Index
> Macroinstructions > Obfuscated Call Macro ( 1 Problem) |
| Author |
|
|
LocoDelAssembly 09 Jun 2006, 02:23
Code: include 'win32axp.inc' macro ocall proc,retna,key,[parameters] { common local t virtual dd proc load t dword from $-4 t = t xor key end virtual reverse push parameters common push retna push dword t xor dword [esp],key retn } .code start: ocall Message, exit, -1, 0, text, caption, 0 ; Some confusing code that will never be executed mov ebx, 16 mul ebx mov byte [eax], 1 ; Of course put something more hard to understand than these... proc Message hWnd, text, caption, type invoke MessageBox, [hWnd], [text], [caption], [type] ret endp exit: invoke ExitProcess, 0 .data text db 'Hello ofuscated world', 0 caption db 'Ofuscated call', 0 .end start Not sure if there is a more elegant way though. Note that this works only if you pass an offset to it, in case of passing, say, MessageBox, it will fail because MessageBox is the offset of the pointer at the import table and not the offset to the API function. Regards |
|||
09 Jun 2006, 02:23 |
|
|
shism2 09 Jun 2006, 03:30
Ok I want to be able to use the offset to the API function. Thank you thought... you got me closer to what I need.
|
|||
|
09 Jun 2006, 03:30 |
|
|
LocoDelAssembly 09 Jun 2006, 03:53
Code: macro oinvoke proc,retna,key,[parameters] { common local t virtual dd proc load t dword from $-4 t = t xor key end virtual reverse push parameters common push retna mov eax, t xor eax, key push dword [eax] retn ; Or: ; common ; push retna ; push dword t ; xor dword [esp],key ; mov eax, [esp] ; mov eax, [eax] ; mov [esp], eax ; retn } |
|||
|
09 Jun 2006, 03:53 |
|
|
shism2 09 Jun 2006, 05:08
Code: macro ocall proc,retna,key,[parameters] { t = ([proc] xor key) ; This won't work reverse pushd parameters common push retna push t xor dword [esp],key retn I still want to do something like without having to add that extra code.[/code] |
|||
|
09 Jun 2006, 05:08 |
|
|
LocoDelAssembly 09 Jun 2006, 15:40
But you can't, how do you get [proc] in compile time when actually user32.dll it's not loaded yet and the import table isn't filled with the pointer to the proc?
|
|||
|
09 Jun 2006, 15:40 |
|
|
LocoDelAssembly 09 Jun 2006, 15:46
2 Tomasz, why FASM refuses to do xor with addresses? Even if I do something like:
Code: t = MessageBox t = t xor key  |
|||
|
09 Jun 2006, 15:46 |
|
|
Tomasz Grysztar 09 Jun 2006, 15:54
It's because it's a relocatable value, there's a note about it in FAQ, too.
|
|||
|
09 Jun 2006, 15:54 |
|
|
LocoDelAssembly 09 Jun 2006, 16:06
I see but it's so hard that I prefer to use virtual instead.
Thanks!! |
|||
|
09 Jun 2006, 16:06 |
|
|
shism2 09 Jun 2006, 16:38
Tomaz ... SO there is no way to possible to do what I need ?
|
|||
|
09 Jun 2006, 16:38 |
|
|
Tomasz Grysztar 30 Jun 2006, 12:01
locodelassembly: check it out with 1.67 version.
shism2: what more can I say that wasn't already said here? locodelassembly wrote: But you can't, how do you get [proc] in compile time when actually user32.dll it's not loaded yet and the import table isn't filled with the pointer to the proc? |
|||
|
30 Jun 2006, 12:01 |
|
|
LocoDelAssembly 30 Jun 2006, 12:27
And now "t = proc xor key" is enough, thank you
 |
|||
|
30 Jun 2006, 12:27 |
|
< Last Thread | Next Thread > |
Forum Rules:
|