flat assembler
Message board for the users of flat assembler.
revolution 05 Jul 2012, 01:24
The major problem you have there is that you are mixing assembler-stage calculations with preprocessor-stage macros.
One way you might be able to fix it is by using the rept feature for doing preprocessor calculations. Or alternatively rewrite the mov macro to do assembly-time instruction selection with multiple if clauses.
Enko 05 Jul 2012, 15:10
Check this article by comrade:
http://comrade.ownz.com/docs/fasm.html (there is an obfuscation template). I tried his same method, using random DB, and the result wasn't better than using a fixed DB byte. Here is a really simple crackme. As you can see, I have a random_seed macro inside, but I don't use it, as the result is much better without it.
Code:
format PE Console
entry start

include '%fasminc%\win32a.inc'
include '%fasminc%\macro\if.inc'

random_seed = 4234

; assembly-time LCG: each expansion advances random_seed and loads the new value
macro random {
  random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
  mov eax, random_seed
}

; jmp becomes push target / retn, followed by a junk opcode byte
macro jmp dest {
  push dest
  retn
  db $74
}

; call becomes push return-address followed by the (obfuscated) jmp
macro call dest {
  local ..ret
  push ..ret
  jmp dest
  ..ret:
}

; inside each macro body the instruction name refers to the real instruction
macro mov dest,src {
  local .._mov,.._over,.._quit
  jmp .._over
  db $73
  dd $
  .._mov:
  mov dest,src
  jmp .._quit
  .._over:
  jmp .._mov
  cmp ecx, [$]
  db $74
  .._quit:
}

macro add dest,src {
  local .._add,.._over,.._quit
  jmp .._over
  lea eax, [eax*2 + $]
  db $75
  .._add:
  add dest,src
  jmp .._quit
  cmp eax, $
  .._over:
  jmp .._add
  cmp eax, $
  db $76
  .._quit:
}

macro xor dest,src {
  local .._add,.._over,.._quit
  jmp .._over
  lea eax, [ebx + ecx*2 + $]
  db $79
  .._add:
  xor dest,src
  jmp .._quit
  .._over:
  jmp .._add
  lea eax, [ebx + ecx*2 + $]
  db $7a
  .._quit:
}

macro lea dest,src {
  local .._add,.._over,.._quit
  jmp .._over
  db $7b
  .._add:
  lea dest,src
  jmp .._quit
  .._over:
  jmp .._add
  db $7c
  .._quit:
}

macro je dest {
  local ..over
  jmp ..over
  db $75
  ..over:
  je dest
}

macro push op {
  local ..over
  jmp ..over
  cmp eax, [$]
  db $7d
  ..over:
  push op
}

section '.data' data readable writeable

  szPause    db 'PAUSE',0
  szInt      db '%i',0
  szStr      db '%s',0
  szHex      db '%X',0
  szNewStr   db '%s',10,13,0
  szValid    db 'serial valido',10,13,0
  szNotValid db 'serial no valido',10,13,0
  szInput    db 16 dup ?
  iSerial    dd ?
  _printf    dd ?
  _scanf     dd ?
  _sscanf    dd ?

section '.code' code readable executable

start:
  push ebp
  mov ebp, esp
  mov eax, [printf]
  mov [_printf], eax
  mov eax, [scanf]
  mov [_scanf], eax
  mov eax, [sscanf]
  mov [_sscanf], eax
  xor ebx, ebx
  mov esi, 0xFF
  push szInput
  xor ebx, ebx
  push szStr
  call [ebx + _scanf]
  add esp, 8
  push iSerial
  push szHex
  push szInput
  call [_sscanf]
  add esp, 12
  inc [iSerial]
  lea eax, [ebx + szValid + esi*2]
  cmp [iSerial], 0x45AC34BD + 0x1
  je end_validation
  lea eax, [ebx + szNotValid + esi*2]
end_validation:
  push eax
  sub [esp], esi
  push szStr
  sub [esp + 4], esi
  call [ebx + _printf]
  add esp, 8
  push szPause
  call [system]
  add esp, 4
  pop ebp
  retn

section '.idata' import data readable writeable

  library kernel32,'kernel32.dll',\
          user32,'user32.dll',\
          msvcrt,'msvcrt.dll'

  include '%fasminc%\api\kernel32.inc'
  include '%fasminc%\api\user32.inc'
  include '%fasminc%\api\msvcrt.inc'

As you see, you rewrite the normal instructions with macros. Next time you use MOV it will use the mov macro with obfuscated code. If you still want to use a normal mov, just change the name of the MOV macro to something like __mov, or .mov or whatever you want.
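The analyst's side of the jmp macro in the post above, as an added example that is not Enko's code and not part of the thread: a linear byte scan that finds the push imm32 / retn pair the macro emits, reports the real branch target, and rewrites the pair as a plain jmp rel32 so a linear-sweep disassembler follows the flow instead of being derailed by the junk byte behind it. The sample bytes, the 0x401000 base address and the function names are constructed for the example.

```python
import struct

# x86 opcode bytes used by the pattern (architectural facts, not page values)
PUSH_IMM32 = 0x68   # push imm32   (5 bytes)
RETN       = 0xC3   # retn
JMP_REL32  = 0xE9   # jmp rel32    (5 bytes)
NOP        = 0x90


def find_push_ret(code: bytes) -> list:
    """Return (offset, target) for every 'push imm32; retn' pair found by a
    linear scan. The junk byte the macro appends (db $74 is the 'je rel8'
    opcode) makes a linear-sweep disassembler swallow the real next
    instruction, so the scan deliberately ignores instruction boundaries."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RETN:
            target = struct.unpack_from('<I', code, i + 1)[0]
            hits.append((i, target))
            i += 6
        else:
            i += 1
    return hits


def flatten_push_ret(code: bytes, base: int) -> bytes:
    """Rewrite each 'push imm32; retn' (6 bytes) as 'jmp rel32; nop' (6 bytes)
    so the control flow is explicit. Only valid where the pair really is an
    unconditional jump; confirm that before patching a dump, since a genuine
    push-address-then-return sequence matches the same bytes."""
    out = bytearray(code)
    for off, target in find_push_ret(code):
        rel = (target - (base + off + 5)) & 0xFFFFFFFF   # rel32 from end of jmp
        out[off] = JMP_REL32
        struct.pack_into('<I', out, off + 1, rel)
        out[off + 5] = NOP
    return bytes(out)


def describe(code: bytes, base: int) -> list:
    """One report line per resolved jump."""
    return [f'{base + off:#010x}: push/retn -> jmp {target:#010x}'
            for off, target in find_push_ret(code)]


# Constructed sample: what 'jmp .._over' expands to under the jmp macro,
# followed by the instruction the junk byte is meant to hide. The addresses
# are made up for this example.
SAMPLE_BASE = 0x401000
SAMPLE = bytes.fromhex(
    '68 10 10 40 00'   # push 0x00401010   ; emitted by the jmp macro
    'C3'               # retn              ; transfers control to 0x401010
    '74'               # db $74            ; junk 'je' opcode with no target byte
    'B8 01 00 00 00'   # mov eax, 1        ; the real next instruction
)

if __name__ == '__main__':
    for line in describe(SAMPLE, SAMPLE_BASE):
        print(line)
    print(flatten_push_ret(SAMPLE, SAMPLE_BASE).hex(' '))
```

The rewrite keeps the same byte length, so no other offsets move; the leftover junk byte is still there after the nop, which is why the second step of cleaning such a dump is normally to re-disassemble from the resolved targets rather than to trust the linear sweep again.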
nts94 06 Jul 2012, 11:23
Ok, thanks for the replies. I agree with you about the fixed DBs after having had to deal with your little crackme in Olly.
Enko 06 Jul 2012, 14:04
Code:
random_seed = 4234

macro random {
  random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
  mov eax, random_seed   ; load the freshly generated value
}

start:
  mov eax, FIXED_VALUE
  random                 ; expand the random macro defined above
  mov ecx, eax

It's possible, check the macro. If you use a constant random_seed then you will have a constant random sequence, which actually is not a bad trick. You just need to find a random_seed which will generate the best obfuscation for your code. You can also do:
Code:
macro random_dd {
  random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
  dd random_seed
}
r22 06 Jul 2012, 15:22
@nts94 - rather than try to dynamically call a randomly selected macro, just put all your different MOV obfuscation types inside of 1 MOV macro and then use IF blocks to pick which method to use.
Code:
macro obf_MOV src, dst {
  __next_seed            ; advance the seed (helper assumed by this sketch)
  r = __seed mod 2       ; assembly-time selection, evaluated by the assembler
  if r = 0
    db 'obfuscated mov type 1'
  end if
  if r = 1
    db 'obfuscated mov type 2'
  end if
}
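Enko's remark that a constant random_seed gives a constant sequence, and r22's mod 2 variant selection, can both be checked outside the assembler before a seed is baked into a build. The Python below is an added example, not code from the thread; it mirrors the update line of the random macro with the page's own constants and its seed 4234. The cycle_length helper, its limit and the function names are my additions: the macro feeds the shifted value back as the new state, so the update is not a permutation of the 32-bit state and the sequence must settle into a cycle strictly shorter than the full 2^32, which is worth knowing before relying on it for many expansions.

```python
# Mirrors the assembler line
#   random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
# Constants and the seed 4234 come from the thread; everything else is added.

def next_seed(seed: int) -> int:
    """One step of the macro's update; the shifted value is fed back as state."""
    return ((seed * 214013 + 2531011) >> 16) & 0xFFFFFFFF


def sequence(seed: int, n: int) -> list:
    """The values the first n macro expansions would see for a given seed."""
    out = []
    for _ in range(n):
        seed = next_seed(seed)
        out.append(seed)
    return out


def variant_choices(seed: int, n: int, variants: int = 2) -> list:
    """r22's selection: which obfuscation variant each expansion picks
    (variants=2 reproduces 'r = __seed mod 2')."""
    return [s % variants for s in sequence(seed, n)]


def cycle_length(seed: int, limit: int = 200_000):
    """Length of the cycle the state falls into, or None if no state repeats
    within `limit` steps. A short cycle means the 'random' junk repeats."""
    seen = {}
    s = seed
    for i in range(limit):
        if s in seen:
            return i - seen[s]
        seen[s] = i
        s = next_seed(s)
    return None


if __name__ == '__main__':
    print('first values for seed 4234:', sequence(4234, 5))
    print('variant choices          :', variant_choices(4234, 16))
    print('cycle length             :', cycle_length(4234))
```

Running it twice with the same seed gives identical output, which is exactly the property Enko describes; changing the seed changes both the values and the 0/1 variant pattern, so a seed can be chosen by inspecting the choices rather than by rebuilding and disassembling.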
nts94 06 Jul 2012, 16:40
Ok, it seems that I couldn't see the wood for the trees XD I'll put all alternative methods inside a single macro. Thanks a lot
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
Website powered by rwasa.