flat assembler
Message board for the users of flat assembler.

Encrypted calls problem
shism2 27 Aug 2006, 02:21
I'm trying to make encrypted calls and such...

xor dword [dcall+1],0ADE51AC8h
dcall:
call vexitdecrypt xor 0ADE51AC8h

However, when it is decrypted the value is different. I know I'm doing this wrong somehow. I'm trying to encrypt the opcode value of the call, not the actual address.
okasvi 27 Aug 2006, 02:35
this _might_ work, atm. I'm too busy to try,
Code:
THIS = vexitdecrypt xor 0ADE51AC8h
lea eax, dword [dcall+1]
xor dword [eax], 0ADE51AC8h
dcall:
call THIS
nop
vexitdecrypt:
push ebp
;...    

_________________
When We Ride On Our Enemies
support reverse smileys |:
shism2 27 Aug 2006, 02:38
Yikes, same effect, thanks a lot tho... Anyone else have any more ideas?
LocoDelAssembly 27 Aug 2006, 04:20
The problem here is that at run time you are XORing against the EIP-relative offset, while at assembly time you are XORing against the absolute offset.

Possible solution

Code:
format PE GUI 4.0

macro cryptcall dest
{
local rel, ..call

  rel = dest ; Just to stop assembling if dest cannot be resolved as number

  mov eax, ..call + 1
  xor dword [eax], 0ADE51AC8h
..call:
  call dest

  load rel dword from $-4
  rel = rel xor 0ADE51AC8h
  store dword rel at $-4
}

cryptcall vexitdecrypt
ret

vexitdecrypt:
int3 ; Check it with olly ;D     
shism2 27 Aug 2006, 14:53
How to make it work on, let's say, call [vexitdecrypt]?

(This is way more complicated, but I believe it's possible)
Also, how about being able to do this:

Let every call to cryptcall have a different xor value

rel = rel xor (%t * %t ) and 0FFFFFFFFh

Have the value that rel is being XORed with be random... Is that possible?
shism2 27 Aug 2006, 15:29
What value is there that is the opposite of purge? If I can purge the macro then "unpurge" the macro... Wouldn't the macro have a different value for %t then?
LocoDelAssembly 27 Aug 2006, 17:09
Code:
format PE GUI 4.0

macro randomize value*
{
  seed = value
}

macro random res*
{
  seed = ((seed * $08088405) + 1) and $FFFFFFFF

  res = seed
}

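macro cryptcall dest
{
local address, ..call, key, opcode

  random key                    ; fresh 32-bit key for this call site

  ; opcode is loaded further down; the forward reference is resolved
  ; by fasm's multi-pass assembly
  if (opcode and $FF) = $E8
    mov eax, ..call + 1         ; E8 rel32: operand starts 1 byte in
  else
    if defined opcode & opcode <> $15FF
      display "Sorry, operand not supported"
      err
    end if

    mov eax, ..call + 2         ; FF 15 disp32: operand starts 2 bytes in
  end if
  xor dword [eax], key          ; run-time decryption of the operand

..call:
  call dest

  load opcode word from ..call  ; first two bytes of the assembled call

  ; encrypt the assembled operand (the last 4 bytes emitted)
  load address dword from $-4
  address = address xor key
  store dword address at $-4
}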

randomize $12345678
cryptcall proc1
cryptcall [pointer]
cryptcall proc2

ret

proc1:
  mov   eax, 1
  mov   ebx, 2
  mov   ecx, 3
  mov   edx, 4
ret

proc2:
int3 ; Check it with olly ;D

pointer dd proc1    
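Added example, not part of the thread or any poster's code: a Python model of why `call dest xor key` fails (the absolute address is XORed, but the `E8` operand is a displacement) and why the macro's load/xor/store works, plus a static resolver that recovers the operands of `cryptcall` stubs for analysis. All function names, addresses, `KEY2` and the sample bytes are constructed; it assumes the stub assembles as `B8 imm32` / `81 30 imm32` followed by `E8 rel32` or `FF 15 disp32`.

```python
import struct

KEY = 0xADE51AC8  # XOR key used in the thread

def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]

def rel32(call_addr, target):
    # E8 operand: target relative to the instruction after the 5-byte call
    return (target - (call_addr + 5)) & 0xFFFFFFFF

def naive_operand(call_addr, target, key):
    # `call target xor key`: the assembler XORs the absolute address first,
    # then converts the result to a relative displacement
    return rel32(call_addr, target ^ key)

def macro_operand(call_addr, target, key):
    # load/xor/store in cryptcall: the finished displacement is XORed
    return rel32(call_addr, target) ^ key

def resolve_cryptcalls(image, base):
    """Statically undo `mov eax, patch / xor dword [eax], key / call ...`."""
    found = []
    for i in range(len(image) - 15):
        if image[i] != 0xB8 or image[i + 5:i + 7] != b"\x81\x30":
            continue
        patch, key, call = u32(image, i + 1), u32(image, i + 7), base + i + 11
        if image[i + 11] == 0xE8 and patch == call + 1:
            dest = (call + 5 + (u32(image, i + 12) ^ key)) & 0xFFFFFFFF
            found.append((call, "direct", dest))
        elif (image[i + 11:i + 13] == b"\xff\x15" and patch == call + 2
              and i + 17 <= len(image)):
            # for call [mem] the value is the address of the pointer slot
            found.append((call, "indirect", u32(image, i + 13) ^ key))
    return found

# Constructed sample: two stubs laid out back to back (hypothetical addresses)
BASE, PROC, POINTER, KEY2 = 0x401000, 0x401040, 0x402000, 0x5A17C3E9
C1, C2 = BASE + 11, BASE + 27
SAMPLE = (
    b"\xb8" + struct.pack("<I", C1 + 1) + b"\x81\x30" + struct.pack("<I", KEY)
    + b"\xe8" + struct.pack("<I", macro_operand(C1, PROC, KEY))
    + b"\xb8" + struct.pack("<I", C2 + 2) + b"\x81\x30" + struct.pack("<I", KEY2)
    + b"\xff\x15" + struct.pack("<I", POINTER ^ KEY2)
)

if __name__ == "__main__":
    print(hex(naive_operand(C1, PROC, KEY) ^ KEY), hex(rel32(C1, PROC)))
    for call, kind, value in resolve_cryptcalls(SAMPLE, BASE):
        print(f"{call:#x} {kind} -> {value:#x}")
```

Because the resolver reads the key from each stub, it also handles the per-call keys produced by the `random` macro.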
shism2 27 Aug 2006, 19:05
However, here are some modifications more to my liking ...

Code:
macro randomize value* 
{ 
  seed = value 
} 

macro random res* 
{ 
  seed = ((seed *%t) + 1) and $FFFFFFFF 

  res = seed 
} 

macro cryptcall dest 
{ 
local address, ..call, key, opcode 

  random key 

  if (opcode and $FF) = $E8 
   xor dword [..call+1], key 
  else 
    if defined opcode & opcode <> $15FF 
      display "Sorry, operand not supported" 
      err 
    end if 

    xor dword [..call+2],key
  end if 


..call: 
call dest 

  load opcode word from ..call 

  load address dword from $-4 
  address = address xor key 
  store dword address at $-4 
} 

Thanks a lot man, you've been a lot of help...
LocoDelAssembly 27 Aug 2006, 21:36
http://flatassembler.net/docs.php?article=manual#1.2.4 wrote:
There's also %t symbol, which is always equal to the current time stamp.

This is the first time I see that :P
shism2 28 Aug 2006, 01:03
hehe lol I saw it in some randomize macro ... in this section.
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.