flat assembler
Message board for the users of flat assembler.

Some preprocessor voodoo: Obfuscation (not encryption)

nts94
Joined: 10 Jun 2012
Posts: 11
Hi, I'm pretty new to all the preprocessor-related stuff, so excuse me if what I'm asking for is impossible or very easy. I'm trying to code some obfuscation macros to... well, just to play with fasm, make a crackme, I don't know yet (but it is funny to see the code you've just written in Notepad translated to an understandable hex blob in Olly) XD

This is more or less what I was trying:

Code:
display "Obfuscation-mode on", $0D, $0A

__seed = %t                      ; assembly-time variable, seeded from the build timestamp

macro __next_seed ; RNG: one 32-bit LCG step, evaluated by the assembler, not the preprocessor
{
  __seed = (__seed * 1103515245 + 12345) and $FFFFFFFF
}

macro mov_1 dst, src
{
  __next_seed
  local ..load, ..xor, ..ret
  jmp ..load
  ..ret:
  ret
  ..xor:
  xor dst, __seed                ; unmask the constant at run time
  jmp ..ret
  ..load:
  mov dst, src xor __seed        ; load the masked constant
  call ..xor
}

macro call func
{
  __next_seed
  local ..ret
  push ..ret
  jmp func
  db __seed and $FF              ; one junk byte that is never executed
  ..ret:
}

;;;;;;;;;;;;;;;;;;;;;;;;;;;; PROBLEM HERE ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
macro mov dst, src
{
; I know this is not possible as it is; it was just to show what I want to do
  mov_#(__seed and $0F) dst, src
}
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


The problem is with the last macro. I just wanted to randomly pick a different obfuscated mov for every "mov" instruction. Thanks in advance.
Post 05 Jul 2012, 01:17
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
The major problem you have there is that you are mixing assembler-stage calculations with preprocessor-stage macros.

One way you might be able to fix it is by using the rept feature to do preprocessor calculations.

Or alternatively, rewrite the mov macro to do assembly-time instruction selection with multiple if clauses.
Post 05 Jul 2012, 01:24
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Check this article by comrade:

http://comrade.ownz.com/docs/fasm.html

There is an obfuscation template.

I tried his same method, using random DB, and the result wasn't better than using a fixed DB byte.

Here is a really simple crackme. As you can see, I have a random_seed macro inside, but I don't use it, as the result is much better without it.
Code:
format PE Console
entry start

include '%fasminc%\win32a.inc'
include '%fasminc%\macro\if.inc'

random_seed = 4234

; not used below: the fixed junk bytes gave a better result than random ones
macro random {
random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
mov        eax, random_seed
}

; every jmp becomes push/retn followed by one junk byte
macro jmp dest {
    push dest
    retn
    db $74
}

; inside a macro that replaces an instruction, the instruction name still
; refers to the original (or the previous macro), so these bodies do not recurse
macro call dest {
    local ..ret
    push ..ret
    jmp  dest
    ..ret:
}

macro mov dest,src {
    local .._mov,.._over,.._quit
    jmp  .._over
    db $73                      ; junk, never executed: skews a linear disassembly
    dd $
  .._mov:
    mov dest,src
    jmp .._quit
  .._over:
    jmp .._mov
    cmp       ecx, [$]
    db $74
  .._quit:
}

macro add dest,src {
    local .._add,.._over,.._quit
    jmp  .._over
    lea eax, [eax* 2 + $]
    db $75
  .._add:
    add dest,src
    jmp .._quit
    cmp      eax, $
  .._over:
    jmp .._add
    cmp   eax, $
    db $76
  .._quit:
}

macro xor dest,src {
    local .._add,.._over,.._quit
    jmp  .._over
    lea      eax, [ebx + ecx * 2 + $]
    db $79
  .._add:
    xor dest,src
    jmp .._quit
  .._over:
    jmp .._add
    lea   eax, [ebx + ecx * 2 + $]
    db $7a
  .._quit:
}

macro lea dest,src {
    local .._add,.._over,.._quit
    jmp  .._over
    db $7b
  .._add:
    lea dest,src
    jmp .._quit
  .._over:
    jmp .._add
    db $7c
  .._quit:
}

macro je dest {
    local ..over
    jmp       ..over
    db $75
  ..over:
    je dest
}

macro push op {
    local ..over
    jmp       ..over
    cmp       eax, [$]
    db $7d
  ..over:
    push op
}

section '.data' data readable writeable
    szPause    db 'PAUSE',0
    szInt      db '%i',0
    szStr      db '%s',0           ; note: "%s" in scanf does not bound the input,
    szHex      db '%X',0           ; so a serial longer than 15 chars overflows szInput
    szNewStr   db '%s',10,13,0
    szValid    db 'serial valido',10,13,0
    szNotValid db 'serial no valido',10,13,0
    szInput    db 16 dup ?
    iSerial    dd ?
    _printf    dd ?
    _scanf     dd ?
    _sscanf    dd ?

section '.code' code readable executable
start:
    push    ebp
    mov     ebp, esp

    ; copy the import addresses so calls can go through [ebx + var] with ebx = 0
    mov     eax, [printf]
    mov     [_printf], eax
    mov     eax, [scanf]
    mov     [_scanf], eax
    mov     eax, [sscanf]
    mov     [_sscanf], eax

    xor     ebx, ebx
    mov     esi, 0xFF
    push    szInput
    xor     ebx, ebx
    push    szStr
    call    [ebx + _scanf]
    add     esp, 8

    ; parse the typed serial as hex into iSerial
    push    iSerial
    push    szHex
    push    szInput
    call    [_sscanf]
    add     esp, 12

    ; pick the message; the address is offset by esi*2 and corrected below
    inc     [iSerial]
    lea     eax, [ebx + szValid + esi * 2]
    cmp     [iSerial], 0x45AC34BD + 0x1
    je      end_validation
    lea     eax, [ebx + szNotValid + esi * 2]
end_validation:
    push    eax
    sub     [esp], esi
    push    szStr
    sub     [esp + 4], esi          ; two subtractions of esi undo the esi*2 offset
    call    [ebx + _printf]
    add     esp, 8

    push    szPause
    call    [system]
    add     esp, 4

    pop     ebp
    retn

section '.idata' import data readable writeable

library kernel32,'kernel32.dll',\
        user32,'user32.dll',\
        msvcrt,'msvcrt.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'
include '%fasminc%\api\msvcrt.inc'



As you see, you rewrite the normal instructions with macros.
The next time you use MOV it will use the mov macro with the obfuscated code.

If you still want to use a normal mov, just change the name of the MOV macro to something like __mov, or .mov, or whatever you want.
Post 05 Jul 2012, 15:10
nts94
Joined: 10 Jun 2012
Posts: 11
OK, thanks for the replies. I agree with you about the fixed DBs after having had to deal with your little crackme in Olly :D On the other hand, I wanted mov to be obfuscated in a different way every time I used it (maybe with some preprocessor voodoo, as the title says). So isn't it possible?
Post 06 Jul 2012, 11:23
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Code:
random_seed = 4234

macro random {
random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
mov     eax, random_seed         ; the assembler uses the value just computed
}

start:
mov eax, FIXED_VALUE
random                           ; emits "mov eax, <next random_seed>"
mov ecx, eax


It's possible, check the macro.

If you use a constant random_seed then you will get a constant random sequence, which actually is not a bad trick.
You just need to find a random_seed which will generate the best obfuscation for your code.

You can also do:
Code:
macro random_dd {
random_seed = ((random_seed*214013+2531011) shr 16) and 0xffffffff
dd  random_seed                  ; emit the next value as a data dword
}

Post 06 Jul 2012, 14:04
r22
Joined: 27 Dec 2004
Posts: 805
@nts94 - rather than trying to dynamically call a randomly selected macro, just put all your different MOV obfuscation types inside one MOV macro and then use IF blocks to pick which method to use.

Code:
macro obf_MOV dst, src
{
    __next_seed                       ; advance the assembly-time LCG from the first post
    r = __seed mod 2                  ; assembly-time selector
    if r = 0
       db 'obfuscated mov type 1'     ; placeholder: first variant goes here
    else if r = 1
       db 'obfuscated mov type 2'     ; placeholder: second variant goes here
    end if
}

Post 06 Jul 2012, 15:22
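The approach r22 outlines, carried out as an added example (this is not code from any post in the thread): a single mov macro that holds four variants and picks one with if / else if on an assembly-time LCG state. It also shows why nts94's mov_#(__seed and $0F) line cannot work: the # operator is applied by the preprocessor, which runs before the assembler and never sees a value for __seed, so the choice has to be made with if, which the assembler evaluates. The names obf_seed, obf_next and value are my own; the variants assume 32-bit registers, memory operands with a known size, or immediates; and the file is a non-relocatable PE, so a label used as an immediate is a plain number that can be xor-masked.

```asm
; Added example, not from the original posts: assembly-time variant selection
; for mov. Names obf_seed / obf_next / value are assumptions of this example.
format PE console
entry start

; Assembly-time LCG state. A fixed seed gives a reproducible layout (Enko's
; point); replace the constant with %t for a layout that changes per build.
obf_seed = 12345

macro obf_next
{
  obf_seed = (obf_seed * 1103515245 + 12345) and $FFFFFFFF
}

; Replaces mov. Inside the body, "mov dst, src" still refers to the real
; instruction, because fasm resolves a macro's own name within its body to the
; previous meaning. Every variant except 0 modifies EFLAGS, so do not place
; such a mov between a cmp/test and the jcc that depends on it.
macro mov dst, src
{
  obf_next
  local ..v, ..skip
  ..v = (obf_seed shr 16) and 3        ; use high bits: low LCG bits just alternate
  if ..v = 1 & ~ src eqtype 0          ; xor-mask needs an immediate source
    ..v = 2
  end if
  if ..v = 1 | ..v = 3
    if ~ dst eqtype eax                ; these two need a 32-bit register destination
      ..v = 2
    end if
  end if
  if ..v = 0
    jmp ..skip                         ; step over two junk bytes
    db $0F, $1F                        ; start of a multi-byte nop; a linear-sweep
    ..skip:                            ; disassembler takes its ModRM from the real mov
    mov dst, src
  else if ..v = 1
    mov dst, (src) xor obf_seed        ; masked constant, unmasked at run time
    xor dst, obf_seed
  else if ..v = 2
    push src                           ; route the value through the stack
    pop dst
  else
    xor dst, dst                       ; clear, then add
    add dst, src
  end if
}

section '.text' code readable executable

start:
  mov eax, $45AC34BD                   ; each mov below expands to its own variant
  mov ecx, eax
  mov [value], ecx                     ; memory destination: falls back to push/pop
  mov edx, [value]
  ret

section '.data' data readable writeable

value dd ?
```

The fallbacks are what keep the macro usable on real code: an xor-masked load only makes sense for an immediate, and xor/add only for a register destination, so unsuitable draws are redirected to push/pop, which accepts any of the operand forms listed above. The junk-byte variant only confuses a disassembler that sweeps linearly; one that follows the jmp (recursive traversal, as a debugger stepping through the code effectively does) is not affected, which matches Enko's observation that fixed junk bytes do most of the work.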
nts94
Joined: 10 Jun 2012
Posts: 11
OK, it seems that I couldn't see the wood for the trees XD I'll put all the alternative methods inside a single macro. Thanks a lot.
Post 06 Jul 2012, 16:40
Copyright © 1999-2020, Tomasz Grysztar.