flat assembler
Message board for the users of flat assembler.

Encrypted calls problem
okasvi 27 Aug 2006, 02:35
this _might_ work, atm. I'm too busy to try,

Code:
    THIS = vexitdecrypt xor 0ADE51AC8h

    lea eax, dword [dcall+1]
    xor dword [eax], 0ADE51AC8h   ; run-time decrypt of the call operand
    dcall:
    call THIS
    nop

    vexitdecrypt:
    push ebp
    ;...

_________________
When We Ride On Our Enemies
support reverse smileys |:
                  
shism2 27 Aug 2006, 02:38
Yikes, same effect, thanks a lot though... Anyone else have any more ideas???
                  
LocoDelAssembly 27 Aug 2006, 04:20
The problem here is that at run time you are XORing against the EIP-relative offset, while at assembly time you are XORing against the absolute offset.

Possible solution

Code:
    format PE GUI 4.0

    macro cryptcall dest
    {
      local rel, ..call
      rel = dest ; Just to stop assembling if dest cannot be resolved as number
      mov eax, ..call + 1
      xor dword [eax], 0ADE51AC8h
      ..call:
      call dest
      load rel dword from $-4
      rel = rel xor 0ADE51AC8h
      store dword rel at $-4
    }

    cryptcall vexitdecrypt
    ret

    vexitdecrypt:
    int3 ; Check it with olly ;D
                  
shism2 27 Aug 2006, 14:53
How to make it work on, let's say, call [vexitdecrypt]?

(This is way more complicated, but I believe it's possible.) Also, how about being able to do this: let every call to cryptcall have a different xor value,

    rel = rel xor (%t * %t) and 0FFFFFFFFh

and have the value that rel is being xored with be random... Is that possible?
                  
shism2 27 Aug 2006, 15:29
What value is there that is the opposite of purge??? If I can purge the macro, then "unpurge" the macro... Wouldn't the macro have a different value for %t then?
                  
LocoDelAssembly 27 Aug 2006, 17:09
Code:
    format PE GUI 4.0

    macro randomize value*
    {
      seed = value
    }

    macro random res*
    {
      seed = ((seed * $08088405) + 1) and $FFFFFFFF
      res = seed
    }

    macro cryptcall dest
    {
      local address, ..call, key, opcode
      random key
      if (opcode and $FF) = $E8
        mov eax, ..call + 1
      else
        if defined opcode & opcode <> $15FF
          display "Sorry, operand not supported"
          err
        end if
        mov eax, ..call + 2
      end if
      xor dword [eax], key
      ..call:
      call dest
      load opcode word from ..call
      load address dword from $-4
      address = address xor key
      store dword address at $-4
    }

    randomize $12345678

    cryptcall proc1
    cryptcall [pointer]
    cryptcall proc2
    ret

    proc1:
      mov eax, 1
      mov ebx, 2
      mov ecx, 3
      mov edx, 4
      ret

    proc2:
      int3 ; Check it with olly ;D

    pointer dd proc1
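As an added worked model (not code from the thread or from fasm itself), the Python below mirrors what the cryptcall macro above does at assembly time and what the `xor dword [eax], key` does at run time, for both the `call dest` (E8 rel32) and `call [pointer]` (FF 15 disp32) forms, and also reproduces okasvi's first attempt from the top of the thread to show why XORing the absolute address does not round-trip. The addresses 401000h/401010h/403000h, the pointer-slot contents and the keys are constructed sample values.

```python
# Assembly-time patch vs. run-time xor of a call operand, 32-bit little-endian (constructed model).
MASK = 0xFFFFFFFF

def random_key(seed):
    """Same LCG step as the thread's `random` macro: seed = (seed*08088405h + 1) and FFFFFFFFh."""
    return (seed * 0x08088405 + 1) & MASK

def emit_call(call_addr, dest, indirect=False):
    """Return (instruction bytes, offset of its dword operand). Direct form is E8 rel32,
    relative to the end of the 5-byte instruction; `call [pointer]` is FF 15 disp32 (absolute)."""
    if indirect:
        return bytes([0xFF, 0x15]) + (dest & MASK).to_bytes(4, "little"), 2
    rel = (dest - (call_addr + 5)) & MASK
    return bytes([0xE8]) + rel.to_bytes(4, "little"), 1

def xor_operand(code, off, key):
    """XOR the dword at `off`: the macro's load/store at $-4 and the run-time `xor dword [eax], key`."""
    buf = bytearray(code)
    value = int.from_bytes(buf[off:off + 4], "little") ^ key
    buf[off:off + 4] = value.to_bytes(4, "little")
    return bytes(buf)

def assemble_cryptcall(call_addr, dest, key, indirect=False):
    """LocoDelAssembly's macro: encode the real call, then XOR the operand it actually stored."""
    code, off = emit_call(call_addr, dest, indirect)
    return xor_operand(code, off, key), off

def assemble_first_attempt(call_addr, dest, key):
    """okasvi's version: `THIS = dest xor key` then `call THIS`, so the assembler encodes
    a rel32 towards the XORed absolute address instead of XORing the rel32 itself."""
    return emit_call(call_addr, dest ^ key)

def resolve_target(code, call_addr, memory):
    """Where the CPU lands after the run-time xor: E8 adds rel32 to the next instruction's
    address; FF 15 reads the target out of the pointer slot (`memory` maps slot -> value)."""
    if code[0] == 0xE8:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return (call_addr + 5 + rel) & MASK
    slot = int.from_bytes(code[2:6], "little")
    return memory[slot]

def run_time_target(call_addr, dest, key, indirect=False, broken=False, memory=None):
    """Assemble the encrypted call, apply the run-time xor, and return where the call goes."""
    if broken:
        code, off = assemble_first_attempt(call_addr, dest, key)
    else:
        code, off = assemble_cryptcall(call_addr, dest, key, indirect)
    return resolve_target(xor_operand(code, off, key), call_addr, memory or {})
```

With the sample layout, the macro's version lands on 401010h for both call forms, while the first attempt decrypts to a rel32 that points somewhere else entirely.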
                  
shism2 27 Aug 2006, 19:05
However, here are some modifications more to my liking...

Code:
    macro randomize value*
    {
      seed = value
    }

    macro random res*
    {
      seed = ((seed * %t) + 1) and $FFFFFFFF
      res = seed
    }

    macro cryptcall dest
    {
      local address, ..call, key, opcode
      random key
      if (opcode and $FF) = $E8
        xor dword [..call+1], key
      else
        if defined opcode & opcode <> $15FF
          display "Sorry, operand not supported"
          err
        end if
        xor dword [..call+2], key
      end if
      ..call:
      call dest
      load opcode word from ..call
      load address dword from $-4
      address = address xor key
      store dword address at $-4
    }

Thanks a lot man, you've been a lot of help...
                  
LocoDelAssembly 27 Aug 2006, 21:36
http://flatassembler.net/docs.php?article=manual#1.2.4 wrote:
    There's also %t symbol, which is always equal to the current time stamp.

This is the first time I see that
                  
shism2 28 Aug 2006, 01:03
hehe lol I saw it in some randomize macro ... in this section.
                  
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.