660A646C726F57h
    


0x48 = H
0x65 = e
0x6C = l
0x6C = l
0x6F = o
0x20 = (space)
0x57 = W
0x6F = o
0x72 = r
0x6C = l
0x64 = d
0x0A = (linefeed)

Cleverly done!
Post 22 Jun 2023, 04:36
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 22 Jun 2023, 17:06
The source.
Code:
format elf64 executable

SYS_WRITE       = 1
SYS_EXIT_GROUP  = 231
STD_OUTPUT      = 1
entry main

macro encode inst& {
        local   name, ..start, length, bite
        db      0x48, 0xb8
        virtual
            name::
                ..start:
                inst
                length = $ - $$
        end virtual
        assert length <= 6
        while % <= 6
                if % <= length
                        load bite byte from name:..start+%-1
                else
                        bite = 0x90
                end if
                db bite
        end while
        db 0x66, 0x3d           ; can also use 0x0f, 0x18
}

main:
label hello at $+2
encode  db      'Hello '
label world at $+2
encode  db      'World',10
label rel at $+7
label begin at $+2
encode  call    pc
label pc at $+2
encode  pop     rbx
encode  mov     rsi,rbx
encode  add     rsi,hello-rel
encode  mov     edx,6
encode  mov     eax,SYS_WRITE
encode  mov     edi,STD_OUTPUT
encode  syscall
encode  mov     rsi,rbx
encode  add     rsi,world-rel
encode  mov     edx,6
encode  mov     eax,SYS_WRITE
encode  mov     edi,STD_OUTPUT
encode  syscall
encode  mov     eax,SYS_EXIT_GROUP
encode  syscall
        jmp     begin    
Post 22 Jun 2023, 17:06
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 22 Jun 2023, 18:41
revolution wrote:
The source.
Code:
format elf64 executable

SYS_WRITE       = 1
SYS_EXIT_GROUP  = 231
STD_OUTPUT      = 1
entry main

macro encode inst& {
        local   name, ..start, length, bite
        db      0x48, 0xb8
        virtual
            name::
                ..start:
                inst
                length = $ - $$
        end virtual
        assert length <= 6
        while % <= 6
                if % <= length
                        load bite byte from name:..start+%-1
                else
                        bite = 0x90
                end if
                db bite
        end while
        db 0x66, 0x3d           ; can also use 0x0f, 0x18
}

main:
label hello at $+2
encode  db      'Hello '
label world at $+2
encode  db      'World',10
label rel at $+7
label begin at $+2
encode  call    pc
label pc at $+2
encode  pop     rbx
encode  mov     rsi,rbx
encode  add     rsi,hello-rel
encode  mov     edx,6
encode  mov     eax,SYS_WRITE
encode  mov     edi,STD_OUTPUT
encode  syscall
encode  mov     rsi,rbx
encode  add     rsi,world-rel
encode  mov     edx,6
encode  mov     eax,SYS_WRITE
encode  mov     edi,STD_OUTPUT
encode  syscall
encode  mov     eax,SYS_EXIT_GROUP
encode  syscall
        jmp     begin    


Excellent!!
Post 22 Jun 2023, 18:41
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 23 Jun 2023, 02:30
A variation on a theme. This is the same idea, but is trickier to reverse because the jmp will resynchronise the disassembler back to showing mov rax,.. after each instruction.
Code:
format elf64 executable
mov rax,0x02EB206F6C6C6548
mov rax,0x02EB0A646C726F57
mov rax,0x9003EB00000005E8
mov rax,0x909090909007EB5B
mov rax,0x909004EBE7738D48
mov rax,0x9003EB00000006BA
mov rax,0x9003EB00000001B8
mov rax,0x9003EB00000001BF
mov rax,0x9090909006EB050F
mov rax,0x909004EBF1738D48
mov rax,0x9003EB00000006BA
mov rax,0x9003EB00000001B8
mov rax,0x9003EB00000001BF
mov rax,0x9090909006EB050F
mov rax,0x9003EB000000E7B8
mov rax,0x9090909006EB050F
jmp $$ + 22    
Post 23 Jun 2023, 02:30
View user's profile Send private message Visit poster's website Reply with quote
redsock



Joined: 09 Oct 2009
Posts: 439
Location: Australia
redsock 23 Jun 2023, 02:38
revolution wrote:
+2

Bonus points duly awarded. Razz


x2!! HAH, this new version is a lot better I reckon. Who wants to do the narrative about why this is so confusing to our poor helpless debugger? haha

_________________
2 Ton Digital - https://2ton.com.au/
Post 23 Jun 2023, 02:38
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jun 2023, 06:43
revolution wrote:
A variation on a theme. This is the same idea, but is trickier to reverse because the jmp will resynchronise the disassembler back to showing mov rax,.. after each instruction.
Code:
format elf64 executable
mov rax,0x02EB206F6C6C6548
mov rax,0x02EB0A646C726F57
mov rax,0x9003EB00000005E8
mov rax,0x909090909007EB5B
mov rax,0x909004EBE7738D48
mov rax,0x9003EB00000006BA
mov rax,0x9003EB00000001B8
mov rax,0x9003EB00000001BF
mov rax,0x9090909006EB050F
mov rax,0x909004EBF1738D48
mov rax,0x9003EB00000006BA
mov rax,0x9003EB00000001B8
mov rax,0x9003EB00000001BF
mov rax,0x9090909006EB050F
mov rax,0x9003EB000000E7B8
mov rax,0x9090909006EB050F
jmp $$ + 22    


Cool ! This time IDA tells sp-analysis failed, after I split the third MOV instruction to be preceded with two NOPs.

The graph view of IDA Free failed (as shown in "After" screenshot below), but the text view still shows the full disassembly.

Code:
                public start
LOAD:0000000000400078 start           proc near               ; DATA XREF: LOAD:0000000000400018↑o
LOAD:0000000000400078
LOAD:0000000000400078 ; FUNCTION CHUNK AT LOAD:0000000000400098 SIZE 00000003 BYTES
LOAD:0000000000400078
LOAD:0000000000400078                 mov     rax, 2EB206F6C6C6548h
LOAD:0000000000400082                 mov     rax, 2EB0A646C726F57h
LOAD:000000000040008C                 nop
LOAD:000000000040008D                 nop
LOAD:000000000040008E
LOAD:000000000040008E loc_40008E:                             ; CODE XREF: LOAD:loc_400118↓j
LOAD:000000000040008E                 call    loc_400098
LOAD:0000000000400093                 jmp     short loc_400098
LOAD:0000000000400093 start           endp ; sp-analysis failed
LOAD:0000000000400093
LOAD:0000000000400093 ; ---------------------------------------------------------------------------
LOAD:0000000000400095                 align 2
LOAD:0000000000400096                 dw 0B848h
LOAD:0000000000400098 ; ---------------------------------------------------------------------------
LOAD:0000000000400098 ; START OF FUNCTION CHUNK FOR start
LOAD:0000000000400098
LOAD:0000000000400098 loc_400098:                             ; CODE XREF: start:loc_40008E↑p
LOAD:0000000000400098                                         ; start+1B↑j
LOAD:0000000000400098                 pop     rbx
LOAD:0000000000400099                 jmp     short loc_4000A2
LOAD:0000000000400099 ; END OF FUNCTION CHUNK FOR start
LOAD:0000000000400099 ; ---------------------------------------------------------------------------
LOAD:000000000040009B                 align 20h
LOAD:00000000004000A0                 db 48h, 0B8h
LOAD:00000000004000A2 ; ---------------------------------------------------------------------------
LOAD:00000000004000A2
LOAD:00000000004000A2 loc_4000A2:                             ; CODE XREF: start+21↑j
LOAD:00000000004000A2                 lea     rsi, [rbx-19h]
LOAD:00000000004000A6                 jmp     short loc_4000AC
LOAD:00000000004000A6 ; ---------------------------------------------------------------------------
LOAD:00000000004000A8                 db 2 dup(90h)
LOAD:00000000004000AA                 dw 0B848h
LOAD:00000000004000AC ; ---------------------------------------------------------------------------
LOAD:00000000004000AC
LOAD:00000000004000AC loc_4000AC:                             ; CODE XREF: LOAD:00000000004000A6↑j
LOAD:00000000004000AC                 mov     edx, 6
LOAD:00000000004000B1                 jmp     short loc_4000B6
LOAD:00000000004000B1 ; ---------------------------------------------------------------------------
LOAD:00000000004000B3                 align 4
LOAD:00000000004000B4                 db 48h, 0B8h
LOAD:00000000004000B6 ; ---------------------------------------------------------------------------
LOAD:00000000004000B6
LOAD:00000000004000B6 loc_4000B6:                             ; CODE XREF: LOAD:00000000004000B1↑j
LOAD:00000000004000B6                 mov     eax, 1
LOAD:00000000004000BB                 jmp     short loc_4000C0
LOAD:00000000004000BB ; ---------------------------------------------------------------------------
LOAD:00000000004000BD                 align 2
LOAD:00000000004000BE                 dw 0B848h
LOAD:00000000004000C0 ; ---------------------------------------------------------------------------
LOAD:00000000004000C0
LOAD:00000000004000C0 loc_4000C0:                             ; CODE XREF: LOAD:00000000004000BB↑j
LOAD:00000000004000C0                 mov     edi, 1
LOAD:00000000004000C5                 jmp     short loc_4000CA
LOAD:00000000004000C5 ; ---------------------------------------------------------------------------
LOAD:00000000004000C7                 align 8
LOAD:00000000004000C8                 db 48h, 0B8h
LOAD:00000000004000CA ; ---------------------------------------------------------------------------
LOAD:00000000004000CA
LOAD:00000000004000CA loc_4000CA:                             ; CODE XREF: LOAD:00000000004000C5↑j
LOAD:00000000004000CA                 syscall                 ; LINUX - sys_write
LOAD:00000000004000CC                 jmp     short loc_4000D4
LOAD:00000000004000CC ; ---------------------------------------------------------------------------
LOAD:00000000004000CE                 db 4 dup(90h)
LOAD:00000000004000D2                 dw 0B848h
LOAD:00000000004000D4 ; ---------------------------------------------------------------------------
LOAD:00000000004000D4
LOAD:00000000004000D4 loc_4000D4:                             ; CODE XREF: LOAD:00000000004000CC↑j
LOAD:00000000004000D4                 lea     rsi, [rbx-0Fh]
LOAD:00000000004000D8                 jmp     short loc_4000DE
LOAD:00000000004000D8 ; ---------------------------------------------------------------------------
LOAD:00000000004000DA                 align 4
LOAD:00000000004000DC                 db 48h, 0B8h
LOAD:00000000004000DE ; ---------------------------------------------------------------------------
LOAD:00000000004000DE
LOAD:00000000004000DE loc_4000DE:                             ; CODE XREF: LOAD:00000000004000D8↑j
LOAD:00000000004000DE                 mov     edx, 6
LOAD:00000000004000E3                 jmp     short loc_4000E8
LOAD:00000000004000E3 ; ---------------------------------------------------------------------------
LOAD:00000000004000E5                 align 2
LOAD:00000000004000E6                 dw 0B848h
LOAD:00000000004000E8 ; ---------------------------------------------------------------------------
LOAD:00000000004000E8
LOAD:00000000004000E8 loc_4000E8:                             ; CODE XREF: LOAD:00000000004000E3↑j
LOAD:00000000004000E8                 mov     eax, 1
LOAD:00000000004000ED                 jmp     short loc_4000F2
LOAD:00000000004000ED ; ---------------------------------------------------------------------------
LOAD:00000000004000EF                 align 10h
LOAD:00000000004000F0                 db 48h, 0B8h
LOAD:00000000004000F2 ; ---------------------------------------------------------------------------
LOAD:00000000004000F2
LOAD:00000000004000F2 loc_4000F2:                             ; CODE XREF: LOAD:00000000004000ED↑j
LOAD:00000000004000F2                 mov     edi, 1
LOAD:00000000004000F7                 jmp     short loc_4000FC
LOAD:00000000004000F7 ; ---------------------------------------------------------------------------
LOAD:00000000004000F9                 align 2
LOAD:00000000004000FA                 dw 0B848h
LOAD:00000000004000FC ; ---------------------------------------------------------------------------
LOAD:00000000004000FC
LOAD:00000000004000FC loc_4000FC:                             ; CODE XREF: LOAD:00000000004000F7↑j
LOAD:00000000004000FC                 syscall                 ; LINUX - sys_write
LOAD:00000000004000FE                 jmp     short loc_400106
LOAD:00000000004000FE ; ---------------------------------------------------------------------------
LOAD:0000000000400100                 db 4 dup(90h)
LOAD:0000000000400104                 db 48h, 0B8h
LOAD:0000000000400106 ; ---------------------------------------------------------------------------
LOAD:0000000000400106
LOAD:0000000000400106 loc_400106:                             ; CODE XREF: LOAD:00000000004000FE↑j
LOAD:0000000000400106                 mov     eax, 0E7h
LOAD:000000000040010B                 jmp     short loc_400110
LOAD:000000000040010B ; ---------------------------------------------------------------------------
LOAD:000000000040010D                 align 2
LOAD:000000000040010E                 dw 0B848h
LOAD:0000000000400110 ; ---------------------------------------------------------------------------
LOAD:0000000000400110
LOAD:0000000000400110 loc_400110:                             ; CODE XREF: LOAD:000000000040010B↑j
LOAD:0000000000400110                 syscall                 ; LINUX - sys_exit_group
LOAD:0000000000400112                 jmp     short near ptr loc_400118+2
LOAD:0000000000400112 ; ---------------------------------------------------------------------------
LOAD:0000000000400114                 align 8
LOAD:0000000000400118
LOAD:0000000000400118 loc_400118:                             ; CODE XREF: LOAD:0000000000400112↑j
LOAD:0000000000400118                 jmp     loc_40008E
LOAD:0000000000400118 LOAD            ends
LOAD:0000000000400118
LOAD:0000000000400118
LOAD:0000000000400118                 end start    


I see multiple jumps!


Description: Before
Filesize: 10.92 KB
Viewed: 10151 Time(s)

h.png


Description: After
Filesize: 19.34 KB
Viewed: 10151 Time(s)

Screenshot 2023-06-23 143943.png


Post 23 Jun 2023, 06:43
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jun 2023, 12:00
The following code also shows 'sp-analysis failed' in IDA Free, not sure is it because I don't know how to customize IDA...
Code:
format elf64 executable

.i:
call .j
jmp .j

.j:
pop rbx
jmp .i       
Post 23 Jun 2023, 12:00
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1197
Location: Russia
macomics 23 Jun 2023, 12:38
Flier-Mate, this is because IDA has divided the call transition and the return to .i: into different functions. Press u to reset the code analysis and, after highlighting the entire block, press c (to recreate the code) and then p (to create a single function for the entire code).
Post 23 Jun 2023, 12:38
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jun 2023, 13:40
macomics wrote:
Flier-Mate, this is because IDA has divided the call transition and the return to .i: into different functions. Press u to reset the code analysis and, after highlighting the entire block, press c (to recreate the code) and then p (to create a single function for the entire code).


I can press 'u' and 'c', but pressing 'p' has no effect, whether I select 'Analyze' or 'Force'....

But it is good to know at least there is a proper way to use IDA. Thanks.


Description: Got this dialog box after pressing 'C'
Filesize: 6.85 KB
Viewed: 10094 Time(s)

Screenshot 2023-06-23 213725.png


Post 23 Jun 2023, 13:40
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20757
Location: In your JS exploiting you and your system
revolution 23 Jun 2023, 17:42
IDA did an okay job there. But it still required some manual tweaking to coax it into getting the result.

Here is the source for that. There is nothing new to see, but just FYI.
Code:
format elf64 executable

SYS_WRITE       = 1
SYS_EXIT_GROUP  = 231
STD_OUTPUT      = 1
entry main

macro encode inst& {
        local   ..start
        db      0x48, 0xb8
    ..start:
        inst
        assert $ - ..start <= 6
        jmp     ..start + 10
        while $ - ..start < 8
                nop
        end while
}

main:
encode  hello:  db      'Hello '
encode  world:  db      'World',10
encode  begin:  call    pc
encode  pc:     pop     rbx
encode          lea     rsi,[rbx + hello - begin - 5]
encode          mov     edx,6
encode          mov     eax,SYS_WRITE
encode          mov     edi,STD_OUTPUT
encode          syscall
encode          lea     rsi,[rbx + world - begin - 5]
encode          mov     edx,6
encode          mov     eax,SYS_WRITE
encode          mov     edi,STD_OUTPUT
encode          syscall
encode          mov     eax,SYS_EXIT_GROUP
encode          syscall
                jmp     begin    
Post 23 Jun 2023, 17:42
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jun 2023, 19:18
revolution wrote:
IDA did an okay job there. But it still required some manual tweaking to coax it into getting the result.

Here is the source for that. There is nothing new to see, but just FYI.
Code:
format elf64 executable

SYS_WRITE       = 1
SYS_EXIT_GROUP  = 231
STD_OUTPUT      = 1
entry main

macro encode inst& {
        local   ..start
        db      0x48, 0xb8
    ..start:
        inst
        assert $ - ..start <= 6
        jmp     ..start + 10
        while $ - ..start < 8
                nop
        end while
}

main:
encode  hello:  db      'Hello '
encode  world:  db      'World',10
encode  begin:  call    pc
encode  pc:     pop     rbx
encode          lea     rsi,[rbx + hello - begin - 5]
encode          mov     edx,6
encode          mov     eax,SYS_WRITE
encode          mov     edi,STD_OUTPUT
encode          syscall
encode          lea     rsi,[rbx + world - begin - 5]
encode          mov     edx,6
encode          mov     eax,SYS_WRITE
encode          mov     edi,STD_OUTPUT
encode          syscall
encode          mov     eax,SYS_EXIT_GROUP
encode          syscall
                jmp     begin    


Thank you for the source code, the macro language can create intricate program!

I posted your second obfuscated code as RE challenge for local forum user, and a person reply :
Quote:
you call sys_write twice
That mov instructions turn into a series of byte values after compilation. Then you jump to certain offset within that byte value. Hard for me to explain it, but it is like obfuscation technique to confuse disassembler


Am not sure how he cracked it, but he managed to do it.
Post 23 Jun 2023, 19:18
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.