flat assembler
Message board for the users of flat assembler.

Obfuscated Call Macro (1 Problem)

shism2



Joined: 14 Sep 2005
Posts: 248
shism2 08 Jun 2006, 23:23
Code:
macro ocall proc,retna,key,[parameters]
{
reverse
  pushd parameters

common
  push retna
  push [proc]
  xor dword [esp],key
  retn
}


I got everything working except I want to encrypt proc

It would work like this

macro ocall proc,retna,key,[parameters]
{
t = ([proc] xor key) ; This won't work
reverse
pushd parameters

common
push retna
push t
xor dword [esp],key
retn

}

Anyone have any ideas on how to make a macro like this work?

Thanks,
Julio
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Jun 2006, 02:23
Code:
include 'win32axp.inc'

macro ocall proc,retna,key,[parameters]
{
common
  local t

  virtual
    dd proc
    load t dword from $-4
    t = t xor key
  end virtual

reverse
  push parameters

common 
  push retna
  push  dword t
  xor dword [esp],key
  retn
}

.code
start:
  ocall Message, exit, -1, 0, text, caption, 0

; Some confusing code that will never be executed
  mov   ebx, 16
  mul   ebx
  mov   byte [eax], 1
; Of course put something more hard to understand than these...

proc Message hWnd, text, caption, type
  invoke MessageBox, [hWnd], [text], [caption], [type]
  ret
endp

exit:
  invoke ExitProcess, 0

.data
  text db 'Hello ofuscated world', 0
  caption db 'Ofuscated call', 0

.end start    

Not sure if there is a more elegant way though. Note that this works only if you pass an offset to it; if you pass, say, MessageBox, it will fail because MessageBox is the offset of the pointer in the import table and not the offset of the API function.

Regards
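For the analyst side of the ocall macro above, here is an added example (not code from this thread or from fasm) that scans a code image for the byte sequence the macro emits, push imm32 / push imm32 / xor dword [esp],imm / ret, and recovers the real target by re-applying the key, covering both the imm32 and the sign-extended imm8 encoding of the xor. The sample image, its addresses and the keys are constructed for the demonstration.

```python
# Byte encodings of the sequence the ocall macro emits (IA-32, little-endian):
#   68 imm32        push imm32  (first the return address, then target xor key)
#   81 34 24 imm32  xor dword [esp], imm32
#   83 34 24 imm8   xor dword [esp], imm8  (sign-extended; used when the key fits a byte)
#   C3              ret  (jumps to the now-decoded target)
PUSH_IMM32 = 0x68
XOR_ESP_IMM32 = b"\x81\x34\x24"
XOR_ESP_IMM8 = b"\x83\x34\x24"
RET = 0xC3
MASK = 0xFFFFFFFF

def u32(b):
    return int.from_bytes(b, "little")

def find_obfuscated_calls(code, base=0):
    """Return (address, return_addr, key, recovered_target) per push/push/xor [esp]/ret hit."""
    hits, i = [], 0
    while i + 15 <= len(code):  # shortest form is 5 + 5 + 4 + 1 bytes
        if code[i] == PUSH_IMM32 and code[i + 5] == PUSH_IMM32:
            retna, enc, j = u32(code[i + 1:i + 5]), u32(code[i + 6:i + 10]), i + 10
            if code[j:j + 3] == XOR_ESP_IMM32 and j + 8 <= len(code) and code[j + 7] == RET:
                key = u32(code[j + 3:j + 7])
                hits.append((base + i, retna, key, enc ^ key))
                i = j + 8
                continue
            if code[j:j + 3] == XOR_ESP_IMM8 and code[j + 4] == RET:
                key = int.from_bytes(code[j + 3:j + 4], "little", signed=True) & MASK
                hits.append((base + i, retna, key, enc ^ key))
                i = j + 5
                continue
        i += 1
    return hits

def encode_ocall(retna, target, key):
    """Assemble what the macro would emit (test input); use imm8 when the key sign-extends from a byte."""
    key &= MASK
    out = bytes([PUSH_IMM32]) + retna.to_bytes(4, "little")
    out += bytes([PUSH_IMM32]) + ((target ^ key) & MASK).to_bytes(4, "little")
    signed = key - (1 << 32) if key & 0x80000000 else key
    if -128 <= signed <= 127:
        out += XOR_ESP_IMM8 + signed.to_bytes(1, "little", signed=True)
    else:
        out += XOR_ESP_IMM32 + key.to_bytes(4, "little")
    return out + bytes([RET])

# Constructed sample image loaded at 0x401000: two obfuscated calls amid filler instructions
SAMPLE = (b"\x90\x90" + encode_ocall(0x401030, 0x401010, -1)
          + b"\xBB\x10\x00\x00\x00" + encode_ocall(0x401040, 0x401022, 0xDEADBEEF) + b"\xC3")
```

Calling find_obfuscated_calls(SAMPLE, base=0x401000) yields the two call sites with their decoded targets 0x401010 and 0x401022, so a disassembler script can annotate them as ordinary calls.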
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Jun 2006, 03:30
Ok, I want to be able to use the offset to the API function. Thank you though... you got me closer to what I need.
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Jun 2006, 03:53
Code:
macro oinvoke proc,retna,key,[parameters]
{ 
common 
  local t

  virtual
    dd proc 
    load t dword from $-4 
    t = t xor key
  end virtual

reverse 
  push parameters 

common
  push retna
  mov eax, t
  xor eax, key
  push dword [eax]
  retn

; Or:
; common
;   push retna
;   push  dword t
;   xor dword [esp],key
;   mov eax, [esp]
;   mov eax, [eax]
;   mov [esp], eax
;   retn

}    
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Jun 2006, 05:08
Code:
macro ocall proc,retna,key,[parameters]
{
t = ([proc] xor key) ; This won't work
reverse
pushd parameters

common
push retna
push t
xor dword [esp],key
retn
}

I still want to do something like this without having to add that extra code.
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Jun 2006, 15:40
But you can't: how do you get [proc] at compile time when user32.dll isn't loaded yet and the import table isn't filled with the pointer to the proc?
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Jun 2006, 15:46
To Tomasz: why does FASM refuse to do xor with addresses? Even if I do something like:
Code:
  t = MessageBox
  t = t xor key    
it fails, which seems to mean it perfectly recognizes that it's a label; however, MessageBox eqtype 1 is true.
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8354
Location: Kraków, Poland
Tomasz Grysztar 09 Jun 2006, 15:54
It's because it's a relocatable value; there's a note about it in the FAQ, too.
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Jun 2006, 16:06
I see, but it's so hard that I prefer to use virtual instead.

Thanks!!
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Jun 2006, 16:38
Tomasz ... So there is no way possible to do what I need?
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8354
Location: Kraków, Poland
Tomasz Grysztar 30 Jun 2006, 12:01
locodelassembly: check it out with version 1.67.

shism2: what more can I say that wasn't already said here?
locodelassembly wrote:
But you can't: how do you get [proc] at compile time when user32.dll isn't loaded yet and the import table isn't filled with the pointer to the proc?
LocoDelAssembly


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 30 Jun 2006, 12:27
And now "t = proc xor key" is enough, thank you.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.