flat assembler
Message board for the users of flat assembler.

strange macro to me

yorath
Joined: 10 Sep 2012
Posts: 4
The macro below is used to encrypt the string at compilation time, and decrypt it at run time.

My question is: since the first instruction is call .s, when will the instructions between the call and the label .s be executed? And the label .s never returns, how come?

Code:
macro x_call str
{  local size, .x, .s, .l, x, v

   if str eqtype ''
        call    .s              ; pushes the address of .x (the return address) and jumps to .s
   .x   db str, 0               ; the string bytes, stored here in the code section
        size = ($ - .x)

        if ~ size eq
             ; compile time: xor every byte (including the terminating 0) with the first byte
             load  x BYTE from (.x)
             repeat size
                  load  v BYTE from .x+%-1
                  store BYTE v xor x at .x+%-1
             end repeat
   .s:
        ; run time: xor the same bytes again in place, leaving the string address on the stack
        push    ecx
        push    edx
        mov     ecx, size
        mov     edx, .x
   .l:
        xor     BYTE [edx+ecx-1], x
        loop    .l
        pop     edx
        pop     ecx
        end if
   else
        push str
   end if
}


Below is the binary after compilation:
Code:
.code:00401008                 db    0
.code:00401009                 db  0Eh
.code:0040100A                 db  19h
.code:0040100B                 db    5
.code:0040100C                 db  0Eh
.code:0040100D                 db    7
.code:0040100E                 db  58h ; X
.code:0040100F                 db  59h ; Y
.code:00401010                 db  6Bh ; k
.code:00401011 loc_401011:                             ; CODE XREF: .code:00401003p
.code:00401011                 push    ecx
.code:00401012                 push    edx
.code:00401013                 mov     ecx, 9
.code:00401018                 mov     edx, 401008h
.code:0040101D
.code:0040101D loc_40101D:                             ; CODE XREF: .code:00401022j
.code:0040101D                 xor     byte ptr [edx+ecx-1], 6Bh
.code:00401022                 loop    loc_40101D
.code:00401024                 pop     edx
.code:00401025                 pop     ecx    


Thanks a lot!!!
Post 10 Sep 2012, 00:57
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17714
Location: In your JS exploiting you and your system
Well you didn't give us any context so we have to guess where you are using this. So I would guess that you are using this in a stdcall function as a parameter push. Amirite?

BTW: If this code is in a loop, or called more than once, then each second time you will print the encrypted text.
Post 10 Sep 2012, 01:05
yorath
Joined: 10 Sep 2012
Posts: 4
revolution wrote:
Well you didn't give us any context so we have to guess where you are using this. So I would guess that you are using this in a stdcall function as a parameter push. Amirite?

BTW: If this code is in a loop, or called more than once, then each second time you will print the encrypted text.

Sorry, I use the macro like this: x_call 'kernel32'
Post 10 Sep 2012, 01:07
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17714
Location: In your JS exploiting you and your system
If you gave the context then we could probably be much surer about what is happening, but it appears as though the call is used to push the address of the string onto the stack. And presumably a later stdcall or invoke is present to use that parameter and restore the stack upon return.
Post 10 Sep 2012, 02:30
yorath
Joined: 10 Sep 2012
Posts: 4
This is the whole project: http://pastebin.com/GsQxy3Lh
The purpose is to hide these strings in case anti-virus may mark it malicious if I use some sensitive API.
Is the information above enough?
Post 10 Sep 2012, 02:53
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17714
Location: In your JS exploiting you and your system
So this is why:
Code:
    x_call 'kernel32'
    pop     edx
    invoke LoadLibrary, edx    
'x_call' pushes the address of the string and 'pop edx' retrieves the address of the string for later use.
yorath wrote:
The purpose is to hide these strings in case anti-virus may mark it malicious if I use some sensitive API.
In that case then this code is probably a waste of time. AVs trigger on many things, and modifying your code segment is one of the best ways to trigger an AV detection.

I would suggest instead to not bother with these encrypting tricks, they won't help you avoid the AV triggers. Just write your code normally and there is a much better chance that the AV will let it pass without a problem. Using tricks like this is an excellent way to make the AV nervous and put your code in jail.
Post 10 Sep 2012, 03:08
yorath
Joined: 10 Sep 2012
Posts: 4
Thanks, but the code is not written by me. I couldn't understand how it works. Do you have any ideas? When will the code between the call .s and the label .s be executed?
Post 10 Sep 2012, 03:39
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17714
Location: In your JS exploiting you and your system
yorath wrote:
When will the code between the call .s and the label .s be executed?
Never. It is text. You are only using 'call .s' to get a pointer to the text onto the stack.
Post 10 Sep 2012, 03:59
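The thread explains the trick in words: the call never "returns" through the bytes after it, the bytes are data, and the return address pushed by call .s is the pointer to that data. As an added example (not from the thread, and not fasm code), here is what an analyst does when such a sample lands on the desk: read the db bytes and the immediate of the xor instruction out of the disassembly listing above and recover the plaintext, then check revolution's remark that a second pass through the same loop re-encrypts the string. The listing text is a copy of the one in the thread (with the garbled loc_401011 line repaired) and the regular expressions assume the IDA-style output shown there; both are assumptions made for this example.

```python
import re

# Constructed copy of the disassembly listing quoted in the thread (IDA-style output).
LISTING = """\
.code:00401008                 db    0
.code:00401009                 db  0Eh
.code:0040100A                 db  19h
.code:0040100B                 db    5
.code:0040100C                 db  0Eh
.code:0040100D                 db    7
.code:0040100E                 db  58h ; X
.code:0040100F                 db  59h ; Y
.code:00401010                 db  6Bh ; k
.code:00401011 loc_401011:
.code:00401011                 push    ecx
.code:00401012                 push    edx
.code:00401013                 mov     ecx, 9
.code:00401018                 mov     edx, 401008h
.code:0040101D loc_40101D:
.code:0040101D                 xor     byte ptr [edx+ecx-1], 6Bh
.code:00401022                 loop    loc_40101D
.code:00401024                 pop     edx
.code:00401025                 pop     ecx
"""

# Assumed line shapes, taken from the listing above: "db <imm>" data lines,
# the "xor byte ptr [edx+ecx-1], <imm8>" decrypt instruction and the "mov ecx, <n>" count.
DB_RE = re.compile(r"^\.code:[0-9A-Fa-f]{8}\s+db\s+([0-9A-Fa-f]+h?)")
XOR_RE = re.compile(r"xor\s+byte ptr \[edx\+ecx-1\],\s*([0-9A-Fa-f]+h?)")
MOV_ECX_RE = re.compile(r"mov\s+ecx,\s*(\d+)")


def parse_ida_number(tok):
    """IDA prints hex immediates with a trailing 'h' and small decimals without one."""
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)


def extract_blob_and_key(listing):
    """Return (data bytes after 'call .s', xor key, loop count) found in the listing."""
    data, key, count = bytearray(), None, None
    for line in listing.splitlines():
        m = DB_RE.match(line)
        if m:
            data.append(parse_ida_number(m.group(1)))
            continue
        m = XOR_RE.search(line)
        if m:
            key = parse_ida_number(m.group(1))
        m = MOV_ECX_RE.search(line)
        if m:
            count = int(m.group(1))
    return bytes(data), key, count


def run_decrypt_loop(data, key):
    """Model one execution of the .l loop: every byte is xored with the immediate key."""
    return bytes(b ^ key for b in data)


def recover_string(listing):
    """Recover the plaintext the macro hands to the code after 'pop edx'."""
    data, key, count = extract_blob_and_key(listing)
    if key is None or count != len(data):
        raise ValueError("listing does not match the x_call pattern")
    plain = run_decrypt_loop(data, key)
    # The macro appends a 0 terminator before encrypting, so the decrypted blob ends in 0.
    return plain.rstrip(b"\0").decode("ascii")


if __name__ == "__main__":
    data, key, _ = extract_blob_and_key(LISTING)
    print(recover_string(LISTING))                                    # kernel32
    print(run_decrypt_loop(run_decrypt_loop(data, key), key) == data)  # True: second pass re-encrypts
```

Two things the script makes concrete. First, the key is not secret at all: the macro picks the string's own first byte, which is why the first data byte in the listing is 0 and why the immediate in the xor instruction is the plaintext's first character. Second, because xor is an involution, running the loop an even number of times restores the ciphertext, which is exactly the "each second time you will print the encrypted text" behaviour revolution points out; the in-place write to the code section is also the part of this pattern that analysts and AV engines look for.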
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.